
OFFICIAL MICROSOFT LEARNING PRODUCT
6419A
Configuring, Managing and Maintaining Windows Server® 2008 Servers
Volume 1

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.

WWW.ISLAMSC.COM


Configuring, Managing and Maintaining Windows Server® 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Microsoft Press, Active Directory, ActiveX, BitLocker, Excel, Hyper-V, Internet Explorer, MS, MSDN, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6419A Part Number: X15-19813 Released: 02/2009


MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply. By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.

i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

a. Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

b. License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content is offered “as is”. Any use of this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to:
• anything related to the Licensed Content, to services or to content (including code) on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it.


Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Aaron Clutter – Lead Developer
Aaron Clutter has been developing and leading the development of content for Aeshen since 2002. He has a background as a Windows administrator and network engineer.

Michael Cassens – Content Developer
Michael Cassens is a Senior Content Developer at Aeshen and joined in 2006. He earned his MCSD and MCP+Site Building certifications in 2000 and a Masters in Computer Science in 2003. He has also worked as an independent software consultant and an Adjunct Professor at the University of Montana since 1998.

Sean Masters – Content Developer
Sean Masters joined Aeshen in 2007. He has worked in SMB technical operations for nearly 10 years including 4 years as manager of information technology at a property management firm and 4 years as a private consultant to various legal and financial firms in the New England area.

Valerie Lee – Content Developer
Valerie Lee joined Aeshen in 2006, and has gained extensive knowledge of Microsoft technologies by working on Microsoft TechNet Content, Webcasts, White Papers, and Microsoft Learning Courses. Prior to joining Aeshen, she worked as a consultant in positions providing desktop and network troubleshooting and training support.

Joel Barker – Content Developer
Joel Barker has been developing content for Microsoft server products for five years; prior to that he has held a variety of positions in the IT industry.


Philip Morgan - Subject Matter Expert
Philip Morgan is a Senior Product Analyst at Aeshen and joined the company in 2007. He has been an MCT since 1996 and has worked as a trainer, consultant, and network administrator helping people learn, implement, and use Microsoft products.

Conan Kezema – Technical Reviewer
Conan Kezema, MCSE, MCT is an educator, consultant, network systems architect, and author who specializes in Microsoft technologies.


Contents
Module 1: Introduction to Managing Microsoft Windows Server 2008 Environment
Lesson 1: Server Roles   1-3
Lesson 2: Overview of Active Directory   1-15
Lesson 3: Using Windows Server 2008 Administrative Tools   1-28
Lesson 4: Using Remote Desktop for Administration   1-36
Lab: Administering Windows Server 2008   1-44

Module 2: Creating Active Directory Domain Services User and Computer Objects
Lesson 1: Managing User Accounts   2-3
Lesson 2: Creating Computer Accounts   2-17
Lesson 3: Automating AD DS Object Management   2-24
Lesson 4: Using Queries to Locate Objects in AD DS   2-33
Lab: Creating AD DS User and Computer Accounts   2-39

Module 3: Creating Groups and Organizational Units
Lesson 1: Introduction to AD DS Groups   3-3
Lesson 2: Managing Groups   3-17
Lesson 3: Creating Organizational Units   3-22
Lab: Creating an OU Infrastructure   3-29

Module 4: Managing Access to Resources in Active Directory Domain Services
Lesson 1: Managing Access Overview   4-3
Lesson 2: Managing NTFS File and Folder Permissions   4-11
Lesson 3: Assigning Permissions to Shared Resources   4-20
Lesson 4: Determining Effective Permission   4-33
Lab: Managing Access to Resources   4-44


Module 5: Configuring Active Directory Objects and Trusts
Lesson 1: Delegate Administrative Access to Active Directory Objects   5-3
Lab A: Configuring Active Directory Delegation   5-12
Lesson 2: Configure Active Directory Trusts   5-16
Lab B: Configuring Active Directory Trusts   5-24

Module 6: Creating and Configuring Group Policy
Lesson 1: Overview of Group Policy   6-3
Lesson 2: Configuring the Scope of Group Policy Objects   6-18
Lesson 3: Evaluating the Application of Group Policy Objects   6-31
Lesson 4: Managing Group Policy Objects   6-37
Lesson 5: Delegating Administrative Control of Group Policy   6-47
Lab A: Creating and Configuring GPOs   6-51
Lab B: Verifying and Managing GPOs   6-57

Module 7: Configure User and Computer Environments By Using Group Policy
Lesson 1: Configuring Group Policy Settings   7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy   7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy   7-13
Lesson 3: Configuring Administrative Templates   7-17
Lab B: Configuring Administrative Templates   7-23
Lesson 4: Deploying Software Using Group Policy   7-28
Lab C: Deploying Software with Group Policy   7-36
Lesson 5: Configuring Group Policy Preferences   7-39
Lab D: Configuring Group Policy Preferences   7-44
Lesson 6: Introduction to Group Policy Troubleshooting   7-48
Lesson 7: Troubleshooting Group Policy Application   7-55
Lesson 8: Troubleshooting Group Policy Settings   7-67
Lab E: Troubleshooting Group Policy Issues   7-71


Module 8: Implementing Security Using Group Policy
    Lesson 1: Configuring Security Policies  8-3
    Lesson 2: Implementing Fine-Grained Password Policies  8-15
    Lab A: Implementing Security Using Group Policy  8-20
    Lesson 3: Restricting Group Membership and Access to Software  8-26
    Lesson 4: Managing Security Using Security Templates  8-34
    Lab B: Configuring and Verifying Security Policies  8-43

Module 9: Configuring Server Security Compliance
    Lesson 1: Securing a Windows Infrastructure  9-3
    Lesson 2: Overview of EFS  9-9
    Lesson 3: Configuring an Audit Policy  9-13
    Lesson 4: Overview of Windows Server Update Services (WSUS)  9-20
    Lesson 5: Managing WSUS  9-32
    Lab: Manage Server Security  9-40

Module 10: Configuring and Managing Storage Technologies
    Lesson 1: Windows Server 2008 Storage Management Overview  10-3
    Lesson 2: Managing Storage Using File Server Resource Manager  10-13
    Lab A: Installing the FSRM Role Service  10-20
    Lesson 3: Configuring Quota Management  10-22
    Lab B: Configuring Storage Quotas  10-29
    Lesson 4: Implementing File Screening  10-31
    Lab C: Configuring File Screening  10-38
    Lesson 5: Managing Storage Reports  10-40
    Lab D: Generating Storage Reports  10-45
    Lesson 6: Understanding Storage Area Networks  10-47


Module 11: Configuring and Managing Distributed File System
    Lesson 1: Distributed File System (DFS) Overview  11-3
    Lesson 2: Configuring DFS Namespaces  11-13
    Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace  11-22
    Lesson 3: Configuring DFS Replication  11-26
    Lab B: Configuring Folder Targets and Viewing Diagnostic Reports  11-42

Module 12: Configuring Network Access Protection
    Lesson 1: Overview of Network Access Protection  12-3
    Lesson 2: How NAP Works  12-18
    Lesson 3: Configuring NAP  12-25
    Lesson 4: Monitoring and Troubleshooting NAP  12-33
    Lab: Configuring NAP for DHCP and VPN  12-37

Module 13: Configuring Availability of Network Content and Resources
    Lesson 1: Configuring Shadow Copies  13-3
    Lab A: Configuring Shadow Copying  13-11
    Lesson 2: Providing Server and Service Availability  13-14
    Lab B: Configuring Network Load Balancing  13-26

Module 14: Monitoring and Maintaining Windows Server 2008 Servers
    Lesson 1: Planning Monitoring Tasks  14-3
    Lesson 2: Calculating a Server Baseline  14-9
    Lesson 3: Measuring Performance Objects  14-14
    Lab A: Identifying Windows Server 2008 Monitoring Requirements  14-24
    Lesson 4: Selecting Appropriate Monitoring Tools  14-29
    Lesson 5: Planning Notification Methods  14-37
    Lesson 6: Overview of Windows Server 2008 Management Tasks  14-41
    Lesson 7: Automating Windows Server 2008 Management  14-45
    Lab B: Configuring Windows Server 2008 Monitoring  14-49


Module 15: Managing Windows Server 2008 Backup and Restore
    Lesson 1: Planning Backups with Windows Server 2008  15-3
    Lesson 2: Planning Backup Policy on Windows Server 2008  15-15
    Lesson 3: Planning a Server Restore Policy  15-20
    Lesson 4: Planning an EFS Restore Policy  15-29
    Lesson 5: Troubleshooting Windows Server 2008 Startup  15-40
    Lab A: Planning Windows Server 2008 Backup Policy  15-51
    Lab B: Planning Windows Server 2008 Restore  15-58

Lab Answer Keys


About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

This five-day instructor-led course provides students with the knowledge and skills to configure and manage Microsoft® Windows Server® 2008 servers. The course focuses heavily on Active Directory® Domain Services object creation and Group Policy management. The course also focuses on configuring security, Network Access Protection, storage, and server data protection.

Audience

The primary audience for this course is IT Professionals who want to increase their hands-on deployment and day-to-day management skills for Windows Server 2008 servers in an enterprise organization. The primary audience for this course will be responsible for day-to-day management of the server OS, file, and directory services, software distribution, profiling and monitoring, troubleshooting, and Tier 2 troubleshooting for a subset of the organization's servers. The secondary audiences for this course are individuals who are network infrastructure technology specialists.

Student Prerequisites

This course requires that you meet the following prerequisites:
• At least one year experience operating Windows Servers daily in the area of account management, server maintenance, server monitoring, or server security
• A+, Server+, hardware portion of Net+, and familiarity with Microsoft Windows® (client side)
• Working knowledge of networking technologies
• Intermediate understanding of network operating systems
• Working experience with Windows Server 2003 and Windows Server 2008
• Basic knowledge of Active Directory
• An understanding of security concepts and methodologies (for example, corporate policies)
• Basic knowledge of TCP/IP
• Basic knowledge of scripting tools such as Windows PowerShell™ and WMI

Course Objectives

After completing this course, students will be able to:
• Describe the different administrative tools and tasks in Windows Server 2008
• Configure AD DS user and computer accounts
• Create Groups and Organizational Units
• Manage access to shared resources in an AD DS environment
• Configure Active Directory Objects and Trusts
• Create and configure Group Policy Objects
• Configure user and computer environments by using Group Policy
• Implement security by using Group Policy
• Configure and analyze server security and security update compliance
• Configure and manage storage technologies included with Windows Server 2008
• Configure and manage Distributed File System
• Configure Network Access Protection
• Configure availability of network resources
• Plan and maintain Windows Server 2008 monitoring
• Manage a Windows Server 2008 Backup and Restore

Course Outline

This section provides an outline of the course:

Module 1: “Introduction to Managing Microsoft Windows Server 2008 Environment” describes the fundamentals of an enterprise networking environment, which consists of Windows Infrastructure Services, Windows Application Platform Services, and Active Directory. This module also explains how to administer a Windows 2008 server.

Module 2: “Creating Active Directory Domain Services User and Computer Objects” explains how to configure AD DS user and computer accounts.

Module 3: “Creating Groups and Organizational Units” explains how to configure AD DS group accounts and organizational units.

Module 4: “Managing Access to Resources in Active Directory Domain Services” explains how to manage access to shared resources in an AD DS environment.

Module 5: “Configuring Active Directory Objects and Trusts” explains how to implement and configure AD DS objects and trusts.

Module 6: “Creating and Configuring Group Policy” explains how Group Policy objects (GPOs) work and how to create and apply GPOs.

Module 7: “Configure User and Computer Environments by Using Group Policy” describes how to configure user desktop settings by using Group Policy and how to troubleshoot and resolve issues related to Group Policy.

Module 8: “Implementing Security Using Group Policy” describes how to configure security settings and apply them using GPOs.

Module 9: “Configuring Server Security Compliance” explains how to configure and analyze server security and security update compliance. This module also describes some of the management tasks that you should undertake with a focus on security update management and discusses automated maintenance tools such as Windows Server Update Services.

Module 10: “Configuring and Managing Storage Technologies” explains how to configure and troubleshoot file system storage technologies included with Windows Server 2008.

Module 11: “Configuring and Managing Distributed File System” explains how to configure and manage Distributed File System.

Module 12: “Configuring Network Access Protection” explains how to configure and manage NAP for DHCP, VPN, and 802.1X.

Module 13: “Configuring Availability of Network Resources and Content” explains how to configure network resources and content availability. It explains how to enable a shadow copy volume, which provides access to previous file and folder versions on a network. Finally, this module explains how you can use failover clustering and Network Load Balancing (NLB) to facilitate greater data availability and workload scalability.

Module 14: “Monitoring and Maintaining Windows Server 2008 Servers” covers planning your monitoring tasks to determine appropriate server baselines, measuring key performance metrics, collecting data by using Data Collector Sets, and identifying suitable notification methods when an alert occurs.

Module 15: “Managing Windows Server 2008 Backup and Restore” describes the changes to backup in Windows Server 2008 and helps you to plan your backup requirements and policy to meet the requirements of your organization. This module also describes how you should plan for encrypted file system recovery, restoration of system state data, and creating a server restore policy to verify server operations.

Course Materials

The following materials are included with your kit:

• Course Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
    • Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
    • Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
    • Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
    • Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s needed.

• Course Companion CD. Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
    • Lessons: Include detailed information for each topic, expanding on the content in the Course Handbook.
    • Labs: Include complete lab exercise information and answer keys in digital form to use during lab time.
    • Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, and Microsoft Press®.
    • Student Course Files: Include the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine   Role
6419-LON-DC1      Domain Controller for EMEA.WoodgroveBank.com
6419-NYC-CL1      Client computer in WoodgroveBank.com
6419-NYC-CL2      Client computer in the WoodgroveBank.com
6419-NYC-DC1      Domain Controller for WoodgroveBank.com
6419-NYC-DC2      Domain Controller for WoodgroveBank.com
6419-NYC-INF      Standalone server
6419-NYC-SVR1     Member server for WoodgroveBank.com
6419-NYC-SVR2     Standalone server
6419-VAN-DC1      Domain Controller for Fabrikam.com domain

Software Configuration

The following software is installed on each VM:
• Windows Server 2008 Enterprise Edition
• Windows Server 2003 Enterprise Edition is installed in 6419-VAN-DC1

Course Files

There are files associated with the labs in this course. The lab files are located in the folder E:\ModXX\Labfiles within the virtual machines.

Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware are taught. This course requires that you have a computer that meets or exceeds hardware level 6, which specifies an Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor, dual 120 GB hard disks 7200 RPM SATA or better, 4 GB RAM expandable to 8 GB or higher, a DVD drive, a network adapter, a super VGA (SVGA) 17-inch monitor, a Microsoft Mouse or compatible pointing device, and a sound card with amplified speakers.

Module 1

Introduction to Managing Microsoft Windows Server 2008 Environment

Contents:
    Lesson 1: Server Roles  1-3
    Lesson 2: Overview of Active Directory  1-15
    Lesson 3: Using Windows Server 2008 Administrative Tools  1-28
    Lesson 4: Using Remote Desktop for Administration  1-36
    Lab: Administering Windows Server 2008  1-44

Module Overview

Multiple tools exist to facilitate management of Microsoft® Windows Server® 2008 computers and Active Directory® domains. In Windows Server 2008, many of these tools have been consolidated into the Server Manager tool. This change offers a single point for server administration. By understanding the tools available to manage Windows Server 2008 and Active Directory, you will be able to more quickly and effectively implement change requests.

Lesson 1

Server Roles

Windows Server 2008 is configured by adding and removing server roles and features. This is a new method of organizing the addition and removal of services. Understanding server roles and features allows you to install and support only the Windows Server 2008 components you need in your environment.

Windows Server 2008 Editions

Key Points
Windows Server 2008 is available in several editions to meet the needs of various organizations. The editions are available for x86, x64, and Itanium processors. Hyper-V™ is a role that is provided for 64-bit installations of Windows Server 2008. You can order Standard, Enterprise, and Datacenter editions that do not have Hyper-V included. Windows HPC Server 2008 is designed for clustering hundreds of computers together to work on a single processing task.

Question: Describe the criteria you will use when deciding what edition of Windows Server to deploy.

What Are Server Roles?

Key Points
Server roles are a way to configure a computer running Windows Server 2008 to perform a specific function. In a small organization, many roles can be combined on a single computer. In a large enterprise, computers can be configured to perform a single role to ensure greater scalability. When deploying multiple server roles on a single computer, consider the following:
• The capacity of the computer should be sufficient for all the installed roles.
• Ensure that security requirements for the roles you plan to install can co-exist on a single computer.
• Configure security settings appropriately for all installed roles.
• Plan ahead for possible migration paths if the computer becomes overloaded.

Question: In your work environment, what are the advantages of consolidated servers, dedicated servers, or both?

What Are the Windows Infrastructure Services Roles?

Key Points
Windows infrastructure services roles are used to form the underlying framework of software and services that are used by other applications within the organization. The table below describes Microsoft Windows® infrastructure services roles:

Role: Description
Active Directory Certificate Services: Creates and manages certification authorities. Certification authorities are used to create digital certificates for identification and encryption.
Active Directory Rights Management Services: Helps protect information from unauthorized use and generates licenses that specify what actions can be taken with protected content and by whom.
DHCP Server: Automatically allocates IP addresses and IP configuration information to clients.
DNS Server: Provides name resolution for TCP/IP networks.
Fax Server: Sends and receives faxes electronically rather than requiring paper-based copies of documents.
File Services: Provides technologies for storage management, file replication, and file searching.
Network Policy and Access Services: Provides support for LAN or WAN routing, network access policy enforcement, VPN connections, and dialup connections.
Hyper-V: Provides server virtualization functionality.
Print Services: Enables and manages network printing.
Terminal Services: Allows users to run programs on a remote server but view the results in a Remote Desktop window.
Windows Deployment Services: Deploys Windows operating systems to computers over the network.

Question: List the Windows infrastructure services roles used in your work environment.

What Are the Windows Application Platform Services Roles?

Key Points
Windows application platform services roles are used as a platform for the development of applications. The table below describes Windows application platform services roles:

Role: Description
Application Server: Provides a complete solution for hosting and managing distributed business applications. Includes services such as .NET Framework, Web server, and Message Queuing.
Universal Description, Discovery, and Integration (UDDI) Services: Shares information about Web services within an organization or between business partners.
Web Server (IIS): Enables Windows Server 2008 as a Web server.

Question: List the Windows application platform roles used in your work environment.

What Are the Active Directory Server Roles?

Key Points
The Active Directory roles allow you to implement and control Active Directory for your organization.

Question: Briefly describe one or two scenarios where you would implement each server role.

AD DS Integration with Other Active Directory Server Roles

Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server roles, such as the following, rely on AD DS:
• Active Directory Federation Services (AD FS)
• Active Directory Rights Management Services (AD RMS)
• Active Directory Certificate Services (AD CS)

Question: Describe any other applications you are aware of that can leverage AD DS.

What Are Server Features?

Key Points
Server features support server roles or enhance the functionality of a server.

Question: Which of these features do you use in your work environment?
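As an added example that is not part of the course handbook, the following Windows PowerShell script inventories the roles, role services, and features installed on a server through the Win32_ServerFeature WMI class and flags anything outside an approved baseline, which is the practical check behind installing only the components you need. The baseline names and the computer name parameter are assumptions for illustration; Windows PowerShell 2.0 on Windows Server 2008 is assumed.

```powershell
# Added example, not from the course handbook: inventory the roles, role services,
# and features installed on a Windows Server 2008 computer and flag anything that
# is not in an approved baseline. Assumes Windows PowerShell 2.0 and the
# Win32_ServerFeature WMI class, which exists on Windows Server 2008 but not on
# earlier versions. The baseline list is a constructed sample; replace it with
# your own server standard.
param([string]$ComputerName = ".")

# Approved top-level roles and features for this server class (sample baseline).
$approvedBaseline = @(
    "File Services",
    "Windows Server Backup Features",
    "Windows PowerShell"
)

function Get-InstalledServerFeatures {
    param([string]$Computer)
    # Win32_ServerFeature lists only what is installed. ParentID is 0 for a
    # top-level role or feature and otherwise holds the ID of the parent entry.
    Get-WmiObject -Class Win32_ServerFeature -ComputerName $Computer |
        Select-Object ID, Name, ParentID
}

function Show-FeatureTree {
    param($Features)
    # Print each top-level role or feature with its directly installed children
    # (role services or sub-features); deeper nesting is not expanded here.
    $top = $Features | Where-Object { $_.ParentID -eq 0 } | Sort-Object Name
    foreach ($item in $top) {
        Write-Host $item.Name
        $Features | Where-Object { $_.ParentID -eq $item.ID } | Sort-Object Name |
            ForEach-Object { Write-Host ("    " + $_.Name) }
    }
}

function Find-UnapprovedFeatures {
    param($Features, [string[]]$Approved)
    # Top-level entries that the baseline does not allow.
    $Features | Where-Object { $_.ParentID -eq 0 -and ($Approved -notcontains $_.Name) }
}

$installed = @(Get-InstalledServerFeatures -Computer $ComputerName)
Show-FeatureTree -Features $installed

$unapproved = @(Find-UnapprovedFeatures -Features $installed -Approved $approvedBaseline)
if ($unapproved.Count -gt 0) {
    Write-Host ""
    Write-Host "Installed but not in the approved baseline (review and remove if not needed):"
    $unapproved | ForEach-Object { Write-Host ("  " + $_.Name) }
} else {
    Write-Host ""
    Write-Host "All installed roles and features are in the approved baseline."
}
```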

What Is Server Core?

Key Points
Server Core is a new installation option for Windows Server 2008. It provides a minimal environment for running specific server roles. A graphical interface is not included as part of the Server Core installation.

Question: Describe two scenarios in which Server Core would be a beneficial choice of server platform.

ISLAMSC. and domain controllers.Introduction to Managing Microsoft Windows Server 2008 Environment 1-15 MCT USE ONLY. WWW. In this lesson. you will learn about Active directory domains.COM . STUDENT USE PROHIBITED Lesson 2 Overview of Active Directory Active Directory is a central repository of network information. forests. Understanding how Active Directory is organized is essential to understanding network security and management.

What Is Active Directory?

Key Points
Active Directory is a central repository of network information that is used for logon security and application configuration. The information stored in Active Directory includes:
• User accounts
• Computer accounts
• Application configuration information
• Subnet addresses
• Group accounts
• Printer objects
• Published folder objects

Active Directory is not a large single database. It is composed of multiple partitions. The domain partition holds information that is specific to a particular domain. The configuration partition holds configuration information for Active Directory and applications. The schema partition is the list of allowed objects and attributes in Active Directory.

Question: Why is it important that the schema is replicated to all domain controllers in the entire forest?

Benefits of Active Directory

Key Points
Active Directory provides a single repository of information that is used for network management. When Windows computers are not joined to a domain, they are considered members of a workgroup. A workgroup is a peer-to-peer network without a centralized security database. Each workgroup member has its own security database and group policy store.

Question: Are there any situations where a workgroup would be preferable?


What Is a Domain?

Key Points
A domain is a logical grouping of objects such as:
• User accounts. These are required for users to log on and access network resources. Information such as e-mail addresses and mailing addresses can be stored as part of a user account.
• Computer accounts. These are required for a computer to participate in the domain and become part of the security infrastructure. To log on with a domain user account, you must use a computer that has a computer account in the domain.
• Groups. These are used to organize users and computers into sets for assigning permissions to resources. Using groups makes it easier to manage access to resources such as files.


Question: How has your organization used domains to create security boundaries? If your organization does not use domains, how might domains be used in your organization?


What Is an Organizational Unit?

Key Points
An organizational unit (OU) is a grouping of objects within a domain. OUs can contain:
• Users
• Groups
• Computers
• Other OUs


OUs are used to:
• Apply Group Policy Settings: Group Policy Settings can be associated with an OU. When associated with an OU, the group policy applies to all user and computer accounts within the OU.
• Delegate management: Permissions to manage Active Directory objects can be assigned to an OU. Permissions granted to an OU are inherited for objects inside the OU.

Question: Describe one scenario when you would use a domain to organize a network. Describe one scenario when you would use an OU to organize a network.


What Is a Forest?

Key Points
A forest is a collection of domains that:
• Share a common schema
• Share a common Global Catalog
• Are connected by two-way transitive trusts

When domains have a trust relationship, accounts in the trusted domain can be granted access to resources in the trusting domain. Domain trees in a forest are not required to have the same naming structures.

Question: Does a trust automatically allow users in one domain to access resources in another domain?


What Is a Domain Controller?

Key Points
The following are characteristics of a domain controller:
• A domain controller is a computer that holds a copy of Active Directory information.
• Domain controllers update this copy of Active Directory information through multi-master replication with other domain controllers in the domain and forest.
• At minimum, a domain controller holds a copy of the local domain partition, the configuration partition, and the schema partition.

Note: A global catalog server is a domain controller that holds a subset of the domain information for all domains in the entire forest.

Question: How many domain controllers should you have?


What Is a Read-Only Domain Controller?

Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy stored by the RODC, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC.

Question: In your work environment, do you have scenarios where an RODC would be beneficial?
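The following Windows PowerShell script is an added example, not the handbook's own material: it reads a domain controller's RootDSE to list the partitions it holds (the three every domain controller must hold, plus any application partitions), checks the global catalog flag, and reads the userAccountControl bit that marks a read-only domain controller. The server name NYC-DC1 comes from the course lab; Windows PowerShell 2.0, the .NET System.DirectoryServices classes, and read access to the directory are assumed.

```powershell
# Added example, not from the course handbook: ask a domain controller which AD DS
# partitions it holds, whether it is a global catalog, and whether it is an RODC.
# Assumes Windows PowerShell 2.0 on a domain member, System.DirectoryServices,
# and read access to the directory. NYC-DC1 is the course's lab domain controller;
# point the parameter at your own DC.
param([string]$DomainController = "NYC-DC1")

function Get-DomainControllerProfile {
    param([string]$Server)

    # RootDSE describes the DC itself: its naming contexts (partitions) and flags.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext
    $dnsName  = [string]$rootDse.dnsHostName

    # Every DC must hold the domain, configuration, and schema partitions; any
    # other naming context is an application partition such as DomainDnsZones.
    $required   = @($domainNC, $configNC, $schemaNC)
    $partitions = @($rootDse.namingContexts | ForEach-Object { [string]$_ })
    $appPartitions = @($partitions | Where-Object { $required -notcontains $_ })

    # Find the DC's own computer object in the domain partition and read
    # userAccountControl. Bit 0x2000 (SERVER_TRUST_ACCOUNT) marks a domain
    # controller account; bit 0x04000000 (PARTIAL_SECRETS_ACCOUNT) is set only
    # on an RODC, which holds no writable copy and caches only permitted secrets.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$domainNC"
    $searcher.Filter = "(&(objectCategory=computer)(dNSHostName=$dnsName))"
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    $computer = $searcher.FindOne()
    $uac = 0
    if ($computer -ne $null) {
        $uac = [int]$computer.Properties["useraccountcontrol"][0]
    }

    New-Object PSObject -Property @{
        DnsHostName            = $dnsName
        DomainPartition        = $domainNC
        ConfigurationPartition = $configNC
        SchemaPartition        = $schemaNC
        ApplicationPartitions  = $appPartitions
        IsDomainController     = (($uac -band 0x2000) -ne 0)
        IsGlobalCatalog        = ([string]$rootDse.isGlobalCatalogReady -eq "TRUE")
        IsReadOnly             = (($uac -band 0x04000000) -ne 0)
    }
}

$dcProfile = Get-DomainControllerProfile -Server $DomainController
$dcProfile | Format-List DnsHostName, DomainPartition, ConfigurationPartition, SchemaPartition,
    ApplicationPartitions, IsDomainController, IsGlobalCatalog, IsReadOnly

if ($dcProfile.IsReadOnly) {
    Write-Host "$($dcProfile.DnsHostName) is an RODC: its partitions are read-only and it only receives inbound replication."
}
```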


Read-Only Domain Controller Features

Key Points
RODCs provide several features designed to work together to increase security. These features minimize the risks of deploying a domain controller in a location with low physical security or high exposure to attack. Question: If you plan to use one or more RODCs in your work environment, which RODC features do you plan to use?


Demonstration: Joining a Domain

Key Points
• Join NYC-CL1 to the WoodgroveBank.com domain.
• View the results of joining the domain.
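As an added example that is not part of the demonstration itself, the following Windows PowerShell script performs the same join through the Win32_ComputerSystem WMI class and then displays the membership result. The domain name comes from the course lab; the optional OU path, the error-code table, and Windows PowerShell 2.0 running elev­ated on the computer being joined are assumptions made for illustration.

```powershell
# Added example, not from the course handbook: the scripted counterpart of the
# demonstration, joining a computer to a domain with WMI and then viewing the
# result. Assumes Windows PowerShell 2.0 run elevated on the computer being
# joined, the course's lab domain WoodgroveBank.com, and an account that has been
# granted the right to join computers to that domain. A restart is required
# before the join takes effect.
param(
    [string]$DomainName = "WoodgroveBank.com",
    [string]$AccountOU  = $null   # optional, e.g. "OU=Workstations,DC=WoodgroveBank,DC=com"
)

# Win32 error codes that JoinDomainOrWorkgroup commonly returns, mapped to the
# cause an administrator should check first.
$joinResults = @{
    0    = "Success: restart the computer to complete the join"
    5    = "Access denied: the account cannot join computers to this domain or OU"
    53   = "Network path not found: check DNS and connectivity to a domain controller"
    1326 = "Logon failure: wrong user name or password"
    1355 = "Domain not found: check the DNS name of the domain"
    2224 = "A computer account with this name already exists in the domain"
}

function Join-ComputerToDomain {
    param(
        [string]$Domain,
        [System.Management.Automation.PSCredential]$Credential,
        [string]$OU
    )
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Host "$($cs.Name) is already a member of $($cs.Domain); nothing to do."
        return 0
    }
    # Join option flags: 1 = join the domain, 2 = create the computer account.
    $flags = 1 -bor 2
    $plainPassword = $Credential.GetNetworkCredential().Password
    $result = $cs.JoinDomainOrWorkgroup($Domain, $plainPassword, $Credential.UserName, $OU, $flags)
    $code = [int]$result.ReturnValue
    $message = $joinResults[$code]
    if (-not $message) { $message = "Win32 error $code (run 'net helpmsg $code')" }
    Write-Host ("JoinDomainOrWorkgroup returned {0}: {1}" -f $code, $message)
    return $code
}

function Show-DomainMembership {
    # "View the results": what the operating system now reports about membership.
    # DomainRole: 0 standalone workstation, 1 member workstation, 2 standalone
    # server, 3 member server, 4 backup domain controller, 5 primary domain controller.
    Get-WmiObject -Class Win32_ComputerSystem |
        Select-Object Name, Domain, PartOfDomain, DomainRole
}

# Prompt for "DOMAIN\user" or "user@domain" so the password never sits in the script.
$credential = Get-Credential
$returnCode = Join-ComputerToDomain -Domain $DomainName -Credential $credential -OU $AccountOU
Show-DomainMembership
if ($returnCode -eq 0) {
    Write-Host "Restart now to complete the join, for example: shutdown.exe /r /t 0"
}
```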


Lesson 3

Using Windows Server 2008 Administrative Tools

Each administrative tool included with Windows Server 2008 is used to manage different system components. Administrative tools include:
• Microsoft Management Console
• Problem Reports and Solutions
• Server Manager
• Computer Management
• Device Manager

By understanding the administrative tools available to you in Windows Server 2008, you can choose the best tool for the administrative task at hand.


Microsoft Management Console

Key Points
• A snap-in is a program that allows you to perform specific administrative tasks.
• New snap-ins are added when you install additional software components. For example, the snap-ins for managing Microsoft Exchange Server 2007 are added when you install Exchange Server 2007.
• You can remotely administer a server by re-focusing the MMC snap-in to the remote server.
• Custom consoles allow you to create a console with only the capabilities that you require as part of your job role.

Question: Will you create customized consoles for most of your management tasks?


Server Manager

Key Points
Combining frequently used snap-ins into a single console simplifies administration of your server. Question: Why is it beneficial to combine frequently used snap-ins into a single console?


Computer Management

Key Points
This administrative tool is included with Microsoft Windows 2000 Server and Windows Server 2003 operating systems. Many of the snap-ins found in Server Manager are also found in Computer Management. Question: Will you use Computer Management or Server Manager to manage your servers?


Device Manager

Key Points
• One of the most common uses for Device Manager is updating device drivers. Device drivers are used by the operating system to communicate with devices such as network adapters or video adapters. When an incorrect driver is used, the device will typically have limited functionality or no functionality at all.
• Device Manager visually indicates if a device is disabled or is not functioning properly. This makes it easy to identify malfunctioning components.
• Because device drivers run in kernel mode, install only drivers obtained from a trusted source. The 64-bit editions of Windows Server 2008 load only digitally signed kernel-mode drivers.

Question: Why would you update a device driver if a device appears to be working properly?


Problem Reports and Solutions

Key Points
Problem Reports and Solutions is a utility for monitoring and resolving system problems. It records the details of a system problem, and then contacts Microsoft for a resolution of the problem. Because a problem report can include data from the memory of the failing program, check what your organization's policy allows before configuring reports to be sent automatically.

Question: How does Problem Reports and Solutions improve upon the Dr. Watson utility found in previous versions of the Microsoft Windows operating system?


Demonstration: Using Windows Server 2008 Administrative Tools

Key Points
• Use Problem Reports and Solutions.
• Use Server Manager.
• Use Computer Management.
• Use Device Manager.

Question: Which of the administrative tools demonstrated will you use most often?


Common Administration Tasks

Key Points
Administrative tools can be grouped by the task for which each tool is commonly used. Sometimes multiple tools may be used to carry out a single task.

Question: Describe one or more common administrative tasks you carry out in your work environment and a tool that would be used to carry out each task.

Lesson 4

Using Remote Desktop for Administration

Remote Desktop for Administration is widely used by most organizations to access servers remotely and to perform system maintenance. There are many configuration options you can use for controlling the security of the connections and other connection characteristics. Remote Desktop for Administration can help you reduce the time and effort involved in server administration tasks.

Remote Desktop for Administration

Key Points
Remote Desktop for Administration is a service that allows administrators to access the desktop of a computer running Windows Server 2008 remotely. This service can be used to access a server from a corporate desktop or a remote location.

Note the following primary differences between Remote Desktop for Administration and the Windows Server 2008 Terminal Services role:
• Remote Desktop for Administration is limited to two concurrent remote connections.
• Remote Desktop for Administration requires no extra licensing.
• Remote Desktop for Administration is installed by default but is not enabled by default.

Note: Remote Desktop for Administration generates a much smaller amount of network data than running server management utilities over the network from a workstation.

Question: What concerns are there about allowing a server administrator to use Remote Desktop for Administration from home?

Benefits of Remote Desktop for Administration

Key Points
Remote Desktop for Administration is a useful tool with several benefits.

Note: Even though Server Core does not include a graphical desktop, you can enable Remote Desktop for Administration. Once connected, you are presented with a command prompt rather than a Windows desktop.

Question: Can Remote Desktop for Administration result in cost savings for an organization?

Demonstration: Remote Desktop Client Configuration

Key Points
• View the Remote Desktop options on NYC-CL1.
• Describe the options on the following tabs:
  • General tab
  • Display tab
  • Local Resources tab
  • Programs tab
  • Experience tab
  • Advanced tab

Question: Why would you disable client features such as local drives and printers?

Securing Remote Desktop for Administration

Key Points
• The first level of securing Remote Desktop for Administration is controlling who can use it. Remote Desktop for Administration is disabled by default. You can leave it disabled for high security installations.
• When enabled, members of the local Administrators group are allowed to connect by default. Access for other users can be controlled by making them members of the Remote Desktop Users group; membership in that group grants only the right to log on through Terminal Services, not any other privilege on the server.
• The Security layer determines how the server is authenticated to the client and which protocol encrypts the session. RDP Security Layer uses native RDP encryption only; SSL (TLS 1.0) uses a server certificate so that the client can verify it is connecting to the intended server; Negotiate uses SSL when the client supports it and falls back to RDP encryption otherwise.

• Encryption level controls which data is encrypted and the strength of the encryption. The Low level encrypts only data sent from the client to the server, using 56-bit encryption; everything the server sends back, including the screen contents, crosses the network unencrypted. Client Compatible uses the strongest level the client supports, High uses 128-bit encryption in both directions, and FIPS Compliant uses only FIPS 140-1 validated algorithms.
• The Require Network Level Authentication setting requires the client to authenticate the user before a session is created on the server, so an unauthenticated connection never reaches the Windows logon screen and does not consume session resources. Only clients that support Network Level Authentication, such as Remote Desktop Connection 6.0 and later on Windows Vista, can connect when this setting is enabled.

Question: Why should you not use the low encryption level?

Demonstration: Using Remote Desktop for Administration

Key Points
• On NYC-DC1, enable Remote Desktop for Administration.
• Configure security settings on NYC-DC1.
• Connect to the console with the /console switch. Note that Remote Desktop Connection 6.1 and later, including the client shipped with Windows Server 2008, replace /console with /admin; /console is accepted but ignored.

Question: When is connecting to the server console, rather than a remote session, useful?

Lab: Administering Windows Server 2008

Exercise 1: Install the DNS Server Role

Scenario
You have decided to prepare the server NYC-SVR1 for remote management through Remote Desktop. You will also install the DNS Server role and verify domain membership on NYC-SVR1. In this exercise, you will install the DNS Server role and verify domain membership.

The main tasks for this exercise are as follows:
1. Start the virtual machines, and then log on.
2. Install the DNS Server role.
3. Verify domain membership.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-SVR1 as Administrator with the password Pa$$w0rd.
7. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install the DNS Server role
• On NYC-SVR1, use Server Manager to install the DNS Server role using the following settings:
  • Add only the DNS Server role service.

Task 3: Verify domain membership
1. On NYC-DC1, in Active Directory Users and Computers, verify that the NYC-SVR1 computer account exists.
2. On NYC-SVR1, in Local Users and Groups, verify that Domain Admins is a member of the local Administrators group.

Results: After this exercise, you should have successfully installed the DNS Server role and successfully verified domain membership.

Exercise 2: Configuring Remote Desktop for Administration

Scenario
The server NYC-SVR1 is being used to run a new application for loan applications. The person responsible for monitoring this application needs access to NYC-SVR1 remotely because he is not authorized to enter the data center. You need to enable Remote Desktop for Administration for Axel Delgado with the highest level of security possible. In this exercise, you will enable Remote Desktop for Administration, and configure security settings to allow Axel Delgado to carry out remote administration tasks.

The main tasks for this exercise are as follows:
1. Enable Remote Desktop for Administration.
2. Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1.
3. Configure security for Remote Desktop for Administration.
4. Give Axel Delgado rights to run Reliability and Performance Monitor.
5. Verify Remote Desktop for Administration functionality.

Task 1: Enable Remote Desktop for Administration
1. On NYC-SVR1, open Remote settings in System Properties.
2. Allow connections only if Network Level Authentication is used.

Task 2: Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1
• On NYC-SVR1, in Remote Settings, add Axel Delgado as a user allowed to connect remotely.

Task 3: Configure security for Remote Desktop for Administration
1. On NYC-SVR1, open Terminal Services Configuration.
2. In the properties of RDP-Tcp, configure:
  • Security layer: SSL (TLS 1.0)
  • Encryption level: High
  • Allow connections only from computers running Remote Desktop with Network Level Authentication

Task 4: Give Axel Delgado rights to run Reliability and Performance Monitor
• On NYC-SVR1, use Local Users and Groups to add Axel Delgado as a member of Performance Log Users.

Task 5: Verify Remote Desktop for Administration functionality
1. On NYC-CL1, open Remote Desktop Connection.
2. Log on using the following information:
  • Computer: NYC-SVR1.woodgrovebank.com
  • User name: woodgrovebank\Axel
  • Password: Pa$$w0rd
3. In the Remote Desktop Connection window, open Reliability and Performance Monitor.
4. Verify that Axel Delgado can view information in Performance Monitor. Notice that data associated with Resource Overview is not available to Axel Delgado because Axel Delgado is not a local Administrator.

Results: After this exercise, you should have successfully used Axel Delgado's account to remotely access NYC-SVR1 and run Reliability and Performance Monitor.

Lab Shutdown
After you complete the lab, you must shut down the 6419A-NYC-DC1, 6419A-NYC-CL1, and 6419A-NYC-SVR1 virtual machines and discard any changes.
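The following Windows PowerShell script is an added example, not part of the course lab: it applies the settings from the Securing Remote Desktop for Administration topic and from Exercise 2 (Tasks 1 to 4) on NYC-SVR1 without the System Properties and Terminal Services Configuration dialogs, using the Terminal Services WMI provider. It assumes it is run from an elevated prompt on NYC-SVR1 itself, that Windows PowerShell 2.0 is installed (the -Authentication parameter is not in PowerShell 1.0), and it uses the lab's own names (WOODGROVEBANK\Axel, RDP-Tcp).

```powershell
# Added example (not part of the 6419A lab): configure Remote Desktop for
# Administration on NYC-SVR1 through WMI. Run elevated on the server.
# Assumes PowerShell 2.0 (-Authentication) and the lab account WOODGROVEBANK\Axel.

$ns = "root\cimv2\TerminalServices"

# 1. Enable Remote Desktop for Administration; it is off by default.
#    SetAllowTSConnections(AllowTSConnections, ModifyFirewallException):
#    1,1 also enables the built-in "Remote Desktop" firewall exception.
$ts = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting `
        -Authentication PacketPrivacy
[void]$ts.SetAllowTSConnections(1, 1)

# 2. Harden the RDP-Tcp listener. Unlike the Remote settings dialog, this
#    sets the security layer and encryption level at the same time.
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
         -Authentication PacketPrivacy -Filter "TerminalName='RDP-Tcp'"
[void]$rdp.SetUserAuthenticationRequired(1)  # require Network Level Authentication
[void]$rdp.SetSecurityLayer(2)               # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS 1.0)
[void]$rdp.SetEncryptionLevel(3)             # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS

# 3. Least privilege for the monitoring task: a Remote Desktop logon plus
#    Performance Log Users, not membership in the local Administrators group.
net localgroup "Remote Desktop Users" WOODGROVEBANK\Axel /add
net localgroup "Performance Log Users" WOODGROVEBANK\Axel /add

# 4. Read the listener settings back so the change can be verified now and
#    audited later (a value of 1 for UserAuthenticationRequired means NLA is on).
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
         -Authentication PacketPrivacy -Filter "TerminalName='RDP-Tcp'"
$rdp | Format-List TerminalName, UserAuthenticationRequired, SecurityLayer, `
                   MinEncryptionLevel, SSLCertificateSHA1Hash
```

The same cmdlets accept -ComputerName, which is how the settings would be pushed to several servers from one workstation; the Terminal Services namespace then requires packet privacy, which is why -Authentication PacketPrivacy is included even though a local call works without it. With the security layer set to SSL, Task 5 succeeds only if NYC-CL1 trusts the certificate the server presents; the self-signed certificate Windows generates produces a warning, and a certificate from the organization's CA removes it.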

Module Review and Takeaways

Review Questions
1. Which server role must be installed to configure Windows Server 2008 as a domain controller?
2. What is the relationship between Active Directory domains and Active Directory forests?
3. Which administrative tool tracks system crashes and attempts to resolve them?
4. When monitoring performance, which tools can you use to track CPU utilization over time?

Real-world Issues and Scenarios
1. You are the lead server administrator for your location in a large organization. There are 4,000 users in your location, with seven server administrators. You would like to configure administrative tools for the server administrators that you manage. Each administrative tool would have all the options required for them to perform their job tasks. How can you create these custom tools?
2. A computer running Windows Server 2008 has been in your organization for about two months. It had been running perfectly until last week. Since last week, it has been crashing once or twice a day. How can you determine the cause of this problem?
3. You are the server administrator for a small organization with 100 users and three computers running Windows Server 2008. Your IT manager would like to respond more quickly to support calls after business hours. Currently, you drive into the office when required. This takes up to an hour. How can you avoid the need to return to the office to perform support tasks after hours? And how will you address security concerns?

COM . Server Management WWW.ISLAMSC. Managing and Maintaining Windows Server 2008 Servers MCT USE ONLY.1-50 Configuring. STUDENT USE PROHIBITED Tools Tool Active Directory Users and Computers Active Directory Domains and Trusts Active Directory Sites and Services ADSI Edit Use for Create user accounts Where to find it Administrative Tools View and manage trusts Administrative Tools View and manage Active Directory sites Perform manual edits of Active Directory objects Administrative Tools Administrative Tools Microsoft Management Console • Add snap-ins to perform administrative tasks Command prompt • Create custom consoles Problem Reports and Solutions • Track solutions to system problems Administrative Tools Server Manager • Add or remove server roles and features Administrative Tools • Perform diagnostics • Manage server configuration • Manage server storage Computer Management • • • • • Share folders Access system tools Manage server storage Manage services Manage Routing and Remote Access Administrative Tools Device Manager • Configure devices • Update drivers Administrative Tools. Computer Management.

(continued)

Task Manager
  Use for: View applications and processes; view basic performance information
  Where to find it: Ctrl+Alt+Del, Ctrl+Shift+Esc, right-click the taskbar

Reliability and Performance Monitor
  Use for: Resource Overview; Performance Monitor; Reliability Monitor; Data Collector Sets
  Where to find it: Administrative Tools

Event Viewer
  Use for: View events in logs; collect events at a single computer; query events
  Where to find it: Administrative Tools, Computer Management, Server Manager

Remote Desktop for Administration
  Use for: Remotely connect to servers and perform administrative tasks
  Where to find it: Control Panel > System > Remote settings

Terminal Services Configuration
  Use for: Configure Remote Desktop for Administration
  Where to find it: Administrative Tools

Local Users and Groups snap-in
  Use for: Manage local users and groups
  Where to find it: Computer Management, Server Manager

Active Directory Users and Computers
  Use for: Manage domain user accounts and groups
  Where to find it: Administrative Tools

Run as administrator
  Use for: Elevate the privileges of a program
  Where to find it: Context menu when right-clicking an application shortcut

runas
  Use for: Run a program under a different account, for example an administrative account
  Where to find it: Command prompt


Module 2

Creating Active Directory Domain Services User and Computer Objects

Contents:
Lesson 1: Managing User Accounts  2-3
Lesson 2: Creating Computer Accounts  2-17
Lesson 3: Automating AD DS Object Management  2-24
Lesson 4: Using Queries to Locate Objects in AD DS  2-33
Lab: Creating AD DS User and Computer Accounts  2-39

Module Overview

One of your functions as an Active Directory® Domain Services (AD DS) administrator is to manage user and computer accounts. These accounts are AD DS objects that individuals use to log on to the network and access resources. In this module, you will learn about modifying user and computer accounts on computers running the Microsoft® Windows Server® 2008 operating system in a networked environment.

Lesson 1

Managing User Accounts

In AD DS for Windows Server 2008, all users that require access to network resources must be configured with a user account. With this user account, users can be authenticated to the AD DS domain and granted access to network resources. As the AD DS administrator, you will need to know how to create and configure user accounts.

What Is a User Account?

Key Points
A user account is an object that contains all of the information that defines a user in Windows Server 2008. A user account includes the user name and password as well as group memberships. A user account also contains many other settings that can be configured based upon your organizational requirements. The account can be either a local or a domain account.

Usage
With a user account, you can:
• Allow or deny users to log on to a computer based on their user account identity.
• Grant users access to processes and services for a specific security context.
• Manage users' access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.

Question: List at least one advantage of creating local accounts. List at least one advantage of creating domain accounts.

Names Associated with Domain User Accounts

Key Points
When creating a user account, an administrator provides a user logon name. User logon names must be unique in the domain or forest in which the user account is created: the pre-Windows 2000 logon name (sAMAccountName) must be unique in the domain, and the user principal name (UPN) must be unique in the forest.

Names generated by Active Directory
When a user account is created using Active Directory Users and Computers, AD DS also creates:
• An LDAP distinguished name.
• An LDAP relative distinguished name.
• A SID and a globally unique identifier (GUID).

Question: Provide at least one example of a good, scalable, unique domain user name.

User Account Password Options

Key Points
As a systems administrator, you can manage user account password options. These options can be set when the user account is created or in the Properties dialog box of a user account.

Systems administrators can also change the default domain password complexity settings by accessing the Group Policy Management Editor. Administrators can configure these settings by navigating to: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy. Note that the password policy for domain accounts is read only from Group Policy linked at the domain level (by default, the Default Domain Policy); a password policy in a GPO linked to an OU affects only the local accounts on the computers in that OU.

Question: Provide at least one example of a strong password.

Standard User Management

Key Points
Some common standard user tasks are resetting passwords, configuring group management, assigning user profiles, creating home directories, and setting user expiration.
• The Reset Password function is accessed through the Active Directory Users and Computers management console. Administrators can easily access any user record and reset their password through a context menu.
• The Group Management functionality is also accessed through the Active Directory Users and Computers management console. Administrators can create groups and then assign users to these groups by selecting the user and adding them to a group.
• In the Active Directory Users and Computers management console, administrators can set logon hours, which provide specific times when a user can access a computer.
• Administrators can set an expiration date for users in the Active Directory Users and Computers management console when new users are created.

• Administrators can assign a home directory to their users in the Active Directory Users and Computers management console by accessing a user and specifying the user's home directory in the Home Folder section.
• Administrators can assign custom profiles to users in the Active Directory Users and Computers management console. This allows administrators to assign user access to resources.

Question: How many times can users attempt to log on before they are locked out (by default)?

Tools for Configuring User Accounts

Key Points

Active Directory Users and Computers
Active Directory Users and Computers is the primary tool used for day-to-day administration of AD DS.

Command line tools
You also can use the command-line tools Dsadd, Dsmod, and Dsrm to manage user accounts in AD DS.

Csvde
The Csvde command-line tool uses a comma-delimited text file, also known as comma-separated value (CSV) format, as input to create multiple accounts in AD DS.

Ldifde
The Ldifde command-line tool uses the LDAP Data Interchange Format (LDIF), a line-separated text format, to create, modify, and delete objects in Active Directory.

Windows PowerShell
Use Windows PowerShell™ when you want to change the attribute values for multiple Active Directory objects or when the selection criteria for these objects are complex.

Question: List at least two criteria required when selecting from the available methods for automating user creation.

Demonstration: Configuring User Accounts

Key Points
• Add a user in Active Directory Users and Computers.
• Add a user through dsadd.
• Review user account properties.
• Rename an account in Active Directory Users and Computers.
• Rename an account using dsmod.
• Review password complexity settings.

Question: How would you create several user objects with the same settings for attributes, such as department and office location?

Question: Under what circumstances would you disable a user account rather than delete it?

Question: Why are you prompted to change the additional names when you change the user name?

Question: Why would you rename a user name in AD DS when a user changes their name rather than deleting the account and creating a new account with the new name?

What Is a User Account Template?

Key Points
A user account template is an account that has commonly used settings and properties already configured. You can use user account templates to simplify the process of creating domain user accounts.
• To perform this procedure, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.
• To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
• To prevent a particular user from logging on for security reasons, you can disable user accounts rather than deleting user accounts.
• By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.

• Information such as logon hours and group memberships is retained when a new user is created from a template, but the Description and Office attributes are not copied. Which attributes are copied is controlled per attribute in the Active Directory Schema MMC snap-in, by the "Attribute is copied when duplicating a user" option.
• The template account should stay disabled, and each account copied from it gets its own password; the template's password is never copied.

Question: List at least one example of how your company uses account templates.

Demonstration: Creating and Using a User Account Template

Key Points
• Use Active Directory Users and Computers to add a new user to the Users container.
• Copy the template account, and rename its identity attributes.

Question: What are some fields not populated when you create a new user from a template?

Question: How could you make a template account easy to find in AD DS?

Lesson 2

Creating Computer Accounts

In AD DS, computers are security principals, just like users. This means that computers must have accounts and passwords. All domain-joined computers running Microsoft Windows NT® or later operating systems must have computer accounts in AD DS. To be fully authenticated by AD DS, a user must have a valid user account, and the user must also log on to the domain from a computer that has a valid computer account.

What Is a Computer Account?

Key Points
Computers access network resources to perform key tasks such as authenticating user logon, obtaining an IP address, and receiving security policies. To have full access to these network resources, computers must have valid accounts in AD DS. The two main functions of a computer account are performing security and management activities.

Question: List at least one way your company manages its computer accounts.

Options for Creating Computer Accounts

Key Points
You can create computer accounts in AD DS by joining the computer to the domain, or by pre-staging computer accounts before joining the computer to the domain. Pre-staging the account is simply creating the computer account in AD DS before joining the computer to the domain. If you need to secure the pre-staged account, then you can provide a staging GUID that will then be used only by the computer that matches the GUID.

Adding computers to an AD DS domain
If a computer is joined to a domain, the computer account is created in the Computers container by default. Both administrators and users can join computers to the domain; by default, any authenticated user can join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute of the domain), so an organization that wants only administrators to join computers must change that default. In most organizations, administrators will move the computer accounts to department-specific OUs so that specific software and operating system configurations can be applied to the computers; Group Policy cannot be linked to the Computers container, only to the domain, sites, and OUs.

Pre-staging computer accounts
You can ensure that computer accounts are configured in the right AD DS container by pre-staging computer accounts. When you pre-stage a computer account, you create the computer account in the domain before joining the computer to the domain. Organizations pre-stage computer accounts in order to automate the operating system and application installation by using tools such as Windows Deployment Services.

Question: List at least one advantage of pre-staging when deploying.
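The following commands are an added example, not part of the course text, of the two pre-staging steps just described: creating the computer account in the OU that should own it, then joining the computer to that account. The OU Workstations, the computer name NYC-WS01, the domain woodgrovebank.com and the account WOODGROVEBANK\desktopsupport are assumptions for the example; dsadd, dsquery and netdom are the Windows Server 2008 command-line tools (netdom is available where the AD DS tools are installed).

```powershell
# Added example (not from the course text): pre-stage a workstation account
# and join the computer to it. OU, computer and account names are assumed.

# --- Step 1, on a computer with the AD DS tools: create the account first ---
# Creating it in OU=Workstations rather than the default Computers container
# means the OU's Group Policy applies from the computer's first startup.
dsadd computer "CN=NYC-WS01,OU=Workstations,DC=woodgrovebank,DC=com" `
      -desc "Loan department workstation" -loc "Downtown, floor 2"

# Confirm it landed where intended; the output is the distinguished name.
dsquery computer -name NYC-WS01

# --- Step 2, on the new computer, as a local administrator: join it --------
# netdom finds the existing account by the computer's name, so no /OU is
# needed and the account stays where it was pre-staged. /PasswordD:* prompts
# for the password instead of leaving it in the command history.
netdom join $env:COMPUTERNAME /domain:woodgrovebank.com `
       /UserD:WOODGROVEBANK\desktopsupport /PasswordD:* /REBoot:30
```

The account used for the join needs only the permission to join the pre-staged account, which is what "User or group can join this computer to a domain" in the New Object - Computer dialog grants; it does not need to be an administrator, and it should not have the right to create new computer objects elsewhere in the domain.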

Managing Computer Accounts

Key Points
The most commonly used properties for computer accounts in AD DS are the Location and Managed By properties.
• The Location property can be used to document the computer's physical location in your network. To maintain computers, you must find the physical location of the computers.
• The Managed By property lists the individual responsible for the computer. This information can be useful when you have a data center with servers for different departments and you need to perform maintenance on a server. You can call or send e-mail to the person who is responsible for the server before you perform maintenance on the server.

Question: How can the Location and Managed By properties be used to automate computer account management?

Demonstration: Configuring Computer Accounts

Key Points
• Create a computer account in Active Directory Users and Computers.
• Configure the computer account settings.
• Disable and reset an account.

Question: A user is taking a two-month leave from work. No one else will be using the user's computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account?

Question: You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do?

Lesson 3

Automating AD DS Object Management

In most cases, you are likely to create and configure AD DS objects on an individual basis. However, in some cases, you may need to create or modify the configuration for many objects simultaneously. For example, if your organization hires a large group of new employees, you may want to automate the new-accounts configuration process. If your organization moves to a new location, you may want to automate the task of assigning new addresses and phone numbers to all users. This lesson describes how to manage multiple AD DS objects.

Tools for Automating AD DS Object Management

Key Points
Windows Server 2008 provides a number of tools that you can use to create or modify multiple user accounts automatically in AD DS. Some of these tools require that you use a text file containing information about the user accounts that you want to create. You also can create Windows PowerShell scripts to add objects or make changes to Active Directory objects. Administrators can still use Microsoft Visual Basic Scripting Edition (VBScript) to manage Active Directory objects. If students already have VBScript scripts developed, they should be able to reuse those scripts with very little modification.

Question: List at least one way your organization has employed these tools to automate AD DS object management.

dc=contoso. STUDENT USE PROHIBITED Configuring AD DS Objects Using Command-Line Tools Key Points Use these command-line tools to configure AD DS objects.dc=com" -loc Downtown –desc Workstation Dsrm .dc=com" –samid Keith fn Keith –ln Harris –display "Keith Harris" –pwd Pa$$w0rd Dsmod .ISLAMSC.dsget user "cn=Keith Harris.dc=com" Dsget .dc=contoso. Examples: • • • • • Dsadd .dsadd user "cn=Keith Harris.net user “Gregory Weber” Pa$$w0rd /ad WWW.dsmod computer "cn=sales2.cn=users. Managing and Maintaining Windows Server 2008 Servers MCT USE ONLY.dc=contoso.ou=sales.2-26 Configuring.dc=com" -memberof net user .dsrm -subtree -c "cn=sales2.cn=users.ou=sales.COM .dc=contoso.

• Net group: net group SalesGroup "Gregory Weber" /add
• Net computer: net computer \\Sales2 /del

Question: List at least one example of why an administrator would want to use command-line tools.

Managing User Objects with LDIFDE

Key Points

You can use the Ldifde command-line tool to create and make changes to multiple accounts. When you use the Ldifde tool, you will use a line-separated text file (LDIF format) to provide the command's input information.

Question: List at least one way that LDIFDE makes user management more scalable and reliable.
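The file format that Ldifde reads, shown as an added worked example in PowerShell (it is not the course's own Modifyusers.ldf or any lab script). It writes one "changetype: modify" record per user that replaces physicalDeliveryOfficeName, the edit that the module's lab makes by hand on an exported file, and base64-encodes any value LDIF cannot carry as plain ASCII. The OU, office name, output path and sample DNs are assumptions; Get-UserDnFromOu needs a domain, and the rest runs offline on the constructed list.

```powershell
# Added example, not course material. OU, office, path and sample DNs are assumptions.
$searchBase = "OU=Houston,DC=WoodgroveBank,DC=com"   # assumption
$office     = "Houston"                                # assumption
$outFile    = "C:\Modifyusers.ldf"                     # assumption

# Constructed sample input; on a DC replace with: $userDns = Get-UserDnFromOu $searchBase
$userDns = @(
    "CN=Kim Akers,OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com",
    "CN=Jeff Hay,OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com",
    "CN=Sébastien Lévesque,OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com"   # non-ASCII DN
)

function Get-UserDnFromOu {
    param([string]$ouDn)
    # (objectClass=user) alone also matches computer accounts, because the computer
    # class derives from user; objectCategory=person excludes them.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$ouDn"
    $s.Filter      = "(&(objectCategory=person)(objectClass=user))"
    $s.SearchScope = "Subtree"
    $s.PageSize    = 1000              # page past the server's 1000-result limit
    [void]$s.PropertiesToLoad.Add("distinguishedName")
    foreach ($r in $s.FindAll()) { $r.Properties["distinguishedname"][0] }
}

function ConvertTo-LdifLine {
    param([string]$name, [string]$value)
    # RFC 2849: a value containing non-ASCII or control characters, or starting with
    # a space, a colon or '<', must be base64 (UTF-8) and introduced by a double colon.
    if ($value -match '[^\x20-\x7E]' -or $value -match '^[ :<]') {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($value))
        return "${name}:: $b64"
    }
    return "${name}: $value"
}

function New-LdifReplaceRecord {
    param([string]$dn, [string]$attribute, [string]$value)
    # One change record: dn, changetype, the replace block, the terminating dash,
    # and the blank line that separates records.
    $lines = @(
        (ConvertTo-LdifLine "dn" $dn),
        "changetype: modify",
        "replace: $attribute",
        (ConvertTo-LdifLine $attribute $value),
        "-",
        ""
    )
    return [string]::Join("`r`n", $lines)
}

$records = @()
foreach ($dn in $userDns) {
    $records += New-LdifReplaceRecord $dn "physicalDeliveryOfficeName" $office
}
# Base64 keeps the file pure ASCII, so no -u (Unicode) switch is needed on import.
[string]::Join("`r`n", $records) | Out-File -FilePath $outFile -Encoding ASCII

# Apply on a domain controller:   ldifde -i -k -f C:\Modifyusers.ldf
# -k continues past "already exists" and constraint violations; leave it off while
# testing so the first rejected record stops the import instead of being skipped.
```

Export first with a filter that excludes computer accounts, as Get-UserDnFromOu does, and check the file in a text editor before importing: a record that lacks the dash line, or a DN with an unencoded non-ASCII character, is rejected by ldifde with a line number in the error message.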

Managing User Objects with CSVDE

Key Points

You can use the Csvde command-line tool to create multiple accounts in AD DS. However, you can only use the Csvde tool to create accounts, not to change them. Because a password cannot be supplied in the import file, accounts created with Csvde remain disabled until a password is set and the account is enabled.

Question: List at least one advantage of using CSVDE over LDIFDE when managing user objects.
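Both halves of a CSVDE bulk import, as an added worked example in PowerShell (not the course's Importusers.csv or ActivateUser.vbs): writing the import file, then doing what CSVDE cannot, namely setting an initial password and enabling each account while clearing the "password not required" flag. The domain, OUs, file path and list of new hires are assumptions; New-CsvdeUserRow runs offline, Enable-ImportedUser needs a domain controller.

```powershell
# Added example, not course material. Domain, OUs, path and hires are assumptions.
$domainDn  = "DC=WoodgroveBank,DC=com"     # assumption
$upnSuffix = "WoodgroveBank.com"            # assumption
$csvPath   = "C:\import.csv"                # assumption

# Constructed sample standing in for the HR-supplied list
$newHires = @(
    @{ First = "Kim";  Last = "Akers"; Ou = "OU=Investments,OU=Houston" },
    @{ First = "Jeff"; Last = "Hay";   Ou = "OU=CustomerService,OU=Houston" }
)

function ConvertTo-CsvField {
    param([string]$value)
    # Quote every field: DNs contain commas, which are the CSV delimiter.
    return '"' + $value.Replace('"', '""') + '"'
}

function New-CsvdeUserRow {
    param([string]$first, [string]$last, [string]$containerDn, [string]$suffix)
    $cn  = "$first $last"
    $sam = $first + $last
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit
    $fields = @("CN=$cn,$containerDn", "user", $sam, "$sam@$suffix", $first, $last, $cn)
    $quoted = @()
    foreach ($f in $fields) { $quoted += ConvertTo-CsvField $f }
    return [string]::Join(",", $quoted)
}

# Column order is free except that DN must come first; header names are AD attributes.
$rows = @("DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName")
foreach ($h in $newHires) {
    $rows += New-CsvdeUserRow $h.First $h.Last "$($h.Ou),$domainDn" $upnSuffix
}
$rows | Out-File -FilePath $csvPath -Encoding ASCII

# Import on a domain controller:   csvde -i -k -f C:\import.csv
# There is no password column (unicodePwd cannot be written this way), so every
# account arrives disabled with the "password not required" flag set.

function Enable-ImportedUser {
    param([string]$userDn, [string]$initialPassword)
    $ACCOUNTDISABLE = 0x0002
    $PASSWD_NOTREQD = 0x0020
    $u = [ADSI]"LDAP://$userDn"
    $u.SetPassword($initialPassword)               # ADSI sets the password securely
    $uac = [int]$u.userAccountControl.Value
    # Clear both flags: leaving PASSWD_NOTREQD set allows an empty password to be
    # assigned later, bypassing the domain password policy.
    $uac = $uac -band (-bnot ($ACCOUNTDISABLE -bor $PASSWD_NOTREQD))
    $u.Put("userAccountControl", $uac)
    $u.Put("pwdLastSet", 0)                        # must change password at next logon
    $u.SetInfo()
}

# Run on the DC after the import has succeeded:
foreach ($h in $newHires) {
    $dn = "CN=$($h.First) $($h.Last),$($h.Ou),$domainDn"
    Enable-ImportedUser $dn 'Pa$$w0rd'             # lab-style initial password; assumption
}
```

The -k switch makes csvde skip rows whose sAMAccountName already exists rather than abort; check the csvde log afterwards, because a skipped row means a user who was never created and therefore never enabled by the second half.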

What Is Windows PowerShell?

Key Points

Windows PowerShell is an extensible scripting and command-line technology that developers and administrators can use to automate tasks in a Windows environment. Windows PowerShell is directly accessible through the new command shell, called PowerShell.exe. When you run Windows PowerShell from this command shell, you can perform many of the tasks you could perform using the traditional command shell (cmd.exe), plus many more. Windows PowerShell uses a set of small cmdlets that each perform a specific task, but that can also be combined in a pipeline to perform complex administrative tasks.

Question: What is the difference between the command prompt and Windows PowerShell?

Windows PowerShell Cmdlets

Key Points

Windows PowerShell is easy to learn because of its use of cmdlets, which follow a consistent verb-noun naming pattern. Pipelining is consistent across all cmdlets.

Question: List at least one important management cmdlet.

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Key Points

• Examine built-in cmdlet commands.
• Build complex commands using pipelines and auto-complete.
• Examine and run a pre-existing script.

Question: What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts? How can you address the disadvantages?
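The steps of the demonstration worked as an added example in PowerShell, using the [ADSI] type accelerator that the lab's CreateUser.ps1 also relies on (this script is not the course's). It creates and enables a user the way the dsadd example on the command-line tools page does, adds the user to a group, then finds the account again with a search whose results flow through the pipeline, escaping the value placed in the LDAP filter. The OU, group, domain and names are assumptions, and the script needs a domain controller.

```powershell
# Added example, not course material. OU, group, domain and names are assumptions.
$domainDn = "DC=WoodgroveBank,DC=com"                                       # assumption
$ou       = [ADSI]"LDAP://OU=ITAdmins,$domainDn"                            # assumption
$group    = [ADSI]"LDAP://CN=ITAdmins_WoodgroveGG,OU=ITAdmins,$domainDn"    # assumption

function New-DomainUser {
    param($container, [string]$first, [string]$last, [string]$sam, [string]$password)
    # Same result as: dsadd user "CN=..." -samid ... -fn ... -ln ... -display ... -pwd ...
    $user = $container.Create("user", "CN=$first $last")
    $user.Put("sAMAccountName", $sam)
    $user.Put("userPrincipalName", "$sam@WoodgroveBank.com")
    $user.Put("givenName", $first)
    $user.Put("sn", $last)
    $user.Put("displayName", "$first $last")
    $user.SetInfo()                         # the object must exist before SetPassword
    $user.SetPassword($password)
    $user.Put("userAccountControl", 512)    # NORMAL_ACCOUNT, ACCOUNTDISABLE clear
    $user.SetInfo()
    return $user
}

function ConvertTo-LdapFilterValue {
    param([string]$value)
    # RFC 4515 escaping. Without it, a supplied name such as "*)(objectClass=*"
    # rewrites the query (LDAP filter injection).
    $escaped = $value.Replace('\', '\5c')   # backslash first, it is the escape character
    foreach ($pair in @(@('*', '\2a'), @('(', '\28'), @(')', '\29'), @([string][char]0, '\00'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])
    }
    return $escaped
}

function Find-DomainUser {
    param([string]$ldapFilter, [string]$searchRoot)
    # What dsquery/dsget print, as objects the pipeline can filter and sort
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$searchRoot", $ldapFilter)
    $s.PageSize = 1000
    foreach ($p in "sAMAccountName", "displayName", "memberOf", "distinguishedName") {
        [void]$s.PropertiesToLoad.Add($p)
    }
    $s.FindAll() | Select-Object `
        @{Name = "SamAccountName";    Expression = { $_.Properties["samaccountname"][0] }},
        @{Name = "DisplayName";       Expression = { $_.Properties["displayname"][0] }},
        @{Name = "DistinguishedName"; Expression = { $_.Properties["distinguishedname"][0] }},
        @{Name = "MemberOf";          Expression = { @($_.Properties["memberof"]) }}
}

# Create the account and add it to the group (dsmod group ... -addmbr equivalent)
$keith = New-DomainUser $ou "Keith" "Harris" "Keith" 'Pa$$w0rd'
$group.Add($keith.psbase.Path)

# Query it back; MemberOf carries what "dsget user ... -memberof" prints.
$sam = ConvertTo-LdapFilterValue "Keith"
Find-DomainUser "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))" $domainDn |
    Where-Object { $_.MemberOf -match "ITAdmins_WoodgroveGG" } |
    Sort-Object DisplayName |
    Format-Table SamAccountName, DisplayName, DistinguishedName -AutoSize
```

The search root is the domain, so the query finds the account whatever OU it was moved to, which is the advantage the pipeline has over browsing the console; ConvertTo-LdapFilterValue matters as soon as the name comes from a ticket, a CSV or a web form rather than a literal in the script.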

Lesson 4: Using Queries to Locate Objects in AD DS

Some large organizations have thousands of user accounts in an AD DS domain. Even if these accounts are grouped into different OUs, it can still take some time to find a specific user in the domain. Windows Server 2008 provides several features in Active Directory Users and Computers that make it easier to locate these users.

Options for Locating Objects in AD DS

Key Points

There are several options available in the Windows Server 2008 administration tools that can increase the efficiency of looking for user accounts in domains with many users.

To sort the order of objects in Active Directory Users and Computers:

1. View the user accounts in their container in Active Directory Users and Computers.
2. Click any of the column headings to sort the order of the objects (either ascending or descending). You can also add more columns to the display and then sort the display based on the additional column.

To search for objects in Active Directory Users and Computers

Active Directory provides information about all objects on a network, including people, computers, printers, shared folders, groups, and OUs. It is easy to search for users, contacts, and groups by using the Find Users, Contacts, and Groups dialog box.

Using a command line

You can use the dsquery command to find users and computers in AD DS that match the specified search criteria.

Question: If an administrator were searching for a number of disparate users, would it be more efficient to use the graphical user interface or the command-line tool?

Demonstration: Searching AD DS

Key Points

• Create a saved query.
• Export a query to an .xml file.

Question: You need to update the phone number for a user. You have only been given the user's first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account?

Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this?

What Is a Saved Query?

Key Points

The Active Directory Users and Computers management tool has a Saved Queries folder in which you can create, edit, save, and organize saved queries. Saved queries use predefined LDAP strings to search only the specified domain partition, allowing you to focus searches on a single container object. You can also create a customized saved query that contains an LDAP search filter.

Queries are specific to the console on the domain controller on which they were created. After you successfully create your customized set of queries, you can copy the .msc file to other Windows Server 2008 domain controllers that are in the same domain and reuse the same set of saved queries. Queries can also be shared throughout the domain by exporting them to XML files and then importing those files on other domain controllers.

Question: List at least one way that saved queries help with the long-term maintainability of your organization.

Demonstration: Using a Saved Query

Key Points

• Create a saved query.
• Export a query to an .xml file.

Question: You need to find all user accounts in your AD DS domain that are no longer active. How would you do this?
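The LDAP searches behind a saved query, as an added worked example in PowerShell with System.DirectoryServices (not the course's own code), answering the question above: it lists enabled users whose lastLogonTimestamp is older than a threshold or who were created before it and have never logged on, lists disabled users, and reproduces the lab's department-prefix query. The domain, the 90-day threshold and the Investments prefix are assumptions; the functions need a domain controller.

```powershell
# Added example, not course material. Domain and thresholds are assumptions.
$domainDn  = "DC=WoodgroveBank,DC=com"   # assumption
$staleDays = 90                           # assumption

# objectCategory=person keeps computer accounts (a subclass of user) out.
$USER_FILTER = "(&(objectCategory=person)(objectClass=user))"
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; bit 2 is ACCOUNTDISABLE.
$DISABLED    = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

function Search-Domain {
    param([string]$filter, [string[]]$attributes)
    # The search a saved query or "dsquery * -filter" issues, returned as objects
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", $filter)
    $s.PageSize = 1000                        # page through the 1000-entry server limit
    foreach ($a in $attributes) { [void]$s.PropertiesToLoad.Add($a) }
    foreach ($r in $s.FindAll()) {
        $o = New-Object PSObject
        foreach ($a in $attributes) {
            $v = $null
            $key = $a.ToLower()                # result property names are lowercase
            if ($r.Properties.Contains($key)) { $v = $r.Properties[$key][0] }
            $o | Add-Member -MemberType NoteProperty -Name $a -Value $v
        }
        $o
    }
}

function Get-StaleUser {
    param([int]$days)
    # lastLogonTimestamp replicates to every DC but is refreshed only when the stored
    # value is 9 to 14 days old: good for "unused for 90 days", useless for "used
    # yesterday". Needs Windows Server 2003 domain functional level or higher.
    # Accounts that never logged on have no value at all, so test whenCreated for those.
    $cut     = (Get-Date).AddDays(-$days)
    $cutFile = $cut.ToFileTimeUtc()                                   # Int64 FILETIME
    $cutGen  = $cut.ToUniversalTime().ToString("yyyyMMddHHmmss.0Z")  # LDAP generalized time
    $filter  = "(&$USER_FILTER(!$DISABLED)" +
               "(|(lastLogonTimestamp<=$cutFile)" +
               "(&(!(lastLogonTimestamp=*))(whenCreated<=$cutGen))))"
    Search-Domain $filter @("sAMAccountName", "distinguishedName", "lastLogonTimestamp") |
        Select-Object sAMAccountName, distinguishedName,
            @{Name = "LastLogon"; Expression = {
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc([int64]$_.lastLogonTimestamp) } }}
}

function Get-DisabledUser {
    Search-Domain "(&$USER_FILTER$DISABLED)" @("sAMAccountName", "distinguishedName")
}

function Get-UserByDepartmentPrefix {
    param([string]$prefix)
    # The lab's Find_Investment_Users saved query: department starts with a value.
    # $prefix is a literal here; a value that comes from user input must be escaped
    # (RFC 4515: \2a \28 \29 \5c \00) before it is placed in the filter.
    Search-Domain "(&$USER_FILTER(department=$prefix*))" @("sAMAccountName", "department")
}

Get-StaleUser $staleDays | Sort-Object LastLogon | Format-Table -AutoSize
Get-DisabledUser | Measure-Object | Select-Object Count
Get-UserByDepartmentPrefix "Investments" | Format-Table -AutoSize
```

Treat the stale list as a review queue: disable the accounts first and delete only after a retention period, so that file ownership and audit records can still be resolved to a SID. The dsquery equivalents are dsquery user -inactive 13 (the number is in weeks) and dsquery user -disabled.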

Lab: Creating AD DS User and Computer Accounts

Scenario

Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server 2008. As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.

Exercise 1: Creating and Configuring User Accounts

In this exercise, you will create and configure user accounts. You will create a template and a user account based on the template. Finally, you will create a saved query and verify its ability to return expected search results.

The main tasks are as follows:

1. Start the virtual machines, and then log on.
2. Create a new user account.
3. Modify Kerim Hanif's user account properties.
4. Create a template for the New York Customer Service department.
5. Create a new user account based on the customer service template.
6. Modify the user account properties for all customer service representatives in New York.
7. Modify the user account properties for all Branch Managers.
8. Create a saved query to find all investment users.

Task 1: Start the virtual machines, and then log on

1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create a new user account

1. On NYC-DC1, open Active Directory Users and Computers.
2. In the ITAdmins OU, create a new user with the following parameters:
   • First name: Kerim
   • Last name: Hanif
   • Full name: Kerim Hanif
   • User logon name: Kerim
   • Password: Pa$$w0rd
3. On NYC-CL1, verify that you can log on as Kerim, with a password of Pa$$w0rd. When prompted, change the password to Pa$$w0rd1.
4. Log off from NYC-CL1.

Task 3: Modify Kerim Hanif's user account properties

1. Modify the user account properties for Kerim Hanif's account as follows:
   • Telephone number: 204-555-0100
   • Office: Downtown
   • E-mail: Kerim@WoodgroveBank.com
   • Remote Access Permission: Allow access
   • Logon Hours: Mon-Fri, 8:00 A.M. to 5:00 P.M.
2. Add Kerim to the ITAdmins_WoodgroveGG group.

Task 4: Create a template for the New York Customer Service department

• In the CustomerService OU, create and configure a user account with the property settings in the following table:

   Property              Value
   First name            CustomerService
   Last name             Template
   Full name             CustomerService Template
   User logon name       _CustomerServiceTemplate
   Password              Pa$$w0rd
   Description           Customer Service Representative
   Office                New York Main Office
   Member Of             NYC_CustomerServiceGG
   Department            Customer Service
   Logon Hours           6:00 A.M. to 6:00 P.M., Monday to Friday
   Disable the account   Selected

Task 5: Create a new user account based on the customer service template

1. Copy the CustomerService Template and create a new user with the following parameters:
   • First name: Sunil
   • Last name: Koduri
   • User logon name: Sunil
   • Password: Pa$$w0rd
2. Enable the account.

Task 6: Modify the user account properties for all customer service representatives in New York

1. In the CustomerService OU, update the properties of all the users to reflect the following information:
   • Description: Customer Service Representative
   • Office: New York Main Office
   • Department: Customer Service
2. View the properties of one of the user accounts in the OU to confirm that the Description, Office, and Department attributes have been updated.

Task 7: Modify the user account properties for all Branch Managers

1. In Active Directory Users and Computers, search the WoodgroveBank.com domain. Use an advanced search and search for all user accounts that have a job title of Branch Manager.
2. Select all of the user accounts located by the search, and add them to the BranchManagersGG group.

Task 8: Create a saved query to find all investment users

1. In Active Directory Users and Computers, create a new saved query named Find_Investment_Users that will search for all users with a department attribute that starts with Investments.
2. Verify that the query displays all the users in the Investment departments in each city.

Result: At the end of this exercise, you will have created and configured user accounts. You will have created a template and a user account based on the template, and you will have created a saved query and verified its ability to return expected search results.

Exercise 2: Creating and Configuring Computer Accounts

In this exercise, you will create and configure computer accounts, delete a computer account, and join a computer to an AD DS domain.

The main tasks are as follows:

1. Create a computer account by using Active Directory Users and Computers.
2. Delete a computer account in AD DS.
3. Join a computer to an AD DS domain.

Task 1: Create a computer account by using Active Directory Users and Computers

1. On NYC-DC1, in Active Directory Users and Computers, create a new computer account named Vista1 in the Computers container.
2. Configure the computer account settings so that Doris Krieger can join the computer to the domain.

Task 2: Delete a computer account in AD DS

1. In Active Directory Users and Computers, delete the NYC-CL1 computer account.
2. On NYC-CL1, attempt to log on as Axel with a password of Pa$$w0rd.
3. On NYC-CL1, log on as a local Administrator with a password of Pa$$w0rd.

Task 3: Join a computer to an AD DS domain

1. Access the System control panel, and click Change settings.

   Note: You will be prompted to authenticate. Authenticate as Administrator with a password of Pa$$w0rd.

2. Change the computer name to NYC-CL3 and configure the computer to be a member of a workgroup called WORKGROUP.

3. Restart the computer.
4. On NYC-CL3, log on as Administrator with a password of Pa$$w0rd.
5. Access the System control panel, and click Change settings.
6. Configure the computer to be a member of the WoodgroveBank.com domain.
7. Use the administrator credentials to join the computer to the domain.
8. Restart the computer.
9. After the computer restarts, verify that you can log on as WoodgroveBank\Axel with a password of Pa$$w0rd.
10. On NYC-DC1, in Active Directory Users and Computers, verify that the NYC-CL3 account was added to the domain.

Result: At the end of this exercise, you will have created and configured computer accounts, deleted a computer account, and joined a computer to an AD DS domain.

Exercise 3: Automating the Management of AD DS Objects

Woodgrove Bank is opening a new Houston branch. The HR department has provided you with a file that includes all of the new users that are being hired for the Houston location. You need to import the user accounts into AD DS, and then activate and assign passwords to all of the accounts. You also need to modify the user properties for the Houston users by updating the city information.

Woodgrove Bank is also planning on starting a Research and Development department in the NYC location. You need to create a new OU for the research and development (R&D) department in the Woodgrove Bank domain, and import and configure new user accounts into AD DS.

The main tasks are as follows:

1. Modify and use the Importusers.csv file to import a group of users into AD DS.
2. Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account.
3. Modify and use the Modifyusers.ldf file to prepare for modifying the properties for a group of users in AD DS.
4. Run the CreateUser.ps1 script to add new users to AD DS.

Task 1: Modify and use the Importusers.csv file to import a group of users into AD DS

1. On NYC-DC1, browse to E:\Mod02\Labfiles and open ImportUsers.csv with Notepad.
2. Examine the header information required to create OUs and user accounts.
3. Copy and paste the contents of the ImportUsers.txt file into the ImportUsers.csv file, starting with the second line.
4. Save the file as C:\import.csv.
5. At the command prompt, type csvde -i -f C:\import.csv and then press ENTER.
6. In Active Directory Users and Computers, verify that the Houston OU and five child OUs were created, and that several user accounts were created in each OU.

Task 2: Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account

1. On NYC-DC1, in E:\Mod02\Labfiles, edit Activateusers.vbs.
2. Modify the container value in the second line to: OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com
3. Modify the container values in the additional lines at the end of the script to include the following OUs, and then save the file:
   • OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com
   • OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com
   • OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com
   • OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
4. Save the file as c:\Activateusers.vbs, and then run it using Cscript c:\Activateusers.vbs.
5. In Active Directory Users and Computers, browse to the Houston OU, and then confirm that the user accounts in all child OUs are activated.

Task 3: Modify and use the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS

1. On NYC-DC1, export all of the user accounts in the Houston child OUs by using the following command:

   ldifde -f c:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "objectClass=user" -l physicalDeliveryOfficeName

   Note: The filter objectClass=user also matches computer accounts, because the computer class inherits from user. If any Houston OU contains computer objects, use -r "(&(objectCategory=person)(objectClass=user))" instead so that the modify file touches only users.

2. Edit the C:\Modifyusers.ldf file.
3. On the Edit menu, use the Replace option to replace all instances of changetype: add with changetype: modify.
4. After each changetype line, add the following lines:

   replace: physicalDeliveryOfficeName
   physicalDeliveryOfficeName: Houston

5. At the end of the entry for each user, add a dash (-) on its own line followed by a blank line.

6. Save the file as C:\Modifyusers.ldf.
7. At the command prompt, type ldifde -i -f c:\Modifyusers.ldf and then press ENTER.
8. In Active Directory Users and Computers, verify that the Office attribute for the user accounts in Houston has been updated with the Houston location.

Task 4: Modify and run the CreateUser.ps1 script to add a new user to AD DS

1. On NYC-DC1, in E:\Mod02\LabFiles, open CreateUser.ps1.
2. Under #Assign the location where the user account will be created, note the entry $objADSI = [ADSI]"LDAP://ou=ITAdmins,DC=WoodgroveBank,DC=com".
3. Enable script execution in Windows PowerShell by typing the following at a Windows PowerShell prompt, and then pressing ENTER: Set-ExecutionPolicy AllSigned

   Note: You will be prompted to authenticate. Authenticate as Administrator with a password of Pa$$w0rd.

   Note: AllSigned runs only scripts that carry a valid signature from a trusted publisher. If CreateUser.ps1 is not signed, Windows PowerShell will refuse to run it; RemoteSigned allows unsigned scripts that were created locally while still requiring a signature on downloaded scripts.

4. Run the script: E:\Mod02\Labfiles\CreateUser.ps1
5. In Active Directory Users and Computers, in the ITAdmins OU, verify that the user Jesper has been created.

Result: At the end of this exercise, you will have examined several options for automating the management of user objects.

Task 5: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes.
3. Click OK.
4. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions

1. You are responsible for managing accounts and access to resources for members of your group. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous user's account?
2. You are responsible for maintaining the servers in your organization. You want to enable other administrators in the organization to determine the physical location of each server without adding any additional administrative tasks or creating any additional documents. How can you do this?
3. A user in your group must create a test lab with 24 computers that will be joined to the domain, but the accounts must be created in a separate OU. What is the best way to do this?

4. You are responsible for managing computer accounts for your group. A user reports that they cannot log on to the domain from a specific computer but can log on from other computers. What should you do?
5. To accelerate the process of creating new accounts when new employees enter your group, you create a series of account templates that you use to create new user accounts and groups. You are notified that a user with an account that was created by using one of the non-manager account templates has been accessing files that are restricted to the Managers group. What should you do?
6. You have determined the best ways to search for Active Directory objects and documented your recommended search criteria. However, the administrators tell you that it is taking too long to create and then run the search. After further research, you determine that most of the systems administrators are searching for the same information. What can you do to accelerate the search process?

Considerations for Managing AD DS User and Computer Accounts

When managing AD DS user and computer accounts, consider the following:

• If your organization typically creates large numbers of user accounts at the same time, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate the process of creating the accounts. These tools can save a great deal of time when adding or modifying multiple accounts.
• Consider delegating permissions to create and manage user accounts in your AD DS domain. You can delegate permissions at the domain or OU level.
• Complex passwords are more difficult for users to remember, but they are also the most important first step in maintaining AD DS security. At a minimum, you should retain the password complexity requirements in a Windows Server 2008 domain.

Module 3: Creating Groups and Organizational Units

Contents:

Lesson 1: Introduction to AD DS Groups   3-3
Lesson 2: Managing Groups   3-17
Lesson 3: Creating Organizational Units   3-22
Lab: Creating an OU Infrastructure   3-29

Module Overview

One of the primary functions of a directory service such as Active Directory Domain Services (AD DS) is to provide authorization for access to network resources. Ultimately, access to network resources is based on the individual user accounts. However, in most cases, you do not want to administer access to resources by using individual user accounts. In a large company, this would result in significant administrative effort. Because it is difficult to manage access to network resources by using individual user accounts, you must learn to create group objects to manage large collections of users simultaneously.

In an Active Directory domain, you can organize users and computers in organizational units (OUs). You use an OU to group and organize objects for administrative purposes, such as delegating administrative rights and assigning Group Policy settings to a collection of objects as a single unit.

Lesson 1: Introduction to Groups

A group is a collection of user or computer accounts. You use groups to efficiently manage access to domain resources, which helps simplify network management and administration. You can use groups separately, or you can put one group within another to simplify administration even more. This lesson describes how to use and configure groups.

What Are Groups?

Key Points

Groups are a logical collection of AD DS objects, such as users, computers, or other groups. Groups can be made up according to departments, locations, or resources. Groups are an important administrative tool for simplifying administration, and enable you to assign permissions for resources to multiple users or computers concurrently instead of individually.

Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are attached to objects.

Note: Groups can be converted from distribution to security (or vice versa) if the domain functional level is Microsoft Windows 2000 native or a later version.

Group Scopes

There are three group scopes available:

• Domain Local
• Global
• Universal

Scope is separate from group type: every group is either a security group, which can be assigned rights and permissions, or a distribution group, which cannot and is used only for e-mail distribution.

Question: Describe a situation where you would use a distribution group instead of a security group.

AD DS Domain Functional Levels

Key Points

Functional levels determine the available AD DS domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you will never add domain controllers that run Microsoft Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process. However, if you might retain or add domain controllers that run Windows Server 2003, select the Windows Server 2003 functional level.

After you raise the domain or forest functional level, you cannot go back to a lower functional level.

Question: What domain functional level do you currently have in your organization? If you don't know, what functional level do you think you should have?

What Are Global Groups?

Key Points

A global group is a security or distribution group that can contain users, groups, and computers that are from the same domain as the global group. You can use global security groups to assign user rights, delegate authority to AD DS objects, or assign permissions to resources in any domain in the forest or any other trusting domain in another forest.

Global groups exist at every domain functional level; however, a global group can contain other global groups only when the domain functional level is Windows 2000 native, Windows Server 2003, or Windows Server 2008.

Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts. Because the membership of a group with global scope is not replicated to the global catalog, you can change the accounts in a global group frequently without generating replication traffic to the global catalog.

Question: In what ways could you use global groups in your organization?

ISLAMSC. At the Windows 2000 native domain functional level and higher. STUDENT USE PROHIBITED What Are Universal Groups? Key Points A universal group is a security or distribution group that can contain users. groups.Creating Groups and Organizational Units 3-9 MCT USE ONLY. Any changes to the membership of this type of group cause the entire membership of the group to be replicated to every global catalog in the forest. although distribution groups with universal scope are still permitted. You can use universal security groups to assign user rights and permissions to resources in any domain in the forest. universal groups are available for both distribution and security groups. you shouldn't change the membership of a group with universal scope frequently. security groups with universal scope cannot be created. When the domain functional level is set to Windows 2000 mixed.COM . Therefore. and computers from any domain in its forest. Question: In what ways could you use universal groups in your organization? WWW. Changes to the universal groups are registered in the Global Catalog.

What Are Domain Local Groups?

Key Points

A domain local group is a security or distribution group that can contain user accounts from the local domain, any domain in the forest, or any trusted domain. Domain local groups also can contain universal or global groups from any domain in the forest or any trusted domain, and domain local groups from the local domain.

• Use a domain local group to assign permissions to resources that are located in the same domain as the domain local group.
• You can put all global groups that have to share the same resources into the appropriate domain local group.

Domain local groups exist at every domain functional level; however, a domain local group can contain other domain local groups only when the domain functional level is Windows 2000 native or higher.

Question: How could you provide members of a Sales department that travel frequently between domains in a multi-city company with access to printers on various domains that are managed by using domain local groups?

What Are Local Groups?

Key Points

A local group is a collection of user accounts or domain groups that is created on a member server of an AD DS domain, a stand-alone server, or a workstation. You can create local groups to grant permissions for resources residing on the local computer. Local groups can contain local or domain user accounts, as well as computers, global groups, universal groups, and domain local groups from the computer's own domain.

You cannot create local groups on AD DS domain controllers. Domain controllers do not have local users and groups, because the only security database located on a domain controller is the AD DS database.

Note: Because groups that have a domain local scope also are known as local groups, it is important to distinguish between a local group and a group that has a domain local scope. Local groups also are known as machine local groups to distinguish them from domain local groups.

Question: Describe a situation where you would use a local group instead of one of the domain groups.

Discussion: Identifying Group Usage

Key Points

Discuss these scenarios with the classroom, led by your instructor.

What Is Group Nesting?

Key Points

When you use nesting, you add a group as a member of another group. You can use nesting to consolidate group management and reduce the replication traffic caused by changes in group membership. Nesting increases the number of member accounts that are affected by a single action.

Group nesting is available when the domain functional level is Windows 2000 native, Windows Server 2003, or Windows Server 2008.

Note: You should avoid nesting multiple levels of groups. Tracking permissions is more complex with multiple levels.

The following are best practices:

• AGDLP – Accounts, Global, Domain Local, Permissions
  • Take accounts and place them into Global groups.
  • The Global group is then placed (nested) within the Domain Local group.
  • Permission is assigned to the Domain Local group.
• AGUDLP – Accounts, Global, Universal, Domain Local, Permissions
  • In this practice, the Global group is first nested within a Universal group.

Question: Describe a scenario where you could use nesting in your organization to simplify management.
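As an added example (not from the course), the following script implements the AGDLP pattern end to end with the Windows Server 2008 directory service command-line tools and Icacls: accounts into a global group, the global group nested into a domain local group, and the permission assigned only to the domain local group. It assumes it runs on a domain controller or a server with the tools installed, by a user allowed to create groups; the group names, the share path and the user DN are assumptions.

```powershell
# Added example (not part of the course): AGDLP for one shared folder.
# Names, paths and the user DN below are assumptions for illustration.

$domainDn = 'dc=WoodgroveBank,dc=com'
$domainNb = 'WOODGROVEBANK'
$global   = 'VAN_MarketingGG'
$domLocal = 'VAN_MarketingShare_Modify_DL'
$folder   = 'D:\Shares\Marketing'

# A -> G: accounts go into a global group (-scope g). -secgrp yes makes it a
# security group; a distribution group has no SID use in a DACL.
dsadd group "cn=$global,cn=Users,$domainDn" -samid $global -secgrp yes -scope g
dsmod group "cn=$global,cn=Users,$domainDn" -addmbr "cn=Yvonne McKay,cn=Users,$domainDn"

# DL: the domain local group (-scope l) is the only principal the resource's ACL
# will reference; its name says which resource and which access level.
dsadd group "cn=$domLocal,cn=Users,$domainDn" -samid $domLocal -secgrp yes -scope l

# G -> DL: nest the global group inside the domain local group.
dsmod group "cn=$domLocal,cn=Users,$domainDn" -addmbr "cn=$global,cn=Users,$domainDn"

# P: assign the permission to the domain local group. (OI)(CI) makes the ACE
# inheritable by files and subfolders; M is the Modify standard permission.
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
icacls $folder /grant "${domainNb}\${domLocal}:(OI)(CI)M"

# Verify from the resource side: expand DL -> G -> accounts, then show the ACL.
dsget group "cn=$domLocal,cn=Users,$domainDn" -members -expand
icacls $folder
```

With this layout, giving a new marketing employee access is a single dsmod -addmbr on the global group, and the folder's ACL never changes; that is the management simplification the topic is after, and it also keeps the ACL small enough to review.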

Discussion: Strategies for Nesting AD DS Groups

Key Points

Discuss these scenarios with the classroom, led by your instructor.

Lesson 2 Managing Groups

As an AD DS administrator, you will spend much of your time creating and administering groups. The administration tasks could include selecting group names, creating groups, and adding members to groups. This lesson describes how to perform these tasks.

Considerations for Naming Groups

Key Points

A large organization might have many security and distribution groups. A standardized naming convention can help you locate and identify groups more easily. Keeping the names concise, and using departmental, geographic, or project names, all are helpful ways to identify groups more easily.

Question: You want to create a security group for the finance department at Contoso Corporation. Contoso has worldwide locations; however, the finance department is only located in the New York office. Within the finance department, there are separate departments for accounts receivable and accounts payable. How many security groups would you create? What would be the name(s) for the security group(s) you would create?

Demonstration: Creating Groups

Key Points

• Create a security group.
• Create a distribution group.

Question: Your organization requires a group that can be used to send e-mail to users in multiple domains. The group will not be used to assign permissions. What type of group should you create?

Question: Which group scope can be assigned permissions in any domain or forest?

Identifying Group Membership

Key Points

Use Active Directory Users and Computers to determine the membership status of both users and groups. All user accounts have a Member Of attribute that lists all the groups of which the user is a member. All groups have a Members attribute and a Member Of attribute. The Members attribute lists all user accounts or other group accounts that are members of the group, while the Member Of tab indicates into which groups the group has been added or nested.

The Managed By tab on the properties of a group lists the users or groups that manage the group. You can easily delegate administration of the group on this tab.

Question: In what ways can the Members tab and the Member Of tab simplify management of groups?
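The Members and Member Of tabs only show direct membership. The following added example (not course code) reads the same attributes from a script through the LDAP ADSI provider and goes one step further: it compares a user's direct memberOf with the effective membership the domain controller computes (the tokenGroups constructed attribute, which follows nesting and includes the primary group that memberOf omits), and it expands a group's members recursively while recording the nesting depth. It assumes a domain-joined computer and the lab's domain; the user and group DNs are assumptions.

```powershell
# Added example (not part of the course): direct vs effective membership, and
# recursive expansion of a group's members. DNs are assumptions (lab domain).

$domain = 'dc=WoodgroveBank,dc=com'

# Member Of, direct: the memberOf attribute. Effective: tokenGroups, computed by
# the DC through all nesting levels, returned as SID byte arrays.
function Get-UserMembership {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $direct = @($user.memberOf)
    $user.RefreshCache(@('tokenGroups'))
    $effective = @()
    foreach ($bytes in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $effective += $name
    }
    New-Object PSObject -Property @{ Direct = $direct; Effective = $effective }
}

# Members, expanded: walk the member attribute recursively, recording depth,
# with a guard against circular nesting (group A in B, B in A).
function Expand-GroupMember {
    param([string]$GroupDn, [int]$Depth = 0, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.member)) {
        $member = [ADSI]"LDAP://$memberDn"
        New-Object PSObject -Property @{
            Depth = $Depth
            Class = $member.SchemaClassName
            Name  = [string]$member.sAMAccountName
            DN    = $memberDn
        }
        if ($member.SchemaClassName -eq 'group') {
            Expand-GroupMember -GroupDn $memberDn -Depth ($Depth + 1) -Seen $Seen
        }
    }
}

$m = Get-UserMembership -UserDn "cn=Yvonne McKay,cn=Users,$domain"
'Direct (memberOf):';       $m.Direct
'Effective (tokenGroups):'; $m.Effective

$tree = Expand-GroupMember -GroupDn "cn=VAN_MarketingGG,cn=Users,$domain"
$tree | Sort-Object Depth | Format-Table Depth, Class, Name, DN -AutoSize
# Depth above 1 means more than one level of nesting, which the earlier note advises against.
if (($tree | Measure-Object -Property Depth -Maximum).Maximum -gt 1) {
    Write-Warning 'Multi-level group nesting found; permissions will be harder to track.'
}
```

The effective list is the one that matters for access decisions, because it is what ends up in the user's access token; a user whose direct memberOf looks harmless can still hold rights through a nested group, which is why reviews should use the expanded view rather than the tabs alone.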

Demonstration: Modifying Group Scope and Type

Key Points

• In Active Directory Users and Computers, open a group and change its group type.
• Change the group scope to a different scope.
• Return the group type to its original setting.

Question: Describe a situation where you would want to change a group type.

Question: List some problems that may arise from changing a group type from security to distribution.

Lesson 3 Creating Organizational Units

Another option for collecting several user and computer accounts for administrative purposes is to create organizational units (OUs). In this lesson, you will learn to create OUs. You also will learn about the available options for creating OU hierarchies, and how to move objects between OUs.

What Is an Organizational Unit (OU)?

Key Points

An OU is an AD DS object that is contained in a domain. You can use OUs to organize hundreds of thousands of directory objects into manageable units. OUs are useful in grouping and organizing objects for administrative purposes, such as delegating administrative rights and assigning policies to a collection of objects as a single unit.

Question: Describe an example of how you can create an OU to isolate file and print server accounts, and allow only a particular administrator to access these accounts.

What Is an OU Hierarchy?

Key Points

AD DS OUs are used to create a hierarchical structure within a domain. By creating an OU structure, you are grouping objects that you can administer as a unit. For example, if all the computers that are used by IT administrators must be configured in a certain way, you can group all the computers in an OU, and assign a policy to manage the computers in the OU.

An organizational hierarchy should logically represent an organizational structure. That organization could be based on geographic, functional, resource-based, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as flexibly and effectively as possible.

Question: What is one advantage of the OU structure being invisible to end-users?

OU Hierarchy Examples

Key Points

Organizations may deploy OU hierarchies by using several different models.

Departmental OU

A departmental OU is based only on the organization's business functions, without regard to geographical location or divisional barriers. This approach works well for small organizations with a single location.

Geographic OUs

If the organization has multiple locations and network management is distributed geographically, you should use a location-based hierarchy. For example, you might decide to create OUs for New York, Toronto, and Miami in a single domain.

Resource OUs

Resource OUs are designed to manage resource objects (non-users such as client computers, servers, or printers). Resource-based OUs can simplify software installations or printer selections based on Group Policies. This design is most useful when all resources of a given type are managed in the same manner.

Management-based OUs

Management-based OUs reflect the various administrative divisions within the organization by mirroring its structure in the OU structure. Responsibilities to manage users and groups, when they are placed into nested departmental OUs, can be delegated to managers of those departments.

The eventual OU design should represent how the business will be administered. Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you must consider when you design Group Policy and select the scenarios to use for your organization.

Question: How would you structure the OU hierarchy in your organization? If you already have an OU structure in your organization, would you make any changes based on this information?

Demonstration: Creating OUs

Key Points

• Create a new OU named Vancouver.
• Create sub-OUs within the newly created OU.
• Place two user accounts in Marketing: Claus Hansen and Arno Harteveld.
• Create several other objects within OUs.

Question: When you move a user, what can happen to the user in regards to Group Policy and delegated authority?

Question: Why would you locate user accounts and computer accounts in separate OUs?

OUs and Groups Summary

Key Points

The main difference between OUs and groups is that security groups can be used as security principals, whereas OUs cannot be used to apply permissions.

If your organization typically creates many user groups or OUs at the same time, explore using LDIFDE, CSVDE, or Windows PowerShell™ scripts to automate creating the accounts. These tools can save you significant time when you are adding or modifying multiple AD DS objects.

Question: You have a collection of users that you want to give permissions to access certain file servers. Would you create an OU or a group for these users? Describe the reason for your choice.
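As an added example (not from the course), the following script shows the two import tools the summary names working together: CSVDE creates user accounts in bulk from a constructed CSV file, and LDIFDE then adds them to a group. CSVDE can only create objects, whereas LDIFDE can also modify and delete them, which is why the membership change is an LDIF change record. It assumes a domain controller of the lab domain; the file paths, the target OU and the two user names are assumptions.

```powershell
# Added example (not part of the course): bulk-create users with CSVDE, then
# modify a group with LDIFDE. Paths, OU and names are assumptions.

$ou = 'ou=Marketing,ou=Vancouver,dc=WoodgroveBank,dc=com'

# Constructed input. The first line names the attributes; each later line is one
# object. userAccountControl 514 = normal account + disabled, so the accounts
# cannot be used until an administrator sets a password and enables them.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
"cn=Claus Hansen,$ou",user,Claus,Claus@WoodgroveBank.com,Claus Hansen,514
"cn=Arno Harteveld,$ou",user,Arno,Arno@WoodgroveBank.com,Arno Harteveld,514
"@
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
Set-Content -Path 'C:\Temp\newusers.csv' -Value $csv -Encoding ASCII

# -i import, -f input file, -k continue past "object already exists" errors,
# -j directory for the csv.log / csv.err log files
csvde -i -f C:\Temp\newusers.csv -k -j C:\Temp

# LDIF change record: add both accounts to the Marketing global group. The
# lone "-" line terminates the modify operation.
$ldif = @"
dn: cn=VAN_MarketingGG,$ou
changetype: modify
add: member
member: cn=Claus Hansen,$ou
member: cn=Arno Harteveld,$ou
-
"@
Set-Content -Path 'C:\Temp\addmembers.ldf' -Value $ldif -Encoding ASCII
ldifde -i -f C:\Temp\addmembers.ldf -k -j C:\Temp

# Verify the result from the command line.
dsget group "cn=VAN_MarketingGG,$ou" -members
```

Creating the accounts disabled is deliberate: an import file is an attractive place for a weak shared password to creep in, and the two-step approach (create disabled, then enable once a proper password is set) keeps the import itself free of credentials.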

Lab: Creating an OU Infrastructure

Scenario

Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS on servers running Windows Server 2008. Woodgrove Bank is opening a new subsidiary in Vancouver, and they need an OU design for the subsidiary. One of your primary tasks will be to create a new OU design and move users from current positions to the new subsidiary.

Exercise 1: Creating AD DS Groups

In this exercise, you will create three new groups by using Active Directory Users and Computers. You will create one group by using Dsadd. You will add users to the groups and inspect the results.

The main tasks are as follows:

1. Start the virtual machines, and then log on.
2. Create three groups using Active Directory Users and Computers.
3. Create a group using the Dsadd command-line tool.
4. Add members to the new groups.
5. Inspect the contents of the Vancouver groups.

Task 1: Start the virtual machines, and then log on

1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create three groups using Active Directory Users and Computers

1. On NYC-DC1, open Active Directory Users and Computers.
2. In the WoodgroveBank.com domain, create a new group in the Users container using the following parameters:
   • Group Name: VAN_BranchManagersGG
   • Scope: Global
   • Type: Security
3. Repeat step 2 to create two more groups that have the same scope and type. The two group names are as follows:
   • VAN_CustomerServiceGG
   • VAN_InvestmentsGG

Task 3: Create a group using the Dsadd command-line tool

1. At a command prompt, enter the following command:

   dsadd group "cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid VAN_MarketingGG -secgrp yes -scope g

2. Press ENTER.
3. Use the Find command to locate the new group in the WoodgroveBank.com domain.

Task 4: Add members to the new groups

1. In Active Directory Users and Computers, search the WoodgroveBank.com domain by using the standard Find box to find each of the user accounts listed in the table in step 2.
2. Add each worker to the groups indicated in the following table:

   Find                 Add to group
   Neville Burdan       VAN_BranchManagersGG
   Suchitra Mohan       VAN_BranchManagersGG
   Anton Kirilov        VAN_CustomerServiceGG
   Shelley Dyck         VAN_CustomerServiceGG
   Barbara Moreland     VAN_InvestmentsGG
   Nate Sun             VAN_InvestmentsGG
   Yvonne McKay         VAN_MarketingGG
   Monika Buschmann     VAN_MarketingGG
   Bernard Duerr        VAN_MarketingGG

Task 5: Inspect the contents of the Vancouver groups

1. In Active Directory Users and Computers, click the Users container in WoodgroveBank.com.
2. In the contents view area, right-click VAN_BranchManagersGG, and view its properties. Open the Members tab and observe that Neville Burdan and Suchitra Mohan are now members.

Result: At the end of this exercise, you will have created three new groups by using Active Directory Users and Computers, and one new group by using Dsadd. You also will have added users to the groups and inspected the results.

Exercise 2: Planning an OU Hierarchy (Discussion)

In this exercise, you will discuss and determine how to plan an OU hierarchy.

Scenario

A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have the following departments:

• Management
• Customer Service
• Marketing
• Investments

The OU hierarchy has to support delegation of administrative tasks to users within that organizational unit.

Discussion Questions

1. Which approach to extending the organizational hierarchy of WoodgroveBank.com is the most likely to be applied in creating the new subsidiary's resources: Geographic, Organizational, or Functional? Why?
2. What would be the most logical way to additionally subdivide the subsidiary's organizational unit (Geographic, Organizational, or Functional)?
3. What does the pattern of naming second-level OUs in other centers suggest for the new Vancouver OU?
4. What would be a simple but effective way of delegating administrative tasks (such as adding users and computers to the domain, and changing user properties such as password resets and employee contact details) to certain users within a department?

Result: At the end of this exercise, you will have discussed and determined how to plan an OU hierarchy.

Exercise 3: Creating an OU Hierarchy

In this exercise, you will use the output from the previous discussion to create an OU structure for the new Vancouver subsidiary of WoodgroveBank.com. Additionally, you will populate the groups that have the members of the corresponding departments, and add groups to the appropriate OUs. You also will move users (see list in this section) from other subsidiaries into groups, and update the descriptions of the user accounts that have been moved into the new subsidiary. The benefit of having OUs based on administrative units is in delegating administrative responsibilities to members of those units.

You will create OUs in two ways:

• In Active Directory Users and Computers, by using an MMC snap-in
• In Directory Service Tools, by using the Dsadd command-line tool

The main tasks are as follows:

1. Create OUs using Active Directory Users and Computers.
2. Create an OU using Dsadd.
3. Nest an OU inside another OU.
4. Move groups that you created in Exercise 1 into the appropriate OUs.
5. Find and move users into Vancouver OUs.
6. Delegate control over an OU.
7. Test delegated user rights.
8. Close all virtual machines, and discard undo disks.

Task 1: Create OUs using Active Directory Users and Computers

1. On NYC-DC1, open Active Directory Users and Computers.
2. At the root level of WoodgroveBank.com, create a new OU called Vancouver.
3. Inside the Vancouver OU, create three OUs with the following names:
   • BranchManagers
   • CustomerService
   • Marketing

Task 2: Create an OU using Dsadd

1. Click Start, click Run, and then type cmd to open a command-line window.
2. Type the following command at the command prompt:

   dsadd ou "ou=Investments,dc=WoodgroveBank,dc=com" -desc "Investment department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd

3. Press ENTER.
4. In Active Directory Users and Computers, refresh the WoodgroveBank.com domain object, and note the presence of the new OU.

Task 3: Nest an OU inside another OU

1. Move the new Investments OU from the WoodgroveBank.com domain level into the Vancouver OU. Click OK to dismiss the warning message.

   Note: There is a potential risk associated with the movement of security groups from one OU into another. Group Policies that are in effect in one OU may no longer be applied in the new location. By default, AD DS notifies administrators of that risk whenever a group is moved between OUs.

2. In Active Directory Users and Computers, refresh the object tree.

Task 4: Move groups that you created in Exercise 1 into the appropriate OUs

1. In Active Directory Users and Computers, locate the remaining groups that you created in Exercise 1 for the new Vancouver subsidiary in the WoodgroveBank.com domain.
2. Move the following groups into the following Vancouver OUs:
   • VAN_MarketingGG group to Vancouver\Marketing OU
   • VAN_BranchManagersGG group to Vancouver\BranchManagers OU
   • VAN_InvestmentsGG group to Vancouver\Investments OU
   • VAN_CustomerServiceGG group to Vancouver\CustomerService OU

   Note: There are several ways to move objects between OUs in Active Directory Users and Computers. You can use the Move command, drag the object into a new OU, or use the Cut and Paste commands.

Task 5: Find and move users into Vancouver OUs

• Use Active Directory Users and Computers to find and move the following users into the OUs that the following table lists:

   Find                 Move to Vancouver OU
   Neville Burdan       BranchManagers
   Suchitra Mohan       BranchManagers
   Anton Kirilov        CustomerService
   Shelley Dyck         CustomerService
   Barbara Moreland     Investments
   Nate Sun             Investments
   Yvonne McKay         Marketing
   Monika Buschmann     Marketing
   Bernard Duerr        Marketing

Task 6: Delegate control over an OU

1. In Active Directory Users and Computers, select the Vancouver\Marketing OU, and open the Delegation of Control Wizard.
2. Add Yvonne McKay to the selected users and groups list, and then click Next.
3. Delegate to her the following common tasks:
   • Create, delete, and manage user accounts
   • Reset user passwords and force password change at next logon
   • Create, delete and manage groups
   • Modify the membership of a group
4. Click Next, and then click Finish.

Task 7: Test delegated user rights

1. On NYC-SVR1, log on with the account WoodgroveBank\Yvonne and the password Pa$$w0rd.
2. Start Server Manager as an Administrator. Provide the domain administrator credentials when prompted.
3. Install the Active Directory Domain Services Tools feature, and let the installation complete.

   Note: This feature is under Remote Server Administration Tools.

4. When prompted, restart the computer and log on as Yvonne.
5. Start Active Directory Users and Computers.
6. Reset the password of Monika Buschmann using the password Pa$$w0rd again. You should see the following message: "Password for Monika Buschmann has been changed."
7. Try to move a user from the Miami BranchManagers OU into the Vancouver BranchManagers OU. You should see the following message: "Windows cannot move object [user name] because: Access denied."
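The lab performs Exercise 1 (groups and members) and Exercise 3 (OUs, moves and delegation) by hand. The following added script (not course material) carries out the same tasks on NYC-DC1 with the Windows Server 2008 ds* tools so that the result is repeatable, and adds two checks the lab does by eye: it lists the OU tree, and it reads back with Dsacls the ACEs that the Delegation of Control Wizard granted to Yvonne in Task 6. The membership and OU tables are the lab's own; everything else (the OU description, the verification commands) is an assumption.

```powershell
# Added example (not part of the course): Exercise 1 and Exercise 3 as one script
# for NYC-DC1. Tables are the lab's; the checks at the end are added.

$dom = 'dc=WoodgroveBank,dc=com'
$van = "ou=Vancouver,$dom"

# Exercise 3, Tasks 1-3: the Vancouver OU and its four department OUs.
dsadd ou $van -desc 'Vancouver subsidiary'
foreach ($name in 'BranchManagers', 'CustomerService', 'Marketing', 'Investments') {
    dsadd ou "ou=$name,$van"
}

# Exercise 1, Tasks 2-3: four global security groups, created in Users.
foreach ($name in 'VAN_BranchManagersGG', 'VAN_CustomerServiceGG', 'VAN_InvestmentsGG', 'VAN_MarketingGG') {
    dsadd group "cn=$name,cn=Users,$dom" -samid $name -secgrp yes -scope g
}

# Lab tables: the department decides both the group and the OU for each user.
$placement = @{
    'Neville Burdan'   = 'BranchManagers';  'Suchitra Mohan'   = 'BranchManagers'
    'Anton Kirilov'    = 'CustomerService'; 'Shelley Dyck'     = 'CustomerService'
    'Barbara Moreland' = 'Investments';     'Nate Sun'         = 'Investments'
    'Yvonne McKay'     = 'Marketing';       'Monika Buschmann' = 'Marketing'
    'Bernard Duerr'    = 'Marketing'
}

foreach ($user in $placement.Keys) {
    $dept = $placement[$user]
    # dsquery prints the DN wrapped in double quotes; strip them before reuse.
    $userDn = (dsquery user $dom -name $user | Select-Object -First 1) -replace '"', ''
    if (-not $userDn) { Write-Warning "User '$user' not found"; continue }
    # Exercise 1, Task 4: add to the department group.
    dsmod group "cn=VAN_${dept}GG,cn=Users,$dom" -addmbr $userDn
    # Exercise 3, Task 5: move into the department OU.
    dsmove $userDn -newparent "ou=$dept,$van"
}

# Exercise 3, Task 4: move the groups into their OUs.
foreach ($dept in 'BranchManagers', 'CustomerService', 'Investments', 'Marketing') {
    dsmove "cn=VAN_${dept}GG,cn=Users,$dom" -newparent "ou=$dept,$van"
}

# Exercise 3, Task 6 is done in the Delegation of Control Wizard. Read back the
# ACEs it created for Yvonne on the Marketing OU; each line shows one right.
dsacls "ou=Marketing,$van" | Select-String -Pattern 'Yvonne'

# Exercise 1, Task 5 and the OU tree: the group now lives in its OU.
dsget group "cn=VAN_BranchManagersGG,ou=BranchManagers,$van" -members
dsquery ou $van -scope subtree
```

The Dsacls read-back is worth keeping after the lab: the wizard gives no summary of what it wrote, and a delegation that was scoped too widely (for example to the Vancouver OU instead of Vancouver\Marketing) looks identical in the console but shows up immediately in the listed ACEs.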

Task 8: Close all virtual machines, and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have created OUs by using Active Directory Users and Computers and Dsadd. You also will have delegated administrative permissions and tested them.

Module Review and Takeaways

Review Questions

1. You are responsible for managing accounts and access to resources for members of your group. A user in your group transfers into another department within the company. What should you do with the user's account?
2. A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give her permission to manage anything else in AD DS. How can you do this with the least disruption and effort on your part?
3. You are responsible for maintaining access to local resources, such as printers, in your organization. You want to establish an efficient way to maintain printing permissions to members in each work group, even while those members may change frequently. You also want to simplify the replacement of printers when one has to be taken offline for repairs, or replaced with a new one. What is the best way to do this?

4. You have decided to create a naming convention for all organizational units and groups. What considerations should you take as you set a pattern for naming new objects?
5. You take over the administration of your department's AD DS organizational unit. When you open Active Directory Users and Computers and view the OU, you notice that all groups and users exist at the same level. Groups that have names such as Ajax_account, SW_Colorado, Nancy, etc., exist side-by-side with computer accounts named New_IBM_1 and New_Canon_printer, and a FileShare object named DO_NOT_OPEN. What should you do?
6. An employee in your company has transferred to another department. The user account was removed from all groups associated with the old department and added to groups associated with the new department. The user account also was moved into the new department OU. After the user transfer is complete, he informs you that he cannot access his files that are stored on a file server. What should you do?

Considerations for Managing AD DS Groups and OUs

When you manage AD DS groups and organizational units, consider the following:

• If your organization typically creates many user groups or OUs simultaneously, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate creating the accounts. These tools can save you significant time when you are adding or modifying multiple AD DS objects.
• Consider delegating permissions to create and manage groups and OUs in your AD DS domain. You can delegate permissions at the domain or OU level. Keep the number of people to whom you delegate administrative control for creating and modifying groups or OUs to a minimum.
• Separate various functional needs for administration among users by adding additional OUs, thereby separating their spheres of influence.

Managing Access to Resources in Active Directory Domain Services 4-1

Module 4 Managing Access to Resources in Active Directory Domain Services

Contents:

Lesson 1: Managing Access Overview  4-3
Lesson 2: Managing NTFS File and Folder Permissions  4-11
Lesson 3: Assigning Permissions to Shared Resources  4-20
Lesson 4: Determining Effective Permission  4-33
Lab: Managing Access to Resources  4-44

Module Overview

One of the primary reasons to deploy Active Directory® Domain Services (AD DS) is to enable users to access shared resources on the network. The previous modules introduced users and groups as the primary way to enable access to those resources. This module describes how to configure shared folders to enable those users and groups to gain access to the resources.

Specifically, this module helps you learn the skills and knowledge necessary to:

• Understand how permissions enable resource access.
• Manage access to files and folders by using shared folder permissions, NTFS file system permissions, or special permissions.
• Manage permissions inheritance.

Lesson 1 Managing Access Overview

In order to manage access to resources, you must understand how Microsoft® Windows® operating systems use security principals and security tokens to allow access to resources. Then you must understand how permissions are applied to resources such as shared folders. This lesson provides the information that you need to manage access to resources.

What Are Security Principals?

Key Points

A security principal is an AD DS entity that can be authenticated by a Windows operating system. Security principals include the following:

• User and computer accounts
• A thread or process that runs in the security context of a user or computer account
• Groups of the previous accounts

Every security principal is assigned a security identifier (SID) automatically when it is created. A SID has two components:

• Domain identifier. The domain identifier is the same for all security principals created in the domain.
• Relative identifier. The relative identifier is unique to each security principal created in the domain.

Question: When a user is deleted and then recreated, they will be issued a new SID. What are the ramifications of this?
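The following added example (not course code) makes the two SID components visible with the .NET SecurityIdentifier class and then shows the practical consequence of the question above: permissions are stored by SID, so after an account is deleted its ACEs stay behind as unresolvable SIDs, and a recreated account with the same name (and a new relative identifier) never matches them. The sample SID is constructed, the folder path is an assumption, and the function names are my own.

```powershell
# Added example (not part of the course): split a SID into domain identifier and
# RID, and find ACEs on a folder whose SID no longer resolves to an account.
# The SID string and the folder path are assumptions.

function Split-Sid {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $parts = $sid.Value -split '-'
    # AccountDomainSid is $null for well-known SIDs such as S-1-5-18 (SYSTEM).
    $domainId = '(none: well-known SID)'
    if ($sid.AccountDomainSid) { $domainId = $sid.AccountDomainSid.Value }
    New-Object PSObject -Property @{
        Sid              = $sid.Value
        DomainIdentifier = $domainId
        RelativeId       = [int]$parts[-1]
    }
}

function Find-OrphanedAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for SID-typed identities so an unresolvable SID does not throw.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference
        $account = $null
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $label = '<unresolved: account deleted?>'
        if ($account) { $label = $account }
        New-Object PSObject -Property @{
            Sid       = $sid.Value
            Account   = $label
            Orphaned  = ($account -eq $null)
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed sample SID: the first four numbers after S-1-5-21 are the domain
# identifier, the last one (1013) is the relative identifier of one principal.
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1013' | Format-List
Split-Sid 'S-1-5-18' | Format-List

# Every ACE with Orphaned = True is dead weight that a recreated account cannot
# use; remove it, then grant the new account (or better, a group) afresh.
Find-OrphanedAce -Path 'D:\Shares\Marketing' |
    Where-Object { $_.Orphaned } |
    Format-Table Sid, Rights, Type, Inherited -AutoSize
```

Two consequences follow from the output. First, the lost access after a delete-and-recreate cannot be repaired by "adding the user back" anywhere except on every ACL that named the old SID. Second, an orphaned Allow ACE is a latent risk as well as a nuisance: if a SID is ever re-issued (which AD DS avoids within a domain, but which restoring an old domain controller image can cause), the stale entry comes back to life.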

What Are Access Tokens?

Key Points

An access token is a protected object that contains information about the identity and rights associated with a user account.

How access tokens are created

When a user logs on, if authentication is successful, the logon process provides a SID that represents the user and a list of SIDs for the security groups of which the user is a member. The Local Security Authority (LSA) on the computer uses this information to create an access token that includes the SIDs and a list of rights assigned by local security policy to the user and to the user's security groups.

How access tokens are used to verify the user's user rights

After LSA creates the primary access token, a copy of the access token is attached to every process and thread that executes on the user's behalf. Whenever a thread or process interacts with a shared resource or tries to perform a system task that requires user rights, the operating system checks the access token associated with the thread to verify the user's access to the resource.

Question: When accessing a resource, is it a best practice to assign permission to the Group SID or the User SID?
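The check the operating system performs is a comparison between the SIDs in the thread's token and the SIDs in the object's DACL. The following added example (not course code) reads the current process's own token with the WindowsIdentity class and lists which ACEs on a folder match one of its SIDs, noting whether each matched through the user's own SID or through a group SID. It is read-only; the folder path is an assumption. On Windows Server 2008 with User Account Control, an elevated and a non-elevated PowerShell hold different tokens (the filtered one lacks the Administrators group), so run it from whichever context you want to explain.

```powershell
# Added example (not part of the course): inspect the caller's access token and
# show which ACEs on a folder it matches. The folder path is an assumption.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The token carries the user's SID plus one SID per group the logon resolved:
# domain groups (through nesting), machine local groups, and well-known ones
# such as Everyone and Authenticated Users.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Show-Token {
    "User:  {0} ({1})" -f $identity.Name, $identity.User.Value
    foreach ($g in $identity.Groups) {
        $name = $g.Value
        try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        "Group: {0} ({1})" -f $name, $g.Value
    }
}

# Which ACEs on the object apply to this token? Deny entries are listed first
# because the access check honours a matching Deny before any Allow.
function Get-MatchingAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $applicable = @()
    foreach ($ace in $rules) {
        if ($tokenSids -contains $ace.IdentityReference.Value) { $applicable += $ace }
    }
    $applicable | Sort-Object @{ Expression = { $_.AccessControlType -eq 'Allow' } } |
        ForEach-Object {
            $via = 'user SID'
            if ($_.IdentityReference.Value -ne $identity.User.Value) { $via = 'group SID' }
            "{0,-5} {1,-28} via {2} {3}" -f $_.AccessControlType, $_.FileSystemRights, $via, $_.IdentityReference.Value
        }
}

Show-Token
Get-MatchingAce -Path 'D:\Shares\Marketing'
```

The listing also answers the Group SID versus User SID question from the administrator's side: an ACE on a group SID keeps matching as people join and leave the group without any ACL change, whereas an ACE on a user SID has to be found and edited whenever that person's role changes. One caveat the token view makes obvious: the group SIDs are collected at logon, so a user added to a group today does not match that group's ACEs until the next logon.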

What Are Permissions?

Key Points

Permissions define the type of access that is granted to a security principal for an object. When you assign permissions, you can:

• Explicitly apply permissions. You can apply permissions explicitly on folders or files. When you apply permissions explicitly, you access the shared resource object directly and configure permissions on that object.
• Configure permission inheritance. When you configure permissions on a folder, the permissions are inherited by default on all subfolders or files in that folder. You can accept the default permission inheritance or modify the default behavior by blocking permission inheritance or by assigning explicit permissions to lower level folders or files.

• Accept implicitly applied permissions. If no permissions are assigned explicitly to an object for a particular user account, and no inherited permissions apply to the user account, the user will be denied access to the object.

Question: List at least one way that administrators can easily maintain permissions on an object.

How Access Control Works

Key Points

The process of accessing an AD DS resource is called access control, and it is based on the verification of security principals. All objects in AD DS, and all securable objects on a local computer or on the network, have security descriptors assigned to them to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited.

Question: Which access control resource, DACL or SACL, plays a more critical role in security?

Lesson 2 Managing NTFS File and Folder Permissions

In addition to configuring access to shared folders by using shared folder permissions, you also can assign permissions by using NTFS permissions. The information in this lesson presents the skills and knowledge that you must have to manage access to files and folders by using NTFS permissions.

What Are NTFS Permissions?

Key Points

NTFS permissions specify which users, groups, and computers can access files and folders. NTFS permissions also dictate what users, groups, and computers can do with the contents of the file or folder.

NTFS file permissions include:

• Read. Read the file, and view owner, attributes, and permissions.
• Write. Write to the file, change attributes, and view permissions and owner.
• Read & Execute. Execute applications plus all Read permissions.
• Modify. All the previous permissions, plus the ability to delete files.
• Full Control. All the previous permissions, plus the ability to change permissions and take ownership of the file.

There are six basic NTFS folder permissions:

• Read. View files and subfolders, permissions, and owner.
• Write. Create new files and folders, change folder attributes, and view permissions and owner.
• List Folder Contents. Read files, folders, and subfolders.
• Read & Execute. Execute applications plus all permissions of Read and List Folder Contents.
• Modify. All the previous permissions, plus the ability to delete the folder.
• Full Control. All the previous permissions, plus the ability to change permissions on the folder and take ownership.

Question: If an administrator wanted to prevent a user from viewing the permissions or the owner of a folder, which folder permission should be applied?

What Are Standard and Special Permissions?

Key Points

NTFS permissions fall into two categories: standard and special. The permissions described in the previous topic are standard permissions. Standard permissions are the most frequently assigned permissions. Special permissions give you a finer degree of control for assigning access to objects.

Question: Think of a situation where administrators may need to assign special permissions.

What Is NTFS Permissions Inheritance?
Key Points
By default, the permissions that you grant to a parent folder are inherited by its subfolders and files. Permissions can be inherited only from a direct parent. A security principal that is inheriting permissions can have additional NTFS permissions assigned, but the inherited permissions cannot be removed until inheritance is blocked.

Blocking permission inheritance
The folder on which you prevent permissions inheritance becomes the new parent folder, and the subfolders and files that are contained in it inherit the permissions assigned to it.

Administrators can also use the Icacls.exe utility to reset folder permissions while in a specific folder or directory:

icacls.exe c:\folder_name /setowner "domain\user"

Question: List one or two ways permission inheritance can reduce administration time.
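As an added example (not part of the course), the following PowerShell session uses icacls.exe to walk through the inheritance behaviour described in this topic on a throwaway folder tree. The folder C:\PermLab and the accounts CONTOSO\Sales and CONTOSO\jdoe are placeholders for your own domain.

```powershell
# Added example (not part of the course): exercise the inheritance rules from
# this topic with icacls.exe on a constructed folder tree.
# Assumptions: elevated PowerShell on Windows Server 2008 or later;
# CONTOSO\Sales and CONTOSO\jdoe are placeholder names for your own domain.
$Root  = 'C:\PermLab'       # constructed test tree, safe to delete afterwards
$Group = 'CONTOSO\Sales'    # placeholder group
$Owner = 'CONTOSO\jdoe'     # placeholder user for /setowner

New-Item -ItemType Directory -Path "$Root\Parent\Child" -Force | Out-Null
New-Item -ItemType File -Path "$Root\Parent\Child\file.txt" -Force | Out-Null

# 1. Grant Modify on the parent with the object-inherit (OI) and
#    container-inherit (CI) flags; these flags are what make subfolders and
#    files inherit the ACE.
icacls "$Root\Parent" /grant "${Group}:(OI)(CI)M" | Out-Null
# Inherited ACEs show up on the child marked (I).
icacls "$Root\Parent\Child"

# 2. Block inheritance on Child but keep a copy of the inherited ACEs
#    (/inheritance:d). Child is now the "new parent" for everything below it.
icacls "$Root\Parent\Child" /inheritance:d | Out-Null

# Removing the group from Parent no longer affects Child, because Child's
# copy of the ACE is now explicit rather than inherited.
icacls "$Root\Parent" /remove:g $Group | Out-Null
icacls "$Root\Parent\Child"          # still lists CONTOSO\Sales, without (I)

# 3. Change the owner of Child (the command from the topic, with a placeholder).
icacls "$Root\Parent\Child" /setowner $Owner | Out-Null

# 4. Reset the whole tree to inherited permissions only. /T recurses,
#    /C continues past errors, /Q suppresses per-file success messages.
icacls "$Root\Parent" /reset /T /C /Q

# 5. Verify: /verify reports ACLs that are not in canonical order. No findings
#    plus a listing that shows only (I) entries means the reset worked.
icacls "$Root\Parent" /verify /T /Q
icacls "$Root\Parent\Child"
```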

Demonstration: Configuring NTFS Permissions
Key Points
• Browse a directory, and view the standard permissions.
• View the advanced NTFS permissions.
• View permission inheritance.

Question: If you deny NTFS permission to a group for a particular resource while allowing the same permission to another group for that resource, what will happen to the permissions of an individual who is a member of both groups?

Question: If a group added to a shared folder was given an NTFS permission of Allow for Write in a shared folder, and Deny permission for Write in a nested folder, what would their effective permissions be in the two folders?

Effects on NTFS Permissions When Copying and Moving Files and Folders
Key Points
When you copy or move a file or folder, the permissions might change, depending on where you move the file or folder. You should understand the changes that the permissions undergo when they are copied or moved.

Copying a file
When you copy a file or folder from one folder to another folder, or from one partition to another partition, permissions for the files or folders might change. When you copy a file or folder:
• Within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
• To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
• To a non-NTFS partition, the copy of the folder or file loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.

Moving a file
When you move a file or folder, permissions might change, depending on the permissions of the destination folder. When you move a file or folder:
• In the same NTFS partition, the folder or file keeps its original permissions. Permissions explicitly applied to the folder will be retained. Permissions previously inherited will be lost. If the permissions of the new parent folder are changed later, the file or folder will inherit the new permissions.
• To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When you move a folder or file between partitions, Windows Server 2008 copies the folder or file to the new location and then deletes it from the old location.
• To a non-NTFS partition, such as a file allocation table (FAT) partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.

Question: Provide one or two examples where moving files and folders within the same partition reduces administration time.

Lesson 3: Assigning Permissions to Shared Resources
Shared folders give users access to files and folders over a network. Users can connect to the shared folder over the network to access its folders and files. Shared folders can contain applications, public data, or a user's personal data. Using shared data folders provides a central location for users to access common files and makes it easier to back up data that is contained in those files.

What Are Shared Folders?
Key Points
When you share a folder, it is made available to multiple users simultaneously over the network. As soon as they are granted permission, users can access all the files and subfolders in the shared folder. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder and shared files for executives in another. Most organizations deploy dedicated file servers to host shared folders.

When you create a shared folder by using the Provision a Shared Folder Wizard in the Share and Storage Management console, or by using the File Sharing Wizard, you can configure the permissions assigned to each share as you create it.

Question: List at least one benefit of sharing folders across a network.

What Are Administrative Shared Folders?
Key Points
Windows Server 2008 automatically creates shared folders on computers running Windows that enable you to perform administrative tasks. These default administrative shares have a dollar sign ($) at the end of the share name. Appending the dollar sign at the end of the folder name hides the shared folder from users who browse the network. Administrators can quickly administer files and folders on remote servers by using these hidden shared folders.

Question: List at least one benefit of having and creating your own hidden shares.

Shared Folder Permissions
Key Points
Shared folder permissions apply only to users who connect to the folder over the network. They do not restrict access to users who access the folder at the computer where the folder is stored. You can grant shared folder permissions to user accounts, groups, and computer accounts. By default, users will have the same level of access to subfolders under a shared folder as they have on the parent folder.

Question: List at least one example of when an administrator might give Full Control to a folder.

Demonstration: Creating Shared Folders
Key Points
• Create two test directories, and populate each with a text file and some data.
• Use Windows Explorer to create a share.
• Use the Share and Storage Management Microsoft Management Console (MMC) snap-in to create a hidden share.
• Use the Share and Storage Management snap-in to modify the share permissions.
• Test share access.

In Windows Server 2008, the only groups that can create shared folders are the Administrators, Server Operators, and Power Users groups. These groups are built-in groups that are put in the Groups folder in Computer Management or the BuiltIn container in Active Directory Users and Groups.

Question: How do you apply sharing permissions to a folder?

Question: How would you begin to create a shared folder by using the Share and Storage Management MMC?

Question: Which tool would you use to create a shared folder?

Connecting to Shared Folders
Key Points
After you create a shared folder, users can access the folder over the network by using multiple methods. Users can access a shared folder on another computer by using:
• The Network window (in Microsoft Windows Server® 2008 or Microsoft Windows Vista®)
• My Network Places (in Microsoft Windows Server 2003 or Microsoft Windows XP)
• The Map Network Drive feature
• Searching AD DS
• The Run command on the Start menu

• Administrators can also publish Shared Folders to Active Directory by using the Active Directory Users and Computers interface. Within the Organizational Unit, administrators can add a new Shared Folder, making it searchable through Active Directory. Users can also search Active Directory Shared Folders by accessing My Network Places in Windows XP and the Network window in Windows Vista.
• Windows Server 2008 turns on Access Based Enumeration by default on new shares. Access Based Enumeration prevents the display of folders or other shared resources that the user does not have rights to access.

Note: The Computer Browser service is disabled by default in Windows Server 2008.

Question: List at least one benefit of accessing resources through mapped drives.

Demonstration: Managing Shared Folders
Key Points
• Create two test directories.
• Use Windows Explorer to create a share.
• Using the Share and Storage Management Microsoft Management Console (MMC) snap-in, create a hidden share.
• Modify the share permissions.

Question: What would happen if the user was editing the file but had not saved the changes, and then an administrator used the Close File feature?

Considerations for Using Shared Folders
Key Points
When you are managing access to shared folders, consider the following best practices when granting permissions:
• Use the most restrictive permissions possible. Do not grant more permissions for a shared folder than the users legitimately require. For example, if a user only has to read the files in a folder, grant Read permission for the folder to the user or group to which the user belongs.
• Avoid assigning permissions to individual users. Use groups whenever possible. Because it is inefficient to maintain user accounts directly, avoid granting permissions to individual users.

• Assign Full Control permissions with caution. Remember that Full Control lets users modify permissions, and any change in existing permissions could potentially affect security.
• Use the Authenticated Users or the Domain Users group instead of the Everyone group (if present) in the shared folder's permissions list. Because the Everyone group includes Guests, using the Authenticated Users or Domain Users group limits access to shared folders to only authenticated users, and prevents users or viruses from accidentally deleting or damaging data and application files.

Question: List one or two reasons why administrators should not leave the Everyone group in a share's permissions.

Offline File Configuration and Deployment
Key Points
Offline files are available in Windows XP, Vista, Server 2003 and Server 2008:
• Select a folder at a network place, synchronize, and then disconnect the computer. Users can set up a folder that will be taken offline by selecting it and synchronizing it with the network files.
• Make edits to documents on a disconnected computer. After the folder is taken offline, the user can make edits to any of the documents in the folder. The changes are made locally and can only be seen by the person making the changes until the files are synchronized again.

• Reconnect the computer to the network again to update changes. Users must reconnect their computer to the network in order to update any changes that were made locally.
• Files are synchronized automatically. Once the folder is connected to the network, Windows knows to synchronize the folder and its contents with the server version, ensuring the folder is up to date.

Question: List at least one example of how offline files are useful.

Lesson 4: Determining Effective Permission
You can assign user access to a shared folder by using shared folder permissions or NTFS permissions. You also can assign permissions to individual user accounts or group accounts. To determine what level of access the user actually has on the network, you must understand how effective permissions are determined and how you can view effective permissions.

What Are Effective NTFS Permissions?
Key Points
Windows Server 2008 provides a tool (the Effective Permissions tool) that shows effective permissions, which are cumulative permissions based on group membership. The following principles determine effective permissions:
• Cumulative permissions are the combination of the highest NTFS permissions granted to the user and all the groups of which the user is a member. For example, if a user is a member of a group that has Read permission and a member of a group that has Modify permission, the user has Modify permission.
• Explicit Deny permissions override equivalent Allow permissions. However, an explicit Allow permission can override an inherited Deny permission. For example, if a user is denied write access to a folder explicitly but explicitly allowed write access to a subfolder or a particular file, the explicit Allow would override the inherited Deny.

• Permissions can be applied to a user or a group. Assigning permissions to groups is preferred, as it is more efficient than managing the permissions of many individuals.
• NTFS file permissions take priority over folder permissions. For example, if a user has Modify permission to a folder but only has Read permission to certain files in that folder, the effective permission for those files will be Read.
• Every object in an NTFS volume or in Active Directory is owned. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user can create a file in a folder where the user typically has Modify permission. However, because that user created the file, the user can change the permissions. The user then can grant himself Full Control over the file.

Question: Provide at least one example of how cumulative permissions benefit administrators.

Discussion: Applying NTFS Permissions
In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions. You and your classmates will discuss possible solutions to the scenario.

Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide shows folders and files on the NTFS partition.

Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?

Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?

Question: The Users group has Modify permission for Folder1. File2 should be accessible only to the Sales group, and they should only be able to read File2. What do you do to ensure that the Sales group has only Read permission for File2?

Demonstration: Evaluating Effective Permissions
Key Points
• Open a directory, and assign permissions to a user.
• Deny user permission.
• Use the Effective Permissions tool.

Question: Can the Effective Permissions tool return the actual permissions of a user?

Effects of Combining Shared Folder and NTFS Permissions
Key Points
When enabling access to network resources on an NTFS volume, it is recommended that you use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.

Question: Provide at least one consideration an administrator must acknowledge before combining Shared Folders and NTFS Permissions.

Discussion: Determining Effective NTFS and Shared Folder Permissions
In this discussion, you will determine effective NTFS and shared folder permissions. Look at each example, and determine a user's effective permissions.

Scenario
The figure shows two shared folders that contain folders or files that have NTFS permissions. In the first example, the Users folder has been shared, and the Users group has the shared folder permission Full Control. User1, User2, and User3 have been granted the NTFS permission Full Control to only their folder. These users are all members of the Users group.

Question: Discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2's directory? Why? How does using the share permission instead of the NTFS permission prevent users from accessing other users' directories?

Question: You have shared the Data folder to the Sales Group. Within the Data directory, you have given the Sales Group Full Control over the Sales Group. When users in the Sales Group try to save a file in the \Data\Sales directory, they get an access denied error. Why? What permission needs to be changed, and why?
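The rules from "What Are Effective NTFS Permissions?" and "Effects of Combining Shared Folder and NTFS Permissions" can be worked through in code. This added example (not part of the course) models them in PowerShell with constructed ACEs and principals; the names User1, Users, Sales and the rights values are all made up for the demonstration, and nothing is read from a real volume.

```powershell
# Added example (not part of the course): a small PowerShell model of the
# effective-permission rules from this lesson. All principals, ACEs and share
# permissions below are constructed; nothing is read from a real volume.

# Basic NTFS rights as bit flags; Modify and Full Control are unions of them.
$R = @{ Read = 1; Write = 2; Execute = 4; Delete = 8; ChangePerms = 16; TakeOwner = 32 }
$R.Modify      = $R.Read -bor $R.Write -bor $R.Execute -bor $R.Delete
$R.FullControl = $R.Modify -bor $R.ChangePerms -bor $R.TakeOwner

# Share permission levels expressed in the same flags (Read, Change, Full Control).
$ShareLevel = @{ Read = ($R.Read -bor $R.Execute); Change = $R.Modify; 'Full Control' = $R.FullControl }

function New-Ace([string]$Principal, [string]$Type, [int]$Rights, [bool]$Inherited = $false) {
    # One access control entry. Type is 'Allow' or 'Deny'; Inherited marks an ACE
    # that came from the parent folder rather than being set on this object.
    New-Object PSObject -Property @{ Principal = $Principal; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

function Get-EffectiveNtfsRights([object[]]$Acl, [string]$User, [string[]]$Groups) {
    # Windows evaluates a canonical DACL in this order: explicit Deny, explicit
    # Allow, inherited Deny, inherited Allow, and the first ACE that mentions a
    # right decides it. That single rule produces the three behaviours from the
    # topic: Allow is cumulative across the user's groups, an explicit Deny
    # overrides an Allow, and an explicit Allow overrides an inherited Deny.
    $me      = @($User) + $Groups
    $ordered = $Acl | Sort-Object @{Expression={$_.Inherited}}, @{Expression={$_.Type -eq 'Allow'}}
    $allowed = 0; $denied = 0
    foreach ($ace in $ordered) {
        if ($me -notcontains $ace.Principal) { continue }
        $undecided = $ace.Rights -band (-bnot ($allowed -bor $denied))   # rights not yet settled
        if ($ace.Type -eq 'Allow') { $allowed = $allowed -bor $undecided }
        else                       { $denied  = $denied  -bor $undecided }
    }
    return $allowed
}

function Get-EffectiveNetworkRights([int]$NtfsRights, [string[]]$SharePerms) {
    # Share permissions are cumulative across groups too; over the network the
    # user gets the intersection of share and NTFS rights (the more restrictive wins).
    $share = 0
    foreach ($p in $SharePerms) { $share = $share -bor $ShareLevel[$p] }
    return $NtfsRights -band $share
}

function ConvertTo-RightNames([int]$Mask) {
    # Human-readable summary of a rights mask.
    if (($Mask -band $R.FullControl) -eq $R.FullControl) { return 'Full Control' }
    if (($Mask -band $R.Modify) -eq $R.Modify)           { return 'Modify' }
    $names = @()
    foreach ($n in 'Read','Write','Execute','Delete','ChangePerms','TakeOwner') {
        if ($Mask -band $R[$n]) { $names += $n }
    }
    if ($names.Count -eq 0) { return '(none)' }
    return ($names -join ', ')
}

# Scenario 1 (discussion, Folder1): User1 is in Users (Allow Write) and Sales (Allow Read).
$folder1 = @( (New-Ace 'Users' 'Allow' $R.Write), (New-Ace 'Sales' 'Allow' $R.Read) )
$ntfs = Get-EffectiveNtfsRights $folder1 'User1' @('Users','Sales')
'Folder1, User1: ' + (ConvertTo-RightNames $ntfs)          # Read, Write (cumulative)

# Scenario 2: a subfolder inherits Deny Write for Users, but User1 is explicitly allowed Write.
$subfolder = @( (New-Ace 'Users' 'Deny' $R.Write $true), (New-Ace 'Users' 'Allow' $R.Read $true),
                (New-Ace 'User1' 'Allow' $R.Write) )
$ntfs = Get-EffectiveNtfsRights $subfolder 'User1' @('Users')
'Subfolder, User1: ' + (ConvertTo-RightNames $ntfs)        # Read, Write (explicit Allow beats inherited Deny)

# Scenario 3: Users get Modify, Sales are explicitly denied Delete, and the folder is
# shared with Users: Read. At the console User1 has Read, Write, Execute; over the
# share only Read and Execute survive, which is why saving a file over the network fails.
$data = @( (New-Ace 'Users' 'Allow' $R.Modify), (New-Ace 'Sales' 'Deny' $R.Delete) )
$ntfs = Get-EffectiveNtfsRights $data 'User1' @('Users','Sales')
'Data, User1 at the console: ' + (ConvertTo-RightNames $ntfs)
$net  = Get-EffectiveNetworkRights $ntfs @('Read')
'Data, User1 over the network: ' + (ConvertTo-RightNames $net)
```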

Considerations for Implementing NTFS and Shared Folder Permissions
Key Points
Here are several considerations to make administering permissions more manageable:
1. Grant permissions to groups instead of users. Groups can always have individuals added or deleted, while permissions on a case-by-case basis are difficult to track.
2. Use Deny permissions only when necessary. Because deny permissions are inherited exactly like allow permissions, assigning deny permissions to a folder can result in users not being able to access files lower in the folder structure. Deny permissions should be assigned in the following situations:
   • To exclude a subset of a group that has Allow permissions.
   • To exclude one permission when you have granted Full Control permissions already to a user or group.

3. Never deny the Everyone group access to an object. If you deny everyone access to an object, you deny administrators access. Instead, we recommend that you remove the Everyone group, as long as you grant permissions for the object to other users, groups, or computers.
4. Grant permissions to an object that is as high in the folder tree as possible so that the security settings are propagated throughout the tree. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level, and then using NTFS permissions to assign more specific permissions. For example, instead of bringing groups representing all departments of the company together into a 'Read' folder, assign Domain Users (which is a default group for all user accounts on the domain) to the share. In this manner, you eliminate the need to update department groups before new users receive the shared folder.
5. Use NTFS permissions instead of shared permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult.

Question: List one or two examples of best practices that you have implemented when assigning Shared Folder or NTFS permissions in your organization.

Lab: Managing Access to Resources
Scenario
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS in Windows Server 2008. They have recently opened a new subsidiary in Toronto, Canada. As a network administrator assigned to the new subsidiary, one of your primary tasks will be to create and manage access to resources, including the shared folder implementation. For example, groups that mirror the departmental organization of the bank need shared file storage areas. You must also have shared folders to enable files to be shared during special projects between departments.

Exercise 1: Planning a Shared Folder Implementation (Discussion)
In this exercise, you will discuss and determine the best solutions for a shared folder implementation.

The Woodgrove Bank Toronto subsidiary has an organizational hierarchy, as outlined by its organizational units (OUs), that supports the activities of its four departments: Marketing, Management, Investments, and Customer Service. Each department has groups populated with the employees in that department.

Discussion Questions:
1. How could you give each department separate file-sharing spaces?
2. All members of the Toronto subsidiary must be able to read documents posted by management about topics such as staffing, targets and projections, and company news. To create a series of folders that will enable this information to be available to all employees in the subsidiary, what sorts of groups would be needed? What sorts of permissions would each require? What sorts of folder structures might be needed?
3. A task force on reducing the subsidiary's carbon footprint (that is, its negative impact on the natural environment) is collecting data from various departments, and from managers in other parts of the Woodgrove Bank. They plan to keep the information private until they can publish a report. How can individuals from various departments have contributing status while restricting access to those outside their project?

Result: At the end of this exercise, you will have discussed and determined solutions for a shared folder implementation.

Exercise 2: Implementing a Shared Folder Implementation
In this exercise, you will create the shared folder implementation based on the discussion in the previous exercise.

The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create four new folders by using Windows Explorer.
3. Set share permissions for the folders.
4. Create a shared folder for all Domain Users by using the Share and Storage Management Microsoft Management Console (MMC).
5. Create a new group and shared folder for an interdepartmental project.

Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create four new folders by using Windows Explorer
1. On NYC-DC1, open Windows Explorer.
2. On drive C, create folders named:
   • Marketing
   • Managers
   • Investments
   • CustomerService

Task 3: Set share properties for the folder
1. Right-click the Marketing folder, and then click Share.
2. In the File Sharing dialog box, type TOR_MarketingGG, and then click Add.
3. Change the permission level to Contributor, and then click Share.
4. Repeat creating shares for each of the remaining folders, assigning the groups and permissions:
   • TOR_BranchManagersGG (Managers folder)
   • TOR_InvestmentsGG (Investments folder)
   • TOR_CustomerServiceGG (CustomerService folder)

Task 4: Create another shared folder by using Share and Storage Management MMC
1. On the Start menu, in Administrative Tools, click Share and Storage Management.
2. Start the Provision a Shared Folder Wizard.
3. Click the Browse button. In the Browse Folder window, create a new folder named CompanyNews on the C drive.
4. Do not change any other settings, but click Next all the way through to the Create button.
5. Click Create, and then click Close.
6. In the Shares list of the Share and Storage Management MMC, right-click CompanyNews, and then click Properties.
7. In the Permissions tab, click Share Permissions.
8. Add the Domain Users group, and notice that their permission is set as Read. Add the TOR_BranchManagersGG group, and give them Full Control permissions. Finish the Permissions settings, and exit Share and Storage Management MMC.

Task 5: Create a new group and shared folder for an interdepartmental project
1. Open the Active Directory Users and Computers MMC.
2. Click the Toronto OU, and add a new global security group named TOR_SpecialProjectGG.
3. Expand the following Toronto OUs, and use the Add to group command to add the users listed in the following table:

   Toronto OU          Name
   Investment          Aaron Con
   Marketing           Aidan Delaney
   Branch Managers     Sven Buck
   Customer Service    Dorena Paschke

4. Close Active Directory Users and Computers.
5. Create a new folder in drive C, and name it SpecialProjects.
6. Share the folder, adding the TOR_SpecialProjectGG group with the Contributor permission level.
7. Click Share.

Task 6: Block inheritance of a folder in a shared folder
1. Open the SpecialProjects folder.
2. Create a new folder called Unshared.
3. Change the Unshared Properties by removing the inheritable permissions.
4. Give permissions back to the Administrator.

Result: At the end of this exercise, you will have created a shared folder implementation.
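The steps of Exercise 2 can also be scripted. This added example (not part of the course or its lab files) builds the same folders, group and shares with the command-line tools that ship with Windows Server 2008 (net share, icacls, dsadd, dsquery, dsmod). The domain NetBIOS name and the OU distinguished name are placeholders, and it assumes, as Task 3 does, that the four department groups already exist.

```powershell
# Added example (not part of the course): Exercise 2 built with command-line
# tools instead of the wizards. Placeholders: adjust $Domain and $OuDN to your
# lab domain; the department groups are assumed to exist; run elevated on NYC-DC1.
$Domain = 'WOODGROVEBANK'                          # placeholder NetBIOS domain name
$OuDN   = 'OU=Toronto,DC=WoodgroveBank,DC=com'     # placeholder Toronto OU

function New-DepartmentShare([string]$Folder, [string]$Group, [string]$Level) {
    # Mirrors the File Sharing Wizard levels: Level is the share permission
    # (READ, CHANGE or FULL); the matching NTFS right is applied with (OI)(CI)
    # so new files and subfolders inherit it. CHANGE + Modify is "Contributor".
    $path = "C:\$Folder"
    $acct = "$Domain\$Group"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    net share "$Folder=$path" "/grant:$acct,$Level" | Out-Null
    $ntfs = switch ($Level) { 'FULL' { 'F' } 'CHANGE' { 'M' } default { 'RX' } }
    icacls $path /grant "${acct}:(OI)(CI)$ntfs" | Out-Null
}

# Tasks 2 and 3: one Contributor share per department.
$Departments = @{ Marketing = 'TOR_MarketingGG'; Managers = 'TOR_BranchManagersGG'
                  Investments = 'TOR_InvestmentsGG'; CustomerService = 'TOR_CustomerServiceGG' }
foreach ($folder in $Departments.Keys) { New-DepartmentShare $folder $Departments[$folder] 'CHANGE' }

# Task 4: CompanyNews, readable by Domain Users, Full Control for branch managers.
New-Item -ItemType Directory -Path C:\CompanyNews -Force | Out-Null
net share "CompanyNews=C:\CompanyNews" "/grant:$Domain\Domain Users,READ" `
          "/grant:$Domain\TOR_BranchManagersGG,FULL" | Out-Null
icacls C:\CompanyNews /grant "$Domain\Domain Users:(OI)(CI)RX" "$Domain\TOR_BranchManagersGG:(OI)(CI)F" | Out-Null

# Task 5: global security group in the Toronto OU, the four members from the
# table, and the SpecialProjects Contributor share.
$GroupDN = "CN=TOR_SpecialProjectGG,$OuDN"
dsadd group $GroupDN -secgrp yes -scope g | Out-Null
foreach ($name in 'Aaron Con','Aidan Delaney','Sven Buck','Dorena Paschke') {
    # dsquery finds the user's DN anywhere under the Toronto OU; dsmod adds it.
    dsquery user $OuDN -name $name | dsmod group $GroupDN -addmbr | Out-Null
}
New-DepartmentShare 'SpecialProjects' 'TOR_SpecialProjectGG' 'CHANGE'

# Task 6: Unshared subfolder with inheritance removed (/inheritance:r drops every
# inherited ACE), then explicit Full Control handed back to Administrators and SYSTEM.
$unshared = 'C:\SpecialProjects\Unshared'
New-Item -ItemType Directory -Path $unshared -Force | Out-Null
icacls $unshared /inheritance:r | Out-Null
icacls $unshared /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Check the result: the six shares, and a tree listing in which Unshared shows
# no (I) entries while everything else under SpecialProjects does.
net share
icacls C:\SpecialProjects /T
```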

Exercise 3: Evaluating the Shared Folder Implementation
In this exercise, you will verify that the shared folder implementation meets the security requirements provided in the documentation. You will log on as some users to make sure that they have the required level of access.

The main tasks are as follows:
1. Log on to NYC-CL1 as Sven.
2. Check the permissions for Company News.
3. Check permissions of the interdepartmental share Special Projects.
4. Close all virtual machines, and discard undo disks.

Task 1: Log on to NYC-CL1 as Sven
• Log on to NYC-CL1 as Sven, with the password Pa$$w0rd.

Task 2: Check the permissions for Company News
1. After you are logged on as Sven, open the Company News folder and create a text file. Name it News.txt.
2. Create a folder named News, and drag News.txt into it.
3. Open the News.txt file inside the News folder.
4. Close the Company News window and log off.

Task 3: Check permissions of the interdepartmental share Special Projects
1. Log on as Dorena with the password Pa$$w0rd.
2. Open the Special Project volume and create a text document.
3. Try to open Company News.
4. Log off as Dorena.

Task 4: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have verified that the shared folder implementation meets security requirements.

Module Review and Takeaways
Review Questions
1. What is the role of ACLs in granting access to resources on an AD DS network? How do DACLs differ from SACLs?
2. What happens to the shared folder configuration when you copy or move a shared folder from one hard disk to another on the same server? What happens to the shared folder configuration when you copy or move the shared folder to another server?
3. You have to assign permissions to a shared folder so that all users in your organization can read the contents of the folder. Which of these approaches would be the best way to do this: accept the default permissions, assign read permissions to the folder for the Domain Users group, or add groups representing whole departments?
4. How would this configuration change if your organization had multiple domains?

5. When moving a folder in an NTFS partition, what permissions are required over the source file or folder and over the destination folder?
6. What is the best way to create a shared folder that needs to be accessed by users who are situated in two domains?

Considerations for Managing Shared Folders and NTFS Permissions
When you manage AD DS shared folders and NTFS permissions, consider the following:
• Consider delegating permissions to create and manage shared folders in your AD DS domain. You can delegate permissions to groups in the NTFS security settings of the appropriate level of the shared folder hierarchy.
• When allowing access to network resources on an NTFS volume, we recommend that you use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.
• Document your shared folder and permissions configuration. The shared folder configuration can become very difficult to follow over time as users or departments request new shared folders for many reasons. Without documentation, it can be difficult to manage and troubleshoot file access issues.
• All shared folders should be part of your regular backup process. The data that is stored in the shared folders is usually important to your organization. Therefore, you must make sure that you can recover it if a server were to fail.

Module 5: Configuring Active Directory Objects and Trusts
Contents:
Lesson 1: Delegate Administrative Access to Active Directory Objects 5-3
Lab A: Configuring Active Directory Delegation 5-12
Lesson 2: Configure Active Directory Trusts 5-16
Lab B: Configuring Active Directory Trusts 5-24

Module Overview

After the initial deployment of Active Directory® Domain Services (AD DS), the most common tasks for an AD DS administrator are configuring and managing AD DS objects. In most organizations, each employee is issued a user account, which is added to one or more groups in AD DS. The user and group accounts enable access to Windows Server-based network resources such as Web sites, mailboxes, and shared folders. This module describes how to perform many of these administrative tasks, and the options available for delegating or automating these tasks. This module also describes how to configure and manage Active Directory trusts.

Lesson 1: Delegate Administrative Access to Active Directory Objects

One of the options available for effectively administering a Microsoft® Windows Server® 2008 AD DS is to delegate some of the administrative tasks to other administrators or users. By delegating control, you can enable these users to perform specific Active Directory management tasks without granting them more permissions than they need.

Active Directory Object Permissions

Key Points

Active Directory object permissions secure resources by enabling you to control which administrators or users can access individual objects or object attributes, and to control the type of access they have. You use permissions to assign privileges for administrators to manage an organizational unit or a hierarchy of organizational units, and the Active Directory objects contained within those organizational units.

• When permission to perform an operation is not allowed, it is implicitly denied.
• Denied permissions take precedence over any permission that you otherwise allow to user accounts and groups. You should use Deny permissions explicitly only when it is necessary to remove a permission that a user is granted by being a particular group's member.

• Special permissions allow you to set permissions on a particular class of object or on individual attributes of an object class. For example, you could grant a user Full Control over the group object class in a container, just grant the user the ability to modify group memberships in a container, or just grant the user the permissions needed to change a single attribute, such as the phone number, on all user accounts.
• Inherited permissions are those that are propagated to an object from a parent object. For example, if you assign permissions at an OU level, by default all of those permissions are inherited by objects inside the OU.
• Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

Question: What are the risks with using special permissions to assign AD DS permissions?

Question: What permissions would a user have on an object if you granted them Full Control permission, and denied the user write access?
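The precedence rules above (Deny over Allow, explicit over inherited) can be checked against what is actually stored on an object. The following script is an added example and is not part of the course material: it reads the DACL of an AD DS object through ADSI and groups the entries in the order in which they win. It assumes Windows PowerShell 2.0 or later on a domain-joined computer, read permission on the object's security descriptor, and uses the lab's Toronto OU as the target.

```powershell
# Added example (not part of the course): dump the DACL of an AD DS object with ADSI
# so the precedence rules can be checked: Deny entries, then explicit entries, then
# inherited entries. Assumes Windows PowerShell 2.0+ on a domain-joined computer.

function Get-AdObjectAces {
    param([string]$DistinguishedName)
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    # GetAccessRules(includeExplicit, includeInherited, identity type to report)
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        New-Object PSObject -Property @{
            Identity    = $rule.IdentityReference.Value
            Type        = $rule.AccessControlType   # Allow or Deny
            Rights      = $rule.ActiveDirectoryRights
            ObjectType  = $rule.ObjectType          # all-zero GUID = whole object; otherwise a class, attribute or extended right
            Inherited   = $rule.IsInherited
            Inheritance = $rule.InheritanceType
        }
    }
}

function Test-InheritanceBlocked {
    # True when "Include inheritable permissions from this object's parent" has been cleared.
    param([string]$DistinguishedName)
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    return $entry.ObjectSecurity.AreAccessRulesProtected
}

$dn   = "OU=Toronto,DC=WoodgroveBank,DC=com"   # lab OU; replace with your own object
$aces = Get-AdObjectAces -DistinguishedName $dn

"Inheritance blocked on $dn : " + (Test-InheritanceBlocked -DistinguishedName $dn)

"Deny entries (take precedence over any Allow):"
$aces | Where-Object { $_.Type -eq "Deny" } | Format-Table Identity, Rights, Inherited -AutoSize

"Explicit entries (take precedence over inherited entries, including inherited Deny):"
$aces | Where-Object { -not $_.Inherited } | Format-Table Identity, Type, Rights, ObjectType -AutoSize

"Inherited entries:"
$aces | Where-Object { $_.Inherited } | Format-Table Identity, Type, Rights -AutoSize
```

Run it against a user object inside the OU as well as against the OU itself: the entries that show up as inherited on the user are the ones the OU propagated, and a non-zero ObjectType GUID on an entry is the sign of a special permission scoped to one class, attribute or extended right rather than the whole object.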

Demonstration: Active Directory Domain Services Object Permission Inheritance

Key Points

• Enable the Advanced view in Active Directory Users and Computers.
• Disable permission inheritance by child items.
• View the Effective Permissions for the object.

Question: What would happen to an object's permissions if you moved the object from one OU to another, if the OUs had different permissions applied?

Question: What would happen if you removed all permissions from an OU when you blocked inheritance and did not assign any new permissions?

What Are Effective Permissions?

Key Points

Accessible from an object's advanced properties settings, the Effective Permissions tool helps you to determine the permissions for an Active Directory object. This tool calculates the permissions that are granted to the specified user or group, and takes into account the permissions that are in effect from group memberships and any permission inherited from parent objects. If the specified user or group is a domain object, accurate retrieval of information requires permission to read the membership information.

Question: When retrieving effective permissions, what type of permissions does a Domain Administrator need to have to read the object's group information on the domain? What about a local administrator and an authenticated domain user?

What Is Delegation of Control?

Key Points

Delegation of control is the ability to assign management responsibility for Active Directory objects to another user or group. With delegated administration, you can assign basic administrative tasks to regular users or groups. For example, you could give OU administrators the right to add or remove user or computer objects, or an administrative assistant the right to reset passwords.

Delegated administration helps to ease the administrative burden of managing your network by distributing routine administrative tasks to multiple users. By delegating administration, you give groups in your organization more control of their local network resources. You also help secure your network from accidental or malicious damage by limiting the membership of administrator groups.

The Delegation of Control Wizard

You can define the delegation of administrative control in the following four ways:

• Grant permissions to create or modify all objects in a specific organizational unit or in the domain.
• Grant permissions to create or modify some types of objects in a specific organizational unit or at the domain level.
• Grant permissions to create or modify a specific object in a specific organizational unit or at the domain level.
• Grant permissions to modify specific attributes of an object (such as granting the permission to reset passwords on a user account) in a specific organizational unit or at the domain level.

Discussion: Scenarios for Delegating Control

Discussion Questions

• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?

Discuss these scenarios with the classroom, led by your instructor.

Demonstration: Configuring Delegation of Control

Key Points

• Use the Delegation of Control Wizard to delegate permissions to manage user and computer accounts.
• Use the Delegation of Control Wizard to delegate the administration of individual attributes.
• Use a Microsoft Windows® PowerShell™ script to delegate the Password Reset task.
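The wizard's "Reset user passwords and force password change at next logon" task is, underneath, two access control entries on the OU. The following script is an added example and not the course's or the demonstration's own script: it writes those two entries so the delegation can be repeated from a script rather than clicked through. It assumes Windows PowerShell 2.0 or later on a domain-joined computer, a caller who holds Modify Permissions on the target OU, and uses the lab's Toronto OU and Tor_CustomerServiceGG group as placeholders. The GUIDs for the user class, the pwdLastSet attribute and the Reset Password right are looked up in the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not part of the course): script the Delegation of Control Wizard's
# "Reset user passwords and force password change at next logon" task as two ACEs.
# Assumes Windows PowerShell 2.0+ on a domain-joined computer; OU and group are lab names.

$rootDse = [ADSI]"LDAP://RootDSE"

function Get-SchemaIdGuid {
    # Resolve an attribute or class lDAPDisplayName to its schemaIDGUID (stored as bytes).
    param([string]$LdapDisplayName)
    $schema   = [ADSI]("LDAP://" + $rootDse.schemaNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, "(lDAPDisplayName=$LdapDisplayName)")
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties["schemaidguid"][0])
}

function Get-ExtendedRightGuid {
    # Resolve a control access right (displayName under CN=Extended-Rights) to its rightsGuid.
    param([string]$DisplayName)
    $container = [ADSI]("LDAP://CN=Extended-Rights," + $rootDse.configurationNamingContext)
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container, "(displayName=$DisplayName)")
    [void]$searcher.PropertiesToLoad.Add("rightsGuid")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Extended right '$DisplayName' not found" }
    [System.Guid]$result.Properties["rightsguid"][0]
}

function Grant-ResetPasswordTask {
    param(
        [string]$OuDistinguishedName,   # e.g. "OU=Toronto,DC=WoodgroveBank,DC=com"
        [string]$GroupNtAccount         # e.g. "WOODGROVEBANK\Tor_CustomerServiceGG"
    )
    $ou  = [ADSI]("LDAP://" + $OuDistinguishedName)
    $sid = (New-Object System.Security.Principal.NTAccount($GroupNtAccount)).Translate([System.Security.Principal.SecurityIdentifier])

    $userClass  = Get-SchemaIdGuid "user"
    $pwdLastSet = Get-SchemaIdGuid "pwdLastSet"
    $resetPwd   = Get-ExtendedRightGuid "Reset Password"

    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # ACE 1: the "Reset Password" control access right, scoped to descendant user objects only.
    # The last argument (inheritedObjectType) keeps it off groups, computers and the OU itself.
    $resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetPwd, $descendents, $userClass)

    # ACE 2: read/write the pwdLastSet attribute, which "User must change password at next
    # logon" sets to 0. Again limited to descendant user objects.
    $pwdRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $pwdAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $pwdRights, $allow, $pwdLastSet, $descendents, $userClass)

    $ou.ObjectSecurity.AddAccessRule($resetAce)
    $ou.ObjectSecurity.AddAccessRule($pwdAce)
    $ou.CommitChanges()   # nothing reaches the directory until this call
}

Grant-ResetPasswordTask -OuDistinguishedName "OU=Toronto,DC=WoodgroveBank,DC=com" `
                        -GroupNtAccount "WOODGROVEBANK\Tor_CustomerServiceGG"
```

After running it, the Effective Permissions tab for a member of the group on a user inside the OU should show Reset Password and Write pwdLastSet and nothing else, which is the check Task 4 of Lab A performs by hand. Because both entries are scoped to the user class, the same group gets no rights on group or computer objects in the OU.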

Lab A: Configuring Active Directory Delegation

Scenario

To optimize the use of AD DS administrator time, Woodgrove Bank would like to delegate some administrative tasks to interns and junior administrators. These administrators will be granted access to manage user and group accounts in different OUs. User accounts must also be configured with a standard configuration. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. The organization would like to automate the user and group management tasks, and delegate some administrative tasks to junior administrators.

Exercise 1: Delegating Control of AD DS Objects

In this exercise, you will delegate control of AD DS objects for other administrators. You will also test the delegated permissions to ensure that administrators can perform the required actions, but cannot perform other actions.

Woodgrove Bank has decided to delegate administrative tasks for the Toronto office. In this office, the branch managers must be able to create and manage user and group accounts. The customer service personnel must be able to reset user passwords and configure some user information, such as phone numbers and addresses.

The main tasks are as follows:

1. Start the virtual machine and log on.
2. Assign full control of users and groups in the Toronto OU.
3. Assign rights to reset passwords and configure private user information in the Toronto OU.
4. Verify the effective permissions assigned for the Toronto OU.
5. Test the delegated permissions for the Toronto OU.

Task 1: Start the virtual machine, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to 6419A-NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU

1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the right to Create, delete and manage user accounts and the right to Create, delete and manage groups to the Tor_BranchManagersGG group.

Task 3: Assign rights to reset passwords and configure private user information in the Toronto OU

1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the right to Reset user passwords and force password change at next logon to the Tor_CustomerServiceGG group.
3. Run the Delegation of Control Wizard again.
4. Choose the option to create a custom task.
5. Assign the Tor_CustomerServiceGG group permission to change personal information only for user accounts.

Task 4: Verify the effective permissions assigned for the Toronto OU

1. In Active Directory Users and Computers, enable viewing of Advanced Features.
2. Access the Advanced Security Settings for the Toronto OU.
3. Check the effective permissions for Sven Buck. Sven is a member of the Tor_BranchManagersGG group. Verify that Sven has permissions to create and delete user and group accounts.
4. Check the effective permissions for Helge Hoening. Helge is a member of the Tor_CustomerServiceGG group. Verify that Helge has permissions to reset passwords and permission to write personal attributes.
5. Access the advanced security settings for Matt Berg, located in the CustomerService OU in the Toronto OU. Verify that Matt has permissions to create and delete user and group accounts.

Task 5: Test the delegated permissions for the Toronto OU

1. Log on to NYC-DC1 as Sven with the password Pa$$w0rd.
2. Start Active Directory Users and Computers, and verify that Sven can create a new user in the Toronto organizational unit.
3. Verify that Sven can create a new group in the Toronto OU.
4. Verify that Sven cannot create a user in the ITAdmins OU.
5. Log off NYC-DC1, and then log on as Helge with the password Pa$$w0rd.
6. In Active Directory Users and Computers, verify that Helge does not have permissions to create any new objects in the Toronto OU.
7. Verify that Helge can reset user passwords and configure user properties, such as the office and telephone number.

Result: At the end of this exercise, you will have delegated the administrative tasks for the Toronto office.

Lesson 2: Configure Active Directory Trusts

Many organizations that deploy AD DS will deploy only one domain. However, larger organizations, or organizations that need to enable access to resources in other organizations or business units, may deploy several domains in the same Active Directory forest or in a separate forest. For users to access resources between the forests, you must configure the forests with trusts. This lesson describes how to configure and manage trusts in an Active Directory environment.

What Are AD DS Trusts?

Key Points

Trusts allow security principals to traverse their credentials from one domain to another, and are necessary to allow resource access between domains. When you configure a trust between domains, a user can be authenticated in their domain, and their security credentials can then be used to access resources in a different domain.

• The user accounts are located in the trusted domain, while the resources are located in the trusting domain.
• Trusts can be defined as transitive or non-transitive.
• The two protocol options for configuring trusts are the Kerberos protocol version 5, and Microsoft Windows NT® Local Area Network (LAN) Manager (NTLM).

Question: What does a trust existing between two domains provide?

AD DS Trust Options

Key Points

All trusts in Microsoft Windows 2000 Server, Microsoft Windows Server 2003, and Microsoft Windows Server 2008 forests are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted; however, one-way trusts can be configured. This diagram illustrates a two-way trust between Forests 1 and 2, and a one-way trust between domains E and A and between domains B and Q.

Question: If you were going to configure a trust between a Windows Server 2008 domain and a Windows NT 4.0 domain, what type of trust would you need to configure?

Question: If you need to share resources between domains, but do not want to configure a trust, how could you provide access to the shared resources?

How Trusts Work Within a Forest

Key Points

When you set up trusts between domains, either within the same forest, across forests, or with an external realm, information about these trusts is stored in AD DS so you can retrieve it when necessary. A trusted domain object (TDO) stores this information. The TDO stores information about the trust such as the trust transitivity and type. Whenever you create a trust, a new TDO is created and stored in the System container in the trust's domain.

Question: In this slide, what type of trust do Domain B and Domain C have in this forest? What are the limitations?

How Trusts Work Between Forests

Key Points

Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the resource. After the resource is located, the user can be authenticated and allowed to access the resource.

Question: Why would clients not be able to access resources in a domain outside the forest?

Demonstration: Reviewing Trusts

Key Points

• Review the Active Directory Domains and Trusts MMC.

Question: When you set up a forest trust, what information will need to be available in DNS in order for the forest trust to work?

What Are User Principal Names?

Key Points

A user principal name (UPN) is a logon name that is used only to log on to a Windows Server 2008 network, for example, suzan@WoodgroveBank.com. There are two parts to a UPN, which are separated by the @ sign.

• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.

By default, the suffix is the domain name in which the user account was created. You can use the other domains in the network, or additional suffixes that you created, to configure other suffixes for users. For example, you may want to configure a suffix to create user logon names that match users' e-mail addresses.

Question: Provide a couple of scenarios where UPNs would be useful.

What Are the Selective Authentication Settings?

Key Points

Another option for restricting authentication across trusts in a Windows Server 2008 forest is selective authentication. With selective authentication, you can restrict which computers in your forest can be accessed by another forest's users.

Question: Provide a scenario where it would be appropriate to enable selective authentication.
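The trust information that the Active Directory Domains and Trusts console shows (trust type, direction, and whether selective authentication is enabled) can also be read with the .NET ActiveDirectory classes that ship with the .NET Framework. The following script is an added example and is not part of the course: it inventories the trusts of the current forest and its domains and reports, for every trust over which another forest's or domain's users can reach this one, whether selective authentication is in force. It assumes Windows PowerShell 2.0 or later on a domain-joined computer.

```powershell
# Added example (not part of the course): inventory forest and domain trusts and flag
# inbound/bidirectional forest and external trusts that still use forest-wide or
# domain-wide authentication. Assumes Windows PowerShell 2.0+ on a domain-joined computer.

function Get-TrustReport {
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $outbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound
    $external = [System.DirectoryServices.ActiveDirectory.TrustType]::External

    # Forest trusts are stored on the forest root domain.
    foreach ($trust in $forest.GetAllTrustRelationships()) {
        $selective = $null
        # Selective authentication is a setting of the trusting side, so it only applies where
        # the partner's users come in, i.e. the trust is inbound or bidirectional from here.
        if ($trust.TrustDirection -ne $outbound) {
            $selective = $forest.GetSelectiveAuthenticationStatus($trust.TargetName)
        }
        New-Object PSObject -Property @{
            Scope = "Forest"; Source = $trust.SourceName; Target = $trust.TargetName
            Type = $trust.TrustType; Direction = $trust.TrustDirection
            SelectiveAuthentication = $selective
        }
    }

    # Domain trusts: parent/child and tree-root trusts inside the forest, plus external trusts.
    foreach ($domain in $forest.Domains) {
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            $selective = $null
            if ($trust.TrustType -eq $external -and $trust.TrustDirection -ne $outbound) {
                $selective = $domain.GetSelectiveAuthenticationStatus($trust.TargetName)
            }
            New-Object PSObject -Property @{
                Scope = "Domain"; Source = $trust.SourceName; Target = $trust.TargetName
                Type = $trust.TrustType; Direction = $trust.TrustDirection
                SelectiveAuthentication = $selective
            }
        }
    }
}

$report = Get-TrustReport
$report | Format-Table Scope, Source, Target, Type, Direction, SelectiveAuthentication -AutoSize

"Trusts that let a partner's users authenticate to every computer here (no selective authentication):"
$report | Where-Object { $_.SelectiveAuthentication -eq $false } | Format-Table Source, Target, Type -AutoSize
```

A SelectiveAuthentication value of False on an inbound or bidirectional forest trust means the partner's users are treated like Authenticated Users on every computer in this forest; True means they can authenticate only to computers on which they have been granted the Allowed to Authenticate permission, which is what Lab B configures for NYC-DC2 and NYC-CL1. The command-line tool nltest /domain_trusts lists the same trusts and is a convenient cross-check.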

Lab B: Configuring Active Directory Trusts

Scenario

Woodgrove Bank also has established a partner relationship with another organization. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users and as few servers as possible.

Exercise 1: Configuring AD DS Trusts

In this exercise, you will configure trusts based on a trust-configuration design that the enterprise administrator provides. You also will test the trust configuration to ensure that the trusts are configured correctly.

Woodgrove Bank has initiated a strategic partnership with Fabrikam. Users at Woodgrove Bank will need to have access to several file shares and applications running on several servers at Fabrikam. Only users from Fabrikam should be able to access shares on NYC-SVR1.

The main tasks are as follows:

1. Start the virtual machines, and then log on.
2. Configure the Network and DNS Settings to enable the forest trust.
3. Configure a forest trust between WoodgroveBank.com and Fabrikam.com.
4. Configure selective authentication for the forest trust to enable access to only NYC-DC2.
5. Test the selective authentication.
6. Close all virtual machines and discard undo disks.

Task 1: Start the virtual machines, and then log on

1. In the Lab Launcher, next to 6419A-VAN-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-DC2, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to 6419A-VAN-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest trust

1. On VAN-DC1, modify the Local Area Network properties to change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110, and then click OK.
2. Synchronize the time on VAN-DC1 with NYC-DC1.

3. In DNS Manager, add a conditional forwarder to forward all queries for Woodgrovebank.com to 10.10.0.10.
4. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to forward all queries for Fabrikam.com to 10.10.0.110.
5. Close the DNS Manager console.
6. Raise the domain and forest functional level to Windows Server 2003.

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com

1. On NYC-DC1, start Active Directory Domains and Trusts from the Administrative Tools folder.
2. Right-click WoodgroveBank.com and then click Properties.
3. Start the New Trust Wizard and configure a forest trust with Fabrikam.com.
4. Configure both sides of the trust. Use Administrator@Fabrikam.com to verify the trust.
5. Accept the default setting of domain-wide authentication for both domains.
6. Confirm both trusts.

Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2

1. In Active Directory Domains and Trusts, modify the incoming trust from Fabrikam.com to use selective authentication.
2. In Active Directory Users and Computers, access NYC-DC2's properties. On the Security tab, grant the MarketingGG group from Fabrikam.com permission to authenticate to this server.
3. Access NYC-CL1's properties. On the Security tab, grant the MarketingGG group from Fabrikam.com permission to authenticate to this workstation.

Task 5: Test the selective authentication

1. Log on to the NYC-CL1 virtual machine as Adam@fabrikam.com using the password Pa$$w0rd.

Note: Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests and because he has been allowed to authenticate to NYC-CL1.

2. Try to access the \\NYC-DC2\Netlogon folder. Adam should be able to access the folder.
3. Try to access the \\NYC-DC1\Netlogon folder. Adam should not be able to access the folder because the server is not configured for selective authentication.

Result: At the end of this exercise, you will have configured trusts based on a trust configuration design.

Task 6: Close all virtual machines and discard undo disks

1. For each running virtual machine, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions

1. If there is a trust within a forest, and the resource is not in the user's domain, how does the domain controller use the trust relationship to access the resource?
2. The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU?
3. Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other's forest. What type of trust do you create between the forest root domain of each forest?

Real-World Issues and Scenarios

Scenario: Your organization has two domains: Contoso.com and Fabrikam.com. You need to allow users from Fabrikam.com to access a shared folder in Contoso.com. Describe the steps for configuring this access.

Question: How could you remove Write share permissions from a single file that is located inside a folder that is inheriting Write permissions from the shared folder in which it is located?

Question: When moving a folder in an NTFS partition, what permissions are required over the source file or folder and over the destination folder?

Considerations for Configuring Active Directory Objects

Supplement or modify the following best practices for your own work situations:

• Create a naming scheme for AD DS objects before starting the AD DS deployment. It is much easier to plan the naming strategies early in the AD DS deployment rather than change the names after deployment. Even if the organization only has a small number of users in a single domain, you need to plan how you will create user logon names and devise your group-naming strategy.
• Plan your AD DS group strategy before deploying AD DS. When planning the group strategy, consider the organization's plans for future growth. For example, you may want to implement an account group/resource group strategy if the organization has an aggressive growth strategy or is likely to establish key partnerships that may require forest trusts.
• Look for opportunities to automate AD DS management tasks. It can take considerable time to create csvde and ldifde files, or to write VBScript or Windows PowerShell scripts. However, once these tools are in place, they can save a great deal of time.
• Another option for decreasing the workload of AD DS administrators is to delegate tasks. One strategy for determining what tasks to delegate is to analyze what tasks take the most time for AD DS administrators. If mundane tasks, such as creating user accounts, resetting passwords, or updating user information, take a significant amount of time, consider delegating those specific tasks to other users.

Tools

Use the following tools when configuring AD DS objects and trusts:

Tool: Server Manager
Use for: Accessing the AD DS management tools in a single console.
Where to find it: Click Start, point to Administrative Tools, and then click Server Manager.

Tool: Active Directory Users and Computers
Use for: Creating and configuring all AD DS objects.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

Tool: Active Directory Domains and Trusts
Use for: Creating and configuring trusts.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

Tool: Command line tools (including Csvde and Ldifde)
Use for: Creating and configuring AD DS objects.
Where to find it: These are installed by default and are accessible at a command prompt.

Tool: Windows PowerShell
Use for: Writing scripts that can automate AD DS object management.
Where to find it: Windows PowerShell is available as a download from Microsoft and can be installed as a feature in Windows Server 2008. After installing Windows PowerShell, all cmdlets are accessible through the Windows PowerShell command shell.

Creating and Configuring Group Policy 6-1

Module 6
Creating and Configuring Group Policy

Contents:
Lesson 1: Overview of Group Policy 6-3
Lesson 2: Configuring the Scope of Group Policy Objects 6-18
Lesson 3: Evaluating the Application of Group Policy Objects 6-31
Lesson 4: Managing Group Policy Objects 6-37
Lesson 5: Delegating Administrative Control of Group Policy 6-47
Lab A: Creating and Configuring GPOs 6-51
Lab B: Verifying and Managing GPOs 6-57

Module Overview

Administrators face increasingly complex challenges in managing the Information Technology (IT) infrastructure. They must deliver and maintain customized desktop configurations for a greater variety of employees, such as mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Group Policy and the Active Directory® Domain Services (AD DS) infrastructure in Microsoft® Windows Server® 2008 enable IT administrators to automate user and computer management, thus simplifying administrative tasks and reducing IT costs. With Group Policy and AD DS, administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units (OUs).

Lesson 1: Overview of Group Policy

This lesson introduces you to how to use Group Policy to simplify managing computers and users in an Active Directory environment. You will learn how Group Policy Objects (GPOs) are structured and applied, and about some of the exceptions to how GPOs are applied. This lesson also discusses Group Policy features that are included with Windows Server 2008, which also will help simplify computer and user management.

What Is Group Policy?

Key Points

Group Policy is a Microsoft technology that supports one-to-many management of computers and users in an Active Directory environment. A Group Policy object is the collection of settings that are applied to selected users and computers. By editing Group Policy settings and targeting a Group Policy Object (GPO) at the intended users or computers, you can centrally manage specific configuration parameters. In this way, you can manage potentially thousands of computers or users by changing a single GPO. Group Policy can control many aspects of a target object's environment, including the registry, NTFS file system security, audit and security policy, software installation and restriction, logon/logoff scripts, desktop environment, and so on.

One GPO can be associated with multiple containers in AD DS, through linking. Conversely, multiple GPOs may link to one container.

Each computer running a Microsoft Windows® operating system has a local Group Policy object, whether or not it is part of an Active Directory environment or a networked environment. In these objects, Group Policy settings are stored on individual computers. Local Group Policy objects contain fewer settings than nonlocal Group Policy objects, particularly under Security Settings. Local Group Policy objects do not support Folder Redirection or Group Policy Software Installation.

Question: When would local Group Policy be useful in a domain environment?

Group Policy Settings

Key Points

Group Policy has thousands of configurable settings (approximately 2,400). These settings can affect nearly every area of the computing environment. You cannot apply all of the settings to all versions of Microsoft Windows operating systems. For example, many of the new settings that came with the Microsoft Windows XP Professional operating system, Service Pack (SP) 2, such as software restriction policies, only applied to that operating system. Equally, many of the hundreds of new settings only apply to the Microsoft Windows Vista® operating system and Windows Server 2008. If a computer has a setting applied that it cannot process, it simply ignores it.

Group Policy structure

Group Policy is split into two distinct areas:

Group Policy area: Computer configuration
What it does: Affects the HKEY_Local_Machine registry hive. Software deployed to the computer is available to all users of that computer.

Group Policy area: User configuration
What it does: Affects the HKEY_Current_User registry hive. Software deployed to a user is specific to that user.

Configuring Group Policy settings

Each area has three sections:

Section: Software settings
Description: Software can be deployed to either the user or the computer.

Section: Windows settings
Description: Contains script settings and security settings for both user and computer, and Internet Explorer® maintenance for the user configuration.

Section: Administrative templates
Description: Contains hundreds of settings that modify the registry to control various aspects of the user or computer environment.

Group Policy areas in Windows Vista and Server 2008
Many areas of Group Policy have been enhanced to include new features. They include:

Feature / Function
Antivirus: Manages attachments behavior.
Client Help: Determines where users can access help systems.
Deployed Printer Connections: Automates printer deployment.
Internet Explorer 7: Replaces and expands the current Internet Explorer Maintenance extension.
Wireless Configuration: Sets up network wireless policies.
Terminal Services (TS): Enhances security and manageability of TS remote connections.
Windows Error Reporting: Disables Windows Feedback for any or all components.

New areas of Group Policy include:

Feature / Function
Removable storage device management: Controls installation of hardware classes, and the read/write capabilities of removable storage devices.
Power management: Controls all power management settings using Group Policy.
User Account Control: Controls the behavior of the User Account Control feature.
Network Access Protection: Manages Health Registration Authority, Internet Authentication Service, and Network Access Protection.
Windows Defender: Configures Windows Defender settings.
Windows Firewall with Advanced Security: Controls Windows Firewall advanced configurations.

Group Policy examples

Example 1: As the domain administrator, you want to disable the write ability for removable disks in a GPO: In the Group Policy Editor, point to Computer Configuration, point to Administrative Templates, point to System, point to Removable Storage Access, and then enable the Removable Disks: Deny write access setting. You will need to restart the clients to accept the setting.

Example 2: As the domain administrator, you want to disable the User Account Control prompt for Administrators: In the Group Policy Editor, point to Computer Configuration, point to Windows Settings, point to Security Settings, point to Local Policies, point to Security Options, and then set the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Elevate without prompting.

Note: A number of settings appear in both the user and the computer configuration, for example, Offline file or Windows Messenger settings. With few exceptions, in case of a conflict between the user and computer setting, the user settings will be ignored, and the computer setting will be applied.

Question: Which of the new features will you find the most useful in your environment?
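The two examples above are verified on a client by reading the registry values the settings write. The script below is an added example, not part of the course book; the policy-to-registry mappings it uses come from the Administrative Template definitions, not from this page.

```powershell
# Added example (not from the course book): reads the registry values that the
# two example settings above write on a client, so an administrator can verify
# after "gpupdate /force" and a restart what actually took effect.
# Assumed policy-to-registry mappings (from the Administrative Template
# definitions, not from the page):
#   Removable Disks: Deny write access
#     -> HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\
#        {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write = 1
#   UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode
#     -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
#        ConsentPromptBehaviorAdmin (0 = Elevate without prompting)

$RemovableDisksKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$UacKey            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null means the value is absent, i.e. the setting is Not Configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-RemovableDiskWriteStatus {
    $denyWrite = Get-PolicyValue -Key $RemovableDisksKey -Name 'Deny_Write'
    if ($denyWrite -eq $null) { return 'Not configured (or the restart the setting needs is still pending)' }
    if ($denyWrite -eq 1)     { return 'Write access to removable disks is denied' }
    return "Configured with value $denyWrite; writes are not denied"
}

function Get-UacAdminPromptStatus {
    $prompt = Get-PolicyValue -Key $UacKey -Name 'ConsentPromptBehaviorAdmin'
    if ($prompt -eq $null) { return 'Not set by policy; the local default applies' }
    # Example 2 sets 0. That removes the consent step for every administrator
    # logon, so the check flags it explicitly rather than reporting it silently.
    if ($prompt -eq 0) { return 'Elevate without prompting: administrators are never asked before elevation' }
    return "Prompting is still in effect (ConsentPromptBehaviorAdmin = $prompt)"
}

Write-Host ('Removable Disks: Deny write access -> ' + (Get-RemovableDiskWriteStatus))
Write-Host ('UAC admin elevation prompt        -> ' + (Get-UacAdminPromptStatus))
```

Run it on a client that has received the GPO; a "Not configured" result after a restart usually means the GPO did not reach the computer, which the reporting tools in Lesson 3 can explain.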

How Group Policy Is Applied

Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to a user or computer, the client component interprets the policy, and then makes the appropriate environment changes. These components are known as Group Policy client-side extensions. As GPOs are processed, the gpsvc service passes the list of GPOs that must be processed to each Group Policy client-side extension, when applicable. The extension then uses the list to process the appropriate policy.

Question: What would be some advantages and disadvantages to lowering the refresh interval?

Exceptions to Group Policy Processing

Key Points
Different factors can change the normal Group Policy processing behavior, such as logging on using a slow connection. Also, different types of connections or operating systems handle Group Policy processing differently.

Question: How is Network Location Awareness (NLA) better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?

Group Policy Components

Key Points
Group Policy has three major components:
• Group Policy templates
• Group Policy container
• Group Policy objects

You can use Group Policy templates to create and configure Group Policy settings, which are stored by the GPOs. The GPOs in turn are stored in the System Volume (SYSVOL) container in AD DS. The SYSVOL container acts as a central repository for the GPOs. In this way, one policy may be associated with multiple Active Directory containers through linking. Conversely, multiple policies may link to one container.

Question: Think of at least one example of how your organization can benefit by using the Group Policy components.

What Are ADM and ADMX Files?

Key Points
ADM Files
Traditionally, ADM files have been used to define the settings the administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. The ADM templates are located in the %SystemRoot%\Inf folder. ADM files use their own markup language. Because of this, it is difficult to customize ADM files.

ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings are defined using a standards-based XML file format known as ADMX files. These new files replace ADM files. Group Policy tools on Windows Vista and Server 2008 will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that ADMX files have superseded.

Question: How could you tell if a GPO was created or edited using ADM or ADMX files?

Question: List one benefit of the ADMX format with Group Policy Objects.

What Is the Central Store?

Key Points
For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs. The GPO Editor on Microsoft Windows Vista and Windows Server 2008 automatically reads and displays Administrative Template policy settings from ADMX files that the central store caches, and ignores the ones stored locally. If the domain controller is not available, then the local store is used.

You must create the central store, and then update it manually on a domain controller. The File Replication Service (FRS) will replicate the domain controller to that domain's other controllers. The use of ADMX files is dependent on the operating system of the computer where you are creating or editing the GPO. Therefore, the domain controller can be a server with Microsoft Windows 2000, Microsoft Windows Server 2003, or Windows Server 2008.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies

Note: FQDN is a fully qualified domain name. For example, to create a Central Store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location:
\\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies

Copy all files from the PolicyDefinitions folder on a Windows Vista-based client computer to the PolicyDefinitions folder on the domain controller. The PolicyDefinitions folder on a Windows Vista-based computer resides in the same folder as Windows Vista. The PolicyDefinitions folder on the Windows Vista-based computer stores all .admx files and .adml files for all languages that are enabled on the client computer.

Question: What would be the advantage of creating the central store in your environment?
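The manual steps above (create the PolicyDefinitions folder under SYSVOL, then copy the .admx files and the per-language .adml subfolders into it) as a repeatable script. This is an added example, not code from the course book; it assumes the domain FQDN can be read from the USERDNSDOMAIN environment variable and that the local PolicyDefinitions folder lives under %SystemRoot%.

```powershell
# Added example (not from the course book): creates the Central Store described
# above and copies the local PolicyDefinitions folder (.admx files plus each
# language subfolder of .adml files) into it. Run it on a Windows Vista or
# Windows Server 2008 computer as a user who may write to SYSVOL.
# Assumption: the domain FQDN is taken from the USERDNSDOMAIN environment
# variable; pass -DomainFqdn explicitly if you prefer.

function New-AdmxCentralStore {
    param(
        [string]$DomainFqdn   = $env:USERDNSDOMAIN,
        [string]$SourceFolder = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [switch]$WhatIf
    )
    if (-not $DomainFqdn) { throw 'Domain FQDN not found; pass -DomainFqdn.' }

    # \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions, the path given on this page.
    $store = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"

    if (-not (Test-Path $SourceFolder)) {
        throw "Local PolicyDefinitions folder not found: $SourceFolder"
    }
    if (-not (Test-Path $store)) {
        if ($WhatIf) { Write-Host "Would create $store" }
        else { New-Item -Path $store -ItemType Directory | Out-Null }
    }

    # .admx files sit in the folder root; .adml files sit in per-language
    # subfolders such as en-US. Copy both, preserving the layout, and only
    # overwrite when the source is newer so a re-run never regresses a file.
    $copied = 0
    Get-ChildItem -Path $SourceFolder -Recurse -Include *.admx, *.adml | ForEach-Object {
        $relative  = $_.FullName.Substring($SourceFolder.Length).TrimStart('\')
        $target    = Join-Path $store $relative
        $targetDir = Split-Path $target -Parent
        if (-not (Test-Path $targetDir) -and -not $WhatIf) {
            New-Item -Path $targetDir -ItemType Directory | Out-Null
        }
        $existing = Get-Item $target -ErrorAction SilentlyContinue
        if (-not $existing -or $_.LastWriteTime -gt $existing.LastWriteTime) {
            if ($WhatIf) { Write-Host "Would copy $relative" }
            else { Copy-Item -Path $_.FullName -Destination $target -Force }
            $copied++
        }
    }
    Write-Host "$copied file(s) copied to $store"
}

# Report what the Central Store would receive before writing to SYSVOL;
# drop -WhatIf to perform the copy.
New-AdmxCentralStore -WhatIf
```

Because FRS replicates the Policies tree, a single run against one domain controller is enough; the other controllers receive the folder on the next replication cycle.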

Demonstration: Configuring Group Policy Objects

Key Points
• Open the Group Policy Management Console (GPMC).
• Create a new Group Policy named Desktop in the Group Policy container.
• In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.
• In the user configuration, remove the Search menu from the Start menu, and hide the Screen Saver tab.

Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not?

Lesson 2: Configuring the Scope of Group Policy Objects
There are several techniques in Group Policy that allow administrators to manipulate how Group Policy is applied. You can control the default processing order of policy through enforcement, blocking inheritance, security filtering, Windows Management Instrumentation (WMI) filters, or using the loopback processing feature. In this lesson, you will learn about these techniques.

Group Policy Processing Order

Key Points
The GPOs that apply to a user or computer do not all have the same precedence. GPOs are applied in a particular order. This order means that settings that are processed first may be overwritten by settings that are processed later. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for that particular OU. If you link several GPOs to an organizational unit, their processing occurs in the order that the administrator specifies on the Linked Group Policy Objects tab for the organizational unit in the Group Policy Management Console (GPMC).

Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?

What Are Multiple Local Group Policy Objects?

Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user configuration available in the local Group Policy. That configuration was applied to all users logged on from the local computer. This is still true, but Windows Vista and Windows Server 2008 have an added feature. In Windows Vista and Windows Server 2008, it now is possible to have different user settings for different local users, although there remains only one computer configuration available that affects all users. Domain administrators can disable Local Group Policy objects processing on clients running Windows Vista or Windows Server 2008 by enabling the "Turn off Local Group Policy objects processing" policy setting in a domain GPO.

Question: When would multiple local Group Policy objects be useful in a domain environment?

Options for Modifying Group Policy Processing

Key Points
There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain users or groups may need to be exempt from restrictive Group Policy settings, or a GPO should be applied only to computers with certain hardware or software characteristics. However, you can modify that behavior through various methods.

• Using block inheritance prevents the child level from automatically inheriting GPOs linked to higher sites, domains, or organizational units.
• GPO-links that are enforced cannot be blocked from the parent container.
• By default, all Group Policy settings apply to the Authenticated Users group in a given container. By denying or granting the Apply Group Policy permission, you can control which users, groups, or computers actually receive the GPO settings. Security group filtering will override enforcement.

• WMI provides access to properties of almost every hardware and software object in the computing environment. Through WMI scripts, these properties can be evaluated, and decisions about the application of Group Policy are made based on the results.
• You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.
• You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling that container's GPO link.

Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?

Demonstration: Configuring Group Policy Object Links

Key Points
• Link the policy you created in the previous demo to the Toronto OU.
• Log on as one of the Toronto users to test the results.
• Disable the computer or user side of the policy. Doing this gives some performance advantage by not processing parts of the policy that are known to be empty.
• Disable the entire policy. Occasionally you may need to do this for troubleshooting policies.

Question: True or false – if a GPO is linked to multiple containers, altering the settings for one of those links will only affect that container.

Demonstration: Configuring Group Policy Inheritance

Key Points
• Create a new OU and a new user in the OU.
• In the Default Domain policy, enable the setting to remove the Help menu from the Start menu. Test the settings.
• Block inheritance for the new OU. Test the settings.
• Enforce the Default Domain policy. Test the settings.
• Turn off enforcement and inheritance blocking.

Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?

Demonstration: Filtering Group Policy Objects Using Security Groups

Key Points
• Create a new user in the OU that you created for the last demo.
• Create a link between the OU and the GPO that removes the Search link from the Start menu.
• Log on as the first user and test that there is no Help menu link.
• Use security filtering to exempt the new user from the GPO setting.
• Log on as the new user and test that the Help menu link appears because security filtering is in place.

Question: You want to ensure that a specific policy linked to an OU will only affect the members of the Managers global group. How would you accomplish this?

Demonstration: Filtering Group Policy Objects Using WMI Filters

Key Points
• Use the GPMC to create a new WMI filter that targets only XP Professional clients:
  Namespace: Root\CimV2
  Query: Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
• Use the GPMC to create a new GPO named software.
• Assign the WMI filter to the software GPO.

Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?
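A WMI filter is evaluated on the client, so the query should be tested on a client before it is attached to a GPO. The script below is an added example, not part of the course book: it runs the page's Win32_OperatingSystem query locally exactly as the filter engine would, and goes beyond the page with two constructed queries (a LIKE variant of the caption match and a Win32_ComputerSystem memory query) to show how a filter with several queries behaves.

```powershell
# Added example (not from the course book): evaluates WMI filter queries on the
# local computer the way Group Policy does, so a filter can be checked before
# it is assigned to a GPO. A WMI filter passes when every one of its queries
# returns at least one instance; a query that returns nothing means the GPO
# will not apply to this computer.
# The LIKE query and the RAM query are constructed for this example and are
# not from the page.

function Test-WmiFilterQuery {
    param(
        [string]$Namespace = 'root\CimV2',
        [Parameter(Mandatory = $true)][string]$Query
    )
    # Get-WmiObject -Query runs the same WQL the GPMC filter dialog accepts.
    $instances = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

function Test-WmiFilter {
    # A filter can hold several queries; all of them must match for it to pass.
    param([string[]]$Queries)
    foreach ($q in $Queries) {
        if (-not (Test-WmiFilterQuery -Query $q)) { return $false }
    }
    return $true
}

# The query from the demonstration above.
$xpQuery = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'

# Caption values carry product-specific text (and on some builds a trailing
# space), so an exact "=" match can fail silently; LIKE tolerates that.
$xpLikeQuery = 'Select * from Win32_OperatingSystem where Caption like "%Windows XP Professional%"'

# Constructed query: TotalPhysicalMemory is reported in bytes, so 1 GB is 1073741824.
$ramQuery = 'Select * from Win32_ComputerSystem where TotalPhysicalMemory > 1073741824'

$localCaption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
Write-Host ("Local OS caption: '{0}'" -f $localCaption)

foreach ($q in $xpQuery, $xpLikeQuery, $ramQuery) {
    $match = Test-WmiFilterQuery -Query $q
    Write-Host ("{0,-5} {1}" -f $match, $q)
}

$combined = Test-WmiFilter -Queries $xpLikeQuery, $ramQuery
Write-Host ("Combined filter (XP Professional and more than 1 GB RAM) applies here: {0}" -f $combined)
```

Printing the local Caption next to the result shows why an exact-match filter that looks right in the GPMC can still exclude every computer.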

How Does Loopback Processing Work?

Key Points
User policy settings are normally derived entirely from the GPOs associated with the user account, based on its AD DS location. Both the user objects and the computer objects can potentially have different group policy settings applied (depending upon where each object resides in AD). Loopback processing directs the system to apply an alternate set of user settings for the computer to any user who logs on to a computer affected by this policy. Loopback processing ensures that the computer objects policy takes precedence over the user objects group policy settings. Loopback processing is intended for special-use computers where you must modify the user policy based on the computer being used, such as the computers in public areas or classrooms. However, when you apply loopback, it will affect all users except local ones.

Loopback operates using the following two modes:
• Merge mode
• Replace mode

Question: List one of the benefits of using loopback processing.

Discussion: Configuring the Scope of Group Policy Processing

Scenario
Use the following scenario information for your discussion.

Physical structure
Woodgrove bank has a single domain that spans two sites, Head Office and Toronto. The Toronto site is connected to the Head Office site across a high-speed link. Within the Head Office site, there is a branch office in Winnipeg. There are five users in the Winnipeg office. This office is connected to Head Office across a slow link. There is no domain controller in the Winnipeg office, but there is a SQL server. This organization has deployed both Windows XP Professional and Windows Vista computers.

Requirements
All domain computers that have Windows XP Professional installed will have a small software application distributed through Group Policy. Domain users should not have access to the desktop display properties. The Administrators group will be exempt from this restriction. Both the Winnipeg and Toronto branch users will have further desktop restrictions applied. Both branches will have a kiosk computer available in the lobby for public Internet access. This computer needs to be locked down so that the user cannot change any settings. Their computer accounts are located in their respective branches' OU. All servers must have baseline security settings applied. The computer accounts for all servers other than domain controllers will be located in the server's OU or in a nested OU inside the Servers OU. SQL servers must have additional security settings applied.

Question: How would you construct a Group Policy scheme to satisfy the requirements?

Multimedia activity
The "Implementing Group Policy" activity includes multiple choice and drag-and-drop exercises that test your knowledge. To access the activity, open the Web page on the Student Materials CD, click Multimedia, and then click Implementing Group Policy. Read the instructions, and then click the Effects of Group Policy Settings tab to begin the activity.

Lesson 3: Evaluating the Application of Group Policy Objects
System administrators need to know how Group Policy settings affect computers and users in a managed environment. This information is essential when planning Group Policy for a network, and when debugging existing GPOs. Obtaining the information can be a complex task when you consider the many combinations of sites, domains, and organizational units that are possible, and the many types of Group Policy settings that can exist. Further complicating the task are security group filtering, blocking, and enforcement, and GPO inheritance. The Group Policy Results (GPResult.exe) command-line tool and the GPMC provide reporting features to simplify these tasks.

What Is Group Policy Reporting?

Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. The Group Policy Results feature allows administrators to determine the resultant policy set that was applied to a given computer and/or user that logged on to that computer. Two main reporting tools are the GPResult.exe command-line tool, and the Group Policy Results Wizard in the GPMC. Although these tools are similar, they each provide different information.

The built-in Windows firewall must be configured to allow the incoming traffic we want by using a Group Policy Object (GPO), so ironically, such a policy is the only one we definitely cannot force to firewall-enabled remote computers.

The policy setting that needs to be enabled for all the mentioned methods is the following: Computer Settings | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | "Windows Firewall: Allow remote administration exception".

Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use to find that out?

What Is Group Policy Modeling?

Key Points
Another method for testing Group Policy is to use the Group Policy Modeling Wizard in the GPMC to model environment changes before you actually make them. The Group Policy Modeling Wizard calculates the simulated net effect of GPOs. Group Policy Modeling also simulates such things as security group membership, WMI filter evaluation, and the effects of moving user or computer objects to a different OU or site. You also can specify slow-link detection, loopback processing, or both when using the Group Policy Modeling Wizard. The Group Policy Modeling process actually runs on a domain controller in your Active Directory domain. Because the wizard never queries the client computer, it cannot take local policies into account.

Question: What simulations can be performed with the Group Policy Modeling Wizard? Choose all that apply.
a. Loopback processing
b. Moving a user to a different domain in the same forest
c. Security group filtering
d. Slow link detection
e. WMI filtering
f. All of the above

Demonstration: How to Evaluate the Application of Group Policy

Key Points
• Log on using the WOODGROVEBANK\Administrator account.
• Run GPResult. Examine the output, and save the report as an HTML file.
• Use the GPMC to run the Group Policy Reporting Wizard for a User, and then compare the differences.
• Use the GPMC to run the Group Policy Modeling Wizard to simulate what would happen if the User moved to a different OU.

Question: A user reports that they are unable to access Control Panel. Other users in the department can access Control Panel. What tools might you use to troubleshoot the problem?
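The GPResult steps above, wrapped so the report is saved and the lines an administrator compares first are pulled out of the text output. This is an added example, not code from the course book; it assumes English-language GPResult output and a Windows Vista or Windows Server 2008 client (the /h switch is not available on Windows XP).

```powershell
# Added example (not from the course book): wraps GPResult.exe, which the
# demonstration runs by hand, to save the HTML report and to extract what is
# compared first when one user is missing a setting that colleagues have:
# which domain controller supplied policy, which GPOs were applied, and which
# were filtered out and why. Assumes English GPResult output and Windows Vista /
# Windows Server 2008 (the /h switch does not exist on Windows XP).

function Save-GpResultReport {
    param([string]$Path = (Join-Path $env:TEMP 'gpresult.html'))
    # /h writes the same report the GPMC Results Wizard shows; /f overwrites an old copy.
    & gpresult.exe /h $Path /f | Out-Null
    return $Path
}

function Get-GpResultSummary {
    param([ValidateSet('user', 'computer')][string]$Scope = 'user')
    $lines = & gpresult.exe /r "/scope:$Scope"

    $summary = New-Object PSObject
    $summary | Add-Member NoteProperty PolicySource $null
    $summary | Add-Member NoteProperty AppliedGpos  @()
    $summary | Add-Member NoteProperty FilteredGpos @()

    $section = ''
    foreach ($raw in $lines) {
        $line = $raw.Trim()
        if ($line -match '^Group Policy was applied from:\s*(.+)$') {
            $summary.PolicySource = $matches[1]
        }
        elseif ($line -like 'Applied Group Policy Objects*')        { $section = 'applied';  continue }
        elseif ($line -like 'The following GPOs were not applied*')  { $section = 'filtered'; continue }
        elseif ($line -match '^The (user|computer) is a part of')    { $section = '' }
        elseif ($line -match '^-+$' -or $line -eq '')               { continue }
        elseif ($section -eq 'applied') { $summary.AppliedGpos += $line }
        elseif ($section -eq 'filtered') {
            if ($line -like 'Filtering:*') {
                # The reason line follows the GPO name; attach it to that name so
                # "Denied (Security)" or "Not Applied (Empty)" stays with its GPO.
                $last = $summary.FilteredGpos.Count - 1
                if ($last -ge 0) { $summary.FilteredGpos[$last] += " ($line)" }
            } else {
                $summary.FilteredGpos += $line
            }
        }
    }
    return $summary
}

$report = Save-GpResultReport
Write-Host "HTML report saved to $report"

$user = Get-GpResultSummary -Scope user
Write-Host "Policy source: $($user.PolicySource)"
Write-Host 'Applied user GPOs:';  $user.AppliedGpos  | ForEach-Object { Write-Host "  $_" }
Write-Host 'Filtered user GPOs:'; $user.FilteredGpos | ForEach-Object { Write-Host "  $_" }
```

Running Get-GpResultSummary on the affected user's session and on a colleague's and comparing the two lists shows whether the Control Panel restriction was delivered, skipped by security filtering, or never linked to that user's container.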

Lesson 4: Managing Group Policy Objects
GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in the event of error or disaster. It helps you avoid manually recreating lost or damaged GPOs, and having to again go through the planning, testing, and deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of all GPOs. GPMC also provides for copying and importing GPOs, both from the same domain and across domains.

GPO Management Tasks

Key Points
Like critical data and Active Directory-related resources, you must back up GPOs to protect the integrity of AD DS and GPOs. The GPMC not only provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes.

• You can back up GPOs individually or as a whole with the GPMC.
• The restore interface provides the ability for you to view the settings stored in the backed-up version before restoring it.
• You can copy GPOs using the GPMC, both in the same domain and across domains.
• Importing a GPO allows you to transfer settings from a backed-up GPO to an existing GPO. It does not modify the existing security or links on the destination GPO.

Note: It is not possible to merge imported settings with the current target GPO settings; the imported settings will overwrite all existing settings.

Note: It is not possible to copy settings from multiple GPOs into a single GPO.

Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?

What Is a Starter GPO?

Key Points
Starter GPOs store a collection of Administrative Template policy settings in a single object. In this way, Starter GPOs act as templates for creating GPOs. When you create a new GPO from a Starter GPO, the new GPO has all the Administrative Template settings that the Starter GPO defined. Starter GPOs only contain Administrative Templates. You can import and export Starter GPOs to distribute them to other areas of your enterprise, which helps provide consistency in distributed environments. Individual Starter GPOs can be exported into .Cab files for easy distribution. You then can import these cab files back into the GPMC. The GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.

Question: List one of the benefits of using Starter GPOs.

in all 24 languages in which Windows Vista and Windows XP SP2 are available.

Demonstration: Starter GPOs

Key Points
• Open the Group Policy Management console.
• In the GPMC console tree, click Starter GPOs.
• In the results pane, click the Contents tab, and then click Load Cabinet.
• In the Load Starter GPO dialog box, click Browse for CAB.
• Click the name of the Starter GPO cabinet file that you want to install, and then click Open.
• In the Load Starter GPO dialog box, confirm that the correct Starter GPO cabinet file is specified, and then click OK.
• On the Contents tab, confirm that the name of the Starter GPO that you installed appears in the list of Starter GPOs.

The Starter GPO will be created in the shared SYSVOL folder found on domain controllers.

Demonstration: How to Copy a GPO

Key Points
• Use the GPMC to copy the Desktop policy that you created in the previous demonstration.
• Rename the resulting GPO with the name of your choice.

Question: What is the advantage of copying a GPO and linking it to an OU over linking the original GPO to multiple OUs?

Demonstration: Backing Up and Restoring GPOs

Key Points
• Create a folder named GPO_Back to hold the backed up GPOs.
• Back up an individual GPO.
• Back up all GPOs.
• Delete one of the GPOs from the Group Policy folder.
• Restore the GPO from the backup version.

Question: What permissions are required to back up a GPO?

Demonstration: Importing a GPO

Key Points
• Create a new GPO named Redirect.
• Configure the Redirect policy to redirect the My Documents folder to a UNC path of \\server\share.
• Back up the Redirect policy.
• Create a new GPO named Imported.
• Import the policy settings from the Redirect policy to the Imported policy.

• When the scan discovers the settings that may need to be modified, create a new migration table that changes the UNC path from \\server\share to \\Srv1\docs.
• Finish the Import Wizard, and show that the UNC path for My Documents has changed from \\server\share to \\Srv1\docs.

Question: What is the purpose of a migration table?

Migrating Group Policy Objects

Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX templates. The associated ADML file is also created. Converted files are saved into the user's documents folder by default. Once you create the new files, copy the ADMX file into the PolicyDefinitions folder, or the central store, and copy the ADML file into the appropriate subfolder. The new Administrative Templates then become available in the GPMC.

Question: List at least one benefit of using the ADMX Migrator utility.

Lesson 5: Delegating Administrative Control of Group Policy
In a distributed environment, it is common to have different groups delegated to perform different administrative tasks. Group Policy management is one of the administrative tasks that you can delegate.

Options for Delegating Control of GPOs

Key Points
Delegation allows the administrative workload to be distributed across the enterprise. One group could be tasked with creating and editing GPOs, while another group performs reporting and analysis duties. A separate group might be in charge of WMI filters. The following Group Policy tasks can be independently delegated:
• Creating GPOs
• Editing GPOs
• Managing Group Policy links for a site, domain, or OU
• Performing Group Policy Modeling analyses on a given domain or OU
• Reading Group Policy Results data for objects in a given domain or OU
• Creating WMI filters in a domain

The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.

Question: List one of the benefits of the administrator delegating rights to create new Group Policies.

Demonstration: How to Delegate Administrative Control of GPOs

Key Points
• Use the Delegation of Control Wizard to delegate to a user the right to link an existing GPO, and to use the Group Policy reporting tools.
• Use the GPMC to delegate the user the right to edit the desktop policy.
• Use the GPMC to delegate a different user the right to create Group Policy.

Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?

Lab A: Creating and Configuring GPOs

Scenario
The Woodgrove Bank has decided to implement Group Policy to manage user desktops and to configure computer security. The organization already implemented an OU configuration that includes top-level OUs by location, with additional OUs within each location OU for different departments. User accounts are in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.

Group Policy Requirements
• Domain users will not have access to the Run menu. The policy will apply to all users except users in the IT Admin OU.
• Executives will not have access to the desktop display settings.

6-52 Configuring, Managing and Maintaining Windows Server 2008 Servers

• The NYC, Miami and Toronto branch users will not have access to the Control Panel. All branch managers will be exempt from this restriction.
• Users in the administrators group will have the URL for Microsoft support added to their Favorites.
• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.
• Computers running Windows Vista or Windows XP will have additional settings applied to wait for the network at startup.
• Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Creating and Configuring Group Policy Objects

You will create and link the GPOs that the enterprise administrator's design specifies. Tasks include modifying the default domain policy, and creating policy settings linked to specific OUs and sites.

The main tasks are as follows:
1. Start and log on to NYC-DC1.
2. Create the GPOs.
3. Configure GPOs.
4. Link the GPOs.

Task 1: Start the virtual machines and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Creating and Configuring Group Policy 6-53

Task 2: Create the group policy settings
• Use the GPMC to perform the following:
  • Create a GPO named Restrict Control Panel.
  • Create a GPO named Restrict Desktop Display.
  • Create a GPO named Admin Favorites.
  • Create a GPO named Baseline Security.
  • Create a GPO named Kiosk Computer Security.
  • Create a GPO named Restrict Run Command.
  • Create a GPO named Vista and XP Security.

Task 3: Configure the policy settings
1. Edit the Restrict Control Panel GPO (User Configuration\Policies\Administrative Templates\Control Panel\Prohibit access to the Control Panel) to prevent user access to Control Panel.
2. Edit the Restrict Desktop Display GPO (User Configuration\Policies\Administrative Templates\Control Panel\Display\Remove Display in Control Panel) to prevent access to the desktop display settings, and to hide and disable all items on the desktop for the logged on user.
3. Edit the Admin Favorites GPO (User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\URLs\Favorites and Links) to include the URL for Microsoft tech support (http://support.microsoft.com) in the Internet Favorites.
4. Edit the Baseline Security GPO (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name) so that the name of the last logged on user is not displayed.
5. Edit the Kiosk Computer Security GPO (Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode) to use loopback processing.

6-54 Configuring, Managing and Maintaining Windows Server 2008 Servers

6. Edit the Restrict Run Command GPO (User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run Menu from the Start Menu) to prevent access to the Run menu.
7. Edit the Vista and XP Security GPO (Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon) to ensure that computers wait for the network at startup.

Task 4: Link the GPOs to the appropriate containers
• Use the GPMC to perform the following:
  • Link the Restrict Run Command GPO to the domain container.
  • Link the Restrict Control Panel GPO to the NYC, Miami and Toronto OUs.
  • Link the Restrict Desktop Display GPO to the Executive OU.
  • Link the Admin Favorites GPO to the ITAdmins OU.
  • Link the Baseline Security GPO to the domain container.
  • Link the Vista and XP Security GPO to the domain container.
  • Link the Kiosk Computer Security GPO to the domain container.

Result: At the end of this exercise, you will have created and configured GPOs.

Creating and Configuring Group Policy 6-55

Exercise 2: Managing the Scope of GPO Application

In this exercise, you will configure the scope of GPO settings based on the enterprise administrator's design. Tasks include disabling portions of GPOs, blocking and enforcing inheritance, and applying filtering based on security groups and WMI filters.

The main tasks are as follows:
1. Configure Group Policy management for the domain container.
2. Configure Group Policy management for the IT Admin OU.
3. Configure Group Policy management for the branch OUs.
4. Create and apply a WMI filter for the Vista and XP Security GPO.

Task 1: Configure Group Policy management for the domain container
1. Configure the Baseline Security link to be Enforced, and disable the User side of the policy.
2. Configure the Vista and XP Security link to be Enforced.
3. Use security group membership filtering to configure the Kiosk Computer Security GPO to apply only to the Kiosk Computers global group.

Task 2: Configure Group Policy management for the IT Admin OU
• Block inheritance at the IT Admin OU, to exempt the ITAdmins users from the Restrict Run Command GPO.

6-56 Configuring, Managing and Maintaining Windows Server 2008 Servers

Task 3: Configure Group Policy management for the branch OUs
• Use security group membership filtering to configure the Restrict Control Panel GPO to deny the Apply Group Policy permission to the following groups:
  • Mia_BranchManagersGG
  • NYC_BranchManagersGG
  • Tor_BranchManagersGG

Task 4: Create and apply a WMI filter for the Vista and XP Security GPO
1. Open GPMC and create a new WMI Filter.
2. Create a new WMI query to retrieve users from the Windows XP and Windows Vista operating systems.
3. In the WMI Query box, write a query to retrieve Windows XP and Windows Vista users.

Result: At the end of this exercise, you will have configured the scope of GPO settings.
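The WQL behind a GPMC WMI filter is evaluated on each client against Win32_OperatingSystem, so it can be tested before it is attached to the Vista and XP Security GPO. The script below is an added example, not course material; the ProductType clause is an addition of this example (the lab's own query is not shown) that keeps Windows Server 2008, which shares Vista's 6.0 version number, out of the match.

```powershell
# Added example (not part of the 6419A course). Version 5.1 = Windows XP,
# 6.0 = Windows Vista and Windows Server 2008; ProductType = 1 means workstation.
$WqlXpVista = 'SELECT * FROM Win32_OperatingSystem ' +
              'WHERE (Version LIKE "5.1%" OR Version LIKE "6.0%") AND ProductType = 1'

function Test-WmiFilterMatch {
    # $true when the query returns at least one instance, which is exactly the
    # condition under which a GPO carrying this filter applies to the computer.
    # -ComputerName checks a remote machine (assumes remote WMI/DCOM is allowed).
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$ComputerName = '.'
    )
    $result = Get-WmiObject -Namespace 'root\cimv2' -Query $Query `
                            -ComputerName $ComputerName -ErrorAction Stop
    return (($result | Measure-Object).Count -gt 0)
}

function Test-VersionPattern {
    # Same logic evaluated in memory, so the LIKE patterns can be checked against
    # versions that are not present in the lab. WQL uses %, PowerShell -like uses *.
    param([string]$Version, [int]$ProductType)
    $isXp    = $Version -like '5.1*'
    $isVista = $Version -like '6.0*'
    return (($isXp -or $isVista) -and $ProductType -eq 1)
}

# Constructed sample inventory (not real machines) to show which hosts match.
$samples = @(
    @{ Name = 'XP SP3 workstation';    Version = '5.1.2600'; ProductType = 1 },
    @{ Name = 'Vista workstation';     Version = '6.0.6002'; ProductType = 1 },
    @{ Name = 'Server 2008 member';    Version = '6.0.6002'; ProductType = 3 },
    @{ Name = 'Windows 7 workstation'; Version = '6.1.7601'; ProductType = 1 }
)
foreach ($s in $samples) {
    $hit = Test-VersionPattern -Version $s.Version -ProductType $s.ProductType
    '{0,-22} {1,-9} ProductType={2}  filter applies: {3}' -f $s.Name, $s.Version, $s.ProductType, $hit
}

# Live check on the local computer (run on a domain-joined client):
# Test-WmiFilterMatch -Query $WqlXpVista
```

The Windows 7 row is deliberately unmatched: a version-based filter silently stops applying the GPO when newer clients arrive, so such filters need reviewing whenever a new OS is deployed.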

Creating and Configuring Group Policy 6-57

Lab B: Verifying and Managing GPOs

Scenario

The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so that certain policies can be applied to all domain objects. Some policies are considered mandatory. You also want to create policy settings that will apply only to subsets of the domain's objects, and you want to have separate policies for computer settings and user settings. You must delegate GPO administration to administrators within each company location.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.

6-58 Configuring, Managing and Maintaining Windows Server 2008 Servers

Group Policy Requirements
• Domain users will not have access to the Run menu. The policy will apply to all users except users in the IT Admin OU.
• Executives will not have access to the desktop display settings.
• The NYC, Miami and Toronto branch users will not have access to the Control Panel. All branch managers will be exempt from this restriction.
• Users in the administrators group will have the URL for Microsoft support added to their Favorites.
• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.
• Computers running Windows Vista or Windows XP will have additional settings applied to wait for the network at startup.
• Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Verifying GPO Application

In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as the design specifies. Students will log on as specific users, and also use Group Policy Modeling and Resultant Set of Policy (RSoP) to verify that GPOs are being applied correctly.

The main tasks are as follows:
1. Start NYC-CL1.
2. Verify that a Miami branch user is receiving the correct policy.
3. Verify that a Miami Branch Manager is receiving the correct policy.
4. Verify that a user in the IT Admin OU is receiving the correct policy.
5. Verify that a user in the Executive OU is receiving the correct policy.
6. Verify that the username does not appear.
7. Use Group Policy modeling to test kiosk computer settings.

Creating and Configuring Group Policy 6-59

Task 1: Start NYC-CL1
• Log on to NYC-CL1 as WOODGROVEBANK\Anton with the password Pa$$w0rd.

Task 2: Verify that a Miami branch user is receiving the correct policy
1. Ensure that there is no link to Control Panel on the Start menu.
2. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.
3. Log off.

Task 3: Verify that a Miami Branch Manager is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with the password Pa$$w0rd.
2. Ensure that a link to Control Panel appears on the Start menu.
3. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.
4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with the password Pa$$w0rd.
2. Ensure that a link to Control Panel appears on the Start menu.
3. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.
4. Launch Internet Explorer, open the Favorites pane, and then ensure that the link to Tech Support appears.
5. Log off.

6-60 Configuring, Managing and Maintaining Windows Server 2008 Servers

Task 5: Verify that a user in the Executive OU is receiving the correct policy
1. Log on to NYC-CL1 as Chase with the password Pa$$w0rd.
2. Ensure that a link to Control Panel appears on the Start menu.
3. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.
4. Ensure that there is no access to the desktop display settings.
   Hint: When you attempt to access display settings you will receive a message informing you that this has been disabled.
5. Log off.

Task 6: Verify that the last logged on username does not appear
• Verify that the last logged on username does not appear.

Task 7: Use Group Policy modeling to test kiosk computer settings
1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch the GPMC, right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
3. On the User and Computer Selection screen, click Computer and enter Woodgrovebank\NYC-CL1, and then click Next twice.
4. In the WMI Filters for Computers screen, click Next twice.
5. In the Computer Security Groups screen, click Add.
6. In the Select Groups dialog box, type Kiosk Computers, and then click Next three times.
7. Click Finish, and then view the report.

Result: At the end of this exercise, you will have tested and verified GPO application.

Creating and Configuring Group Policy 6-61

Exercise 2: Managing GPOs

In this exercise, you will use the GPMC to back up, restore, and import GPOs.

The main tasks are as follows:
1. Back up an individual policy.
2. Back up all GPOs.
3. Delete and restore an individual GPO.
4. Import a GPO.

Task 1: Back up an individual policy
1. In the GPMC, open the Group Policy Objects folder.
2. Create a folder named C:\GPOBackup.
3. Right-click the Restrict Control Panel policy, and then click Back Up.
4. Browse to C:\GPOBackup.
5. Click Back Up, and then click OK after the backup succeeds.

Task 2: Back up all GPOs
1. Right-click the Group Policy Objects folder and then click Back Up All.
2. Ensure that C:\GPOBackup is the backup location.
3. Click Back Up.

Task 3: Delete and restore an individual GPO
1. Right-click the Admin Favorites policy and then click Delete.
2. Confirm the deletion. Click Yes and then click OK when the deletion succeeds.
3. Right-click the Group Policy Objects folder and then click Manage Backups.
4. Restore the Admin Favorites GPO. Confirm that the Admin Favorites policy appears in the Group Policy Objects folder.

6-62 Configuring, Managing and Maintaining Windows Server 2008 Servers

Task 4: Import a GPO
1. Create a new GPO named Import in the Group Policy Objects folder.
2. Right-click the Import GPO, and then click Import Settings.
3. In the Import Settings Wizard, click Next.
4. On the Backup GPO window, ensure the Backup folder location is C:\GPOBackup, and then click Next.
5. On the Source GPO screen, click Restrict Control Panel, and then click Next.
6. Finish the Import Settings wizard.
7. Click Import GPO, and then click the Settings tab.
8. Ensure that the Restrict Access to Control Panel setting is Enabled.

Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
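The back-up, restore and import steps of this exercise, scripted so they can run on a schedule and be checked afterwards. This is an added example, not course code; it assumes the GroupPolicy PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later; the course itself uses the GPMC GUI) and the lab's GPO names.

```powershell
# Added example (not part of the 6419A course). Assumes the GroupPolicy module.
Import-Module GroupPolicy

# A date-stamped subfolder keeps each run separate, so an earlier good backup is
# never overwritten by a later backup of an already-damaged GPO.
$BackupRoot = 'C:\GPOBackup'
$BackupPath = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Task 2 equivalent: back up every GPO and keep a readable record of the run.
$backups = Backup-GPO -All -Path $BackupPath -Comment 'Scripted full backup'
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $BackupPath 'backup-summary.csv') -NoTypeInformation

# Sanity check: one backup per GPO in the domain, otherwise something was skipped.
$gpoCount = @(Get-GPO -All).Count
if (@($backups).Count -ne $gpoCount) {
    Write-Warning "Backed up $(@($backups).Count) of $gpoCount GPOs; inspect $BackupPath"
}

# Task 3 equivalent: restore from the most recent backup in the folder. A deleted
# GPO comes back with its original GUID, so existing links become valid again.
Restore-GPO -Name 'Admin Favorites' -Path $BackupPath | Out-Null

# Task 4 equivalent: import one GPO's settings into a different GPO.
# -CreateIfNeeded creates "Import" if it is missing. Import-GPO replaces the
# target's settings entirely, so verify the result rather than trusting it.
Import-GPO -BackupGpoName 'Restrict Control Panel' -TargetName 'Import' `
           -Path $BackupPath -CreateIfNeeded | Out-Null

function Test-ImportedControlPanelSetting {
    # $true when the target GPO's XML report contains the Control Panel setting
    # (named "Prohibit access to the Control Panel" or "Prohibit access to
    # Control Panel", depending on the template version).
    param([string]$GpoName = 'Import')
    $report = Get-GPOReport -Name $GpoName -ReportType Xml
    return ($report -match 'Prohibit access to (the )?Control Panel')
}

if (-not (Test-ImportedControlPanelSetting)) {
    Write-Warning 'The expected Control Panel setting is not present in the Import GPO'
}
```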

Creating and Configuring Group Policy 6-63

Exercise 3: Delegating Administrative Control of GPOs

In this exercise, you will delegate administrative control of GPOs based on the enterprise administrator design. Tasks include configuring permissions to create, edit and link GPOs. You will then test the permissions configuration.

The main tasks are as follows:
1. Grant Betsy the right to create GPOs in the domain.
2. Delegate the right to edit the Import GPO to Betsy.
3. Delegate the right to link GPOs to the Executives OU to Betsy.
4. Enable Domain Users to log on to domain controllers.
5. Test the delegation.
6. Close all virtual machines and discard undo disks.

Task 1: Grant Betsy the right to create GPOs in the domain
1. Select the Group Policy Objects folder and then click the Delegation tab.
2. Click Add.
3. In the Select Users dialog box, type Betsy in the Object name field and then click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy
1. In the Group Policy Objects folder, select Import GPO, and then click the Delegation tab.
2. Click Add.
3. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.
4. In the Add Group or User dialog box, select Edit Settings from the dropdown list, and then click OK.

6-64 Configuring, Managing and Maintaining Windows Server 2008 Servers

Task 3: Delegate the right to link GPOs to the Executives OU to Betsy
1. Select the Executives OU, and then click the Delegation tab.
2. Click Add.
3. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.
4. In the Add Group or User dialog box, select This container only, and then click OK.

Task 4: Enable Domain Users to log on to domain controllers

Note: This step is included in the lab to enable you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.

1. On NYC-DC1, start Group Policy Management, and then edit the Default Domain Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights Assignment folder.
3. Double-click Allow log on locally.
4. In the Allow log on locally Properties dialog box, click Add User or Group. Grant the Domain Users group the log on locally right.
5. Open a command prompt, type GPUpdate /force, and then press ENTER.

Task 5: Test the delegation
1. Log on to NYC-CL1 as Betsy.
2. Create a Group Policy Management Console.
3. Right-click the Group Policy Objects folder, and then click New.
4. Create a new policy named Test, and then click OK. This operation will succeed.
5. Right-click Import GPO, and then click Edit. This operation will succeed.

Creating and Configuring Group Policy 6-65

6. Right-click Executives OU, and link the Test GPO to it. This operation will succeed.
7. Right-click the Admin Favorites policy, and attempt to edit it. This operation is not possible.
8. Close the GPMC.

Task 6: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.
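Delegations like the ones made in this exercise accumulate, so it is worth being able to list every GPO on which someone other than the default administrators holds edit rights, and every explicit Deny on Apply Group Policy (the exemption technique used for the branch managers). This is an added example, not course code; it assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 and later), PowerShell 3.0 or later, and an assumed baseline list of expected editors that you should adjust to your domain.

```powershell
# Added example (not part of the 6419A course). Assumes the GroupPolicy module
# and PowerShell 3.0+ ([pscustomobject] syntax).
Import-Module GroupPolicy

# Trustees that hold edit/modify-security rights on every GPO by default
# (assumed baseline; add any group your design intentionally delegates to).
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-GpoDelegationReport {
    # One row per (GPO, trustee) where the trustee holds an edit-level permission;
    # Unexpected = $true flags trustees that are not in the baseline list.
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            if (@('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom') -contains $p.Permission) {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $p.Trustee.Name
                    Level      = $p.Permission
                    Denied     = $p.Denied
                    Unexpected = -not ($ExpectedEditors -contains $p.Trustee.Name)
                }
            }
        }
    }
}

function Get-GpoApplyDenies {
    # Explicit Deny entries on Apply Group Policy. These silently exempt the
    # trustee from the GPO and are easy to lose track of, so list them.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied } |
            ForEach-Object {
                [pscustomobject]@{ Gpo = $gpo.DisplayName; DeniedTo = $_.Trustee.Name }
            }
    }
}

# Task 2 equivalent: delegate edit rights on one GPO to one user. Set-GPPermission
# grants Read, Apply, Edit or EditDeleteModifySecurity; it cannot create Deny
# entries, which the GPMC sets through the Advanced security dialog.
Set-GPPermission -Name 'Import' -TargetName 'Betsy' -TargetType User `
                 -PermissionLevel GpoEdit | Out-Null

Get-GpoDelegationReport | Where-Object { $_.Unexpected } | Format-Table -AutoSize
Get-GpoApplyDenies | Format-Table -AutoSize
```

Run the report before and after a delegation change and diff the two outputs; the Betsy entry on the Import GPO should be the only new row.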

6-66 Configuring, Managing and Maintaining Windows Server 2008 Servers

Module Review and Takeaways

Considerations

Keep the following considerations in mind when creating and configuring Group Policy:
• Create multiple local Group Policy objects when necessary
• Upgrade and replace ADM files or use ADMX and ADML files for better extensibility
• Utilize different methods to control Group Policy: filtering, inheritance, enforcement
• Use the correct Group Policy tools and reporting to enhance Group Policy maintenance

Creating and Configuring Group Policy 6-67

Review Questions
1. You want to force the application of certain Group Policy settings across a slow link. Can you use Group Policy to do this?
2. You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?
3. You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policy settings to other administrators in the enterprise. What is the best approach?
4. You want to control access to removable storage devices on all client workstations through Group Policy. What can you do?


Configure User and Computer Environments By Using Group Policy 7-1

Module 7
Configure User and Computer Environments By Using Group Policy

Contents:
Lesson 1: Configuring Group Policy Settings 7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy 7-13
Lesson 3: Configuring Administrative Templates 7-17
Lab B: Configuring Administrative Templates 7-23
Lesson 4: Deploying Software Using Group Policy 7-28
Lab C: Deploying Software with Group Policy 7-36
Lesson 5: Configuring Group Policy Preferences 7-39
Lab D: Configuring Group Policy Preferences 7-44
Lesson 6: Introduction to Group Policy Troubleshooting 7-48
Lesson 7: Troubleshooting Group Policy Application 7-55
Lesson 8: Troubleshooting Group Policy Settings 7-67
Lab E: Troubleshooting Group Policy Issues 7-71

7-2 Configuring, Managing and Maintaining Windows Server 2008 Servers

Module Overview

This module introduces the job function of configuring the user environment using Group Policy. Specifically, this module provides the skills and knowledge that you need to use Group Policy to configure Folder Redirection, as well as how to use scripts, and how to deploy software using Group Policy. You also will learn how Administrative Templates affect Microsoft® Windows Vista® and Windows Server® 2008.

This module also describes troubleshooting procedures for Group Policy processing clients and computers. These troubleshooting procedures may include incorrect or incomplete policy settings, or lack of policy application to the computer or user. You will learn the knowledge and skills necessary for troubleshooting these issues.

Configure User and Computer Environments By Using Group Policy 7-3

Lesson 1
Configuring Group Policy Settings

Group Policy can deliver many different types of settings. Some settings are simply a matter of "turning them on", while others are more complex to configure. This lesson will describe how to configure the various Group Policy settings.

In addition, Group Policy can be used to deploy software to some or all users in an organization. Using Group Policy to deploy software can reduce the effort required to keep computers up to date with required software.

7-4 Configuring, Managing and Maintaining Windows Server 2008 Servers

Options for Configuring Group Policy Settings

Key Points

For a Group Policy setting to have an effect, you must configure it. Most Group Policy settings have three states. They are:
• Enabled: For example, to prevent access to Control Panel, you would enable the policy setting Prohibit access to the Control Panel.
• Disabled: For example, if you disable the Prohibit access to the Control Panel at the child container level, you specifically are allowing access to Control Panel.
• Not Configured: A Group Policy setting that is set to Not Configured means that the normal default behavior will be enforced, and that particular Group Policy will have no effect on that setting.

Configure User and Computer Environments By Using Group Policy 7-5

You also must configure values for some Group Policy settings. For example, to configure restricted group-membership you need to provide values for the groups and users.

Question: A domain level policy restricts access to the Control Panel. You want the users in the Admin organizational unit (OU) to have access to the Control Panel, but you do not want to block inheritance. How could you accomplish this?

7-6 Configuring, Managing and Maintaining Windows Server 2008 Servers

Demonstration: Configuring Group Policy Settings Using the Group Policy Editor

Key Points
• Create and link a GPO to configure Windows Update settings.
• Log on to client computer and test results.

Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy?

Configure User and Computer Environments By Using Group Policy 7-7

Lesson 2
Configuring Scripts and Folder Redirection Using Group Policy

Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You can also redirect folders that the user's profile includes, from the user's local hard disks to a central server.

7-8 Configuring, Managing and Maintaining Windows Server 2008 Servers

What Are Group Policy Scripts?

Key Points

You can use Group Policy scripts to perform any number of tasks. There may be actions that you need performed every time a computer starts or shuts down, or when users log off or on. For example, you can use scripts to:
• Clean up desktops when users log off and shut down computers.
• Delete the contents of temporary directories.
• Map drives or printers.
• Set environment variables.

For many of these settings, using Group Policy Preferences is a better alternative to configuring them in Microsoft Windows® images or using logon scripts. Group Policy Preferences is covered in more detail later in this module.

Question: You keep logon scripts in a shared folder on the network. How could you ensure that the scripts will always be available to users from all locations?

ISLAMSC. Question: What other method could you use to assign logon scripts to users? WWW.COM .Configure User and Computer Environments By Using Group Policy 7-9 MCT USE ONLY. Log on to client computer and test results. Create and link a GPO to configure a logon script using the script you just created. STUDENT USE PROHIBITED Demonstration: Configuring Scripts with Group Policy Key Points • • • Create a login script that uses the command net use t: \\nyc-dc1\data.

7-10 Configuring, Managing and Maintaining Windows Server 2008 Servers

What Is Folder Redirection?

Key Points

Folder Redirection makes it easier for you to manage and back up data. By redirecting folders, you can ensure user access to data regardless of the computers to which they log on.
• When you redirect folders, you change the folder's storage location from the user's computer local hard disk to a shared folder on a network file server.
• After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard disk.

Question: List some disadvantages of folder redirection.

Configure User and Computer Environments By Using Group Policy 7-11

Folder Redirection Configuration Options

Key Points

There are three available settings for Folder Redirection: none, basic, and advanced.
• Basic folder redirection is for users who must redirect their folders to a common area or users who need their data to be private.
• Advanced redirection allows you to specify different network locations for different Active Directory security groups.

Question: Users in the same department often log on to different computers. They need access to their My Documents folder. They also need the data to be private. What folder redirection setting would you choose?

7-12 Configuring, Managing and Maintaining Windows Server 2008 Servers

Security Settings for Redirected Folders

Key Points

While you must manually create a shared network folder in which to store the redirected folders, Folder Redirection can create the user's redirected folders for you.
• When you use this option, the correct permissions are set automatically.
• If you manually create folders, you must know the correct permissions.

Question: What steps could you take to protect the data while it is in transit between the client and the server?

Configure User and Computer Environments By Using Group Policy 7-13

Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy

Exercise 1: Configure Logon Scripts and Folder Redirection

Scenario

Woodgrove Bank has decided to implement Group Policy to manage user desktops. The organization has already implemented an organizational unit (OU) configuration that includes top-level OUs grouped by location, with additional OUs within each location for different departments.

You have been tasked to create a script that will map a network drive to the shared folder named Data on NYC-DC1. The script needs to be stored in a highly available location. Then you will use Group Policy to assign the script to all users in Toronto, Miami, and NYC OUs.

You also will set permissions to share and secure a folder on NYC-DC1. The Documents folder for all members of the Executive OU will be redirected there.

7-14 Configuring, Managing and Maintaining Windows Server 2008 Servers

The main tasks for this exercise are:
1. Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator.
2. Review the logon script to map a network drive.
3. Configure and link the Logon Script GPO.
4. Share and secure a folder for the Executives group.
5. Redirect the Documents folder for the Executives group.
6. Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony.
7. Observe the applied settings while logged on as a user in the Executives OU.

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator
• Start NYC-DC1, and then log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

Task 2: Review the logon script to map a network drive
1. On NYC-DC1, browse to E:\Mod07\LabFiles\Scripts.
2. Review the Map.bat script, and then copy it to the clipboard.

Task 3: Configure and link the Logon Script GPO
1. Open Group Policy Management, and then create a new GPO named Logon Script, linked to the WoodgroveBank.com domain.
2. Configure the Logon Script GPO with the following settings:
  • Under User Configuration, Policies, Windows Settings, Scripts (Logon/Logoff), double-click Logon.
  • Paste the Map.bat logon script from the clipboard.

Configure User and Computer Environments By Using Group Policy 7-15

Task 4: Share and secure a folder for the Executives group
1. In Windows Explorer, browse to E:\Mod07\Labfiles.
2. Share the ExecData folder and set the following permissions:
  • Remove the Everyone group.
  • Add the Executives_WoodgroveGG group with full control.
  • On the Security tab, click Advanced.
  • Remove all users and groups except for CREATOR OWNER and SYSTEM.
  • Add the Executives_WoodgroveGG group and apply the settings to this folder only.
  • For Executives_WoodgroveGG, allow the List folder / read data and Create folders / append data permissions.

Task 5: Redirect the Documents folder for the Executives group
1. In the Group Policy Management window, create a new GPO named Executive Redirection, linked to the Executives OU.
2. Configure the Executives GPO with the following settings:
  • Under User Configuration, Policies, Windows Settings, Folder Redirection, modify Documents.
  • Select the Basic - Redirect everyone's folder to the same location option.
  • In the Root Path field, type \\NYC-DC1\ExecData.
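The permission set in Task 4 is the least-privilege root for a redirected folder: the group can list the root and create a subfolder, CREATOR OWNER gives each user full control of only the subfolder created for them, and nobody else can open another user's folder. The script below builds that ACL instead of using the Security tab; it is an added example, not course code, and assumes the lab's path and group name and a domain NetBIOS name of WOODGROVEBANK. The share is created with net share because New-SmbShare does not exist before Windows Server 2012.

```powershell
# Added example (not part of the 6419A course). Assumes the lab's folder path,
# share name and group; run on the file server as an administrator.
$Root  = 'E:\Mod07\Labfiles\ExecData'
$Group = 'WOODGROVEBANK\Executives_WoodgroveGG'
$Share = 'ExecData'

function Set-RedirectionRootAcl {
    # Applies the redirected-folder root permissions and returns the resulting
    # access entries so they can be reviewed.
    param([string]$Path, [string]$GroupName)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent and discard the inherited entries, then
    # drop any remaining explicit entries ("remove all users and groups except
    # CREATOR OWNER and SYSTEM"; both are re-added explicitly below).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $ci    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # SYSTEM: Full Control on this folder, subfolders and files.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', $full, $ci, 'None', $allow)))

    # CREATOR OWNER: Full Control on subfolders and files only (InheritOnly), so
    # the user who creates a subfolder owns it and nothing else in the root.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', $full, $ci, 'InheritOnly', $allow)))

    # The group: List folder/Read data + Create folders/Append data, this folder
    # only (InheritanceFlags None). Synchronize is included because Windows needs
    # it to open the directory handle; the GUI adds it silently.
    $groupRights = [System.Security.AccessControl.FileSystemRights]'ReadData, AppendData, Synchronize'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GroupName, $groupRights, 'None', 'None', $allow)))

    Set-Acl -Path $Path -AclObject $acl
    return (Get-Acl -Path $Path).Access
}

Set-RedirectionRootAcl -Path $Root -GroupName $Group |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Share permissions: only the group, Full Control (no Everyone entry). Effective
# access is the more restrictive of the share and NTFS permissions, so the NTFS
# entries above are what actually keep users out of each other's folders.
net share "$Share=$Root" "/GRANT:$Group,FULL"
```

After a test user logs on, Get-Acl on \\NYC-DC1\ExecData\<user> should show that user with Full Control and no entry for the group, which confirms the CREATOR OWNER inheritance worked.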

7-16 Configuring, Managing and Maintaining Windows Server 2008 Servers

Task 6: Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony
• Start NYC-CL1, and then log on as WOODGROVEBANK\Tony using the password Pa$$w0rd.

Task 7: Observe the applied settings while logged on as a user in the Executives OU
1. Verify that the J: drive is mapped to the Data share on NYC-DC1.
2. In Documents Properties, verify the location is \\NYC-DC1\ExecData\Tony.

Result: At the end of this exercise, you will have configured logon scripts and folder redirection.

Configure User and Computer Environments By Using Group Policy 7-17

Lesson 3
Configuring Administrative Templates

The Administrative Template files provide the majority of available policy settings, which are designed to modify specific registry keys. This is known as registry-based policy. For many applications, the use of registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.

7-18 Configuring, Managing and Maintaining Windows Server 2008 Servers

What Are Administrative Templates?

Key Points

Administrative Templates allow you to control the environment of the operating system and user experience.
• Administrative Templates are the primary means of configuring the client computer's registry settings through Group Policy.
• Administrative Templates are a repository of registry-based changes. By using the administrative template sections of the GPO, you can deploy hundreds of modifications to the computer (the HKEY_LOCAL_MACHINE hive in the registry) and user (the HKEY_CURRENT_USER hive in the registry) portions of the Registry.
• There are two sets of Administrative Templates: one for users, and one for computers.

Question: What sections of the Administrative Templates will you find most useful in your environment?

Configure User and Computer Environments By Using Group Policy 7-19

Demonstration: Configuring Administrative Templates

Key Points
• On NYC-DC1, edit the Demo GPO.
• Under Computer Configuration, under Internet Explorer, disable the ability to delete browsing history.
• Under User Configuration, hide the Screen Saver tab.
• On NYC-CL1, log on as WOODGROVEBANK\Administrator and then review the settings.

Question: You need to ensure that Windows Messenger is never allowed to run on a particular computer. How could you use Administrative Templates to implement this?

Modifying Administrative Templates

Key Points

Because ADMX files are XML based, you can use any text editor to edit or create new ADMX files.

• There are programs that are XML-aware (such as Microsoft Visual Studio) that administrators or developers can use to create or modify ADMX files.
• Once you have a valid ADMX file, you need only to place it in the PolicyDefinitions folder, or in the Central Store, if one exists.

Tip: Leave the default ADMX files untouched, and create your own customized versions for custom settings.

Demonstration: Adding Custom Administrative Templates

Key Points

• Add a custom ADM file.
• Copy sample ADMX files to the central store.
• Review custom ADMX files.

Question: Can you still use custom ADM files to deliver Group Policy settings in Windows Server 2008?

Question: What are two differences between ADM and ADMX files?
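As an added example (not part of the course or of Microsoft's own templates), the following PowerShell script creates the Central Store described in the previous topic and publishes a hand-authored ADMX/ADML pair to it, checking first that both files parse and that every string the ADMX references is defined in the ADML. The domain name is taken from the labs; the policy name, category, registry key and value name are constructed for this example.

```powershell
# Added example, not from the course: build a Central Store and publish a
# custom ADMX/ADML pair to it. Run on a domain controller or a domain-joined
# admin workstation with write access to SYSVOL.
param(
    [string]$Domain    = 'WoodgroveBank.com',                  # from the labs
    [string]$LocalAdmx = "$env:SystemRoot\PolicyDefinitions"   # default ADMX set
)

# GPMC reads ADMX files from the Central Store (under SYSVOL) once it exists,
# instead of from each admin computer's local PolicyDefinitions folder.
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path -Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
    # Seed it with copies of the default files; the originals stay untouched.
    Copy-Item -Path "$LocalAdmx\*" -Destination $centralStore -Recurse
}

# Custom ADMX (constructed): one User policy writing a DWORD under a Policies
# key. Values under Software\Policies are true policy: they are removed when
# the GPO stops applying, unlike preference-style values written elsewhere.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="woodgrove" namespace="WoodgroveBank.Policies.Custom" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="WoodgroveCustom" displayName="$(string.WoodgroveCustom)" />
  </categories>
  <policies>
    <policy name="DisableCustomTool" class="User"
            displayName="$(string.DisableCustomTool)"
            explainText="$(string.DisableCustomTool_Help)"
            key="Software\Policies\WoodgroveBank\Custom"
            valueName="DisableCustomTool">
      <parentCategory ref="WoodgroveCustom" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Matching ADML (constructed): the display strings the ADMX refers to.
$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>Woodgrove Bank custom settings</displayName>
  <description>Example custom template</description>
  <resources>
    <stringTable>
      <string id="WoodgroveCustom">Woodgrove Bank</string>
      <string id="DisableCustomTool">Disable the custom reporting tool</string>
      <string id="DisableCustomTool_Help">When enabled, sets DisableCustomTool=1 under HKCU\Software\Policies\WoodgroveBank\Custom.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Validate before publishing: a malformed file in the store breaks template
# loading for every GPO editing session, not just this policy.
[xml]$admxXml = $admx
[xml]$admlXml = $adml
$refs    = [regex]::Matches($admx, '\$\(string\.(\w+)\)') |
           ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
$defined = $admlXml.policyDefinitionResources.resources.stringTable.string |
           ForEach-Object { $_.id }
$missing = $refs | Where-Object { $defined -notcontains $_ }
if ($missing) { throw "ADML is missing string ids: $($missing -join ', ')" }

# ADMX goes in the store root; the ADML goes in a language subfolder.
$admxPath = Join-Path $centralStore 'WoodgroveCustom.admx'
$admlPath = Join-Path (Join-Path $centralStore 'en-US') 'WoodgroveCustom.adml'
New-Item -ItemType Directory -Path (Split-Path $admlPath) -Force | Out-Null
Set-Content -Path $admxPath -Value $admx -Encoding UTF8
Set-Content -Path $admlPath -Value $adml -Encoding UTF8
Write-Host "Published $admxPath and $admlPath"
```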

Discussion: Options for Using Administrative Templates

Key Points

You should consider creating a policy setting for the following purposes:

• To help administrators manage and increase security of their desktop computers.
• To hide or disable a user interface that can lead users into a situation in which they must call the helpdesk for support.
• To hide or disable new behavior that might confuse users. A policy setting created for this purpose allows administrators to manage the introduction of new features until after user training has taken place.
• To hide settings and options that might take up too much of users' time.

Lab B: Configuring Administrative Templates

Exercise 1: Configure Administrative Templates

Scenario

You have been asked to configure several Group Policy settings to control the user environment and make the desktop more secure. You'll also modify the Default Domain Policy to allow remote administration through the firewall, allowing you to run Group Policy Results queries against target computers in the domain.

The main tasks for this exercise are:

1. Modify the Default Domain Policy to allow remote administration through the firewall for all domain computers.
2. Create and assign a GPO to prevent the installation of removable devices.
3. Create and assign a GPO to encrypt offline files for executive computers.
4. Create and assign a domain-level GPO for all domain users.
5. Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users.

Task 1: Modify the Default Domain Policy to allow remote administration through the firewall for all domain computers

• On NYC-DC1, in the Group Policy Management window, configure the Default Domain Policy GPO with the following settings:
  • Under Computer Configuration, Policies, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile, enable Windows Firewall: Allow inbound remote administration exception. This allows the Group Policy Results Wizard to query target computers.
  • Under Computer Configuration, Policies, Administrative Templates, System, Group Policy, enable Group Policy slow link detection and assign a Connection speed value of 800 Kbps.
• Result: At the end of this task, you will have enabled remote administration through the firewall.

Task 2: Create and assign a GPO to prevent the installation of removable devices

1. In the Group Policy Management window, create a new GPO named Prevent Removable Devices, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Prevent Removable Devices GPO with the following settings:
  • Under Computer Configuration, Policies, Administrative Templates, System, Device Installation, Device Installation Restrictions, enable Prevent installation of removable devices.

Task 3: Create and assign a GPO to encrypt offline files for executive computers

1. In the Group Policy Management window, create a new GPO named Encrypt Offline Files, linked to the Executives OU.
2. Configure the Encrypt Offline Files GPO with the following settings:
  • Under Computer Configuration, Policies, Administrative Templates, Network, Offline Files, enable Encrypt the Offline Files cache.

Task 4: Create and assign a domain-level GPO for all domain users

1. In the Group Policy Management window, create a new GPO named All Users Policy, linked to the WoodgroveBank.com domain.
2. Configure the All Users Policy GPO with the following settings:
  • Under User Configuration, Policies, Administrative Templates, System, enable Prevent access to registry editing tools.
  • Under Start Menu and Taskbar, enable Remove Clock from the system notification area.

Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users

1. In the Group Policy Management window, create a new GPO named Branch Users Policy, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Branch Users Policy GPO with the following settings:
  • Under User Configuration, Policies, Administrative Templates, System, User Profiles, enable Limit profile size and assign a Max Profile size of 1000000 KB.
  • Under Windows Components, Windows Sidebar, enable Turn off Windows Sidebar.

Exercise 2: Verify GPO Application

The main tasks for this exercise are:

1. Verify that the settings for Executives have been applied.
2. Log on as a user in a Branch Office and observe the applied settings.
3. Use the Group Policy Results Wizard to review Group Policy application for a target user and computer.

Note: Some user settings can only be applied during logon or may not apply due to cached credentials. If the user is already logged on when these settings are detected, they will not be applied until the next time the user is logged on.

Task 1: Verify that the settings for Executives have been applied

1. On NYC-CL1, log on as WOODGROVEBANK\Roya.
2. In the notification area, verify that the clock is not displayed.
3. In the Taskbar Properties, on the Notification Area tab, verify that you do not have the option to display the clock.
4. Verify that the Windows Sidebar is not displayed.
5. Verify that you do not have access to registry editing tools.
6. In Documents Properties, verify the location is C:\Users\Roya.
7. Log off NYC-CL1.

Task 2: Log on as a user in a Branch Office and observe the applied settings

1. On NYC-CL1, log on as WOODGROVEBANK\Tony.
2. Verify that the preferences have been applied. These include roaming user profile path, Folder Redirection path, and Software Installation settings.
3. In the notification area, verify that the clock is not displayed.
4. Verify that the Windows Sidebar is not displayed.
5. In the notification area, double-click the Available profile space icon and review the information.
6. Verify that you do not have access to registry editing tools.
7. Verify that the J: drive is mapped to the Data share on NYC-DC1.
8. Log off NYC-CL1.

Task 3: Use the Group Policy Results Wizard to review Group Policy application for a target user and computer

1. On NYC-DC1, in the Group Policy Management window, run the Group Policy Results Wizard against NYC-CL1 for the user Tony.
2. Review the list of applied computer and user GPOs.

Question: Which GPOs were applied to the computer?

Question: Which GPOs were applied to the user?

3. On the Settings tab, under Computer Configuration, click Administrative Templates, and then expand each of the settings.

Question: What settings were delivered to the computer?

4. Under User Configuration, expand each of the settings.

Question: What settings were delivered to the user?

Result: At the end of this exercise, you will have configured several Administrative Templates policy settings for various OUs in the organization and then verified successful GPO application.
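Because every Administrative Templates setting is registry-based policy, the settings from Exercise 1 can be verified on a client directly in the registry instead of through the GUI steps above; the following PowerShell script is an added example, not from the course, and uses the standard registry key and value that each of these policy settings writes. Which entries are present on a given client depends on the OU its computer and user belong to, so each row names the GPO the setting comes from.

```powershell
# Added example, not from the course: confirm on a client (for example NYC-CL1)
# that the Lab B policy settings reached the registry. Run gpupdate /force
# first, then run this in the session of the user being checked; the HKLM
# entries are readable without elevation.
$expected = @(
    @{ GPO='Default Domain Policy (domain)'
       Setting='Windows Firewall: Allow inbound remote administration exception'
       Key='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
       Name='Enabled'; Accept=@(1) }
    @{ GPO='Default Domain Policy (domain)'
       Setting='Group Policy slow link detection, 800 Kbps'
       Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name='GroupPolicyMinTransferRate'; Accept=@(800) }
    @{ GPO='Prevent Removable Devices (Miami, NYC, Toronto OUs)'
       Setting='Prevent installation of removable devices'
       Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
       Name='DenyRemovableDevices'; Accept=@(1) }
    @{ GPO='Encrypt Offline Files (Executives OU)'
       Setting='Encrypt the Offline Files cache'
       Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
       Name='EncryptCache'; Accept=@(1) }
    @{ GPO='All Users Policy (domain)'
       Setting='Prevent access to registry editing tools'
       Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name='DisableRegistryTools'; Accept=@(1, 2) }   # 2 = silent regedit still allowed
    @{ GPO='All Users Policy (domain)'
       Setting='Remove Clock from the system notification area'
       Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name='HideClock'; Accept=@(1) }
    @{ GPO='Branch Users Policy (Miami, NYC, Toronto OUs)'
       Setting='Turn off Windows Sidebar'
       Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
       Name='TurnOffSidebar'; Accept=@(1) }
)

# Distinguish "policy key never written" from "value absent" from "wrong value":
# the first usually means the GPO did not apply at all, the last that another
# GPO or a manual change won the conflict.
function Test-PolicySetting {
    param([hashtable]$Item)
    $state  = 'Key missing'
    $actual = $null
    if (Test-Path -Path $Item.Key) {
        $props = Get-ItemProperty -Path $Item.Key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $Item.Name)) {
            $actual = $props.($Item.Name)
            if ($Item.Accept -contains $actual) { $state = 'Applied' }
            else                                { $state = 'Unexpected value' }
        } else {
            $state = 'Value missing'
        }
    }
    New-Object PSObject -Property @{
        State = $state; Actual = $actual; Setting = $Item.Setting; GPO = $Item.GPO
    }
}

$expected | ForEach-Object { Test-PolicySetting -Item $_ } |
    Format-Table State, Actual, Setting, GPO -AutoSize
```

A row reported as Key missing is expected when the computer or user is outside the OU the named GPO is linked to; a Key missing row for a domain-linked GPO is the case worth investigating.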

Lesson 4
Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and Maintenance that AD DS, Group Policy, and the Microsoft Windows® Installer service use to install, maintain, and remove software on your organization's computers.

Options for Deploying and Managing Software Using Group Policy

Key Points

The software life cycle consists of four phases: preparation, deployment, maintenance, and removal.

• By applying Group Policy settings to software, you can manage the various phases of software deployment without deploying software on each computer individually.
• You can apply Group Policy settings to users or computers in a site, domain, or an organizational unit to automatically install, upgrade, or remove software.

Question: What types of applications would you deploy via Group Policy in your environment?

How Software Distribution Works

Key Points

To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process.

Question: What are some disadvantages of deploying software through Group Policy?

Options for Installing Software

Key Points

There are two deployment types available for delivering software to clients. Administrators can either install software for users or computers in advance, or give users the option to install the software when they require it.

• When you assign software to a user, the user's Start menu advertises the software when the user logs on. Installation does not begin until the user double-clicks the application's icon or a file that is associated with the application.
• When you assign an application to a computer, the application is installed the next time the computer starts. The application will be available to all users of the computer.
• Users do not share deployed applications, meaning an application you install for one user through Group Policy will not be available to that computer's other users. All users need their own instance of the application.
• The Control Panel's Programs applet advertises a published program to the user, who can install the application by using the Programs applet, or you can set it up so the application is installed by document activation.
• Applications that users do not have permission to install are not advertised to them.
• Applications cannot be published to computers.

Question: What is an advantage of publishing an application over assigning it?

Options for Modifying the Software Distribution

Key Points

Software Installation in Group Policy includes options for configuring deployed software.

• You can create software categories to arrange different applications under specific headings. You use software categories to organize published software into logical groups so that users can locate applications easily in the Programs and Features applet in Control Panel. There are no predefined software categories.
• To determine which software users install when they double-click a file, you can choose a file name extension and configure a priority for installing applications that are associated with it.
• You can use software modifications, or .MST files (also called transform files), to deploy several configurations of one application.

Maintaining Software Using Group Policy

Key Points

Occasionally a software package will need to be upgraded to a newer version.

• The Upgrades tab allows you to upgrade a package using the GPO.
• You may redeploy a package if the original Windows Installer file has been modified.
• You can remove software packages if they were delivered originally using Group Policy. Removal can be mandatory or optional.

Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?

Discussion: Evaluating the Use of Group Policy to Deploy Software

Lab C: Deploying Software with Group Policy

Exercise 1: Deploy a Software Package with Group Policy

Scenario

Not all computers have Microsoft Office installed, but even those users may need to be able to open and view a document such as a PowerPoint presentation. You need to deploy the Microsoft Office PowerPoint viewer application to all computers in the WoodgroveBank.com domain.

The main tasks for this exercise are:

1. Copy a software package to the Data share.
2. Configure and review the software deployment GPO.

Task 1: Copy a software package to the Data share

• On NYC-DC1, browse to E:\Mod07\LabFiles and copy and paste PPVIEWER.MSI to the Data folder.

Task 2: Configure and review the software deployment GPO

1. On NYC-DC1, in the Group Policy Management window, create a new GPO named Software Deployment, linked to the WoodgroveBank.com domain.
2. Configure the Software Deployment GPO with the following settings:
  • Under Computer Configuration, Policies, Software Settings, right-click Software installation, point to New, and then click Package, and type \\NYC-DC1\Data\ppviewer.msi.
  • Choose the Assign option.
3. Open the Microsoft Office PowerPoint Viewer 2003 package properties and review the options on the following tabs:
  • General
  • Deployment
  • Upgrades
  • Categories
  • Modifications
  • Security

Exercise 2: Verify Software Installation

The main task for this exercise is:

1. Verify that the software package has been installed.

Task 1: Verify that the software package has been installed

1. On NYC-CL1, log on as WOODGROVEBANK\Administrator.
2. From a Command Prompt window, type GPUpdate /force and then restart the computer when prompted.
3. When the computer restarts, log on as WOODGROVEBANK\Administrator.
4. In the Control Panel window, click Uninstall a program.
5. Notice that the Microsoft Office PowerPoint Viewer 2003 program has been successfully installed.
6. Uninstall Microsoft Office PowerPoint Viewer 2003.
7. When the process completes, press F5 and notice that even though you can uninstall the program, it comes back because the program is assigned through Group Policy.

Result: At the end of this exercise, you will have successfully deployed an assigned software package using Group Policy.

Lesson 5
Configuring Group Policy Preferences

Many common settings that affect the user and computer environment could not be delivered through Group Policy, for example, mapped drives. These settings were usually delivered through logon scripts or imaging solutions. Windows Server 2008 includes the new Group Policy preferences built in to the Group Policy Management Console (GPMC). This allows many common settings to be delivered through Group Policy. Additionally, administrators can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows Vista Service Pack 1 (SP1).

What Are Group Policy Preferences?

Key Points

Group Policy preference extensions are more than twenty Group Policy extensions that expand the range of configurable settings within a GPO.

• The main difference between policy settings and preference settings is that preference settings are not enforced, but policy settings prevent users from changing them.
• The end user can change any preference setting that is applied through Group Policy.

Difference Between Group Policy Settings and Preferences

Key Points

The key difference between preferences and Group Policy settings is enforcement.

• In some cases, the same setting can be configured through a policy setting as well as a preference item.
• Policy settings have a higher priority than preference settings.
• If both settings are configured and applied to the same object, the value of the policy setting always applies.

Group Policy Preferences Features

Key Points

Most Group Policy preference extensions support the following actions for each preference item:

• Create: Create a new item on the targeted computer.
• Replace: Delete and recreate an item on the targeted computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.
• Update: Modify an existing item on the targeted computer.
• Delete: Remove an existing item from the targeted computer.

Deploying Group Policy Preferences

Key Points

Group Policy preferences do not require you to install any services on servers.

• Windows Server 2008 includes Group Policy preferences by default as part of the Group Policy Management Console (GPMC).
• Administrators can configure and deploy Group Policy preferences in a Windows Server 2003 environment by installing the RSAT on a computer running Windows Vista with SP1.
• On Windows XP and Windows Vista client computers, Group Policy Client Side Extensions must be downloaded and installed.
• Client Side Extensions are available through Windows Update.

Lab D: Configuring Group Policy Preferences

Exercise 1: Configure Group Policy Preferences

Scenario

In an effort to simplify Group Policy management, you have been asked to deploy several Group Policy Preferences settings that will allow for more flexibility for corporate users, including eliminating the need for logon scripts to map drives.

The main tasks for this exercise are:

1. Add a shortcut to Notepad on the desktop of NYC-DC1.
2. Create a new folder named Reports on the C: drive of all computers running Windows Server 2008.
3. Configure drive mapping.
4. Remove old Logon Script GPO.

Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1

1. On NYC-DC1, in the Group Policy Management window, configure the Default Domain Policy GPO with the following settings:
  • Under Computer Configuration, Preferences, Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.
  • In the New Shortcut Properties dialog box, create a shortcut for Notepad.exe in the All Users Desktop location.
  • On the Common tab, configure item-level targeting for the computer NYC-DC1.
2. Leave the Group Policy Management Editor window open for the next task.

Task 2: Create a new folder named Reports on the C: drive of all computers running Windows Server 2008

1. In the Group Policy Management Editor window, under Windows Settings, right-click Folders, point to New, and then click Folder.
2. In the New Folder Properties dialog box, create the C:\Reports folder.
3. On the Common tab, configure item-level targeting for the Windows Server 2008 operating system.
4. Leave the Group Policy Management Editor window open for the next task.

Task 3: Configure drive mapping

1. In the Group Policy Management Editor window, under User Configuration, Preferences, Windows Settings, right-click Drive Maps, point to New, and then click Mapped Drive.
2. Create a new mapped drive labeled Data for \\NYC-DC1\Data, using the drive letter P, and select the Reconnect option.

Task 4: Remove old Logon Script GPO

• In the Group Policy Management window, delete the Logon Script link for the WoodgroveBank.com domain.

Note: You aren't actually deleting the GPO, just the link to it in the domain.

Exercise 2: Verify Group Policy Preferences Application

The main tasks for this exercise are:

1. Verify that the preferences have been applied.
2. Close all virtual machines and discard undo disks.

Task 1: Verify that the preferences have been applied

1. On NYC-DC1, log off, and then log back on as WOODGROVEBANK\Administrator.
2. Verify that the C:\Reports folder exists.

Note: It may take a few moments for this folder to appear.

3. Verify that the P: drive is mapped to the Data share on NYC-DC1.

Note: To apply Group Policy preferences to Windows Vista computers, you must download and install Group Policy Preference Client Side Extensions for Windows Vista (KB943729).

Task 2: Close all virtual machines and discard undo disks

1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close dialog box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise, you will have configured and tested Group Policy Preferences and verified their application.

Lesson 6
Introduction to Group Policy Troubleshooting

Group Policy can be complex to deploy and manage, and sometimes a setting can cause unintended consequences for users or computers. This lesson provides details about Group Policy processing and common problem areas, and describes some of the troubleshooting tools available.

Scenarios for Group Policy Troubleshooting

Key Points

Group Policy processing has two distinct phases:

• Core Group Policy processing. When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any Group Policy objects (GPOs) have changed, and what policy settings (based on client-side extension) must be processed. The core Group Policy engine performs the processing of this in the initial phase.
• Client side extension (CSE) processing. Policy settings are grouped into different categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs that are required to process the settings that apply to the client.

Preparing to Troubleshoot Group Policy

Key Points

Group Policy issues may be a symptom of unrelated issues, such as network connectivity, authentication problems, domain controller availability, or Domain Name Service (DNS) configuration errors. You should begin the troubleshooting process by determining the scope of the issue. For example, is the issue widespread, or affecting a single client only? If the issue affects a single client, you should check for physical issues, like incorrect configurations, or hardware or operating system failures. These issues are usually easy to diagnose.

Once you eliminate these causes, your first real troubleshooting step is to check Event Viewer entries, Windows logs, and application and service logs, which can provide valuable information about the root cause of issues. Log entries often direct you to the area in which to begin your investigation. Once you narrow down your problem area, you can use other diagnostic tools to pursue the issue.

Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address issued to a client computer?

Tools for Troubleshooting Group Policy

Key Points

There are a number of diagnostic tools and logs that you can use to verify whether you can trace a problem to core Group Policy:

• Group Policy reporting – RSoP: used to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.
• GPResult: used to display the Resultant Set of Policy (RSoP) information for a remote user and computer.
• Gpupdate: used to refresh local and Active Directory-based Group Policy settings, including security settings.
• Gpotool: used to traverse all of your domain controllers and check for consistency between the Group Policy container (that is, information contained in the directory service) and the Group Policy template (that is, information contained in the SYSVOL share on the domain controller).
• Dcgpofix: used to recreate the two default Windows Server GPOs and creates security settings based on the operations that are performed during Dcpromo.
• GPOLogView: used to export Group Policy event data from the system and operational log into a text, HTML, or XML file.
• Group Policy Management Scripts: used to demonstrate the scripting functionality of the Group Policy Management Console.
• Group Policy log files: used to obtain information about Group Policy events. Log files can be generated on both the client and the server to provide detailed information.

Group Policy Logging

If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files.

Question: What diagnostic tool will quickly display the current Group Policy slow link threshold?

Demonstration: Using Group Policy Diagnostic Tools

Key Points

• Run GPResult in regular and verbose mode.
• Run GPUpdate and review the command line parameters.
• Review the GPOTool included with the Windows Server 2008 Resource Kit.
• Review the GPLogView tool available as a free download from Microsoft.
• Run GPLogView in monitor mode.

Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer?

Lesson 7
Troubleshooting Group Policy Application

When troubleshooting Group Policy issues, you need a firm understanding of the interactions between Group Policy and its supporting technologies, and the ways in which you manage, deploy, and apply Group Policy objects.

How Client Side Extension Processing Works

Key Points

CSEs are dynamic-link libraries (DLLs) that perform the actual processing of Group Policy settings.

• Policy settings are grouped into different categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation.
• Each category's settings require a specific CSE to process them, and each CSE has its own rules for processing settings.
• The core Group Policy process calls the appropriate CSEs to process those settings.
• Some CSEs behave differently under different circumstances. For example, a number of CSEs do not process if a slow link is detected.
• Security settings and Administrative Templates are always applied, and you cannot turn them off.
• You can control the behavior of other CSEs across slow links.
• As Group Policy is processed, the Winlogon process passes the list of GPOs that must be processed to each Group Policy client-side extension.

Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?

Troubleshooting Group Policy Inheritance

Key Points

The following four settings can be used to alter the default inheritance of GPO processing:

• Block policy inheritance
• GPO enforcement
• GPO filtering of the access control list (ACL)
• Windows Management Instrumentation (WMI) Filters

If none of the users or computers in an OU or entire subtree of OUs are receiving policies that were linked to higher levels, it may be due to inheritance blocking. The GPMC interface provides a visual indicator of a blue exclamation mark when inheritance is blocked. Group Policy results reporting (RSoP) lists the GPOs that are being applied, and the GPOs that are being blocked.

You can run the Gpresult command from the target computer to get an idea about whether any of these settings are prohibiting the policies from applying. If inheritance is blocked incorrectly, removing the setting returns Group Policy processing to normal.

Question: Are there scenarios in your organization that would benefit from blocking inheritance?

Any Windows Management Instrumentation (WMI) filters on the GPO. they will not receive policies that other users in the same OU receive. or computers have filtering applied. open Group Policy Objects node. groups. user or computer you want to review. Managing and Maintaining Windows Server 2008 Servers MCT USE ONLY. Select the security group.ISLAMSC. The Security Filtering and WMI Filtering panels show the current filtering configuration. select the GPO you are troubleshooting. select the Delegation tab and then click Advanced. • • WWW.7-60 Configuring. Group Policy filtering may appear to look like inconsistent application of policies in an OU. and then in the right pane select the Scope tab. To check filtering on a GPO. If some users. groups and computers. In GPMC.COM . To see the exact set of permissions for users. Group Policy object (GPO) filtering is based on two factors: • • • The security filtering on the GPO. STUDENT USE PROHIBITED Troubleshooting Group Policy Filtering Key Points Group Policy filtering determines which users and computers will receive the GPO’s settings.

• If the policy object should be applied to the security group, user, or computer, the minimum permissions should be set to allow Read and Apply Group Policy.
• If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If there is a link to a non-existent WMI filter, the GPO with that link will not be processed until the link is removed or the filter is restored.

Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions:
• Authenticated Users are denied the Apply Group Policy permission.
• The Managers group has been granted Read and Apply Group Policy permission.
None of the managers are receiving the GPO settings. What is the problem?
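The following function is an added example, not code from the course. It audits the security filtering of one GPO with Get-GPPermission from the GroupPolicy module (Windows Server 2008 R2 / RSAT or later, PowerShell 3.0 or later assumed): it lists every trustee that holds an explicit Deny of Apply Group Policy, checks that the group you intend to target has at least Read and Apply Group Policy (the module calls that level GpoApply), and prints the WMI filter name Get-GPO reports so a filter link can be compared with the Scope tab. The GPO and group names are placeholders.

```powershell
# Added example: audit a GPO's security filtering and WMI filter link.
# Assumes the GroupPolicy module; the GPO name and intended group are placeholders.
Import-Module GroupPolicy

function Test-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$IntendedGroup
    )
    $gpo = Get-GPO -Name $GpoName
    $acl = Get-GPPermission -Name $GpoName -All

    # An explicit Deny of Apply Group Policy overrides any Allow for the same account,
    # and a deny placed on a broad group also covers every member of the intended group.
    $denies = $acl | Where-Object { $_.Denied -and ('GpoApply' -eq $_.Permission) }

    # GpoApply (Read + Apply), GpoEdit and GpoEditDeleteModifySecurity all include Apply.
    $applyLevels = 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $intended = $acl | Where-Object {
        $_.Trustee.Name -eq $IntendedGroup -and -not $_.Denied -and
        ($applyLevels -contains $_.Permission)
    }

    $verdict = if ($denies) { 'Deny entries present: remove them, then re-test with gpresult' }
               elseif (-not $intended) { "$IntendedGroup lacks Read + Apply Group Policy" }
               else { 'Filtering looks consistent' }

    [pscustomobject]@{
        Gpo              = $gpo.DisplayName
        WmiFilter        = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        IntendedHasApply = [bool]$intended
        DenyApplyOn      = ($denies | ForEach-Object { $_.Trustee.Name }) -join '; '
        Verdict          = $verdict
    }
}

# Placeholder names: replace with the GPO under investigation and the group it should reach.
Test-GpoSecurityFiltering -GpoName 'Lab 7B' -IntendedGroup 'Managers' | Format-List
```

The DenyApplyOn column is the one to read first: a deny on Authenticated Users, Domain Users or a similar umbrella group explains a GPO that reaches nobody even though the intended group has Read and Apply. The usual correction is to remove Authenticated Users from the filtering list (so it simply has no Apply permission) rather than deny it, and to confirm the result with Gpresult on an affected client.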

Troubleshooting Group Policy Replication

Key Points
In a domain that contains more than one domain controller, Group Policy information takes time to propagate, or replicate, from one domain controller to another. Once you determine that replication is the issue, you must determine whether the problem is with the FRS or with AD DS replication.
• Replication issues are most noticeable in remote sites with slow connections, where there is long replication latency.
• The GPOTool can check for consistency of policies across all domain controllers and report general replication information. Another tool is Repadmin, which can provide information about Group Policy synchronization status.
• A simple test for SYSVOL replication is to put a small test file into the SYSVOL directory and see if it replicates to other domain controllers.

• Likewise, a simple way to test AD DS replication is to create a test object, such as an OU, and see if it replicates to other domain controllers.
• In many cases, just waiting for normal replication cycles to complete resolves the problem.

Question: What tool can be used to force replication across all domain controllers in the domain?
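The following script is an added example, not part of the course. It automates the SYSVOL test described above: it writes a small marker file into the scripts folder of one domain controller's SYSVOL share, polls every other domain controller for the file until a timeout, and reports how long each took, then deletes the marker. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later, PowerShell 3.0 or later) and an account that can write to SYSVOL; the timeout and polling interval are placeholders.

```powershell
# Added example: measure SYSVOL replication latency with a throwaway marker file.
# Assumes the ActiveDirectory module and write access to SYSVOL; timings are placeholders.
Import-Module ActiveDirectory

function Test-SysvolReplication {
    param(
        [string]$SourceDc = (Get-ADDomainController).HostName,  # DC the marker is written on
        [int]$TimeoutSec  = 600,
        [int]$PollSec     = 15
    )
    $domain  = (Get-ADDomain).DNSRoot
    $dcs     = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
    $name    = "repltest-$(Get-Date -Format 'yyyyMMddHHmmss').txt"
    # <domain>\scripts under the SYSVOL share is the NETLOGON folder; it replicates with SYSVOL.
    $relPath = "SYSVOL\$domain\scripts\$name"

    Set-Content -Path "\\$SourceDc\$relPath" -Value "replication test $(Get-Date -Format o)"
    $start   = Get-Date
    $pending = @($dcs | Where-Object { $_ -ne $SourceDc })
    $results = @()
    while ($pending.Count -gt 0 -and ((Get-Date) - $start).TotalSeconds -lt $TimeoutSec) {
        foreach ($dc in @($pending)) {
            if (Test-Path "\\$dc\$relPath") {
                $results += [pscustomobject]@{
                    DC = $dc; Replicated = $true
                    Seconds = [int]((Get-Date) - $start).TotalSeconds
                }
                $pending = @($pending | Where-Object { $_ -ne $dc })
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSec }
    }
    foreach ($dc in $pending) {
        $results += [pscustomobject]@{ DC = $dc; Replicated = $false; Seconds = $TimeoutSec }
    }
    # Clean up on the source; the deletion replicates the same way the file did.
    Remove-Item -Path "\\$SourceDc\$relPath" -ErrorAction SilentlyContinue
    $results
}

Test-SysvolReplication | Format-Table -AutoSize
# If the file never arrives on a DC, look at the AD DS side next: repadmin /replsummary
```

A domain controller that never reports the file while AD DS replication (the OU test in the next bullet, or repadmin output) is healthy points at the SYSVOL replication engine rather than at directory replication; a DC that is late on both usually has a site link or connectivity problem.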

Troubleshooting Group Policy Refresh

Key Points
Group Policy refresh refers to a client's periodic retrieval of GPOs.
• During Group Policy refresh, the client contacts an available domain controller. If any GPOs changed, the domain controller provides a list of all the appropriate GPOs.
• By default, GPOs are processed at the computer only if the version number of at least one GPO has changed on the domain controller that the computer is accessing.
• Group Policy reporting provides information, on the summary page, about when the last Group Policy refresh occurred. The report also tells you if the loopback setting is enabled.
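The following function is an added example and is not part of the course. It reads the Group Policy operational log (Microsoft-Windows-GroupPolicy/Operational, present on Windows Vista and Windows Server 2008 or later) to show when the last refresh cycle started, whether it finished, which GPOs it applied or filtered, and any client-side extension warnings or errors in that cycle. It assumes local Administrator rights on the client (standard users cannot read this log) and PowerShell 3.0 or later; the computer name and look-back window are placeholders. The event ID ranges used are the log's own conventions: 4000 to 4007 start a processing cycle, 8000 to 8007 end it successfully, 6xxx are warnings, 7xxx errors, and 5312 and 5313 list the applied and filtered GPOs.

```powershell
# Added example: summarize the most recent Group Policy refresh from the operational log.
# Assumes administrative rights on the target computer; name and window are placeholders.
function Get-LastGroupPolicyRefresh {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

    function FirstLine([string]$s) { ($s -split "`r?`n")[0] }

    $log   = 'Microsoft-Windows-GroupPolicy/Operational'
    $since = (Get-Date).AddHours(-$Hours)
    $ev    = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                 -FilterHashtable @{ LogName = $log; StartTime = $since }

    # Start events 4000-4007 (boot, logon, network change, manual, periodic refresh).
    $lastStart = $ev | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } |
                 Sort-Object TimeCreated | Select-Object -Last 1
    if (-not $lastStart) { return "No Group Policy processing cycle found in the last $Hours hours" }

    # Every event of one cycle shares the start event's ActivityId.
    $cycle = $ev | Where-Object { $_.ActivityId -eq $lastStart.ActivityId }
    $end   = $cycle | Where-Object { $_.Id -ge 8000 -and $_.Id -le 8007 } | Select-Object -First 1

    [pscustomobject]@{
        Computer     = $ComputerName
        Started      = $lastStart.TimeCreated
        StartEvent   = "$($lastStart.Id): $(FirstLine $lastStart.Message)"
        Finished     = if ($end) { $end.TimeCreated } else { '(no end event: cycle failed or still running)' }
        AppliedGpos  = ($cycle | Where-Object { $_.Id -eq 5312 } | Select-Object -First 1).Message
        FilteredGpos = ($cycle | Where-Object { $_.Id -eq 5313 } | Select-Object -First 1).Message
        Problems     = ($cycle | Where-Object { $_.Id -ge 6000 -and $_.Id -lt 8000 } |
                        ForEach-Object { "$($_.Id): $(FirstLine $_.Message)" }) -join '; '
    }
}

Get-LastGroupPolicyRefresh | Format-List
```

A cycle with a start event but no matching end event, or a non-empty Problems column, is where to begin; an empty Problems column with the expected GPO in AppliedGpos means the refresh itself worked and the fault lies with the setting or the resource it points at, which is the situation the script and folder redirection topics below describe.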

Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?

Discussion: Troubleshooting Group Policy Configuration

Question: One user is getting settings applied that no one else is receiving. What might be the issue, and how would you start troubleshooting?

Lesson 8: Troubleshooting Group Policy Settings

Group Policy settings issues are usually due to slow-link detection or incorrect configuration. Understanding how client-side extension processes work and how slow links are determined assists in troubleshooting these issues.

Troubleshooting Administrative Template Policy Settings

Key Points
Administrative Templates may not be applied because the operating system is not capable of interpreting the policy setting. Many of the newer policy settings apply only to particular operating systems. If the GPO that delivers true policies is unlinked, then the true policies are removed. However, the administrator must undo a preference explicitly by specifying a value in a GPO.

Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the Games link from the Start menu, but only the Windows Vista computers are enforcing the setting. What is the problem?

Troubleshooting Script Policy Settings

Key Points
The Scripts CSE updates the registry with the location of script files so that the UserInit process can find those values during its normal processing.
• When a CSE reports success, it might mean only that the script's location has been placed in the registry. Even though the setting is in the registry, there could be problems preventing the setting from being applied to the client.
• For example, if a script specified in a Script setting has an error that prevents it from completing, the CSE does not detect an error.

• Group Policy processes a GPO and stores the script information in the registry, in these locations:
  • HKCU\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts)
  • HKLM\Software\Policies\Microsoft\Windows\System\Scripts (Machine Scripts)

Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?

Lab E: Troubleshooting Group Policy Issues

Exercise 1: Troubleshoot Group Policy Scripts

Scenario
Woodgrove Bank has completed its deployment of Windows Server 2008. As the AD DS administrator, one of your primary tasks is troubleshooting AD DS issues that have been escalated to you from the company's help desk. You are responsible for resolving issues related to Group Policy application and configuration. All domain users will have a drive mapping to a shared folder named Data. The GPO is already created and is backed up. You will restore and apply the GPO that delivers that policy to the domain, and troubleshoot any issues with the policy.

The main tasks for this exercise are:
1. Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator.
2. Create and link a domain Desktop policy.
3. Restore the Lab7A GPO.
4. Link the Lab7A GPO to the domain.
5. Start NYC-CL1 and log on as WOODGROVEBANK\Administrator.
6. Test the GPO.
7. Troubleshoot the GPO.
8. Resolve the issue and test the resolution.

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator
• Start NYC-DC1, and then log on as WOODGROVEBANK\Administrator.

Task 2: Create and link a domain Desktop policy
1. On NYC-DC1, open Group Policy Management, and then create a new GPO named Desktop, linked to the WoodgroveBank.com domain.
2. Configure the Desktop GPO with the following settings:
  • Under Computer Configuration, Policies, Administrative Templates, System, Logon, enable Always wait for the network at computer startup and logon.
  • Under Network, Network Connections, Windows Firewall, Domain Profile, enable Windows Firewall: Allow inbound remote administration exception.
  • Under User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, in Important URLs, add http://WoodGroveBank.com as a customized home page URL.
  • Under Administrative Templates, Start Menu and Taskbar, enable Force classic Start Menu.

Task 3: Restore the Lab7A GPO
• In the Group Policy Management window, restore the Lab 7A GPO from E:\Mod07\LabFiles\GPOBackup.

Task 4: Link the Lab7A GPO to the domain
• In the Group Policy Management window, link the Lab 7A GPO to the WoodgroveBank.com domain.

Task 5: Start NYC-CL1 and log on as WOODGROVEBANK\Administrator
1. Start NYC-CL1, and then log on as WOODGROVEBANK\Administrator.
2. Disable the Windows Firewall on NYC-CL1.

Task 6: Test the GPO
1. Verify that you see the classic Start menu.
2. In Windows Internet Explorer, verify that the home page opens to http://WoodgroveBank.com.
3. Verify that the J: drive is mapped to the Data share on NYC-DC1.
4. Log off, and then log back on as WOODGROVEBANK\Roya.
5. Verify that you see the classic Start menu.
6. In Internet Explorer, verify that the home page opens to http://WoodgroveBank.com.
7. Notice that the J: drive is not mapped to the Data share on NYC-DC1.
8. Log off NYC-CL1.

Task 7: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy Results Wizard against NYC-CL1 for the user Roya.
2. Review the list of applied computer and user GPOs. Notice that the settings for both the Desktop GPO and the Lab 7A GPO were applied successfully.

3. On the Settings tab, under User Configuration, Windows Settings, Scripts, Logon, notice that the Lab 7A GPO was applied correctly.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Attempt to access the \\NYC-DC1\Scripts share, and then review the error.
6. Log off NYC-CL1.

Note: If time permits, you can view the Group Policy operational log as Administrator on NYC-CL1. If you filter the view to show events that Roya generates, you would see that the log does not detect any errors or warnings for this user. This is because the GPO only sets a registry value that defines the location of the scripts folder. The write to the registry was successful. Therefore, the Group Policy log does not see any errors. Group Policy is unaware if the user has access to the location. You would have to audit Object Access for the scripts folder to determine access issues.

Task 8: Resolve the issue and test the resolution
1. On NYC-DC1, browse to E:\Mod07\Labfiles\Scripts.
2. Review the permissions on the share and make sure that Authenticated Users have permission to access the share.
3. On NYC-CL1, log on as WOODGROVEBANK\Roya.
4. Verify that the J: drive is now mapped to the Data share on NYC-DC1.
5. Log off NYC-CL1.

Note: Another way to resolve the issue would be to move the script to the Netlogon share. Alternatively, to eliminate the need for such a logon script altogether, you could configure a mapped drive in Group Policy Preferences.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.
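The following function is an added example, not part of the course, and serves both the Troubleshooting Script Policy Settings topic above and this exercise. Run from the affected user's own session on the client, it reads the logon script entries the Scripts CSE wrote under HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon and then tries to open each script file as that user, which is the check Group Policy itself never performs: the CSE reports success once the registry value is written, so a script folder the user cannot read produces no error in the Group Policy log. It assumes the registry layout the CSE uses (one numbered subkey per GPO carrying DisplayName and FileSysPath, with numbered subkeys underneath holding Script and Parameters values) and PowerShell 3.0 or later; resolving a bare script file name against the GPO's FileSysPath\Scripts\Logon folder is an assumption stated in the code.

```powershell
# Added example: verify that the logged-on user can actually read each logon script
# that the Scripts CSE registered. Assumes the CSE's registry layout described in the lead-in.
function Get-UserLogonScriptStatus {
    param([string]$Root = 'HKCU:\Software\Policies\Microsoft\Windows\System\Scripts\Logon')
    if (-not (Test-Path $Root)) { return "No logon scripts recorded under $Root" }

    foreach ($gpoKey in Get-ChildItem -Path $Root) {
        $gpoProps = Get-ItemProperty -Path $gpoKey.PSPath          # DisplayName, FileSysPath, GPOName ...
        foreach ($scriptKey in Get-ChildItem -Path $gpoKey.PSPath) {
            $s    = Get-ItemProperty -Path $scriptKey.PSPath        # Script, Parameters
            $path = $s.Script
            # Assumption: a bare file name lives in the GPO's own scripts folder under SYSVOL.
            if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $gpoProps.FileSysPath "Scripts\Logon\$path"
            }
            $readable = $false
            $reason   = ''
            try {
                # A real open for read, not just Test-Path, so share and NTFS ACLs are exercised.
                $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
                $fs.Close()
                $readable = $true
            } catch {
                $reason = $_.Exception.GetType().Name   # e.g. UnauthorizedAccessException, FileNotFoundException
            }
            [pscustomobject]@{
                Gpo        = $gpoProps.DisplayName
                Script     = $path
                Parameters = $s.Parameters
                Readable   = $readable
                Error      = $reason
            }
        }
    }
}

Get-UserLogonScriptStatus | Format-Table -AutoSize
```

A row with Readable set to False and an UnauthorizedAccessException is the Exercise 1 fault seen from the client: the GPO applied, the registry entry is correct, and the share or NTFS permissions on the script location are what need fixing. Keeping scripts in the Netlogon share, as the note above suggests, avoids the problem because every authenticated user can read that share by default.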

Exercise 2: Troubleshoot GPO Lab-7B

Scenario
Domain users in the Miami OU and all sub OUs should not have access to Control Panel. You will restore and apply the GPO that delivers that policy to the Miami OU. The local onsite technician has submitted a help-desk ticket and escalated the following issue to the server team:
• Description of problem: No users should be able to access the Control Panel. However, some users do have access to Control Panel, while others do not. In particular, Roya, a Miami branch manager, has access to Control Panel.
This ticket has been escalated to the server team for resolution.

The main tasks in this exercise are:
1. Restore the Lab7B GPO.
2. Link the Lab7B GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the Lab7B GPO
• On NYC-DC1, in the Group Policy Management window, restore the Lab 7B GPO from backup.

Task 2: Link the Lab7B GPO to the Miami OU
• In the Group Policy Management window, link the Lab 7B GPO to the Miami OU.

Task 3: Test the GPO
1. On NYC-CL1, log on as WOODGROVEBANK\Rich.
2. Verify that you see the classic Start menu.
3. In Internet Explorer, verify that the home page opens to http://WoodgroveBank.com.
4. Verify that the J: drive is mapped to the Data share on NYC-DC1.
5. Notice that the Control Panel does not appear on the desktop or Start menu. This is a setting from the Lab 7B GPO that was applied to the Miami OU.
Note: Rich is a member of the Miami OU.
6. Log off NYC-CL1, and then log back on as WOODGROVEBANK\Roya.
7. Notice that even though the GPO should prevent it, the Control Panel is still present on the desktop and Start menu.
8. Log off NYC-CL1.

Task 4: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy Results Wizard against NYC-CL1 for the user Rich.
2. In the report summary, notice that the Lab 7B GPO was applied.
3. On the Settings tab, under User Configuration, notice that the policy setting to prohibit access to the Control Panel is enabled.
4. Rerun the query for Roya on NYC-CL1.
5. In the report summary, notice that the Lab 7B GPO has not been applied.
6. Review the denied GPOs and notice that the Lab 7B GPO is listed amongst the denied GPOs.

Task 5: Resolve the issue and test the resolution
1. In the Group Policy Management window, review the Delegation tab for the Lab 7B GPO.
2. Under Advanced settings, review the permissions for MIA_BranchManagerGG, and notice that the Apply group policy setting is set to Deny.
3. Remove the MIA_BranchManagerGG group from the permission list.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Notice that the Control Panel now correctly does not appear on the desktop or Start menu.
6. Log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 3: Troubleshoot GPO Lab-7C

Scenario
Users in the Miami OU should not have access to the Run command on the Start menu. You will restore and link the Lab 7C GPO to apply this setting. The local desktop technician has escalated the following issue to the server team:
• Description of problem: No users should be able to access the Run command on the Start menu, but all users in the Miami OU have access to the Run command. It is not supposed to be there.

The main tasks in this exercise are:
1. Restore the Lab7C GPO.
2. Link the Lab7C GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the Lab7C GPO
• On NYC-DC1, in the Group Policy Management window, restore the Lab 7C GPO from backup.

Task 2: Link the Lab7C GPO to the Miami OU
• In the Group Policy Management window, link the Lab 7C GPO to the Miami OU.

Task 3: Test the GPO
1. On NYC-CL1, log on as WOODGROVEBANK\Roya.
2. Click Start, and then notice the presence of the Run command.
3. Log off NYC-CL1.

Task 4: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, rerun the query for Roya on NYC-CL1.
2. In the report summary, under User Configuration Summary, notice that the Lab 7C GPO is being applied.
3. On the Settings tab, under User Configuration, notice that the Add the Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution
1. Edit the Lab 7C GPO.
2. In the Group Policy Management Editor window, under User Configuration, Policies, Administrative Templates, Start Menu and Taskbar, change Add the Run command to the Start Menu to Not Configured, and then click OK.
3. Change Add the Run command to the Start Menu to Enabled, and then click OK.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Click Start, and notice that the Run command is no longer present.
6. Do not log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 4: Troubleshoot GPO Lab-7D

Scenario
You will restore the Lab 7D GPO and link it to the Loopback folder. This GPO is designed to enhance security. A user in the Miami OU has submitted the following helpdesk ticket:
• Description of problem: Since the application of the GPO, Roya no longer has the classic Start menu or drive mapping, and can no longer run Internet Explorer.

The main tasks in this exercise are:
1. Create a new OU named Loopback.
2. Restore the Lab7D GPO.
3. Link the Lab7D GPO to the Loopback OU.
4. Move NYC-CL1 to the Loopback OU.
5. Test the GPO.
6. Troubleshoot the GPO.
7. Resolve the issue and test the resolution.

Task 1: Create a new OU named Loopback
1. On NYC-DC1, open Active Directory Users and Computers.
2. Create a new Organizational Unit under WoodgroveBank.com named Loopback.

Task 2: Restore the Lab7D GPO
• On NYC-DC1, in the Group Policy Management window, restore the Lab 7D GPO from backup.

Task 3: Link the Lab7D GPO to the Loopback OU
• In the Group Policy Management window, link the Lab 7D GPO to the Loopback OU.

Task 4: Move NYC-CL1 to the Loopback OU
• In Active Directory Users and Computers, move the NYC-CL1 computer from the Computers container to the Loopback OU.

Task 5: Test the GPO
1. Restart NYC-CL1.
2. When the computer restarts, log on as WOODGROVEBANK\Roya.
3. Click Start and notice that the Run command is present once again.
4. Notice also that the Control Panel is present on the desktop and Start menu. These changes are not intentional.
5. Open Windows Internet Explorer and notice that Internet Explorer does not launch.

Task 6: Troubleshoot the GPO
1. On NYC-DC1, in the Group Policy Management window, rerun the query for Roya on NYC-CL1.
2. In the summary report, under Computer Configuration, review the applied GPOs and notice that the Lab 7D GPO has been applied.
3. On the Settings tab, under Computer Configuration, notice that loopback processing mode is enabled.

Note: Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution
1. In the Group Policy Management window, disable the link for the Lab 7D GPO, and then click OK.
2. Restart NYC-CL1.
3. When the computer restarts, log on as WOODGROVEBANK\Roya.
4. Click Start and notice that the Run command is no longer present.
5. Notice that the Control Panel is again absent from the desktop and Start menu.
6. Open Internet Explorer and notice that Internet Explorer again opens properly.

Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there were other settings in the GPO that you did wish to have applied.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Task 8: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close dialog box, select Turn off machine and discard changes.
3. Close the 6419A Lab Launcher.
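The following function is an added example, not part of the lab, and serves Exercises 3 and 4: it answers "which GPO that reaches this container configures this setting, and with what state?" without clicking through each GPO in the editor. It takes the resolved inheritance list for a container from Get-GPInheritance (highest precedence first), pulls each GPO's XML report with Get-GPOReport, and prints every Administrative Template policy whose display name matches. The XPath uses local-name() so the report's XML namespaces do not need to be declared. It assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later) and PowerShell 3.0 or later; the target OUs are the lab's, the setting names are the editor's display names.

```powershell
# Added example: locate a named Administrative Template setting across the GPOs that
# reach a container, in precedence order. Assumes the GroupPolicy module.
Import-Module GroupPolicy

function Find-GpoSetting {
    param(
        [Parameter(Mandatory)][string]$Target,       # DN of the OU or domain
        [Parameter(Mandatory)][string]$SettingName   # display name as shown in the Group Policy Management Editor
    )
    # InheritedGpoLinks is the resolved inheritance list, highest precedence first.
    $links = (Get-GPInheritance -Target $Target).InheritedGpoLinks
    $order = 0
    foreach ($link in $links) {
        $order++
        $xml = [xml](Get-GPOReport -Guid $link.GpoId -ReportType Xml)
        # Each Administrative Template setting is a <Policy> element with <Name> and <State> children.
        foreach ($p in $xml.SelectNodes("//*[local-name()='Policy']")) {
            $name = $p.SelectSingleNode("*[local-name()='Name']").InnerText
            if ($name -ne $SettingName) { continue }
            $side = if ($p.SelectSingleNode("ancestor::*[local-name()='User']")) { 'User' } else { 'Computer' }
            [pscustomobject]@{
                Precedence = $order
                Gpo        = $link.DisplayName
                LinkEnabled= $link.Enabled
                Enforced   = $link.Enforced
                Side       = $side
                Setting    = $name
                State      = $p.SelectSingleNode("*[local-name()='State']").InnerText
            }
        }
    }
}

# Exercise 3: which GPO reaching Miami puts Run on the Start menu, and is it Enabled?
Find-GpoSetting -Target 'OU=Miami,DC=woodgrovebank,DC=com' `
                -SettingName 'Add the Run command to the Start Menu' | Format-Table -AutoSize

# Exercise 4: is loopback being switched on by a GPO linked where the computer object lives?
Find-GpoSetting -Target 'OU=Loopback,DC=woodgrovebank,DC=com' `
                -SettingName 'User Group Policy loopback processing mode' | Format-Table -AutoSize
```

For the loopback case the second call should be pointed at the computer's container, not the user's, because loopback is a Computer Configuration setting: that is why Roya's user-side GPOs were overridden once NYC-CL1 moved into the Loopback OU.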

Module Review and Takeaways

Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, while others do not. What might be some causes?
2. What log will give folder redirection details?
3. What visual indicator in the GPMC designates that inheritance has been blocked?
4. What GPO settings are applied across slow links by default?
5. Given a choice between a small number of GPOs with many settings or a large number of GPOs with fewer settings, which is preferable?
6. Can you deliver Windows security updates through Group Policy?

Considerations
When configuring user environments using Group Policy, consider the following:
• Policy settings that are Enabled enforce a setting.
• Policy settings that are Disabled reverse a setting.
• Policy settings that are Not Configured are not affected by Group Policy.
• Administrative Templates apply settings by modifying the registry for the user and computer.
• ADMX files can be customized.
• Scripts can be applied to the user or computer via Group Policy.
• Scripts can be written in multiple languages.
• Storing scripts in the NetLogon share makes them highly available.
• Certain folders can be redirected from the user's profile to a shared folder on the network.
• Different security groups can be redirected to different network locations.
• Software can be distributed via Group Policy through .MSI files.
• Software can be published to users, or assigned to users or computers.
• Software assigned to users is specific to that user.
• Software assigned to computers is available to all users on that computer.
• Software can be modified and maintained through Group Policy.
• Software can be removed through Group Policy.

Consider the following when implementing an AD DS monitoring plan:
• Client-side extensions handle application of Group Policy at regular, configurable intervals.
• Group Policy is made up of two parts: Group Policy templates and Group Policy containers. Group Policy replicates these objects on separate schedules using different mechanisms.
• GPO version numbers determine if a Group Policy has changed.
• Security settings refresh every 16 hours.
• Blocking inheritance will block all higher-level policies from being applied, unless those policies are enforced.
• You can filter Group Policy to apply only to certain security principals by using security settings or WMI filters.
• Security principals need permission to access script locations, so that they can execute scripts.
• Computer startup scripts run synchronously by default.
• User logon scripts run asynchronously by default.
• Windows XP and later versions log on users with cached credentials by default. Many users' settings will require two logons because of this.
• Windows XP and earlier versions use ICMP to determine link speed. Windows Vista and later versions use network awareness to determine link speed.
• Not all CSEs process across a slow link.
• Windows XP and earlier versions log to the Userenv log for most Group Policy issues. Windows Vista logs to operational logs in Event Viewer.
• You can modify the registry to enable other CSE logs.

Tools
Use the following tools when troubleshooting Group Policy issues:

Tool                             Use
Ping                             Testing network connectivity.
NSlookup                         Testing DNS lookups.
DCdiag                           Testing domain controllers.
Set                              Displaying, setting, or removing environment variables.
Kerbtray                         Displaying Kerberos ticket information.
Group Policy reporting (RSoP)    Reporting information about the current policies being delivered to clients.
GPResult                         A command-line utility that displays RSoP information.
GPOTool                          Checking Group Policy object stability, and monitoring policy replication.
GPResult                         Refreshing local and AD DS-based Group Policy settings.
Dcgpofix                         Restoring the default Group Policy objects to their original state after initial installation.
GPOLogView                       Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
Group Policy Management scripts  Sample scripts that perform a number of different troubleshooting and maintenance tasks.

Module 8: Implementing Security Using Group Policy

Contents:
Lesson 1: Configuring Security Policies                          8-3
Lesson 2: Implementing Fine-Grained Password Policies            8-15
Lab A: Implementing Security Using Group Policy                  8-20
Lesson 3: Restricting Group Membership and Access to Software    8-26
Lesson 4: Managing Security Using Security Templates             8-34
Lab B: Configuring and Verifying Security Policies               8-43

Module Overview

Failure to have adequate security policies can lead to many risks for an organization. A well designed security policy helps to protect an organization's investment in business information and internal resources, like hardware and software. Having a security policy in itself is not enough, however. You must implement the policy for it to be effective. You can leverage Group Policy to standardize security to control the environment.

Lesson 1: Configuring Security Policies

Group Policy provides settings you can use to implement and manage security in your organization. For example, you can use Group Policy settings to secure passwords, startup, and permissions for system services. In this lesson, you will learn the knowledge and skills necessary to configure security policies.

What Are Security Policies?

Key Points
Security policies are rules that protect resources on computers and networks. Group Policy allows you to configure many of these rules as Group Policy settings. For example, you can configure password policies as part of Group Policy. Group Policy has a large security section to configure security for both users and computers. This way, you can apply security consistently across organizational units (OUs) in Active Directory® Domain Services (AD DS) by defining security settings in a Group Policy object that is associated with a site, domain, or OU.

What Are Account Policies?

Key Points
Account policies protect your organization's accounts and data by mitigating the threat of brute force guessing of account passwords. In Microsoft® Windows® operating systems, and many other operating systems, the most common method for authenticating a user's identity is to use a secret password. Securing your network environment requires that all users utilize strong passwords. Password policy settings control the complexity and lifetime of passwords. You can configure password policy settings through Group Policy. The policy settings under Account Policies should always be configured at the domain level. Configuring these policy settings at any other Active Directory level only affects local accounts on member computers at those levels.

Question: You must ensure that all users change their password exactly every 30 days. How would you configure account policies to accomplish this?

What Are Local Policies?

Key Points
Every Windows 2000 Server or later computer has exactly one Local Group Policy Object (LGPO), regardless of whether it is part of an Active Directory environment. In this object, Group Policy settings are stored on the individual computer. The LGPO is stored in a hidden folder named %windir%\system32\Group Policy. This folder does not exist until you configure an LGPO.

Question: You have a Microsoft Windows Vista® client that is not joined to the domain. You want to force the Administrators to change their passwords every seven days, while standard users change their passwords every 21 days. How would you configure the local policy to achieve this?

What Are Network Security Policies?

Key Points
Automating client computer configuration settings is an essential step to reduce the cost of deploying networking security, and to minimize support issues that result from incorrectly configured settings. Starting with Windows Server 2003, you were able to automate client wireless configuration using the Wireless Networking Policies settings in Group Policy. Microsoft Windows Server® 2008 and Windows Vista include new features for network policies, and Group Policy support for 802.1X authentication settings for wired and wireless connections.

Question: How does your organization implement group policy to restrict access to wireless networks?

Windows Firewall with Advanced Security

Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. The new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration. Windows Firewall with Advanced Security allows you to create the following rules:
• Program rule: This type of rule allows traffic for a particular program. You can identify the program by program path and executable name.
• Port rule: This type of rule allows traffic on a particular TCP or User Datagram Protocol (UDP) port number or range of port numbers.
• Predefined rule: Windows includes a number of Windows functions that you can enable, such as File and Printer Sharing, Remote Assistance, and Windows Collaboration. Creating a predefined rule actually creates a group of rules that allows the specified Windows functionality to access the network.
• Custom rule: A custom rule allows you to create a rule that you may not be able to create using the other types of rules.

The default behavior of the new Windows Firewall is to:
• Block all incoming traffic unless it is solicited or it matches a configured rule.
• Allow all outgoing traffic unless it matches a configured rule.

Question: You want to ensure that users are not allowed to use the Telnet service to connect to any other computers. How would you accomplish this?
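The following script is an added example, not part of the course. It creates one rule of each type listed above with the netsh advfirewall command line that Windows Vista and Windows Server 2008 ship (run from an elevated PowerShell prompt), and then parses the profile summary to confirm that every profile still has the default block-inbound, allow-outbound policy. Rule names, the program path, the port, the service and the remote subnet are placeholders. These commands configure the local firewall; the same rule types can be delivered domain-wide from the Windows Firewall with Advanced Security node under Computer Configuration, Windows Settings, Security Settings.

```powershell
# Added example: the four rule types, created locally with netsh advfirewall, plus a
# check of each profile's default policy. Requires elevation; all names are placeholders.

# Program rule: identified by path and executable name.
netsh advfirewall firewall add rule name="Example App (inbound)" dir=in action=allow `
    program="C:\Program Files\ExampleApp\ExampleApp.exe" profile=domain enable=yes

# Port rule: a single TCP port (a range would be written as localport=8080-8090).
netsh advfirewall firewall add rule name="Example TCP 8080 (inbound)" dir=in action=allow `
    protocol=TCP localport=8080 profile=domain

# Predefined rule: enabling a built-in group turns on every rule that belongs to it.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

# Custom rule: criteria the other wizards do not combine, here a service, a protocol,
# a port and a remote address scope (placeholder management subnet).
netsh advfirewall firewall add rule name="Example Spooler (inbound, mgmt subnet)" dir=in action=allow `
    service=Spooler protocol=TCP localport=445 remoteip=10.0.50.0/24 profile=domain

function Get-FirewallProfilePolicy {
    # Parses "netsh advfirewall show allprofiles" into one object per profile.
    $profName = $null
    $state    = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:')  { $profName = $Matches[1]; continue }
        if ($line -match '^State\s+(\S+)')            { $state = $Matches[1] }
        if ($line -match '^Firewall Policy\s+(\S+)') {
            [pscustomobject]@{
                Profile   = $profName
                State     = $state
                Policy    = $Matches[1]
                IsDefault = ($Matches[1] -eq 'BlockInbound,AllowOutbound')
            }
        }
    }
}

Get-FirewallProfilePolicy | Format-Table -AutoSize
```

Any profile whose IsDefault column reads False has had its default policy changed; because the default already blocks unsolicited inbound traffic, the rules above only ever widen what is reachable, which is why each one is scoped to a profile, and the custom rule additionally to a subnet.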

Demonstration: Overview of Additional Security Settings

Key Points
• Create a wired network policy and see the available options.
• Create a Windows Vista wireless network policy, and see the options available.
• Demonstrate the Windows Firewall with Advanced Security options. Explore some of the predefined rules. Create some different types of rules as examples.
• Demonstrate how you can control services.
• Demonstrate how you can control registry and file-system permissions.

Question: You need to ensure that a particular service is not allowed to run on any of your network servers. How would you accomplish this?

Default Domain Controller Policies
Key Points
Default Domain Controllers Policy is linked to the Domain Controllers OU. This policy generally affects only domain controllers, because by default, computer accounts for domain controllers are kept in the Domain Controllers OU.
Question: Provide at least one example of a default controller policy that your organization has customized.
Question: You need to grant an ordinary user the right to log on locally to domain controllers. In which of the default policies should you configure this setting?

What Is the Default Domain Security Policy?
Key Points
The default domain policy is linked to the domain, and therefore affects all objects in the domain unless a GPO that you applied at a lower level blocks or overrides these settings. This policy has very few settings configured by default.
Note: Although you typically configure the Default Domain Policy to deliver Account Policies, any domain-level policy is capable of delivering Account Policies to the domain. If you configure multiple domain-level policies to provide Account Policies, the policy with the highest priority will win.
Question: If multiple policies are configured at the domain level, what determines the processing priority?

Demonstration: What Is the Default Domain Controller Security Policy?
Key Points
• Open the default domain controller policy.
• Explore the default audit policy.
• Explore the user rights configuration.
• Explore the security options.
• Discuss the differences from the default domain policy.
Question: What is the default Group Policy refresh interval for domain controllers?

Characteristics of Security Policy Settings
Key Points
Security policies protect the integrity of the computing environment by controlling many aspects of it, such as password policies, restricted groups, services, security options, network policies, public key policies, and so on.
Characteristics of Security Policies
• Security policies are refreshed every 16 hours even if they have not changed.
• Security policies are always processed, even across slow connections.
Question: You have configured a password policy in a GPO and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?

Lesson 2
Implementing Fine-Grained Password Policies
In Windows Server 2008, using fine-grained password policies, you can allow different password requirements and account lockout policies for different Active Directory users or groups. In this lesson, you will learn the knowledge and skills needed to implement fine-grained password policies.

What Are Fine-Grained Password Policies?
Key Points
In previous versions of AD DS, you could apply only one password and account lockout policy to all users in the domain. Fine-grained password policies allow you to have different password requirements and account lockout policies for different Active Directory users or groups. This is desirable when you want different sets of users to have different password requirements, but do not want separate domains. For example, the Domain Admins group may need strict password requirements to which you do not want to subject ordinary users. If you do not implement fine-grained passwords, then the normal default domain account policies apply to all users.
Question: How would you use fine-grained passwords in your environment?

How Fine-Grained Password Policies Are Implemented
Key Points
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory schema. They are:
• Password Settings Container (PSC)
• Password Settings Object (PSO)
The PSC object class is created by default under the System container in the domain, which stores that domain's PSOs. You cannot rename, move, or delete this container.
Question: How could you view the Password Settings Container in Active Directory Users and Computers?

Implementing Fine-Grained Password Policies
Key Points
There are three major steps involved in implementing fine-grained passwords:
• Create necessary groups, and add the appropriate users.
• Create PSOs for all defined password policies.
• Apply PSOs to the appropriate users or global security groups.
Question: In your organization, a number of users deal with confidential files on a regular basis. The user accounts are scattered across multiple OUs. You need to ensure that all these users have strict account policies enforced. How would you accomplish this with the least administrative effort?

Demonstration: Implementing Fine-Grained Password Policies
Key Points
• Follow the steps in the step-by-step guide to create a PSO named 7Days that forces the administrator to change passwords every seven days.
• Use the values given in the step-by-step guide to fill in the ADSI Edit wizard.
Question: What utilities can be used to manage PSOs? Choose all that apply.
a. ADSI Edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers

Lab A: Implementing Security Using Group Policy
Scenario
Woodgrove Bank has decided to implement Group Policy to configure security for users and computers in the organization. The company recently upgraded all of the workstations to Windows Vista, and all of the servers to Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for the workstations, servers, and users.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings, and may not always follow best practices.

Exercise 1: Configuring Account and Security Policy Settings
You have been tasked to implement a domain account policy with the following criteria:
• Domain passwords will be eight characters.
• Strong passwords will be enforced.
• Passwords will be changed exactly every 20 days.
• Accounts will be locked out for 30 minutes after five invalid logon attempts.
You also will configure a local policy on the Windows Vista client that enables the local Administrator account, and prohibits access to the Run menu for Non-Administrators. Then you will create a wireless network policy for Windows Vista that creates a profile for the Corp wireless network. This profile will define 802.1x as the authentication method. This policy also will deny access to a wireless network named Research. Finally, you will configure a policy to prevent the Windows Installer service from running on any domain controller.
The main tasks in this exercise are:
1. Start the virtual machine, and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network GPO for Windows Vista clients.
5. Configure a GPO that prohibits a service on all domain controllers.
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create an account policy for the domain
1. Launch the Group Policy Management Console.
2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Account Policies.
5. Edit the Account Policy in the Default Domain Policy with the following values:
• Password Policy:
  • Domain passwords: 8 characters in length
  • Strong passwords: enforced
  • Minimum password age: 19 days
  • Maximum password age: 20 days
• Account lockout policy:
  • Account Lockout Threshold: 5 invalid logon attempts
  • Account lockout duration: 30 minutes
  • Lockout counter: reset after 30 minutes
Task 3: Configure local policy settings for a Windows Vista client
1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
2. Create a new MMC, and then add the snap-in for the Group Policy Object Editor for the Local Computer.
3. Open Computer Configuration's Windows Settings, open Security Settings, open Local Policies, open Security Options, and then enable the Accounts: Administrator Account Status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again and then click Browse.

5. Click the Users tab, select the Non-Administrators group, and then click OK.
6. Open User Configuration, Administrative Templates, click the Start Menu and Taskbar folder, and then enable the Remove Run from Start Menu setting.
7. Close the MMC without saving the changes.
Task 4: Create a wireless network GPO for Windows Vista clients
1. On NYC-DC1, in the GPMC, create a new GPO named Vista Wireless.
2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies, and then clicking Create a New Windows Vista Policy.
3. In the New Vista Wireless Network Policy dialog box, click Add, and then click Infrastructure.
4. Create a new profile named Corporate, and then in the Network Name (SSID) field, type Corp, and then click Add.
5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK twice.
6. Click the Network Permissions tab, and then click Add.
7. Type Research in the Network Name (SSID): field, set the Permission to Deny, and then click OK.
8. Close the Group Policy Management Editor, and then leave the GPMC open.
Task 5: Configure a policy that prohibits a service on all domain controllers
1. Edit the following to disable the Windows Installer service: Default Domain Controller Policy, Computer Configuration, Policies, Windows Settings, Security Settings, and System Services.
2. Close the Group Policy Management Editor and leave the GPMC open.
Result: At the end of this exercise, you will have configured account and security policy settings.

Exercise 2: Implementing Fine-Grained Password Policies
Your corporate security policy dictates that members of the IT Administrative group will have strict password policies. The passwords must meet the following criteria:
• 30 passwords will be remembered in password history.
• Domain passwords will be 10 characters.
• Strong passwords will be enforced.
• Passwords will not be stored with reversible encryption.
• Passwords will be changed every seven days exactly.
• Accounts will be locked out for 30 minutes after three invalid logon attempts.
You will create a fine-grained password policy to enforce these policies for the IT Admins global group.
The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.
Task 1: Create a PSO using ADSI Edit
1. On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.
3. Navigate to DC=woodgrovebank, DC=com, CN=System, CN=Password Settings Container, right-click CN=Password Settings Container, and then create a new object.
4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.
5. In the Value box, type ITAdmin.
6. In the msDS-PasswordSettingsPrecedence value, type 10.
7. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.
8. In the msDS-PasswordHistoryLength value, type 30.
9. In the msDS-PasswordComplexityEnabled value, type TRUE.

10. In the msDS-MinimumPasswordLength value, type 10.
11. In the msDS-MinimumPasswordAge value, type -5184000000000.
12. In the msDS-MaximumPasswordAge value, type -6040000000000.
13. In the msDS-LockoutThreshold value, type 3.
14. In the msDS-LockoutObservationWindow value, type -18000000000.
15. In the msDS-LockoutDuration value, type -18000000000, and then click Finish.
16. Close the ADSI Edit MMC without saving changes.
Note: PSO values are time-based values entered using the Integer8 format. Integer8 is a 64-bit number that represents the amount of time, in 100-nanosecond intervals, that has passed since 12:00 AM January 1, 1601.
Task 2: Assign the ITAdmin password policy to the IT Admins global group
1. Open Active Directory Users and Computers.
2. Click View, and then click Advanced Features.
3. Expand Woodgrovebank.com, expand System, and then click Password Settings Container.
4. In the details pane, right-click the ITAdmin PSO, and then click Properties.
5. Click the Attribute Editor tab, scroll down, select the msDS-PSOAppliesTo attribute, and then click Edit.
6. Add the ITAdmins_WoodgroveGG group.
7. Close Active Directory Users and Computers.
Result: At the end of this exercise, you will have implemented fine-grained password policies.
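The arithmetic behind the Integer8 figures typed in Task 1, as an added Python example that is not part of the course lab: PSO duration attributes are negative counts of 100-nanosecond intervals, and check_pso applies the consistency constraints AD DS enforces on a PSO. Seven days encodes as -6048000000000, which is worth comparing with the figure in step 12 before you type it; the ITAdmin attribute set below is constructed from the exercise criteria, not read from the directory.

```python
"""Integer8 arithmetic for fine-grained password policy (PSO) attributes.

Added example for this page, not part of the course lab. PSO duration
attributes are stored as negative counts of 100-nanosecond intervals; this
reproduces the figures typed into ADSI Edit in Task 1 and checks the
attribute set for the constraints AD DS enforces when a PSO is created.
"""
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000   # 100-nanosecond intervals per second
NEVER_EXPIRES = -(2 ** 63)      # sentinel AD DS accepts for a maximum age of "never"

DURATION_ATTRS = (
    "msDS-MinimumPasswordAge",
    "msDS-MaximumPasswordAge",
    "msDS-LockoutObservationWindow",
    "msDS-LockoutDuration",
)


def to_integer8(days=0, hours=0, minutes=0, seconds=0):
    """Encode a duration as the negative Integer8 value a PSO expects."""
    span = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    return -int(span.total_seconds()) * TICKS_PER_SECOND


def from_integer8(value):
    """Decode a negative Integer8 duration back into a timedelta."""
    if value >= 0:
        raise ValueError("PSO durations are stored as negative Integer8 values")
    return timedelta(seconds=-value / TICKS_PER_SECOND)


def build_pso(name, precedence, history, complexity, min_length, min_age_days,
              max_age_days, lockout_threshold, observation_minutes,
              lockout_minutes, reversible=False):
    """Assemble the attributes of one msDS-PasswordSettings object."""
    return {
        "cn": name,
        "msDS-PasswordSettingsPrecedence": precedence,
        "msDS-PasswordReversibleEncryptionEnabled": reversible,
        "msDS-PasswordHistoryLength": history,
        "msDS-PasswordComplexityEnabled": complexity,
        "msDS-MinimumPasswordLength": min_length,
        "msDS-MinimumPasswordAge": to_integer8(days=min_age_days),
        "msDS-MaximumPasswordAge": to_integer8(days=max_age_days),
        "msDS-LockoutThreshold": lockout_threshold,
        "msDS-LockoutObservationWindow": to_integer8(minutes=observation_minutes),
        "msDS-LockoutDuration": to_integer8(minutes=lockout_minutes),
    }


def check_pso(pso):
    """Return the problems found in a PSO; an empty list means it is consistent.

    AD DS rejects a PSO whose minimum password age exceeds its maximum age or
    whose lockout duration is shorter than its observation window; the
    reversible-encryption check is a policy choice matching the lab criteria.
    """
    problems = []
    for attr in DURATION_ATTRS:
        if pso[attr] >= 0:
            problems.append(f"{attr} must be a negative Integer8")
    if problems:
        return problems                 # decoding below needs negative values
    max_age = pso["msDS-MaximumPasswordAge"]
    if max_age != NEVER_EXPIRES and (
            from_integer8(pso["msDS-MinimumPasswordAge"]) > from_integer8(max_age)):
        problems.append("minimum password age must not exceed maximum password age")
    if (from_integer8(pso["msDS-LockoutDuration"])
            < from_integer8(pso["msDS-LockoutObservationWindow"])):
        problems.append("lockout duration must be at least the lockout observation window")
    if pso["msDS-PasswordReversibleEncryptionEnabled"]:
        problems.append("reversible encryption stores passwords in a recoverable form")
    return problems


# The ITAdmin PSO from Exercise 2, constructed from the stated criteria: 30 passwords
# remembered, 10 characters, complexity on, minimum age 6 days, maximum age 7 days,
# 3 attempts, 30-minute observation window and 30-minute lockout.
ITADMIN = build_pso("ITAdmin", precedence=10, history=30, complexity=True,
                    min_length=10, min_age_days=6, max_age_days=7,
                    lockout_threshold=3, observation_minutes=30, lockout_minutes=30)

if __name__ == "__main__":
    for attr, value in ITADMIN.items():
        print(f"{attr:45} {value}")
    print("problems:", check_pso(ITADMIN) or "none")
```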

Lesson 3
Restricting Group Membership and Access to Software
In a large network environment, one of the challenges of network security is controlling the membership of built-in groups in the directory and on workstations. Another concern is preventing access to unauthorized software on workstations.

What Is Restricted Group Membership?
Key Points
In some cases, you may want to control the membership of certain groups in a domain to prevent addition of other user accounts to those groups. You can use the Restricted Groups policy to control group membership. Use the policy to specify what members are placed in a group. If you define a Restricted Groups policy and refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed. This can include default members, such as domain administrators.
Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups like Enterprise Admins and Schema Admins. You also can use this setting to control the membership of built-in local groups on workstations and member servers, such as the local administrators group. For example, you can place the Helpdesk group into the local Administrators group on all workstations.

You cannot specify local users in a domain GPO. Any local users who currently are in the local group that the policy controls will be removed. The only exception is that the local Administrator account will always be in the local Administrators group.
Question: Your company has five Web servers physically located across North America. The Web servers' computer accounts are all located in a single OU. You want to grant all the users in the global group named Web_Backup the right to back up and restore the Web servers. How could you use Group Policy to accomplish this?

Demonstration: Configuring Restricted Group Membership
Key Points
• Create and link a new Group Policy to the ITAdmins OU.
• Add the Administrators group to the GPO restricted groups list.
• Configure the Administrators group membership to include Domain Admins and the ITAdmins_WoodgroveGG global group.
• Move the Windows Vista client into the ITAdmins OU, and then force the update of Group Policy on the client.
Question: You created a Group Policy that adds the Helpdesk group to the local Administrators group and you linked the policy to an OU. Now the Domain Administrators no longer have any administrative authority on the computers in that OU. What is the most likely problem and how would you solve it?

What Is a Software Restriction Policy?
Key Points
You may want to restrict access to software to prevent users from running particular applications or types of applications, like VBScripts. Software restriction policy provides administrators with a policy-driven mechanism for identifying software and controlling its ability to run on a client computer.
Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this?

Options for Configuring Software Restriction Policies
Key Points
Software Restriction policies use rules to determine whether an application is allowed to run. When you create a rule, you first identify the application. Next you identify it as an exception to the default policy setting of Unrestricted or Disallowed. The enforcement engine queries the rules in the software restriction policy before allowing a program to run.
Unrestricted security level allows all software to run according to the users' normal permissions, except for software that is identified specifically as an exception to the rule.
Basic security level allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.

Disallowed security level does not allow any software to run on the client computer except for software that is identified specifically as an exception to the rule. It can be difficult to manage because each allowed application must be identified individually, and because you might need to update the policy each time a service pack is applied to a software package.
Note: You should apply Disallowed security level only in very high-security or locked-down environments.
Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use?

Demonstration: Configuring Software Restriction Policies
Key Points
• Create a hash rule to disallow Microsoft Internet Explorer®.
• Log off and log on to test the rule.
Note: Internet zone rules only apply to software that uses the Windows Installer.
Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use?

Lesson 4
Managing Security Using Security Templates
A security policy is a group of security settings that affect a computer's security. You can use a security policy to establish account and local policies on your local computer, and in Active Directory. You can create security templates to assist in creating security policies to meet your company's security needs. You can then use these templates to configure the security settings assigned to computers either manually, or through Group Policy.

What Are Security Templates?
Key Points
A security template is a collection of configured security settings. Security templates contain security settings for all security areas. You can use predefined security templates as a base to create security policies that you customize to meet your needs, or you can create new templates. You use the Security Templates snap-in to create or customize templates. After you create a new template or customize a predefined security template, you can use it to configure security on an individual computer or thousands of computers. You apply security templates by using the Security Configuration and Analysis snap-in, the secedit command-line tool, or by importing the template into Local Security Policy.
Question: Provide an example of how Security Templates can help organize your existing security attributes.

Demonstration: Applying Security Templates
Key Points
• Create a new OU named Servers.
• Create an MMC with the Security Templates snap-in.
• Create a new security template named Server Baseline.
• Configure some security settings. For example, rename the administrator account, configure a restricted group, and so on.
• Create a new GPO named Security Baseline, and then assign it to the Servers OU.
• Import the Server Baseline template into the Security Baseline GPO.
Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers?

What Is the Security Configuration Wizard?
Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that was introduced with Windows Server 2003 with Service Pack 1 (SP1). SCW assists administrators in creating security policies, and determines the minimum functionality that is required for a server's role or roles, and then disables functionality that is not required. SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the server's selected roles. The security policies that you create with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).
Question: What types of server roles exist in your organization?

Demonstration: Configuring Server Security Using the Security Configuration Wizard
Key Points
• Open the Security Configuration Wizard, and then create a new policy.
• Step through the wizard and notice the various options.
• Explore the security configuration database.
• Save the policy file as C:\baseline.xml.
• Complete the wizard, but choose to apply the policy later.
Question: What types of server roles exist in your organization?

Options for Integrating the Security Configuration Wizard and Security Templates
Key Points
Security policies that you create with the SCW can also include custom security templates. Some of the settings that you can configure using the SCW partially overlap with the settings that you can configure using security templates alone. Neither set of configuration changes is completely inclusive of the other. For example, the SCW includes IIS settings that are not included in any security template. Conversely, security templates can include such items as Software Restriction policies, which you cannot configure through SCW.
The SCW itself does not support GPOs. SCW saves its security policies as XML files. The scwcmd.exe command-line utility allows you to convert these and save them as GPOs by using the scwcmd.exe transform command.
Question: What is the main advantage of the SCW?

Demonstration: Importing Security Configuration Policies into Security Templates
Key Points
• Launch the command prompt. Use scwcmd.exe to transform the Baseline.XML policy file that you created in the last demo into a GPO named ServerBaseline: Scwcmd transform /p:C:\Baseline.xml /g:Serverbaseline
• Open the GPMC and see that the GPO named Serverbaseline exists.
Question: You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW or create a security template and use a GPO?

What Is the Security Configuration and Analysis Tool?
Key Points
You can use the Security Configuration and Analysis tool to analyze and configure local system security. Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. You also can use Security Configuration and Analysis to configure local system security.

Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool
Key Points
• Create a custom security template.
• Import the custom template into the Security Configuration and Analysis Tool.
• Run an analysis to compare the current settings to the custom security template.
Question: Provide at least one example of how your organization can benefit from using the Security Configuration and Analysis Tool.

Lab B: Configuring and Verifying Security Policies
Scenario
The enterprise administrator created a design that includes modifications to the default domain security policy, and additional GPOs for configuring security. The company wants to have the flexibility to assign different password policies for specific users. The company also wants to automate the configuration of security settings as much as possible.

Exercise 1: Configuring Restricted Groups and Software Restriction Policies
You need to ensure that the ITAdmins global group is included in the local Administrators group for all of the organization's computers. Domain controllers are considered high security, and Internet Explorer will not be allowed to run on domain controllers. You also will prevent any Visual Basic scripts (VBS) from running on the C: drive of domain controllers.
The main tasks are as follows:
1. Configure restricted groups for the local administrators group.
2. Create a GPO that prohibits Internet Explorer and VBS scripts from running on domain controllers.
Task 1: Configure restricted groups for the local administrators group
1. If required, open the GPMC, open the Group Policy Objects folder and then edit the Default Domain Policy.
2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, right-click Restricted Groups, and then click Add Group.
3. Add the Administrators group, and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
• Woodgrovebank\ITAdmins_WoodgroveGG
• Woodgrovebank\Domain Admins
5. Close the Group Policy Management Editor.

Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers
1. Edit the Default Domain Controllers Policy.
2. Navigate to Windows Settings, expand Security Settings, right-click Software Restriction Policies, and then click New Software Restriction Policy.
3. Right-click Additional Rules, and then click New Hash Rule.
4. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe, and then click Open. Ensure that the Security level is Disallowed.
5. Right-click Additional Rules, and then click New Path Rule.
6. In the Path field, type *.vbs and then click OK.
7. Close the Group Policy Management Editor.
Result: At the end of this exercise, you will have configured restricted groups and software restriction policies.
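An added Python simulation, not course material, of the rule evaluation described under Options for Configuring Software Restriction Policies, using the two rules created in Task 2 above: hash rules are checked first and follow the file wherever it is copied, path rules come next with the more specific path winning, and the policy's default security level applies when nothing matches. The file contents and paths are constructed stand-ins, the rank function is an approximation of the documented path precedence, and certificate and Internet zone rules are left out.

```python
"""Simulate how a Software Restriction Policy decides whether a program runs.

Added example for this course page, not Microsoft's implementation. It
models the security levels and rule types from the topic text and the two
rules built in Lab B, Exercise 1, Task 2. Precedence follows the documented
SRP order: hash rules, then path rules (more specific path first), then the
policy's default level. Certificate and Internet zone rules are omitted.
"""
import fnmatch
import hashlib
from dataclasses import dataclass

# Security levels named in the topic text.
DISALLOWED = "Disallowed"
BASIC_USER = "Basic User"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    digest: str   # hash of the file contents; the path does not matter
    level: str


@dataclass(frozen=True)
class PathRule:
    pattern: str  # wildcard path, e.g. *.vbs or C:\Program Files\*
    level: str


def file_hash(content: bytes) -> str:
    """SHA-256 stands in here for the hash Windows stores in a real hash rule."""
    return hashlib.sha256(content).hexdigest()


def _path_rank(pattern: str):
    """Approximate SRP path precedence: a rule naming a file or *.extension
    outranks a folder rule, and more literal text outranks less."""
    last = pattern.rstrip("\\").split("\\")[-1]
    literal = pattern.replace("*", "").replace("?", "")
    return ("." in last, len(literal))


def evaluate(path: str, content: bytes, rules, default_level=UNRESTRICTED):
    """Return (security level, reason) for a program about to be run."""
    digest = file_hash(content)
    # 1. Hash rules identify the file wherever it is installed or renamed.
    for rule in rules:
        if isinstance(rule, HashRule) and rule.digest == digest:
            return rule.level, "hash rule " + digest[:12]
    # 2. Path rules: case-insensitive wildcard match, most specific wins.
    matched = [r for r in rules if isinstance(r, PathRule)
               and fnmatch.fnmatchcase(path.lower(), r.pattern.lower())]
    if matched:
        best = max(matched, key=lambda r: _path_rank(r.pattern))
        return best.level, "path rule " + best.pattern
    # 3. Nothing matched: the default security level decides.
    return default_level, "default security level"


# Constructed sample data standing in for the real binaries.
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_BYTES = b"constructed stand-in for iexplore.exe contents"

# The two rules from Lab B, Task 2, on a policy whose default is Unrestricted.
LAB_RULES = [
    HashRule(file_hash(IE_BYTES), DISALLOWED),   # New Hash Rule on iexplore.exe
    PathRule(r"*.vbs", DISALLOWED),              # New Path Rule for *.vbs
]


def lab_decisions():
    """Decisions for a few constructed programs under LAB_RULES."""
    cases = {
        "ie_in_place": (IE_PATH, IE_BYTES),
        "ie_copied_elsewhere": (r"C:\Temp\renamed.exe", IE_BYTES),
        "ie_after_service_pack": (IE_PATH, b"patched iexplore.exe contents"),
        "script_on_c": (r"C:\Scripts\login.vbs", b"WScript.Echo 1"),
        "notepad": (r"C:\Windows\notepad.exe", b"notepad contents"),
    }
    return {name: evaluate(p, c, LAB_RULES)[0] for name, (p, c) in cases.items()}


if __name__ == "__main__":
    for name, level in lab_decisions().items():
        print(f"{name:24} {level}")
```

The ie_after_service_pack case is the maintenance caveat from the topic text: once the binary changes, the hash rule no longer matches and the program falls back to the default level.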

Exercise 2: Configuring Security Templates
You will create a security template for file and print servers that will rename the Administrator account, and does not display the last user name that logged on. You then will use the Security Configuration Wizard to create a security policy that hardens the file and print server, and includes the security template. You will use the SCW interface to apply the policy to the file and print server NYC-SVR1. Finally, you will transform the policy into a GPO named FPSecurity.
The main tasks for this exercise are:
1. Create a security template for the file and print servers.
2. Start NYC-SVR1, and disable the Windows Firewall.
3. Run the Security Configuration Wizard and import the FPSecurity template.
4. Transform the FPPolicy into a GPO.
Task 1: Create a security template for the file and print servers
1. On NYC-DC1, create a new MMC, and then add the snap-in for Security Templates.
2. Expand Security Templates, right-click C:\Users\Administrators\Documents\Security\Templates, and then click New Template.
3. Name the template FPSecurity.
4. Navigate to Local Policies, and then Security Options.
5. Define the Accounts: Rename administrator account setting with the value FPAdmin.
6. Set the Interactive Logon: Do not display last user name setting to Enabled.
7. In the folder pane, right-click FPSecurity, and then click Save. Close the MMC without saving the changes.
Task 2: Start NYC-SVR1 and disable the Windows Firewall
1. Start NYC-SVR1 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Disable the Windows Firewall.

Note: This step is performed to simplify the lab and is not a recommended practice.
Task 3: Run the Security Configuration Wizard and import the FPSecurity template
1. On NYC-DC1, launch the Security Configuration Wizard.
2. On the Welcome page, click Next.
3. On the Configuration Action screen, click Next.
4. On the Select Server screen, type NYC-SVR1.woodgrovebank.com, and then click Next.
5. After the configuration database processes, click Next.
6. On the Role-Based Service Configuration screen, click Next.
7. On the Select Server Roles screen, clear the checkbox beside DNS Server.
8. Select the checkbox beside File Server.
9. Select the checkbox beside Print Server and then click Next.
10. On the Select Client Features screen, click Next.
11. On the Select Administration and Other Options screen, click Next.
12. On the Select Additional Services screen, click Next.
13. On the Handling Unspecified Services screen, continue clicking Next until you reach the Security Policy File Name screen.
14. On the Security Policy File Name screen, type FPPolicy at the end of the C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates, and then click Add.
16. Add the Documents\Security\Templates\FPSecurity policy, and then click Next.
17. On the Apply Security Policy screen, click Apply Now, and then click Next.
18. On the Applying Security Policy screen, click Next, and then click Finish.

Task 4: Transform the FPPolicy into a GPO
1. On NYC-DC1, launch the Command Prompt and type scwcmd transform /p:"C:\Windows\security\msscw\Policies\FPpolicy.xml" /g:FileServerSecurity.
2. Open the GPMC if necessary, and then open the Group Policy Objects folder. Double-click the FileServerSecurity GPO, and then examine the settings.
3. Close the GPMC and log off NYC-DC1.

Result: At the end of this exercise, you will have configured security templates.
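The following PowerShell script is an added check, not part of the course lab, that a practitioner could run on NYC-SVR1 after the policy has been applied to confirm that the FPSecurity template settings actually arrived through the SCW policy. It assumes an elevated PowerShell session on that server, locates the built-in Administrator account by its SID suffix (-500) rather than by name, and also reports the firewall state because Task 2 turned it off only to simplify the lab.

```powershell
# Added example, not part of the 6419A course material: verify on NYC-SVR1 that the
# settings from the FPSecurity template took effect after the SCW policy was applied.
# Assumes an elevated PowerShell session on the server that received the policy.

$expectedAdminName = 'FPAdmin'   # value defined in the FPSecurity template (Task 1)
$results = @()

# 1. The built-in Administrator account always has a SID ending in -500, so it can be
#    located regardless of its current name. Compare that name with the template value.
$builtinAdmin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' }
$results += New-Object PSObject -Property @{
    Check    = 'Accounts: Rename administrator account'
    Expected = $expectedAdminName
    Actual   = $builtinAdmin.Name
    Pass     = ($builtinAdmin.Name -eq $expectedAdminName)
}

# 2. "Interactive logon: Do not display last user name" is stored as the
#    DontDisplayLastUserName REG_DWORD under the Policies\System key (1 = Enabled).
$sysPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results += New-Object PSObject -Property @{
    Check    = 'Interactive logon: Do not display last user name'
    Expected = 1
    Actual   = $sysPolicy.DontDisplayLastUserName
    Pass     = ($sysPolicy.DontDisplayLastUserName -eq 1)
}

# 3. Export the effective local security policy and confirm the rename is present there
#    too, which shows the setting arrived through policy rather than a manual rename.
$inf = Join-Path $env:TEMP 'effective-policy.inf'
secedit /export /cfg $inf /quiet | Out-Null
$renameLine = Get-Content $inf |
    Where-Object { $_ -match '^NewAdministratorName\s*=' } |
    Select-Object -First 1
$results += New-Object PSObject -Property @{
    Check    = 'Policy export contains NewAdministratorName'
    Expected = "`"$expectedAdminName`""
    Actual   = if ($renameLine) { ($renameLine -split '=', 2)[1].Trim() } else { '<not defined>' }
    Pass     = [bool]($renameLine -and $renameLine -match "`"$expectedAdminName`"")
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Task 2 disabled Windows Firewall only to simplify the lab; report each profile's
#    state so the profiles can be turned back on once the exercise is finished.
$fwState = netsh advfirewall show allprofiles state
$results += New-Object PSObject -Property @{
    Check    = 'Windows Firewall profiles (expect ON outside the lab)'
    Expected = 'ON'
    Actual   = ($fwState | Where-Object { $_ -match '^State' } |
                ForEach-Object { ($_ -split '\s+')[-1] }) -join ','
    Pass     = -not ($fwState -match 'OFF')
}

$results | Format-Table Check, Expected, Actual, Pass -AutoSize
```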

Exercise 3: Verifying the Security Configuration

You will log on as various users to test the results of Group Policy.

The main tasks for this exercise are:
1. Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group.
2. Log on to the Windows Vista computer as an ordinary user and test the account policy.
3. Log on to the domain controller as the domain administrator and test software restrictions and services.
4. Use Group Policy modeling to test the settings on the file and print server.
5. Close all virtual machines and discard undo disks.

Task 1: Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group
1. Log on to NYC-CL1 as NYC-CL1\administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and run the GPupdate /force command.
3. Open Control Panel, click User Accounts, click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, open the Administrators group, and then ensure that the Domain Admins and the ITAdmins global groups are present.
4. Ensure that the Run menu appears in the Accessories folder on the Start menu.
5. Restart NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user, and test the policy
1. Log on to NYC-CL1 as Woodgrovebank\Roya with the password Pa$$w0rd.
2. Ensure that the Run menu does not appear in the Accessories folder on the Start menu.

3. Press Right-ALT + DELETE, and then click Change a password.
4. In the Old Password field, type Pa$$w0rd.
5. In the New Password and Confirm password fields, type pa, and then click OK. Read the error message. You will not be able to update the password because the minimum password length requirement has not been met.
6. Press Right-ALT + DELETE, and then click Change a password.
7. In the New Password and Confirm password fields, type w0rdPa$$, and then click OK. Read the error message. You will not be able to update the password because the minimum password age has not expired.
8. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator, and test software restrictions and services
1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and then run the GPupdate /force command.
3. Navigate to E:\mod08\labfiles, and then double-click Hello.vbs.
4. Attempt to launch Internet Explorer.
5. Open the Services MMC in Administrative Tools.
6. Scroll down to the Windows Installer service, and ensure that it is set to Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and print server
1. Open the GPMC, and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection window: click Computer, and then type Woodgrovebank\NYC-SVR1.
3. After completing the wizard, observe the policy settings.

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have verified the security configuration.

Module Review and Takeaways

Considerations for Implementing Security Using Group Policy

Consider the following when implementing security using Group Policy:
• The Default Domain Policy and the Default Domain Controllers Policy are created by default.
• Account policies must be implemented at the domain level.
• Any domain level policy is capable of delivering account policies.
• Clients receive account policies from domain controllers.
• Local policies generally affect all users of the local computer, including domain users.
• Network security policies can control wireless configuration for Windows XP and later.

• Network security policies can control wired configuration for Windows Vista and later.
• Firewall settings and IPsec settings are now integrated.
• Windows Firewall supports outbound rules.
• Network awareness can automatically determine your firewall profile.
• Access to software can be controlled through Group Policy.
• There are four rule types to control access to software.
• Local administrators can be exempted from software restrictions.
• Both domain and local group membership can be controlled through Group Policy.
• Security templates can be used to provide a consistent set of security settings.
• The Security Configuration Wizard can be used to assist in creating security policies.
• Fine-grained passwords allow different users or global groups to have different account policies.
• Fine-grained policies are not delivered through Group Policy.
• Fine-grained policies must be created using ADSIedit or LDIFDE.

Review Questions
1. You want to place a software restriction policy on a new type of executable file. What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3 invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default Domain Controller Policy. You need to restore the policy to its original default settings. How would you accomplish this?


Module 9
Configuring Server Security Compliance

Contents:
Lesson 1: Securing a Windows Infrastructure 9-3
Lesson 2: Overview of EFS 9-9
Lesson 3: Configuring an Audit Policy 9-13
Lesson 4: Overview of Windows Server Update Services (WSUS) 9-20
Lesson 5: Managing WSUS 9-32
Lab: Manage Server Security 9-40

Module Overview

This module explains how to secure servers, secure data on servers, and maintain update compliance. It also details how to configure an audit policy and manage updates using Windows Server Update Services (WSUS). Because keeping servers and workstations updated with the most recent software updates helps increase security, it is important to automate software updates. WSUS helps administrators use automation to deploy software updates with less effort and more control.

Lesson 1
Securing a Windows Infrastructure

This lesson explains how to secure a server role within a Microsoft® Windows® infrastructure. As organizations expand the availability of network data, applications, and systems, it becomes more challenging to ensure network infrastructure security. Security technologies in the Microsoft Windows Server® 2008 operating system enable organizations to provide better protection for their network resources and organizational assets in increasingly complex environments and business scenarios.

Discussion: Challenges of Securing a Windows Infrastructure

Key Points
Discuss the challenges of securing a Windows infrastructure.

Applying Defense-in-Depth to Increase Security

Key Points
The layers of defense provide a view of your environment, area by area, that you should consider when designing your network's security defenses. You can modify the detailed definitions of each layer based on your organization's security priorities and requirements. The following list gives an example of what you could address at each level of defense:
• Data. An organization's primary concerns at this layer are business and legal issues that may arise from data loss or theft, and operational issues that vulnerabilities may expose at the host or application layers.
• Application. An organization's primary concerns at this layer are access to the binary files that comprise applications, access to the host through vulnerabilities in the application's listening services, or inappropriate gathering of specific system data to pass to someone who can use it for their own purposes.

• Host. An organization's primary concerns at this layer are preventing access to the binary files that comprise the operating system, and access to the host through vulnerabilities in the operating system's listening services.
• Internal network. The risks to an organization's internal network largely concern the sensitive data that it transmits via the networks. The connectivity requirements for client workstations on these internal networks also pose a number of risks.
• Perimeter network. The primary risks at this layer focus on available Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that the network uses.
• Physical security. An organization's primary concern at this layer, if using antivirus systems, is to stop infected files from bypassing the perimeter and internal network defenses.
• Policies, procedures and awareness. In many cases, ignorance of a risk can lead to a security breach. It is important for you to promote awareness in your organization to all interested parties. For this reason, training also should be an integral part of any security model.

Question: What is the most important part of the defense-in-depth security model?

Core Server Security Practices

Key Points
Without physical security, you have no security. Core server-security practices are relatively easy to adopt, and you should integrate them into the standard security configuration of all servers. Some of your core server-security practices should include:
• Apply the latest service packs, and all available security and critical updates.
• Use Group Policy and security templates to harden servers and lessen the attack footprint.
• Use the Security Configuration Wizard to scan and implement server security based on server roles.
• Restrict the scope of access for service accounts, which lessens damage should the account be compromised.

• Use security options to restrict who can log on locally to server consoles.
• Restrict physical and network access to servers.

Question: Does your company have a detailed "build sheet" for all new installations that occur on new hardware? What can you do to lessen the attack footprint on your infrastructure?

Lesson 2
Overview of EFS

Data encryption on the file system is an important part of securing server data. The Encrypting File System (EFS) integrates with NTFS to provide data encryption for files. Encrypting a file with EFS is straightforward: users can select a checkbox and the file will be encrypted. BitLocker Drive Encryption can be used to protect operating system files on a server that has been physically compromised.

What Is Encrypting File System?

Key Points
Encrypting File System (EFS) is a system for encrypting data files that is included as part of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista®, and Windows Server 2008. Encrypting or decrypting a file or folder occurs when a user opens advanced properties and checks or clears the Encrypt contents to secure data checkbox. EFS generates a unique symmetrical encryption key to encrypt each file. The symmetrical key is stored in the file header.

Question: Why would EFS be used to encrypt data in addition to using NTFS permissions?

What Is BitLocker Drive Encryption?

Key Points
BitLocker Drive Encryption is a system that encrypts the entire operating system volume. Encryption of additional data volumes is also an option. Encryption keys are handled automatically in the background with little overhead.

Question: In what scenario would BitLocker be useful on a server?

Troubleshooting EFS

Key Points
When you encounter issues with EFS, first determine the circumstances under which the error occurs:
• Does the error affect multiple users or one user?
• Is the error with a local or remote file?
• Does the error occur during encryption or decryption?

Based on the information you gather about the issue, you can focus on the probable causes.

Question: Have you faced any EFS troubleshooting scenarios in your work environment? If so, how did you approach them?

Lesson 3
Configuring an Audit Policy

You can configure an audit policy that records user or system activity in specified event categories. Additionally, you can monitor security-related activity, such as who accesses an object, if a user logs on or off a computer, or if changes occur to an auditing policy setting. As a best practice, you should create an audit plan before implementing audit policy.

What Is Auditing?

Key Points
Auditing is the process that tracks user activity by recording selected events in a server or workstation security log. The most common types of events to audit are:
• Access to objects, such as files and folders.
• Management of user and group accounts.
• Users logging on and off the system.

Question: List three reasons that you may want to audit certain areas of a system or a particular shared resource.

What Is an Audit Policy?

Key Points
An audit policy determines the security events that are reported to the network administrator. When you implement an audit policy:
• Specify the categories of events that you want to audit.
• Set the size and behavior of the security log.
• Audit directory service access or object access by determining for which objects you are monitoring access and what type of access you want to monitor.

For example, if you want to audit any attempts by users to open a particular file, you can configure auditing policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.

Question: Provide an example of why you would want to log successful events and failure events, as opposed to only failure events.

Types of Events to Audit

Key Points
Before you implement an auditing policy, you must decide which event categories to audit. The auditing settings that you choose for the event categories define your auditing policy. You can create an auditing policy that suits your organization's security needs by defining auditing settings for specific event categories. Auditing settings for the event categories are undefined by default on member servers and workstations that are joined to a domain. Domain controllers turn on auditing by default.

Question: What categories of events does your company presently audit? If your company is not auditing, what event categories would you like to see audited in your organization?

Troubleshooting Audit Policy

Key Points
After you configure auditing, the service may not work. This behavior can occur for any of the following reasons:
• A site, a domain, or an organizational unit policy setting overrides the audit policy that you configured. To troubleshoot this issue, view the higher-level GPO items that are linked to either the organizational unit or to the domain for possible conflicts.
• A GPO that overrides the audit policy setting has a higher priority. To troubleshoot this issue, open the Audit Policy, and view the Security Setting of the policy. If the security setting of the policy is No auditing, a higher-level GPO may be overriding the audit policy setting that you configured. To confirm this behavior, in Active Directory Users and Computers, view the properties of your domain. Then view the Group Policy Object Links list on the Group Policy tab. Items that are higher in the list override other lower-level items.

If the GPO that contains your audit policy setting is listed below a higher-priority GPO item that turns off auditing, do one of the following steps:
• Click the GPO that contains the audit policy setting that you want to use, and then click Up to move it above the higher-priority item in the list.
• Edit the GPO items that are listed above the GPO that contains the audit policy setting to remove conflicting policy settings.
• The site, the domain, or the organizational unit policy setting that contains the audit policy setting has not replicated to other computers. To resolve this issue, use the Secedit.exe command-line utility to force Group Policy to be refreshed.

Object Access Auditing
• Inheritance affects file and folder auditing. After you set up auditing on a parent folder, new files and subfolders that are created in that folder inherit auditing. If you do not want the file or folder to inherit auditing from the parent, you can edit the auditing settings of the file or folder.
• You can test an audit rule for a file or folder by opening and closing the file or folder. Then you can look in the event log for the corresponding events.

Question: How often do you think you should check the security log to ensure auditing is happening correctly?

Demonstration: How to Configure Auditing

Key Points
• Open Group Policy Management.
• Edit the Default Domain Controllers Policy located under WoodgroveBank.com\Group Policy Objects\Default Domain Controllers Policy.
• In the Group Policy Management Editor console tree, expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.
• Click the Explain tab of an auditing policy.
• Enable one or more auditing policies.
• Enable auditing on object access.

Question: What is the default auditing policy setting for domain controllers? What is the benefit of having this setting as the default setting for domain controllers?
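An added example, not from the course demonstration, that carries the object access auditing described above through in PowerShell: it sets an inheritable audit rule on a folder, shows the inherited entry on a file created afterwards, and reads the resulting 4663 events back from the Security log. It assumes an elevated session on a computer where Audit object access (success and failure) is already enabled by policy; the folder path C:\AuditDemo and the Everyone principal are constructed for the example.

```powershell
# Added example, not part of the 6419A course material: audit reads under a folder and
# confirm both inheritance and the resulting Security log events.
# Assumes an elevated session and that Audit object access (Success, Failure) is enabled.

$folder  = 'C:\AuditDemo'   # constructed path for this example
$account = 'Everyone'       # constructed principal to audit

# 1. Confirm the File System subcategory is actually in effect; a SACL on its own
#    generates nothing if the audit policy is not enabled.
$auditPolicy = auditpol /get /subcategory:"File System"
if (-not ($auditPolicy -match 'Success')) {
    Write-Warning 'File System auditing is not enabled; the rule below will produce no events.'
}

# 2. Create the folder and add an audit rule that children inherit (ContainerInherit,
#    ObjectInherit). ReadData covers file reads; Success and Failure are both recorded.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $account, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
$acl = Get-Acl -Path $folder -Audit      # -Audit is required so the SACL is read and written
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. A file created afterwards inherits the rule; show the inherited entry on the file.
$file = Join-Path $folder 'secret.txt'
Set-Content -Path $file -Value 'constructed sample content'
(Get-Acl -Path $file -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# 4. Generate a read and then list the matching 4663 ("An attempt was made to access an
#    object") events. Properties[1] is the subject user name, Properties[6] the object name.
$since = (Get-Date).AddMinutes(-1)
Get-Content -Path $file | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    Where-Object { $_.Properties[6].Value -eq $file } |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```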

Lesson 4
Overview of Windows Server Update Services (WSUS)

This lesson introduces Windows Server Update Services (WSUS), which is a tool for managing and distributing software updates that resolve security vulnerabilities and other stability issues. WSUS enables you to deploy the latest Microsoft product updates to computers running the Windows operating system.

What Is Windows Server Update Services?

Key Points
WSUS enables you to deploy the latest Microsoft product updates to computers running the Windows Server 2003, Windows Server 2008, Microsoft Windows XP with Service Pack 2, Windows Vista, and Windows 2000 with Service Pack 4 operating systems. Using WSUS enables you to manage the distribution of the updates that Microsoft Update releases to your network's computers. WSUS 3.0 provides improvements in the following areas:
• Ease of use
• Improved deployment options
• Better support for complex server hierarchies

• Better performance and bandwidth optimization
• The ability to extend WSUS 3.0 using improved application programming interfaces (APIs)

Question: Do you currently use WSUS services in your organization? If so, how would the improvements to WSUS 3.0 affect how you use WSUS? If not, how would implementing WSUS benefit your organization?

Obtaining Updates

Key Points
At least one WSUS server in your organization must synchronize updates with the Windows Update servers on the Internet. Additional WSUS servers can synchronize updates with a parent WSUS server. You can use WSUS on an isolated network by copying update files from a WSUS server that is connected to the Internet.

Question: Describe a scenario where an organization would have an isolated network.

Windows Server Update Services Process

Key Points
It is recommended to implement an ongoing four-phase approach to the update management process: assess, identify, evaluate and plan, and deploy. Each phase has different goals and methods for using WSUS features to ensure success during the update management process. It is important to note that you can employ many of the features in more than one phase. It is essential to repeat the update management process on an ongoing basis, as new updates become available that can enhance and protect the production environment.

Question: You need to determine which types of updates to synchronize from Microsoft Update and when to synchronize them. In which phase of the WSUS process would this planning occur?

WSUS Deployment Considerations

Key Points
Deployment considerations include the following:

Internet connectivity is required for at least one of your WSUS servers, although it is possible to support isolated network segments that have no connection to the Internet.

A simple WSUS deployment consists of a single WSUS server or farm, which synchronizes updates from Windows Update and distributes them to computers on the network.

A WSUS server hierarchy consists of a parent WSUS server, which synchronizes with Windows Update, and downstream WSUS servers that synchronize with the parent WSUS server.

You should determine the number of WSUS servers that you require by examining the number of client computers that you must support, the number of locations that you have, and the type of WSUS deployment that you choose.

You can use computer groups to control whether computers should get different updates. You can also use computer groups to create a limited release-testing group for testing updates before full deployment.

You should consider where to store updates before distribution. You can store the updates on Windows Update servers and use WSUS to control which updates the computers will download, or you can store the updates on the WSUS server.

Question: In your organization, would you use more than one WSUS server? If so, would you link your WSUS servers together using autonomous mode or replica mode?

Server Requirements for WSUS

Key Points
The number of client computers that your organization is updating is what drives hardware and database software requirements. A WSUS server using the recommended hardware can support a maximum of 20,000 clients. You must format both the system partition and the partition on which you install WSUS with the NTFS file system.

Question: Does your organization meet the software requirements for WSUS?

Installing WSUS

Key Points
Considerations for installing the WSUS server include:
• You can store updates locally, or you can have client computers connect to Microsoft Update to get approved updates.
• By default, WSUS offers to install Windows Internal Database, or you can choose to use an existing database instance.
• You can use the default IIS Web site on port 80, or if you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option.

Once you install the WSUS server, you can install the WSUS administration console to manage the WSUS server.

Question: Would you install the WSUS administration console on the same server as the WSUS server in your organization?

WSUS Group Policy Settings

Key Points
When you configure the Group Policy settings for WSUS, use a GPO linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controller GPOs to add WSUS settings.
• In a simple environment, link the GPO with the WSUS settings to the domain.
• In more complex environments, you might have multiple GPOs linked to several organizational units (OUs), which enables you to have different WSUS policy settings applied to different types of computers.
• To help protect computers against immediate security threats, set up a more frequent schedule for computers to contact the WSUS server.

Question: What is the risk in allowing users of desktop computers to delay restarts that updates require?

Automatic Updates Configuration

Key Points
You can use Group Policy or the registry to configure Automatic Updates. Configuring Automatic Updates involves pointing the client computers to the WSUS server, ensuring that the Automatic Updates software you are using is current, and configuring any additional environment settings. The best way to configure Automatic Updates and WSUS environment options depends on your network environment. In an Active Directory environment, you use Group Policy. In a non-Active Directory environment, you might use the Local Group Policy object (GPO) or edit the registry directly.

Question: Which method of client configuration would you use in your environment?

Demonstration: Configuring WSUS

Key Points
• Configure Automatic Update client settings using Group Policy.
• Open Group Policy Management.
• Create a new GPO in the WoodgroveBank.com domain.
• Edit the GPO.
• In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
• Enable Configure Automatic Updates.

Question: Would you enable the Delay Restart for scheduled installations policy in your organization? Why or why not?

Lesson 5
Managing WSUS

This lesson explains how you can manage WSUS by performing administrative tasks using the WSUS 3.0 administration console, managing computer groups to target updates to specific computers, and approving the installation of updates for all the computers in your WSUS network or for different computer groups.

WSUS Administration

Key Points
The WSUS 3.0 administration console has changed from a Web-based console to a plug-in for MMC version 3.0. The WSUS 3.0 administration console also enables you to:
• Manage WSUS remotely.
• Generate multiple reports with improved precision.
• Configure post-setup tasks using a wizard.
• Maintain server health more easily.

• You can also manage updates with command-line tools:
  • Wsusutil.exe is the command-line tool for managing WSUS.
  • Wuauclt.exe can be used to control some aspects of the Windows Update Agent.

Question: Explain why having an MMC console for WSUS makes administration easier.

Managing Computer Groups

Key Points
Computer groups are an important part of WSUS deployments, even a basic one. Computer groups enable you to target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer initially contacts the WSUS server, the server adds that client computer to each of these groups. You can create custom computer groups. There is no limit to the number of custom groups you can create. One benefit of creating computer groups is that they enable you to test updates before deploying updates widely. If testing goes well, you can roll out the updates to the All Computers group.

Question: Describe a benefit of using computer groups in WSUS for deploying updates.

Approving Updates

Key Points
After updates have synchronized to your WSUS server, they are scanned automatically for relevance to the server's client computers. However, you must approve the updates manually before they are deployed to your network's computers.
• When you approve an update, you are specifying what WSUS does with it (the options are Install or Decline for a new update). You can approve updates for the All Computers group or for subgroups.
• If you do not approve an update, its approval status remains Not approved, and your WSUS server allows clients to evaluate whether they need the update.

You can configure your WSUS server for automatic approval of certain updates. You can also specify automatic approval of revisions to existing updates as they become available. This option is selected by default.
• Automatic approval rules will not apply to updates requiring an End User License Agreement (EULA) that has not yet been accepted on the server. If you find that applying an automatic approval rule does not cause all the relevant updates to be approved, you should approve these updates manually.

Note: If your WSUS server is running in replica mode, you will not be able to approve updates on your WSUS server.

Question: Would you choose automatic approval of updates in your organization when automatic approval is available? Explain your reason.

Demonstration: Managing WSUS

Key Points
• Add a computer to the WSUS console.
• Approve an update to be applied to the computer.

Question: How do you install an update immediately?

Server Core Security Updates

Key Points
Windows Server 2008 Server Core requires fewer updates than a full server installation of Windows Server 2008. Windows Update uses applicability rules so that only computers that have Internet Explorer® 7 install Internet Explorer 7 updates. These applicability settings also apply to Server Core installations. However, you typically use the command line to locally administer a Server Core installation.

Question: Do any other management tasks for Server Core differ from the standard full server implementation?

Lab: Manage Server Security

Exercise 1: Configuring Windows Software Update Services

Scenario
As the Windows Infrastructure Services Technology Specialist, you have been tasked with configuring and managing server and client security patch compliance as well as implementing an audit policy to track specific events occurring in AD DS. You must ensure systems maintain compliance with corporate standards. In this exercise, you will configure WSUS.

The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Use the Group Policy Management Console to create and link a GPO to the domain to configure client updates.
3. Use the WSUS administration tool to view WSUS properties.

4. Create a computer group, and add NYC-CL2 to the new group.
5. Approve an update for Windows Vista clients.
6. Install an update on the Windows Vista client.
7. View WSUS reports.

Task 1: Start the virtual machines, and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Use the Group Policy Management Console to create and link a GPO to the domain to configure client updates
1. On NYC-DC1, open Group Policy Management.
2. Create a new GPO in the WoodGroveBank.com domain named WSUS.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.
6. Enable Specify intranet Microsoft update service location. Set the intranet update service for detecting updates and the intranet statistics server to http://NYC-SVR1.
7. Enable Automatic Updates detection frequency.

8. On NYC-CL2, run the GPUpdate /force command from the command prompt.
9. Restart NYC-CL2 and log on as WoodgroveBank\Administrator after NYC-CL2 restarts.

Task 3: Use the WSUS administration tool to view WSUS properties
1. On NYC-SVR1, open Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services window, in the console pane under NYC-SVR1, click Options.
3. Using the details pane, view the configuration settings available in WSUS.

Task 4: Create a computer group, and add NYC-CL2 to the new group
1. In the Update Services window, in the console pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group, and name the group HO Computers.
3. In the details pane, change membership of the NYC-CL2.woodgrovebank.com computer object so that it is a part of the HO Computers group.

Task 5: Approve an update for Windows Vista clients
1. In the Update Services window, expand Updates, and then click Security Updates.
2. In the list pane, change both the Approval and Status filters to Any, and then click Refresh. Notice all of the updates available.
3. In the Critical Updates details pane, right-click Security Update for Windows Vista (KB957095), and then click Approve.
4. Approve the update for all computers.

5. In the Critical Updates details pane, right-click Security Update for Windows Vista (KB957095), and then click Approve.
6. Set the deadline to yesterday's date. Take note of the VMs' configured date and enter a date one day before the VMs' configured date. Note that because these VMs use the Microsoft Lab Launcher environment, their date will not correspond with the actual date. This is by design.

Note: Entering yesterday's date will cause the update to be installed as soon as the client computers contact the server.

Task 6: Install an update on the Windows Vista client
1. On NYC-CL2, at the command prompt, type GPUpdate /force.
2. Once the policy has finished updating, type wuauclt /detectnow.
3. When prompted, restart the computer.
4. Log on as Woodgrovebank\administrator with a password of Pa$$w0rd.
5. Open Windows Update to review recently installed updates.

Task 7: View WSUS reports
• On NYC-SVR1, run a Computer Detailed Status report to view updates for NYC-CL2.

Results: After this exercise, you should have configured WSUS.
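The server-side steps of Exercise 1 (create the HO Computers group, add NYC-CL2, approve KB957095 with a past deadline) together with a check that the Task 2 GPO actually reached the client, as an added PowerShell example that is not part of the course. It assumes the WSUS 3.0 administration assembly is present on NYC-SVR1 (HTTP, port 8530), the lab names above, and PowerShell 2.0 on the client; the replica check implements the note that a replica server cannot approve updates.

```powershell
# Added example (not from the course): WSUS 3.0 administration API plus a client policy check.
# Assumptions: run on NYC-SVR1 with the WSUS console installed (HTTP, port 8530);
# NYC-CL2 / HO Computers / KB957095 are the lab's names.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Connect-LabWsus {
    param([string]$Server = 'NYC-SVR1', [int]$Port = 8530)
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
    # A replica server inherits approvals from its upstream server; approving here is not possible.
    if ($wsus.GetConfiguration().IsReplicaServer) {
        throw "$Server is a replica server; approve updates on the upstream server instead."
    }
    return $wsus
}

function Get-OrCreateTargetGroup {
    param($Wsus, [string]$Name)
    $group = $Wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if (-not $group) { $group = $Wsus.CreateComputerTargetGroup($Name) }
    return $group
}

function Approve-LabUpdate {
    param($Wsus, $Group, [string]$Kb, [datetime]$Deadline)
    # IUpdate.KnowledgebaseArticles holds the KB numbers without the 'KB' prefix.
    $updates = $Wsus.GetUpdates() | Where-Object { $_.KnowledgebaseArticles -contains $Kb }
    foreach ($u in $updates) {
        # Install action with a deadline in the past: installed at the client's next contact (Task 5, step 6).
        $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $Group, $Deadline) | Out-Null
        "Approved '{0}' for group '{1}', deadline {2}" -f $u.Title, $Group.Name, $Deadline
    }
}

function Test-WsusClientPolicy {
    # Run on NYC-CL2 after gpupdate /force: confirms the Task 2 GPO values landed in the policy registry keys.
    param([string]$ExpectedServer = 'http://NYC-SVR1')
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    if (-not (Test-Path $wu)) { return 'No WSUS policy applied (policy registry key missing).' }
    $p = Get-ItemProperty $wu
    $a = Get-ItemProperty $au -ErrorAction SilentlyContinue
    $ok = ($p.WUServer -eq $ExpectedServer) -and ($p.WUStatusServer -eq $ExpectedServer) -and ($a.UseWUServer -eq 1)
    New-Object PSObject -Property @{
        WUServer           = $p.WUServer
        WUStatusServer     = $p.WUStatusServer
        UseWUServer        = $a.UseWUServer
        DetectionFrequency = $a.DetectionFrequency   # hours, from 'Automatic Updates detection frequency'
        Compliant          = $ok
    }
}

# Server side (NYC-SVR1)
$wsus   = Connect-LabWsus
$group  = Get-OrCreateTargetGroup -Wsus $wsus -Name 'HO Computers'
$client = $wsus.GetComputerTargetByName('nyc-cl2.woodgrovebank.com')
$group.AddComputerTarget($client)
Approve-LabUpdate -Wsus $wsus -Group $group -Kb '957095' -Deadline (Get-Date).AddDays(-1)

# Client side (NYC-CL2), after gpupdate /force:
# Test-WsusClientPolicy | Format-List
```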

Exercise 2: Configure Auditing

Scenario
As the network administrator, you have been tasked with implementing an audit policy to track specific events occurring in AD DS. In this exercise you will enable auditing. First, you will examine the audit policy's current state. Then you will configure auditing as required to track successful and unsuccessful modifications made to Active Directory objects, including the old and new attribute values. Finally, you will test the policy.

The main tasks for this exercise are:
1. Examine the current state of the audit policy.
2. Enable Audit Directory Service Access on domain controllers.
3. Set the SACL for the domain.
4. Test the policy.
5. Close all virtual machines and discard undo disks.

Task 1: Examine the current state of the audit policy
• On NYC-DC1, at the Command Prompt, type Auditpol.exe /get /category:* and then press ENTER.

Task 2: Enable Audit Directory Service Access on domain controllers
1. Open Group Policy Management.
2. In the console pane, click WoodgroveBank.com, expand Group Policy Objects, right-click the Default Domain Controllers Policy, and then click Edit.
3. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, click Audit Policy, and then examine the default audit-policy settings.
4. Enable the Audit Directory Service Access policy to audit both Success and Failure.
5. At the Command Prompt, type Gpupdate. When the update completes, run the Auditpol.exe /get /category:* command again.

Task 3: Set the SACL for the domain
1. Open Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. Enable auditing for the WoodgroveBank.com domain object:
• Enable auditing for Everyone.
• Audit both Successful and Failed for Write all Properties.

Task 4: Test the policy
1. Return to Active Directory Users and Computers, and edit any user account to change the phone number.
2. Open Event Viewer, expand Windows Logs, and then click Security.
3. Open event 4662 and examine the event.
4. Return to Active Directory Users and Computers.
5. Rename the Toronto OU to GTA.
6. Return to Event Viewer, and examine the resulting directory service changes events.
7. Close all open windows.

Result: At the end of this exercise, you will have configured AD DS Auditing.

Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
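Exercise 2 scripted end to end on NYC-DC1, as an added PowerShell example that is not part of the course: it shows the DS Access category, enables it locally with auditpol (the lab does this through the Default Domain Controllers Policy), adds the Task 3 SACL entry through System.DirectoryServices, and reads back the 4662 and 5136 events. It assumes the woodgrovebank.com domain from the lab and PowerShell 2.0 for Get-WinEvent; the field names parsed from the event messages are assumptions about the English message text.

```powershell
# Added example (not from the course): Exercise 2 as a script. Assumes NYC-DC1,
# domain DC=woodgrovebank,DC=com, an account with the security audit privilege, PowerShell 2.0.

function Show-DsAccessAuditPolicy {
    # Task 1 equivalent, narrowed to the category this exercise changes.
    auditpol.exe /get /category:"DS Access"
}

function Enable-DsAccessAuditing {
    # Local equivalent of Task 2: every DS Access subcategory, success and failure.
    # Note: a GPO audit setting (as in the lab) overrides what is set here at the next refresh.
    auditpol.exe /set /category:"DS Access" /success:enable /failure:enable
}

function Set-DomainWritePropertySacl {
    # Task 3: SACL on the domain object, Everyone, Write all Properties, Success and Failure,
    # inherited by all child objects.
    param([string]$DomainDn = 'DC=woodgrovebank,DC=com')
    $entry = [ADSI]"LDAP://$DomainDn"
    # Ask ADSI to read and write the SACL as well as the DACL when the entry is committed.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success,Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $entry.ObjectSecurity.AddAuditRule($rule)
    $entry.CommitChanges()
}

function Get-DsChangeEvents {
    # Task 4: 4662 = an operation was performed on an object (what the lab opens);
    # 5136 = a directory service object was modified, and carries old and new attribute values.
    param([int]$Max = 25)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662, 5136 } -MaxEvents $Max |
        Select-Object TimeCreated, Id,
            @{ Name = 'Subject'; Expression = {
                [regex]::Match($_.Message, 'Account Name:\s+(\S+)').Groups[1].Value } },
            @{ Name = 'Object'; Expression = {
                # 4662 reports 'Object Name:', 5136 reports the object's 'DN:' (assumed message layout)
                [regex]::Match($_.Message, '(?:Object Name|DN):\s+(.+)').Groups[1].Value.Trim() } }
}

Show-DsAccessAuditPolicy
Enable-DsAccessAuditing
Set-DomainWritePropertySacl
# Change a user's phone number or rename the Toronto OU as in Task 4, then:
Get-DsChangeEvents | Format-Table -AutoSize
```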

Module Review and Takeaways

Review Questions
1. What kind of security challenges might a small to medium-sized business experience, that may not be as big an issue for a large enterprise?
2. If you decide to put an audit policy in place, how should you configure the security log properties in Event Viewer?
3. What must an administrator do before any update is sent to clients and servers via WSUS?
4. What is the reason for setting a deadline for automatic installation to a past date?

Best Practices
Regardless of the operating system you are using, the basic steps for securing it are the same. Consider the following best practices for securing an operating system:
• Install all operating system service packs and updates.
• Keep applications and operating systems up to date.
• Eliminate unnecessary applications and network services.
• Verify user account security.
• Configure system logging to record significant events.


Module 10
Configuring and Managing Storage Technologies

Contents:
Lesson 1: Windows Server 2008 Storage Management Overview 10-3
Lesson 2: Managing Storage Using File Server Resource Manager 10-13
Lab A: Installing the FSRM Role Service 10-20
Lesson 3: Configuring Quota Management 10-22
Lab B: Configuring Storage Quotas 10-29
Lesson 4: Implementing File Screening 10-31
Lab C: Configuring File Screening 10-38
Lesson 5: Managing Storage Reports 10-40
Lab D: Generating Storage Reports 10-45
Lesson 6: Understanding Storage Area Networks 10-47

Module Overview
File storage is important when managing Microsoft® Windows Server® environments. Significant challenges exist when attempting to analyze, plan, and implement storage solutions. The Windows Server 2008 operating system includes several tools to help you configure and manage storage technologies. This module will explain common capacity and storage management challenges, and describe storage technologies that you can configure and manage to address file-storage problems. This module also describes how to analyze usage trends, and how to implement solutions to meet user requirements while complying with company policy and industry and regulatory standards.

Lesson 1
Windows Server 2008 Storage Management Overview
Windows Server 2008 operating system storage management and File Server Resource Manager are storage technologies that you can configure and manage to address common capacity and storage management challenges in the enterprise environment. This lesson will describe common capacity and storage management challenges and will describe how you can use File Server Resource Manager and the Windows Server 2008 operating system storage management to address these challenges.

Common Capacity Management Challenges

Key Points
Capacity management is the process of planning, sizing, analyzing, and optimizing methods to satisfy an organization's increase in data storage demands. As the data that you need to store and access increases, so does your need for capacity management. Keeping track of how much storage capacity is available, how much storage space you need for future expansion, and how you are using the environment's storage enables you to meet the storage capacity requirements of your organization. Capacity management is also an attempt to control corporate storage misuse. Many users tend to use server storage space to store large personal multimedia files, such as MP3s or digital photos, as well as other types of data, such as screensavers and games.

Question: What capacity management challenges do you face in your work environment?

Common Storage Management Challenges

Key Points
After capacity management, the next challenge is managing the file types that are stored on servers. Many organizations store 60 to 100 percent of their work data, including e-mail messages, office documents, and line-of-business application databases. Some information is critical to the functioning of the business, while other information is less critical. Critical information often must be maintained in a state that allows it to always be available. Some data also may have specific retention requirements due to industry or regulatory standards. Unapproved files and programs also create storage management issues. Many users tend to store non-work-related files and programs that can consume storage. Storage management attempts to control this misuse of corporate space.

Question: What are some of the storage challenges in your organization?

Addressing Capacity and Storage Management Challenges

Key Points
• Knowing how the company is currently using storage makes planning for future storage requirements much more predictable.
• Resource management policies may vary within a company. For example, some departments may require more storage than others, and some departments may want to store files in specific ways.
• Without policies and controls in place, users may often use storage for noncompliant uses.
• Having resource management policies in place allows for more predictability when planning for future capacity.

Tools such as File Server Resource Manager (FSRM) perform the tasks necessary for analyzing storage usage, planning storage policies, and implementing the policies. The final step after analyzing and defining policies is to implement the policies.

Question: In your work environment, what tools and strategies are currently used to address capacity and storage management challenges?

Capacity Management Solutions

Key Points
Windows Server 2008 provides a number of tools and technologies to assist in capacity management tasks. With the addition of other applications such as Microsoft System Center Operations Manager (SCOM) and the File Server Migration Toolkit (FSMT), a full range of storage management solutions can be realized. The FSMT helps you copy files and folders from servers running Microsoft Windows 2003 Server, Microsoft Windows® 2000 Server or Windows NT® Server 4.0 operating systems to a server running Windows Server 2003, Windows Storage Server 2003, Windows Server 2008 or Microsoft Windows Storage Server 2008. The primary benefits of FSMT include:
• Transparent migration experience for end users.
• Maintains security settings for migrated files.
• Consolidates shared folders with the same names from different servers.

• Supports server clusters as source and target file servers.
• Roll-back functionality for failed migrations.

The FSMT can be downloaded from the Microsoft web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a42b0-b595-66f462f5d87b&DisplayLang=en

Question: How do you currently address these capacity management challenges in your work environment?

Storage Management Solutions

Key Points
Windows Server 2008 also provides a number of tools to assist in storage management tasks. These tools include:
• Fibre Channel Information Tool helps to gather configuration information on a Fibre Channel SAN for management of Fibre Channel Host Bus Adapters and discovery of SAN resources.
• Storage Manager for SANs helps you create and manage logical unit numbers (LUNs) on Fibre Channel and Internet SCSI (iSCSI) disk drive subsystems that support Virtual Disk Service (VDS) in your storage area network (SAN).
• Virtual Disk Service provides a unified view of all disks and volumes, regardless of whether they are connected by SCSI, Fibre Channel, iSCSI or PCI RAID.

• Operations Manager monitors up to thousands of servers, applications, and clients to provide a comprehensive view of the health of an organization's IT environment.

Question: How do you currently address these storage management challenges in your work environment?

What Is File Server Resource Manager?

Key Points
File Server Resource Manager (FSRM) is a complete set of tools that allows administrators to address the following key file-server management challenges:
• Capacity management. Monitors usage patterns and utilization levels.
• Quota management. Limits how much data can be stored on the server.
• Policy management. Restricts which files are stored on the server.
• Reports. Provides storage capacity usage reports to meet regulatory requirements that allow the administrators, security groups and management personnel the ability to perform oversight and auditing functions.

Question: Do you currently use FSRM in your work environment?

Lesson 2
Managing Storage Using File Server Resource Manager
You use FSRM to configure quota management, implement file screening, and generate storage reports. This lesson provides information about how to manage storage using FSRM.

FSRM Functions

Key Points
File Server Resource Manager provides several features to carry out storage management tasks. The following table describes FSRM functions:

Function: Create quotas to limit the space allowed for a volume or folder
Description: Allows you to set the maximum amount of space allotted to a user. It also allows the administrator to be notified if the quota is exceeded.

Function: Automatically generate quotas
Description: Allows you to specify that quotas are generated dynamically when subfolders are created. This allows the storage volume to be managed without having to apply quotas every time a directory structure is modified.

Function: Create file screens
Description: Enables file filtering based on file extensions. Common file categories can be grouped together to create file groups.

(continued)

Function: Monitor attempts to save unauthorized files
Description: Enables administrators to be notified when users attempt to save an unapproved file type.

Function: Define quota and file screening templates
Description: Allows you to customize and implement a detailed company storage policy.

Function: Generate scheduled or on-demand storage reports
Description: Allows you to create reports on a regular basis for review, or create reports on demand, which allows you to quickly generate a report for immediate consumption.

Question: Describe two scenarios where one or more FSRM features could be used in your work environment.

Managing and Maintaining Windows Server 2008 Servers MCT USE ONLY. Open the FSRM management console. STUDENT USE PROHIBITED Demonstration: Installing the FSRM Role Service Key Points • • • • Start the NYC-SVR1 virtual machine. Use Server Manager to add the FSRM role service. Question: Will you install the FSRM role service on all servers in your organization? Question: How would you access the FSRM console from a workstation? WWW. Configure the volume during installation.10-16 Configuring.COM .ISLAMSC.

FSRM Console Components

Key Points
The FSRM console enables you to view all your local storage resources from a single console, and create and apply policies that control these resources. The three tools included in the FSRM console are:
• Quota Management node
• File Screening Management node
• Storage Reports Management node

Question: Describe a scenario in which you would use each FSRM console component.

FSRM Configuration Options

Key Points
When you create quotas and file screens, you have the option of sending e-mail notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. By using File Server Resource Manager, you can record file screening activity in an auditing database. The default parameters for storage reports are used for the incident reports that are generated when a quota or file screening event occurs.

Question: In your work environment, are there currently server storage policies in place? If so, how will you use the FSRM configuration options to enforce these policies?

Demonstration: Configuring FSRM Options

Key Points
• Start the NYC-SVR1 virtual machine.
• Configure email notifications in FSRM.
• Configure storage report parameters and default report repository locations.

Question: In your work environment, how do you plan to integrate email notifications for quota violations?
Question: In your work environment, what notification threshold provides enough advance warning to users that they are approaching a quota threshold?

Lab A: Installing the FSRM Role Service

Scenario
As the Windows Infrastructure Services (WIS) Technology Specialist, you have been tasked with configuring storage on a server to comply with corporate standards. You must create the storage with minimal long-term management by utilizing file screening and quota management.

Exercise 1: Installing the FSRM Role Service

Scenario
In this exercise, you will install the FSRM role service.

The main tasks for this exercise are as follows:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Install the FSRM server role on NYC-SVR1.

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the FSRM server role on NYC-SVR1
1. Using Server Manager, install the File Server Resource Manager role service. The role service is located under the File Services role.
2. Set Storage Usage Monitoring to Allfiles (E:).

Results: After this exercise, you should have successfully installed the FSRM role service on NYC-SVR1.

Lesson 3
Configuring Quota Management
You use Quota management to create quotas that limit the space allowed for a volume or folder, and to generate notifications when quota limits are approached or exceeded. FSRM provides quota templates that you can apply easily to new volumes or folders and that you can use across an organization. You also can auto-apply quota templates to all existing folders in a volume or folder, as well as to any new subfolders created in the future.

What Is Quota Management?

Key Points
• A hard quota prevents users from saving files after the space limit is reached, and it generates notifications when the data volume reaches the configured threshold.
• A soft quota does not enforce the quota limit, but it generates configured notifications.
• The quota limit applies to the entire folder subtree.

Question: In your work environment, which notification method do you plan to use?

FSRM Quotas vs. NTFS Disk Quotas

Key Points
The Microsoft Windows® 2000 Server operating system, Windows Server 2003 operating system, and Windows Server 2008 operating systems support NTFS disk quotas, which you can use to track and control disk usage on a per-user/per-volume basis. The above table outlines the advantages of using the FSRM quota management tools compared to NTFS disk quotas.

Question: Are there any instances when you would use NTFS disk quotas instead of FSRM quotas?

What Are Quota Templates?

Key Points
Quota templates simplify the tasks associated with quota management. If you base your quotas on a quota template and you later decide to change the quota configuration, you can simply update the quota template and then choose to update all quotas that are based on this template. For example, you might choose to allow each user additional space on the storage server. By updating the quota template, all quotas based on this template are updated for you automatically.

Question: Based on your work environment specifics, what quota templates do you plan to create?

Creating and Modifying a Quota

Key Points
You can use the FSRM Quota Management node to create and modify quotas. By creating a quota for a volume or folder, you limit the disk space that is allocated for that volume or folder. The FSRM Quota Management node includes all the necessary options to work with quotas.

Question: In what scenario would you use the command line Dirquota tool?

Monitoring Quota Usage

Key Points
After configuring and applying quotas to your file shares or volumes, you should understand how to monitor disk usage to meet your organization's ongoing storage requirements effectively.

Note: Quotas reduce the input/output (I/O) per-second performance of the storage subsystem by a small amount (10 percent or less). Servers that apply quotas to more than 10,000 folders might experience a larger performance overhead.

Question: In your work environment, which quota usage monitoring method will be most helpful?

Demonstration: How to Create and Manage Quotas

Key Points
• Start the NYC-SVR1 virtual machine.
• Create a quota template to restrict large files on E:.
• Use the quota template to create a new quota.
• Configure the quota to log an event when it is exceeded.

Question: What quota notifications do you plan to implement in your work environment?
Question: What quota templates do you plan to implement in your environment?

Lab B: Configuring Storage Quotas

Exercise 1: Configuring Storage Quotas

Scenario
You must configure a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed 85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged to the Event Viewer on the server.

The main tasks for this exercise are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is working by generating several large files.

Task 1: Create a quota template
• In the File Server Resource Manager console, use the Quota Templates node to configure a template that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also notifies the Event Viewer when the folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a quota based on the quota template
1. Use the File Server Resource Manager console and the Quotas node to create a quota in the E:\Mod10\Labfiles\Users folder by using the quota template that you created in Task 1.
2. Create an additional folder named User4 in the E:\Mod10\Labfiles\Users folder, and ensure that the new folder is listed in the quotas list.

Task 3: Test that the quota is working by generating several large files
1. Open a command prompt and use the fsutil file createnew file1.txt 89400000 command to create a file in the E:\Mod10\Labfiles\Users\User1 folder, and then press ENTER.
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000 bytes. Check to see what effect this has in the Quota console.
4. Enable NTFS folder compression for the E:\Mod10\Labfiles\Users folder. Try again to create a file that is 16,400,000 bytes.

Results: After this exercise, you should have seen the effect of a quota template that imposes a 100 MB limit on user storage on the E:\Mod10\Labfiles\Users folder.
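Lab B carried out from the command line with dirquota.exe rather than the console, which is also one answer to the Dirquota question in the earlier lesson; this is an added PowerShell example, not course code. It assumes the E:\Mod10\Labfiles\Users folder from the lab, PowerShell 2.0 for Get-WinEvent, and that the FSRM service logs quota events under the SRMSVC source (an assumption; the template name is chosen here). The threshold switch follows the dirquota command reference; confirm with dirquota template add /? on your server.

```powershell
# Added example (not from the course): Lab B with dirquota.exe (installed with the FSRM role service).
# Assumptions: E:\Mod10\Labfiles\Users from the lab; template name chosen here; PowerShell 2.0.
$Template  = '100 MB Hard Limit'
$UsersRoot = 'E:\Mod10\Labfiles\Users'

function New-LabQuotaTemplate {
    # Task 1: hard 100 MB limit with an 85 percent threshold. Attaching the event-log notification
    # to each threshold needs a notification file on the command line, so that part is left to the
    # console in the lab; the limit itself is enforced regardless.
    dirquota.exe template add /Template:"$Template" /Limit:100MB /Type:hard /Add-Threshold:85
}

function Set-LabAutoQuota {
    # Task 2: an auto quota applies the template to every existing subfolder (User1..User3) and to
    # any folder created later, which is why User4 shows up in the quota list on its own.
    dirquota.exe autoquota add /Path:"$UsersRoot" /SourceTemplate:"$Template"
    New-Item -ItemType Directory -Path "$UsersRoot\User4" -ErrorAction SilentlyContinue | Out-Null
    dirquota.exe quota list /Path:"$UsersRoot\*"
}

function Test-LabQuota {
    # Task 3: 89,400,000 bytes is 85.3 percent of 100 MB (104,857,600 bytes) and crosses the threshold;
    # the second file would bring the folder to 105,800,000 bytes, so the hard quota refuses it.
    param([string]$UserFolder = "$UsersRoot\User1")
    fsutil file createnew "$UserFolder\file1.txt" 89400000
    fsutil file createnew "$UserFolder\file2.txt" 16400000
    dirquota.exe quota list /Path:"$UserFolder"
}

function Get-LabQuotaEvents {
    # Event 12325 is the ID the lab asks you to look for after the first file.
    param([int]$Max = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 12325 } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

New-LabQuotaTemplate
Set-LabAutoQuota
Test-LabQuota
Get-LabQuotaEvents | Format-Table -AutoSize
```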

Lesson 4
Implementing File Screening
Your security policy might prohibit specific file types from being placed on company servers, and you might want to be notified if a specific file type is saved on a file server. This lesson explains the concepts related to file screening that you can use to manage the types of files that users can save on corporate file servers.

What Is File Screening?

Key Points
Many organizations face issues with network users storing unauthorized or personal data on corporate file servers. Not only does this misuse valuable storage space, but it also increases the backup process duration, and might violate privacy or security policies within the company. You also can implement a screening process to notify you by e-mail when an unauthorized file type has been stored on a shared folder. The e-mail message can include information such as the name of the user who stored the file and its exact location so that you can take appropriate precautionary steps.

Question: In your work environment, are there any server usage policies that file screening could be used to enforce?

What Are File Groups?

Key Points
Before you begin working with file screens, file screen exceptions, or storage reports, you must understand the role file groups play in the file screening process. A file group is used to define a namespace for a file screen, file screen exception, or storage report. A file group consists of a set of file name patterns that are grouped into two groups: Files to include, and Files to exclude:
• Files to include. These are files that should be included in the group.
• Files to exclude. These are files that should not be included in the group.

Question: In your work environment, list two or three file groups you plan to create.

What Is a File Screen Exception?

Key Points
Occasionally, you will need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you need to allow your training group to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception. A file screen exception is a configuration that overrides any file screening that would otherwise apply to a folder and all its subfolders, in a designated exception path. In other words, the file screen exception creates an exception to any rules derived from a parent folder.

Question: Describe two ways you plan to use file screen exceptions in your work environment.

What Is a File Screen Template?

Key Points
To simplify file screen management, base your file screens on file screen templates. A file screen template defines the following:
• File groups to block.
• Screening types to perform. You can configure two screening types in a file screen template: Active screening does not allow users to save any files related to the selected file groups configured with the template. Passive screening still allows users to save files but provides notifications for monitoring.
• Notifications to be generated.

By creating file screens exclusively from templates, you can manage your file screens centrally by updating the templates instead of the individual file screens.

Question: What file types do you plan to create file screen templates for in your work environment?

Demonstration: Implementing File Screening

Key Points
• Start the NYC-SVR1 virtual machine.
• Create a new file screen in the E:\ drive based upon the Block Audio and Video Files default template.
• Create a new custom file group and create a file screen exception to allow Microsoft Windows Media® Player audio (WMA) files.

Question: How do you plan to implement file screens in your work environment?
Question: How do you plan to implement file screen exceptions in your work environment?

Lab C: Configuring File Screening

Exercise 1: Configuring File Screening

Scenario
You must configure file screening to monitor executable files.

The main tasks for this exercise are as follows:
1. Create a file screen.
2. Test the file screen.

Task 1: Create a file screen
• On NYC-SVR1, in the File Server Resource Manager console, use the File Screens node to create a file screen that monitors executable files in the E:\Mod10\Labfiles\Users folder. When an executable is dropped into the folder, the file screen will log an 8215 event in the Event Viewer.

Task 2: Test the file screen
1. Copy and paste E:\Mod10\Labfiles\example.bat to E:\Mod10\Labfiles\Users\user1.
2. Open the Event Viewer and check the application log for Event ID 8215.

Results: After this exercise, you should have successfully implemented a file screen that logs attempts to save executable files in E:\Mod10\Labfiles\Users.
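The passive screen from this lab, together with the template-based screen and the WMA exception from the Lesson 4 demonstration, done with FileScrn.exe rather than the console, as an added example that is not part of the course. "Executable Files", "Audio and Video Files" and "Block Audio and Video Files" are FSRM's built-in file group and template names; the WMA file group, the Training exception folder and the stand-in example.bat are constructed, and the switch names are an assumption to verify with "filescrn screen add /?" and "filescrn exception add /?" on your server.

```powershell
# Added example, not part of the course: Lab C's passive screen plus the demonstration's
# template screen and exception, using FileScrn.exe. Built-in FSRM names are used as-is;
# the WMA group, Training folder and example.bat stand-in are constructed; switch names
# are assumptions to verify with "filescrn <command> /?".

$Users    = 'E:\Mod10\Labfiles\Users'
$Training = Join-Path $Users 'Training'     # constructed exception path for the training group

function New-LabFileScreen {
    # Lab C, Task 1: a passive screen logs executables saved under Users but does not block them.
    & filescrn screen add /Path:$Users /Add-Filegroup:"Executable Files" /Type:Passive
    & filescrn screen list /Path:$Users
}

function New-DemoScreenAndException {
    # Demonstration: block audio/video on the whole volume, then let the training group keep
    # WMA files in one folder. The exception overrides the E:\ screen for that subtree only,
    # so the block still applies everywhere else on the volume.
    & filescrn screen add /Path:E:\ /SourceTemplate:"Block Audio and Video Files"
    New-Item -ItemType Directory -Path $Training -Force | Out-Null
    & filescrn filegroup add /Filegroup:"WMA Audio" /Members:"*.wma"
    & filescrn exception add /Path:$Training /Add-Filegroup:"WMA Audio"
    & filescrn exception list /Path:$Training
}

function Test-LabFileScreen {
    # Lab C, Task 2: drop a batch file into user1 and look for event 8215. A passive screen
    # only writes the event when its Event Log notification is enabled; if nothing shows up,
    # enable that notification on the screen in the console and copy the file again.
    $stub = Join-Path $env:TEMP 'example.bat'      # constructed stand-in for E:\Mod10\Labfiles\example.bat
    Set-Content -Path $stub -Value '@echo off' -Encoding Ascii
    Copy-Item -Path $stub -Destination (Join-Path $Users 'user1\example.bat') -Force
    Start-Sleep -Seconds 5                          # give FSRM a moment to write the event
    Get-EventLog -LogName Application -After (Get-Date).AddMinutes(-5) |
        Where-Object { $_.EventID -eq 8215 } |
        Select-Object TimeGenerated, Message
}

New-LabFileScreen
Test-LabFileScreen
New-DemoScreenAndException
```

The passive/active choice is the security decision here: passive screening gives you the 8215 audit trail (and the File Screening Audit report in Lesson 5) without refusing the save, which is usually the right first step before an active screen is switched on for a folder that users already rely on.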

Lesson 5
Managing Storage Reports

To better carry out capacity planning, you must be able to configure and generate extensive reports based on current storage utilization. This lesson will describe how to configure, schedule, and generate storage reports using FSRM.

What Are Storage Reports?

Key Points
Storage reports provide information about file usage on a file server. The FSRM Storage Reports Management feature allows you to generate storage reports on demand and schedule periodic storage reports that help identify trends in disk usage. You also can create reports to monitor attempts to save unauthorized files by all users or a selected group of users.

The following table describes the storage report types in FSRM:

Report: Description
Large Files
  Lists files that are larger than a specified size. Use this report to identify files that are consuming excessive server disk space.
Files by Owner
  Lists files that are grouped by owner. Use this report to analyze server usage patterns and to identify users who use large amounts of disk space.

(continued)

Report: Description
Files by File Group
  Lists files that belong to specified file groups. Use this report to identify file-group usage patterns and to identify file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.
Duplicate Files
  Lists duplicate files (files with the same name, size, and last-modified date). Use this report to identify and reclaim disk space that is lost due to duplicate files.
Least Recently Used Files
  Lists files that have not been accessed for a specified number of days. This report can help you identify seldom-used data that could be archived and removed from the server.
Most Recently Used Files
  Lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that should be highly available.
Quota Usage
  Lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that appropriate action can be taken. This report includes quotas that were created for volumes and folders in FSRM only. It does not include quotas applied to volumes in NTFS file system.
File Screening Audit
  Lists file screening violations that have occurred on the server, for a specified number of days. Use this report to identify individuals or applications that violate the file screening policy.

Question: In your work environment, how do you currently obtain information about file usage on servers?
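To make the selection rules in the table concrete, here is an added example (not part of the course, and not StorRept.exe) that computes four of the report selections in plain PowerShell: Large Files, Least Recently Used Files, Duplicate Files and Files by Owner. It runs on a constructed sample folder under %TEMP%; the size and age thresholds are constructed values standing in for the "specified size" and "specified number of days" the reports take as parameters.

```powershell
# Added example, not part of the course: four FSRM storage report selections reproduced in
# PowerShell on a constructed sample tree. Thresholds and sample files are constructed.

function Get-StorageSummary {
    param(
        [string]$Path,
        [long]$LargeFileBytes = 10MB,      # "larger than a specified size"
        [int]$StaleDays = 90               # "not accessed for a specified number of days"
    )
    $files  = Get-ChildItem -Path $Path -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    $large = @($files | Where-Object { $_.Length -gt $LargeFileBytes })
    # Least Recently Used depends on NTFS last-access timestamps, which Windows Server 2008
    # does not update by default (NtfsDisableLastAccessUpdate=1); treat the result as coarse.
    $stale = @($files | Where-Object { $_.LastAccessTime -lt $cutoff })
    # Duplicate Files: same name, size and last-modified date, exactly as the table defines it
    $dups  = @($files | Group-Object -Property Name, Length, LastWriteTime | Where-Object { $_.Count -gt 1 })
    $byOwner = $files | Group-Object -Property { (Get-Acl -Path $_.FullName).Owner } | ForEach-Object {
        New-Object PSObject -Property @{
            Owner = $_.Name
            Files = $_.Count
            Bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
        }
    }
    New-Object PSObject -Property @{ LargeFiles = $large; StaleFiles = $stale; DuplicateSets = $dups; ByOwner = $byOwner }
}

function New-SampleTree {
    # Constructed input: one 20,000,000-byte file, one file last accessed 200 days ago, and the
    # same report.doc in two folders with identical size and modified time (a duplicate set).
    $root = Join-Path $env:TEMP 'fsrm-report-sample'
    New-Item -ItemType Directory -Path $root -Force | Out-Null
    & fsutil file createnew (Join-Path $root 'backup.iso') 20000000 | Out-Null
    $old = Join-Path $root 'archive.txt'
    Set-Content -Path $old -Value 'old data'
    (Get-Item $old).LastAccessTime = (Get-Date).AddDays(-200)
    foreach ($sub in 'a', 'b') {
        $dir = Join-Path $root $sub
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $dup = Join-Path $dir 'report.doc'
        Set-Content -Path $dup -Value 'same content'
        (Get-Item $dup).LastWriteTime = Get-Date '2008-01-01'
    }
    $root
}

$summary = Get-StorageSummary -Path (New-SampleTree)
'Large files:    {0}' -f $summary.LargeFiles.Count
'Stale files:    {0}' -f $summary.StaleFiles.Count
'Duplicate sets: {0}' -f $summary.DuplicateSets.Count
$summary.ByOwner | Format-Table Owner, Files, Bytes -AutoSize
```

The Files by Owner grouping is the one to watch when the question is "who is filling this volume": it reads the NTFS owner from the ACL, so a file created by a local administrator will show the Administrators group rather than a user, exactly as the FSRM report does.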

What Is a Report Task?

Key Points
The Scheduled Report Tasks node results pane includes the report task, the namespace on which the report will be created, and the report schedule. Tasks are identified by the reports to be generated. You also can view the current report status (whether the report is running), the last run time and the result of that run, and the next scheduled run time.

Question: In your work environment, how frequently will you schedule reports using report tasks?

Generating On-Demand Reports

Key Points
During daily operations, you may want to generate reports on demand to analyze aspects of current server disk usage. Use the Generate reports now action to generate one or more reports. Current data is gathered before the reports are generated.

Question: Under what circumstances do you plan to use on-demand reports?

Lab D: Generating Storage Reports

Exercise 1: Generating Storage Reports

Scenario
You must generate an on-demand storage report.

The main tasks for this exercise are as follows:
1. Generate an on-demand storage report.
2. Close all virtual machines, and discard undo disks.

Task 1: Generate an on-demand storage report
1. In the File Server Resource Manager console, run the Generate reports now option in the Reports node.
2. Generate a File Screening Audit and a Quota Usage report.
3. Store the report in the E:\Mod10\Labfiles\Users folder.
4. Review the contents of the report.

Results: After this exercise, you should have successfully generated an on-demand storage report.

Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Lesson 6
Understanding Storage Area Networks

With the rapid growth of the Internet and increased reliance on e-commerce, the adoption of SANs has become more common due to the proliferation of data. This lesson provides an overview of the concepts and terminology related to storage area networks.

What Is a Storage Area Network?

Key Points
Storage Area Network
Many administrators confuse the terms Network Attached Storage (NAS) and storage area network (SAN).
• A NAS device is typically a number of disks that are housed in an appliance dedicated to sharing and storing files directly on the LAN, similar to accessing files via a standard network share.
• A SAN is a high-performance network, usually separate from the local area network (LAN) of an organization, dedicated to delivering block (unformatted) data between servers and storage.

Question: In what way or ways do you currently use SAN storage in your work environment?

How Is a SAN Different from Direct Attached Storage?

Key Points
Both Direct-Attached Storage and SANs use the SCSI protocol to move data in blocks rather than files. From the vantage point of most operating systems, DAS and SAN storage are indistinguishable, despite the differences in their network topologies.

Note: NAS devices differ from SANs by serving files via network shares rather than simulating local disks attached to servers.

Question: How does SAN storage simplify backups?

What Is a Fibre Channel SAN?

Key Points
Fibre Channel (FC) is based on serial SCSI technologies and overcomes the parallel SCSI limitations to enable essentially unlimited device connectivity over long distances.
• FC interconnects deliver high-performance block I/O to storage devices within a SAN.
• Unlike parallel SCSI devices that must arbitrate (or contend) for the bus, FC channel devices, using switch technology, can transmit information between multiple servers and multiple storage devices at the same time.

Question: Is Fibre Channel storage in use in your work environment?

Example of a Basic Fibre Channel SAN Configuration

Key Points
In a Fibre Channel SAN, each server contains an HBA that connects by means of a Fibre Channel switch to a disk controller on the storage array. HBAs, although they reside on the server, are also part of the storage network. They serve first to provide the interface between the server and the attached Fibre Channel network and second to provide I/O processing, offloading most of the server processing required for transferring data. The resulting performance is very high and very scalable.

Question: Does the SAN configuration depicted above provide fault-tolerance?

Discussion: Designing Redundancy in a Fibre Channel SAN

Key Points
Your organization has implemented a basic SAN scenario; however, you are concerned about availability of the SAN components. Based on the diagram presented, describe what is required to ensure availability and redundancy of the SAN environment.

Question: Which components should be redundant to obtain high availability?
Question: How would you configure the connections between an HBA and a FC switch to ensure availability?
Question: How would you ensure that the path between the switch and the disk array is highly available?

Discussion: Designing Redundancy in a Fibre Channel SAN – Possible Solution

Key Points
Consider all points of failure when designing redundancy in the SAN.
• Redundant HBAs, FC switches, and disk array controllers will increase the level of redundancy in the SAN.

What Is iSCSI?

Key Points
Internet SCSI (iSCSI) is an industry standard that enables transmission of SCSI block commands over an existing IP network by using the TCP/IP protocol. iSCSI is a technological breakthrough that offers organizations the possibility of delivering both messaging traffic and block-based storage over existing IP networks, without installing a separate Fibre Channel network.

Question: In your work environment, is iSCSI implemented? If so, how has it been implemented?

What Is the Microsoft iSCSI Software Initiator?

Key Points
The Microsoft iSCSI Software Initiator service is installed on a host server and enables the server to connect to iSCSI target volumes on a storage array. The Software Initiator service enables streamlined storage management for all aspects of the iSCSI service.

Question: Describe at least one scenario where you would implement the Microsoft iSCSI software initiator.
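The connection the Key Points describe, made from the command line with the iscsicli.exe that ships with the initiator on Windows Server 2008, as an added example that is not part of the course. The target portal address and the target IQN are constructed placeholders; substitute the values your storage array reports.

```powershell
# Added example, not part of the course: attach the Microsoft iSCSI Software Initiator to a
# target with iscsicli.exe. Portal address and IQN are constructed placeholders.

$Portal = '10.10.0.50'                                # constructed target portal (storage array IP)
$Target = 'iqn.2008-01.com.example:storage.lun0'     # constructed target name

function Connect-LabIscsiTarget {
    # The initiator service (MSiSCSI) is present on Windows Server 2008 but set to manual start
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI

    # Discovery: ask the portal which targets it advertises to this initiator
    & iscsicli QAddTargetPortal $Portal | Out-Null
    $advertised = & iscsicli ListTargets | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'iqn.*' }
    if ($advertised -notcontains $Target) {
        throw "Portal $Portal does not advertise $Target (it offers: $($advertised -join ', '))"
    }

    # Login. QLoginTarget opens an unauthenticated session that is not restored after a reboot;
    # for anything beyond a lab, configure CHAP on the target and use a persistent login
    # (iscsicli PersistentLoginTarget or the iSCSI Initiator control panel) so the disk returns
    # on restart and only initiators that know the secret can attach to the LUN.
    & iscsicli QLoginTarget $Target
    & iscsicli SessionList
}

Connect-LabIscsiTarget
```

After SessionList shows the session, the LUN appears as a new disk in Disk Management; on Windows Server 2008 Enterprise and Datacenter editions the default SAN policy leaves newly seen shared disks offline, so bring the disk online and initialize it there (or with diskpart) before formatting it.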

Example of a Basic iSCSI SAN Configuration

Key Points
An iSCSI-based SAN solution consists of two components:
• iSCSI Software Initiator
• iSCSI target

Question: In the scenario depicted above, can either of the client computers access the iSCSI storage?

What Is Storage Manager for SANs?

Key Points
Storage Manager for SANs is a server feature that is provided in Windows Server 2008. Storage Manager for SANs can be used to assist in storage resource provisioning and disk configuration tasks with the implementation of a SAN solution. SAN provisioning has traditionally been viewed as the most complex of storage tasks and typically includes proprietary tools and commands. Storage Manager for SANs helps to simplify provisioning tasks and is designed to look and behave like standard Windows-based applications that administrators are already familiar with.

Storage Manager for SANs provides the following benefits and functionality:
• Leverages the Virtual Disk Service to manage storage, with the addition of vendor-provided VDS hardware providers.
• Discovers storage arrays on a Fibre Channel or an Internet Small Computer System Interface (iSCSI) SAN, including storage array properties such as firmware information.


• Provides the ability to create, delete, and expand storage array logical unit numbers (LUNs).
• Provides the ability to specify LUN options such as redundant array of independent disk (RAID) levels.
• Allows for the allocation of LUNs to specific servers on the SAN.
• Monitors LUN status and health.

Question: What approach does your organization currently use to manage SAN storage that is connected to Windows Servers?



Troubleshooting SAN Storage

Key Points
When you encounter issues with SAN storage, begin troubleshooting by gathering information about the nature of the issue, hardware involved, and software configuration. After you have gathered enough information, you can analyze the information, recommend changes, implement one or more changes, monitor the result, and document the process for future reference.

Question: Have you faced any SAN troubleshooting scenarios in your work environment? If so, how did you approach them?



Module Review and Takeaways

Review Questions
1. What is the difference between a hard and soft quota?
2. When a common set of file types need to be blocked, what should you create to block them in the most efficient manner?
3. If you want to apply a quota to all subfolders in a folder, including folders that will be created in the future, what option must you configure in the quota policy?



Tools
The following table describes the tools that you can use to configure FSRM:
Tool: Description
Dirquota.exe
  Use to create and manage quotas and quota templates.
FileScrn.exe
  Use to create and manage file screens, file-screening exceptions, and file groups.
StorRept.exe
  Use to configure report parameters and generate storage reports on demand. You also can create report tasks and then use Schtasks.exe to schedule them.
Fsutil
  Use to configure NTFS Quotas and create files to test quota behavior.


Configuring and Managing Distributed File System 11-1

Module 11
Configuring and Managing Distributed File System
Contents:
Lesson 1: Distributed File System (DFS) Overview  11-3
Lesson 2: Configuring DFS Namespaces  11-13
Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace  11-22
Lesson 3: Configuring DFS Replication  11-26
Lab B: Configuring Folder Targets and Viewing Diagnostic Reports  11-42


Module Overview

Many of today’s enterprises are challenged with maintaining large numbers of servers and users who often are distributed geographically throughout widespread locations. In these situations, administrators must find ways that users can locate the most recent files as quickly as possible. Managing multiple data sites often introduces additional challenges, such as limiting network traffic over slow wide area network (WAN) connections, ensuring the availability of files during WAN or server failures, and backing up file servers that are located at smaller remote offices. This module introduces the Distributed File System (DFS) solution that you can use to address these challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an enterprise.


Lesson 1

Distributed File System (DFS) Overview

Administrators who manage file servers throughout an enterprise require efficient access to resources and availability to files. DFS in the Microsoft® Windows Server® 2008 operating system provides two technologies to address these challenges: DFS Replication and DFS Namespaces. This lesson introduces the two technologies, and provides scenarios and requirements for deploying a DFS solution within your network environment.


What Is the Distributed File System?

Key Points
DFS Namespaces allows administrators to group shared folders located on different servers into one or more logically structured namespaces. DFS Replication (DFS-R) is a multi-master replication engine used to synchronize files between servers for both local and WAN network connections. Remote Differential Compression (RDC) identifies and synchronizes the data changes on a remote source, and uses compression techniques to minimize the data that is sent across the network.

Question: Do you have experience working with DFS or the DFS predecessor, File Replication service (FRS)?


How DFS Namespaces and DFS Replication Work

Key Points
Even though DFS Namespaces and DFS Replication are separate technologies, they can be used together to provide high availability and data redundancy. The following process describes how DFS Namespaces and DFS Replication work together:
1. User accesses folder in the configured namespace.
2. Client computer accesses the first server in the referral. This referral typically is a server in the client's own site, unless there is no server located within the client's site. In this case, the administrator can configure the target priority.

Question: In your organization, do you currently synchronize your shared folders? If so, how do you keep them synchronized?


DFS Scenarios

Key Points
Large organizations that have many branch offices often have to share files or collaborate between these locations. DFS-R can help replicate files between branch offices or from a branch office to a hub site.
• DFS technologies can collect files from a remote office and replicate them to a hub site, thus allowing the files to be used for a number of specific purposes.
• You can use DFS Namespaces and DFS-R to publish and replicate documents, software, and other line-of-business data throughout your organization.

Question: In what ways can you use DFS technologies within your organization?


Types of DFS Namespaces

Key Points
You can create either a domain-based or stand-alone namespace. Each type has different characteristics. A domain-based namespace can be used when:
• Namespace high availability is required.
• You need to hide the name of the namespace servers from users.


A stand-alone namespace is used when:
• Your organization has not implemented Active Directory® domain services.
• Your organization does not meet the requirements for a Windows Server 2008 mode, domain-based namespace, and you have requirements for more than 5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders with targets.

Question: In your organization, would you implement a domain-based namespace or a stand-alone namespace?


What Are Folders and Folder Targets?

Key Points
You create one or more folders within a DFS namespace. These folders contain one or more folder targets. If one of the folder targets is not available, the client will attempt to access the next folder target in the referral. This increases the data availability in the folder.

Question: Describe a scenario of how you would use folder targets in your organization.


Namespace Server Requirements

Key Points
A namespace server is a domain controller or member server that hosts a DFS Namespace. The operating system running on the server determines the number of namespaces that a server can host. The following table lists the guidelines you should use for namespace server requirements:
Server hosting stand-alone Namespaces
• Must contain an NTFS file system volume to host the namespace
• Can be a member server or a domain controller
• Can be a clustered file server

Server hosting Domain-Based Namespaces
• Must contain an NTFS volume to host the namespace
• Must be a member server or domain controller in the domain that the namespace is configured in
• Namespace cannot be a clustered resource in a server cluster


Question: How can you ensure the availability of domain-based roots with domain-based DFS namespaces?


Demonstration: Installing DFS

Key Points
• Install the DFS role services on both NYC-DC1 and NYC-DC2.
• Add File Services role in the Server Manager.
• Add Distributed File System Role Service.

Question: You need to deploy DFS technology within your environment. Is DFS considered a role service or a feature?
Question: Is it possible to install DFS Replication without installing DFS Namespaces?


Lesson 2

Configuring DFS Namespaces

Configuring DFS Namespaces consists of several tasks that include creating the namespace structure, creating folders within the namespace, and adding folder targets. You also may choose to perform additional management tasks, such as configuring the referral order and DFS replication. This lesson provides information on how to complete these configuration and management tasks to deploy an effective DFS solution.


Deploying Namespaces for Publishing Content

Key Points
Most DFS implementations primarily consist of content published within the DFS namespace.
• Use the New Namespace Wizard to create the namespace from within the DFS Management console.
• After the namespace is created, you then can add a folder in the namespace.
• You can add multiple folder targets to increase the folder's availability in the namespace.
• A referral is an ordered list of targets that a client computer receives from the namespace server when a user accesses a namespace root or folder.

Question: Describe a scenario when having a client continue to access the failover server would present problems.


Security Requirements for Creating and Managing a Namespace

Key Points
To perform namespace management tasks, a user either has to be a member of an administrative group or has to be delegated specific permission to perform the task. You can right-click the namespace and then click Delegate Management Permissions to delegate the required permissions.

Note: You also must add the user to the Local Administrators group on the namespace server.

Question: How would you delegate namespace tasks in your organization?

Demonstration: How to Create Namespaces

Key Points
• Create a domain-based namespace.
• Create the ProjectDocs namespace.
• Create the AccountingSpreadsheets folder target.

Question: You want to enable advanced scalability and access-based enumeration. Which option provides these features?

Increasing Availability of a Namespace

Key Points
For clients to connect to a DFS namespace, they must be able to connect to a namespace server. This means that it is important to ensure the namespace servers are always available. The process for increasing namespace availability varies for domain-based and stand-alone namespaces.
• Domain-based namespaces. Domain-based namespaces can be hosted on multiple servers. You can increase the availability of a domain-based namespace by specifying additional namespace servers to host it.
• Stand-alone namespaces. Stand-alone namespaces are limited to a single server. You can increase the availability of a stand-alone namespace by creating it as a shared resource in a server cluster.

• Folder targets. You can increase the availability of each folder in a namespace by adding multiple folder targets.

Question: Describe how you could use these methods to increase availability in your organization.

Options for Optimizing a Namespace

Key Points
Renaming a folder allows you to reorganize the hierarchy of folders to best suit your organization's users. By disabling a folder target's referral, you prevent client computers from accessing that folder target in the namespace. This is useful when you are moving data between servers. Clients do not contact a namespace server for a referral each time they access a folder in a namespace. By default, namespace root referrals are cached for 300 seconds (five minutes), and folder referrals are cached for 1,800 seconds (30 minutes).

To maintain a consistent domain-based namespace across namespace servers, namespace servers must poll Active Directory periodically to obtain the most current namespace data.

Question: Describe a scenario when you would want to disable a folder target’s referral.
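The "moving data between servers" case from the previous page, worked through with the dfsutil.exe that is installed with the DFS Namespaces role service, as an added example that is not part of the course: take one folder target's referral offline, see what clients resolve the folder to, and clear a client's referral cache instead of waiting out the 1,800-second folder TTL. The namespace is the lab's CorpDocs; the folder and the target share are constructed, and the "dfsutil property state" and "dfsutil cache referral" syntax shown is an assumption to verify with "dfsutil property /?" and "dfsutil cache /?".

```powershell
# Added example, not part of the course: retiring one folder target with dfsutil.exe while
# respecting client-side referral caching. Folder and target are constructed; the
# "dfsutil property state" and "dfsutil cache" syntax is an assumption to verify locally.

$Folder = '\\WoodgroveBank.com\CorpDocs\Projects'   # constructed DFS folder in the lab namespace
$Target = '\\NYC-SVR1\Projects'                       # constructed folder target being retired

function Show-Resolution {
    # Which share does this computer currently resolve the folder to, and what referrals
    # does it hold in its cache? Useful before and after every step below.
    & dfsutil diag viewdfspath $Folder
    & dfsutil cache referral
}

function Disable-FolderTargetReferral {
    # Stops the namespace server from handing out this target. Clients that already hold a
    # referral keep using it until the cached entry expires (folder referrals: 1,800 seconds
    # by default), so either leave the data in place that long or flush the clients' caches.
    & dfsutil property state offline $Folder $Target
    & dfsutil property ttl $Folder            # shows the folder's referral TTL in seconds
}

function Reset-ClientReferralCache {
    # Run on a client: discards cached referrals so the next access asks the namespace server
    # again and receives the list without the offline target.
    & dfsutil cache referral flush
}

function Enable-FolderTargetReferral {
    # Reverse of Disable-FolderTargetReferral once the data has been moved back or replicated.
    & dfsutil property state online $Folder $Target
}

Show-Resolution
Disable-FolderTargetReferral
Reset-ClientReferralCache
Show-Resolution
```

Disabling a referral is not an access control: a user who already knows \\NYC-SVR1\Projects can still open that share directly, so the share and NTFS permissions on the old target are what actually stop access once the data has moved.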

Demonstration: Configuring Folder Targets

Key Points
• Configure a second folder target.
• Examine namespace optimization settings.

Question: Which types of paths can you use when creating a new folder target?
Question: What kind of permissions do you need to add folder targets?

Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace

Objectives
• Install the Distributed File System Role Service.
• Create a DFS Namespace.

Logon Information
• Virtual Machines: 6419A-NYC-DC1 and 6419A-NYC-SVR1
• User Name: WoodgroveBank\Administrator
• Password: Pa$$w0rd

Exercise 1: Installing the Distributed File System Role Service

In this exercise, you will install the Distributed File System Role Service on both NYC-DC1 and NYC-SVR1. This will provide redundancy for the CorpDocs namespace and allow clients to contact the namespace server within their own site.

The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Install the Distributed File System Role Service on NYC-DC1.
3. Install the Distributed File System Role Service on NYC-SVR1.

Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the Distributed File System Role Service on NYC-DC1
1. On NYC-DC1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service including the DFS Namespaces and DFS Replication role services. Do not create a namespace at this point.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File System, DFS Namespaces, and DFS Replication are installed.

Task 3: Install the Distributed File System Role Service on NYC-SVR1
1. On NYC-SVR1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service including the DFS Namespaces and DFS Replication role services. Do not create a namespace at this point.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File System, DFS Namespaces, and DFS Replication are all installed.

Exercise 2: Creating a DFS Namespace
In this exercise, you will create the CorpDocs DFS namespace. You also will configure both NYC-DC1 and NYC-SVR1 to host the CorpDocs namespace to provide redundancy.
The main tasks for this exercise are as follows:
1. Use the New Namespace Wizard to create a new namespace.
2. Add an additional namespace server to host the namespace.
Task 1: Use the New Namespace Wizard to create a new namespace
1. On NYC-DC1, start the DFS Management console.
2. Use the New Namespaces Wizard to create a namespace with the following options:
• Namespace Server: NYC-DC1
• Namespace Name and Settings: CorpDocs
• Namespace Type: Domain-based namespace
3. In the left pane, click the plus sign next to Namespaces, and then click \\WoodgroveBank.com\CorpDocs.
4. Verify that the CorpDocs namespace has been created on NYC-DC1.
Task 2: Add an additional namespace server to host the namespace
1. On NYC-DC1, in the DFS Management console, use the Add Namespace Server Wizard to add a new namespace server with the following options:
• Namespace server: NYC-SVR1
• Click Yes to start the Distributed File System service
2. In the left pane, click the plus sign next to Namespaces, and then click \\WoodgroveBank.com\CorpDocs.
Note: Verify from the Details pane that the CorpDocs namespace is now hosted on both NYC-DC1 and NYC-SVR1.

Lesson 3 Configuring DFS Replication
To configure DFS-R effectively, it is important to understand the terminology and requirements associated with the feature. This lesson provides information on the specific elements, requirements, and scalability considerations as they relate to DFS-R, and also provides a process for configuring an effective replication topology.

What Is DFS Replication?
Key Points
• DFS-R uses a new compression algorithm known as remote differential compression (RDC). When a file is changed, only the changed blocks are replicated, not the entire file.
• DFS-R detects changes on the volume by monitoring the update sequence number (USN) journal, and replicates changes only after the file is closed.

• DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database.
• DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to obtain configuration and monitoring information from the DFS Replication service.
Question: List one advantage and one disadvantage to having deleted files stored in the Conflict and Deleted folders.

What Are Replication Groups and Replicated Folders?
Key Points
A replication group consists of a set of member servers that participate in replicating one or more replicated folders. A replicated folder is a folder that is synchronized between each member server. There are two main types of replication groups:
• Multipurpose replication group.
• Replication group for data collection.
Question: How can creating multiple replicated folders in a single replication group simplify deployment?

DFS-R Requirements
Key Points
If you plan to use DFS Replication, the Active Directory schema must be updated to at least the version equal to Windows Server 2003 R2, so that it includes the Active Directory classes and attributes that DFS Replication uses. You cannot enable replication across servers in different forests.
Question: Does your organization meet the requirements for DFS-R?

Scalability Considerations for DFS-R
Key Points
Use the above scalability considerations when deploying DFS-R. Remember that these are guidelines, and you may be able to deploy configurations successfully that exceed them. However, it is important to test and verify that there is adequate space in the staging folders, and that latency is acceptable.
Question: DFS-R doesn't have restrictions on the size of files replicated; however, there is a consideration to ensure the files get replicated. What is this consideration?

Process for Deploying a Multipurpose Replication Group
Key Points
A multi-purpose replication group is used to replicate data between two or more servers for general content sharing or for data publishing. You can choose one of the following three types of topology that is used for the connections between the replication group members.
• Hub and spoke: Requires three or more members. In this topology, spoke members are connected to one or more hub members. Data then is replicated from the hub member to the spoke members.
• Full mesh: In this topology, each member replicates with all other members of the replication group. This works well with 10 or fewer members.
• No topology: You can use this option if you want to create a custom topology after you finish the wizard.

After an initial replication group is created, you can modify the replicated folders, the connection, or topology. You also can delegate permissions to other administrators to allow for management of the replication group.
Question: What topology would you use in your organization?
Question: When is the best time to schedule replication?

Understanding the Initial Replication Process
When you first configure replication, you must choose a primary member that has the most up-to-date files to be replicated. This server is considered authoritative for any conflict resolution that occurs when the receiving members have files that are older or newer when compared to the same files on the primary member. The following concepts will help you to better understand the initial replication process:
• Initial replication does not begin immediately.
• Initial replication always occurs between the primary member and its receiving replication partners.
• When receiving files from the primary member during initial replication, the receiving members that contain files that are not present on the primary member move those files to their respective DfsrPrivate\PreExisting folder.

• To determine whether files are identical on the primary member and receiving member, DFS replication compares the files using a hash algorithm.
• After the initialization of the replicated folder, the "primary member" designation is removed.
Question: What is a consideration when choosing a primary member?

Generating Diagnostic Reports and Propagation Tests
Key Points
To help maintain and troubleshoot DFS-R, you can generate diagnostic reports and perform propagation tests. You can use the Diagnostic Report Wizard to perform the following:
• Create a health report.
• Start a propagation test.
• Create a propagation report.
Question: How often would you run the diagnostic report wizard to create a health report in your organization?

Demonstration: Deploying DFS-R
Key Points
• Create and configure the AccountingDataRepl replication group.
• Create a diagnostic report.
Question: Where are you able to modify the path for the staging folder?
Question: Which tab shows the sending and receiving members of the replication group?

Troubleshooting DFS-R and Active Directory
Key Points
Common causes of the "Waiting for the DFS Replication service to retrieve replication settings from Active Directory" error:
Issue: Active Directory replication latency
Solutions:
• Wait.
• Force replication using repadmin (with /replicate /force) or replmon (with synchronize directory partition).
• Change your replication schedule and topology.
Issue: Active Directory replication blocked due to network mis-configurations such as DNS resolution or firewall blocks.
Solution: Fix the network configuration.

Issue: Active Directory replication blocked due to topology mis-configurations.
Solution: Verify site topology in Active Directory and check event logs for topology problems.
Issue: Active Directory replication blocked due to tombstone lifetime - Event ID 2042 ("It has been too long since this machine replicated").
Solution: In most circumstances, the best answer is to forcibly demote the DC if you have other domain controllers that can handle the load in the meantime.
Issue: AD replication blocked due to lingering objects. Lingering objects are typically objects that exist in the read-only GC partition of a domain controller but no longer exist in the read-write source domain partition. This can happen when an administrator brings a domain controller (DC) back online after it has been shut off for months; source objects that were deleted and tomb-stoned are no longer available. Since the old DC can't be told about the deletions anymore, there are still 'reanimated' versions.
Solution: To resolve this issue, you can use the Repadmin tool to remove lingering objects from a directory partition - repadmin /removelingeringobjects.
Question: List three places you can look for DFS-R troubleshooting information.

Troubleshooting DFS-R
Key Points
Several other issues and solutions include:
• DFS-R is slow
  • Make sure operating system updates and DFS-R hotfixes are installed.
  • If the event that indicates the staging quota is over its configured size (event ID 4208 in the DFS-R event log) is logged multiple times in an hour, increase the staging quota by 20 percent.
  • If you see a considerable amount of DFS-R event log entries for 4302 and 4304, you may want to start examining how files are being used for sharing violations.

• Data isn't being replicated
  • DFS-R might not work across firewalls when replicating between branch offices without a virtual private network (VPN) connection because it uses the remote procedure call (RPC) dynamic endpoint mapper. To enable DFS-R to work through a firewall, you can define a static port using the Dfsrdiag.exe command-line tool. Additionally, configuring DFS-R using the DFS Management console does not work when a firewall is enabled.
  • You may see error ID 6802 in Event Viewer if the topology is not connected.
• Not replicating .bak files
  • By default, DFS-R has a file filter on each replicated folder that excludes files with names starting with ~ or files with the extension *.tmp or *.bak from replication. You can change it using the DFS Management console.
Question: In your organization, would you include .bak files in your DFS replication?
Question: What would be a disadvantage of replicating .bak files?
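The two "DFS-R is slow" rules above (repeated event 4208 within an hour means a 20 percent larger staging quota; many 4302/4304 events mean looking at sharing violations) applied to a set of event records. This is an added example, not course code; the event rows are constructed sample data, and the current quota of 4096 MB, the one-hour window and the sharing-violation threshold are parameters you would set from your own logs.

```python
"""Triage DFS Replication event-log records against the two rules from the
DFS-R troubleshooting topic. All event rows below are constructed sample
data for this example, not records taken from a real server."""
from collections import Counter
from datetime import datetime, timedelta

STAGING_QUOTA_EXCEEDED = 4208        # staging quota is over its configured size
SHARING_VIOLATION_IDS = {4302, 4304}  # file in use / sharing violation events

# Constructed rows: (timestamp, event id, replicated folder).
SAMPLE_EVENTS = [
    ("2008-06-02 09:05:00", 4208, "HRTemplates"),
    ("2008-06-02 09:20:00", 4208, "HRTemplates"),
    ("2008-06-02 09:50:00", 4208, "HRTemplates"),
    ("2008-06-02 11:30:00", 4208, "HRTemplates"),
    ("2008-06-02 13:10:00", 4208, "PolicyFiles"),
    ("2008-06-02 09:07:00", 4302, "HRTemplates"),
    ("2008-06-02 09:09:00", 4304, "HRTemplates"),
] + [
    # Twelve sharing-violation events in a row for PolicyFiles.
    ("2008-06-02 10:%02d:00" % minute, 4302 if minute % 2 else 4304, "PolicyFiles")
    for minute in range(12)
]


def parse_events(rows):
    """Turn (timestamp string, event id, folder) rows into (datetime, id, folder)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, folder)
            for ts, event_id, folder in rows]


def max_hits_in_window(events, folder, event_id=STAGING_QUOTA_EXCEEDED,
                       window=timedelta(hours=1)):
    """Largest number of `event_id` events for `folder` that fall inside any
    single window of length `window` (sliding window over sorted timestamps)."""
    times = sorted(t for t, eid, f in events if eid == event_id and f == folder)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def recommended_staging_quota_mb(current_mb, events, folder, min_hits=2):
    """Rule from the text: if event 4208 is logged `min_hits` or more times
    within one hour, grow the staging quota by 20 percent (rounded down to a
    whole megabyte); otherwise keep the current quota."""
    if max_hits_in_window(events, folder) >= min_hits:
        return current_mb + current_mb // 5
    return current_mb


def sharing_violation_counts(events):
    """Count 4302/4304 events per replicated folder."""
    counts = Counter()
    for _, event_id, folder in events:
        if event_id in SHARING_VIOLATION_IDS:
            counts[folder] += 1
    return counts


def folders_to_examine(events, threshold=10):
    """Folders whose 4302/4304 count reaches `threshold`: the text suggests
    examining how files there are being used. The threshold is a constructed
    value, not one the course gives."""
    counts = sharing_violation_counts(events)
    return sorted(f for f, n in counts.items() if n >= threshold)


def triage(rows, staging_quota_mb):
    """Run both checks over raw rows and return the recommendations."""
    events = parse_events(rows)
    folders = sorted({f for _, _, f in events})
    return {
        "staging_quota_mb": {f: recommended_staging_quota_mb(staging_quota_mb, events, f)
                             for f in folders},
        "examine_sharing": folders_to_examine(events),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_EVENTS, 4096))
```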

Lab B: Configuring Folder Targets and Viewing Diagnostic Reports
Exercise 1: Configuring Folder Targets and Folder Replication
In this exercise, you initially will create folder targets on two separate servers and then verify that the CorpDocs namespace functions correctly. You then will add availability and redundancy by creating additional folder targets and configuring replication.
The main tasks for this exercise are as follows:
1. Create the HRTemplates folder, and configure a folder target on NYC-DC1.
2. Create the PolicyFiles folder, and configure a folder target on NYC-SVR1.
3. Verify the CorpDocs namespace functionality.

4. Create additional folder targets for the HRTemplates folder, and then configure folder replication.
5. Create additional folder targets for the PolicyFiles folder, and then configure folder replication.
Task 1: Create the HRTemplates folder, and configure a folder target on NYC-DC1
1. On NYC-DC1, in the DFS Management console, right-click \\WoodgroveBank.com\CorpDocs.
2. Create a new folder called HRTemplates.
3. Add a new folder target called HRTemplateFiles using the following options:
• Click the New Shared Folder button.
• Share Name: HRTemplateFiles
• Local path of shared folder: C:\HRTemplateFiles
• Shared Folder Permissions: Administrators have full access, other users have read-only permissions
4. In the console tree, click \\WoodgroveBank.com\CorpDocs.
5. In the details pane, click the Namespace tab. Notice that HRTemplates is listed as an entry in the namespace.
6. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then click HRTemplates.
7. In the details pane, notice that on the Folder Targets tab, one folder target is configured. Click the Replication tab, and notice that replication is not configured.
Task 2: Create the PolicyFiles folder, and configure a folder target on NYC-SVR1
1. On NYC-DC1, in the DFS Management console, right-click \\WoodgroveBank.com\CorpDocs.
2. Create a new folder called PolicyFiles on NYC-SVR1.

3. Add a new folder target called PolicyFiles using the following options:
• Click the New Shared Folder button.
• Share Name: PolicyFiles
• Local path of shared folder: C:\Policyfiles
• Shared Folder Permissions: Administrators have full access, other users have read-only permissions
4. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then click PolicyFiles. In the details pane, notice that on the Folder Targets tab, one folder target is configured.
Task 3: Verify the CorpDocs namespace functionality
1. On NYC-DC1, click Start and then click Run.
2. Access the \\WoodgroveBank\CorpDocs namespace, and verify that both HRTemplates and PolicyFiles are visible. (If they are not visible, wait for approximately five minutes to complete.)
3. In the HRTemplates folder, create a new Rich Text Document file called VacationRequest.
4. In the PolicyFiles folder, create a new Rich Text Document file called OrderPolicies.
Task 4: Create additional folder targets for the HRTemplates folder, and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the following options:
• Path to folder target: \\NYC-SVR1\HRTemplates
• Create share: Yes
• Local Path of shared folder: C:\HRTemplates
• Shared folder permissions: Administrators have full access, other users have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\hrtemplates

• Replicated folder name: HRTemplates
• Primary member: NYC-DC1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click woodgrovebank.com\corpdocs\hrtemplates.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and NYC-SVR1 are listed and enabled.
Task 5: Create additional folder targets for the PolicyFiles folder, and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the following options:
• Path to folder target: \\NYC-DC1\PolicyFiles
• Create share: Yes
• Local Path of shared folder: C:\PolicyFiles
• Shared folder permissions: Administrators have full access, other users have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\policyfiles
• Replicated folder name: PolicyFiles
• Primary member: NYC-SVR1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click woodgrovebank.com\corpdocs\PolicyFiles.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and NYC-SVR1 are listed and enabled.

Exercise 2: Viewing Diagnostic Reports for Replicated Folders
In this exercise, you will generate a diagnostic report to view the folder replication status.
The main tasks for this exercise are as follows:
1. Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates.
2. Create a diagnostic report for the policy files replication group.
3. Close all virtual machines, and discard undo disks.
Task 1: Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates
1. On NYC-DC1, create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates based upon the following options:
• Type of Diagnostic Report or Test: health report
• Path and Name: default
• Members to include: NYC-DC1 and NYC-SVR1
• Options: Backlogged files enabled, Count replicated files enabled
2. Read through the report and take note of any errors or warnings. Note that there may be errors reported if replication has not yet begun or finished. When you are finished, close the Microsoft Internet Explorer® window.
3. Create a diagnostic report for the policy files replication group. Read through the report and take note of any errors or warnings. When you are finished, close the Internet Explorer window.
Task 2: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways
Review Questions
1. How can you use DFS in your File Services deployment?
2. What kind of compression technology is used by Windows Server 2008 DFS?
3. What are three main scenarios used for DFS?
4. What is the difference between a domain-based DFS namespace and a standalone DFS namespace?
5. What is the default ordering method for client referral to folder targets?
6. What does the Primary Member configuration do when setting up replication?
7. Which folder is used to cache files and folders where conflicting changes are made on two or more members?

Network Ports Used by DFS
The following table describes the network ports that DFS uses:
Service Name | Relevant Computers | UDP | TCP
NetBIOS Name Service | Domain controllers, root servers that are not domain controllers, servers acting as folder targets, client computers acting as folder targets | 137 | 137
NetBIOS Datagram Service | Domain controllers, root servers that are not domain controllers, servers acting as folder targets, client computers acting as folder targets | 138 | -
NetBIOS Session Service | Domain controllers, root servers that are not domain controllers, servers acting as folder targets, client computers acting as folder targets | - | 139
LDAP Server | Domain controllers | 389 | 389
Remote Procedure Call (RPC) endpoint mapper | Domain controllers | - | 135
Server Message Block (SMB) | Domain controllers, root servers that are not domain controllers, servers acting as folder targets, client computers acting as folder targets | 445 | 445

Tools
The following table lists the tools that you can use to configure and manage DFS:
Tool | Use For | Where to find it
Dfsutil | Performing advanced operations on DFS namespaces. | On a namespace server, type Dfsutil at a command prompt.
Dfscmd.exe | Scripting basic DFS tasks such as configuring DFS roots and targets. | On a namespace server, type Dfscmd at a command prompt.
DFS Management | Performing tasks related to DFS namespaces and replication. | Click Start, point to Administrative Tools, and then click DFS Management.


Module 12 Configuring Network Access Protection
Contents:
Lesson 1: Overview of Network Access Protection 12-3
Lesson 2: How NAP Works 12-18
Lesson 3: Configuring NAP 12-25
Lesson 4: Monitoring and Troubleshooting NAP 12-33
Lab: Configuring NAP for DHCP and VPN 12-37

Module Overview
Network Access Protection (NAP) ensures compliance with specific health policies for systems accessing the network. NAP assists administrators in achieving and maintaining a specific health policy. This module provides information about how NAP works, and how to configure, monitor, and troubleshoot NAP.

Lesson 1 Overview of Network Access Protection
NAP is a system health policy-enforcement platform built into Microsoft® Windows Server® 2008, Windows Vista®, and Windows® XP Service Pack 3. This platform enables you to protect private network assets better by enforcing compliance with system health requirements. NAP enables you to create customized health-requirement policies to validate computer health before allowing access or communication, as well as automatically update compliant computers to ensure ongoing compliance and limit the access of non-compliant computers to a restricted network until they become compliant.


What Is Network Access Protection?

NAP for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provides components and an application programming interface (API) that help administrators enforce compliance with health-requirement policies for network access or communication. NAP enables developers and administrators to create solutions for validating computers that connect to their networks, as well as provide needed updates or access to needed health update resources and limit the access or communication of non-compliant computers. NAP has three important and distinct aspects:
• Health state validation
• Health policy compliance
• Limited access

Question: How would you use NAP enforcement in your environment, considering home users, roaming laptops and outside business partners?


NAP Scenarios

Depending on their requirements, administrators can configure a solution to address any or all of these scenarios for their networks.
Question: Have you ever had an issue with unsecure, unmanaged laptops causing harm to your network? Do you think NAP would have addressed this issue?


NAP Enforcement Methods

Components of the NAP infrastructure known as enforcement clients (ECs) and enforcement servers (ESs) require health-state validation and enforce limited network access for non-compliant computers to specific network access or communication.
• Administrators can use the enforcement methods separately or together to limit the access or communication of non-compliant computers.
• Network Policy Server (NPS) in Windows Server 2008, the replacement for Internet Authentication Service (IAS) in Windows Server 2003, acts as a health policy server for all of these NAP enforcement methods. Windows Vista and Windows Server 2008 also include NAP support for Terminal Services Gateway (TS Gateway) connections.

Question: Which of the NAP enforcement types would best suit your company? Can you see your organization using multiple NAP enforcement types? If so, which ones?


NAP Platform Architecture

The components of a NAP-enabled network infrastructure consist of the following:
• NAP clients are computers that support the NAP platform for system health-validated network access or communication.
• NAP enforcement points are computers or network-access devices that use NAP to require evaluation of a NAP client's health state and provide restricted network access or communication. NAP enforcement points include HRA, VPN server, DHCP server and network access devices.
• HRA is a computer that runs Windows Server 2008 and Internet Information Services (IIS), and that obtains health certificates from a certification authority (CA) for compliant computers.


• NAP health policy servers are computers that run Windows Server 2008 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), and the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides.
• Remediation servers are computers that contain health update resources that NAP clients can access to remediate their non-compliant state. Examples include antivirus signature distribution servers and software update servers.

Question: Does your environment presently use 802.1x authentication at the switch level? If so, would 802.1x NAP be beneficial, considering you can configure remediation VLANs to offer limited access?


NAP Architecture Interactions

The interactions for the computers and devices of a NAP-enabled network infrastructure depend on the NAP enforcement methods chosen for unlimited network connectivity. The architecture's client side and server side have processes that enable policy validation for the client, or remediation network access to help the client become compliant with the requirements for unrestricted network access.
Question: List an example of a NAP-enabled network infrastructure used in your organization.


NAP Client Infrastructure

The NAP client architecture consists of the following:
• A layer of NAP enforcement client (EC) components - Each NAP EC is defined for a different type of network access or communication.
• A layer of system health agent (SHA) components - An SHA component maintains and reports one or multiple elements of system health.
• NAP Agent - Maintains the current health-state information of the NAP client and facilitates communication between the NAP EC and SHA layers. The NAP platform provides the agent.
• SHA application programming interface (API) - Provides a set of function calls that allow SHAs to register with the NAP Agent, to indicate system health status, respond to NAP Agent queries for system health status, and for the NAP Agent to pass system health-remediation information to a SHA.
• NAP EC API - Provides a set of function calls that allow NAP ECs to register with the NAP Agent, to request system health status, and pass system health-remediation information to the NAP Agent.


The NAP ECs for the NAP platform supplied in Windows Vista, Windows Server 2008, and Windows XP with SP2 (with the NAP Client for Windows XP) are the following:
• An IPsec NAP EC for IPsec-protected communications
• An EAPHost NAP EC for 802.1X-authenticated connections
• A VPN NAP EC for remote access VPN connections
• A DHCP NAP EC for DHCP-based IPv4 address configuration

Question: How would your organization deal with enabling the appropriate EC on non-domain computers that are outside of the management scope?


Demonstration: Using the NAP Client Configuration Tool

Key Points
• Open the NAP Client Configuration tool.
• Explore the options available.

Question: List at least one example of how the NAP client could benefit your organization.


NAP Server-Side Infrastructure

A Windows-based NAP enforcement point has a layer of NAP Enforcement Server (ES) components. Each NAP ES is defined for a different type of network access or communication. For example, there is a NAP ES for remote-access VPN connections and a NAP ES for DHCP configuration. The NAP ES typically is matched to a specific type of NAP-capable client. For example, the DHCP NAP ES is designed to work with a DHCP-based NAP client. Third-party software vendors or Microsoft can provide additional NAP ESs for the NAP platform. The most common configuration for NAP server-side infrastructure consists of NAP enforcement points providing network access or communication of a specific type and separate NAP health policy servers providing system health validation and remediation. It is possible to install the NPS service as a NAP health policy server on individual Windows-based NAP enforcement points. However, in this configuration, you must configure each NAP enforcement point separately with network access and health policies. We recommend a configuration where you use separate NAP health policy servers.


The overall NAP architecture consists of the following sets of components:
• The three NAP client components (a SHA layer, the NAP Agent, and a NAP EC layer)
• The four NAP server-side components (a SHV layer, the NAP Administration Server, the NPS service, and a NAP ES layer on Windows-based NAP enforcement points)
• Health-requirement servers
• Remediation servers

Question: List at least one example of how the NAP health policy server can monitor your networks.


Communication Between NAP Platform Components

Some common NAP-related terms you will see are:
• SHV: System health validator. A server-side module that registers (and unregisters) with the NAP system and validates the statements of health produced by its matching SHA against the configured health requirements.
• SHA: System health agent. A SHA performs system health updates and publishes its status in the form of a statement of health (SoH) to the NAP Agent. The SoH contains information that the NAP health policy server can use to verify that the client computer is in the required state of health.
• SoH: Statement of health. To indicate the health state of a specific SHA, the SHA creates a SoH and passes it to the NAP Agent. A SoH can contain one or multiple elements of system health.
• SSoH: System statement of health. To indicate the overall health state of a NAP client, the NAP Agent uses a SSoH, which includes version information for the NAP client and the set of SoHs for the installed SHAs.
• SoHR: Statement of health response. A SHA is matched to a SHV on the server side of the NAP platform architecture. The corresponding SHV returns a SoHR to the NAP client, which is passed by the NAP EC and the NAP Agent to the SHA, informing it of what to do if the component it monitors is not in the required state of health.
• SSoHR: System statement of health response. Based on the SoHRs from the SHVs and the configured health policies, the NPS service creates a SSoHR, which indicates whether the NAP client is compliant or non-compliant and includes the set of SoHRs from the SHVs.

The NAP Agent component can communicate with the NAP Administration Server component through the following process:
1. The NAP Agent passes the SSoH to the NAP EC.
2. The NAP EC passes the SSoH to the NAP ES.
3. The NAP ES passes the SSoH to the NPS service.
4. The NPS service passes the SSoH to the NAP Administration Server.

The NAP Administration Server can communicate with the NAP Agent through the following process:
1. The NAP Administration Server passes the SSoHR to the NPS service.
2. The NPS service passes the SSoHR to the NAP ES.
3. The NAP ES passes the SSoHR to the NAP EC.
4. The NAP EC passes the SSoHR to the NAP Agent.

A SHA can communicate with its corresponding SHV through the following process:
1. The SHA passes its SoH to the NAP Agent.
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
3. The NAP EC passes the SoH to the NAP ES.
4. The NAP ES passes the SoH to the NAP Administration Server.
5. The NAP Administration Server passes the SoH to the SHV.

The SHV can communicate with its corresponding SHA through the following process:
1. The SHV passes its SoHR to the NAP Administration Server.
2. The NAP Administration Server passes the SoHR to the NPS service.
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES.
4. The NAP ES passes the SoHR to the NAP EC.
5. The NAP EC passes the SoHR to the NAP Agent.
6. The NAP Agent passes the SoHR to the SHA.

Question: List an example of how your organization can use NAP Platform Components to facilitate communication.


Lesson 2

How NAP Works

The design of NAP enables administrators to configure it to meet their network needs. Therefore, the actual NAP configuration will vary according to the administrator’s preferences and requirements. However, the underlying operation of NAP remains the same. When a client attempts to access or communicate on the network, it must present its statement of health (SoH). If a client is not compliant with system-health requirements (for example, that it has the latest operating system and antivirus updates installed), its access to, or communication on, the network can be limited to a restricted network containing server resources, until the health-compliance issues are remedied. After the updates are installed, the client requests access to the network or attempts the communication again. If compliant, the client is granted unlimited access to the network or the communication is allowed.


NAP Enforcement Processes

With Network Access Protection, you can create customized health policies to validate computer health before allowing access or communication, to update compliant computers automatically to ensure ongoing compliance, and, optionally, to confine non-compliant computers to a restricted network until they become compliant.

Question: List at least one example of why you would customize a health policy.


How IPsec Enforcement Works

IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts sent from computers that cannot negotiate IPsec protection using health certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point, each individual computer performs IPsec enforcement.

IPsec enforcement defines the following logical networks:
• Secure network: The set of computers that have health certificates and that require that incoming communication attempts use health certificates for IPsec authentication.
• Boundary network: The set of computers that have health certificates, but which do not require that incoming communication attempts use health certificates for IPsec authentication.
• Restricted network: The set of computers that do not have health certificates, which includes non-compliant NAP client computers, guests on the network, or computers that are not NAP-capable, such as computers running Windows versions that do not support NAP, or Apple Macintosh or UNIX-based computers.

Question: For which computers in the secure network would you allow unsecure communication from computers in the restricted network to succeed?

How 802.1X Enforcement Works

IEEE 802.1X enforcement instructs an 802.1X-capable access point to use a limited access profile, either a set of IP packet filters or a VLAN ID, to limit the traffic of the non-compliant computer so that it can reach only resources on the restricted network. For IP packet filtering, the 802.1X-capable access point applies the IP packet filters to the IP traffic that is exchanged with the 802.1X client, and silently discards all packets that do not correspond to a configured packet filter. For VLAN IDs, the 802.1X-capable access point applies the VLAN ID to all of the packets exchanged with the 802.1X client, and the traffic does not leave the VLAN corresponding to the restricted network. If the NAP client is non-compliant, the 802.1X connection has the limited access profile applied and the NAP client can reach only the resources on the restricted network.

Question: What must the network devices support to implement 802.1X NAP?

How VPN Enforcement Works

VPN enforcement uses a set of remote-access IP packet filters to limit non-compliant VPN client traffic so that it can reach only the resources on the restricted network. The VPN server applies the IP packet filters to the IP traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a configured packet filter.

Question: How does the VPN NAP enforcement method respond to non-compliant computers that make connection attempts?

How DHCP Enforcement Works

DHCP address configuration limits network access for the DHCP client through its IPv4 routing table. DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the non-compliant computer does not have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 address to 255.255.255.255, so that there is no route to the attached subnet. To allow the non-compliant computer to access the restricted network's remediation servers, the DHCP server assigns the Classless Static Routes DHCP option. This option contains host routes to the restricted network's computers, such as the DNS and remediation servers. The end result of DHCP limited network access is a configuration and routing table that allows connectivity only to specific destination addresses corresponding to the restricted network. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied via the Classless Static Routes option, the TCP/IP protocol returns a routing error.

Question: Does the DHCP NAP enforcement type work on IPv6 networks?
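The following Python is an added worked example of the mechanism just described; it is not code from the course or from Microsoft. It encodes and decodes the Classless Static Routes option (DHCP option 121, RFC 3442) and then derives the routing table a client ends up with from its Router option, subnet mask and option 121, so you can see which destinations still resolve to a route and which produce the routing error the text mentions. The lease values (client 10.10.0.50, 10.10.0.10 as the DNS and remediation host, 10.10.0.1 as the gateway) are constructed for the example, and a router of 0.0.0.0 inside a static route is treated as on-link, which is this example's convention rather than something the page states.

```python
"""Model of the IPv4 routing state DHCP enforcement leaves on a NAP client.
Added illustration, not Microsoft code. Assumption: a router of 0.0.0.0 in a
classless static route means on-link (directly reachable). All addresses
below are constructed for the example."""
import ipaddress

ONLINK = ipaddress.IPv4Address("0.0.0.0")


def encode_classless_static_routes(routes):
    """Encode (destination/prefix, router) pairs as the DHCP option 121
    payload (RFC 3442): one prefix-length byte, then only the significant
    destination octets, ceil(prefix / 8) of them, then four router octets."""
    payload = bytearray()
    for destination, router in routes:
        net = ipaddress.IPv4Network(destination)
        payload.append(net.prefixlen)
        payload += net.network_address.packed[: (net.prefixlen + 7) // 8]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def decode_classless_static_routes(payload):
    """Inverse of the encoder; returns [(IPv4Network, IPv4Address), ...] and
    rejects a truncated option instead of silently padding it."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        dest = payload[i + 1 : i + 1 + n].ljust(4, b"\x00")
        router = payload[i + 1 + n : i + 5 + n]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated classless static route option")
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def build_routing_table(address, subnet_mask, router_option, option121=b""):
    """Derive the client's routes from its lease the way the text describes:
    a connected route for (address & mask), a default route only when the
    Router option is not 0.0.0.0, plus the option 121 host routes."""
    table = [(ipaddress.IPv4Network((address, subnet_mask), strict=False), ONLINK)]
    router = ipaddress.IPv4Address(router_option)
    if router != ONLINK:
        table.append((ipaddress.IPv4Network("0.0.0.0/0"), router))
    table.extend(decode_classless_static_routes(option121))
    return table


def select_route(table, destination):
    """Longest-prefix match. Returns the (network, router) entry used, or
    None, which is the case in which TCP/IP reports a routing error."""
    dst = ipaddress.IPv4Address(destination)
    matches = [entry for entry in table if dst in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen, default=None)


def reachable(table, destination):
    return select_route(table, destination) is not None


# Constructed lease values: 10.10.0.10 plays the DNS/remediation server.
REMEDIATION_SERVERS = ["10.10.0.10"]
RESTRICTED_ROUTES = encode_classless_static_routes(
    [(f"{ip}/32", "0.0.0.0") for ip in REMEDIATION_SERVERS])

# A compliant lease: /24 mask and a default gateway.
COMPLIANT = build_routing_table("10.10.0.50", "255.255.255.0", "10.10.0.1")
# A restricted lease: /32 mask, Router option 0.0.0.0, option 121 host routes.
RESTRICTED = build_routing_table("10.10.0.50", "255.255.255.255", "0.0.0.0",
                                 RESTRICTED_ROUTES)

if __name__ == "__main__":
    for name, table in (("compliant", COMPLIANT), ("restricted", RESTRICTED)):
        for dst in ("10.10.0.10", "10.10.0.60", "8.8.8.8"):
            state = "ok" if reachable(table, dst) else "routing error"
            print(f"{name:10} -> {dst:10} {state}")
```

On a real restricted client the same outcome is visible with ipconfig /all (subnet mask 255.255.255.255 and no default gateway) and route print, which lists only the host routes delivered in the option.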

Lesson 3

Configuring NAP

This lesson provides information about configuring the client to interoperate with the server-side infrastructure of a NAP-enforced environment. A NAP-capable client is a computer that has the NAP components installed and can verify its health state by sending a SoH to NPS.

What Are System Health Validators?

SHAs and SHVs, which are NAP infrastructure components, provide health-state tracking and validation. Windows Vista and Windows XP Service Pack 3 include a Windows Security Health Validator SHA that monitors the Windows Security Center settings. Windows Server 2008 includes a corresponding Windows Security Health Validator SHV. NAP is designed to be flexible and extensible, and interoperates with any vendor's software that provides SHAs and SHVs that use the NAP API.

An SHV receives a SoH from the NAP Administration Server and compares the system health status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA and contains the last virus-signature file version number, the corresponding antivirus SHV can check with the antivirus health requirement server for the latest version number to validate the NAP client's SoH.

The SHV returns a SoHR to the NAP Administration Server. The SoHR can contain information about how the corresponding SHA on the NAP client can meet current system-health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client's antivirus SHA to request the latest version of the antivirus signature file from a specific antivirus signature server, by name or IP address.

Question: Does NAP work only with Microsoft-supplied System Health Validators?

What Is a Health Policy?

If the client configuration state does not match the requirements that the health policy defines, NPS takes one of the following actions, depending on the NAP configuration:
• It rejects the connection request.
• It places the NAP client on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance, NPS enables it to connect.
• It allows the NAP client to connect to the network despite its non-compliance with the health policy.

Question: Can you use only one SHV in a health policy?
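The following Python is an added example that serves both the SoH/SSoH/SoHR/SSoHR message flow described under "Communication Between NAP Platform Components" and the health-policy outcomes listed above; it is not code from the course or from Microsoft. It models the round trip: SHAs produce SoHs, the NAP Agent bundles them into an SSoH, NPS hands each SoH to the matching SHV, collects the SoHRs, evaluates the "passes all SHV checks" and "fails one or more SHV checks" health policies, applies the first matching network policy (full access, limited access with a remediation server group, or no match, which is a rejected request) and returns an SSoHR that the NAP Agent unpacks for its SHAs. The message shapes, the constructed "AV" SHA/SHV pair, the 10.10.0.10 remediation server, the policy names borrowed from the lab and the decision to count a missing SoH as a failed check are all assumptions of the example.

```python
"""Walk-through of the NAP health exchange and of health-policy evaluation.
Added illustration, not Microsoft code. SoH/SSoH/SoHR/SSoHR are plain
dataclasses rather than the binary NAP formats; the WSHV firewall check,
policy names and 10.10.0.10 remediation server come from the lab, the "AV"
SHA/SHV pair is constructed, and a missing SoH for a required SHV counts as
a failed check (an assumption; NPS exposes this as a per-SHV error setting)."""
from dataclasses import dataclass, field


@dataclass
class SoH:                  # one SHA's statement of health
    sha_id: str
    state: dict


@dataclass
class SSoH:                 # NAP Agent's system SoH: client version plus all SoHs
    client_version: str
    nap_capable: bool
    sohs: list


@dataclass
class SoHR:                 # one SHV's response, routed back to its SHA
    sha_id: str
    compliant: bool
    remediation: str = ""


@dataclass
class SSoHR:                # NPS verdict: compliance, SoHRs, matched policy
    compliant: bool
    sohrs: list
    network_policy: str     # empty string: no policy matched, request rejected
    remediation_group: list = field(default_factory=list)


LATEST_AV_SIGNATURE = 1042  # constructed: what an AV policy server would report


def windows_security_shv(soh):
    """Mirrors the lab's WSHV setting: only the firewall check is enabled."""
    ok = bool(soh.state.get("firewall_enabled_all_connections"))
    return SoHR(soh.sha_id, ok, "" if ok else "enable the firewall on all connections")


def antivirus_shv(soh):
    """Constructed third-party SHV: the signature file must be current."""
    ok = soh.state.get("signature_version", 0) >= LATEST_AV_SIGNATURE
    return SoHR(soh.sha_id, ok, "" if ok else f"download signature {LATEST_AV_SIGNATURE} from 10.10.0.10")


SHVS = {"WSHA": windows_security_shv, "AV": antivirus_shv}

# Health policies: (Client SHV checks setting, SHVs used in this health policy)
HEALTH_POLICIES = {
    "DHCP Compliant": ("pass_all", ["WSHA", "AV"]),
    "DHCP Noncompliant": ("fail_one_or_more", ["WSHA", "AV"]),
}

# Network policies in NPS processing order: the first policy whose conditions
# all match is applied, as with the three policies built in the lab.
NETWORK_POLICIES = [
    {"name": "DHCP Compliant-Full Access", "service_class": "NAP Scope",
     "health_policy": "DHCP Compliant", "enforcement": "full"},
    {"name": "DHCP Noncompliant-Restricted Access", "service_class": "NAP Scope",
     "health_policy": "DHCP Noncompliant", "enforcement": "limited",
     "remediation_group": ["10.10.0.10"]},
    {"name": "DHCP Non NAP-Capable", "service_class": "Non NAP Scope",
     "nap_capable": False, "enforcement": "limited",
     "remediation_group": ["10.10.0.10"]},
]


def nap_agent_build_ssoh(sha_states, client_version="6.0"):
    """Client side: each SHA passes its SoH to the NAP Agent, which wraps them
    in the SSoH that the EC forwards to the enforcement server."""
    return SSoH(client_version, True, [SoH(sha, st) for sha, st in sha_states.items()])


def _checks(required, sohrs):
    by_sha = {r.sha_id: r.compliant for r in sohrs}
    return [by_sha.get(sha, False) for sha in required]  # missing SoH -> failed


def health_policy_result(name, sohrs):
    mode, required = HEALTH_POLICIES[name]
    passed_all = all(_checks(required, sohrs))
    return passed_all if mode == "pass_all" else not passed_all


def nps_evaluate(ssoh, service_class):
    """Server side: the NAP Administration Server hands each SoH to its SHV,
    then NPS applies the health and network policies and builds the SSoHR."""
    sohrs = [SHVS[s.sha_id](s) for s in ssoh.sohs if s.sha_id in SHVS]
    every_shv = sorted({sha for _, shas in HEALTH_POLICIES.values() for sha in shas})
    compliant = ssoh.nap_capable and all(_checks(every_shv, sohrs))
    for policy in NETWORK_POLICIES:
        if policy["service_class"] != service_class:
            continue
        if "nap_capable" in policy and policy["nap_capable"] != ssoh.nap_capable:
            continue
        if "health_policy" in policy and not (
                ssoh.nap_capable and health_policy_result(policy["health_policy"], sohrs)):
            continue
        return SSoHR(compliant, sohrs, policy["name"], list(policy.get("remediation_group", [])))
    return SSoHR(compliant, sohrs, "")


def nap_agent_apply_ssohr(ssohr):
    """Client side again: the NAP Agent passes each SoHR to its SHA; the result
    is what each non-compliant SHA is told to do (auto-remediation)."""
    return {r.sha_id: r.remediation for r in ssohr.sohrs if not r.compliant}


if __name__ == "__main__":
    ssoh = nap_agent_build_ssoh({"WSHA": {"firewall_enabled_all_connections": False},
                                 "AV": {"signature_version": 1042}})
    verdict = nps_evaluate(ssoh, "NAP Scope")
    print(verdict.network_policy, verdict.remediation_group, nap_agent_apply_ssohr(verdict))
```

Note that the deny case is not a separate rule: a NAP-capable client whose MS-Service Class is "NAP Scope" but which is not NAP-capable matches none of the three policies, which is how NPS ends up rejecting a request that no network policy covers.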

What Are Remediation Server Groups?

A remediation server hosts the updates that the NAP Agent can use to bring non-compliant client computers into compliance with health policy, as NPS defines. For example, a remediation server can host antivirus signatures. If health policy requires that client computers have the latest antivirus definitions, then the following work together to update non-compliant computers: an antivirus SHA, an antivirus SHV, an antivirus policy server, and the remediation server.

Question: What services might a remediation server offer to update antivirus signatures?

NAP Client Configuration

You should remember these basic guidelines when you configure NAP clients.

Some NAP deployments that use Windows Security Health Validator require that you enable Security Center:
• Enable the Turn on Security Center (Domain PCs only) setting in Group Policy under Computer Configuration, Administrative Templates, Windows Components, Security Center.
• To use the setting A firewall is enabled for all network connections, the firewall software that is running on the client computer must be Windows Firewall or other firewall software that is compatible with Windows Security Center. Firewall software that is not compatible with Windows Security Center cannot be managed or detected by the Windows Security Health Agent (WSHA) on the client computer.

The Network Access Protection Agent service is required when you deploy NAP to NAP-capable client computers. Security Center is required for some Network Access Protection (NAP) deployments that use Windows Security Health Validator (WSHV). You can use Group Policy Management to enable Security Center on NAP-capable clients through Group Policy. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To enable the NAP service on clients:
• Open Services from the Administrative Tools menu.
• In the properties of the Network Access Protection Agent service, change the startup type to Automatic.

You also must configure the NAP enforcement clients on the NAP-capable computers:
• Create a custom Microsoft Management Console (MMC) console with the NAP Client Configuration snap-in.
• Expand NAP Client Configuration, and select Enforcement Clients from the console tree.
• In the details pane, double-click the EC that you want to enable, and select Enable This Enforcement Client from the Properties sheet.

You also can use the netsh command to enable or disable ECs. Enforcement clients are addressed by their numeric ID rather than by name; the DHCP Quarantine Enforcement Client is ID 79617, so the following command enables it on the client:
• netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

Question: What Windows groups have the rights to enable Security Center in Group Policy, enable the NAP service on clients, and enable or disable NAP enforcement clients?

Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies

Key Points
• Open the Network Policy Server tool to configure NAP.
• Create a policy for DHCP.

Lesson 4

Monitoring and Troubleshooting NAP

Troubleshooting and monitoring the NAP infrastructure is an important administrative task because each NAP enforcement method involves different technology levels, and varied expertise and prerequisites. Trace logs are available for NAP, but are disabled by default. These logs serve two purposes: troubleshooting, and evaluating a network's health and security.

What Is NAP Tracing?

You can use the NAP Client Configuration snap-in to configure NAP tracing. Tracing records NAP events in a log file, and is useful for troubleshooting and maintenance. You can configure three levels of tracing: Basic, Advanced, and Debug. You also can use tracing logs to evaluate your network's health and security. You should enable NAP tracing when:
• You are troubleshooting NAP problems.
• You want to evaluate the overall health and security of your organization's computers.

Question: List at least one example of how NAP tracing can be used to determine an issue with client communication.

Configuring NAP Tracing

There are two tools that are available for configuring NAP tracing. The NAP Client Configuration console is part of the Windows user interface, and netsh is a command-line tool. To view the log files, navigate to the %systemroot%\tracing\nap directory, and open the particular trace log that you want to view.

Question: What is the netsh command for enabling NAP debug logging levels?

Demonstration: Configuring Tracing

Key Points
• Configure tracing from the graphical user interface.
• Configure tracing from the command line.

Question: Of what group must you be a member to enable NAP tracing?

Lab: Configuring NAP for DHCP and VPN

Objectives
• Configure NAP for DHCP clients
• Configure NAP for VPN clients

Scenario
As the Woodgrove Bank technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.

Note: Since NAP is a new and complex technology in Windows Server 2008, detailed steps have been provided here for each of the tasks in this lab. For this reason, there will be no separate lab answer key for this module.

Exercise 1: Configuring Network Access Protection (NAP) for Dynamic Host Configuration Protocol (DHCP) Clients

In this exercise, you will configure and test NAP for DHCP clients. The main tasks are as follows:
1. Start the NYC-DC1, NYC-SVR1, and NYC-CL1 virtual machines.
2. Install the Network Policy Server (NPS) and Dynamic Host Configuration Protocol (DHCP) server roles.
3. Configure NYC-SVR1 as a NAP health policy server.
4. Configure DHCP service for NAP enforcement.
5. Configure NYC-CL1 as DHCP and NAP client.
6. Test NAP Enforcement.

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-CL1 virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Install the Network Policy Server (NPS) and Dynamic Host Configuration Protocol (DHCP) server roles
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console pane, right-click Roles, and then click Add Roles.
3. On the Before You Begin page, click Next.

4. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
5. On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
6. On the Select Network Connection Bindings page, verify that 10.10.0.24 is selected, and then click Next.
7. On the Specify IPv4 DNS Server Settings page, for Parent Domain, verify that WoodGroveBank.com is listed.
8. In the Preferred DNS Server IPv4 Address field, type 10.10.0.10, and then click Validate.
9. Verify that the result returned is Valid, and then click Next.
10. On the Specify IPv4 WINS Server Settings page, verify that WINS is not required for applications on this network is selected, and then click Next.
11. On the Add or Edit DHCP Scopes page, click Add.
12. In the Add Scope dialog box, in the Scope Name field, type NAP Scope.
13. In the Starting IP Address field, type 10.10.0.50.
14. In the Ending IP Address field, type 10.10.0.99.
15. In the Subnet Mask field, type 255.255.255.0.
16. Verify that the Activate this scope check box is selected, and then click OK.
17. Click Next.
18. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.
19. On the Authorize DHCP Server page, verify that Use current credentials is selected, and then click Next.
20. On the Confirm Installation Selections page, click Install.
21. When the installation completes, click Close, and then close Server Manager.

Task 3: Configure NYC-SVR1 as a NAP health policy server
1. Click Start, point to Administrative Tools, and then click Network Policy Server.
2. Configure SHVs:
a. In the Network Policy Server console pane, expand Network Access Protection, and then click System Health Validators.
b. In the details pane, double-click Windows Security Health Validator.
c. In the Windows Security Health Validator Properties dialog box, click Configure.
d. In the Windows Security Health Validator dialog box, on the Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
e. Click OK twice.
3. Configure remediation server groups:
a. In the console pane, under Network Access Protection, right-click Remediation Server Groups, and then click New.
b. In the New Remediation Server Group dialog box, in the Group Name field, type Rem1.
c. Click Add.
d. In the Add New Server dialog box, in the IP address or DNS name field, type 10.10.0.10, and then click Resolve.
e. Click OK twice.
4. Configure health policies:
a. In the console pane, expand Policies.
b. Right-click Health Policies, and then click New.
c. In the Create New Health Policy dialog box, in the Policy name field, type DHCP Compliant.
d. In the Client SHV checks list, verify that Client passes all SHV checks is selected.
e. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.

f. In the console pane, under Policies, right-click Health Policies, and then click New.
g. In the Create New Health Policy dialog box, in the Policy name field, type DHCP Noncompliant.
h. In the Client SHV checks list, click Client fails one or more SHV checks.
i. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
5. Configure a network policy for compliant computers:
a. In the console pane, click Network Policies.
b. In the details pane, right-click Connections to Microsoft Routing and Remote Access server, and then click Disable.
c. Right-click Connections to other access servers, and then click Disable.
d. In the console pane, right-click Network Policies, and then click New.
e. On the Specify Network Policy Name and Connection Type page, in the Policy name field, type DHCP Compliant-Full Access.
f. In the Type of network access server list, click DHCP Server, and then click Next.
g. On the Specify Conditions page, click Add.
h. In the Select condition dialog box, double-click Health Policies.
i. In the Health Policies dialog box, in the Health policies list, click DHCP Compliant, and then click OK.
j. On the Specify Conditions page, verify that Health Policy is specified under Conditions with a value of DHCP Compliant.
k. On the Specify Conditions page, click Add.
l. In the Select condition dialog box, double-click MS-Service Class.
m. In the MS-Service Class dialog box, type NAP Scope, and then click OK.
n. On the Specify Conditions page, verify that MS-Service Class is specified under Conditions with a value of NAP Scope, and then click Next.
o. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
p. On the Configure Authentication Methods page, clear all check boxes, select Perform machine health check only, and then click Next.

q. On the Configure Constraints page, click Next.
r. On the Configure Settings page, click NAP Enforcement.
s. Verify that Allow full network access is selected, and then click Next.
t. On the Completing New Network Policy page, click Finish to complete configuration of the network policy for compliant client computers.
6. Configure a network policy for non-compliant computers:
a. In the console pane, right-click Network Policies, and then click New.
b. On the Specify Network Policy Name and Connection Type page, in the Policy name field, type DHCP Noncompliant-Restricted Access.
c. In the Type of network access server list, click DHCP Server, and then click Next.
d. On the Specify Conditions page, click Add.
e. In the Select condition dialog box, double-click Health Policies.
f. In the Health Policies dialog box, in the Health policies list, click DHCP Noncompliant, and then click OK.
g. On the Specify Conditions page, verify that Health Policy is specified under Conditions with a value of DHCP Noncompliant.
h. Click Add.
i. In the Select condition dialog box, double-click MS-Service Class.
j. In the MS-Service Class dialog box, type NAP Scope, and then click OK.
k. On the Specify Conditions page, verify that MS-Service Class is specified under Conditions with a value of NAP Scope, and then click Next.
l. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

Note: A setting of Access granted does not mean that non-compliant clients are granted full network access. It specifies that clients matching these conditions will be granted an access level that the policy determines.

m. On the Configure Authentication Methods page, clear all check boxes, select Perform machine health check only, and then click Next.

n. On the Configure Constraints page, click Next.
o. On the Configure Settings page, click NAP Enforcement.
p. Click Allow limited access.
q. Click Configure.
r. In the Remediation Server Group and Troubleshooting URL dialog box, in the Remediation Server Group list, click Rem1.
s. In the Troubleshooting URL field, type http://remediation.restricted.woodgrovebank.com, and then click OK.

Note: Although this remediation server does not exist due to the limitations of the lab environment, it is important to understand how to configure the settings.

t. Verify that Enable auto-remediation of client computers is selected, and then click Next.
u. On the Completing New Network Policy page, click Finish to complete configuration of the network policy for non-compliant client computers.
7. Configure a network policy for non NAP-capable computers:
a. In the console pane, right-click Network Policies, and then click New.
b. On the Specify Network Policy Name and Connection Type page, in the Policy name field, type DHCP Non NAP-Capable.
c. In the Type of network access server list, click DHCP Server, and then click Next.
d. On the Specify Conditions page, click Add.
e. In the Select condition dialog box, double-click NAP-Capable Computers.
f. In the NAP-Capable Computers dialog box, click Only computers that are not NAP-capable, and then click OK.
g. On the Specify Conditions page, verify that NAP-Capable is specified under Conditions with a value of Computer is not NAP-Capable.
h. On the Specify Conditions page, click Add.
i. In the Select condition dialog box, double-click MS-Service Class.

j. In the MS-Service Class dialog box, type Non NAP Scope, and then click OK.
k. On the Specify Conditions page, verify that MS-Service Class is specified under Conditions with a value of Non NAP Scope, and then click Next.
l. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
m. On the Configure Authentication Methods page, clear all check boxes, select Perform machine health check only, and then click Next.
n. On the Configure Constraints page, click Next.
o. On the Configure Settings page, click NAP Enforcement.
p. Click Allow limited access.
q. Click Configure.
r. In the Remediation Server Group and Troubleshooting URL dialog box, in the Remediation Server Group list, click Rem1.
s. In the Troubleshooting URL field, type http://remediation.restricted.woodgrovebank.com, and then click OK.
t. Verify that Enable auto-remediation of client computers is selected, and then click Next.
u. On the Completing New Network Policy page, click Finish to complete configuration of the network policy for older, non NAP-capable client computers.
8. Configure a connection request policy:
a. In the console pane, right-click Connection Request Policies, and then click New.
b. On the Specify Connection Request Policy Name and Connection Type page, in the Policy name field, type NAP DHCP.
c. In the Type of network access server list, click DHCP Server, and then click Next.
d. On the Specify Conditions page, click Add.
e. In the Select condition dialog box, double-click Day and Time Restrictions.
f. In the Day and time restrictions dialog box, click All, and then click Permitted. Click OK, and then click Next.

g. On the Specify Connection Request Forwarding page, verify that Authenticate requests on this server is selected, and then click Next.
h. On the Specify Authentication Methods page, verify that Override network policy authentication settings is not selected.
i. Click Next twice.
j. Click Finish.

Result: This completes configuration of the NAP network policies.

Task 4: Configure DHCP service for NAP enforcement
1. On NYC-DC1, click Start, point to Administrative Tools, and then click DHCP.
2. In the DHCP console pane, expand nyc-dc1.woodgrovebank.com, expand IPv4, and then click Scope [10.10.0.0] HeadOffice.
3. Right-click Scope [10.10.0.0] HeadOffice, and then click Delete.
4. In the DHCP dialog box, click Yes twice.
5. Close DHCP.
6. On NYC-SVR1, click Start, point to Administrative Tools, and then click DHCP.
7. In the DHCP console pane, expand nyc-svr1.woodgrovebank.com, expand IPv4, and then click Scope [10.10.0.0] NAP Scope.
8. Right-click Scope [10.10.0.0] NAP Scope, and then click Properties.
9. In the Scope [10.10.0.0] NAP Scope Properties dialog box, on the Network Access Protection tab, click Enable for this scope.
10. Select Use custom profile.
11. In the Profile Name field, type NAP Scope, and then click OK.
12. In the console pane, click Scope Options.
13. Right-click Scope Options, and then click Configure Options.
14. In the Scope Options dialog box, on the Advanced tab, in the User class list, verify that Default User Class is selected.
15. Under Available Options, select the 015 DNS Domain Name check box.

expand Administrative Templates. and then press ENTER. 17. click Group Policy Object Editor.woodgrovebank. 23. type woodgrovebank. 22. click Finish.10. type restricted. and then click Security Center.com. 21. right-click Scope Options. In a real environment. 18. In the Select Group Policy Object dialog box.10. you would specify a DNS server that existed on the restricted network here. In the Console1 window. Task 5: Configure NYC-CL1 as DHCP and NAP client 1. click Add/Remove Snap-in. type mmc. the DNS server address is same for both the restricted and nonrestricted networks. Under Available Options. click Default Network Access Protection Class. In the console pane. select the 006 DNS Servers check box. In the Add or Remove Snap-ins dialog box. Under Available Options. select the 015 DNS Domain Name check box. Close DHCP. expand Windows Components. In the String value field. Click Start. 20. on the File menu. and then click Add. and then click Add. In the IP address field. type 10. expand Local Computer Policy. On NYC-CL1. Note: The restricted. 19. and then click OK. In the Scope Options dialog box. in the User class list. Under Available Options. and then click Configure Options. and then click OK. enable Security Center: a. Note: that in this lab. under Available snap-ins. expand Computer Configuration. e. on the Advanced tab. b. c. d. 16. In the String value field.com domain is a restricted access network assigned to non-compliant NAP clients.

b. When prompted to save settings. e. click Enabled. Enable the DHCP enforcement client: a. click NAP Client Configuration. and then click Add. Configure NYC-CL1 for DHCP address assignment: a. On the File menu. Close Console1. In the Network and Sharing Center window. In the console pane. In the Local Area Connection Status dialog box. click Services. In the Turn on Security Center (Domain PCs only) Properties dialog box. 3. In the Network Access Protection Agent Properties (Local Computer) dialog box. in the Startup type list. e. In the details pane. and then click Add. h. and then click Enable. click View status. and then click OK. f. f. click Automatic. Wait for the NAP agent service to start. click Add/Remove Snap-in. c. d. and then click Properties. click Properties. In the Add or Remove Snap-ins dialog box. 4. In the Add or Remove Snap-ins dialog box. double-click Turn on Security Center (Domain PCs only). right-click Network. click Add/Remove Snap-in. c. b. In the details pane. click NAP Client Configuration (Local Computer). On the File menu. click No. click Enforcement Clients. and then click OK. b. d. In the details pane. click Finish. In the Services dialog box. 2. In the NAP Client Configuration dialog box. click Services. In the console pane. double-click Network Access Protection Agent. Right-click DHCP Quarantine Enforcement Client. c. b. click Finish. and then click Start. and then click OK. Click Start. g. g. under Available snap-ins. f. In the NAP Client Configuration details pane. under Available snap-ins.

b. select the An antivirus application is on check box and then click OK twice. and then click Obtain DNS server address automatically. Close Network and Sharing Center. click Configure. At the command prompt. 2. e. Note: This reduces the lab’s complexity. In the Internet Protocol Version 4 (TCP/IP) Properties dialog box. In the Windows Security Health Validator dialog box. Task 6: Test NAP enforcement 1. Click Start. and then click Command Prompt. type ipconfig /all. d. f. g. and then press ENTER. In the Local Area Connection Properties dialog box. b. In the details pane. clear the Internet Protocol Version 6 (TCP/IPv6) check box. d. Click OK. in the Network Policy Server console pane. c. In the Windows Security Health Validator Properties dialog box. Verify that the DNS Suffix Search List is Woodgrovebank.com and System Quarantine State is Not Restricted. Click Internet Protocol Version 4 (TCP/IPv4). c. and then click Close twice. Configure the System Health Validator policy to require antivirus software: a. Verify DHCP assigned address and current quarantine state: a. point to Accessories. expand Network Access Protection. click Obtain an IP address automatically. and then click Properties. double-click Windows Security Health Validator. under Virus Protection. and then click System Health Validators. particularly for those who are not familiar with IPv6. h. point to All Programs. On NYC-SVR1.

3. Verify the restricted network on NYC-CL1:
a. On NYC-CL1, at the command prompt, type ipconfig /release and then press ENTER.
b. Type ipconfig /renew and then press ENTER.
c. Verify the Connection-specific DNS suffix is now restricted.woodgrovebank.com.
4. In the notification area, double-click the Network Access Protection icon. This may take a few minutes to appear.
Note: Notice it tells you the computer is not compliant with requirements of the network.
5. Click Close.
6. Close Command Prompt.

Exercise 2: Configuring NAP for VPN Clients
In this exercise, you will configure NAP for VPN Clients. This exercise uses the Windows Security Health Agent and Windows Security Health Validator to require that client computers have Windows Firewall enabled and have an antivirus application installed. You will create two network policies in this exercise. A compliant policy grants full network access to an intranet network segment. A non-compliant policy demonstrates network restriction by applying IP filters to the VPN tunnel interface that only allow client access to a single remediation server.
The main tasks are as follows:
1. Configure NYC-DC1 as an Enterprise Root CA.
2. Configure NYC-SVR1 with NPS functioning as a health policy server.
3. Configure NYC-SVR1 with the Routing and Remote Access Service (RRAS) configured as a VPN server.
4. Configure NYC-CL1 as a VPN and NAP client.
5. Configure System Help for Networking.
6. Close all virtual machines, and discard undo disks.
Task 1: Configure NYC-DC1 as an Enterprise Root CA
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the certsrv – [Certification Authority (Local)] console pane, expand WoodgroveBank-NYC-DC1-CA, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. In the Computer Properties dialog box, on the Security tab, click Authenticated Users.
5. In the Permissions for Authenticated Users pane, for Enroll, select the Allow check box, and then click OK.
6. Close all windows.

b. click Add/Remove Snap-in. and then click Add Role Services. On the Select Role Services page. click Certificates. In the Console1 window. and then click Finish. click Next. On NYC-SVR1. In the console pane. c. 3. expand Roles. Task 2: Configure NYC-SVR1 with NPS functioning as a health policy server 1. In the Certificate Enrollment dialog box. e. In the Server Manager console pane. On the Request Certificates page. d. In the Add or Remove Snap-ins dialog box. click System Health Validators. right-click Personal. d. select the Remote Access Service check box. i. and then click Enroll. g. on the File menu. and then click Add. Close Server Manager. b. expand Certificates (Local Computer). select the Computer check box. click Computer account. and then press ENTER. double-click Windows Security Health Validator. and then click Server Manager. click Start. click Install. Click OK. click Next. Click Start. type mmc. Configure NPS as a NAP health policy server: a. f. and then click Next. j. On the Confirm Installation Selections page. e. c. click Close. point to All Tasks. click No. Install the Remote Access Service role service: a. Verify the status of certificate installation as Succeeded. In the Certificates snap-in dialog box. Close Console1. In the Network Policy Server console pane. b. and then click Finish. 2. and then click Request New Certificate. Obtain computer certificate on NYC-SVR1 for server-side PEAP authentication: a. f. When prompted to save settings. h.

4. b. and then click Properties. f. i. and then click Next. click New. Under IPv4. and then click Next. On the Define NAP Health Policy page. and then click Finish. c. In the details pane. On the Configure an Authentication Method page. In the Troubleshooting URL field. click IP Filters. b. d. clear the An antivirus application is on check box. d. In the Windows Security Health Validator dialog box. g. In the details pane. click Configure NAP. c. In the console pane. review the policies that will be created.com and click Next. On the Specify NAP Enforcement Servers Running VPN Server page. 5. In the Windows Security Health Validator Properties dialog box. On the Configure User Groups and Machine Groups page. click NPS(local). click Configure. click Next. right-click NAP VPN Noncompliant. h. In the Inbound Filters dialog box. click Rem1. On the Settings tab. c. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page. review the settings.restricted. in the Network connection method list. On the Specify NAP Remediation Server Group and URL page. click Virtual Private Network (VPN) and then click Next. e. review the settings. type http://remediation. and then click OK twice. On the Select Network Connection Method For Use with NAP page. click Next.woodgrovebank. j. Configure NAP VPN Non-compliant policy: a. click Next. click Input Filters. click Network Policies.

c.10. Configure connection request policies: a. Right-click NAP VPN. In the details pane. In the Add IP Filter dialog box. Click OK.10.255. double-click Tunnel Type. p.10. Under IPv4. e. click Connection Request Policies. b. In the NAP VPN Properties dialog box. type 10.10. type 255. right-click Use windows authentication for all users. j. h. In the Outbound Filters dialog box. In the Inbound Filters dialog box. click Permit only the packets listed below. o. Click OK.255. l. In the Subnet mask field. In the IP address field.255. In the Outbound Filters dialog box. click Add. In the Subnet mask field. m. type 255. select Source network check box. In the console pane. In the Select condition dialog box. select the Destination network check box. d. In the Add IP Filter dialog box. click Output Filters. In the IP Address field. Click OK. click Permit only the packets listed below. click New. g. on the Conditions tab. Note: This ensures that only traffic from NYC DC1 can be sent to non-compliant clients. 6. i.255. and then click Properties. type 10.0. f. Note: This ensures that traffic from non-compliant clients can reach only NYC DC1. and then click Disable. k. Click OK twice. n.

Click Microsoft: Protected EAP (PEAP). k. 5. verify that Enable Quarantine checks is selected. and then click Next. On the Configuration page. 7. click From a specified range of addresses. In the Configure Protected EAP Properties dialog box. 2. h. 6. click Microsoft: Secured password (EAPMSCHAP v2). In the details pane. click Authentication. click Start. On the VPN Connection page. and then click OK. In the Routing and Remote Access window. point to Administrative Tools. j. 8. click Add. Click Authentication Methods. and then click Configure and Enable Routing and Remote Access. verify that Remote access (dial-up or VPN) is selected. g. In the Add EAP dialog box. On the Settings tab. Clear the Enable security on the selected interface by setting up static packet filters check box. f. select the VPN check box. and review the settings. and then click Next. i. On NYC-SVR1. and then click OK twice. In the Routing and Remote Access Server Setup Wizard. 3. l. and then click Next. right-click NYC-SVR1 (local). 4. Task 3: Configure NYC-SVR1 with the Routing and Remote Access Service (RRAS) configured as a VPN server 1. click Local Area Connection 2. click Next. and then click Edit. Note: This ensures that NYC SVR1 will be able to ping NYC DC1 when attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic. On the IP Address Assignment page. select the Layer Two Tunneling Protocol L2TP and Point-to-Point Tunneling Protocol PPTP check boxes. In the Tunnel Type dialog box. On the Remote Access page. and then click Routing and Remote Access. and then click OK. and then click Next.

type 10. In the New IPv4 Address Range dialog box. Close the NAP Client Configuration window. and then press ENTER. Task 4: Configure NYC-CL1 as a VPN and NAP client 1.0. b. On the Address Range Assignment page. On the Managing Multiple Remote Access Servers page. and then click Properties. Click Finish. 13. click New. next to Local Area Connection. 16. verify that No. and then click Next. use Routing and Remote Access to authenticate connection requests is selected. click OK and then click Next.100.110. d. click OK twice. On NYC-CL1. In the Network Policy Server console pane. click Start.[NAP Client Configuration (Local Computer)] console pane. 15. right-click Remote Access Quarantine Enforcement Client. right-click Microsoft Routing and Remote Access Service Policy and then click Disable. In the Local Area Connection Properties dialog box. type napclcfg. In the Network and Sharing Center window. right-click Network. click View status. In the napclcfg . click Properties. In the End IP address field. In the Local Area Connection dialog box. d. In the details pane. click Enforcement Clients. and then click Enable. Click Start. 2.10. In the details pane. quarantine-enforcement client: a. Enable the remote-access. 10. 12. c. In the Routing and Remote Access dialog box. type 10. in the Start IP address field. click Internet Protocol Version 4 (TCP/IPv4). Close Routing and Remote Access. 9. 11. 14. 17. Configure NYC-CL1 for the Internet network segment: a. right-click Connection Request Policies and then click Refresh. msc.

c.0. g. j. Click OK twice. 4. On the How do you want to connect page. and then click Next. In the Network and Sharing Center Tasks pane. At the command prompt. Configure a VPN connection: a. Verify that a successful reply from 10.10. type 10. and then click Next. In the Domain (optional) field. Click Start | All Programs | Accessories.10. b. Select the Allow other people to use this connection check box. In the Subnet mask field. type 10. d. type 255. In the Preferred DNS server field. g. 3. b. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. click Connect to a workplace. in the User name field. f. type 10. In the Default gateway field.10. f.10 is returned. click Use the following IP address. h.0. In the Password field.30. type Pa$$w0rd and then select the Remember this password check box. type WOODGROVEBANK. j. type 10.10. e. click I’ll set up an Internet connection later. and then click Close. and then click Create.0. On the Do you want to set up an Internet connection before continuing page. On the Choose a connection page. c.0. Verify network connectivity for NYC-CL1: a. click Set up a connection or network. in the Internet address field. type Administrator.0. type ping nyc-dc1 and then press ENTER.50. h. click Use my Internet connection (VPN). e. i. In the IP address field.10. type Woodgrove VPN. type 10. In the Destination name field. On the Type the Internet address to connect to page. On the Type your user name and password page. and then click Command Prompt.255. i.

d. click Use Extensible Authentication Protocol (EAP). right-click Woodgrovebank VPN. n. click OK. click View Server Certificate. In the Network Connections window. In the Network Connections window. f. b. it should have unlimited access to the intranet subnet. click Connect. verify that Secured Password (EAP-MSCHAP v2) is selected. Click OK three times. on the Security tab. click Advanced (custom settings). and then click Settings. and then click Properties. At the command prompt. and then in the Use Extensible Authentication Protocol (EAP) list. c. t. k. e. In the Advanced Security Settings dialog box. In the Connect Woodgrove VPN dialog box. and then select the Enable Quarantine checks check box. right-click Woodgrove VPN. click Protected EAP (PEAP) (encryption enabled). p. and then clear the Connect to these servers check box. click Close. o. On the The connection is ready to use page. s. 5. In the Protected EAP Properties dialog box. verify that Certificate Information states that the certificate was issued to nyc-svr1Woodgrovebank. verify that the Validate server certificate check box is selected. In the Validate Server Certificate dialog box. type ipconfig /all and press ENTER. In the Enter Credentials dialog box. click Manage network connections. Click Properties. m. q. Wait for the VPN connection to be made. Clear the Enable Fast Reconnect check box. In the Select Authentication Method list.com by WoodgroveBank-NYC-DC1-CA and then click OK twice. l. Test the VPN connection: a. In the Woodgrove VPN Properties dialog box. In the Network and Sharing Center Tasks pane. g. Because NYC-CL1 is compliant. and then click Connect. In the Certificate dialog box. r.

review the settings and then click Close. Click OK twice. in the Network Connections window. j. click OK. and then click Disconnect. d. In the details pane. 6. double-click Windows Security Health Validator. In the Connect Woodgrove VPN dialog box. In the Windows Security Health Validator dialog box. click System Health Validators. Note: This dialog box indicates the computer does not meet health requirements. h. 7. f. This message is displayed because antivirus software has not been installed. In the Enter Credentials dialog box. In the Network Connections window. right-click Woodgrove VPN. click Configure. Configure Windows Security Health Validator to require an antivirus application: a. right-click Woodgrove VPN. In the notification area. d. select the An antivirus application is on check box. Type ping nyc-svr1 and then press ENTER. in the Network Policy Server console pane. b. In the Network Access Protection dialog box. click Connect. c. i. e. Verify the client is placed on the restricted network: a. This should be successful. double-click the network access icon in the system tray. On NYC-SVR1. Review the IP configuration and verify that System Quarantine State is Not Restricted. c. Note: The client now meets the requirement for VPN full connectivity. and then click Connect. Wait for the VPN connection to be made. b. In the Windows Security Health Validator Properties dialog box. On NYC-CL1.

g. At the command prompt, type ipconfig /all and then press ENTER.
h. Review the IP configuration. The System Quarantine State should be Restricted.
8. Disconnect from Woodgrovebank VPN.
Task 5: Configure System Help for Networking
1. On NYC-SVR1, click Start and then click Help and Support.
2. In the Windows Help and Support window, click Networking.
3. Verify that the Networking help topics exist.
Task 6: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways
Review Questions
1. What are the three main client configurations that you need to configure for most NAP deployments?
2. You want to evaluate the overall health and security of the NAP enforced network. What do you need to do to start recording NAP events?

Best Practices
Consider the following best practices when implementing NAP:
• Use strong enforcement methods (IPsec, 802.1x and VPN). Strong enforcement methods provide the most secure and effective NAP deployment.
• Use consistent NAP policies throughout the site hierarchy to minimize confusion. The more complicated your NAP policy design, the higher the risk of incorrect configuration. Configuring a NAP policy incorrectly may result in clients accessing the network when they should be restricted or valid clients being erroneously restricted.
• Do not rely on NAP to secure a network from malicious users. NAP is designed to help administrators maintain the health of the network’s computers, which in turn helps maintain the network’s overall integrity. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent.
• Do not rely on NAP as an instantaneous or real-time enforcement mechanism. There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may last for several hours or more due to many factors, including the settings of various configuration parameters.

Tools
Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Group policy
Use for: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration, Administrative Templates, Windows Components, and Security Center sections of Group Policy. Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled. Group Policy can also be used to enable and manage the NAP client.

Tool: Netsh nap
Use for: Using netsh, you can create scripts to configure automatically a set of Windows Firewall with Advanced Security settings, create rules, monitor connections, and display the configuration and status of Windows Firewall with Advanced Security.
Where to find it: Open a command window with administrative rights and type netsh nap. You can type help to get a full list of available commands.

Tool: Configure NAP with a wizard
Use for: Used to create the health policies, connection request policies, and Network Access Protection (NAP) with Network Policy Server.
Where to find it: Open the NPS (Local) console. In Getting Started and Standard Configuration, select Network Access Protection (NAP) policy server. The text and links below the text change to reflect your selection. Click Configure NAP with a wizard.
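As an added example that is not part of the course text, the following commands do from an elevated PowerShell prompt what Lab Exercise 1, Task 5 does through the Services console and the NAP Client Configuration snap-in: start the NAP agent, enable the DHCP enforcement client, and read back the client's state. The enforcement client ID 79617 is the value netsh nap reports for the DHCP Quarantine Enforcement Client on Windows Vista and Windows Server 2008; confirm it in the show configuration output before setting it.

```powershell
# Added example, not from the course: enable and verify the NAP client from the
# command line on a Windows Vista / Server 2008 computer (run elevated).

# 1. Set the Network Access Protection Agent service to start automatically and
#    start it now (the lab does this in the Services console, Startup type: Automatic).
sc.exe config napagent start= auto
sc.exe start napagent

# 2. List the enforcement clients the agent knows about, with their numeric IDs.
#    The DHCP Quarantine Enforcement Client appears with ID 79617; read the ID
#    from this output rather than assuming it.
netsh nap client show configuration

# 3. Enable the DHCP enforcement client (the lab does this by right-clicking
#    DHCP Quarantine Enforcement Client and clicking Enable).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# 4. Show the agent's runtime view: enforcement clients, system health agents and
#    whether the client is currently restricted.
netsh nap client show state

# 5. NAP client settings delivered by Group Policy override the local ones, so
#    check for them before troubleshooting a client that stays restricted.
netsh nap client show grouppolicy

# 6. The same quarantine state the lab reads from ipconfig /all.
ipconfig /all | Select-String "System Quarantine State"
```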

Module 13 Configuring Availability of Network Content and Resources
Contents:
Lesson 1: Configuring Shadow Copies 13-3
Lab A: Configuring Shadow Copying 13-11
Lesson 2: Providing Server and Service Availability 13-14
Lab B: Configuring Network Load Balancing 13-26

Module Overview
This module explains how to configure network resources and content availability and how to enable a shadow copy volume, which provides access to previous file and folder versions on a network. Finally, this module explains how you can use failover clustering and Network Load Balancing (NLB) to facilitate greater data availability and workload scalability.

Lesson 1 Configuring Shadow Copies
In Microsoft® Windows Server® 2008 as in Microsoft Windows Server 2003, you can enable shadow copies on a per-volume basis that will monitor changes made to shares over the network, giving the user the opportunity to recover files and folders.

What Are Shadow Copies?
Key Points
The Previous Versions feature in Windows Server 2008 enables your users to access previous versions of files and folders on your network. This is useful because users can:
• Recover files that were deleted accidentally.
• Recover from accidentally overwriting a file.
• Compare versions of a file while working.
Question: If you were to deploy shadow copies of shared folders in your network environment, would you notice a decrease in calls from users needing restoration from backups?

Considerations for Deploying Shadow Copies
Key Points
Before deploying shadow copies, gather the following information to assist with planning:
• How frequently will users modify the content of shadow copy-protected folders?
• How many previous versions of files do you want to maintain?
• How much space is available for storing shadow copies?
Question: Apply these planning considerations to a shadow copy scenario in your work environment and describe the choices you might make.

Shadow Copy Scheduling
Key Points
If you use the default values to enable shadow copies of shared folders on a volume, tasks will be scheduled to create shadow copies at 7:00 A.M. and Noon. The default storage area will be on the same volume, and its size will be limited to 10 percent of the available space. If you decide that you want shadow copies to be made more often, verify that you have allotted enough storage space and that you do not make copies so often that it degrades server performance.
Question: How might you consider modifying the default schedule for your environment? Do you have data in shares that might require a more aggressive schedule?
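As an added example that is not part of the course text, the commands below set up from an elevated prompt what the Computer Management console does for the lab's E: volume: shadow storage on the same volume with a size cap, an initial shadow copy, and scheduled copies at 7:00 A.M. and Noon. The 10 GB cap assumes a 100 GB volume (so that it equals the 10 percent default); the task names are made up for this example.

```powershell
# Added example, not from the course: configure shadow copies of shared folders
# on E: from the command line on a Windows Server 2008 file server (run elevated).

# Associate shadow storage for E: with E: itself and cap it. The cap is given as
# an absolute size; assumption: E: is a 100 GB volume, so 10GB matches the
# 10 percent default described above.
vssadmin Add ShadowStorage /For=E: /On=E: /MaxSize=10GB

# Take the initial shadow copy now, as Lab A, Task 2 does through Computer Management.
vssadmin Create Shadow /For=E:

# Schedule the two daily copies that the default settings would create.
# Task names are placeholders chosen for this example.
schtasks /Create /TN "ShadowCopy E 0700" /SC DAILY /ST 07:00 /RU SYSTEM `
    /TR "vssadmin Create Shadow /For=E:"
schtasks /Create /TN "ShadowCopy E 1200" /SC DAILY /ST 12:00 /RU SYSTEM `
    /TR "vssadmin Create Shadow /For=E:"

# Review the result. Compare "Used Shadow Copy Storage space" with the cap over
# time: when the cap is reached the oldest copies are discarded to make room, so
# a too-small cap or a too-frequent schedule silently shortens the history
# users can recover from the Previous Versions tab.
vssadmin List ShadowStorage /For=E:
vssadmin List Shadows /For=E:
```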

Demonstration: Configuring Shadow Copies
Key Points
• Open Computer Management.
• Enable Shadow Copies on a single server volume.
Question: What are the possible drawbacks or costs of enabling Shadow Copies?
Question: Will you enable Shadow Copies on all volumes on your servers?

Managing Shadow Copies from a Client Perspective
Key Points
For previous versions of the Windows operating system, the Previous Versions client software must be installed for the user to make use of shadow copies. The Microsoft Windows Vista® operating system has the Previous Versions client built into the operating system, so client configuration is not necessary.
Question: What might be the problem if a user calls the Help Desk and complains that the Previous Versions tab is missing from the shared folder/file properties?

Restoring Shadow Copies
Key Points
After you enable shadow copies of shared folders and start creating shadow copies, you can use the Previous Versions feature to recover previous versions of files and folders, or recover files and folders that have been renamed or were deleted.
Question: If a user calls you and says that the “Previous Versions” tab is not visible, what would you ask to determine the problem?

Demonstration: Restoring Shadow Copies
Key Points
• Use the Previous Versions tab to restore an older version of a file.
Question: How would you train users to perform shadow copy restorations on their own?
Question: If a user wanted to restore part of a previous document version, how would you advise them to proceed?

Lab A: Configuring Shadow Copying
Exercise 1: Configuring Shadow Copying
Scenario
You are the storage administrator for Woodgrove bank. You find your time is often spent restoring previous versions of files from backups. You want to institute shadow copies to allow users to recover their own previous versions. In this exercise, you will configure and test shadow copies.
The main tasks are as follows:
1. Enable shadow copies on a volume.
2. Change a file in a share location.
3. Manually create a shadow copy.
4. View the file previous versions, and restore to a previous version.

Task 1: Start the virtual machines, and then log on
1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.
Task 2: Enable shadow copies on a volume
1. Using the Computer Management console, enable shadow copies for drive E:\.
2. Create an initial shadow copy for drive E:\.
Task 3: Change a file in a share location
1. On NYC-CL1, open the shadowtest.txt file at \\NYC-DC1\shadow\.
2. Add the following text to the end of the text file: This is my text that I am adding to the file.
3. Save and close the shadowtest.txt file.
4. On NYC-CL1, open the shadowtest.txt file at \\NYC-DC1\shadow\.
5. Add the following text to the end of the text file: This is my second modification to the file.
6. Save and close the shadowtest.txt file.
Task 4: Manually create a shadow copy
• On NYC-DC1, create a new shadow copy of drive E:\.

Task 5: View the previous file versions, and restore to a previous version
1. On NYC-CL1, view the previous versions tab of the properties of \\NYC-DC1\shadow\shadowtest.txt.
2. View the previous version.
3. Restore the previous version.
Results: After this exercise, you should have established shadow copies on a share, changed a file, and then restored the original version.

Lesson 2: Providing Server and Service Availability

Network Load Balancing (NLB) is a clustering technology that uses a distributed algorithm to load balance network traffic across several hosts. This enhances the scalability and availability of mission critical, IP-based services, such as Web, Proxy, Virtual Private Networking (VPN), Streaming Media, Terminal Services, and so on. It also provides high availability by detecting host failures and automatically redistributing traffic to operational hosts.

Network Load Balancing Manager Overview

Key Points
When you install NLB as a network driver on each of the cluster's member servers or hosts, the cluster presents a virtual IP address to client requests. The client requests go to all the hosts in the cluster, but only the host to which a given client request is mapped accepts and handles the request. All the other hosts drop the request. Depending on the configuration of each host in the cluster, the statistical mapping algorithm, which is present on all the cluster hosts, maps the client requests to particular hosts for processing.

Using NLB with compatible services offers the benefits of increased availability, scalability, and load-balancing performance, as well as the ability to distribute a large number of clients over a group of servers.

Question: Do you have any servers hosting stateless information that would benefit from Network Load Balancing in your environment?

ISLAMSC. Question: Should you enable this feature on all servers? WWW. Managing and Maintaining Windows Server 2008 Servers MCT USE ONLY. STUDENT USE PROHIBITED Demonstration: Installing Network Load Balancing Key Points • Install the Network Load Balancing feature.13-16 Configuring.COM .

Considerations for Creating a Network Load Balancing Cluster

Key Points
To configure the Network Load Balancing cluster, you must configure three types of parameters:
• Host parameters, which are specific to each host in an NLB cluster.
• Cluster parameters, which apply to an NLB cluster as a whole.

Host parameters include:
• Priority, which specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule.

Cluster parameters include:
• The IP Address and Subnet Mask for the NLB cluster.

• Port rules, which override the Priority setting or provide load balancing for specific ranges of ports.

Port rules include the following attributes:
• The Port Range specifies the port or ports which will be affected by the port rule.
• The Protocols setting determines the network protocol that the rule will cover.

Question: What applications would require the optional shared storage?

Demonstration: Configuring a Network Load Balancing Cluster

Key Points
• Create a new NLB cluster.
• Configure settings for the new NLB cluster.

Question: When should you configure multiple DIP for a cluster?

Clustering Terminology

Key Points
There are several important terms that are used when discussing clustering.

Question: Discuss your work environment's approach to planned and unplanned downtime.

What Is a Failover Cluster?

Key Points
A failover cluster is a group of independent computers that work together to increase the availability of applications and services. Physical cables and software connect the clustered servers, known as nodes. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Therefore, users experience a minimum of service disruptions.

Note: The failover cluster feature is not available in the Windows® Web Server 2008 or Windows Server 2008 Standard editions.

Failover clusters include the following new functionality:
• New validation feature
• Support for globally unique identifier (GUID) partition table (GPT) disks in cluster storage

COM . which can result in increased availability Improvements to the way a cluster works with storage Improvements to interfaces for working with shared folders Improvements to networking and security Question: Have you employed previous versions of clustering technology? WWW. STUDENT USE PROHIBITED Improvements to existing failover cluster functionality include: • • • • • • Improved cluster setup Simplified management interfaces Improvements to stability and security. Managing and Maintaining Windows Server 2008 Servers MCT USE ONLY.13-22 Configuring.ISLAMSC.

Hardware Requirements for a Failover Cluster

Key Points
Carefully review the hardware on which you plan to deploy a failover cluster to ensure that it is compatible with Windows Server 2008. This is especially necessary if you are currently using that hardware for a server cluster running Windows Server 2003. Hardware that supports a server cluster running Windows Server 2003 will not necessarily support a failover cluster running Windows Server 2008.

Note: You cannot perform a rolling upgrade from a server cluster running Windows Server 2003 to a failover cluster running Windows Server 2008. However, after you create a failover cluster running Windows Server 2008, you can use a wizard to migrate certain resource settings to it from a server cluster running Windows Server 2003.

The following hardware is required in a failover cluster:
• Servers
• Network adapters and cable (for network communication)
• Device controllers or appropriate adapters for the storage if using shared SCSI
• iSCSI initiator and dedicated network adapter if using iSCSI storage
• Shared storage

Question: If you presently have a server cluster in a previous server version, can you do a rolling upgrade to Windows Server 2008 Failover Clustering?

Failover Clustering Scenarios

Key Points
Failover clustering can be useful in a number of different scenarios:
• File shares can be made highly available.
• Databases on Microsoft SQL Server® can be made highly available.
• Applications like Microsoft Exchange can be made highly available.
• Virtual Machines running on Hyper-V™ hosts can be made highly available.

Question: Describe one scenario in your work environment where you currently use or plan to implement failover clustering.

Lab B: Configuring Network Load Balancing

Exercise 1: Configuring Network Load Balancing

Scenario
You have been asked to increase the reliability for a critical web server service by configuring network load balancing for the service. In this exercise, you will configure Network Load Balancing.

The main tasks are as follows:
1. Install the Network Load Balancing feature on NYC-DC1 and NYC-SVR1.
2. Configure Network Load Balancing on NYC-DC1 and NYC-SVR1.
3. Test the Network Load Balancing cluster.
4. Close all virtual machines, and discard undo disks.

Task 1: Install Network Load Balancing
1. On NYC-DC1, open Server Manager.
2. Add the Network Load Balancing feature.
3. Repeat for NYC-SVR1.

Task 2: Create an NLB Cluster
1. On NYC-DC1, open Network Load Balancing Manager.
2. Create a new cluster with the hostname NYC-DC1 and start it.
3. Specify an IPv4 cluster IP of 10.10.0.70 with a Subnet Mask of 255.255.0.0.
4. Give the cluster a Full Internet Name of webfarm.woodgrovebank.com and set the operation mode to Multicast.
5. Define port rules:
  • Port Range: 80 to 80
  • Protocols: TCP
  • Filtering mode: Multiple host
  • Affinity: none
6. Add the host NYC-SVR1 to the cluster.

Task 3: Test the NLB Cluster
1. Use Internet Explorer to browse to http://10.10.0.70. The IIS 7.0 default page appears.
2. Turn off NYC-SVR1.
3. Use Internet Explorer to browse to http://10.10.0.70.

Results: Even though an NLB cluster member is unavailable, the web site is still available.

Task 4: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
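Task 3 of the lab checks availability with two manual browser requests. The script below is an added example, not part of the 6419A courseware, that makes the same test repeatable: it requests the cluster's virtual IP at a fixed interval so that a node can be turned off while it runs and any failed requests stand out in the log, then asks the NLB command-line tool for the converged state of the hosts. It assumes the lab values (virtual IP 10.10.0.70, TCP port 80), PowerShell 2.0, and that it is run on a cluster host where nlb.exe is installed with the feature.

```powershell
# Added example, not from the 6419A courseware: scripted version of Lab B
# Task 3. Assumes the lab's cluster VIP 10.10.0.70 on port 80, PowerShell 2.0
# and, for the final state query, that the script runs on an NLB cluster host.
param(
    [string]$ClusterIP = "10.10.0.70",
    [int]$Requests = 20,
    [int]$IntervalSeconds = 2
)

function Test-ClusterVip {
    param([string]$Ip, [int]$Count, [int]$Interval)
    $results = @()
    for ($i = 1; $i -le $Count; $i++) {
        $req = [System.Net.HttpWebRequest]::Create("http://$Ip/")
        $req.Timeout   = 3000     # fail fast: a hung request counts as an outage
        $req.KeepAlive = $false   # new TCP connection each time, so the port rule
                                  # (affinity: none) maps every request afresh
        $status = "error"
        try {
            $resp   = $req.GetResponse()
            $status = [int]$resp.StatusCode
            $resp.Close()
        } catch [System.Net.WebException] {
            $status = "error: " + $_.Exception.Message
        }
        $results += New-Object PSObject -Property @{
            Time = Get-Date -Format "HH:mm:ss"; Request = $i; Status = $status
        }
        Start-Sleep -Seconds $Interval
    }
    return $results
}

function Get-NlbHostState {
    # nlb.exe is the Windows Server 2008 command-line tool for NLB (formerly
    # wlbs.exe); "nlb query" reports the cluster's converged host state.
    & nlb.exe query 2>&1
}

$log = Test-ClusterVip -Ip $ClusterIP -Count $Requests -Interval $IntervalSeconds
$log | Format-Table Time, Request, Status -AutoSize
$failed = @($log | Where-Object { $_.Status -ne 200 }).Count
Write-Host "$failed of $Requests requests failed"
Get-NlbHostState
```

Start the script, turn off NYC-SVR1 while it is polling, and compare the timestamps of any failed requests with the moment the node went down; with the lab's port rule the cluster should reconverge within a few heartbeats, so only a handful of requests around that moment, if any, should fail.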

ISLAMSC. if you are using NLB to load balance a cluster of IIS servers. Security procedures can typically be found in the documentation for each particular application. It is important to properly secure the load-balanced applications and hosts. you should follow the procedures and guidelines for securing IIS.Configuring Availability of Network Content and Resources 13-29 MCT USE ONLY. 2. What is the danger of choosing to restore a folder in Shadow Copies? How is failover clusters different from Network Load Balancing? Best Practices Consider the following best practices for NLB and Failover Clustering: • Properly secure the NLB hosts and the load-balanced applications: • Network Load Balancing does not provide additional security for the loadbalanced hosts and cannot be used as a firewall.COM . For example. STUDENT USE PROHIBITED Module Review and Takeaways Review Questions 1. WWW.

  • You must protect the NLB subnet from intrusion by unauthorized computers and devices to avoid interference from unauthorized heartbeat packets.
• While not required, use two or more network adapters in each NLB cluster host whenever possible:
  • If the cluster is operating in the default unicast mode, NLB cannot distinguish between single adapters on each host. Therefore, any communication among NLB cluster hosts is not possible unless each cluster host has at least two network adapters.
  • You can configure Network Load Balancing on more than one network adapter. However, if you use a second network adapter to address this best practice, make sure that you install Network Load Balancing on only one adapter (referred to as the cluster adapter).
• Use only the TCP/IP network protocol on the cluster adapter:
  • Do not add any other protocols (for example, IPX) to this adapter.
• Enable Network Load Balancing Manager logging: You can configure Network Load Balancing Manager (NLBM) to log each NLBM event. This log can be very useful in troubleshooting problems or errors when using NLBM. Enable NLBM logging by clicking Log Settings in the Network Load Balancing Manager Options menu. Select the Enable logging check box, and then specify a name and location for the log file.
  • The Network Load Balancing Manager log file contains potentially sensitive information about the Network Load Balancing cluster and hosts, so it must be properly secured. By default, the log file inherits the security settings of the directory in which it is created, so you may need to change the explicit permissions on the file to restrict read and write access to those individuals who do not need full control of the file. Be aware that the individual using NLBM does require full control of the log file.

• Verify that the load-balanced application is started on all cluster hosts on which the application is installed:
  • NLB does not start or stop applications.
• Use the following to help increase failover cluster security:
  • Do not set the Cluster service account to be a member of the domain Administrators group. By giving the minimal possible user rights to the Cluster service account, you avoid potential security issues if that account is compromised.
  • Use different accounts for the Cluster service and applications in the cluster.
  • Use different Cluster service accounts for multiple clusters.
  • Limit client access to cluster resources.
  • Limit and audit access to shared data (for example, files and folders on cluster disks).
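The best practice on the Network Load Balancing Manager log file says to stop relying on the inherited directory permissions and to grant access only to those who need it. The following script is an added example, not part of the 6419A courseware, that applies that advice with Get-Acl and Set-Acl: the file stops inheriting the directory's entries and keeps only SYSTEM, the local Administrators group and the named NLBM operator, who needs full control. The log path and operator account are assumed lab values.

```powershell
# Added example, not from the 6419A courseware: restrict the NLB Manager log
# file to SYSTEM, Administrators and the NLBM operator. The path and the
# operator account are assumed lab values; run as a member of Administrators
# (or the file's owner) so the DACL can be rewritten.
param(
    [string]$LogPath = "C:\NLBLogs\nlbmanager.log",
    [string]$OperatorAccount = "WOODGROVEBANK\Administrator"
)

function Protect-NlbLogFile([string]$Path, [string]$Operator) {
    if (-not (Test-Path -Path $Path)) {
        throw "$Path does not exist; enable logging in NLB Manager (Options, Log Settings) first"
    }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent directory; $false means the inherited
    # entries are dropped rather than copied onto the file as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that are already on the file.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($identity in @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", $Operator)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $full, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-NlbLogFileAccess([string]$Path) {
    # Return the resulting entries so the change can be reviewed and recorded.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Protect-NlbLogFile -Path $LogPath -Operator $OperatorAccount
Get-NlbLogFileAccess -Path $LogPath | Format-Table -AutoSize
```

After the script runs, every entry reported by Get-NlbLogFileAccess should show IsInherited as False and only the three identities should be listed; if the log file is later recreated in the same directory by NLB Manager, the new file inherits the directory permissions again and the script must be re-run.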


Module 14
Monitoring and Maintaining Windows Server 2008 Servers

Contents:
Lesson 1: Planning Monitoring Tasks 14-3
Lesson 2: Calculating a Server Baseline 14-9
Lesson 3: Measuring Performance Objects 14-14
Lab A: Identifying Windows Server 2008 Monitoring Requirements 14-24
Lesson 4: Selecting Appropriate Monitoring Tools 14-29
Lesson 5: Planning Notification Methods 14-37
Lesson 6: Overview of Windows Server 2008 Management Tasks 14-41
Lesson 7: Automating Windows Server 2008 Management 14-45
Lab B: Configuring Windows Server 2008 Monitoring 14-49

Module Overview
Most businesses require cost-effective solutions that provide value for money. You should monitor servers to ensure that they run efficiently and use available server capacity. Many administrators require performance-monitoring tools to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers.

Lesson 1: Planning Monitoring Tasks

The Microsoft® Windows Server® 2008 operating system can use many monitoring tools. This lesson discusses the range of monitoring features that are available for Windows Server 2008 and how you can plan to measure the efficiency of the operating system and hardware components through monitoring.

Reasons for Monitoring

Key Points
You should monitor servers in your organization so that you can troubleshoot unexpected performance problems from your hardware and software quickly and easily. By using performance-monitoring tools, you can determine when a server is really slower at responding to user requests rather than relying on user perception of "slow" and "fast" response times. This type of monitoring can also help you to ensure that you are meeting SLAs. Interactive monitoring of systems is useful when you want to determine the effect of performing a specific action or troubleshoot specific events.

Reviewing collected data can be useful for tracking trends over time, determining when to relocate resources, and deciding when to invest in new hardware to meet the changing requirements of your business. You should use historical performance data to assist you when you plan future server requirements.

Question: List four troubleshooting procedures that would benefit from server monitoring.

Monitoring Methods

Key Points
You should select the most appropriate tool to suit the type of monitoring that is required.

Question: Which tools do you currently plan to use to monitor Windows Server 2008? Consider long-term planning goals and specific troubleshooting instances.

Planning for Event Monitoring

Key Points
There are several considerations when planning for event monitoring. Consider the following:
• You should ensure that your systems are cost-effective for your organization.
• You can prevent service and system outages by ensuring that resources retain enough capacity to meet service-level agreements (SLAs).
• Your business may achieve reductions in the effort staff spend on event monitoring by implementing efficient event monitoring.

Question: What is the monetary cost of reduced user productivity for your organization?
Question: What is the cost of system outage that is caused by not monitoring systems?
Question: What is the cost of a reactive approach to troubleshooting?

Lesson 2: Calculating a Server Baseline

This lesson discusses some of the key server components to measure. You will learn how to use analysis and planning techniques from collected performance metrics to improve your server infrastructure.

Key Hardware Components to Monitor

Key Points
The four main hardware components to monitor are processor, disk, memory and network.
• You should measure all of the key components in your system.
• You should consider the server role and workload to determine which hardware components are likely to restrict performance.
• You can increase server performance by adding power or reducing the number of users who are accessing a server.

Question: Which hardware components are most likely to restrict performance for a file server?

Common Performance Metrics

Key Points
You should familiarize yourself with basic performance measurement objects and counters to monitor the main hardware components.

Question: What performance issues could be identified by monitoring cache?

Analyzing Performance Trends

Key Points
It is important to align planning across your organization. By analyzing performance trends, you can make decisions for the future.
• You should give careful consideration to the value of performance data to ensure that it reflects the real server environment.
• You should consider performance analysis alongside business plans.
• It may be possible to reduce the number of servers in operation after you have measured performance.

Question: What additional server support will your current business plans require?

Planning for Future Capacity Requirements

Key Points
You want to ensure that you are able to support future growth in your organization. Planning for future capacity will allow your organization to grow without compromising productivity. Capacity planning focuses on:
• The server workload.
• The number of users that a server can support.
• How to scale the systems to support additional workload and users in the future.

Question: How can you scale up your existing server workload to support more users?

Lesson 3: Measuring Performance Objects

Performance tuning is the continuous process of monitoring a server to determine whether it can deliver the requested workload. You should tune servers to adjust to the current workload to support more users or applications. Windows Server 2008 enables you to create server roles to meet your business requirements. You should tune these roles to ensure that they are performing efficiently to maximize their use. In this lesson, you will learn some of the basic performance counters to measure for different server roles.

Identifying Server Role Performance Metrics

Key Points
Windows Server 2008 uses server roles to improve server efficiency and security.
• By using server roles, you ensure that you install and activate only the required components on your servers.
• Only the performance objects and counters that are relevant to the installed server role are available to monitor.
• By identifying the role that a server performs, you can ensure that you measure the necessary counters to monitor performance.

Question: Which server roles will you use in your organization? Which objects and counters will be available for you to monitor?

Identifying Key Performance Counters

Key Points
Windows Server 2008 enables monitoring of operating system performance through performance objects and counters in the object. There are many counters that you should research and consider monitoring to meet your specific requirements. Windows Server 2008 collects data from counters in various ways, including:
• Real-time snapshot value
• Total since last server restart
• Average over specific time interval
• Average of last x values

• Number per second
• Maximum value
• Minimum value

Question: Why are average counters more useful than counters that show the current value?

Primary CPU Performance Counters

Key Points
CPU counters are a feature of the computer's CPU that store the count of hardware-related events.
• Processor\% Processor Time: Shows the percentage of elapsed time that this thread used the processor to execute instructions. An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions. Code executed to handle some hardware interrupts and trap conditions is included in this count.
• Processor\Interrupts/sec: Shows the rate, in incidents per second, at which the processor received and serviced hardware interrupts.

• System\Processor Queue Length: The System\Processor Queue Length counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time. Also, the System\Processor Queue Length counter reports a total queue length for all processors, not a length per processor.

Question: If the % Processor Time is 80%, should any corrective action be taken?

Primary Memory Performance Counters

Key Points
The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the amount of RAM on the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory.

Question: If the Pool Nonpaged Bytes counter has a slow rise, what might be happening?

Primary Disk Performance Counters

Key Points
The LogicalDisk performance object consists of counters that monitor logical partitions of hard or fixed disk drives. System Monitor identifies logical disks by their drive letter, such as "C." The PhysicalDisk performance object consists of counters that monitor hard or fixed disk drives. Disks are used to store file, program, and paging data. They are read to retrieve these items, and are written to record changes to them. The values of physical disk counters are sums of the values of the logical disks (or partitions) into which they are divided.

Question: Why do you want the % Disk Time to be as low as possible?

Primary Network Performance Counters

Key Points
Most workloads require access to production networks to ensure communication with other applications and services and to communicate with users. Network requirements include elements such as throughput—that is, the total amount of traffic that passes a given point on a network connection per unit of time. Other network requirements include the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for:
• Public network access.
• Connections to the physical host server.
• Connections to network-based storage arrays.
• Dedicated remote-management connections.
• Networks for performing backups and other maintenance tasks.
• Network adapter teaming for performance and failover.

By monitoring the network performance counters, you can evaluate your network performance.

Question: If the Output Queue Length is 5, what problems might you have in your network?

Lab A: Identifying Windows Server 2008 Monitoring Requirements

Exercise 1: Evaluating Performance Metrics

Scenario
In this exercise, you will review data collector sets to locate problems and provide troubleshooting advice to technical specialists.

The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Identify performance problems with Windows Server 2008 - Part A.
3. Identify performance problems with Windows Server 2008 - Part B.
4. Identify performance problems with Windows Server 2008 - Part C.

Task 1: Start each virtual machine and log on
1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 - Part A
You know that the server 6419A-NYC-SVR1 experiences low network traffic and has limited disk activity, but the help desk is receiving many reports that the server is slow.
• Use Performance Monitor to review the data collector log at E:\Labfiles\Mod14\Ex1A\6419A-NYC-SVR1-LAB14-EX1A.blg on the server 6419A-NYC-SVR1:
  • Examine the following counters:
    • Processor - % Processor Time
    • System - Processor Queue Length
    • Process - % Processor Time (All Instances)
  • What appears to be the problem on this server? Write a brief report that outlines your findings and suggests possible solutions to the problem.

Task 3: Identify performance problems with Windows Server 2008 - Part B
You know that the server 6419A-NYC-SVR1 is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow.
• Use Performance Monitor to review the data collector log at E:\Labfiles\Mod14\Ex1B\6419A-NYC-SVR1-LAB14-EX1B.blg on the server 6419A-NYC-SVR1:
  • Examine the following counters:
    • PhysicalDisk - Current Disk Queue Length
    • PhysicalDisk - Avg. Disk Queue Length
    • PhysicalDisk - Disk Transfers/sec
    • Process - IO Data Bytes/sec (All Instances)
  • What appears to be the problem on this server? Write a brief report that outlines your findings and suggests possible solutions to the problem.

Task 4: Identify performance problems with Windows Server 2008 - Part C
You know that the server 6419A-NYC-SVR1 experiences low network traffic and is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow.
• Use Performance Monitor to review the data collector log at E:\Labfiles\Mod14\Ex1C\6419A-NYC-SVR1-LAB14-EX1C.blg on the server 6419A-NYC-SVR1.
  • Examine the following counters:
    • Process - Working Set-Private (All Instances)
    • Paging File - % Usage
    • Paging File - % Usage Peak
    • Memory - Available Mbytes
    • Memory - Committed Bytes
    • Memory - % Committed Bytes In Use
    • Memory - Page Faults/sec
    • Memory - Pool Nonpaged Bytes
    • Memory - Pool Paged Bytes
  • What appears to be the problem on this server? Write a brief report that outlines your findings and suggests possible solutions to the problem.

Results: After this exercise, you should have identified performance issues with servers and suggested steps to resolve the problems.

Exercise 2: Monitoring Performance Metrics

Scenario
In this exercise, you will plan the performance metrics that are required to measure the scalability of a server. The main task for this exercise is to create a data collector set to measure server requirements.

Task 1: Create a data collector set to measure server requirements
• Create a data collector set based on the System Performance template to measure the performance requirements of a file server. This forms the base performance metrics for measuring the capacity of this server.
• Which specific counters do you anticipate will require careful analysis?

Results: After this exercise, you should have identified steps to create a data collector set for measuring file server performance.
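Exercise 2 creates the baseline data collector set from the System Performance template in the Reliability and Performance Monitor console. The script below is an added example, not part of the 6419A courseware, that builds the same kind of counter data collector set with logman.exe instead, so that the list of counters is explicit and can be kept under version control and reproduced on every file server. It assumes PowerShell 2.0 in an elevated prompt; the set name, sample interval, output path and the particular counters (the Lesson 3 counters for the four hardware components, plus the Server object for SMB load) are assumptions.

```powershell
# Added example, not from the 6419A courseware: create and start a file server
# baseline data collector set with logman.exe. The set name, interval, output
# path and counter list are assumptions; run elevated under PowerShell 2.0.
param(
    [string]$Name = "FileServerBaseline",
    [string]$OutputDir = "C:\PerfLogs\FileServerBaseline",
    [string]$SampleInterval = "00:00:15",   # hh:mm:ss; 15 s keeps a day of data manageable
    [int]$MaxLogMB = 512                    # stop the .blg from growing without bound
)

# The Lesson 3 counters for processor, memory, disk and network, plus the
# Server object, which shows SMB load on a file server.
$counters = @(
    "\Processor(_Total)\% Processor Time",
    "\System\Processor Queue Length",
    "\Memory\Available MBytes",
    "\Memory\Pool Nonpaged Bytes",
    "\Memory\Pages/sec",
    "\PhysicalDisk(_Total)\Avg. Disk Queue Length",
    "\PhysicalDisk(_Total)\% Disk Time",
    "\PhysicalDisk(_Total)\Disk Transfers/sec",
    "\Network Interface(*)\Bytes Total/sec",
    "\Network Interface(*)\Output Queue Length",
    "\Server\Files Open",
    "\Server\Work Item Shortages",
    "\Server Work Queues(*)\Queue Length"
)

function New-BaselineCollector {
    param([string]$SetName, [string[]]$CounterPaths, [string]$Interval, [string]$Dir, [int]$MaxMB)
    # logman reads the counter list from a file (-cf), which avoids quoting a
    # dozen counter paths on one command line.
    $counterFile = Join-Path $env:TEMP "$SetName-counters.txt"
    $CounterPaths | Set-Content -Path $counterFile -Encoding ASCII
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    & logman.exe create counter $SetName -cf $counterFile -si $Interval `
        -o (Join-Path $Dir $SetName) -f bin -max $MaxMB -ow
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Start-BaselineCollector([string]$SetName) {
    & logman.exe start $SetName
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
}

function Get-BaselineCollectorStatus([string]$SetName) {
    # "logman query <name>" prints the set's status, output path and counters.
    & logman.exe query $SetName
}

New-BaselineCollector -SetName $Name -CounterPaths $counters -Interval $SampleInterval -Dir $OutputDir -MaxMB $MaxLogMB
Start-BaselineCollector $Name
Get-BaselineCollectorStatus $Name
```

Let the set run over a representative period (a full business week captures the daily and weekly peaks), then run logman stop with the same name and open the resulting .blg in Performance Monitor exactly as in Exercise 1. That file is the baseline the Lesson 2 trend analysis compares later captures against.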

Lesson 4: Selecting Appropriate Monitoring Tools

Windows Server 2008 provides a range of tools to monitor the operating system and applications that you can use to tune your system for efficiency. You should use these tools and complement them where necessary with your own tools.

Windows Server 2008 Monitoring Tools

Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your systems. Windows Server 2008 Event Viewer collects information that relates to server operations. Task Manager enables you to view processes in real time to determine their exact resource usage at a point in time. All performance counters are available programmatically through Microsoft Windows® Management Instrumentation (WMI). By making performance counters available through WMI, you can monitor servers by using scripts.
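The script below is an added example, not part of the 6419A courseware, that shows the scripted monitoring this topic describes and at the same time reads the counters from the Lesson 3 topics on CPU, memory, disk and network counters. It samples each counter several times through the WMI formatted-data classes (Win32_PerfFormattedData_PerfOS_Processor and its siblings, which expose the same values as the Performance Monitor objects) and reports the average, minimum and maximum, because, as Lesson 3 notes for the processor queue length, an instantaneous value is only meaningful when observed over time. It assumes PowerShell 2.0, and a remote -ComputerName needs WMI/DCOM access to the target; the warning thresholds are assumed illustrative values, not figures from the course.

```powershell
# Added example, not from the 6419A courseware: sample the Lesson 3 counters
# through WMI and average them. Assumes PowerShell 2.0; a remote -ComputerName
# needs WMI/DCOM access. The warning thresholds are assumed illustrative values.
param(
    [string]$ComputerName = ".",
    [int]$Samples = 6,
    [int]$IntervalSeconds = 5
)

# Counter name -> WMI class, instance to select ($null = single-instance class,
# "*" = every instance, report the busiest one), property holding the value.
$counterMap = @{
    "Processor\% Processor Time"            = @("Win32_PerfFormattedData_PerfOS_Processor", "_Total", "PercentProcessorTime")
    "Processor\Interrupts/sec"              = @("Win32_PerfFormattedData_PerfOS_Processor", "_Total", "InterruptsPersec")
    "System\Processor Queue Length"         = @("Win32_PerfFormattedData_PerfOS_System", $null, "ProcessorQueueLength")
    "Memory\Available MBytes"               = @("Win32_PerfFormattedData_PerfOS_Memory", $null, "AvailableMBytes")
    "Memory\Pool Nonpaged Bytes"            = @("Win32_PerfFormattedData_PerfOS_Memory", $null, "PoolNonpagedBytes")
    "Memory\Pages/sec"                      = @("Win32_PerfFormattedData_PerfOS_Memory", $null, "PagesPersec")
    "PhysicalDisk\Avg. Disk Queue Length"   = @("Win32_PerfFormattedData_PerfDisk_PhysicalDisk", "_Total", "AvgDiskQueueLength")
    "PhysicalDisk\% Disk Time"              = @("Win32_PerfFormattedData_PerfDisk_PhysicalDisk", "_Total", "PercentDiskTime")
    "Network Interface\Output Queue Length" = @("Win32_PerfFormattedData_Tcpip_NetworkInterface", "*", "OutputQueueLength")
}

# Assumed warning thresholds on the averages (illustrative only).
$warnAbove = @{
    "Processor\% Processor Time"            = 80
    "PhysicalDisk\Avg. Disk Queue Length"   = 2
    "Network Interface\Output Queue Length" = 2
}
$warnBelow = @{ "Memory\Available MBytes" = 256 }

function Read-FormattedCounter([string]$Computer, [string]$Class, $Instance, [string]$Property) {
    $objs = @(Get-WmiObject -ComputerName $Computer -Class $Class)
    if ($Instance -and $Instance -ne "*") {
        $objs = @($objs | Where-Object { $_.Name -eq $Instance })
    }
    if ($objs.Count -eq 0) { return $null }
    # With "*" (Network Interface has no _Total instance) report the busiest instance.
    return ($objs | Measure-Object -Property $Property -Maximum).Maximum
}

function Get-CounterBaseline([string]$Computer, [int]$Count, [int]$Interval) {
    $history = @{}
    foreach ($name in $counterMap.Keys) { $history[$name] = @() }
    for ($i = 1; $i -le $Count; $i++) {
        foreach ($name in $counterMap.Keys) {
            $class, $instance, $property = $counterMap[$name]
            $value = Read-FormattedCounter $Computer $class $instance $property
            if ($value -ne $null) { $history[$name] += [double]$value }
        }
        if ($i -lt $Count) { Start-Sleep -Seconds $Interval }
    }
    foreach ($name in ($history.Keys | Sort-Object)) {
        $values = $history[$name]
        if ($values.Count -eq 0) { continue }
        $stats = $values | Measure-Object -Average -Minimum -Maximum
        $flag = ""
        if ($warnAbove.ContainsKey($name) -and $stats.Average -gt $warnAbove[$name]) { $flag = "HIGH" }
        if ($warnBelow.ContainsKey($name) -and $stats.Average -lt $warnBelow[$name]) { $flag = "LOW" }
        New-Object PSObject -Property @{
            Counter = $name
            Average = [math]::Round($stats.Average, 2)
            Min     = $stats.Minimum
            Max     = $stats.Maximum
            Samples = $values.Count
            Warning = $flag
        }
    }
}

Get-CounterBaseline -Computer $ComputerName -Count $Samples -Interval $IntervalSeconds |
    Format-Table Counter, Average, Min, Max, Samples, Warning -AutoSize
```

A few samples spaced seconds apart is enough to answer a help desk report like the ones in Lab A; for capacity planning, raise -Samples and -IntervalSeconds or schedule the script so that the averages cover the working day, and replace the illustrative thresholds with values taken from the server's own baseline.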

You can use Microsoft Windows Reliability and Performance Monitor to examine how programs you run affect your computer's performance, both in real time and by collecting log data for later analysis.
Question: Which tools do you currently use to monitor servers? How can you make use of improved monitoring tools in Windows Server 2008?

Reliability and Performance Monitor
Key Points
Performance Monitor provides a visual display of Windows performance objects and counters, either in real time or as a review of historical data. Performance Monitor features multiple graph views that you can use to review performance log data. You can create custom views in Performance Monitor that you can export as data collector sets for use with performance and logging features.
Question: What is a benefit of Data Collector Sets?

Reliability Monitor
Key Points
Reliability Monitor provides a system stability overview and trend analysis with detailed information about individual events that may affect the overall stability of the system.
Question: How can you use the Reliability Monitor in your organization?

Demonstration: Overview of the Reliability and Performance Monitor
Key Points
• Reliability and Performance Monitor resources view.
• Performance Monitor overview.
• Reliability Monitor overview.
• Reports overview.
Question: Where can you find real-time information about network activity?
Question: Which Reliability Monitor reports will you implement in your work environment?

Third-Party Monitoring Tools
Key Points
Third-party tools can help you monitor your server environment. Hardware vendor tools are useful in detecting performance issues that occur because of faulty hardware. Many third-party tools integrate with System Center Operations Manager (Operations Manager) 2007 to provide a centralized monitoring console for your organization.
Question: Which third-party monitoring tools do you currently use, if any? How can these help you monitor server performance in the future?

What Are Subscriptions?
Key Points
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer provides the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. After a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Question: Where would subscriptions be most useful in your organization?

Lesson 5 Planning Notification Methods
Your business will require you to react to various events to ensure that you maintain SLAs. To meet SLAs, you must notify staff by using a range of methods to take appropriate action to resolve problems. It may be necessary for staff to request additional support to assist in troubleshooting some events.

Identifying Business Requirements
Key Points
Performance tuning is an ongoing exercise where you never achieve perfection. You should always attempt to find the most cost-effective solution to a performance bottleneck. You should ensure that your server operations run effectively and meet all of your business SLAs.
Question: What are your business's response times, and how does your business make staff available to provide support?

Suitable Notification Methods
Key Points
You should react in a measured and appropriate manner to an event. Notifications of server events should take into account the severity of the problem.
• Some events will require staff to react immediately to ensure that they maintain system availability.
• Other events may require staff to perform investigative work in the form of additional system checks to determine the cause of a problem and then to provide a solution to improve system performance. These system checks usually do not require an immediate e-mail response.
Question: How do you notify staff of service failure or maintenance problems? In what ways can you improve this process?

Establishing an Escalation Path
Key Points
To meet SLAs, you should ensure that you have a clear audit trail to follow when you escalate performance issues.
• Your SLAs should state the amount of time problems remain at various stages during resolution. This helps you to provide an acceptable and mutually agreed level of service to your organization.
• Where it is not possible to resolve an issue in-house, you should notify the relevant people because further delays are likely.
Question: What improvements can you make to the escalation paths for issues within your business?

Lesson 6 Overview of Windows Server 2008 Management Tasks
To ensure that the server runs optimally, it is important to understand what management tasks you must perform on your servers. You must decide how frequently to run each management task, and ensure that the frequency reflects both maintenance and business requirements.

Windows Server 2008 Maintenance Tasks
Key Points
Performing regular maintenance tasks will help facilitate optimal server availability.
• Regular maintenance tasks involve ensuring your computer is up-to-date with the latest operating system updates, including security updates. You will also want to ensure that the latest security updates are installed for all applications.
• Monitoring performance, health and diagnostics on a regular basis will ensure possible issues are caught early.
• Troubleshooting tools, such as Event Viewer, are included with Windows Server 2008. In addition, administrators can search the Microsoft TechNet Web site, the Microsoft Web site, search engines, newsgroups, and blogs.
Question: List the monitoring tasks you perform at work most often.

Common Tasks for Different Server Roles
Key Points
Different server roles will necessitate different tasks. However, you will want to perform some tasks for all types of servers, including reviewing system and application event logs.
Question: Which event logs do you regularly review on your servers at work?
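Reviewing the System and Application logs on every server is the task that most often gets skipped because it means opening Event Viewer on each machine. The following Windows PowerShell function, an added example that is not part of the course, reduces the daily review to one table: Error and Warning entries from the last 24 hours, grouped by source, with the newest message for each. It assumes Windows PowerShell 2.0 or later (Get-EventLog gained -ComputerName in that release) and uses lab server names as assumptions.

```powershell
# Added example: summarize Error and Warning events from the System and Application
# logs of several servers for the last N hours, grouped by source.
# Assumes Windows PowerShell 2.0+ (Get-EventLog -ComputerName). Names are lab assumptions.
function Get-LogReview {
    param(
        [string[]]$ComputerName = @('NYC-DC1', 'NYC-SVR1'),
        [string[]]$LogName      = @('System', 'Application'),
        [int]$Hours             = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($c in $ComputerName) {
        foreach ($log in $LogName) {
            try {
                $events = Get-EventLog -ComputerName $c -LogName $log -EntryType Error, Warning -After $since -ErrorAction Stop
            } catch {
                Write-Warning "Could not read the $log log on $c : $($_.Exception.Message)"
                continue
            }
            # One row per (Source, EntryType): how many, when the newest was, what it said.
            $events | Group-Object Source, EntryType | ForEach-Object {
                $newest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
                New-Object PSObject -Property @{
                    Computer = $c
                    Log      = $log
                    Source   = $newest.Source
                    Type     = $newest.EntryType
                    Count    = $_.Count
                    Newest   = $newest.TimeGenerated
                    Message  = ($newest.Message -split "`n")[0].Trim()
                }
            }
        }
    }
}

Get-LogReview | Sort-Object Computer, Log, Count -Descending |
    Format-Table Computer, Log, Source, Type, Count, Newest, Message -AutoSize -Wrap
```

Adding 'Security' to $LogName works only for an account that holds the Manage auditing and security log user right (or is in Event Log Readers on the target); reading the other logs needs no special privilege beyond remote access. A source whose Count climbs day after day is the one to chase even if no single entry looks alarming.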

Frequency of Management Tasks
Key Points
To maximize administrator time while also providing adequate monitoring of servers, you should follow guidelines for the frequency of management tasks.
Question: How often do you review server event logs?
Question: Do any of your servers have requirements that make scheduling management tasks more difficult (such as 24x7 operations)?

Lesson 7 Automating Windows Server 2008 Maintenance
There are many advantages to automating aspects of your Windows Server 2008 management strategy. Automating management tasks often saves time and can have a significant impact on costs. However, there are many considerations to take into account that relate to the methods, software, skills, and planning that you must perform before you can deploy automation options.

Automation Requirements
Key Points
When you examine automation solutions for managing your server infrastructure, you must consider several aspects that can provide benefits but may have hidden restrictions or costs.
Question: Do you have any skills in scripting or in Windows PowerShell™ in your organization?

Task Automation Tools
Key Points
Microsoft provides many tools that can simplify complex or repetitive tasks in Windows Server 2008. Although some of these tools may require additional skills, several of them are straightforward to implement and offer immediate benefits. In addition, you may use various third-party tools that can perform monitoring and alerting, deploy configuration changes, or perform audits to more easily manage computers on your network.
Question: Do you currently use automation tools at work?
Question: In what ways can using automation tools benefit your organization?

Tool Selection Process
Key Points
When you choose tools to help you manage your infrastructure, you must consider several factors to ensure that you make the right choice. You may need to select several tools to ensure comprehensive coverage of all of your management requirements.
Question: If you currently use some of these tools, why were they chosen?

Lab B: Configuring Windows Server 2008 Monitoring
Exercise 1: Configuring Data Collector Sets
Scenario
In this exercise, you will configure data collector sets to generate an alert. The main task for this exercise is to generate an alert by using a data collector set.
Task 1: Generate an alert by using a data collector set
• Create a user-defined data collector set and configure an alert to trigger when the counter Process - % Processor Time reaches 95%.
• The alert should log an event in the application event log.
Results: After this exercise, you should have configured a performance alert.
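The same alert can be defined from the command line with logman.exe, which is useful when it has to exist on many servers. This is an added example, not part of the lab; the alert name and sample interval are assumptions. Two checks a practitioner would want: the threshold here is on Processor(_Total) rather than a per-process counter, because a single process's % Processor Time can exceed 100 on a multi-core server and so does not make a meaningful server-wide threshold; and on Windows Server 2008 the alert entry is written to the Microsoft-Windows-Diagnosis-PLA/Operational log under Applications and Services Logs, so look there if the Application log appears empty while testing.

```powershell
# Added example: create a performance alert with logman.exe instead of the
# Reliability and Performance Monitor dialog. Name and interval are assumptions.
$Name = 'HighCpuAlert'

# -th: counter path and threshold; -el: log an event when the alert fires;
# -si: how often the counter is sampled (five-second samples smooth out spikes).
& logman.exe create alert $Name -th '\Processor(_Total)\% Processor Time>95' -si 00:00:05 -el
& logman.exe start $Name

# Verify the definition and its running state.
& logman.exe query $Name

# Where the alert events land on Windows Server 2008: the Diagnosis-PLA operational
# log. Show the five most recent entries, newest first, as text.
& wevtutil.exe qe Microsoft-Windows-Diagnosis-PLA/Operational /c:5 /rd:true /f:text
```

To test the alert without waiting for a real problem, run a CPU-bound loop in a second PowerShell window (for example, while ($true) { $null = 1 + 1 }) for a few seconds and then re-run the wevtutil query.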

Exercise 2: Monitoring Extension Exercise
Scenario
In this exercise, you will create a data collector set to monitor a server that you currently administer. The main task for this exercise is to create a tailored data collector set.
Task 1: Create a tailored data collector set
• Use the Reliability and Performance Monitor to create a data collector set for a server in your organization.
Results: After this exercise, you should have identified performance counters that you will need to collect from a server in your own organization.

Exercise 3: Automating Maintenance Tasks
Scenario
You decide that it will be easier to review the Directory Service log information from a single, central location. You also want to produce a simple report about disk space across several servers at the same time. In this exercise, you will configure event forwarding for Directory Service events.
The main tasks for this exercise are as follows:
1. Forward Directory Service replication error messages to a central location.
2. Run a script to review disk space.
3. Close all virtual machines, and discard undo disks.
Task 1: Forward Directory Service replication error messages to a central location
• Log on to 6419A-NYC-DC1 by using the following information:
  • User name: woodgrovebank\administrator
  • Password: Pa$$w0rd
• Add the computer NYC-SVR1 to the Administrators group in the WoodgroveBank.com domain.
• Log on to 6419A-NYC-SVR1 by using the following information:
  • User name: woodgrovebank\administrator
  • Password: Pa$$w0rd
• Open Event Viewer.
• Create a subscription to forward events from NYC-DC1 to NYC-SVR1 by manually entering the query in the following code example:

    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
      </Query>
    </QueryList>
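The subscription that Task 1 builds through the Event Viewer dialog (and that the "What Are Subscriptions?" topic earlier in this module describes) can also be created with wecutil.exe and winrm.exe, both of which ship with Windows Server 2008. The following is an added example, not part of the lab; the subscription name, description and temporary file path are assumptions, and the query is the one from Task 1. One security check is worth making before you copy the lab into production: the lab puts the collector's computer account (NYC-SVR1) into the domain's Administrators group, which makes that member server an administrator of every domain controller. With the default credentials type the collector reads the log as its own computer account, and membership in the built-in Event Log Readers group on the source is enough to read the Directory Service log.

```powershell
# Added example: create the Directory Service replication-error subscription with
# wecutil.exe on the collector (NYC-SVR1). Names and file path are lab assumptions.

# Step 1 (on the source, NYC-DC1, not here): run  winrm quickconfig
#   This creates the WinRM listener the collector connects to.
# Step 2 (on the collector): enable and start the Windows Event Collector service.
& wecutil.exe qc /q

# Step 3: subscription definition in the format wecutil expects. The query is the
# one from Task 1; CredentialsType Default means the collector's machine account.
$xml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DS-Replication-Errors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Directory Service replication errors and warnings from NYC-DC1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-DC1.woodgrovebank.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'ds-replication-subscription.xml'
$xml | Out-File -FilePath $path -Encoding ASCII

# Step 4: create the subscription, then show its runtime status per source.
& wecutil.exe cs $path
& wecutil.exe gr DS-Replication-Errors
```

The forwarded events appear in the Forwarded Events log on NYC-SVR1. If wecutil gr reports the source as inactive, the usual causes are WinRM not enabled on NYC-DC1, TCP port 80 blocked between the two servers, or the collector's computer account lacking read access to the Directory Service log.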

Task 2: Run a script to review disk space
• Open Notepad.
• Enter the text in the following code example into Notepad:

    # Report the fixed hard disks (DriveType 3) on each server with size and free space.
    $aryComputers = "NYC-DC1", "NYC-SVR1"
    Set-Variable -Name intDriveType -Value 3 -Option Constant
    foreach ($strComputer in $aryComputers) {
        "Hard drives on: " + $strComputer
        Get-WmiObject -Class Win32_LogicalDisk -ComputerName $strComputer |
            Where-Object { $_.DriveType -eq $intDriveType } |
            Format-Table DeviceID, VolumeName,
                @{Label = "Size(GB)"; Expression = { [math]::Round($_.Size / 1GB, 1) }},
                @{Label = "Free(GB)"; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) }} -AutoSize
    }

• Save the file as C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1.
• Start Windows PowerShell.
• Turn on Windows PowerShell script execution by typing the following: set-executionpolicy unrestricted. (The RemoteSigned policy would also allow this locally created script to run and is the safer setting outside a lab environment.)
• Run the DriveReport.ps1 script that you created and review the results.
Results: After this exercise, you should have configured Event Log forwarding for Active Directory Domain Services replication errors and run a script to review disk space.
Task 3: Close all virtual machines, and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways
Review Questions
1. What are the benefits of monitoring server performance?
2. What are some of the tasks that you should undertake when you create a performance baseline for a server?
3. What are the advantages of using a range of monitoring tools?
4. What are the advantages of measuring specific performance counters?
5. What are the advantages of using alerts to identify performance issues?

Best Practices Related to Windows Server 2008 Performance Monitoring
Supplement or modify the following best practices for your own work situations:
• Create server baselines for each of your server roles.
• Use a range of tools, including third-party tools, to monitor your server infrastructure.
• Reuse data collector sets across servers.

Managing Windows Server 2008 Backup and Restore 15-1

Module 15 Managing Windows Server 2008 Backup and Restore
Contents:
Lesson 1: Planning Backups with Windows Server 2008          15-3
Lesson 2: Planning Backup Policy on Windows Server 2008      15-15
Lesson 3: Planning a Server Restore Policy                   15-20
Lesson 4: Planning an EFS Restore Policy                     15-29
Lesson 5: Troubleshooting Windows Server 2008 Startup        15-40
Lab A: Planning Windows Server 2008 Backup Policy            15-51
Lab B: Planning Windows Server 2008 Restore                  15-58

Module Overview
Disaster recovery planning is a critical part of managing any server infrastructure. This module examines the necessary planning for backup procedures to ensure that you protect data and servers sufficiently against disasters.
By using the Microsoft® Windows Server® 2008 operating system, you can restore data that was previously backed up to disk. You should plan your restore policy based on the data that you have backed up from your backup strategy. Restoring data is a riskier operation than backing up data because you can overwrite and lose existing data through careless restore procedures. You should only permit trusted administrators to perform restore operations. It is likely that the restore operators are a subset of the backup operators, but in some organizations, the backup and restore teams are separated. You should use the knowledge that you gain from this module to improve your Windows Server 2008 restore skills.

Lesson 1 Planning Backups with Windows Server 2008
This lesson examines the planning elements that are required to create a successful, unobtrusive, and secure backup process. Typically, you will distribute backup tasks among various servers and personnel in your environment. You can apply these considerations when you are planning backup for various types of data on your network.

Selecting Backup Software and Backup Operators
Key Points
When you plan your backup strategy, you must choose which backup software to use and who should perform some of the required backup tasks. You need backup software to back up the data and servers on your network. You can choose the backup feature in the Windows Server 2008 operating system or you can choose third-party backup software. Your choice depends on your backup medium, how you intend to manage your backups across several servers, and licensing costs, among other factors. For example, the Windows Server 2008 Backup feature has no additional licensing costs, but it does not support tape backups.
The Windows Server 2008 Backup feature also supports command-line use through the Wbadmin.exe command. This is useful for scripting or performing specific backups such as system state data. Note that system state backup is only available from the command line and is not available in the Windows Server Backup snap-in user interface. In addition, you cannot configure a scheduled backup to create system state backups. However, you can script the Wbadmin start systemstatebackup command to run backups on a schedule.
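The scheduling the paragraph describes is done with the Task Scheduler rather than the Windows Server Backup snap-in. The following is an added example, not part of the course: it registers a nightly system state backup with schtasks.exe and verifies the result with wbadmin.exe. It assumes the Windows Server Backup feature, including its command-line tools, is installed and that E: is a locally attached volume reserved for backups; the task name and time are assumptions. Two caveats a practitioner would want: the original release of Windows Server 2008 refuses a system state backup target that is itself a critical volume (one that holds system state components) unless the documented AllowSSBToAnyVolume registry value is set, which a dedicated backup volume avoids; and a system state backup of a domain controller contains the Active Directory database and its password hashes, so the target volume and any copies of it need the same access controls as the domain controller itself.

```powershell
# Added example: schedule a nightly system state backup with wbadmin.exe via the
# Task Scheduler, since the Windows Server Backup snap-in cannot schedule one.
# Assumes the Windows Server Backup command-line tools are installed and that E:
# is a dedicated local backup volume. Task name and time are assumptions.
$Target   = 'E:'
$TaskName = 'Nightly System State Backup'

# -quiet suppresses the confirmation prompt so the task cannot hang waiting for
# input. Run as SYSTEM at highest run level: no stored password, and wbadmin
# needs elevation. /F replaces an existing task of the same name.
$command = "wbadmin start systemstatebackup -backupTarget:$Target -quiet"
& schtasks.exe /Create /F /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST /TN $TaskName /TR $command

# Confirm the registration, then run it once now to prove it works end to end.
& schtasks.exe /Query /TN $TaskName /V /FO LIST
& schtasks.exe /Run /TN $TaskName

# After the run completes, list the backup versions on the target. The version
# identifier shown is what 'wbadmin start systemstaterecovery -version:<id>'
# takes when you restore, so record it with the change that prompted the backup.
& wbadmin.exe get versions -backupTarget:$Target
```

Whoever administers the backup should not rely on the task's own Last Run Result alone: wbadmin writes its outcome to the Microsoft-Windows-Backup operational log, and a failed backup there is what the review described later in this topic needs to catch.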

You may also have special requirements, such as databases, that you must regularly back up. A database backup may require special software or tools to perform the backup. In addition, you must select staff members who should perform the backup tasks. You must ensure that whoever is administering the backup process checks that backups complete successfully and that they are aware of backup failures.
Question: What backup software or solutions do you currently use?

Process for Planning Backup in Windows Server 2008
Key Points
When you plan your backup strategy, you must plan the elements that are listed in the following table.

Plan element: List the data to back up
Details: You must identify all data that requires backup so that you can restore your data and systems in the event of a disaster. You must identify the quantity of data, which in Windows Server 2008 means identifying which volumes to back up, so that you can choose an appropriate storage medium and estimate how long a backup or restore operation requires.

Plan element: Create a backup schedule
Details: You must plan how frequently and at what times servers perform automated backup tasks.

(continued)
Plan element: Choose a backup type
Details: Based on the frequency and the time that is taken to perform a backup and a restore operation, you may also need to select a backup type. Your backup software (for example, SQL Server 2008) may enable you to choose from the following backup types:
• Full or Normal
• Incremental
• Differential
The Windows Server 2008 Backup feature performs one scheduled full backup followed by scheduled incremental backups by using the Volume Shadow Copy Service (VSS).

Plan element: Choose the backup medium
Details: Based on your backup software, the size of backups, and the time to restore data, you should choose an appropriate backup medium. Backup media include:
• Tape (not available with Windows Server 2008 Backup)
• Removable hard disk
• DVD
• Shared folder
Tape is available in various formats, supporting various data rates and storage capacities. If you back up to tape, you should ensure that the tape format that you use is appropriate to the quantity of data that you are backing up. Tapes are susceptible to magnetic fields and heat, so they should be stored away from these environmental factors. The Windows Server 2008 Backup feature does not support backing up to tape: disk, DVD and shared folders are its supported media, and a scheduled backup requires a dedicated, locally attached disk.

Plan element: Create a data retention plan
Details: Consider the length of time that you require to retain backups to restore data. Should you be able to restore data from one month ago, six months ago, 12 months ago, or longer? You must also consider the storage location of your backup media.

The Windows Server Backup feature in Windows Server 2008 consists of an MMC snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. This differs from the more granular selection process in Windows Server 2003 and may affect the way you perform backups. You can, however, still recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery by using a full server backup and the Windows Recovery Environment, which restores your complete system onto the new hard disk.
The ability to take just a system state backup is not exposed in the Windows Server Backup graphical interface. If you wish to take just a system state backup, you must use the wbadmin.exe utility, which is a command-line utility. You may wish to create a system state backup of the machine before you make critical changes to the machine or to Active Directory.
Question: What types of data do you regularly back up at work?

Creating a Backup Schedule
Key Points
When you create a backup schedule, you should consider the following factors:
How often does the data change? You may want to back up data that changes more frequently more often so that you can restore as much information as possible. You should also consider backing up data that changes less often less frequently to reduce storage requirements and administrative overhead.
What is the cost to re-create the data? This cost should have an impact on how frequently you back up data and the storage medium that you use to perform backups. The storage medium has a large effect on the time that a backup takes.

How long is the backup window? Certain types of backup take longer than other types. For example, a full backup takes longer than an incremental backup, but an incremental backup backs up only changes to data. You should choose the type and frequency of backup based on how long you want the backup operation to take. Backup operations use server resources, so you typically schedule them for hours outside normal business hours. However, you may have other tasks, such as automated maintenance on the server, or you may have global users, so the server is accessed for extended hours throughout the day. You should typically automate the backup task by creating a scheduled backup job in your backup software or by using task scheduling in Windows Server 2008.
How long does a restore take? Restoring large amounts of data can take hours or days, depending on the amount of data that was lost and the speed of the backup media. You can back up different types of data in different ways or by using different media so that you can restore the most important data more quickly. This can be particularly useful when you are planning for disasters that involve the loss of one or more servers or if you have service-level agreement (SLA) requirements to meet.
How often is a trial restore performed? You should periodically perform a trial restore on your backups to ensure that the backup is accessible and the data is recoverable. This is an essential part of disaster recovery planning and you should not ignore it.
Question: How frequently do you currently perform backups?
Question: Do you have different backup schedules for different data?

Creating the Data Retention Plan
Key Points
How long must you keep data? Must you keep data for legal compliance, such as Sarbanes-Oxley, or for business requirements such as the ability to audit all projects during the previous five years?
Where should you archive data? Do users require access to archived data regularly, which may require keeping the data on a server, or can the data be archived to a static medium such as optical or tape storage? For static media archival, you must consider that media such as DVD or tape has a finite lifetime for storing data.
What is the cost of data storage? Different storage mechanisms and media have different costs associated with them. If you keep archived data on a server hard disk, this has a relatively high cost per megabyte (MB). If you keep your data archive on your corporate storage area network (SAN), it has a lower cost per MB, and data that is stored on tape has a very low cost per MB. Typically, you move older data to cheaper storage media. Contrary to this is the ease of access, so you must balance the cost against the ease of access for the data.

What software tools can assist data retention? Your backup software or additional tools may have data-retention capabilities, or you could invest in software to assist data retention in your organization. Consider tools such as Microsoft System Center Data Protection Manager, which can offer backup capabilities and options to archive older data to media such as tape instead of hard disk.
Question: What is your current data retention plan?
Question: Do you have any legal data retention requirements to fulfill?

Backing Up Encrypted Files and Virtual Machines
Key Points
Planning backups for encrypted files must include consideration for correctly backing up and recovering the files and for backing up and recovering the encryption keys. Encrypting File System (EFS) is a powerful tool for encrypting files and folders on client computers and remote file servers. It enables users to protect their data from unauthorized access by other users or external attackers.
Backing up Hyper-V
Although not technically a backup, a VM snapshot provides a point in time to which you can revert by using differencing disks and a copy of the VM configuration file.

Although one exciting benefit of server virtualization is the prospect of no longer having to individually back up the virtualized systems, there are other things to consider. Because these are live computers consisting of in-memory data, data on disk, system configurations, and open files, simply backing up the virtual machine files is not sufficient.
Question: Do your users currently use Encrypting File System (EFS)?
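The EFS point above has two halves that a backup plan has to cover separately: knowing which files are encrypted and whose keys can open them, and backing up those keys, because a restored encrypted file is unreadable without the certificate and private key that encrypted it. The following Windows PowerShell script is an added example, not part of the course. It uses cipher.exe, which ships with Windows Server 2008, and the share path and output file name are assumptions.

```powershell
# Added example: inventory EFS-encrypted files under a path, record who can decrypt
# each one, and back up the logged-on user's EFS certificate and private key.
# Uses cipher.exe (part of Windows Server 2008). Path and output name are assumptions.
function Get-EncryptedFiles {
    param([string]$Path = 'D:\Shares\Finance')
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) } |
        ForEach-Object {
            # 'cipher /c' prints the users (and recovery agents) whose keys open the file.
            # Capture the lines that follow the "Users who can decrypt:" heading.
            $lines   = @(& cipher.exe /c $_.FullName)
            $holders = @(); $capture = $false
            foreach ($line in $lines) {
                if ($line -match 'Users who can decrypt') { $capture = $true; continue }
                if ($capture) {
                    if ($line.Trim() -eq '') { break }
                    $holders += $line.Trim()
                }
            }
            New-Object PSObject -Property @{
                File       = $_.FullName
                LastWrite  = $_.LastWriteTime
                KeyHolders = ($holders -join '; ')
            }
        }
}

Get-EncryptedFiles | Format-Table File, LastWrite, KeyHolders -AutoSize -Wrap

# Back up the current user's EFS certificate and private key to a .pfx file.
# cipher prompts for a password that protects the private key inside the file;
# store the .pfx separately from the data backup, not on the same media.
$pfx = Join-Path $env:USERPROFILE 'efs-key-backup'
& cipher.exe /x $pfx
```

The inventory also shows whether a data recovery agent (DRA) certificate is listed for each file. If it is not, the only copy of the key that can open a restored file is the user's, and the key backup above is the single point of failure the restore policy in Lesson 4 has to address.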

Lesson 2 Planning Backup Policy on Windows Server 2008
In addition to deciding on a backup strategy for various types of data on your network, you must also examine some wider issues when you plan your overall backup policy. This lesson examines some of the additional considerations that you must take into account when you create your backup policy.

Factors That Affect Backup Policy
Key Points
Factor: Service-level agreements
Details: If your information technology (IT) department has agreed on SLAs or intends to create SLAs for data or server availability, you must include consideration of backup and restore processes with your SLA. An SLA should specify the data or servers to which it refers, and it should identify acceptable periods of unavailability. It is important that the time that is taken to perform a restore operation does not exceed the SLA; if it does, the SLA is redundant.

(continued)
Factor: Cost
Details: When you plan your backup policy, you must consider the cost of your backup solution. Costs for your backup solutions can include hardware, software, and media. Larger storage capacities or faster storage media are more expensive. You should carefully consider cost with respect to backup and restore times and the required storage quantities. When you plan for increases in data storage, you should include any necessary increase in backup costs that are required to maintain your backup schedule.
Factor: Bandwidth
Details: If you back up to a different physical location, such as a secure offsite storage provider or a dedicated disaster recovery site, you must consider bandwidth requirements. You would typically use these as additional protection if a physical or environmental disaster occurs at your primary location, but you may require these for specific data types in your organization, such as database backups. Unless fast links are available, the available bandwidth for these backups directly impacts the time that is taken to perform a backup and restore operation. If you have branch offices, you can decide to perform all regular file-based backups from your main office by replicating content to the main office and then performing the backup. You might also consider using Distributed File System (DFS) replication to enable backup at another location.
Factor: Personnel
Details: You should also consider who can perform backup tasks. This includes physical tasks such as loading or changing tape libraries, and system tasks such as performing backups or changing backup schedules.
Question: Does your information technology (IT) department fulfill any service-level agreements (SLAs)?
Question: Do you back up any data over the network?

Storage and Security Considerations

Key Points

Security considerations for your data backups are an important part of your overall security strategy. A backup contains a complete copy of the data it protects, and unless the backup target itself is encrypted, anyone who obtains the media can read that data without passing through the file permissions on the original server. Physical security is therefore particularly important with backup storage media, at both on-site and off-site locations.

Question: Who currently has access to backup media at your organization?

Process for Selecting Backup Operators

Key Points

When you plan who should perform key backup and restore tasks in your organization, consider whether the backup and restore roles should be separated for security purposes. Training is also important so that individuals understand the effect of backup and restore on data and related systems.

Question: Who performs backup and restore tasks in your organization?

Question: Are backup and restore roles separated in your organization?

Lesson 3
Planning a Server Restore Policy

This lesson will discuss the requirements for a restore policy on Windows Server 2008. Your restore policy should not be a static document that you write once and archive. You should regularly update your server restore policy by reviewing the results of trial and real restore operations.

Considerations for a Server Restore

Key Points

You should determine whether a single file or application data requires restoring. Total server failure may require data recovery from an off-site location. You should consider the potential impact that a failed restore could have on your organization.

Question: Who determines the restore procedures during data and server loss incidents within your organization?

Question: What process do you follow to ensure that you only restore valid data and that no data is lost during the restore process?

Impact of a Server Restore

Key Points

Perform a brief business impact analysis before you restore data to determine the possible number of users who are affected by the restore. Consider the effect that the restore of data will have on service-level agreements (SLAs).

Question: How can you improve the change management process for restoring data in your organization?

Improving the Backup Plan

Key Points

You should regularly review your backup policy by performing a trial restore of data. You should continually strive to improve your backup plan after you have identified areas for improvement from unsuccessful restores.

Question: What improvements can you make to your backup plans?

Question: What improvements can you make to your disaster recovery plans?

Change Management Considerations

Key Points

Data restore may require emergency changes to meet SLAs. The Volume Shadow Copy Service (VSS) captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide. You can empower users to recover their own data by using previous versions.

Question: How do you ensure that restored data does not overwrite newer data in your organization?
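The following script is an added example and is not part of the course text. It shows the two practical uses of VSS that this topic refers to: enabling Shadow Copies of Shared Folders on a data volume so that users can recover their own files from the Previous Versions tab, and taking an on-demand snapshot immediately before an emergency restore so that anything the restore overwrites is still recoverable. It assumes Windows Server 2008, an elevated PowerShell session, and that E: is the data volume (a hypothetical drive letter); vssadmin.exe and schtasks.exe are the built-in tools.

```powershell
# Added example (not from the course): Shadow Copies of Shared Folders for
# self-service recovery, plus a pre-restore snapshot. Assumes Windows Server
# 2008, elevated PowerShell, and E: as the data volume (hypothetical).

$Volume = 'E:'

function Enable-ShadowStorage([string]$Vol, [string]$MaxSize = '10%') {
    # 'add shadowstorage' fails when an association already exists, so resize instead.
    $current = vssadmin list shadowstorage /for=$Vol | Out-String
    if ($current -match 'Shadow Copy Storage association') {
        vssadmin resize shadowstorage /for=$Vol /on=$Vol /maxsize=$MaxSize
    } else {
        vssadmin add shadowstorage /for=$Vol /on=$Vol /maxsize=$MaxSize
    }
}

function New-ShadowCopy([string]$Vol) {
    # The same command the Shadow Copies tab schedules; the copy is
    # client-accessible, so it appears under Previous Versions on clients.
    vssadmin create shadow /for=$Vol /autoretry=15
}

function Register-ShadowSchedule([string]$Vol, [string[]]$Times) {
    # One scheduled task per snapshot time, run as SYSTEM. Snapshots are
    # block-level differences, so two a day cost little on mostly static data.
    foreach ($t in $Times) {
        $name = 'ShadowCopy-' + $Vol.TrimEnd(':') + '-' + $t.Replace(':', '')
        schtasks /Create /F /RU SYSTEM /SC DAILY /ST $t /TN $name `
            /TR "vssadmin create shadow /for=$Vol /autoretry=15"
    }
}

Enable-ShadowStorage $Volume
Register-ShadowSchedule $Volume @('07:00', '12:00')

# Before an emergency restore onto E:, snapshot it first so that newer files
# the restore overwrites can still be brought back from Previous Versions.
New-ShadowCopy $Volume
vssadmin list shadows /for=$Volume
```

Shadow copies live on the volume they protect here (`/on=$Vol`), so they are not a substitute for a backup: a failed disk takes the snapshots with it. Their value is the change-management case in this topic, recovering a file that a restore or a user overwrote minutes or hours ago.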

Restore Logs

Key Points

You should review backup log files after each backup. Some backups will fail; you should ensure that the backups are complete and useable for restore. Windows Server Backup writes a log for each job under %SystemRoot%\Logs\WindowsServerBackup and records the outcome of every job in the Microsoft-Windows-Backup event log, so a review can be scheduled rather than left to chance. After you have restored data, you should verify that the restoration of all files has been successful by reviewing the associated log files.

Question: How frequently are the backup logs reviewed and trial restores performed to ensure that the backups have worked as expected in your organization?
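As an added example (not part of the course text), the script below performs the review this topic asks for with the Windows Server Backup PowerShell snap-in: it checks the most recent backup result and its age against a freshness limit, and lists any failed jobs together with the path of the failure log that Windows Server Backup wrote for them. It assumes Windows Server 2008 with the Windows Server Backup command-line tools feature installed (which provides the Windows.ServerBackup snap-in), PowerShell 2.0, and an elevated session; the property names used are those the snap-in exposes on its summary and job objects.

```powershell
# Added example (not from the course): review Windows Server Backup results.
# Assumes Windows Server 2008, the Windows Server Backup command-line tools
# feature, PowerShell 2.0, and an elevated session.

Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

function Test-BackupHealth([int]$MaxAgeHours = 24) {
    # Returns a list of problems; an empty list means the last backup is usable.
    $s = Get-WBSummary
    $problems = @()
    if ($s.LastBackupResultHR -ne 0) {
        $problems += ('Last backup returned HRESULT 0x{0:X8}: {1}' -f $s.LastBackupResultHR, $s.DetailedMessage)
    }
    $ageHours = ((Get-Date) - $s.LastSuccessfulBackupTime).TotalHours
    if ($ageHours -gt $MaxAgeHours) {
        $problems += ('Last successful backup was {0:N1} hours ago (limit {1})' -f $ageHours, $MaxAgeHours)
    }
    if ($s.NumberOfVersions -eq 0) {
        $problems += 'No backup versions are available to restore from'
    }
    $problems
}

function Get-FailedBackupJob([int]$Previous = 14) {
    # Get-WBJob -Previous N returns the last N completed jobs, backups and recoveries alike.
    Get-WBJob -Previous $Previous | Where-Object { $_.HResult -ne 0 } |
        Select-Object JobType, StartTime, EndTime, JobState, HResult, ErrorDescription, FailureLogPath
}

$issues = @(Test-BackupHealth)
if ($issues.Count -eq 0) {
    'Backup health OK'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}

# A failed job carries its own log; read it before trusting that backup set.
Get-FailedBackupJob | ForEach-Object {
    '{0} started {1} failed: {2} (log: {3})' -f $_.JobType, $_.StartTime, $_.ErrorDescription, $_.FailureLogPath
}
```

Running this from a scheduled task the morning after each backup window, with the warnings mailed to the backup team, is the cheapest way to make "review the logs after each backup" actually happen.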

Restore Options

Key Points

You should consider whether to restore data to an alternate location or to overwrite existing files. You should verify that access to restored data is only available to authorized users. The permissions on restored files depend on whether the restore brings back the original access control lists or lets the files inherit the permissions of the folder they are restored into (for example, wbadmin start recovery does the latter when you use -notRestoreAcl); when you restore to an alternate location, check the resulting permissions before you tell users where the data is.

Question: What is the process in your organization for checking access to restored data?
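The following script is an added example and not part of the course text. It performs the check this topic describes: after a restore to an alternate location, it walks the restored tree and reports every access control entry that grants access to a principal outside an approved list, so that a restore that inherited the destination folder's permissions does not silently widen access. It assumes Windows Server 2008 with PowerShell 2.0; the restore path and the approved principals are placeholders that must be changed for your site.

```powershell
# Added example (not from the course): find access on restored data that
# goes beyond an approved list of principals. Assumes PowerShell 2.0 on
# Windows Server 2008; path and principal names below are placeholders.

$RestoredPath = 'E:\Restore\HR'
$Approved = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'WOODGROVEBANK\HR Staff')

function Get-UnexpectedAccess([string]$Path, [string[]]$ApprovedPrincipals) {
    # Include the root folder itself, then everything below it.
    $items = @(Get-Item -Path $Path -Force) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $ApprovedPrincipals -notcontains $who) {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True means it came from the destination folder
                }
            }
        }
    }
}

$findings = @(Get-UnexpectedAccess $RestoredPath $Approved)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize
    Write-Warning ('{0} access entries outside the approved list under {1}' -f $findings.Count, $RestoredPath)
} else {
    "No access outside the approved list under $RestoredPath"
}
```

An entry reported with Inherited set to True came from the folder you restored into rather than from the backup; the fix is to restore again with the original ACLs, or to correct the destination folder before granting users access.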

Security Analysis

Key Points

You should use the built-in group Backup Operators to enable users to back up and restore files and folders. Members of this group hold the "Back up files and directories" and "Restore files and directories" user rights, which let them read any file when backing up and write any file when restoring, regardless of the NTFS permissions on those files. If users only require the right to back up files, you should not place them in the Backup Operators group, because this would also grant them the right to restore files; assign the "Back up files and directories" user right to them directly, for example through the User Rights Assignment settings in Group Policy.

Question: Who can restore files in your organization?

Question: Must you review membership of the Administrators and Backup Operators groups?
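As an added example that is not part of the course text, the script below produces the membership review that the second question asks for. It enumerates the members of the local Administrators and Backup Operators groups through the ADSI WinNT provider, which works on Windows Server 2008 without any additional modules and on domain controllers as well as member servers, and it warns about any Backup Operators member that is not on a list of expected backup accounts. The expected-account name is a placeholder; it assumes PowerShell 2.0 and an elevated session.

```powershell
# Added example (not from the course): list and review membership of the
# groups that can bypass NTFS permissions through backup and restore rights.
# Assumes Windows Server 2008, PowerShell 2.0, elevated session.

function Get-LocalGroupMember([string]$GroupName, [string]$Computer = $env:COMPUTERNAME) {
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{
            Group  = $GroupName
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'   # DOMAIN\name form
            Type   = $class                                              # User or Group
        }
    }
}

$review = foreach ($g in 'Administrators', 'Backup Operators') { Get-LocalGroupMember $g }
$review | Sort-Object Group, Member | Format-Table Group, Member, Type -AutoSize

# Anyone in Backup Operators can restore, and therefore read, every file the
# server holds. Flag members that are not dedicated backup accounts.
$ExpectedBackupAccounts = @('WOODGROVEBANK\svc-backup')   # placeholder list
$review | Where-Object { $_.Group -eq 'Backup Operators' -and $ExpectedBackupAccounts -notcontains $_.Member } |
    ForEach-Object { Write-Warning "Unexpected Backup Operators member: $($_.Member) ($($_.Type))" }

# Nested groups hide members: expand any group found inside Backup Operators.
$review | Where-Object { $_.Group -eq 'Backup Operators' -and $_.Type -eq 'Group' } | ForEach-Object {
    "Nested group $($_.Member) must be reviewed separately"
}
```

Run it against each file server and domain controller and keep the output with the backup policy; a membership change that nobody can explain is itself a finding.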

Updating Backup Policy

Key Points

You should review, improve, and update all of your policies and working practices to ensure that you continue to meet the requirements of your business. Windows Server 2008 simplifies scheduling backup tasks by using VSS. By increasing the frequency of backups, you can provide access to recent changes in documents for users. This improved backup enables users to restore files without resorting to assistance from the IT team.

Question: How often do you update the backup and restore policy in your organization? Can you identify areas of your current policies that require updating?

Lesson 4
Planning an EFS Restore Policy

By encrypting data, you secure it so that only the data owners can access the files. This may lead to difficulties when you restore data, because user encryption keys are stored separately from the files. Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates that store encryption keys and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent's certificate serves a different purpose from the user's certificate: EFS encrypts each file's encryption key to the agent's public key as well as to the user's, so the agent can decrypt the file without the user's private key. It is beyond the scope of this course to detail the recovery of file encryption keys. This lesson will discuss the requirements for restoring encrypted data by using the Encrypting File System (EFS) on Windows Server 2008.

Considerations When Restoring EFS Data

Key Points

You should ensure that you can recover encryption keys and data as part of your recovery strategy. You should have a documented and tested procedure to restore user encryption keys. When you restore data, you should ensure that you match the file that is restored with the same key that you used to encrypt the file: a restored EFS file is still encrypted, and it can be opened only with a private key that matches one of the keys the file was encrypted to, so the user's key (or a recovery agent's key) that was in use when the file was encrypted must be available after the restore.

Question: What steps must you take to ensure that you can recover EFS keys and data?

Requirements for EFS Recovery

Key Points

There are many configurations and recovery options for EFS. You can recover keys from Active Directory Certificate Services (if the issuing CA archives private keys) or from backups, or you can recover the data by using data recovery agents. By using a recovery agent, you can ensure that data is recoverable in the event of loss of the original user encryption keys. In a secure environment where only the user who is encrypting a file may decrypt it, your options for file and encryption key recovery may be limited to only the user owning the file if the data recovery agent (DRA) keys are intentionally deleted. This makes the file more secure by limiting access to only the user who is encrypting the file; however, the tradeoff is that you can only ever recover the file by using the original encryption key. You should also consider that if an organization does not centralize key storage, there is the possibility of recovery keys being stored on multiple servers and workstations throughout the organization.

You can use Group Policy settings to configure EFS across your organization. You should consider the use of smart cards and storing keys on these cards as part of your EFS strategy.

Question: What planning documentation is there in your organization for EFS? How can you ensure that this documentation is updated and modified?

Preparing to Recover EFS Files

Key Points

Configure Windows Enterprise Certification Authority

The first step is to configure your computer running Windows Server 2008 Enterprise Edition to be an enterprise certification authority (CA). The CA is responsible for issuing digital certificates for purposes such as EFS and S/MIME. To configure your enterprise CA, you will need to:

• Install and configure the Microsoft Active Directory® domain service.
• Install and configure Active Directory Certificate Services.

After you complete these steps, your Windows Server 2008 enterprise CA will be configured to issue digital certificates.

Certificate Auto-enrollment Policy

Using the autoenrollment feature, organizations can manage the certificate lifecycle for users, which includes:

• Certificate renewal
• Superseding of certificates
• Multiple signature requirements

Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. This combination allows the Microsoft Windows® XP Professional, Windows Vista®, or Windows Server 2008 client to enroll users when they log on to their domain, or a machine when it boots, and keeps them periodically updated between these events. Automatic enrollment of user certificates provides a quick and simple way to issue certificates to users and to enable public key infrastructure (PKI) applications, such as smart card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL), Secure/Multipurpose Internet Mail Extensions (S/MIME), and others, within an Active Directory directory service environment. User autoenrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) for a PKI implementation when Windows XP Professional or Windows Vista clients are configured to use Active Directory.

There are several circumstances in which an organization may want to implement Certificate Authorities, as opposed to allowing EFS to generate its own self-signed certificates. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents. It operates by using certificates based on the X.509 standard. A self-signed EFS certificate exists only in the profile of the user it was generated for, so if that profile is lost the files can be recovered only through a data recovery agent.

Question: Who in your organization is in charge of creating and configuring certification authority?
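The script below is an added example and not part of the course text. It audits the EFS certificates in the current user's personal store and flags the self-signed ones that EFS issues to itself when no enterprise CA is reachable, which is the situation the paragraph above warns about; it also reports any recovery agent private key that is present in the profile, since that key should normally be exported and kept offline. The two object identifiers are the documented EFS and File Recovery enhanced key usages. It assumes Windows Server 2008 or Windows Vista with PowerShell 2.0 and runs as the user being audited.

```powershell
# Added example (not from the course): audit EFS certificates in the current
# user's store. Assumes PowerShell 2.0 on Windows Server 2008 / Vista.

$EfsOid          = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (data recovery agent)

function Get-EnhancedKeyUsageOid($Cert) {
    # 2.5.29.37 is the Enhanced Key Usage extension; .NET exposes it as a typed object.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Get-EfsCertificateAudit {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert  = $_
        $oids  = @(Get-EnhancedKeyUsageOid $cert)
        $isDra = $oids -contains $FileRecoveryOid
        if (-not $isDra -and -not ($oids -contains $EfsOid)) { return }   # not an EFS-related certificate
        New-Object PSObject -Property @{
            Purpose    = $(if ($isDra) { 'File Recovery (DRA)' } else { 'EFS' })
            Thumbprint = $cert.Thumbprint
            Issuer     = $cert.Issuer
            Expires    = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            HasKey     = $cert.HasPrivateKey
        }
    }
}

$audit = @(Get-EfsCertificateAudit)
$audit | Format-Table Purpose, SelfSigned, HasKey, Expires, Issuer -AutoSize

# A self-signed user key needs an explicit backup (cipher /x) or re-enrollment
# from the CA; a recovery agent key should not normally live in a profile.
$audit | Where-Object { $_.SelfSigned -and $_.Purpose -eq 'EFS' } | ForEach-Object {
    Write-Warning "Self-signed EFS certificate $($_.Thumbprint) (expires $($_.Expires)): back it up or re-enroll from the CA"
}
$audit | Where-Object { $_.Purpose -ne 'EFS' -and $_.HasKey } | ForEach-Object {
    Write-Warning "Recovery agent private key $($_.Thumbprint) is installed in this profile"
}
```

An expired EFS certificate still decrypts files that were encrypted to it, so expiry alone is not a recovery problem; a missing private key is.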
Certificate Templates

The Encrypting File System (EFS) is a feature of Windows Server 2008 that allows users to encrypt data directly on volumes that use the NTFS file system.

Managing the Recovery Agent

Key Points

• To designate a user as an additional recovery agent by using the Add Recovery Agent Wizard, click Add Data Recovery Agent.
• To allow EFS to work without recovery agents, point to All Tasks and then click Do Not Require Data Recovery Agents. If you select this option, users can still encrypt files on this computer, but files encrypted while no agent is in the policy carry no recovery key, and they gain one only if their owner runs cipher /u after an agent has been added.
• To delete this EFS policy and every recovery agent, point to All Tasks and then click Delete Policy. Note that this option will not appear unless there is an EFS policy on the computer.

Important: Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk or other removable media.

Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• You can make changes to the File Recovery certificate by right-clicking the certificate and then clicking Properties. For example, you can give the certificate a friendly name and enter a text description.

Process for Exporting and Deleting Private Key

The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies. There is no default recovery agent on a standalone computer.

If you click to select the Delete the private key if the export is successful check box, the private key is removed from the domain controller, and files cannot be recovered through that recovery agent on that computer until you import the key again from the exported file. Install the recovery agent's private key only in situations when you need it to recover files. At all other times, export and then store the recovery agent's private key offline to help maintain its security. We recommend that you use this option.

If the Administrator profile or the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost. A file recovery certificate can be created by running cipher.exe /r:<filename>, and the Add Data Recovery Agent option can be used to import the resulting .cer file into the EFS policy. For more information on cipher.exe, see Related Topics.
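The following script is an added example and not part of the course text. It is a scripted version of the export-and-delete procedure above: it finds the File Recovery certificate that has a private key in the current user's store, writes certificate and key to a password-protected PFX, reads the PFX back to confirm it is usable, and only then deletes the private key from the profile while leaving the public certificate in place so the agent is still listed. Run it as the default recovery agent (the built-in Administrator on the first domain controller). The output path is a placeholder; it assumes Windows Server 2008 with PowerShell 2.0 and uses the .NET X509Certificate2 and X509Store classes rather than the Certificates snap-in.

```powershell
# Added example (not from the course): export the File Recovery private key
# to a PFX, verify it, then remove the key from this profile. Assumes
# Windows Server 2008, PowerShell 2.0; path is a placeholder.

$PfxPath         = 'C:\AdminKey.pfx'    # move this file to offline media straight away
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-FileRecoveryCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $c   = $_
        $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $c.HasPrivateKey -and $ext -and
            (@($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $FileRecoveryOid)
    }
}

function Export-PrivateKeyToPfx($Cert, [string]$Path, [string]$Password) {
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($Path, $Cert.Export($pfx, $Password))
    # Read it back before anything is deleted: same thumbprint, key present.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    if ($check.Thumbprint -ne $Cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "PFX verification failed for $Path; the private key was NOT deleted"
    }
}

function Remove-PrivateKeyKeepCertificate($Cert) {
    $rsa   = $Cert.PrivateKey
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('Read/Write')
    $store.Remove($Cert)
    # Put the public part back so the Add Data Recovery Agent wizard can still find it.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $Cert.RawData)
    $store.Add($public)
    $store.Close()
    # Removing the store entry leaves the CSP key container behind; this deletes it.
    if ($rsa) { $rsa.PersistKeyInCsp = $false; $rsa.Clear() }
}

$certs = @(Get-FileRecoveryCertificate)
if ($certs.Count -ne 1) {
    throw "Expected exactly one File Recovery certificate with a private key, found $($certs.Count)"
}
$password = Read-Host -Prompt 'PFX password'   # never hard-code this in a script
Export-PrivateKeyToPfx $certs[0] $PfxPath $password
Remove-PrivateKeyKeepCertificate $certs[0]
"Exported $($certs[0].Thumbprint) to $PfxPath; the private key is no longer in this profile"
```

The `Open('Read/Write')` string is the .NET OpenFlags value name (`ReadWrite`) as PowerShell 2.0 accepts it; if your shell rejects it, use `[System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite`. Treat the PFX exactly as the text above says: it is the recovery key for every EFS file in the domain.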

Note: We strongly recommend that you click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

Question: List at least one example of how your organization can use the Recovery Agent to access EFS files during a disaster recovery scenario.

Recovering EFS Files

Key Points

Data Recovery—Best Practices

In general, the best practice for organizations to follow regarding data recovery is to deploy a public key infrastructure (PKI) so that the certificates issued to users and to data recovery agents come from a certification authority (CA). The Microsoft Enterprise Certification Authority makes it easy for users to automatically get certificates for use by EFS.

Other best practices include:

• Using more than one DRA per domain, and storing the actual private keys for the DRAs on a medium (floppy disk, CD-ROM, etc.) that can be secured and retrieved only when appropriate security policies and practices have been followed.
• Defining DRAs at the site, domain, or OU level like any other Group Policy setting; they may be combined as an aggregate policy based on the organization of Active Directory.

Question: Who in your organization has the proper DRA privileges to open EFS encrypted files?
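The script below is an added example and not part of the course text. It shows the recovery procedure that the practices above prepare for: the data recovery agent's PFX is imported into the administrator's profile only for as long as it takes to run cipher.exe /d over a restored folder, and the agent's private key is then deleted again so that it does not remain on the server. Files that were encrypted before this agent was in the EFS policy carry no recovery field for it and are reported rather than silently skipped. Paths are placeholders; it assumes Windows Server 2008 with PowerShell 2.0 and an elevated session.

```powershell
# Added example (not from the course): temporary DRA key import, bulk
# decryption with cipher.exe, key removal. Assumes Windows Server 2008,
# PowerShell 2.0, elevated session; paths are placeholders.

$PfxPath = 'D:\Offline\AdminKey.pfx'
$Target  = 'E:\Restore\HR'

function Import-RecoveryAgentKey([string]$Path, [string]$Password) {
    # PersistKeySet is required: cipher.exe is a separate process and must
    # find the key in the user's CSP container, not in a temporary one.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    $cert
}

function Remove-RecoveryAgentKey($Cert) {
    $rsa   = $Cert.PrivateKey
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite'); $store.Remove($Cert); $store.Close()
    if ($rsa) { $rsa.PersistKeyInCsp = $false; $rsa.Clear() }   # deletes the key container
}

function Get-EncryptedFile([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -Force | Where-Object {
        -not $_.PSIsContainer -and (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
    }
}

$before = @(Get-EncryptedFile $Target)
"$($before.Count) encrypted file(s) under $Target before recovery"

$agent = Import-RecoveryAgentKey $PfxPath (Read-Host -Prompt 'DRA PFX password')
try {
    # /d decrypts, /s: walks the tree, /a includes files, /i continues past
    # files this agent cannot open instead of stopping at the first one.
    cipher /d /s:$Target /a /i | Out-Null
} finally {
    Remove-RecoveryAgentKey $agent   # runs even if cipher fails
}

$after = @(Get-EncryptedFile $Target)
if ($after.Count -gt 0) {
    Write-Warning "$($after.Count) file(s) were not decrypted with this agent (encrypted under another key, or before this agent was added):"
    $after | ForEach-Object { $_.FullName }
} else {
    "All files decrypted; NTFS permissions on $Target now control who can read them"
}
```

After the run the files are plaintext, so the person who takes them over should re-encrypt them under their own key (for example with cipher /e while logged on as that user) before the folder is shared again.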

Lesson 5
Troubleshooting Windows Server 2008 Startup

Key Points

Sometimes a problem can arise that will prevent Windows from starting properly. This lesson will discuss the common causes of startup problems, review the startup process and the components that may be affected, and explore different troubleshooting techniques that you can use depending on when the failure occurs.

Common Causes of Startup Problems

Key Points

Diagnosing and correcting hardware and software problems that affect the startup process requires different tools and techniques than troubleshooting problems that occur after the system has started, because the person troubleshooting the startup problem does not have access to the full suite of Microsoft Windows Server 2008 troubleshooting tools. Startup failure can result from a variety of problems, such as user error, application faults, hardware failures, driver problems, system misconfiguration, disk or file corruption, or virus activity. Resolving startup issues requires a clear understanding of the startup process and core operating system components, as well as the tools used to isolate and resolve problems. If the condition is serious enough, you might need to reinstall Windows.

Question: Can you think of situations where you had to troubleshoot a Windows startup problem, and if so, how did you resolve it?

Reviewing Startup Processes

Key Points

The startup sequence shown above applies to systems started or restarted after a normal shutdown. The detect and configure hardware phase detects and configures only the hardware that is necessary to start the kernel loading phase, including system buses, hard disks, input devices, and parallel ports. Remaining hardware devices are configured during the kernel loading phase.

Question: During startup, in which of these phases is system memory checked?

Being Prepared for Startup Failures

Key Points

Being prepared for a server failure means being able to recover the server quickly in the event of a disaster. On a computer running Windows Server 2008, you can use the following to perform recovery tasks:

• Recovery Wizard. This wizard helps you recover files and folders, applications, and volumes.
• Catalog Recovery Wizard. This wizard helps you recover the backup catalog. This wizard is only available if your backup catalog has become corrupted.
• A Windows Setup disc and a backup created with Windows Server Backup. This method helps you recover your operating system or full server.

You can also perform recoveries by using the Wbadmin start recovery, Wbadmin start systemstaterecovery, and Wbadmin restore catalog commands.
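As an added example that is not part of the course text, the script below is the command-line equivalent of the Recovery Wizard for a file-level restore: it lists the backup versions on the target, restores one folder to an alternate location without overwriting anything that is already there, and checks the exit code instead of assuming success. It assumes Windows Server 2008 and an elevated session; the backup target, source folder, restore folder, and version identifier are placeholders (take the identifier from the output of `wbadmin get versions`, where it has the form MM/DD/YYYY-HH:MM).

```powershell
# Added example (not from the course): file-level restore with wbadmin.exe
# to an alternate location. Assumes Windows Server 2008, elevated session;
# all paths and the version identifier are placeholders.

$BackupTarget = 'F:'                  # dedicated backup disk, or \\server\share
$Items        = 'E:\Shares\Sales'
$RestoreTo    = 'E:\Restore'

function Get-BackupVersion([string]$Target) {
    wbadmin get versions -backupTarget:$Target
}

function Restore-FolderToAlternateLocation([string]$Version, [string]$Path, [string]$Destination, [string]$Target) {
    # -overwrite:CreateCopy writes a restored file beside a newer one of the
    # same name instead of replacing it, so the restore cannot regress current
    # data. -recoveryTarget places the files under $Destination rather than at
    # their original path. -notRestoreAcl is deliberately NOT used: with it the
    # files would inherit $Destination's permissions, which may be wider than
    # the originals.
    wbadmin start recovery -version:$Version -itemType:File -items:$Path -recursive `
        -backupTarget:$Target -recoveryTarget:$Destination -overwrite:CreateCopy -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin start recovery failed with exit code $LASTEXITCODE; see the Microsoft-Windows-Backup event log"
    }
}

Get-BackupVersion $BackupTarget
Restore-FolderToAlternateLocation -Version '03/14/2009-21:00' -Path $Items -Destination $RestoreTo -Target $BackupTarget

# What actually came back, so the count can be compared with the request.
Get-ChildItem -Path $RestoreTo -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object | Select-Object Count
```

Because the restore lands in a separate folder, the owner can confirm the contents and the permissions can be checked before anything is copied over live data; that is the "alternate location" option from the Restore Options topic in practice.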

Additional preventative measures should be taken to ensure server health and availability, including:

• Protecting the operating system with current Windows Updates and antivirus signatures
• Following vendor recommendations for hardware maintenance
• Familiarizing yourself with the advanced boot options (F8 on startup):
  • Safe Mode
  • Last Known Good Configuration
  • Boot Logging

References: Windows Server 2008 Help: Recover the Operating System

Troubleshooting Startup Before the Windows Logo Appears

Key Points

Use this flow chart to see how to troubleshoot startup problems that occur before the Windows Server 2008 logo appears.

In earlier versions of Windows, a file called boot.ini contained information about the Windows operating systems installed on the computer. This information was displayed during the startup process when you turned on your computer. It was most useful in multiboot configurations, or for advanced users or administrators who needed to customize how Windows started. In Windows Server 2008, the boot.ini file has been replaced with Boot Configuration Data (BCD). This store is more versatile than boot.ini, and it can apply to computer platforms that use means other than the basic input/output system (BIOS) to start the computer. You view and change the BCD store with the bcdedit.exe command-line tool.

Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start before the Windows logo appears?
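The following script is an added example and not part of the course text. It shows the bcdedit.exe operations that belong in a startup-troubleshooting procedure: exporting the BCD store before any change so that a mistake in the boot configuration can be undone, reviewing the operating system loader entries, and enabling the Boot Logging option from the advanced boot options menu permanently on the default entry so that the driver that fails during the kernel-loading phase is recorded in %SystemRoot%\ntbtlog.txt. It assumes Windows Server 2008 and an elevated PowerShell session; the backup folder is a placeholder.

```powershell
# Added example (not from the course): protect and instrument the BCD store.
# Assumes Windows Server 2008, elevated PowerShell; backup path is a placeholder.

$BcdBackup = 'C:\BcdBackup\bcd-' + (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path (Split-Path $BcdBackup) -Force | Out-Null

# 1. Export the whole store first; 'bcdedit /import <file>' puts it back.
bcdedit /export $BcdBackup
if ($LASTEXITCODE -ne 0) { throw 'BCD export failed; do not change the store' }

# 2. Review the OS loader entries. 'device', 'osdevice' and 'path' must point
#    at the volume that actually holds \Windows; a wrong device here is a
#    common cause of failure before the logo appears.
bcdedit /enum OSLOADER

# 3. Enable boot logging on the default entry. In PowerShell the braces must be
#    quoted, otherwise {default} is parsed as a script block.
bcdedit /set '{default}' bootlog Yes

# After the next start, the last driver listed before the failure is the
# usual suspect; disable it from Safe Mode or the recovery environment:
#   Get-Content "$env:SystemRoot\ntbtlog.txt" | Select-Object -Last 20

# 4. Remove the setting again once the cause is understood.
#   bcdedit /deletevalue '{default}' bootlog
```

The export is the important step: every other bcdedit change can be reverted from it, including the case where an edit leaves the system unable to find its own loader.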

Troubleshooting Startup After the Windows Logo Appears

Key Points

If your computer displays the graphical Windows Server 2008 logo before failing, use the process illustrated here to identify and disable the failing software component to allow Windows to start successfully. Once Windows starts, you can perform further troubleshooting to resolve the problem with the component if necessary. If the startup problem occurs immediately after updating or installing a startup application, try troubleshooting the startup application.

When you are troubleshooting, the method for determining which services and processes to temporarily disable varies from one computer to the next. The most reliable way to determine what you can disable is to gather more information about the services and processes enabled on your computer.

Windows Server 2008 includes several tools and features to generate a variety of logs that can provide you with valuable troubleshooting information:

• Event Viewer
• Sc.exe
• System Information
• Error Reporting Service
• Boot logs (covered earlier)

Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after the Windows logo appears?

Troubleshooting Startup Problems After Logon

Key Points

If your computer fails immediately after a user logs on, use the process shown here to identify and disable the failing startup application to enable successful logon. Problems with applications that run at startup can cause logon delays or even prevent you from completing Windows startup in Normal mode. If a problem occurs after installing new software, you can temporarily disable or uninstall the application to verify that the application is the source of the problem. If the problem occurs immediately after updating or installing an application, try uninstalling the application. The following sections provide techniques for temporarily disabling startup applications.

Disabling Startup Applications by Using the SHIFT Key

One way you can simplify your configuration is to disable startup applications. By holding down the SHIFT key during the logon process, you can prevent the operating system from running startup programs or shortcuts.

Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after logon?
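The script below is an added example and not part of the course text. It gathers the information that both the after-logo and after-logon procedures above depend on: which services are set to start automatically but are not running, which programs are launched at logon from the Run and RunOnce keys and the Startup folders, and which errors the System log recorded in the last hour. With that inventory you can decide what to disable temporarily (for example `sc.exe config <name> start= demand` for a service) before the next restart. It assumes Windows Server 2008 with PowerShell 2.0 and an elevated session, run from Safe Mode or after a successful start.

```powershell
# Added example (not from the course): inventory of services, logon startup
# entries and recent System-log errors to decide what to disable. Assumes
# Windows Server 2008, PowerShell 2.0, elevated session.

function Get-AutoStartServiceProblem {
    # Win32_Service exposes the start mode, which Get-Service does not.
    Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-LogonStartupEntry {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($p in $props.PSObject.Properties) {
                # Get-ItemProperty adds PSPath, PSDrive etc.; real values have other names.
                if ($p.Name -notmatch '^PS') {
                    New-Object PSObject -Property @{ Source = $k; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -Force | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
                New-Object PSObject -Property @{ Source = $f; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Get-RecentSystemError([int]$Hours = 1) {
    Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddHours(-$Hours) |
        Select-Object TimeGenerated, Source, EventID, Message
}

'== Automatic services that are not running =='
Get-AutoStartServiceProblem | Format-Table Name, State, PathName -AutoSize

'== Programs started at logon =='
Get-LogonStartupEntry | Format-Table Source, Name, Command -AutoSize

'== System log errors in the last hour =='
Get-RecentSystemError | Format-Table TimeGenerated, Source, EventID -AutoSize
```

Disable one item at a time and restart between changes; changing several at once tells you that the problem is in the set, not which member caused it.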

Recovering from Hardware Problems

Key Points

Although most hardware-related problems do not stop Windows Server 2008 from successfully starting, hardware-related problems can appear before the logo would normally appear in the startup process. The causes are typically improper device configuration, incorrect driver settings, or hardware malfunction and failure, and symptoms include warning messages, startup failures, and Stop messages. You can also use the suggestions provided on the companion CD for troubleshooting hardware issues not directly related to startup.

Question: If you suspected a hardware-related problem, what would be the first things you would check?

Lab A: Planning Windows Server 2008 Backup Policy

Exercise 1: Evaluating the Existing Backup Plan

Scenario

At Woodgrove Bank, data for several departments is stored across servers on the network. In the New York office, several file servers are part of a domain-based Distributed File System (DFS) namespace and host the following shares:

• Sales. This share holds the shared data for the Sales department. The Sales department updates it regularly with budgets, forecasts, and sales figures.
• Finance. This share holds important data for the Finance department that supplements the Finance application database. The Finance database should not form part of your backup plan.
• Human Resources. This share holds highly confidential data for the Human Resources department. You have encrypted some of this data by using EFS.

• Technical Library. This share holds technical information for the IT department, such as white papers and guidance documents. The IT department updates this information infrequently.
• Projects. This share holds documents that relate to any projects that are running at the New York office and changes frequently.

In addition to the file servers, you are responsible for ensuring that four intranet Web servers and two domain controllers can have the data or server restored in the event of a disaster. Web pages on the intranet Web sites do not change frequently. Currently, there is a scheduled weekly backup of the volumes that contain the shares on the file servers and the volumes that contain the Web page content on the Web servers.

In this exercise, you must review the existing backup plan against requirements that the management team at Woodgrove Bank has specified.

The main tasks for this exercise are as follows:

1. Review the existing backup plan.
2. Propose changes to the backup plan.

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines

1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Review the existing backup plan

1. You have agreed that no more than one day's critical data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement?
2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you address them?
3. You have also agreed that, if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way?

Task 3: Propose changes to the backup plan

1. Propose an appropriate backup frequency for the shares in the following table:

   Backup              Frequency
   Sales
   Finance
   Human Resources
   Technical Library
   Projects

2. How would you address the requirement to restore the servers, and how frequently would you back up the servers?

Results: After this exercise, you should have reviewed the existing backup plan and proposed changes to the backup plan.

Exercise 2: Updating the Backup Policy

Scenario

The management team at Woodgrove Bank has decided that an SLA should be put in place for the mission-critical data that is stored on the intranet file servers and Web servers. The SLA will specify availability for data and the recovery of deleted items. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as quickly as possible in the event of a disaster.

In addition, Woodgrove Bank must also comply with legal regulations that state how long the bank must keep customer and financial data. You must keep Human Resources and financial information for a minimum of seven years. In the event of an audit, you must provide access to this data within three working days. Failure to comply with these requirements entails heavy fines and penalties for the company.

In this exercise, you will examine the SLA and legal requirements and propose solutions to ensure compliance.

The main tasks for this exercise are as follows:

1. Create a backup strategy to comply with the SLA.
2. Create a backup strategy to comply with legal requirements.

Task 1: Create a backup strategy to comply with the SLA

1. What factors affect how quickly you can restore data?
2. Given that you have a limited budget to meet the SLA requirements, how could you maximize your budget while providing backup for all of the network data for which you are responsible?

Task 2: Create a backup strategy to comply with legal requirements

• How will you ensure that the required data is stored for the minimum legal requirement period and that the data is available for audit purposes when it is required?

Results: After this exercise, you should have created a backup strategy to comply with the SLA and legal storage requirements.

Exercise 3: Reviewing Backup Policy and Plans

Scenario

In this exercise, you will share your solutions with the class in an instructor-led discussion. The main task for this exercise is to discuss your solutions with the class. Be prepared to add solutions from your own experience at work to the discussion.

Exercise 4: Implementing the Backup Policy

Scenario

In this exercise, you will implement a backup policy for the NYC-SVR1 file server.

The main tasks for this exercise are as follows:

1. Initialize the backup storage volume.
2. Create the new backup schedule.
3. Back up the domain recovery agent's private key.

Task 1: Initialize the backup storage volume

1. Log on to 6419A-NYC-SVR1 by using the following information:
   • User name: Woodgrovebank\Administrator
   • Password: Pa$$w0rd
2. Use Disk Management to create a maximum-size simple volume on Disk 2. Use a quick format.

Task 2: Create the new backup schedule

• Use Windows Server Backup to create a new backup schedule. The backup should include the file shares on the E: volume and back up to Disk 2, and you should schedule the backup for 12:30 and 21:00 every day.

Task 3: Back up the Domain Recovery Agent's Private Key

1. On NYC-DC1, use the Group Policy Management Editor to browse to the Encrypting File System public key policy (located in Default Domain Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System).
2. From the Group Policy Management Editor, export the File Recovery certificate private key to C:\AdminKey.pfx using a password of Pa$$w0rd.

Results: After these tasks, you should have initialized a new disk and created the new backup schedule by using Windows Server Backup.
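The following script is an added example and not part of the lab text. It is the scripted equivalent of Task 2: it creates a Windows Server Backup policy that backs up the E: volume of NYC-SVR1 to the dedicated backup disk every day at 12:30 and 21:00, using the Windows.ServerBackup snap-in. It assumes that the Windows Server Backup command-line tools feature is installed on NYC-SVR1 and that Disk 2 is the disk prepared in Task 1; check the output of Get-WBDisk before running it, because a disk chosen as a backup target is reformatted and dedicated to backups.

```powershell
# Added example (not from the lab): scheduled backup of E: to Disk 2 with the
# Windows Server Backup snap-in. Assumes the command-line tools feature is
# installed on NYC-SVR1 and that Disk 2 is the dedicated backup disk.

Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

function New-ScheduledVolumeBackup([string]$VolumePath, [int]$TargetDiskNumber, [string[]]$Times) {
    $policy = New-WBPolicy

    # Source: the volume that holds the file shares.
    $volume = Get-WBVolume -VolumePath $VolumePath
    if (-not $volume) { throw "Volume $VolumePath not found" }
    Add-WBVolume -Policy $policy -Volume $volume

    # Destination: a whole disk. Set-WBPolicy reformats it and removes its
    # drive letter, so the lab volume created in Task 1 will not survive.
    $disk = Get-WBDisk | Where-Object { $_.DiskNumber -eq $TargetDiskNumber }
    if (-not $disk) { throw "Disk $TargetDiskNumber not found; run Get-WBDisk" }
    $target = New-WBBackupTarget -Disk $disk -Label 'NYC-SVR1 backups'
    Add-WBBackupTarget -Policy $policy -Target $target

    # Schedule: only the time part of each DateTime is used, daily.
    $schedule = $Times | ForEach-Object { [DateTime]$_ }
    Set-WBSchedule -Policy $policy -Schedule $schedule

    # Set-WBPolicy asks for confirmation because the target disk will be
    # formatted; -AllowDeleteOldBackups lets it replace an existing policy.
    Set-WBPolicy -Policy $policy -AllowDeleteOldBackups
    $policy
}

New-ScheduledVolumeBackup -VolumePath 'E:' -TargetDiskNumber 2 -Times '12:30', '21:00'

# Verify what was stored, including the next run time.
Get-WBPolicy
Get-WBSummary | Select-Object NextBackupTime, LastSuccessfulBackupTime, NumberOfVersions
```

The first scheduled run is a full copy of E:; later runs transfer only changed blocks, which is why two runs a day on a file server are affordable and why the weekly schedule in Exercise 1 was never the cheapest option.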

Task 4: Lab Shutdown
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Lab B: Planning Windows Server 2008 Restore

Exercise 1: Evaluating Backup Data

Scenario
Woodgrove Bank has file servers that store shared data for several departments. The server NYC-FS1 has file shares, including the Human Resources (HR) share, on a redundant array of independent disks (RAID) 5 volume that is labeled E:. Previous versions are not enabled on the E: volume.

At present, a member of the backup team performs a manual full backup of the E: volume by using Windows Server Backup on a Friday evening. The backup takes 20 hours to complete because of the volume of data to back up. After the backup completes, the backup team sends a copy of the backup to secure off-site storage.

In this exercise, you will analyze the backup data against restore requirements.

The main tasks for this exercise are as follows:
1. Start the NYC-DC1, NYC-SVR1, and NYC-INF virtual machines.
2. Evaluate file restoration.
3. Restore EFS files.
4. Evaluate server restore.

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-INF virtual machines
1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-INF, click Launch.
5. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Evaluate file restoration
On Thursday, a member of the HR department asks you to restore an important file, which he created two days ago but someone subsequently deleted.
1. Why can you not restore the file?
2. How could you change the backup strategy so that it is possible to restore files that have changed more recently?
3. What other effects would a change in backup strategy cause?

Task 3: Restore EFS files
Members of the HR department have encrypted some of the files that are stored on the HR share by using EFS. The HR director asks you to restore some encrypted confidential files that were originally written by Tommy Hartono, who has since left the company.
• After you have restored the files, how can you provide access to the files for the HR director?

Task 4: Evaluate server restore
On Wednesday, the server NYC-FS1 suffers a hardware failure. Both the C: and E: volumes are lost.
1. How can you restore the server and data?
2. How could you make the restore process easier?

Results: After this exercise, you should have analyzed the backup data against the restore requirements.

Exercise 2: Planning a Restore

Scenario
In this exercise, you will plan for trial restore operations to test your backups.

The main task for this exercise is to plan a trial restore.

Task 1: Plan a trial restore
1. In the following table, list the hardware and software requirements for performing a trial restore:
   Requirements:
2. What additional consideration must you make for performing a trial restore of the HR data on NYC-FS1?
3. With what types of backup data should you perform a trial restore?

Results: After this exercise, you should have planned for trial restore operations.

Exercise 3: Investigating a Failed Restore

Scenario
Users have reported that some files in the Technical Library share on 6419A-NYC-SVR1 appear to be the wrong version. In this exercise, you will investigate the files and resolve the problem.

The main tasks for this exercise are as follows:
1. Determine the reason for the wrong file version.
2. Create a Restore Operators group.
3. Separate the Backup and Restore roles.

Task 1: Determine the reason for the wrong file version
1. Log on to 6419A-NYC-SVR1 by using the following information:
   • Username: Woodgrovebank\Administrator
   • Password: Pa$$w0rd
2. Review the backup logs.
3. What operation was last performed?

Task 2: Create a Restore Operators group
• Create a new local group on 6419A-NYC-SVR1 that is named Restore Operators.

Task 3: Separate the Backup and Restore roles
• Edit the local security policy on 6419A-NYC-SVR1 by using the following settings:
  • Prevent the Backup Operators group from being able to restore files.
  • Allow the Restore Operators group to restore files.

Results: After this exercise, you should have investigated a failed restore and changed the backup policy.
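Tasks 2 and 3 change two user rights in the local security policy: "Back up files and directories" (SeBackupPrivilege) and "Restore files and directories" (SeRestorePrivilege), which by default are both held by Administrators and Backup Operators. The script below is an added example, not part of the course lab, that makes the same change from an elevated PowerShell prompt on NYC-SVR1 by creating the local group, exporting the user-rights area of the local policy with secedit, rewriting the two privilege lines, and configuring the policy back. The group name is the lab's; the privilege names, well-known SIDs and the "SeX = *SID,*SID" line format under [Privilege Rights] are the documented secedit template format.

```powershell
# Added example (not from the course lab): run elevated on NYC-SVR1.

function New-LocalGroupIfMissing {
    param([string]$Name, [string]$Comment)
    & net localgroup $Name 2>&1 | Out-Null          # exit code 0 when the group already exists
    if ($LASTEXITCODE -ne 0) {
        & net localgroup $Name /add /comment:"$Comment" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not create local group '$Name'" }
    }
}

function Get-AccountSid {
    param([string]$Account)                         # e.g. 'BUILTIN\Backup Operators'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-UserRightHolders {
    # Replaces the holders of one user right with exactly the given SIDs:
    # export the USER_RIGHTS area, rewrite the line, configure it back.
    param([string]$Privilege, [string[]]$Sids)
    $cfg = Join-Path $env:TEMP "$Privilege.inf"
    $db  = Join-Path $env:TEMP "$Privilege.sdb"
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed' }
    $line  = "$Privilege = " + (($Sids | ForEach-Object { "*$_" }) -join ',')
    $lines = Get-Content $cfg                        # secedit writes Unicode with a BOM
    if ($lines -match "^$Privilege\s*=") {
        $lines = $lines -replace "^$Privilege\s*=.*$", $line
    } else {
        $lines = $lines -replace '^\[Privilege Rights\]\s*$', "[Privilege Rights]`r`n$line"
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    & secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed for $Privilege" }
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

$admins   = Get-AccountSid 'BUILTIN\Administrators'    # S-1-5-32-544
$backupOp = Get-AccountSid 'BUILTIN\Backup Operators'  # S-1-5-32-551
New-LocalGroupIfMissing -Name 'Restore Operators' -Comment 'Restore files and directories only'
$restore  = Get-AccountSid 'Restore Operators'

# Backup Operators keep only SeBackupPrivilege; SeRestorePrivilege moves to the new group.
Set-UserRightHolders -Privilege 'SeBackupPrivilege'  -Sids @($admins, $backupOp)
Set-UserRightHolders -Privilege 'SeRestorePrivilege' -Sids @($admins, $restore)

# Check the rights as now held in the local policy.
$verify = Join-Path $env:TEMP 'verify.inf'
& secedit /export /cfg $verify /areas USER_RIGHTS | Out-Null
Select-String -Path $verify -Pattern 'Se(Backup|Restore)Privilege'
Remove-Item $verify
```

Two caveats. First, on a domain member the user-rights assignments in any applicable domain GPO override the local policy, so if a GPO defines either right this change must be made there, not locally. Second, this separation prevents an operator from accidentally overwriting newer files, which is the problem in this exercise, but it is not a security boundary: SeBackupPrivilege bypasses NTFS permissions for reading every file on the server (including the HR share) and SeRestorePrivilege bypasses them for writing and allows ownership to be set, so members of either group must be treated as administrator-equivalent on that server.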

Exercise 4: Restoring System State Data

Scenario
The infrastructure team at Woodgrove Bank has escalated a problem with Dynamic Host Configuration Protocol (DHCP). The DHCP service on 6419A-NYC-INF cannot start and the server reports a general error. In this exercise, you will perform a system state restore to repair the server.

The main tasks for this exercise are as follows:
1. Back up and restore specific files and folders.
2. Check the state of the DHCP service.
3. Perform a system state restore.

Task 1: Back up and restore specific files and folders
1. Log on to 6419A-NYC-INF by using the following information:
   • Username: Woodgrovebank\Administrator
   • Password: Pa$$w0rd
2. Back up the E: volume.
3. Delete a file.
4. Use Windows Server Backup to recover the file.

Task 2: Check the state of the DHCP service
1. Run the Windows Server Backup.
2. Is the DHCP service running?

3. Cancel the backup after a couple of minutes.

Task 3: Perform a system state restore
1. Use the following command to get the backup version identifier:
   wbadmin get versions -backuptarget:f:
2. Use the following command to perform the system state restore:
   wbadmin start systemstaterecovery -version:<version identifier> -backuptarget:f:

Results: After this exercise, you should have seen how to back up and recover files from the command line and from the Windows Server Backup utility.

Task 4: Lab Shutdown
1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
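The two wbadmin commands above, and the one-off backup and file recovery from Task 1, can be chained so that the version identifier is picked automatically instead of copied from the screen. The script below is an added example, not part of the course lab: it runs in an elevated PowerShell prompt on NYC-INF, backs up E: to F:, recovers one file from the newest backup version, checks the DHCP service, and then restores the system state from that version. F: as the backup target, E: as the data volume and the service name DHCPServer are the lab's; the file path is hypothetical; the parsing of the wbadmin get versions output ("Version identifier: MM/dd/yyyy-HH:mm" lines) is an assumption about the English-language output format.

```powershell
# Added example (not from the course lab): run elevated on NYC-INF.

function Get-WbLatestVersionId {
    param([string]$BackupTarget)
    $out = & wbadmin get versions "-backuptarget:$BackupTarget" | Out-String
    $ids = [regex]::Matches($out, 'Version identifier:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
    if (-not $ids) { throw "No backup versions found on $BackupTarget" }
    # Identifiers are MM/dd/yyyy-HH:mm (assumed); sort as dates rather than trusting list order.
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $ids | Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $culture) } | Select-Object -Last 1
}

function Backup-VolumeOnce {
    # Task 1: one-off backup of a volume to the target.
    param([string]$Volume, [string]$BackupTarget)
    & wbadmin start backup "-backuptarget:$BackupTarget" "-include:$Volume" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin start backup failed (exit code $LASTEXITCODE)" }
}

function Restore-FileFromBackup {
    # Task 1: recover one deleted file from the newest version, overwriting if it exists.
    param([string]$Path, [string]$BackupTarget)
    $v = Get-WbLatestVersionId -BackupTarget $BackupTarget
    & wbadmin start recovery "-version:$v" "-itemtype:File" "-items:$Path" `
        "-backuptarget:$BackupTarget" "-overwrite:Overwrite" -quiet
    if ($LASTEXITCODE -ne 0) { throw "File recovery of $Path failed (exit code $LASTEXITCODE)" }
}

function Get-DhcpServiceStatus {
    # Task 2: 'Running', 'Stopped', etc., or 'NotInstalled' if the role is absent.
    $svc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Restore-SystemStateFromBackup {
    # Task 3: the two wbadmin commands from the lab, with the version chosen automatically.
    param([string]$BackupTarget)
    $v = Get-WbLatestVersionId -BackupTarget $BackupTarget
    Write-Host "DHCP service before restore: $(Get-DhcpServiceStatus)"
    # NYC-INF is a member server, so the restore runs online (a domain controller would
    # need Directory Services Restore Mode). The whole system state (registry, COM+,
    # boot files) rolls back to version $v, not only the DHCP configuration.
    & wbadmin start systemstaterecovery "-version:$v" "-backuptarget:$BackupTarget" -quiet
    if ($LASTEXITCODE -ne 0) { throw "System state recovery failed (exit code $LASTEXITCODE)" }
    Write-Host "System state $v restored; restart the server, then verify with:"
    Write-Host "  Get-Service DHCPServer; Get-EventLog -LogName System -Newest 50 | ? { `$_.Source -like '*DHCP*' }"
}

Backup-VolumeOnce -Volume 'E:' -BackupTarget 'f:'
Restore-FileFromBackup -Path 'E:\Data\example.txt' -BackupTarget 'f:'   # hypothetical path
Restore-SystemStateFromBackup -BackupTarget 'f:'
```

Because the system state restore replaces the registry wholesale, any configuration change made to NYC-INF after the chosen backup version (new scopes, reservations, local accounts, installed updates) is lost along with the fault, so record the version identifier you restored and re-check the DHCP scopes after the restart rather than assuming the service starting means the server is back to its intended state.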

Module Review and Takeaways

Review Questions
1. What should you consider for your server restore policy?
2. What considerations should you take into account for the recovery of encrypted data?
3. What steps should you take to verify restored data?
4. How do you know whether your backups are successful?
5. What provisions should you make for backup storage?

Real-World Issues and Scenarios
• Your organization currently runs Microsoft Windows 2000 Server servers. What do you anticipate the main issues will be when you back up data after you have migrated to Windows Server 2008?
• How do you plan to archive backup data after your migration?
• How will you restore previous versions of files from Windows 2000 Server after your migration?

Best Practices Related to Windows Server 2008 Backup
Supplement or modify the following best practices for your own work situations:
• Do not add information technology (IT) administrators who require only the right to back up files and folders to the Backup Operators group.
• Create a local group and assign rights to back up files and folders on relevant servers.
• Perform regular backups to enable data to be restored to a point in time.
• Develop an archive solution for your data to enable off-site storage.
• Educate users to enable them to recover their own files by using the Volume Shadow Copy Service (VSS).

Best Practices Related to Windows Server 2008 Restore
Supplement or modify the following best practices for your own work situations:
• Add IT administrators who require the right to restore files and folders to the Backup Operators group.
• Restrict membership of the Backup Operators group solely to administrators who are allowed to restore files and folders.
• Perform regular trial restore procedures to test your restore strategy.
• Do not overwrite data files with older data.
• Educate users to enable them to recover their own files by using VSS.

Best Practices Related to Backup Policies
Supplement or modify the following best practices for your own work situations:
• Identify the data sources that require backing up.
• Identify specific requirements for backing up data, such as SLAs, legal requirements, and the quantity of data that it is acceptable to lose.
• Choose appropriate backup hardware, media, and software.
• Specify your backup schedule.
• Specify your backup operators.
• Perform trial data and server restore operations.

Tools

Tool: Windows Server Backup Console
Use for:
• Backing up Windows Server 2008 data (application servers and databases can also be backed up).
• Performing manual backups of Windows Server 2008 volumes.
• Scheduling backups of the Windows Server 2008 operating system volumes.
• Performing system state backups.
• Managing backup media.
Where to find it: On the Administrative Tools menu, after you have installed the Backup feature.

Tool: Wbadmin.exe
Use for:
• Scripting Windows Server 2008 backup tasks.
Where to find it: At the command prompt, after you have installed the Backup feature.

Tool: System Center Data Protection Manager
Use for:
• Creating a data storage hierarchy.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=121141

Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.