Official Microsoft Learning Product
6419B
Volume 1
Nova 4, LLC
Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
2011 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.
Configuring, Managing, and Maintaining Windows Server 2008-based Servers
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Overview of the Windows Server 2008 Management Environment
Lesson 1: Understanding the Windows Server 2008 Environment
Module 10: Using Group Policy to Configure User and Computer Settings
Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts
About This Course
Course Description
This course is designed to provide foundation skills in networking and Windows Server security, network
services, and administration.
Audience
Candidates for this course are information technology (IT) professionals who work in medium to large
organizations. The primary candidate is a Windows Server administrator who operates Windows Servers
on a daily basis and who requires the skills for configuring, managing, and maintaining servers installed
with Windows Server 2008, including the Release 2 (R2) edition. Candidates are typically responsible for
day-to-day management of the server operating system and various server roles such as Dynamic Host
Configuration Protocol (DHCP), Domain Name System (DNS), file and print services, directory services, and
software distribution. This course may also be considered in combination with other exam preparation
materials for candidates wishing to prepare for Microsoft Certified Technology Specialist (MCTS) and
Microsoft Certified IT Professional (MCITP) certification in Windows Server 2008.
Student Prerequisites
This course requires that you meet the following prerequisites:
At least one year experience in operating Windows Servers in the area of account management,
server maintenance, server monitoring, or server security
Certification related to the Microsoft Technology Associate (MTA) Networking Fundamentals, Security
Fundamentals, and Windows Server Administration Fundamentals designations, or equivalent
knowledge as outlined in course 6419B: Fundamentals of Windows Server 2008
Course Objectives
After completing this course, students will be able to:
Describe the Windows Server 2008 environment including the roles, features, and tools used to
perform effective server management.
Describe IPv6 addressing and how to install and configure the DNS and DHCP server infrastructure
roles.
Use File Server Resource Manager to assist in data storage capacity management.
Secure remote access by using features such as Virtual Private Networks, Network Access Protection
(NAP), and DirectAccess.
Configure and manage AD DS object permissions, and configure trust between AD DS domains.
Understand the specific settings that can be managed by using Group Policy.
Describe solutions that can be implemented to provide efficient remote office network access.
Plan for and implement performance baselines and perform server monitoring by using monitoring
tools.
Plan for and identify backup and restore strategies and identify steps needed to recover from server startup
issues.
Course Outline
This section provides an outline of the course:
Module 1, Overview of the Windows Server 2008 Management Environment In this module, you
will gain familiarity with the components of the operating system and the concepts and terminology
found within the Windows Server 2008 environment.
Module 2, Managing Windows Server 2008 Infrastructure Roles In this module, students will learn
the benefits and technologies associated with IPv6. You will learn the features and configuration options
available to implement the DNS and DHCP server roles.
Module 3, Configuring Access to File Services In this module, you will learn the concepts and
terminology involved in file services, and receive guidance on the practical management of a file
services infrastructure within the Windows Server 2008 environment.
Module 4, Configuring and Managing Distributed File System In this module, you will learn about
the Distributed File System (DFS) solution that you can use to meet challenges by providing fault-tolerant
access and WAN-friendly replication of files located throughout an enterprise.
Module 5, Managing File Resources Using File Server Resource Manager In this module, you will
learn about the various options available for installing Windows Server, and complete an installation. You
will also launch a local media setup and then perform the post-installation configuration of a server.
Module 6, Configuring and Securing Remote Access In this module, you will understand how to
configure and secure your remote access clients by using network policies, and where appropriate,
Network Access Protection (NAP).
Module 7, Managing Active Directory Domain Services In this module, you will learn how to review
key concepts and directory services structure. You will take a high-level look at the major components of
AD DS and how they fit together. You will also receive hands-on experience working with these
components and their associated tools.
Module 8, Configuring Active Directory Object Administration and Domain Trust In this module,
you will learn how to configure permissions and delegate administration for Active Directory objects. This
module also describes how to configure and manage Active Directory trusts.
Module 9, Creating and Managing Group Policy Objects In this module, you will understand how
administrators deliver and maintain customized desktop configurations, ensure the security of a
geographically and logistically dispersed collection of computers, and provide administration and
management for an increasingly complex and growing computing environment.
Module 10, Using Group Policy to Configure User and Computer Settings In this module, you will
learn the skills and knowledge that you need to use Group Policy to configure Folder Redirection, and
how to use scripts.
Module 11, Implementing Security Settings Using Group Policy In this module, you will
understand security-related components that can assist you in implementing security policies in your
environment.
Module 12, Providing Efficient Network Access for Remote Offices In this module, you will learn
how to provide fast and secure logons at remote offices and place a read only domain controller (RODC)
at the remote office. You will also learn how to use BranchCache to speed up access to data across the
WAN and reduce WAN utilization.
Module 13, Monitoring and Maintaining Windows Server 2008 In this module, you will learn how
to identify components that require additional tuning, and improve the efficiency of your servers.
Module 14, Managing Windows Server 2008 Backup and Recovery In this module, you will learn the
necessary planning for backup and restore procedures, and startup issues, to ensure that you protect data
and servers sufficiently against disasters.
Course Materials
The following materials are included with your kit:
Course Handbook A succinct classroom learning guide that provides all the critical technical information in a
crisp, tightly-focused format, which is just right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.
Modules: Include companion content, such as questions and answers, detailed demo steps and additional
reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module
Reviews and Takeaways sections, which contain the review questions and answers, best practices, common
issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.
Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.
Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation
to provide feedback on the course, training facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not save any
changes. To close a virtual machine without saving the changes, perform the following steps: 1. On
the virtual machine, on the Action menu, click Close. 2. In the Close dialog box, in the What do you
want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following virtual machines are used in this course:
6419B-NYC-DC1
6419B-NYC-DC2
6419B-NYC-SVR1
6419B-NYC-EDGE1
6419B-INET1
6419B-NYC-CL1
6419B-NYC-CL2
6419B-NYC-SVRCORE
6419B-VAN-DC1
Software Configuration
The following software is installed on each VM:
Windows 7
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All the virtual
machines are deployed on each student computer.
4 GB RAM
DVD drive
Network adapter
*Striped
Module 1
Overview of the Windows Server 2008 Management Environment
Module Overview
Familiarity with the operating system of your servers is the first and most important step towards
effectively managing a server infrastructure. Knowledge of the operating system structure, key
components, common management tools, versions and editions, features, and even its limitations will
help you to configure your server infrastructure in a way that best utilizes the capabilities of your servers
to serve your business needs.
This module will provide you with an overview of all of the above areas as they pertain to Windows
Server 2008. You will gain familiarity with the components of the operating system and the concepts
and terminology found within the Windows Server 2008 environment.
Objectives
After completing this module, you will be able to:
Describe the considerations for implementing and managing a Windows Server 2008 environment.
Lesson 1
Windows Server 2008 builds upon the familiar Windows operating system features that most users and
administrators are familiar with. The initial release of Windows Server 2008 shares its core build
fundamentals and its look and feel with Windows Vista. Windows Server 2008 R2 shares the same
aspects with Windows 7.
However, unlike the desktop client operating systems, Windows Server 2008 is designed to provide a
robust and complete server platform to meet all the server-based needs of most network environments.
Objectives
After completing this lesson, you will be able to:
Describe the factors for choosing between physical vs. virtual implementations.
Key Points
Windows Server 2008 is available in different editions to support the various server and workload needs of
network environments. Each edition of Windows Server 2008 is packaged with a unique set of features
that target that edition to a particular environment or even a specific role. The seven editions of Windows
Server 2008 deal with almost every possible type of server implementation you would find or require in a
network environment.
Note: This course covers functionality for both releases of Windows Server 2008. The initial release of
Windows Server 2008 was made available in early 2008. A second release, Windows Server 2008 R2,
came available in the middle of 2009. These two releases are treated as distinct versions of Windows
Server. When discussing the Windows Server 2008 operating system, three separate terms will be used
to differentiate which release is being referenced.
The term Windows Server 2008 initial release will be used to refer to the initial, early 2008 release of the
operating system.
The term Windows Server 2008 R2 will be used to refer to the 2009 second release.
The term Windows Server 2008 will be used to refer to features or discussion relating to both releases
and as a general term for the Windows Server 2008 operating system.
The following table lists the most commonly used Windows Server 2008 R2 editions.
Edition: Windows Server 2008 R2 Foundation operating system
Description: A cost-effective advanced server platform that targets small business owners and information technology (IT) generalists. Windows Server Foundation is designed to provide core server features at a low cost. Windows Server Foundation is capable of supporting only one processor and up to 8 gigabytes (GB) of Random Access Memory (RAM).
Edition: Windows Server 2008 R2 Standard operating system
Description: The Windows Server Standard edition offers the most commonly used features in Windows Server 2008 and is designed to meet almost all general server computing requirements. It adds features like Server Core, Hyper-V, and DirectAccess to the functionality of Windows Server Foundation. Windows Server Standard supports up to 4 processors and up to 32 GB of RAM.
Edition: Windows Server 2008 R2 Enterprise operating system
Edition: Windows Server 2008 R2 Datacenter operating system
The following specialized editions of Windows Server 2008 are also available.
Edition: Windows Web Server 2008 R2 operating system
Description: A Web application and services platform, Windows Web Server 2008 includes Internet Information Services (IIS) 7.5 and is designed as an Internet-facing server. Windows Web Server 2008 includes Web server and Domain Name System (DNS) server roles.
Edition: Windows Server 2008 R2 HPC Edition
Edition: Windows Server 2008 for Itanium-based Systems operating system
Note: When discussing processor support, it is important to note that the numbers provided here refer
to physical processors, not processor cores. A single physical processor may have multiple cores that
allow for multiple applications or threads to use the processor at the same time in a co-operative
manner.
These charts list the editions available for the most recent version of Windows Server, Windows Server
2008 R2. The Foundation edition is not available in the initial release of Windows Server 2008.
Additionally, the initial release of Windows Server 2008 is available with or without Hyper-V, which is the
Windows Server 2008 virtualization platform. Windows Server 2008 R2 ships with Hyper-V included by
default.
Note: Windows Server 2008 R2 is available only for 64-bit hardware platforms. 32-bit hardware
platforms are no longer supported.
Key Points
Windows Server 2008 R2, the most recent version of the Windows Server platform, provides a number of
improvements and new features not found in the initial release of Windows Server 2008.
While the improvements and features provide a more robust and powerful operating system,
implementing Windows Server 2008 R2 in your environment requires special considerations.
x64 is the industry standard architecture found in most AMD and Intel-based platforms. The x64
architecture is the most common 64-bit architecture found in 64-bit servers.
Itanium-based systems are built around Intel 64-bit Itanium (IA64) processors and are most
commonly used for mathematically complex or intensive applications such as large databases.
Windows Server 2008 R2 will be the last version of Windows Server to support the Itanium processor
architecture.
Because of the 64-bit requirement, servers being upgraded or migrated to Windows Server 2008 R2 will
need to be examined to ensure they are based on a 64-bit platform.
There may be instances in your environment where a 32-bit version of Windows Server 2003 or the initial
release of Windows Server 2008 is running on a 64-bit hardware platform. These systems are capable of
running Windows Server 2008 R2. However, there is no direct upgrade path between 32-bit and 64-bit
versions of Windows Server.
Upgrade Paths
When directly upgrading a previous version of Windows Server, only specific upgrade paths are supported
between versions. Keep in mind that because of the 64-bit requirement of Windows Server 2008 R2, all
previous versions of Windows Server operating systems must be 64-bit operating systems.
The following tables illustrate the most common supported upgrade paths.
From Windows Server 2003 (SP2, R2) edition: To Windows Server 2008 R2 edition(s)
Standard: Standard, Enterprise
Enterprise: Enterprise, Datacenter
Datacenter: Datacenter

From edition: To Windows Server 2008 R2 edition(s)
Standard: Standard, Enterprise
Enterprise: Enterprise, Datacenter
Datacenter: Datacenter
Web: Standard, Web
Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical
computer. Multiple virtual machines can run on one physical server, with all the virtual machines sharing
the resources available on the physical server.
Windows Server 2008 introduces Hyper-V as the first integrated virtualization platform of Windows
Server. Hyper-V provides software infrastructure and basic management tools that you can use to create
and manage a virtualized server computing environment.
Server virtualization can overcome the limitations of physical servers and provide a solution for challenges
that organizations face with their physical environments. The following list describes common
organization challenges:
The factors that make a server a good candidate vary, but any server facing one of the above challenges
should be assessed for potential virtualization.
The Microsoft Assessment and Planning (MAP) Toolkit provides the ability to assess your current IT
infrastructure for a variety of Windows Server 2008 migration projects, including virtualization. The MAP
Toolkit is a powerful inventory, assessment, and reporting tool that can be used to simplify the migration
planning process for a virtualized environment.
Key Points
When configuring a server, many aspects of server management need to be considered to ensure that
your server environment is functioning in the most efficient and consistent manner possible.
The following questions should be answered when configuring and managing a Windows Server 2008
server:
What roles does the server perform within the network infrastructure? The functionality of a server is
determined by the operating system software components that are installed and configured.
Are there specific security needs associated with this server? If a server has specific security needs or is
being located in a physical or network environment where the threat of unauthorized malicious use is
high, steps need to be taken to ensure that users with malicious intent have the fewest areas of the
operating system exposed to them.
How will the server be managed? As you will learn, Windows Server 2008 has a number of different
tools that allow you to manage a Windows Server 2008 server. Different tools allow different
management tasks and capabilities, such as scripting, remote access, high level overviews, or multiple
administrators.
Is there a requirement for server availability? Depending on the role of your Windows Server 2008
server, server availability may be a requirement. Your server may be required by policy or business
logic to provide its services in a consistently available manner. Larger organizations and public
organizations such as emergency services, hospitals, phone and power companies, and many others
cannot afford even a few seconds a year of downtime for important services. The servers providing
these services need to be configured in some type of redundant or fault-tolerant configuration to
ensure consistent availability.
Question: Does your organization manage servers that may have some of the requirements in this topic?
Lesson 2
The usefulness and functionality of a server are determined by the set of components installed and
configured on the server.
In a production environment, determining what components of an operating system need to be installed,
activated, and configured to provide a specific piece of functionality can be an imposing task. In previous
versions of Windows Server, the responsibility was placed on the administrator to determine this list of
components, ensure they were configured correctly, and provide a method of effectively managing these
components.
Windows Server 2008 changes all this with server roles and server features.
Objectives
After completing this lesson, you will be able to:
Key Points
Windows Server 2008 uses a role-based configuration. Operating system functionality is controlled
primarily through server roles.
Server Roles
A server role is a collection of operating system components that work together to provide a specific
aspect of server functionality. Rather than having to determine the components required to provide some
type of functionality, as in previous versions, a Windows Server 2008 server administrator can simply
install the role associated with that functionality. Installing a role prompts Windows Server 2008 to enable
the necessary operating system components required to perform the functionality associated with the
role. This ensures that all the components required are enabled when a role is installed. Also, those
components will be disabled if the role is removed from the server.
Role Services
Server roles comprise one or more role services that represent the individual aspects of functionality that a
role provides. Depending on how a role is being implemented, some role services may or may not be
installed as part of the overall role functionality. Role services allow administrators to build onto the
functionality of a role, depending on the requirements.
For example, Print and Document Services is composed of the following role services:
Print Server
LPD Service
Internet Printing
If you are configuring a Windows Server 2008 server to function as a print server, but do not specifically
require scan services, you should not select the Distributed Scan Server role service to be installed as part
of the Print and Document Services Role.
Multiple Roles
While some roles are typically installed as the only role on a server and provide the core of that server
functionality, multiple roles are often installed to work together to provide multiple aspects of
functionality; or they can be combined to better utilize server hardware resources.
When deploying multiple server roles on a single computer, consider the following:
The capacity of the computer should be sufficient for all the installed roles.
The security requirements for the roles you plan to install must co-exist on a single computer.
The security settings should be configured appropriately for all installed roles.
Possible migration paths should be planned in advance, if the computer becomes overloaded.
Question: How do server roles and role-based configuration make it easier to configure functionality on a
Windows Server 2008 server? Are there ways that role-based configuration makes configuration more
difficult?
Key Points
Windows infrastructure services roles are used to form the underlying framework of software and services
that are used by other applications within the organization and provide application-based services to the
rest of the network.
The following table describes Windows Server 2008 infrastructure and application services roles:
Role: Application Server
Role: DHCP Server
Role: DNS Server
Role: Fax Server
Description: Sends and receives faxes electronically rather than requiring paper-based copies of documents
Role: File Services
Role: Hyper-V
Role: Print Services
Role: Terminal Services
Description: Allows users to run programs on a remote server but view the results in a Remote Desktop window
Also, the Universal Description, Discovery, and Integration Services (UDDI) server role has been removed
from Windows Server 2008 R2. UDDI provides capabilities for sharing information about Web services
between servers, but the server role is unsupported on 64-bit platforms, the only platform on which
Windows Server 2008 R2 will run. A new, stand-alone version of UDDI that supports 64-bit platforms is
available for download from the Microsoft website.
Key Points
Active Directory roles form the core of identity and access management within a Windows Server-based
network. The various Active Directory roles allow for full control over management and access to various
server-based network resources, including users, computers, files, folders, and printers. Also, the Active
Directory server roles allow separate Active Directory infrastructures to seamlessly integrate, allowing for
secured unified administration and information exchange.
The following table lists the Active Directory server roles.
Role: Active Directory Domain Services (AD DS)
Description: Stores information about users, computers, and other devices on the network. AD DS helps administrators securely manage this information and facilitates resource sharing and collaboration between users and organizations.
Role: Active Directory Certificate Services (AD CS)
Role: Active Directory Federation Services (AD FS)
Role: Active Directory Lightweight Directory Services (AD LDS)
Description: Organizations that have applications which require a directory for storing application data can use AD LDS as the data store. AD LDS runs as a non-operating-system service.
Role: Active Directory Rights Management Services (AD RMS)
Key Points
Server features are Windows Server 2008 components that do not specifically fall into the scope of one of
the server roles. Although they are not directly part of a server role, server features can support or add a
complementary functionality to one or more roles, or improve the functionality of the server, regardless of
which roles are installed.
Server features are typically installed individually, independent of other server features and server roles.
Similar to server roles, server features are installed, configured, and managed primarily through the Server
Manager console in Windows Server 2008 R2.
Windows BranchCache
XPS Viewer
Remote Server Administration Tools now includes Active Directory Administrative Center, Remote
Desktop (RD) Connection Broker tools, and BitLocker Recovery Password Viewer.
Note: Windows 2000 Client Support has been removed from Message Queuing in Windows Server
2008 R2.
Also, several features are available only to certain editions of Windows Server 2008. Enterprise level
capabilities like BranchCache Hosted Server and Failover Clustering are not available in the Foundation or
Standard editions. Additionally, DirectAccess Management is not available in the Foundation edition.
Key Points
Server Manager is the key tool used in Windows Server 2008. This demonstration will show you how both
server roles and server features are managed within Server Manager.
In this demonstration, you will learn how to:
Lesson 3
Windows Server 2008 is a robust and powerful operating system that contains a large number of
components and capabilities.
To harness the power of Windows Server 2008, you need to be familiar with the management tools
available, which allow you to effectively manage and administer your Windows Server 2008 servers.
Objectives
After completing this module, you will be able to:
Key Points
There are a variety of methods used to manage a Windows Server 2008 environment. The specific tool or
tools that you will use with Windows Server 2008 may vary, according to how you are managing your
servers.
The most common management tools are briefly described as follows:
Server Manager
Server Manager is the core tool for management of a Windows Server 2008 server. Built on the Microsoft
Management Console (MMC), Server Manager contains console add-ins for all installed server roles and
server features, and a unified collection of tools and operating system information useful in managing
Windows Server 2008, including the following:
Event Viewer
Services console
Performance monitoring
Device Manager
Task Scheduler
Disk Management
Windows Server 2008 R2 introduces several enhancements to Server Manager that are not available in the
initial release of Windows Server 2008.
Server Manager has built-in Best Practices Analyzers (BPAs) from Microsoft to help administrators
ensure that their servers are configured in the most secure and optimal manner possible.
New PowerShell cmdlets have been added that allow you to install, remove, or view information
about available roles by using Windows PowerShell.
Command-Line Tools
Windows Server 2008 has a huge number of command-line tools for use by administrators directly from
the command line, or for inclusion in administrative scripts, batch files, or scripting languages such as
VBScript.
RSAT
The RSAT download is available for Windows client operating systems (Windows Vista, and Windows 7)
and allows for the remote management of Windows Servers from desktop computers.
Windows PowerShell
Windows PowerShell is a task-based command-line shell and scripting language designed specifically for
system administration. It allows administrators to automate and control the management of Windows
computers and applications that run on Windows.
Key Points
This demonstration will show you the Server Manager interface, highlighting the most commonly used
tools and console windows.
In this demonstration, you will learn how to:
Describe how Server Manager unifies administrative consoles for server roles, server features, and
other operating system components.
Find commonly used management tools and console windows within Server Manager.
Key Points
RSAT enables administrators to remotely manage server roles, server features, and other operating system
functionality for a Windows Server 2008 server.
Essentially, RSAT installs MMC consoles for server components on the client operating systems and uses
those consoles to connect remotely to Windows Server 2008 computers to perform management tasks.
When you install RSAT onto the client operating system, you will be given a choice of which consoles you
want to install.
RSAT is typically installed on a Windows client operating system used by someone requiring
administrative access to a Windows Server 2008 server. RSAT is available for both Windows Vista and
Windows 7 client operating systems and offers varying functionality, depending on both the operating
system of the client RSAT is installed on and the version of Windows Server 2008 that is being managed.
When running RSAT on a Windows 7 computer, and connecting to a Windows Server 2008 R2 server, the
following remote management tools are available.
Server Manager
Hyper-V Tools
Key Points
Windows PowerShell is a task-based command-line shell and scripting language designed specifically for
system administration. Built on the .NET framework, PowerShell allows administrators to automate and
control the management of Windows computers and applications that run on Windows.
Windows PowerShell was introduced as part of Windows Vista and the initial release of Windows Server
2008. PowerShell comprises a large number of single-purpose commands, called cmdlets.
Cmdlets are the core building block of PowerShell. They are typically very narrow in scope, performing
only a single task. This provides for a large number of cmdlets with relatively simple syntax and options,
rather than a smaller list with more complex syntax and methods for use.
Cmdlets
Cmdlets in PowerShell are composed by using a verb-noun syntax that makes it relatively easy to
determine the intended purpose of a cmdlet simply by knowing the cmdlet name. The following list
provides some examples of PowerShell cmdlets:
Get-Date
Start-Service
Restart-Computer
Set-ItemProperty
Get-Help
Clear-EventLog
PowerShell cmdlets allow the management of almost any aspect of the Windows operating system, and
any installed applications that support PowerShell.
PowerShell 2.0
PowerShell 2.0, introduced with Windows Server 2008 R2 and Windows 7, adds a number of important
new features and improvements in functionality over the original version of PowerShell shipped with the
initial release of Windows Server 2008 and Windows Vista. The following is a list of the new features
available with PowerShell 2.0:
Remoting
Remoting is one of the most important changes in PowerShell 2.0, and it provides support for
running scripts on remote systems. PowerShell Remoting lets you run scripts on remote networked
systems in a one-to-one, or one-to-many configuration. This new remoting support requires that
PowerShell 2.0 be installed on both the local and remote systems.
Note: PowerShell remoting relies on Windows Remote Management (WinRM). In order for remoting
to work, WinRM must be enabled on the remote computer.
To enable WinRM with its default configuration, you can execute the following command from the
command prompt on the remote computer.
winrm qc
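The one-to-one and one-to-many remoting described above, as an added example that is not part of the course text. It assumes two managed servers named NYC-SVR1 and NYC-SVRCORE (the names used in this module's lab), PowerShell 2.0 on both ends, and that the script runs from an administrator's workstation; the Spooler service query is an illustrative choice, and Enable-PSRemoting, Test-WSMan, Invoke-Command and the PSSession cmdlets are the real PowerShell 2.0 cmdlets.

```powershell
# Added example: PowerShell 2.0 remoting over WinRM, one-to-one and one-to-many.
# Assumed host names NYC-SVR1 and NYC-SVRCORE come from this module's lab; the
# service being queried (Spooler) is an illustrative choice.

# On each server to be managed, run once from an elevated prompt. Enable-PSRemoting
# starts WinRM, registers the PowerShell session configuration and opens the
# firewall for it; it covers what "winrm qc" does and adds the PowerShell endpoint.
#   Enable-PSRemoting -Force

$servers = 'NYC-SVR1', 'NYC-SVRCORE'

# Confirm WinRM answers on each target before trying to run anything remotely.
foreach ($server in $servers) {
    if (Test-WSMan -ComputerName $server -ErrorAction SilentlyContinue) {
        Write-Output "$server : WinRM reachable"
    } else {
        Write-Output "$server : WinRM not reachable (run winrm qc or Enable-PSRemoting there)"
    }
}

# One-to-one: an interactive session on a single server, ended with Exit-PSSession.
#   Enter-PSSession -ComputerName NYC-SVR1

# One-to-many: the same script block runs on every server in the list. Output comes
# back as deserialized objects, each tagged with PSComputerName so the caller can tell
# which server produced it.
$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-Service -Name Spooler | Select-Object Name, Status
}
$results | Format-Table PSComputerName, Name, Status -AutoSize

# For several commands against one server, keep a session open instead of
# reconnecting for each call, and remove it when finished.
$session = New-PSSession -ComputerName NYC-SVR1
Invoke-Command -Session $session -ScriptBlock { Get-Date }
Invoke-Command -Session $session -ScriptBlock { (Get-WmiObject Win32_OperatingSystem).Caption }
Remove-PSSession -Session $session
```

Invoke-Command with -ComputerName opens a temporary session per target and closes it when the script block returns, which is what makes the one-to-many form convenient; the explicit session at the end is the one-to-one form reused across calls.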
Eventing
PowerShell Eventing lets you respond to the notifications that many PowerShell objects support.
Active Directory
AppLocker
Failover Cluster
Group Policy
Server Manager
Note: The additional modules mentioned are installed with their corresponding server role or server
feature. They are not part of the default installation of Windows PowerShell V2. For example, the
Active Directory module and its corresponding cmdlets are installed when the Active Directory
Domain Services server role is installed.
Lesson 4
The Server Core installation option was first introduced in the initial release of Windows Server 2008. It
introduces a stripped down, streamlined version of Windows Server 2008.
This lesson will look at Server Core, its features, capabilities, and limitations, and the tools used to manage
a Server Core installation of Windows Server 2008.
Objectives
After completing this lesson, you will be able to:
Key Points
The Server Core installation option in Windows Server installs Windows Server 2008 with a minimal
feature set.
Server Core offers a smaller subset of server roles and features than the full installation of Windows Server
2008. Additionally, Server Core does not include the Windows Explorer graphical interface. All local
interaction with a Server Core installation must be done by using command-line tools.
The Server Core minimal feature set provides the following benefits:
Malicious users must be familiar with the command line to make changes to the operating system
when accessing a Server Core installation locally.
Hardware requirements are less restrictive for a Server Core installation because of the stripped down
nature of the operating system.
A Server Core installation requires less maintenance than a full installation. The reduced number of
services and applications require fewer updates than a full-featured operating system. Fewer updates
mean fewer restarts of the operating system. This, in turn, leads to increased availability of the server.
Key Points
Server Core supports a subset of the standard Windows 2008 roles, primarily roles that are designed to
provide core network infrastructure.
Server Core supports the following server roles in Windows Server 2008:
DHCP Server
DNS Server
File Services
Print Server
Hyper-V
Key Points
Similar to server roles, Server Core supports a subset of standard Windows Server 2008 features.
Server Core supports the following server features in Windows Server 2008:
Failover Clustering
Multipath I/O
Removable Storage
Telnet client
WINS
.NET Framework
Windows PowerShell
Key Points
Server Core management is a slightly more complicated task than managing a full installation of Windows
Server 2008.
For the initial release of Windows Server 2008, manually entering command-line executables is the only
method available to configure a Server Core installation of Windows Server 2008. While this method is a
deterrent to users with malicious intent who gain access to the server, it also means a more complicated
and tedious work load for those who manage the servers.
Oclist.exe can be executed to show a list of roles and features available on the current server, along
with the current installation status of those roles.
Dism.exe
Dism.exe is the Deployment Image Servicing and Management tool, included with Windows Server 2008
R2. This tool has a wide range of applications in Windows image and configuration management.
One of those applications is the installation and removal of Server Core server roles and server features.
Issuing the following command using Dism.exe will install the DHCP role on a Server Core installation.
Dism /online /enable-feature /featurename:DHCPServerCore
In the line of code above, the command line switches perform the following actions.
The /online switch forces Dism.exe to perform the operation on the currently running
installation of Windows. Dism.exe can also be used to perform operations on offline images of
Windows.
The /enable-feature switch ensures that the feature specified will be installed or enabled. It is
important to note that the word feature in this switch does not refer only to server features.
/enable-feature is used to install both server roles and server features. The /disable-feature
switch will remove an installed role.
The /featurename switch is used to specify the server role or server feature to be installed or
removed. In the case of our example, we are performing our operation on the DHCP server role.
To determine the current status of server roles and features, execute the following command.
Dism /online /get-features
Note: The role and feature names used for ocsetup and dism are the same. DHCPServerCore is used to
refer to the DHCP server role for both tools. It is important to note that these names are also case
sensitive. For example, using dhcpservercore as a feature name will result in an error with either tool.
Sconfig.exe
Sconfig is a command-line executable that starts a text-based menu for administering a Server Core
installation. Common administration tasks are available in a numbered list for execution. When an
administrator chooses a number from the list, sconfig carries out the configuration command by
using command-line programs without the administrator having to manually enter code.
Sconfig supports the following configuration areas on a Server Core installation of Windows Server
2008 R2.
Network Settings
Shutdown/Restart server
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
You have been asked to complete the final configuration for a server being deployed to the Contoso,
Ltd.'s New York City location. Your supervisor, Ed Meadows, has sent you an email detailing the
requirements for the final configuration steps that need to be taken on the server.
The main tasks for this exercise are as follows:
From: Ed Meadows [Ed@contoso.com]
Sent: Apr 20 2010 14:20
To: you@contoso.com
Subject: NYC-SVR1 deployment
Hi,
We've arranged to have the new server for the New York City location physically deployed while you are
onsite there.
The server name is NYC-SVR1 and it's to be configured as a print server for the New York office. They've
just deployed Windows 7 to all desktops in that location and they're switching away from users having
printers connected directly to their machines and setting up network printers in various locations in the
office, instead.
After you've completed the initial configuration, the server administration team in New York will take over
the management of the server. They're located on the fifth floor and this server will be on the eighth floor,
so they'd like to have some type of remote access to the server to perform their management tasks. I
believe there are four of them who will be working together to manage the server; I'll leave the solution
for this up to you.
One more thing, the New York admins would also like to be able to back up the server on a regular basis,
so I'd like you to configure the server to give them the ability to do local backups.
That's it for now, let me know if you need anything, and enjoy New York.
Regards,
Ed
Task 2: Determine the server roles, server features, and installation types.
You
Apr 24, 2011
Requirements Overview
To determine the server roles and features to be installed on the newly deployed NYC-SVR1.
Additional Information
The server must be able to provide network printing capabilities for the New York City office.
Administrators in New York will manage the server from their desktop computers and will also be
responsible for ensuring the new server is backed up.
Questions
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be configured?
2. What additional server features will be needed to fulfill the requirements specified by Ed?
3. Are there any additional management considerations that need to be considered for the ongoing management of NYC-SVR1?
Results: After completing this exercise, you should have determined the server roles, server features,
and installation types to install on NYC-SVR1, according to the requirements document.
Use Server Manager to install the Print and Document Services Server Role.
Use Server Manager to install the Windows Server Backup Features.
Task 1: Use Server Manager to install the Print and Document Services Server Role.
1. Connect to the 6419B-NYC-SVR1 virtual machine and log on with the user name Administrator and the password Pa$$w0rd.
2. Open Server Manager from the Start Menu.
3. Open the Roles node in Server Manager and add the Print and Document Services server role.
Task 2: Use Server Manager to install the Windows Server Backup Features.
Result: After completing this exercise, you will have used Server Manager to install server roles and
server features.
Configuration settings supplied for the server:
IP address type: STATIC
IP address: 10.10.0.20
Subnet mask: 255.255.0.0
Default gateway: 10.10.0.1
DNS server: 10.10.0.10
Alternate DNS server: None
Domain membership: Contoso.com
Computer name: NYC-SVRCORE
Please install the Windows Server Backup feature on this server so the New York IT staff can perform
backup and recovery operations.
Please enable remote administration to allow the New York IT staff to manage this server remotely by
using Server Manager.
The main tasks for this exercise are as follows:
1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name Administrator and the password Pa$$w0rd.
2. Start Sconfig and use the menu options to configure the IP address settings according to the information supplied.

1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name Administrator and the password Pa$$w0rd.
2. Run the Dism command using the /online and /get-features switches to confirm that the WindowsServerBackup feature is not installed.
3. Run the Dism command using the /online, /enable-feature and /featurename: switches to install the WindowsServerBackup feature.
4. Run the Dism command using the /online and /get-features switches to verify that the Windows Server Backup feature has been installed.
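The check-then-install sequence above, and the "Dism /online /get-features" status check described with the Dism.exe tool earlier in this module, as an added example that is not part of the course lab. It assumes an elevated PowerShell prompt on the Server Core host (PowerShell is an optional Server Core feature, as listed earlier); the two functions and their parsing of Dism's "Feature Name :" / "State :" output lines are this example's own, and WindowsServerBackup is the feature name used in the lab.

```powershell
# Added example: read a feature's state from Dism, enable it only when it is
# disabled, then read the state back to confirm. Run elevated on the Server Core host.
# Get-DismFeatureState and Enable-DismFeature are this example's own helper names.

function Get-DismFeatureState {
    param([Parameter(Mandatory = $true)][string]$FeatureName)
    # "dism /online /get-features" prints a "Feature Name : X" line followed by a
    # "State : Enabled|Disabled|..." line for every feature; pair them up here.
    $current = $null
    foreach ($line in (& dism.exe /online /get-features)) {
        if ($line -match '^Feature Name\s*:\s*(\S+)') { $current = $matches[1]; continue }
        # -ceq keeps the comparison case-sensitive, matching how Dism treats the names.
        if ($line -match '^State\s*:\s*(.+?)\s*$' -and $current -ceq $FeatureName) { return $matches[1] }
    }
    return $null   # not listed: wrong name or wrong case
}

function Enable-DismFeature {
    param([Parameter(Mandatory = $true)][string]$FeatureName)
    $before = Get-DismFeatureState -FeatureName $FeatureName
    if ($before -eq $null) { throw "Feature '$FeatureName' is not known to Dism; check spelling and case." }
    if ($before -eq 'Enabled') { return "$FeatureName is already enabled" }

    & dism.exe /online /enable-feature "/featurename:$FeatureName" | Out-Null
    $rc = $LASTEXITCODE
    # 3010 means the change applied but a restart is pending; any other non-zero code is a failure.
    if ($rc -ne 0 -and $rc -ne 3010) { throw "Dism failed with exit code $rc" }

    # Verify by reading the state back rather than trusting the exit code alone.
    $after = Get-DismFeatureState -FeatureName $FeatureName
    return "$FeatureName : $before -> $after (Dism exit code $rc)"
}

Enable-DismFeature -FeatureName 'WindowsServerBackup'
```

Reading the state back after the install is the same check step 4 of the lab asks for; doing it in code means a typo in the feature name (Dism names are case-sensitive) is reported as "not known to Dism" instead of silently doing nothing.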
2. Enable both Windows PowerShell and Server Manager remote administration options. Restart when prompted and log back on as Administrator with the password Pa$$w0rd.

1. Connect to the 6419B-NYC-DC1 virtual machine and log on with the user name Administrator and the password Pa$$w0rd.
2. Open Server Manager from the Administrative Tools section on the Start Menu.
Result: After completing this exercise, you should have performed management tasks on a Server Core
installation of Windows Server 2008.
Review Questions
1. Why would an organization want to limit the server roles installed on a server?
2. What management tool would you recommend for a new junior administrator who has been asked to manage a Server Core installation of Windows Server 2008 R2?
Troubleshooting Tip: Cannot connect to remote servers by using Server Manager
Tools
Tool | Use for | Where to find it
Windows Server 2008 R2 Server Role Migration Guides | Determining how to migrate server roles from previous versions of the Windows Server operating system |
Microsoft Assessment and Planning (MAP) Toolkit | Simplifying and streamlining the IT infrastructure planning by assessing existing environments | Start Menu
Tool | Use for | Where to find it
Ocsetup.exe | Managing a Server Core installation of Windows Server 2008 | Command-line
Dism.exe | Managing a Server Core installation of Windows Server 2008 (R2 only) | Command-line
Sconfig.exe | Managing a Server Core installation of Windows Server 2008 (R2 only) | Command-line
Module 2
Managing Windows Server 2008 Infrastructure Roles
Module Overview
To effectively manage a Windows Server 2008 network, you need to understand the server roles used to
resolve and manage IP addressing. To assist with IP addressing requirements, your network environment
should include two critical server roles, the Domain Name System (DNS) and the Dynamic Host
Configuration Protocol (DHCP). To support many of the new features included with Windows Server 2008,
you need a basic knowledge of not only IPv4, but also IPv6 concepts and transition methods.
This module provides an overview of the benefits and technologies associated with IPv6. You will learn the
features and configuration options available to implement the DNS and DHCP server roles.
Objectives
After completing this module, you will be able to:
Describe the features and concepts related to the DNS server role.
Describe the features and concepts related to the DHCP server role.
Lesson 1
Internet Protocol (IP) version 4 is the most commonly used communication protocol for both the Internet
and internal network environments. Although IPv4 is robust and scalable, new technologies and higher
demand have paved the way for the eventual adoption of IPv6.
To use the various Windows Server 2008 features, such as Network Discovery and DirectAccess (Windows
Server 2008 R2), you need a better understanding of the IPv6 address space and its integration with the
existing IPv4 networks through transition and tunneling technologies.
Objectives
After completing this lesson, you will be able to:
Key Points
Traditionally, IPv4, due to its simplicity and interoperability, has been used to meet the growing demands
of both internal networks and the Internet. However, it is quickly becoming outdated in both public
address space availability and supported functionality.
The various challenges faced by IPv4 include:
Unavailability of the IPv4 address space. With IPv4 public address spaces becoming scarce, many
organizations have started implementing the network address translator (NAT) technology to map
multiple private IP addresses to a single public IP address. NAT decreases the number of public IP
addresses required for internal networks, but it does not support standards-based network layer
security or map all high layer protocols. This can cause connectivity issues between organizations that
use private IP addressing schemes. In addition, the rise of IP-based devices, such as mobile assistants
and household appliances, has increased the need for an efficient method for IP streaming, security,
and address allocation.
Need for simpler configuration. IPv4 relies on manual configuration or automatic configuration
through DHCP. The auto-address configuration of DHCP and IPv4 supports only a local subnet. With
the need to manage and communicate with Internet-based devices, automatic configuration of
addresses and settings that do not rely on a DHCP infrastructure has become important.
Need for more efficient real-time data delivery. The increased use of multimedia streaming over
the Internet has paved the way for quality of service (QoS) requirements that are only efficiently
addressed when integrated within the IP protocol itself.
Security requirements at the IP level. Security over a public network, such as the Internet, requires
encryption services that protect data from being viewed or modified during transit. IPv4 supports the
Internet Protocol Security (IPsec) standard. However, implementation of IPsec in IPv4 is optional and
is typically implemented by using a variety of solutions.
Note: To address many of these concerns, the Internet Engineering Task Force (IETF) has developed
IPv6 as described in Request for Comments (RFC) 4291.
IPv4 | IPv6
The IPv4 header does not include any packet-flow identification for QoS | Packet-flow identification for QoS handling by routers is included in the IPv6 header, which uses the Flow Label field
Fragmentation is done by routers and the sending host | Fragmentation is done only by the sending host
Header includes a checksum | Header does not include a checksum
Internet Group Management Protocol (IGMP) is used to manage local subnet group membership | IGMP is replaced with Multicast Listener Discovery (MLD) messages
Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway | ICMPv6 Router Solicitation and Router Advertisement messages are used to determine the address of the best default gateway, and they are required
Broadcast addresses are used to send traffic to all nodes on a subnet | There are no broadcast addresses in IPv6; their function is superseded by multicast addresses. Link-local unicast addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. The link-local multicast scope spans the same topological region as the corresponding unicast scope
Must be configured either manually or through DHCP | Does not require manual configuration or DHCP
Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names | Uses PTR resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names
Key Points
The IPv6 standard introduces several benefits to the networking infrastructure such as the following:
Large address space. IPv6 uses a 128-bit address space, which allows for 3.4 x 10^38 or
340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.
Hierarchical addressing and routing infrastructure. The IPv6 address space is designed to be more
efficient for routers, which means that even though there are many more addresses, routers can
process data much more efficiently because of address optimization.
Stateless and Stateful address configuration. Stateless address configuration refers to host IP
configuration without a DHCP server. Stateful address configuration refers to host IP configuration
that uses a DHCP server. IPv6 supports both stateless and stateful address configuration. With
stateless address configuration, hosts automatically configure themselves with IPv6 link-local
addresses along with additional addresses advertised by local routers.
Built-in security. IPv6 has built-in IP security, which facilitates configuration of secure network
connections.
Prioritized delivery. IPv6 contains a field in the packet that allows network devices to determine the
specified rate at which the packet should be processed. This allows traffic prioritization or QoS. For
example, when streaming video traffic, it is critical that the packets arrive in a timely manner. You can
set this field to ensure that network devices determine that the packet delivery is time-sensitive.
Neighbor detection. IPv6 uses the Neighbor Discovery protocol to manage the interaction between
nodes within the same network link. Neighbor Discovery replaces the broadcast-based Address
Resolution Protocol (ARP) with more efficient multicast and unicast communication within the same
network segment.
Extensibility. IPv6 has been designed so that it can be extended with fewer constraints than IPv4.
Key Points
A traditional IPv4-based IP address is expressed in four groups of decimal numbers, such as 192.168.1.1.
Each set of numbers represents a binary octet. In the binary system, the preceding number is:
11000000.10101000.00000001.00000001
(4 octets = 32 Bits)
The size of an IPv6 address is 128 bits, which is four times larger than an IPv4 address. IPv6 addresses
are expressed as hexadecimal addresses. For example, an IPv6 address may look like:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
This may seem counterintuitive for end users. However, the average user relies on DNS name resolution
and seldom types IPv6 addresses manually.
For example, if you convert the decimal number 9 to Hex, the result will be Hex 9. However if you
continue and convert the decimal number 10 to Hex, the result will be Hex A. Similarly, the decimal
number 11 will result in Hex B.
1. Write the 128-bit address as eight 16-bit blocks (the binary blocks listed in the exercise table below).
2. Break down each set of 16 bits into sets of four bits and assign a value of 1, 2, 4, or 8 to each of the four binary numbers, starting from the right and moving left.
   If the first bit, starting on the right, has a value of 1, assign a value of 1. If the second bit has a value of 1, assign a value of 2. If the third bit has a value of 1, assign a value of 4. If the fourth (and leftmost) bit has a value of 1, assign a value of 8.
   To derive the hexadecimal value for this section of four bits, add up the values assigned to each bit where the bits are set to 1. For the first group [0010], the only bit that is set to 1 is the bit assigned the 2 value. The rest are set to zero. Thus, the hex value of this set of four bits is 2.
Student Exercise
In the given table, calculate the hex values for the given binary numbers of the 128-bit address. The first one
is done for you.
Binary | Hexadecimal
0010000000000001 | 2001
0000110110111000 |
0000000000000000 |
0010111100111011 |
0000001010101010 |
0000000011111111 |
1111111000101000 |
1001110001011010 |
3. You can simplify IPv6 representation by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. After you remove the leading zeros, the result is as follows:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
4. To further simplify IPv6 notation, a contiguous sequence of 16-bit blocks that are set to 0 can be compressed by using the double colon (::). The computer recognizes :: and substitutes the colon sequence with the number of zeros necessary to make the appropriate IPv6 address.
To determine how many 16-bit blocks are represented by the ::, count the number of blocks in the compressed address and subtract this number from eight. Using the above example, there are seven blocks. Subtract seven from eight and the result is one. Thus, there is one block of zeros in the address where the double colon is located.
In a given address, you can use zero compression only once. Otherwise, you cannot determine the number of 0 bits represented by each instance of a double colon (::).
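The four notation steps above carried out in code, as an added example that is not part of the course text. The eight binary blocks are the ones from the student exercise, arranged in address order; the three functions (ConvertTo-HexBlock, Compress-IPv6, Expand-IPv6) are this example's own names, and the compression step goes slightly beyond the text by choosing the longest run of zero blocks when an address has more than one, since :: may be used only once.

```powershell
# Added example: binary-to-hex conversion, leading-zero removal, "::" compression and
# the reverse expansion. The binary blocks are constructed from the exercise table.

# Steps 1 and 2: the 128-bit address as eight 16-bit blocks, in address order.
$binaryBlocks = @(
    '0010000000000001', '0000110110111000', '0000000000000000', '0010111100111011',
    '0000001010101010', '0000000011111111', '1111111000101000', '1001110001011010'
)

function ConvertTo-HexBlock {
    param([string]$Bits)
    # Each group of four bits (values 8, 4, 2, 1 from the left) becomes one hex digit.
    $value = [Convert]::ToInt32($Bits, 2)
    return ('{0:X4}' -f $value)           # four digits here; step 3 strips leading zeros
}

function Compress-IPv6 {
    param([string[]]$HexBlocks)
    # Step 3: remove leading zeros from each block, keeping at least one digit.
    $short = @($HexBlocks | ForEach-Object { $t = $_.TrimStart('0'); if ($t -eq '') { '0' } else { $t } })
    # Step 4: find the longest run of all-zero blocks; only that single run becomes "::".
    $bestStart = -1; $bestLen = 0; $i = 0
    while ($i -lt $short.Count) {
        if ($short[$i] -ne '0') { $i++; continue }
        $j = $i
        while ($j -lt $short.Count -and $short[$j] -eq '0') { $j++ }
        if (($j - $i) -gt $bestLen) { $bestStart = $i; $bestLen = $j - $i }
        $i = $j
    }
    if ($bestLen -eq 0) { return ($short -join ':') }
    $left  = if ($bestStart -gt 0) { $short[0..($bestStart - 1)] -join ':' } else { '' }
    $next  = $bestStart + $bestLen
    $right = if ($next -lt $short.Count) { $short[$next..($short.Count - 1)] -join ':' } else { '' }
    return ('{0}::{1}' -f $left, $right)
}

function Expand-IPv6 {
    param([string]$Compressed)
    # Reverse of step 4: "::" stands for (8 minus the number of written blocks) zero blocks.
    if (@($Compressed -split '::').Count -gt 2) { throw "'::' may appear only once in an address" }
    if ($Compressed -notmatch '::') { return $Compressed }
    $parts = $Compressed -split '::', 2
    $leftBlocks  = @($parts[0] -split ':' | Where-Object { $_ -ne '' })
    $rightBlocks = @($parts[1] -split ':' | Where-Object { $_ -ne '' })
    $missing = 8 - ($leftBlocks.Count + $rightBlocks.Count)
    if ($missing -lt 1) { throw "'::' must stand for at least one block" }
    return (@($leftBlocks + (@('0') * $missing) + $rightBlocks) -join ':')
}

# Walk the exercise address through every step.
$hexBlocks  = @($binaryBlocks | ForEach-Object { ConvertTo-HexBlock -Bits $_ })
$hexBlocks -join ':'                            # full form, four digits per block
$compressed = Compress-IPv6 -HexBlocks $hexBlocks
$compressed                                     # leading zeros dropped, zero block compressed
Expand-IPv6 -Compressed $compressed            # back to eight blocks
Expand-IPv6 -Compressed '::1'                  # the loopback address expands to seven zero blocks and 1
```

For the exercise address the compressed result is the seven-block form the text derives, 2001:DB8::2F3B:2AA:FF:FE28:9C5A, and Expand-IPv6 recovers 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A by counting the seven written blocks and inserting one zero block. Expand-IPv6 rejects an address with two :: sequences for exactly the reason the text gives: the number of zero blocks each one stands for cannot be determined.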
Key Points
There are three main types of IPv6 addresses:
Unicast. Identifies a single interface within the address scope. Packets that are addressed to this
address are delivered to a single interface.
Multicast. Identifies multiple interfaces and delivers packets to all interfaces that are identified by the
address. It is used for one-to-many communication over a network infrastructure.
Anycast. Identifies multiple interfaces, but delivers packets to the nearest interface. It is used for one-to-many communication, with delivery to a single interface.
Global. Global unicast addresses can be compared with public IPv4 addresses. This type of address is
globally routable throughout the IPv6 portion of the Internet. The global address starts with 2000: or
is typically written as 2000::/3. The first three bits are always set to 001 to identify and distinguish this
type of address from other IPv6 addresses.
Link-Local. Link-Local addresses can be compared with the IPv4 Automatic Private IP Addressing
(APIPA) that uses 169.254.0.0/16. IPv6 link-local addresses can communicate with hosts on the same
link, and are not routable. Link-local addresses are automatically assigned and always begin with FE80
or FE80::/64.
Unique-Local. Unique-local addresses represent an entire organizational site or a portion of the site.
This type of IPv6 address can be compared with the IPv4 private address spaces 10.0.0.0/8, 172.16.0.0/12,
and 192.168.0.0/16. Unique-local addresses are routable throughout an organization, but are not
configured to be routed outside of the organization network. These types of addresses are not
automatically generated, and must be assigned by using auto-assignment methods, which are
supported by IPv6. Unique-local addresses are always expressed as FC00::/7 or FD00::/8.
Note: Unique-Local replaces a previous IPv6 type called Site-local addresses, which were defined for
block FEC0::/10. For more information on the deprecating of site local addresses, read RFC 3879 at
http://tools.ietf.org/html/rfc3879.
Loopback Address. A loopback address is used to identify a loopback interface, which allows a node
to send packets to itself. The IPv6 loopback address is expressed as 0:0:0:0:0:0:0:1 or ::1. This can be
compared with the IPv4 loopback address of 127.0.0.1.
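The address types listed above as a classifier, an added example that is not part of the course text. It uses the .NET System.Net.IPAddress class to parse the address into its 16 bytes and then tests the leading bits of each prefix named in the text; the function name Get-IPv6AddressType and the sample addresses are this example's own. Link-local is tested against the FE80::/10 prefix defined in RFC 4291, of which the FE80::/64 form given in the text is the usual on-link subnet.

```powershell
# Added example: classify an IPv6 address by the prefixes described in this lesson.
# Sample addresses below are constructed; the function name is this example's own.

function Get-IPv6AddressType {
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $b = $ip.GetAddressBytes()                       # 16 bytes, most significant first

    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { return 'Loopback (::1)' }
    if ($b[0] -eq 0xFF)                                { return 'Multicast (FF00::/8)' }
    # FE80::/10: first byte FE, top two bits of the second byte 10.
    if ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80) { return 'Link-Local (FE80::/10)' }
    # FC00::/7: first seven bits 1111110, so the first byte is FC or FD.
    if (($b[0] -band 0xFE) -eq 0xFC)                   { return 'Unique-Local (FC00::/7)' }
    # 2000::/3: first three bits 001.
    if (($b[0] -band 0xE0) -eq 0x20)                   { return 'Global Unicast (2000::/3)' }
    # FEC0::/10: the deprecated site-local range mentioned in the note above.
    if ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0xC0) { return 'Site-Local (FEC0::/10, deprecated)' }
    return 'Other or unassigned'
}

# Constructed sample addresses, one per type discussed in the text.
$samples = '2001:DB8::2F3B:2AA:FF:FE28:9C5A', 'FE80::1', 'FD00::5', 'FC00::5', '::1', 'FF02::1', 'FEC0::1'
foreach ($addr in $samples) {
    '{0,-34} {1}' -f $addr, (Get-IPv6AddressType -Address $addr)
}
```

The bitwise tests are parenthesized on purpose: in PowerShell, -band binds more loosely than -eq, so `$b[1] -band 0xC0 -eq 0x80` would compare 0xC0 with 0x80 first and give the wrong answer.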
Key Points
A network client proceeds through several states as it goes through the autoconfiguration process, and
there are several ways to assign an IP address and additional options. Based on how the router is set up, a
client may use stateless configuration (no DHCP service) or stateful configuration with the DHCP server
involved. Stateful configuration can be used to assign an IP address and additional network settings or
only assign options such as DNS server references and router IP addresses.
During autoconfiguration, the client computer proceeds through the following high-level process:
1. The IPv6 client autoconfigures a link-local address for each interface used to communicate with other hosts on the same link.
2. IPv6 Neighbor Discovery performs neighbor solicitation to ensure that there are no address conflicts.
3. Router discovery takes place to determine the local routers on an attached link.
4. It is determined whether the node should use a stateful address protocol, such as DHCPv6, for addresses and other configuration parameters. A host uses stateful address configuration when a router advertisement is received with either the Managed Address Configuration flag or the Other Stateful Configuration flag set to 1. Stateful address configuration is also performed if there are no routers on the local link.
5. All network prefixes defined for the link are obtained from the router. Prefixes include the range of addresses for nodes on the local link and the valid and preferred lifetimes. If the appropriate stateful flags are set, information may be obtained from DHCP.
Using stateful configuration allows organizations to control how IP addresses are assigned by using
DHCPv6. By default, an IPv6 host uses stateless autoconfiguration, but will use stateful address
autoconfiguration, if the following is configured in the Router Advertisement message that a neighboring
router sends:
Managed Address Configuration flag. This flag is also known as the M flag. If this flag is
configured, it instructs the IPv6 host to use DHCPv6 to obtain an IP address.
Other Stateful Configuration flag. This flag is also known as the O flag. If this flag is configured, it
instructs the IPv6 host to use DHCPv6 to obtain other configuration settings such as DNS server IP
addresses. If your organization wants to leverage technologies such as Network Access Protection
(NAP), you must configure clients with additional options that integrate into DHCP. If there are any
specific scope options that you need to configure, you need a DHCP server.
It is possible to use a combination of both stateless and stateful configuration. In such a case, you can use
the router to assign IP address ranges and then use DHCPv6 to assign other configuration settings.
Note: On Windows Server 2008-based routers, you can use the following command to configure the M
and O flags (the interface name is quoted because it contains spaces):
netsh interface ipv6 set interface "Local Area Connection" managedaddress=enabled otherstateful=enabled
Tentative. Verification occurs to determine whether the address is unique. This verification is called
duplicate address detection. A node cannot receive unicast traffic to a tentative address. It can,
however, receive and process multicast Neighbor Advertisement messages sent in response to the
Neighbor Solicitation message that was sent during duplicate address detection. This
ensures that the interface can validate that its address is unique.
Valid. The address has been verified as unique, and can send and receive unicast traffic. The valid
state covers the preferred and deprecated states. The Valid Lifetime field in the Prefix Information
option of a Router Advertisement message determines the time that an address remains in the
tentative and valid states. The valid lifetime must be greater than or equal to the preferred lifetime. A
valid address is either preferred or deprecated.
Preferred. The address enables a node to send and receive unicast traffic. The Preferred Lifetime
field in the Prefix Information option of a Router Advertisement message determines the time that
an address can remain in the tentative and preferred states.
Deprecated. The address is valid, but its use is discouraged for new communication. Existing
communication sessions can continue to use a deprecated address. A node can send and receive
unicast traffic to and from a deprecated address.
Invalid. The address no longer allows a node to send or receive unicast traffic. An address enters the
invalid state after the valid lifetime.
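The following Python example is added here and is not part of the course material: it decodes an ICMPv6 Router Advertisement (RFC 4861 layout) and applies the rules above. The M and O flags decide whether addresses and other settings come from DHCPv6, and the valid and preferred lifetimes carried in the Prefix Information option decide whether a formed address is preferred, deprecated, or invalid. The packet bytes are constructed for the example, and all function and constant names are the example's own.

```python
"""Decode a Router Advertisement (RFC 4861) and apply the autoconfiguration rules above.

Added example with a constructed packet; field layouts follow RFC 4861, names are the example's own.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134     # ICMPv6 type
OPT_PREFIX_INFO = 3        # ND option type for Prefix Information
FLAG_MANAGED = 0x80        # M flag: get addresses from DHCPv6
FLAG_OTHER = 0x40          # O flag: get other settings (DNS servers, ...) from DHCPv6
PIO_AUTONOMOUS = 0x40      # A flag in the prefix option: prefix may be used for stateless addresses


@dataclass
class PrefixInfo:
    prefix: IPv6Network
    valid_lifetime: int       # seconds the address stays valid (preferred + deprecated)
    preferred_lifetime: int   # seconds the address stays preferred
    autonomous: bool


@dataclass
class RouterAdvertisement:
    managed: bool
    other: bool
    router_lifetime: int
    prefixes: list = field(default_factory=list)


def parse_ra(data: bytes) -> RouterAdvertisement:
    """Parse the 16-byte ICMPv6 RA header and walk the TLV options that follow it."""
    if len(data) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, _hops, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(bool(flags & FLAG_MANAGED), bool(flags & FLAG_OTHER), lifetime)
    off = 16
    while off + 2 <= len(data):
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard rather than loop forever
        size = opt_len * 8
        body = data[off:off + size]
        if len(body) < size:
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            prefix = IPv6Network((IPv6Address(body[16:32]), plen), strict=False)
            # The text's constraint: valid lifetime >= preferred lifetime; RFC 4861 says ignore otherwise.
            if valid >= preferred:
                ra.prefixes.append(PrefixInfo(prefix, valid, preferred, bool(pflags & PIO_AUTONOMOUS)))
        off += size
    return ra


def config_sources(ra, routers_present=True):
    """Where the host gets addresses and other settings, following the M and O flag definitions above."""
    if not routers_present:
        return {"addresses": "DHCPv6", "other_settings": "DHCPv6"}   # no router: stateful
    return {
        "addresses": "DHCPv6" if ra.managed else "stateless (RA prefixes)",
        "other_settings": "DHCPv6" if (ra.managed or ra.other) else "RA",
    }


def address_state(pio, elapsed_seconds):
    """Map time since a (DAD-verified) address was formed onto the states listed above."""
    if elapsed_seconds < pio.preferred_lifetime:
        return "preferred"
    if elapsed_seconds < pio.valid_lifetime:
        return "deprecated"
    return "invalid"


def build_ra(flags, prefixes):
    """Construct a test RA (checksum left 0; it is not verified in this example)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    opts = b""
    for prefix, valid, preferred in prefixes:
        net = IPv6Network(prefix)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0x80 | PIO_AUTONOMOUS,
                            valid, preferred, 0) + net.network_address.packed
    return hdr + opts


# Constructed sample: O flag set, one /64 prefix with 30-day valid and 7-day preferred lifetimes.
SAMPLE_RA = build_ra(FLAG_OTHER, [("2001:db8:1::/64", 2592000, 604800)])

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra)
    print(config_sources(ra))
```

Run directly, the script prints the decoded advertisement and the resulting configuration sources. The parser drops a Prefix Information option whose preferred lifetime exceeds its valid lifetime, the constraint stated above, and rejects a zero-length option rather than looping on it.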
Key Points
As organizations transition from an IPv4-only network to IPv6, hosts must be able to communicate by
using both IP standards. Windows Vista, Windows 7, and Windows Server 2008 support a dual layer IP
architecture that contains both IPv4 and IPv6 Internet layers with a single implementation of the protocol
stack. This dual layer architecture allows for IPv4 packets, IPv6 packets, and IPv6 over IPv4 packets.
Windows Server 2003 and Windows XP use a dual stack architecture that contains a separate
implementation of TCP and UDP for both IPv4 and IPv6. The dual stack architecture provides the same
functionality as dual layer IP architecture to provide support for legacy operating systems.
To communicate over an IPv4 infrastructure, IPv6 over IPv4 tunneling can be used. IPv6 over IPv4 tunneling
encapsulates IPv6 packets within an IPv4 header so that IPv6 packets can be sent over an IPv4
infrastructure.
Within the IPv4 header:
The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can
configure tunnel endpoints manually as part of the tunnel interface. Otherwise, they are derived
automatically from the next-hop address of the matching route for the destination and the tunneling
interface.
Key Points
The tunneling technologies used for IPv6 over IPv4 tunneling include:
ISATAP. Local intranets can use Intra-site Automatic Tunnel Addressing Protocol (ISATAP), which
takes advantage of neighbor discovery and autoconfiguration, and it is the primary way in which
internal IPv6 nodes communicate over IPv4. ISATAP uses the interface identifier ::0:5EFE:w.x.y.z,
where w.x.y.z is the private IPv4 address. For public IPv4 addresses, the identifier is written as
::200:5EFE:w.x.y.z.
To allow for ISATAP hosts to communicate between subnets, an ISATAP router can be deployed. An
ISATAP router is an IPv6-based router, which can be used to advertise address prefixes, forward
packets between subnets, and act as a default router for ISATAP hosts.
Note: Windows Server 2008, Windows Vista Service Pack 1, and later do not automatically configure
link-local ISATAP addresses, unless the name ISATAP can be resolved to an ISATAP-based router.
6to4. 6to4 tunneling allows IPv6 routers to communicate over the IPv4 Internet. 6to4 is also
autoconfigured on the host and may require the manual configuration of a 6to4 router. 6to4
addressing converts a standard IPv4 address to an equivalent 6to4 address. For example, IPv4 address
157.60.0.1 would be converted to 2002:9D3C:1::/48. A 6to4 address always starts with 2002.
Teredo. Teredo is a tunneling technology that traverses IPv4 NATs to allow IPv6 networks to
communicate.
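As an added Python example (not course code), the address ranges covered in this module, FC00::/7 unique-local, ::1 loopback, the deprecated FEC0::/10 site-local range, and the 6to4 and ISATAP formats described above, can be checked and derived with the standard ipaddress module. It reproduces the conversion of 157.60.0.1 to 2002:9D3C:1::/48 and builds the ::0:5EFE:w.x.y.z and ::200:5EFE:w.x.y.z interface identifiers. The link-local range FE80::/10 and all function names are the example's own additions.

```python
"""IPv6 address classification and 6to4 / ISATAP address derivation, as described above.

Added example, not course code; ranges are those stated in the text plus fe80::/10 for link-local.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

UNIQUE_LOCAL = IPv6Network("fc00::/7")      # covers both FC00::/8 and FD00::/8
LINK_LOCAL = IPv6Network("fe80::/10")
SITE_LOCAL = IPv6Network("fec0::/10")       # deprecated by RFC 3879
SIX_TO_FOUR = IPv6Network("2002::/16")
ISATAP_IID_MARK = 0x00005EFE                # upper 32 bits of an ISATAP interface ID (private IPv4)
ISATAP_PUBLIC_BIT = 0x02000000              # set for public IPv4: ::200:5EFE:w.x.y.z


def is_isatap(addr: IPv6Address) -> bool:
    """True if the interface identifier (low 64 bits) has the ISATAP ::[2]00:5EFE: marker."""
    upper_iid = (int(addr) >> 32) & 0xFFFFFFFF
    return (upper_iid & ~ISATAP_PUBLIC_BIT) == ISATAP_IID_MARK


def classify(text: str) -> str:
    """Name the address type using the ranges from this module."""
    addr = IPv6Address(text)
    if addr == IPv6Address("::1"):
        return "loopback"
    if addr in LINK_LOCAL:
        scope = "link-local"
    elif addr in UNIQUE_LOCAL:
        scope = "unique-local"
    elif addr in SITE_LOCAL:
        scope = "site-local (deprecated)"
    elif addr in SIX_TO_FOUR:
        scope = "6to4"
    else:
        scope = "global unicast" if addr.is_global else "other"
    # ISATAP is an interface-identifier format, independent of the prefix scope.
    return scope + " (ISATAP interface ID)" if is_isatap(addr) else scope


def six_to_four_prefix(ipv4: str) -> IPv6Network:
    """2002:WWXX:YYZZ::/48 from the public IPv4 address W.X.Y.Z (157.60.0.1 -> 2002:9d3c:1::/48)."""
    v4 = int(IPv4Address(ipv4))
    return IPv6Network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def six_to_four_ipv4(addr: str) -> IPv4Address:
    """Recover the tunnel endpoint's IPv4 address embedded in bits 16..47 of a 6to4 address."""
    a = IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        raise ValueError("not a 6to4 address")
    return IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> IPv6Address:
    """<prefix>::0:5EFE:w.x.y.z for a private IPv4 address, <prefix>::200:5EFE:w.x.y.z for a public one."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs are combined with a /64 prefix")
    iid = (ISATAP_IID_MARK | (ISATAP_PUBLIC_BIT if public else 0)) << 32 | int(IPv4Address(ipv4))
    return IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    for a in ("::1", "fd12:3456:789a:1::1", "fec0::1", "2002:9d3c:1::1", "fe80::5efe:c0a8:105"):
        print(a, "->", classify(a))
    print(six_to_four_prefix("157.60.0.1"), isatap_address("fe80::/64", "192.168.1.5"))
```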
Windows Server 2008 R2 and Windows 7 introduce additional support for IPv6. New features include:
IP-HTTPS. As discussed earlier, 6to4 and Teredo are used to tunnel IPv6 traffic across the IPv4
Internet. However, there may be situations where firewalls or web proxy servers are configured to
block this type of traffic. Windows 7 and Windows Server 2008 R2 can use IP-HTTPS to establish
connectivity through firewalls or web proxy servers. IP-HTTPS tunnels IPv6 packets inside an IPv4-based
secure HTTPS session. You can configure IP-HTTPS by using Netsh.exe or Group Policy settings.
Teredo Server and Relay. Windows Server 2008 R2 includes support for configuring a Teredo server
and relay functionality. When implemented, a client communicates with a Teredo server to configure
a Teredo-based IPv6 address and initiate communication with other Teredo clients on the Internet.
Windows Server 2008 R2 DirectAccess uses the Teredo server functionality to facilitate DirectAccess
with Internet-based clients.
Group Policy Settings for Transition Technologies. Windows Server 2008 R2 and Windows 7
provide Group Policy settings related to IP-HTTPS, Teredo, 6to4, and ISATAP. You can find these
settings in the Group Policy Management Editor at:
Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6
Transition Technologies
Lesson 2
The DNS server role is a critical component of a Windows Server 2008 domain infrastructure. DNS
provides name resolution and service location to clients on the network. This lesson provides general
information about the DNS server role and how the DNS name space works. This lesson also provides
details about what has changed for the DNS server role in Windows Server 2008 and Windows Server
2008 R2.
Objectives
After completing this lesson, you will be able to:
Key Points
Windows Server 2008 and Windows Server 2008 R2 both provide enhancements to DNS that improve the
performance of DNS.
Background zone loading. DNS servers that host large DNS zones that are stored in AD DS are able
to respond to client queries quicker during restarts, because zone data is now loaded in the
background during the startup process.
IP version 6 support. The DNS server role fully supports IPv6, which includes IPv6 host records
(AAAA records) and IPv6 reverse lookup zones.
Support for read-only domain controllers. The DNS Server role in Windows Server 2008 provides
support for primary read-only zones on read-only domain controllers (RODCs). The RODC is a new
type of domain controller that is typically deployed to remote sites that lack physical security. An
RODC is not allowed to write information back to the full Active Directory servers and DNS servers.
When you install the DNS Server service on an RODC, a read-only copy of the domain DNS zone
(DomainDNSZones) and the enterprise DNS zone (ForestDNSZones) is replicated to the RODC. Clients
can query DNS on an RODC but cannot update information directly.
Global single names. The DNS Server service in Windows Server 2008 provides a new zone type
called the GlobalNames zone (GNZ), which you can use to hold unique, single-label names across an
entire forest. This eliminates the need to use the NetBIOS-based Windows Internet Name Service
(WINS) to provide support for single-label names. The GNZ provides single-label name resolution for
large enterprise networks that do not deploy WINS. Some networks may require the ability to resolve
static, global records with single-label names that WINS currently provides. These single-label names
refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually
created and does not support dynamic registration of records. The GNZ is intended to help
organizations migrate from WINS to DNS for all name resolution requirements. To create a GNZ,
simply create an AD DS-integrated forward lookup zone called GlobalNames. After the zone is
created, it can be enabled by using the following command on every authoritative DNS server in the
forest:
Dnscmd <ServerName> /config /enableglobalnamessupport 1
Global query block list. By default, well-known host names for services such as Web Proxy Auto-Discovery
Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are
listed in a global query block list. This helps reduce the chance that malicious users dynamically
register host computers that pose as legitimate servers for these services. If you need
to use these services, you have to specifically remove the WPAD or ISATAP name from the global
query block list. To modify the block list, you can use the dnscmd command-line tool.
Note: For more information about the DNS server global query block list, see the DNS Server Global
Query Block List documentation.
DNS Improvements in Windows Server 2008 R2
Note: The content in this section applies only to Windows Server 2008 R2 and Windows 7.
In addition to the enhancements listed above, Windows Server 2008 R2 and the Windows 7 client support
several additional features. These features include:
DNS Security Extensions (DNSSEC). DNSSEC provides the ability for a DNS zone and all records in
the zone to be cryptographically signed. DNS is often subject to various attacks, such as man-in-the-middle,
spoofing, and cache-poisoning. DNSSEC helps protect against these threats and provides a
more secure DNS infrastructure. When a DNS server hosting a signed zone receives a query, it returns
the digital signatures in addition to the records queried for. A resolver or another server can obtain
the public key of the public/private key pair and validate that the responses are authentic and have
not been tampered with. To do so, the resolver or server must be configured with a trust anchor for
the signed zone, or for a parent of the signed zone. The DNSSEC implementation in the Windows Server
2008 R2 DNS server provides the ability to sign both file-backed and Active Directory-integrated
zones through an offline zone signing tool. The signed zone then replicates or zone transfers to
other authoritative DNS servers. When configured with a trust anchor, a DNS server is capable of
performing DNSSEC validation on responses received on behalf of the client.
DNS Devolution. Devolution is a feature of the DNS client that allows network hosts to resolve server
names by appending portions of the primary DNS domain suffix. For example, when a client that is a
member of corp.contoso.com attempts to resolve the name fileserver, the client will attempt to
resolve fileserver.corp.contoso.com and fileserver.contoso.com. In previous versions of Windows, DNS
devolution is always set to 2. This can cause problems with organizations that use more than two
labels for their root domain. Windows Server 2008 and Windows 7 change this default configuration
so that the devolution level is automatically set to the number of labels in the forest root domain. For
example, if the forest root domain is corp.contoso.com, the devolution level is set to 3. When a client
attempts to resolve the name fileserver, it will only attempt fileserver.corp.contoso.com and not
attempt to resolve the second level domain name of contoso.com.
DNS Cache Locking. When a recursive DNS server responds to a query, it will cache the results
obtained so that it can respond quickly if it receives another query requesting the same information.
The period of time the DNS server will keep information in its cache is determined by the Time to Live
(TTL) value for a resource record. Until the TTL period expires, information in the cache might be
overwritten if updated information about that resource record is received. When you enable cache
locking, the DNS server will not allow cached records to be overwritten for the duration of the TTL
value. Cache locking provides for enhanced security against cache-poisoning attacks.
DNS Socket Pool. When the DNS service starts, the server picks a source port from a pool of
available sockets to be used for issuing queries. Instead of using a predictable source port, the DNS
server uses a random port number selected from the socket pool. The socket pool makes cache-poisoning
attacks more difficult because an attacker must correctly guess the source port of a DNS
query in addition to a random transaction ID to successfully execute the attack.
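Two behaviours from this list, devolution and cache locking, are easy to model. The following Python is an added example, not course code: devolution_candidates reproduces the corp.contoso.com walk for the fixed legacy level of 2 and for the Windows Server 2008 R2 default (the label count of the forest root domain), and LockedCache refuses to overwrite a cached record until its lock period has passed, so an unsolicited record arriving before then does not replace the cached data. The locking percentage parameter corresponds to the Windows CacheLockingPercent setting; the text describes the 100 percent case. Names and sample data are constructed.

```python
"""DNS devolution candidates and a TTL-locked cache, modelling two items from the list above.

Added example, not course code. Names and the toy cache are the example's own; the devolution
walk reproduces the corp.contoso.com example from the text.
"""


def devolution_candidates(name, primary_suffix, forest_root=None, level=None):
    """FQDNs a client tries, in order, for a single-label name.

    level=2 reproduces the fixed pre-R2 devolution level; with level=None the level is the number
    of labels in the forest root domain, the Windows 7 / Server 2008 R2 default described above.
    Devolution stops once the remaining suffix has fewer labels than the level.
    """
    if "." in name.rstrip("."):
        return [name.rstrip(".")]            # already qualified: no devolution
    if level is None:
        root = (forest_root or primary_suffix).rstrip(".")
        level = len(root.split("."))
    labels = primary_suffix.rstrip(".").split(".")
    candidates = []
    while len(labels) >= level:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


class LockedCache:
    """Resolver cache that refuses to overwrite an entry until locking_percent of its TTL has elapsed.

    The text describes locking for the whole TTL (100 percent); Windows exposes the percentage
    as the CacheLockingPercent setting.
    """

    def __init__(self, locking_percent=100):
        self.locking_percent = locking_percent
        self._entries = {}   # (name, rtype) -> (rdata, stored_at, ttl); times in seconds

    def lookup(self, name, rtype, now):
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, stored_at, ttl = entry
        if now >= stored_at + ttl:
            del self._entries[key]            # TTL expired: treat as a miss
            return None
        return rdata

    def store(self, name, rtype, rdata, ttl, now):
        """Return True if the data was cached, False if an existing entry was still locked."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is not None:
            _, stored_at, old_ttl = entry
            if now < stored_at + old_ttl * self.locking_percent / 100:
                return False                  # locked: the cached record is not overwritten
        self._entries[key] = (rdata, now, ttl)
        return True


if __name__ == "__main__":
    print(devolution_candidates("fileserver", "corp.contoso.com", level=2))
    print(devolution_candidates("fileserver", "corp.contoso.com", forest_root="corp.contoso.com"))
    cache = LockedCache()
    cache.store("www.adatum.com", "A", "203.0.113.80", 3600, now=0)
    print("overwrite accepted:", cache.store("www.adatum.com", "A", "198.51.100.66", 3600, now=600))
```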
Key Points
Many organizations implement DNS to support both an internal Active Directory scope as well as an
external Internet presence. With both types of implementations, resource records are used to provide the
name and service resolution requirements for your network.
Resource records contain information about the resources that are managed within a specific DNS zone.
They include information such as the owner of the record, the resource record type, how long the
resource record can remain in the cache, and data specific to the resource record, such as a host IP
address.
Resource records can be added manually, or they can be added automatically by using a process called
dynamic update.
The following table describes the most common types of resource records:
DNS Resource Record   Description
SOA                   Start of authority resource record identifies the primary name server for a DNS zone.
NS                    Name Server resource record identifies all the name servers in a domain.
A                     Host (A) resource record is the main record that maps a host name to an IP address.
AAAA                  IPv6 host (AAAA) resource record maps a host name to an IPv6 address.
CNAME                 Alias (CNAME) resource record is an alias record type used to point more than one
                      name to a single host. For example, www can be used to point to a DNS host name
                      called Server1.
MX                    Mail exchanger resource record identifies the mail server that accepts e-mail for a
                      domain.
SRV                   Service location resource record identifies the host and port of a server that provides
                      a specific service, such as a domain controller.
PTR                   Pointer resource record maps an IP address to a host name in a reverse lookup zone.
Key Points
DNS name resolution begins with a query from a client to a DNS server. A DNS query can be of two types:
Recursive and iterative.
Recursive. By default, when a DNS server receives a query request from a client, the query is
recursive. Recursion is where the DNS server either answers the query or continues to query other
DNS servers on behalf of the requesting client. The recursive query has one of two possible outcomes:
the IP address of the host is returned to the requesting client, or an error message stating that the
server cannot resolve the IP address is sent to the requesting client.
Note: If a DNS server is not intended to receive recursive queries, recursion should be disabled on that
server by using the DNS Manager or the dnscmd command-line utility. If you disable recursion on a
DNS server, root hints will not be queried, and you will not be able to use forwarders to other DNS
servers for name resolution.
Iterative. When a DNS server receives a request from a client that it cannot answer by using its local
or cached information, it forwards the request to another DNS server by using an iterative query.
When a DNS server receives an iterative query, it may answer with either the IP address for the
requested host name (if known) or by referring the request to the DNS servers that are responsible for
the domain being queried.
A DNS server can be either authoritative or nonauthoritative for the query's namespace.
Authoritative. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS
zone. If the DNS server is authoritative for the query's namespace, the DNS server will check the zone
and either return the requested address or return an authoritative denial of the request because the
name does not exist in the zone.
Nonauthoritative. If the local DNS server is nonauthoritative for the query's namespace, the DNS
server will do one of the following:
Use root hints, which list the well-known addresses of multiple root servers, to find an authoritative DNS
server to resolve the query.
DNS Forwarding
Key Points
DNS Forwarding can be used to manage name resolution for names outside your network. Using a
forwarder, you can minimize the work and traffic that results from your DNS server performing its own
iterative queries.
When you designate a server as a forwarder, that server is responsible for all external queries. Many
organizations designate an external DNS forwarder located at an ISP, which contains a large cache of
external DNS information due to the extensive amount of DNS queries that are resolved through it.
When a DNS server sends a request to a forwarder, the request is a recursive query. This is different from
the standard name resolution, which uses iterative queries to other DNS servers.
Note: By default, root hints will be used if no forwarders are available. You can use DNS Manager to
modify this default setting on the properties of the DNS server.
Key Points
You can use a conditional forwarder to provide more efficient name resolution between specific DNS
namespaces.
For example, you can configure a DNS server to forward all queries that it receives for names ending with
adatum.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. Any
query that is specific to the adatum.com domain will be forwarded directly to the appropriate DNS server
instead of the standard iterative query process.
Windows Server 2008 also provides the ability to store conditional forwarders in Active Directory. If you
configure a conditional forwarder to be stored in Active Directory, you can choose to replicate it to all
DNS servers in the forest, all DNS servers in the domain, or all domain controllers in the domain.
Note: If you have conditional forwarders defined for a specific domain, the conditional forwarders will
be used instead of server-based forwarders.
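The following Python is an added example, not course code, that puts the query-handling rules of this topic and the two before it in one place: a server answers from its own zones when it is authoritative; otherwise it uses a conditional forwarder if one matches the name, otherwise its server-level forwarders (a recursive query), and otherwise iterates from root hints; with recursion disabled it uses neither forwarders nor root hints, as the earlier note states. The iterate function walks a constructed three-level namespace to show the referral chain of an iterative lookup. All names and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Resolution path selection for a query, following the precedence described above:
authoritative data, then conditional forwarders, then server forwarders, then root hints.

Added example, not course code. The miniature namespace and all addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    zones: dict                                                   # zone name -> {owner name: rdata}
    conditional_forwarders: dict = field(default_factory=dict)    # domain -> [server IPs]
    forwarders: list = field(default_factory=list)                # server-level forwarders
    use_root_hints: bool = True                                   # default: root hints if no forwarders
    recursion: bool = True


def longest_match(qname, names):
    """Closest enclosing name (longest suffix match) among zone names or forwarder domains."""
    best = None
    for n in names:
        if qname == n or qname.endswith("." + n):
            if best is None or len(n) > len(best):
                best = n
    return best


def plan(qname, cfg):
    """Return (path, detail): how this server handles the query and whom it asks, if anyone."""
    qname = qname.rstrip(".").lower()
    zone = longest_match(qname, cfg.zones)
    if zone is not None:
        rdata = cfg.zones[zone].get(qname)
        return ("authoritative answer", rdata) if rdata else ("authoritative denial", None)
    if not cfg.recursion:
        # With recursion disabled neither root hints nor forwarders are used (note in the text).
        return ("refused: recursion disabled", None)
    cond = longest_match(qname, cfg.conditional_forwarders)
    if cond is not None:
        return ("recursive query to conditional forwarder", cfg.conditional_forwarders[cond])
    if cfg.forwarders:
        return ("recursive query to forwarder", list(cfg.forwarders))
    if cfg.use_root_hints:
        return ("iterative queries from root hints", None)
    return ("server failure", None)


# Constructed miniature namespace for the iterative walk: zone -> its server and what it knows.
NAMESPACE = {
    ".": {"server": "192.0.2.1", "delegations": {"com": "198.51.100.1"}},
    "com": {"server": "198.51.100.1", "delegations": {"adatum.com": "203.0.113.1"}},
    "adatum.com": {"server": "203.0.113.1", "records": {"www.adatum.com": "203.0.113.80"}},
}


def iterate(qname, namespace=NAMESPACE):
    """Iterative resolution: each server either answers or refers us to the servers for a closer zone.
    Returns the servers contacted in order and the answer (None if the name does not exist)."""
    qname = qname.rstrip(".").lower()
    trail, zone = [], "."
    while True:
        node = namespace[zone]
        trail.append(node["server"])
        if qname in node.get("records", {}):
            return trail, node["records"][qname]
        nxt = longest_match(qname, node.get("delegations", {}))
        if nxt is None:
            return trail, None                # authoritative server has no such name
        zone = nxt


if __name__ == "__main__":
    cfg = ServerConfig(zones={"contoso.com": {"dc1.contoso.com": "10.0.0.10"}},
                       conditional_forwarders={"adatum.com": ["203.0.113.1"]},
                       forwarders=["198.51.100.53"])
    for q in ("dc1.contoso.com", "www.adatum.com", "www.example.org"):
        print(q, "->", plan(q, cfg))
    print(iterate("www.adatum.com"))
```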
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2.
3. In the server properties dialog box, click the Forwarders tab, and then configure a forwarder. Click
OK to close the properties dialog box.
4.
5. Right-click the Conditional Forwarders node and click New Conditional Forwarder. Configure the
conditional forwarder by providing the DNS domain and IP address of the authoritative server.
6. Configure the conditional forwarder to be stored in Active Directory and configure replication
requirements.
Lesson 3
A DNS zone hosts all or a portion of a DNS domain. A zone is typically configured to be a forward or a
reverse lookup zone and can be replicated to additional DNS servers for redundancy. Zone data can be
stored in a local file that contains the mapping information, or a zone can be integrated into Active
Directory to provide enhanced security and availability. This lesson provides information on the types of
DNS zones and how zones can be replicated between DNS servers.
Objectives
After completing this lesson, you will be able to:
Describe the use and requirements for Active Directory integrated zones.
Key Points
You can configure a DNS server to host both forward lookup zones and reverse lookup zones. Each of
these zone types provides name resolution capabilities as described below.
In-addr.arpa. The in-addr.arpa domain is reserved in the DNS namespace to provide a way to
perform reverse queries for IPv4-based IP addresses. The reverse namespace consists of subdomains
within the in-addr.arpa domain, which use the reverse ordering of the octets of an IP address.
Ip6.arpa. The ip6.arpa domain provides reverse lookup for IPv6-based IP addresses.
A reverse lookup zone is optional. However, you may need to configure a reverse lookup zone if you have
applications that rely on looking up hosts by their IP addresses. Many applications will log this information
in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the
host by using the reverse zone information. In addition, many email security gateways use reverse lookups
to validate that the IP address sending messages is associated with an authorized and approved domain.
To support reverse lookup functionality, perform the following tasks:
1. Create a reverse lookup zone that corresponds to the subnet network address.
2. In the reverse lookup zone, add a pointer record that maps the IP address to the host name.
Client records are dynamically updated in the following situations:
When the ipconfig /registerdns command is used to manually force a refresh of the client name
registration.
When an IP address is added, removed, or modified in the TCP/IP properties of the client.
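Deriving the reverse zone and pointer record names for a subnet, as an added Python example (not course code): reverse_zone_name applies the reversed-octet rule for in-addr.arpa and the reversed-nibble rule for ip6.arpa, ptr_records_for_hosts produces the pointer records of task 2 from a set of forward host records, and both refuse prefixes that do not fall on an octet or nibble boundary (classless IPv4 reverse delegation, RFC 2317, is outside this example). Host names and addresses are constructed.

```python
"""Reverse lookup zone names and PTR owner names for a subnet, as described above.

Added example, not course code. Host names and addresses below are constructed.
"""
from ipaddress import ip_address, ip_network


def reverse_zone_name(network):
    """Name of the reverse lookup zone that corresponds to a subnet network address."""
    net = ip_network(network, strict=True)          # rejects host bits set in the network address
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones below octet boundaries need RFC 2317-style delegation")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble (4-bit) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner_name(address):
    """Fully qualified owner name of the PTR record for one address (reversed octets or nibbles)."""
    return ip_address(address).reverse_pointer


def ptr_owner_in_zone(address, network):
    """Split the PTR owner name into (relative name, zone) and check the address lies in the subnet."""
    owner = ptr_owner_name(address)
    zone = reverse_zone_name(network)
    if not owner.endswith("." + zone):
        raise ValueError(f"{address} is not inside {network}")
    return owner[: -len(zone) - 1], zone


def ptr_records_for_hosts(network, hosts):
    """PTR records the reverse zone for `network` should hold, from {fqdn: address} forward records.
    Hosts outside the subnet are skipped; they belong in another reverse zone."""
    net = ip_network(network)
    records = []
    for fqdn, addr in hosts.items():
        if ip_address(addr) in net:
            owner, _zone = ptr_owner_in_zone(addr, network)
            records.append((owner, "PTR", fqdn.rstrip(".") + "."))
    return sorted(records)


if __name__ == "__main__":
    # Constructed forward records for a /24; web.contoso.com is deliberately outside the subnet.
    hosts = {"srv1.contoso.com": "192.168.10.25", "dc1.contoso.com": "192.168.10.10",
             "web.contoso.com": "10.0.0.80"}
    print(reverse_zone_name("192.168.10.0/24"))
    print(reverse_zone_name("2001:db8:1::/48"))
    for rec in ptr_records_for_hosts("192.168.10.0/24", hosts):
        print(rec)
```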
Key Points
A forward or reverse lookup zone can be configured to support one of three main types of zones:
Primary zone
Secondary zone
Stub zone
Primary Zone
With a standard primary zone, all DNS records are stored in a zone data file located on the DNS server
called zone_name.dns (where zone_name is the name of the zone), which is stored in the
%windir%\System32\Dns folder. When a zone file is used, the server hosting the primary zone is the only
server that has a writable copy of the DNS database. If the DNS server is a writable domain controller, you
server that has a writable copy of the DNS database. If the DNS server is a writable domain controller, you
can also choose to store the zone data in Active Directory Domain Services to provide efficient replication
and increased security of the DNS infrastructure. With Active Directory-integrated primary zones, all data
for a zone resides in the directory.
Secondary Zone
A secondary zone is a copy of a primary zone that is hosted on another DNS server. A secondary zone
must be obtained from another DNS server, and is used to provide load balancing and redundancy for
name resolution.
Secondary zones cannot be stored in AD DS.
Stub Zone
A stub zone is a specific type of zone that only provides information about the authoritative name servers
for the zone. When you create a stub zone, you specify one or more authoritative DNS servers that host
the zone. The stub zone replicates data from the authoritative server such as the SOA resource record, NS
resource records, and glue records (which are host (A) records) that are used to locate the name servers.
Stub zones are quite useful when an organization contains a large AD DS forest structure consisting of
several parent and child domains. Stub zones are used in this scenario to:
Improve name resolution. When a DNS client queries the DNS server hosting a stub zone, the DNS
server performs recursion by using the stub zone's list of name servers. This minimizes the need to
query the Internet or root hints to perform name resolution.
Maintain delegated zone information. The stub zone is updated regularly to ensure that the
current list of authoritative name servers is provided in the stub zone.
Minimize zone transfer traffic. You can use stub zones to distribute a list of authoritative DNS
servers for a zone without using secondary zones. This can minimize zone transfer traffic and improve
name resolution efficiency. However, stub zones do not enhance redundancy or provide load sharing
capabilities like secondary zones.
Note: A stub zone can be configured to store its zone data in Active Directory.
Key Points
Primary and stub zones can be stored in the AD DS database when the DNS server is an AD DS
domain controller. This creates an Active Directory-integrated zone. The benefits of Active
Directory-integrated zones are significant:
Multimaster updates. Unlike standard primary zones, which can be modified only by a single
primary server, Active Directory-integrated zones can be written to by any DC to which the zone is
replicated. This removes a single point of failure in the DNS infrastructure. It is particularly important
in geographically distributed environments that use dynamic update zones, because they allow clients
to update their DNS records without having to connect to a potentially distant primary server.
Replication of DNS zone data by using AD DS replication. One of the characteristics of Active
Directory replication is attribute-level replication, in which only changed attributes are replicated. An
Active Directory-integrated zone can leverage these benefits of Active Directory replication, rather
than replicating the entire zone file as in traditional DNS zone transfer models.
Secure dynamic updates. An Active Directory-integrated zone can enforce secure dynamic updates.
When you configure an Active Directory-integrated zone to support secure dynamic updates, you can
then use the access control list (ACL) to specify which users or groups have the ability to modify the
zone and the records in the zone. When you create a new Active Directory-integrated zone, it is
configured to use secure dynamic updates by default. Members of the Authenticated Users group are
able to create a new object in the zone. Also, by default, when an authenticated user or computer
creates an object in the zone, it is considered the owner of the object and has full control to modify
or remove the DNS registration as needed.
Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows
you to delegate administration of zones, domains, and resource records by modifying the access
control list (ACL) on the object.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2. Right-click the Forward Lookup Zones node and then click New Zone.
3. Use the New Zone Wizard to create the new forward lookup zone.
4. Right-click the Reverse Lookup Zones node and then click New Zone.
5. Use the New Zone Wizard to create the new reverse lookup zone.
Key Points
A zone transfer occurs when a zone is transferred from one DNS server to another DNS server. Zone
transfers synchronize primary and secondary DNS server zones.
A full zone transfer occurs when the entire zone is copied from one DNS server to another. A full zone
transfer is known as an All Zone Transfer (AXFR).
An incremental zone transfer occurs when there is an update to the DNS server, and only the resource
records that were changed are replicated to the other server. This is an Incremental Zone Transfer (IXFR).
Windows Servers also perform fast transfers, which is a type of zone transfer that uses compression and
sends multiple resource records in each transmission.
Not all DNS server implementations support incremental and fast zone transfers. When integrating a
Windows 2008 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must ensure
that the features you need are supported by the BIND version that is installed.
You can configure zone transfers from the Zone Transfers tab of the zone properties dialog box.
DNS Notify
By default, secondary servers query for updated information every 15 minutes. To ensure that secondary
servers receive zone changes as quickly as possible, you can configure the source server to notify specified
secondary servers when a zone is updated.
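The choice between a full and an incremental transfer, as an added Python example (not course code): a primary keeps the versions of a zone by serial number; a secondary that presents a serial the primary still has in its history receives only the changes since then (IXFR), a secondary whose serial is unknown, for example because the primary's history does not reach back that far, receives the whole zone (AXFR), and a secondary whose serial is already current receives nothing. Serial comparison uses RFC 1982 arithmetic so that a wrapped 32-bit counter still compares correctly. Record strings and serials are constructed.

```python
"""AXFR versus IXFR planning from a primary's zone history, as described above.

Added example, not course code; a toy model of the decision, not the wire protocol. Data is constructed.
"""


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit serial a is newer than b (handles wrap-around)."""
    diff = (a - b) & 0xFFFFFFFF
    return 0 < diff < 0x80000000


class ZoneHistory:
    """The primary's view: every version of the zone it still remembers, oldest first."""

    def __init__(self, serial, records):
        self.versions = [(serial, frozenset(records))]

    @property
    def serial(self):
        return self.versions[-1][0]

    @property
    def records(self):
        return self.versions[-1][1]

    def update(self, new_serial, records):
        """Publish a new version; the serial must move forward or secondaries will never pick it up."""
        if not serial_newer(new_serial, self.serial):
            raise ValueError("new serial must be newer than the current one")
        self.versions.append((new_serial, frozenset(records)))

    def plan_transfer(self, secondary_serial):
        """What a secondary at secondary_serial should receive: ('up to date' | 'IXFR' | 'AXFR' | ...)."""
        if secondary_serial == self.serial:
            return ("up to date", None)
        if serial_newer(secondary_serial, self.serial):
            return ("secondary ahead; no transfer", None)
        known = [s for s, _ in self.versions]
        if secondary_serial not in known:
            return ("AXFR", sorted(self.records))            # full copy of the current zone
        start = known.index(secondary_serial)
        deltas = []
        for (s_old, r_old), (s_new, r_new) in zip(self.versions[start:], self.versions[start + 1:]):
            deltas.append((s_old, s_new, sorted(r_old - r_new), sorted(r_new - r_old)))  # (deleted, added)
        return ("IXFR", deltas)


if __name__ == "__main__":
    # Constructed zone: three versions, one record added, then one record changed.
    z = ZoneHistory(2024010101, ["www A 203.0.113.80", "mail A 203.0.113.25"])
    z.update(2024010102, ["www A 203.0.113.80", "mail A 203.0.113.25", "ftp A 203.0.113.21"])
    z.update(2024010103, ["www A 203.0.113.80", "ftp A 203.0.113.21", "mail A 203.0.113.26"])
    for secondary in (2024010103, 2024010101, 2023123199):
        print(secondary, "->", z.plan_transfer(secondary))
```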
Key Points
DNS Dynamic update provides many advantages for automatically adding records to the DNS database.
However, there may be times when the records are not automatically removed when devices leave the
network. For example, if a device registers its own host (A) record and then is improperly disconnected
from the network, a stale resource record may remain in the DNS database.
Having a large number of stale resource records can lead to many problems such as out-of-date resource
records that cause clients to experience name resolution issues and unnecessarily long zone transfers.
The DNS Server service addresses this problem by using the following features:
Time Stamping. Any resource record that is dynamically added to a primary zone contains a time
stamp that is based upon the current date and time of the DNS server. This time stamp is used to
assist in the aging and scavenging process.
Note: If you manually add a resource record, a time stamp of 0 is used. This indicates that the record is
not affected by the aging or the scavenging process.
Aging. You can configure a specified refresh time period for the entire DNS server or for specific
zones stored on the server. This refresh period is used to determine when scavenging can take place.
Scavenging. Any records that are beyond the specified refresh period can be automatically removed
by the scavenging process. You can configure scavenging to take place automatically, or you can
manually initiate scavenging.
1. In the DNS Manager console, open the DNS server properties dialog box.
2. On the Advanced tab, select the Enable automatic scavenging of stale records check box and
configure an appropriate scavenging period. The default is 7 days.
3. If you want to configure aging settings for all zones on the server, right-click the DNS server and click
Set Aging/Scavenging for All Zones. You can configure server-based settings in the Server
Aging/Scavenging Properties dialog box.
4. If you want to configure aging settings for a specific zone, right-click the zone and click Properties.
On the General tab, click the Aging button. You can configure zone-based settings in the Zone
Aging/Scavenging Properties dialog box.
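The aging and scavenging rules above, as an added Python example (not course code): dynamically registered records carry a timestamp in hours, manually added records carry 0 and are never scavenged, and scavenging removes dynamic records older than the no-refresh plus refresh intervals. The no-refresh interval, during which an unchanged re-registration does not move the timestamp, is a Windows DNS detail not described in the text; the 7-day defaults, record names, and addresses are the example's own.

```python
"""Time stamping, aging and scavenging from the topic above, modelled over a constructed zone.

Added example, not course code. Timestamps are whole hours, as the DNS Server service stores them;
0 marks a manually added (static) record. The no-refresh interval is a Windows detail not in the text.
"""
from dataclasses import dataclass

STATIC = 0   # timestamp of a manually added record: never aged or scavenged


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    timestamp: int = STATIC      # hours since the server's epoch; STATIC for records added by hand


@dataclass
class AgingPolicy:
    no_refresh_hours: int = 168  # Windows default: 7 days
    refresh_hours: int = 168     # Windows default: 7 days


def dynamic_update(zone, name, rtype, rdata, now_hours, policy):
    """Register or refresh a record as a dynamic update would, returning the affected record.

    A refresh with unchanged data inside the no-refresh interval leaves the timestamp alone (this is
    what limits replication traffic); changed data, or a refresh after the interval, stamps the record
    with the current time. Static records keep their 0 timestamp here (this model's choice).
    """
    for rec in zone:
        if rec.name.lower() == name.lower() and rec.rtype == rtype:
            if rec.timestamp == STATIC:
                rec.rdata = rdata
                return rec
            if rec.rdata == rdata and now_hours < rec.timestamp + policy.no_refresh_hours:
                return rec                       # within no-refresh: timestamp not updated
            rec.rdata = rdata
            rec.timestamp = now_hours
            return rec
    rec = Record(name, rtype, rdata, now_hours)
    zone.append(rec)
    return rec


def scavenge(zone, now_hours, policy):
    """Remove dynamic records not refreshed within no-refresh + refresh; static records are kept.
    Returns the removed records; the zone list is updated in place."""
    threshold = policy.no_refresh_hours + policy.refresh_hours
    kept, removed = [], []
    for rec in zone:
        if rec.timestamp != STATIC and now_hours - rec.timestamp >= threshold:
            removed.append(rec)
        else:
            kept.append(rec)
    zone[:] = kept
    return removed


def scavenging_due(last_run_hours, scavenging_period_days, now_hours):
    """Automatic scavenging runs once per scavenging period (default 7 days in the procedure above)."""
    return now_hours - last_run_hours >= scavenging_period_days * 24


if __name__ == "__main__":
    policy = AgingPolicy()
    zone = [Record("dc1", "A", "10.0.0.10")]                 # static record, added by hand
    dynamic_update(zone, "ws1", "A", "10.0.5.1", 9000, policy)
    dynamic_update(zone, "ws2", "A", "10.0.5.9", 9000, policy)
    dynamic_update(zone, "ws1", "A", "10.0.5.1", 9250, policy)   # ws1 refreshed, ws2 left alone
    print("scavenged at hour 9400:", [r.name for r in scavenge(zone, 9400, policy)])
    print("remaining:", [(r.name, r.timestamp) for r in zone])
```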
Key Points
DNS functionality may be affected by the following issues:
Network connectivity with other DNS servers. If your DNS server is configured to forward requests
to another DNS server, network connectivity must be maintained to the other DNS server. DNS root
hint queries also require appropriate network connectivity.
Missing records. If a record for a specific host is not registered in the DNS server, name resolution
will fail. This can be caused by incorrectly configured clients, or the records may have been scavenged
prematurely.
Incomplete records. A record must carry all of the information needed to locate the resource it
represents. If some of that information is missing, clients requesting the resource receive invalid
information. A service record that does not contain a port address is an example of an incomplete record.
Incorrectly configured records. Records that point to an invalid IP address or have invalid
information in their configuration also cause problems when DNS clients try to locate resources.
Monitoring. The Monitoring tab on the Server Properties dialog box can be used to verify the server
configuration by performing a simple query against the DNS server or a recursive query to other DNS
servers.
Global Logs. The Global Logs node in the DNS Manager provides a list of DNS events that have
taken place on the server. This can be useful to determine scavenging or zone transfer details.
Nslookup. Use this to query DNS information. The tool is very flexible and can provide a lot of
valuable information about DNS server status. You can also use it to look up resource records and
validate their configuration, and to test zone transfers, security options, and MX record
resolution.
Dnscmd. Use this command-line tool to manage the DNS server. This tool is useful in scripting batch
files to help automate routine DNS management tasks or to perform simple unattended setup and
configuration of new DNS servers on your network.
Dnslint. Use this tool to diagnose common DNS issues. This command-line utility diagnoses
configuration issues in DNS quickly and can generate a report in the HTML format regarding the
domain status you are testing.
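The "incomplete" and "incorrectly configured" record problems listed above can be caught before clients run into them. The following is an added example, not a tool from the course or from Windows: a small validator over zone-file style lines that flags a SRV record missing its port, an A record with an invalid IPv4 address and similar defects. The zone data, record names and the check rules are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple


def parse_record(line: str) -> Optional[Tuple[str, str, str, List[str]]]:
    """Split a zone-file style line into (owner name, ttl, type, rdata fields)."""
    parts = line.split()
    if len(parts) < 4 or parts[2].upper() != "IN":
        return None
    name, ttl, _, rtype, *rdata = parts
    return name, ttl, rtype.upper(), rdata


def _is_fqdn(name: str) -> bool:
    return name.endswith(".") and len(name) > 1


def check_record(line: str) -> List[str]:
    """Return the problems found in one record; an empty list means it looks usable."""
    parsed = parse_record(line)
    if parsed is None:
        return ["malformed: expected '<name> <ttl> IN <type> <rdata...>'"]
    name, ttl, rtype, rdata = parsed
    problems = []
    if not ttl.isdigit():
        problems.append("incorrect: TTL must be a number of seconds")
    if rtype == "A":
        try:
            addr = ipaddress.IPv4Address(rdata[0]) if len(rdata) == 1 else None
        except ValueError:
            addr = None
        if addr is None:
            problems.append(f"incorrect: A record needs one valid IPv4 address, got {' '.join(rdata)!r}")
        elif addr.is_unspecified or addr.is_multicast:
            problems.append(f"incorrect: {addr} is not a usable host address")
    elif rtype == "SRV":
        if len(rdata) != 4:
            problems.append("incomplete: SRV needs priority, weight, port and target")
        else:
            priority, weight, port, target = rdata
            if not (priority.isdigit() and weight.isdigit()):
                problems.append("incorrect: SRV priority and weight must be numeric")
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append("incorrect: SRV port must be 1-65535")
            if not _is_fqdn(target):
                problems.append("incorrect: SRV target should be a fully qualified name ending in '.'")
    elif rtype == "MX":
        if len(rdata) != 2 or not rdata[0].isdigit() or not _is_fqdn(rdata[1]):
            problems.append("incomplete: MX needs a numeric preference and a fully qualified exchange")
    elif rtype in ("CNAME", "NS", "PTR"):
        if len(rdata) != 1 or not _is_fqdn(rdata[0]):
            problems.append(f"incomplete: {rtype} needs exactly one fully qualified target")
    return problems


def audit_zone(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, type, problems) for every record that has at least one problem."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        problems = check_record(line)
        if problems:
            parsed = parse_record(line)
            name, rtype = (parsed[0], parsed[2]) if parsed else (line.strip(), "?")
            findings.append((name, rtype, problems))
    return findings


# Constructed sample zone; the names echo the course's Contoso lab but the records are made up.
SAMPLE_ZONE = """
; constructed sample, not from the course
nyc-dc1.contoso.com.         3600 IN A     10.10.0.10
nyc-svr1.contoso.com.        3600 IN A     10.10.0.999
www.contoso.com.             3600 IN CNAME nyc-svr1.contoso.com.
_ldap._tcp.contoso.com.      600  IN SRV   0 100 389 nyc-dc1.contoso.com.
_kerberos._tcp.contoso.com.  600  IN SRV   0 100 nyc-dc1.contoso.com.
contoso.com.                 3600 IN MX    10 mail.contoso.com.
"""

if __name__ == "__main__":
    for name, rtype, problems in audit_zone(SAMPLE_ZONE.splitlines()):
        print(f"{name} ({rtype}): {'; '.join(problems)}")
```

Run against the sample, the audit reports the A record with the out-of-range octet and the Kerberos SRV record that lacks a port, which are exactly the two categories the list above calls incorrectly configured and incomplete.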
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You are the DNS administrator for Contoso.com. You need to perform the following DNS tasks to help
provide a more effective DNS infrastructure:
On NYC-SVR1, open Server Manager and install the DNS Server role.
3. Verify that all of the resource records are available in the secondary zone.
2. On NYC-DC1, configure a new Reverse Lookup zone with the following parameters:
Active Directory Zone Replication Scope: All DNS servers running on domain controllers in
the Contoso.com domain
Results: At the end of this exercise, you will have installed the DNS Server role and configured
secondary and reverse lookup zones.
2. On NYC-DC1, use DNS Manager to add an alias for NYC-SVR1.Contoso.com called www.
On NYC-DC1, enable automatic scavenging of stale records to take place every 10 days.
2. Enable zone aging and scavenging for Contoso.com by using the default 7-day no-refresh and
refresh intervals.
Results: At the end of this exercise, you will have configured a resource record for Contoso.com and
enabled aging and scavenging.
In DNS Manager, refresh the Contoso.com zone and verify that www has been transferred
successfully from the authoritative server.
3. Open the Local Area Network Properties and modify the TCP/IPv4 settings to use 10.10.0.11 as the
preferred DNS Server.
3. Run DNSLint from C:\Tools\Dnslint and create a zone report. Hint: use the following command.
4. Read through the report results and then close all open windows.
Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.
Note: Do not shut down the virtual machines; you will need them for the next lab.
Lesson 4
DHCP is used to assign, or lease, IPv4 and IPv6 addresses and other network settings to computers and
devices that are enabled as DHCP clients. This lesson describes how DHCP is used, and how it is installed
and configured to support IP address allocation to network clients.
Objectives
After completing this lesson, you will be able to:
Key Points
The DHCP protocol simplifies the configuration of IP clients in a network environment. Before DHCP was
used widely, each time you added a client to a network, you had to configure it with information about
the network on which you installed it, including the IP address, the network's subnet mask, and the
default gateway for access to other networks.
With the DHCP server role, you can ensure that all clients receive consistent configuration
information, which eliminates human error during configuration. When key configuration
information changes in the network, you can update it on the DHCP server without having to change the
information directly on each computer.
The DHCP role on Microsoft Windows Server 2008 supports several new features:
Support for DHCPv6. Stateful and stateless configuration is supported for clients in an IPv6
environment. Stateful configuration occurs when the DHCPv6 server assigns the IP address to the
client, along with additional DHCP data. Stateless configuration occurs when the DHCPv6 IP is
assigned automatically by an IPv6-supported router without the need for a DHCP server.
Support for Network Access Protection (NAP). DHCP can be configured to integrate with NAP to
isolate unauthorized computers from the corporate network. NAP is part of a Windows Server 2008
based toolset that controls access to network resources to ensure that a client is compliant with
internal security policies. For example, a configured policy may require all network clients to have
Windows Firewall enabled and have a valid, up-to-date antivirus program installed.
Support for Windows Server 2008 Server Core. You can install DHCP as a role on a Windows
Server 2008 Server Core installation.
In addition to these enhancements, Windows Server 2008 R2 supports several additional features, which
are listed as follows:
Link-Layer Filtering. Link-layer filtering lets you allow or deny DHCP leases based upon the
media access control (MAC) address presented by the client. You can specify either a full MAC
address or a MAC address pattern that uses * as a wildcard. This feature is
currently available only for IPv4 networks.
DHCP Split-Scope Configuration Wizard. A DHCP split-scope configuration allows for increased
fault tolerance and redundancy by using two DHCP servers. The Split-scope Wizard provides an
automated method for configuring the scope properties and minimizes errors that are common
during a manual configuration. The split-scope configuration places part of the DHCP scope on a
secondary server with a time delay, which is configured in scope properties. The time delay on the
secondary server ensures that it will only respond to DHCP clients if the primary DHCP server
becomes unavailable. The secondary DHCP server distributes IP addresses until the primary server is
available again to service clients. This feature is only used for IPv4-based scopes.
DHCP Name Protection. Name protection prevents non-Windows-based computers from directly
registering a name and IP address in DNS. When you enable name protection in DHCP, the DHCP
server registers the A and PTR records into DNS on behalf of the client. If a client already exists with
the same registered name, the update fails. Name protection can be configured for both IPv4 and
IPv6 at the server or scope level and will only work for DNS zones that are configured to support
Secure Dynamic Updates.
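Link-layer filtering as described above, modelled in code. This is an added example, not Windows' implementation: it normalizes MAC addresses, turns `*` patterns into anchored regular expressions and evaluates a deny list and an allow list that can be switched on independently. The filter entries are constructed for the example, and checking the deny list before the allow list is an assumption made here, because the text above does not say which list wins when both match.

```python
import re
from typing import Iterable, Tuple

_SEPARATORS = re.compile(r"[-:.]")


def normalize_mac(mac: str) -> str:
    """00-15-5D-01-71-71, 00:15:5d:01:71:71 and 00155D017171 all become '00155d017171'."""
    digits = _SEPARATORS.sub("", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn a filter entry such as '00-15-5D-*' into a regex; '*' matches any run of hex digits."""
    body = _SEPARATORS.sub("", pattern).lower()
    if not re.fullmatch(r"[0-9a-f*]+", body):
        raise ValueError(f"filter entries may contain only hex digits, separators and '*': {pattern!r}")
    return re.compile("".join("[0-9a-f]*" if ch == "*" else ch for ch in body))


class LinkLayerFilter:
    """IPv4 link-layer (MAC) filtering as the text describes it: full addresses or '*' patterns
    on an allow list and a deny list, each of which can be enabled independently."""

    def __init__(self, allow: Iterable[str] = (), deny: Iterable[str] = (),
                 allow_list_enabled: bool = False, deny_list_enabled: bool = True):
        self.allow = [(p, pattern_to_regex(p)) for p in allow]
        self.deny = [(p, pattern_to_regex(p)) for p in deny]
        self.allow_list_enabled = allow_list_enabled
        self.deny_list_enabled = deny_list_enabled

    def decide(self, mac: str) -> Tuple[bool, str]:
        """Return (lease_permitted, reason). The deny list is consulted first, so a client
        matched by both lists is refused (an assumption of this example)."""
        m = normalize_mac(mac)
        if self.deny_list_enabled:
            for entry, rx in self.deny:
                if rx.fullmatch(m):
                    return False, f"denied by deny-list entry {entry}"
        if self.allow_list_enabled:
            for entry, rx in self.allow:
                if rx.fullmatch(m):
                    return True, f"permitted by allow-list entry {entry}"
            return False, "allow list enabled and no entry matches"
        return True, "no filter applies"


# Constructed filter: serve only the 00-15-5D range that the lab's example MAC address
# belongs to, except one address placed on the deny list.
LAB_FILTER = LinkLayerFilter(
    allow=["00-15-5D-*"],
    deny=["00-15-5D-01-71-99"],
    allow_list_enabled=True,
    deny_list_enabled=True,
)

if __name__ == "__main__":
    for candidate in ("00-15-5D-01-71-71", "00-15-5D-01-71-99", "08:00:27:aa:bb:cc"):
        print(candidate, LAB_FILTER.decide(candidate))
```

Because a client chooses the MAC address it presents, a filter of this kind limits accidental or casual use of a scope rather than authenticating the client; the NAP integration described earlier in the list is the feature meant for compliance enforcement.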
Key Points
The DHCP Server role in Windows Server 2008 must be authorized in Active Directory before it begins
leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that
contain multiple Active Directory domains. Therefore, an Enterprise Administrator account must authorize
the DHCP server.
A DHCP server that is part of the Active Directory domain queries Active Directory for a list of authorized
DHCP servers. If its own IP address is on the list, the DHCP services start, and the server begins to service
DHCP requests. If its IP address is not on the list, the DHCP service does not start and does not service
DHCP requests until it has been authorized.
Key Points
The DHCP lease-generation process includes four steps that enable a client to obtain an IP
address:
1. The DHCP client broadcasts a DHCPDISCOVER packet. This message is broadcast to every computer in
the subnet. The only computers that respond are those that have the DHCP server role or that are
running a DHCP relay agent. In the latter case, the agent forwards the message to the
DHCP server with which it is configured.
2. Any DHCP server in the subnet responds by broadcasting a DHCPOFFER packet. This packet
offers the client a potential address.
3. The client receives the DHCPOFFER packet. It may receive packets from multiple servers. If the client
receives offers from more than one server, it usually chooses the server that made the fastest
response to its DHCPDISCOVER. This is typically the DHCP server closest to the client. The client then
broadcasts a DHCPREQUEST. The DHCPREQUEST contains a server identifier, which informs the DHCP
servers which DHCPOFFER the client has chosen to accept.
4. DHCP servers receive the DHCPREQUEST. The servers whose offers the DHCPREQUEST does not
accept treat the message as notification that the client has declined their offers. The chosen
server stores the IP address and client information in the DHCP database and responds with a DHCPACK
message. If for some reason the DHCP server cannot provide the address that was offered in the
initial DHCPOFFER, it sends a DHCPNAK message.
Key Points
When the DHCP lease has reached 50 percent of the lease time, the client attempts to renew the lease.
This is an automatic process that occurs in the background. Computers may have the same IP address for
a long period of time if they operate continually on a network without being shut down.
To renew the IP address lease, the client sends a unicast DHCPREQUEST message to the original DHCP
server that provided the lease. The server that originally leased the IP address sends a DHCPACK message
back to the client that contains any new parameters that have changed since the original lease was
created.
If the client fails to receive a new IP address lease, it continues to use its previously assigned lease until
87.5 percent of the lease duration has expired. At this point, the client attempts to contact any available
DHCP server by broadcasting DHCPREQUEST messages and will start a new lease-generation process.
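The four-step lease process and the renewal behaviour above, as one simulated exchange. This is an added example rather than course material or a real DHCP implementation: a toy server with an address pool and a client that runs DISCOVER, OFFER, REQUEST and ACK, renews with a unicast REQUEST at 50 percent of the lease, falls back to a broadcast REQUEST at 87.5 percent, and receives a DHCPNAK when an offered address can no longer be honoured. The 8-hour lease, server identifiers and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

LEASE_SECS = 8 * 3600  # constructed: an 8-hour lease keeps the numbers small
DISCOVER, OFFER, REQUEST, ACK, NAK = "DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK", "DHCPNAK"


@dataclass
class Msg:
    kind: str
    mac: str                         # client hardware address
    addr: Optional[str] = None       # offered / requested / acknowledged address
    server_id: Optional[str] = None  # server identifier option: which offer the client accepted
    unicast: bool = False            # renewals go unicast to the leasing server; the rest is broadcast


class DhcpServer:
    def __init__(self, server_id: str, pool: List[str]):
        self.server_id = server_id
        self.free = list(pool)
        self.leases = {}  # mac -> (addr, expiry)

    def handle(self, m: Msg, now: float) -> Optional[Msg]:
        if m.kind == DISCOVER:
            if m.mac in self.leases:                  # client already holds an address: offer it again
                return Msg(OFFER, m.mac, self.leases[m.mac][0], self.server_id)
            if not self.free:                         # pool exhausted: no offer (client ends up on APIPA)
                return None
            return Msg(OFFER, m.mac, self.free[0], self.server_id)
        if m.kind == REQUEST:
            if m.server_id not in (None, self.server_id):
                return None                           # another server was chosen: treat as a decline
            held = self.leases.get(m.mac)
            if held and held[0] == m.addr:            # renewal (unicast) or rebinding (broadcast)
                self.leases[m.mac] = (m.addr, now + LEASE_SECS)
                return Msg(ACK, m.mac, m.addr, self.server_id)
            if m.addr in self.free:                   # first lease: commit to the database, then ACK
                self.free.remove(m.addr)
                self.leases[m.mac] = (m.addr, now + LEASE_SECS)
                return Msg(ACK, m.mac, m.addr, self.server_id)
            return Msg(NAK, m.mac, None, self.server_id)  # offered address no longer available
        return None


class DhcpClient:
    def __init__(self, mac: str):
        self.mac, self.addr, self.server, self.bound_at = mac, None, None, None
        self.transcript: List[str] = []  # message types seen on the wire, in order

    def t1(self) -> float:      # renewal time: 50 percent of the lease
        return self.bound_at + LEASE_SECS * 0.5

    def t2(self) -> float:      # rebinding time: 87.5 percent of the lease
        return self.bound_at + LEASE_SECS * 0.875

    def expiry(self) -> float:
        return self.bound_at + LEASE_SECS

    def _request(self, targets, addr, server_id, now, unicast=False) -> bool:
        self.transcript.append(REQUEST)
        req = Msg(REQUEST, self.mac, addr, server_id, unicast)
        for srv in targets:
            reply = srv.handle(req, now)
            if reply is None:
                continue
            self.transcript.append(reply.kind)
            if reply.kind == ACK:
                self.addr, self.server, self.bound_at = reply.addr, srv, now
                return True
        return False

    def discover(self, servers, now) -> str:
        self.transcript.append(DISCOVER)
        offers = [(s, s.handle(Msg(DISCOVER, self.mac), now)) for s in servers]
        offers = [(s, o) for s, o in offers if o is not None]
        self.transcript.extend(OFFER for _ in offers)
        if not offers:
            return "no offer (client would fall back to an APIPA address)"
        _, offer = offers[0]                          # the first offer to arrive is the one taken
        return "leased" if self._request(servers, offer.addr, offer.server_id, now) else "nak"

    def tick(self, servers, now) -> str:
        """Drive the lease life cycle at time `now` (seconds)."""
        if self.addr is None or now >= self.expiry():
            self.addr = None
            return self.discover(servers, now)
        if now < self.t1():
            return "bound"
        if now < self.t2():                           # T1: unicast renewal to the leasing server only
            ok = self._request([self.server], self.addr, self.server.server_id, now, unicast=True)
            return "renewed" if ok else "renew failed; retry until T2"
        ok = self._request(servers, self.addr, None, now)  # T2: broadcast, no server identifier
        return "rebound" if ok else "rebind failed; lease will expire"


if __name__ == "__main__":
    server = DhcpServer("10.10.0.10", ["10.10.0.50", "10.10.0.51"])
    client = DhcpClient("00-15-5d-01-71-71")
    print(client.tick([server], 0), client.transcript)
    print(client.tick([server], client.t1()))
```

The transcript of the first `tick` is the DISCOVER, OFFER, REQUEST, ACK sequence from the numbered steps; at T1 the same client sends a single unicast REQUEST and gets an ACK, which is the renewal the text describes, and a third client asking an exhausted pool gets no offer at all, which is the "pool exhausted" failure listed among the DHCP troubleshooting issues later in this module.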
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. After the server role is installed, open the DHCP console, right-click DHCP, and then verify that the
server is listed as an authorized DHCP server.
Lesson 5
To effectively manage the DHCP server role, you need to understand scopes and options. This lesson
provides information on how to configure a scope, and the various types of options that can be
configured to support the scope. Finally, the lesson will introduce common issues that you may face and
how to address those issues.
Objectives
After completing this lesson, you will be able to:
Key Points
A DHCP scope is a group of IP addresses on a subnet that are available for lease to network clients.
Each scope will contain the following:
A scope name.
For IPv4 scopes: A subnet mask to determine the subnet for addresses.
Reservations used to ensure that a DHCP client always is assigned the same IP address.
DHCP scope options such as the IP address of the DNS server and the IP address of the router.
To create a DHCP scope, you need to be a member of the Administrators group or the DHCP
Administrators group on the server.
A superscope is also useful when there is a need to move clients gradually into a new IP-numbering
scheme. By having both numbering schemes coexist for the duration of the original leases, you can move
clients into the new subnet transparently. When you have renewed all client leases in the new subnet, you
can retire the old one.
Multicast scopes
A multicast scope is a collection of IPv4 multicast addresses from the class D IP address range of 224.0.0.0
through 239.255.255.255. These addresses are used when applications need to efficiently communicate
with numerous clients simultaneously. A multicast scope is also known as a Multicast Address Client
Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes need to
support the MADCAP application programming interface (API).
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. Right-click the IPv4 node and use the New Scope Wizard to create a new scope. Provide the Name,
IP Address Range, Exclusions, and Options.
Key Points
A DHCP server typically provides more than just an IP address to a client. DHCP also provides information
about network resources such as the IP address of DNS servers and the router. You can apply DHCP
options at the following levels:
Server Options. Options configured at the server level affect all scopes hosted on the server.
Scope Options. Options configured at the scope level affect only the scope for which they are
configured.
An option code identifies each DHCP option; most option codes come from the RFC documentation
found on the IETF website.
The following table lists sample IPv4 option codes:
Option Code   Option Name
003           Router
006           DNS servers
015           DNS Domain Name
023           Default IP Time-to-live
031           Perform Router Discovery
033           Static Route Option
043           Vendor-specific information
044           WINS/NBNS servers
046           WINS/NBT Node Type
047           NetBIOS scope ID
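The option codes in the table are carried on the wire as code, length and value triples that follow the DHCP magic cookie. As an added example (not course code), the following encodes and decodes several of the listed options, checking every length byte against the buffer so that a truncated or malformed packet is rejected rather than read past its end. The sample option values use the lab's 10.10.0.x addressing and are constructed here.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field after the fixed header

# Option codes from the table above (standard RFC 2132 codes).
OPT_ROUTER, OPT_DNS_SERVERS, OPT_DOMAIN_NAME, OPT_DEFAULT_TTL = 3, 6, 15, 23
OPT_VENDOR_SPECIFIC, OPT_NBNS, OPT_NBT_NODE_TYPE, OPT_NBT_SCOPE = 43, 44, 46, 47
OPT_PAD, OPT_END = 0, 255

IP_LIST_OPTIONS = (OPT_ROUTER, OPT_DNS_SERVERS, OPT_NBNS)
STRING_OPTIONS = (OPT_DOMAIN_NAME, OPT_NBT_SCOPE)
BYTE_OPTIONS = (OPT_DEFAULT_TTL, OPT_NBT_NODE_TYPE)


def _encode_value(code: int, value) -> bytes:
    if code in IP_LIST_OPTIONS:
        return b"".join(ipaddress.IPv4Address(ip).packed for ip in value)
    if code in STRING_OPTIONS:
        return value.encode("ascii")
    if code in BYTE_OPTIONS:
        return struct.pack("!B", value)
    if code == OPT_VENDOR_SPECIFIC:
        return bytes(value)
    raise ValueError(f"option {code} is not handled by this example")


def _decode_value(code: int, payload: bytes):
    if code in IP_LIST_OPTIONS:
        if len(payload) % 4:
            raise ValueError(f"option {code}: address list length {len(payload)} is not a multiple of 4")
        return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, len(payload), 4)]
    if code in STRING_OPTIONS:
        return payload.decode("ascii")
    if code in BYTE_OPTIONS:
        if len(payload) != 1:
            raise ValueError(f"option {code}: expected 1 byte, got {len(payload)}")
        return payload[0]
    return payload  # unknown or vendor-specific: hand back the raw bytes


def encode_options(options: List[Tuple[int, object]]) -> bytes:
    """Serialize (code, value) pairs as code/length/value triples terminated by END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        payload = _encode_value(code, value)
        if not 1 <= len(payload) <= 255:
            raise ValueError(f"option {code}: payload must be 1-255 bytes, got {len(payload)}")
        out += struct.pack("!BB", code, len(payload)) + payload
    out.append(OPT_END)
    return bytes(out)


def decode_options(data: bytes) -> Dict[int, object]:
    """Parse the options field. Every declared length is checked against the buffer so a
    crafted or truncated packet cannot make the parser read past the end."""
    data = bytes(data)
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("options field does not start with the DHCP magic cookie")
    result, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return result
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: truncated before its length byte")
        length = data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code}: declared length {length} runs past the end of the packet")
        result[code] = _decode_value(code, payload)
        i += 2 + length
    raise ValueError("options field is not terminated by END")


# Constructed scope options in the lab's 10.10.0.x addressing (not course data).
SAMPLE_OPTIONS = [
    (OPT_ROUTER, ["10.10.0.1"]),
    (OPT_DNS_SERVERS, ["10.10.0.10", "10.10.0.11"]),
    (OPT_DOMAIN_NAME, "contoso.com"),
    (OPT_DEFAULT_TTL, 64),
]

if __name__ == "__main__":
    wire = encode_options(SAMPLE_OPTIONS)
    print(wire.hex())
    print(decode_options(wire))
```

The 003 Router option configured in the lab appears on the wire as the bytes `03 04 0a 0a 00 01`: code 3, length 4, then the address 10.10.0.1.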
Key Points
You may have a group of computers or users that require different configuration options than the rest of
the standard scope. For example, computers that access the network by using a VPN may need to
configure alternate router settings than users who access the network from an internal location.
Option classes provide the ability to receive configuration options based on the following:
User class. You can specify user-class options when you want to set options for a certain class of
users, such as users who connect by using Routing and Remote Access or users who are affected by
NAP. You can also configure your own user-class category by using the ipconfig /setclassid
command on each client computer. For example, you may want to provide only laptop computers
with a specific option setting.
Vendor class. The DHCP server role supports the ability to distribute options based on the vendor
class. An example of using DHCP with a vendor class is disabling NetBIOS over TCP/IP for clients that
report a vendor class matching Windows 2000 or Windows XP. Another example is configuring
specific options for a certain computer brand.
Key Points
A DHCP reservation occurs when an IPv4 address within a scope is set aside for use with a specific DHCP
client.
It is often desirable to provide servers and printers with a reserved IP address. This ensures that IP
addresses in a predefined scope will not be assigned inadvertently to another device and cause an IP
address conflict. This also ensures that devices with reservations are guaranteed to have an IP address if a
scope is depleted of addresses. Configuring a reservation enables you to centralize the management of IP
addresses without resorting to manually configuring a static IP address.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. Expand the scope, and then click the Scope Options node.
7. Create a new reservation by providing the IP address and MAC address for the client.
Key Points
If you have configured DHCP options at multiple levels (server, scope, class, and reservation levels), DHCP
applies options to client computers in the following order:
1. Server level
2. Scope level
3. Class level
4. Reserved-client level
For example, if you configure a specific router setting at the Server level, and a router setting is configured
at the Class level, the Class level will override the original setting. Also note that any options configured
for reserved clients will always take precedence over the other levels.
You need to understand these options when you are troubleshooting DHCP.
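The four-level order described above, applied in code. This is an added example, not part of the course: the server, scope, class and reserved-client option sets are merged in that order, so each later level overrides only the codes it defines, and the result also records which level supplied each value. Class options are applied only when the client presents that vendor or user class. The `VPN` user class, the MAC addresses and the option values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPT_ROUTER, OPT_DNS_SERVERS, OPT_DOMAIN_NAME = 3, 6, 15   # codes from the option table above


@dataclass
class DhcpClient:
    mac: str
    user_class: Optional[str] = None    # set on the client with ipconfig /setclassid
    vendor_class: Optional[str] = None  # reported by the client's DHCP implementation


@dataclass
class ServerConfig:
    server_options: Dict[int, object] = field(default_factory=dict)
    scope_options: Dict[int, object] = field(default_factory=dict)
    class_options: Dict[str, Dict[int, object]] = field(default_factory=dict)  # class id -> options
    reservations: Dict[str, Dict[int, object]] = field(default_factory=dict)   # client MAC -> options


def effective_options(cfg: ServerConfig, client: DhcpClient) -> Tuple[Dict[int, object], Dict[int, str]]:
    """Apply the four levels in the order the text gives (server, scope, class, reserved client).
    Each level overrides only the codes it defines. Returns (options, level that supplied each code)."""
    layers = [("server", cfg.server_options), ("scope", cfg.scope_options)]
    for cls in (client.vendor_class, client.user_class):          # class options apply only to members
        if cls is not None and cls in cfg.class_options:
            layers.append((f"class {cls}", cfg.class_options[cls]))
    layers.append(("reservation", cfg.reservations.get(client.mac, {})))
    merged, origin = {}, {}
    for level, options in layers:
        for code, value in options.items():
            merged[code] = value
            origin[code] = level
    return merged, origin


# Constructed configuration in the lab's 10.10.0.x addressing (not course data).
LAB_CONFIG = ServerConfig(
    server_options={OPT_DNS_SERVERS: ["10.10.0.10"], OPT_DOMAIN_NAME: "contoso.com"},
    scope_options={OPT_ROUTER: ["10.10.0.1"]},
    class_options={"VPN": {OPT_ROUTER: ["10.10.0.254"]}},        # hypothetical user class for VPN clients
    reservations={"00-15-5d-01-71-71": {OPT_DNS_SERVERS: ["10.10.0.10", "10.10.0.11"]}},
)

if __name__ == "__main__":
    for client in (DhcpClient("00-15-5d-01-71-71"), DhcpClient("00-15-5d-01-71-80", user_class="VPN")):
        options, origin = effective_options(LAB_CONFIG, client)
        print(client.mac, options, origin)
```

When troubleshooting a client that receives an unexpected router or DNS setting, the `origin` map answers the first question this section raises: which level last wrote the value.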
Key Points
The following table describes and provides examples of common DHCP issues:

Issue: DHCP service does not start
Description: You install DHCP and configure a scope, but the service will not start.
Possible cause: The DHCP server is not in the list of authorized DHCP servers.

Issue: Address conflicts

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead receives an APIPA self-assigned
address.

Issue: Address obtained from incorrect scope
Description: The client is obtaining an IP address from the wrong scope, causing it to experience
communications problems.

Issue: DHCP database suffers data corruption or loss

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's IP scopes have
Possible cause: All IPs assigned to a scope are leased.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You are the network administrator at Contoso, Ltd. You have just deployed a new subnet and have
decided to configure the DHCP service to provide IP addresses and configuration options. You need to
address the following requirements:
Router: 10.10.0.1
A reservation needs to be configured for NYC-SVR1 to automatically assign 10.10.0.55 with the
default scope options.
On NYC-DC1, open Server Manager and install the DHCP Server role.
On NYC-DC1, in the DHCP console, open the Manage authorized servers dialog box and verify that
nyc-dc1.contoso.com is an authorized DHCP server.
Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP
authorization.
3. On NYC-DC1, in the DHCP console, use the New Scope Wizard to configure a scope with the
following settings:
Length: 16
On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options.
2. Add a new scope option for 003 Router with an IP address of 10.10.0.1.
On NYC-SVR1, open a command prompt and use ipconfig /all to determine the physical MAC address
for the server. Write down the MAC address here:
On NYC-SVR1, open the Local Area Properties dialog box and configure the network adapter to
obtain both the IP address and DNS server automatically.
2.
IP address: 10.10.0.55
MAC Address: [Enter the value entered for step 1. For example: 00-15-5D-01-71-71]
3. Switch back to NYC-SVR1 and use the ipconfig command to release and then renew the IP address
configuration.
4. Verify that NYC-SVR1 receives an IP address of 10.10.0.55 with valid scope options.
Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a DHCP
reservation.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
4. You are presenting to a potential client the advantages of using Windows Server 2008. What are the
new features that you would point out when discussing the Windows Server 2008 DNS server role?
6. What must you configure before a DNS zone can be transferred to a secondary DNS server?
7. What are the four DHCP message broadcasts that are used when a successful address lease occurs?
8. At what point in a DHCP lease does the client usually renew the lease automatically?
Description
IP-HTTPS
Provides the ability for a DNS zone and all the records in the zone to be cryptographically signed.
DNS Devolution
When enabled, the DNS server will not allow cached records to be overwritten for the duration of the
TTL value.
Link-Layer Filtering
Tools
Tool            Use for                                 Where to find it
Server Manager  Managing a Windows Server 2008 server   Start Menu
DHCP console    Managing DHCP                           Administrative Tools
DNS Manager     Managing a DNS server                   Administrative Tools
DNSLint         Generating DNS configuration reports    http://download.microsoft.com/download/2/7/2/27252452-e530-4455-846add68fc020e16/dnslint.v204.exe
Configuring Access to File Services
Module 3
Configuring Access to File Services
Module Overview
File services is one of the core pieces of functionality in a Microsoft Windows Server 2008 network
environment. The files stored on your servers contain information that spans the entire scope of your
organization. This information may be available on a single server, or it may be shared on the network for
multiple users to access. This information must be safeguarded and protected from unauthorized use, as
well as made available to authorized users.
This module will not only introduce you to the concepts and terminology involved in file services, but also
provide guidance in the practical management of a file services infrastructure within the Windows Server
2008 environment.
Objectives
After completing this module, you will be able to:
Manage New Technology File System (NTFS) file and folder permissions.
Lesson 1
To manage access to resources, you must understand how the Windows Server 2008 operating system
uses a number of different objects and methods to control access to resources. You need to evaluate
certain aspects of the operating system environment to ensure that the level of access for any given
scenario is clearly defined.
This lesson helps you understand what these objects, methods, and operating system variables are and
how they work together to provide a secure and reliable access control mechanism for the Windows
Server environment.
Objectives
After completing this lesson, you will be able to:
Key Points
In basic terms, a security principal defines who you are within the Windows Server environment.
Specifically, a security principal is represented by a user, group, or computer object that you can use for
authentication and assigning access to resources, such as files or folders, on an NTFS volume or objects
within an Active Directory domain.
In Windows Server 2008, a security principal is stored and managed in one of the following two locations:
Security Identifier
Each security principal created, whether stored in the local SAM or in Active Directory, is issued a security
identifier (SID).
A security principal's SID is issued when the security principal is created. A SID is represented by an
alphanumeric value that uniquely identifies the security principal within the Windows environment,
whether in a local SAM database or within Active Directory.
When displayed in text, each SID begins with the letter S followed by its various numeric components,
separated by hyphens.
S-1-5-21-1673587447-2629168963-360789496-1000
The SID above references a user account in a Windows Server 2008 domain. Like all SIDs, it starts
with the letter S. The second number, 1, is the SID's revision number. The number 5
is the SID authority value; in this case, the Windows security authority. The next four numbered
groupings are the sub-authority values, which make this particular SID unique. For a
computer not joined to a domain, they identify the computer itself as a security principal. In a domain
environment, they identify both the domain itself and the first computer that was declared as a
domain controller for the domain. The last value, in this case 1000, is referred to as the relative identifier
or RID.
Relative Identifier
The relative identifier (RID) is used to uniquely identify user accounts or groups within an individual
computer or domain. Each user-created account and group is represented by a system-generated RID,
beginning with 1000. System-generated accounts and groups, such as the Administrator and Guest
accounts or the BUILTIN\Administrators group, are represented by constant value RIDs that remain the
same across any installation of Windows. For example, a RID of 500 always identifies the
Administrator account in any computer or domain. As such, the SID for the Administrator account
in the domain that the given SID belongs to appears as follows:
S-1-5-21-1673587447-2629168963-360789496-500
The following table illustrates the RID value for some other common Windows accounts and groups:
Relative Identifier (RID) Value   Windows Account or Group Object
500                               Administrator account
501                               Guest account
512                               Domain Admins group
544                               BUILTIN\Administrators group
545                               BUILTIN\Users group
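The SID structure and RID rules above, as a parser. The following is an added example, not course material or a Windows API: it splits a textual SID into revision, authority, sub-authorities and RID, rebuilds the Administrator SID for the same domain or computer, and labels the RIDs from the table. The 15 sub-authority limit and the 32-bit range of each sub-authority are Windows limits stated here from the author's knowledge rather than from the course.

```python
import re
from dataclasses import dataclass
from typing import Tuple

SID_PATTERN = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUB_AUTHORITIES = 15          # Windows limit (SID_MAX_SUB_AUTHORITIES)
FIRST_USER_CREATED_RID = 1000     # RIDs below this are reserved for built-in accounts and groups

# RIDs from the table above.
WELL_KNOWN_RIDS = {
    500: "Administrator account",
    501: "Guest account",
    512: "Domain Admins group",
    544: "BUILTIN\\Administrators group",
    545: "BUILTIN\\Users group",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual form S-<revision>-<authority>-<sub-authority>...-<RID>."""
        m = SID_PATTERN.match(text.strip())
        if not m:
            raise ValueError(f"not a SID in S-R-A-S... form: {text!r}")
        revision, authority = int(m.group(1)), int(m.group(2))
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        if revision != 1:
            raise ValueError(f"unsupported SID revision {revision}")
        if len(subs) > MAX_SUB_AUTHORITIES or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError("sub-authority count or value out of range")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "S-" + "-".join(str(n) for n in (self.revision, self.authority, *self.sub_authorities))

    @property
    def rid(self) -> int:
        """The relative identifier: the last sub-authority."""
        return self.sub_authorities[-1]

    @property
    def issuer(self) -> Tuple[int, ...]:
        """Everything except the RID: identifies the computer or domain that issued the SID."""
        return self.sub_authorities[:-1]


def same_issuer(a: Sid, b: Sid) -> bool:
    """True when both SIDs were issued by the same computer or domain."""
    return (a.authority, a.issuer) == (b.authority, b.issuer)


def describe(sid: Sid) -> str:
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    if sid.rid >= FIRST_USER_CREATED_RID:
        return f"user-created account or group (RID {sid.rid})"
    return f"reserved RID {sid.rid}"


def administrator_sid_for(sid: Sid) -> Sid:
    """Build the SID of the Administrator account in the same domain or computer as `sid`."""
    return Sid(sid.revision, sid.authority, sid.issuer + (500,))


if __name__ == "__main__":
    user = Sid.parse("S-1-5-21-1673587447-2629168963-360789496-1000")  # the example SID above
    print(describe(user), "->", administrator_sid_for(user))
```

Parsing the example SID and swapping its RID for 500 reproduces the Administrator SID shown above, which is why an account's SID, not its name, is what permissions and audit records should be compared against: the name can be changed, the RID cannot.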
Key Points
An access token is a protected object that contains information about the identity and rights associated
with a user account.
Key Points
Permissions are the rules used to determine what operations can be performed on a specific object, such
as a file or a folder by a specific user. Permissions can be granted or denied by the owner of an object and
by anyone with rights to modify permissions for that object. Typically, this includes administrators on the
system and on the domain. If you own an object, you can grant any user or security group any permission
on that object, including the permission to take ownership.
Permissions are assigned in the Windows environment by either granting or denying a specific level of
access to a security principal; most often a user or a group. Local principals are used to assign permissions
for local resources, and domain-based principals are used to assign permissions for resources in an Active
Directory domain.
Permissions can be assigned to an object in one of two ways.
Explicit Permissions
When permissions are set directly on an object within the Windows environment, such as a file or folder,
the permissions are explicitly applied. The permissions have been assigned to the object directly by
modifying the security settings in the object's Properties dialog box.
Inherited Permissions
Resources in a Windows environment, such as files and folders, are typically arranged in a nested or tree
structure. Typically, a folder contains other folders or files, and those folders may contain further files or
folders.
Permission inheritance allows child objects to inherit the permission settings of their parent object.
This behavior allows explicit permissions to be assigned to a small number of objects and have inheritance
pass those permission settings down to child objects within the object structure.
Inheritance behavior can be controlled for each object, either choosing to inherit its parent's permission
settings or to have its own explicitly defined set of permissions.
Key Points
The main idea behind access control is that principals, such as users, groups, or computers, request access
to resources, such as files, folders, and printers.
A SID for the principal to which the rule is applied. This is typically the SID of a user or group.
A list of the types of access controlled by the ACE. This list contains specific capabilities (read, write,
modify, and full control) that the SID is either allowed or denied.
Note: If a DACL contains no ACEs, access is denied to the object for everyone.
1. All explicit ACEs are placed in a group before any inherited ACEs. This means that explicitly defined
permissions always override those inherited from a parent.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child
object's parent come first, followed by ACEs inherited from the grandparent, and so on.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.
In general, according to these rules, explicitly defined permissions take priority over inherited permissions
and within those two groups, denied permissions take precedence over allowed permissions.
The results for the example below are as follows:
Thread 1, which uses Adam Carter's access token, is denied access to the object.
Thread 2, which uses Bobby Moore's access token, is permitted to Read, Write, and Execute the object in
question.
[Figure: a DACL with three ACEs evaluated against two threads' access tokens]
DACL: ACE 1, Deny Access (Read, Write, Execute); ACE 2, Allow Access, Production Group (SID): Write;
ACE 3, Allow Access: Read, Execute
Thread 1 access token: Adam Carter; Marketing Group, Production Group, Research Group
Thread 2 access token: Bobby Moore; Production Group
Although the example does not specifically denote whether the permissions are explicitly
defined or inherited, you can see that the Deny Access for Read, Write, and Execute permissions takes
precedence over any of the Allow Access permissions, thereby denying Adam's thread access to this
object.
Note: Objects also have System Access Control Lists (SACLs) that can contain ACEs just like a DACL.
However, the ACEs in an SACL are used to record access to an object for auditing purposes rather
than control access for security purpose like the DACL.
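The canonical ordering rules and the thread 1 / thread 2 example above, evaluated in code. This is an added example, not course code or the Windows access-check routine, although it follows the same logic: ACEs are sorted into canonical order, entries whose SID is absent from the token are skipped, a matching deny on any requested bit not yet granted ends the check, and allows accumulate until every requested bit is granted. Because the figure does not show the principals of ACE 1 and ACE 3, the example assumes ACE 1 names Adam Carter and ACE 3 the Production Group; the SID strings and the three-bit access mask are stand-ins.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4          # toy access mask bits
ALL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str                 # "deny" or "allow"
    sid: str                  # principal the entry applies to
    mask: int                 # access bits the entry allows or denies
    inherited_depth: int = 0  # 0 = explicit on this object, 1 = from the parent, 2 = from the grandparent


def canonical_order(aces: Iterable[Ace]) -> List[Ace]:
    """Sort into the order the rules above describe: all explicit ACEs first, then inherited ACEs
    by depth (parent before grandparent); inside every group, deny before allow."""
    return sorted(aces, key=lambda a: (a.inherited_depth > 0, a.inherited_depth, a.kind != "deny"))


def access_check(dacl: List[Ace], token_sids: Set[str], requested: int) -> Tuple[bool, str]:
    """Evaluate a DACL against an access token for the requested access bits.

    Walk the ACEs in canonical order and skip any whose SID is not in the token. A deny ACE that
    covers a requested bit not yet granted ends the check with a denial; allow ACEs accumulate
    granted bits, and the check succeeds as soon as every requested bit is granted. An empty
    DACL denies everyone, as the Note above states.
    """
    if not dacl:
        return False, "empty DACL: access denied to everyone"
    granted = 0
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False, f"denied by deny ACE for {ace.sid}"
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True, "all requested access granted"
    return False, "requested access not fully granted by any ACE"


# The example above, reconstructed. Assumed here (the figure does not show it): ACE 1 names
# Adam Carter's own SID and ACE 3 names the Production Group. SIDs are stand-in strings.
ADAM, BOBBY = "SID:AdamCarter", "SID:BobbyMoore"
MARKETING, PRODUCTION, RESEARCH = "SID:Marketing", "SID:Production", "SID:Research"
EXAMPLE_DACL = [
    Ace("deny", ADAM, READ | WRITE | EXECUTE),   # ACE 1
    Ace("allow", PRODUCTION, WRITE),             # ACE 2
    Ace("allow", PRODUCTION, READ | EXECUTE),    # ACE 3
]
THREAD1_TOKEN = {ADAM, MARKETING, PRODUCTION, RESEARCH}   # Adam Carter's token
THREAD2_TOKEN = {BOBBY, PRODUCTION}                       # Bobby Moore's token

if __name__ == "__main__":
    print("thread 1:", access_check(EXAMPLE_DACL, THREAD1_TOKEN, ALL))
    print("thread 2:", access_check(EXAMPLE_DACL, THREAD2_TOKEN, ALL))
```

Adam is a member of the Production Group, so ACE 2 and ACE 3 would grant him everything; the deny in ACE 1 still wins because it sorts ahead of every allow. The test also shows the one case where a deny loses: an inherited deny is outranked by an explicit allow on the object itself, which is rule 1 above.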
Key Points
Beginning in Windows Server 2003 Service Pack 1, Windows Server allows for access-based enumeration
of folders that a server shares over the network.
When you enable access-based enumeration, users see shared files and folders only if they are given the
appropriate access permissions for the folder or files.
Access-based enumeration provides a more streamlined and efficient experience for end users, because
they see only files that they have permission to access.
1. Click the Start button, click Administrative Tools, and then click Share and Storage Management.
2. In the main pane of the Share and Storage Management window, right-click one of the shared
folders, and then click Properties.
4. In the Advanced dialog box, select the Enable access-based enumeration check box.
When the Enable access-based enumeration check box is selected, access-based enumeration is
enabled on the shared folder. This setting is unique to each shared folder on the server.
Lesson 2
NTFS has been the primary file system of the Windows Server operating system for more than 15 years.
One of the keys to its longevity is the logical and efficient way that NTFS manages file properties like
permissions and the way that NTFS has evolved and enhanced its interaction with Windows operating
systems.
To manage and use a Windows Server environment effectively, you need to know the methods that NTFS
uses to assign and propagate properties to files and folders.
Objectives
After completing this lesson, you will be able to:
Key Points
NTFS permissions are assigned to files or folders on a storage volume formatted with NTFS. The permissions assigned to NTFS files and folders govern user access to these files and folders.
The following points describe the key aspects of NTFS permissions:
NTFS permissions can be assigned to an individual file or folder, or to sets of files or folders.
NTFS permissions are assigned to security principals: users, groups and computers.
NTFS permissions are controlled by allowing or denying specific types of NTFS file and folder access, such as read or write.
NTFS permissions can be inherited from parent folders. By default, the NTFS permissions assigned to a folder are also assigned to newly created folders or files within that parent folder.
Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a file or a folder take precedence over those that are inherited from a parent folder.
Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any Deny permissions that exist override conflicting Allow permissions within the same group.
Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow
It is important to remember that NTFS permissions are cumulative, and these rules matter only when two NTFS permission settings conflict with each other.
Note: Further detail regarding conflicting and inherited permissions will be covered later in this lesson.
To view or assign NTFS permissions on a file or folder:
1. Right-click the file or folder you want to assign permissions for and click Properties.
2. In the Properties window, click the Security tab.
3. To open an editable permissions dialog box so you can modify existing permissions or add new users or groups, click the Edit button.
Note: More complex permissions settings will be discussed later in this lesson.
Key Points
Assignable NTFS permissions fall into two categories, Standard and Advanced.
Standard Permissions
Standard permissions provide the most commonly used permission settings for files and folders, and are presented for assignment in the main NTFS permissions assignment window (the Security tab).
Standard permissions for NTFS files and folders consist of the following:
Full Control: Allows the user to read, write, change and delete the file or folder and its contents, and also to change its permissions and take ownership of it.
Modify: Allows the user to read, write, change and delete the file or folder and its contents, but not to change its permissions or take ownership.
Read & Execute: Allows the user to view the contents of files and folders and to run program files.
List Folder Contents (folders only): Allows the user to view the names of the files and subfolders in the folder only; no access is given to the actual file contents.
Read: Allows the user to view the data, attributes and permissions of the file or folder.
Write: Allows the user to create files and folders, write data and change attributes.
Note: Giving users Full Control permissions on a file or a folder not only gives them the ability to perform any file system operation on the object, but also the ability to change permissions on the object. They can also remove permissions on the resource for any or all users, including you.
Advanced Permissions
Advanced permissions allow for a much finer level of control over NTFS files and folders. Advanced permissions are accessible from the Security tab of a file or folder's Properties sheet by clicking the Advanced button.
Advanced permissions for NTFS files and folders consist of the following:
Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. It allows or denies the user moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right, which is configured under User Rights Assignment in Group Policy. By default, the Everyone group holds the Bypass Traverse Checking user right, so in practice this permission rarely restricts anyone. The Execute File permission applies only to files and allows or denies running program files. Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on the files in that folder.
List Folder/Read Data: The List Folder permission applies only to folders and allows the user to view the names of the files and subfolders in that folder. It governs only the contents of that folder, not whether the folder itself appears in its parent's listing, and it has no effect on viewing the file structure from the command-line interface. The Read Data permission applies only to files and allows or denies the user viewing data in files.
Read Attributes: Allows the user to view the basic attributes of a file or a folder, such as the read-only and hidden attributes. Basic attributes are defined by NTFS.
Read Extended Attributes: Allows the user to view the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program.
Create Files/Write Data: The Create Files permission applies only to folders and allows the user to create files in the folder. The Write Data permission applies only to files and allows the user to make changes to the file and to overwrite existing content.
Create Folders/Append Data: The Create Folders permission applies only to folders and allows the user to create folders within the folder. The Append Data permission applies only to files and allows the user to add data to the end of the file, but not to delete or overwrite existing data.
Write Attributes: Allows the user to change the basic attributes of a file or folder, such as read-only or hidden. Basic attributes are defined by NTFS. The Write Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to change the attributes of a file or folder. To allow Create or Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes: Allows the user to change the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to change the extended attributes of a file or folder. To allow Create or Delete operations, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete entries in this table.
Delete Subfolders and Files: Applies only to folders and allows the user to delete subfolders and files, even if the Delete permission is not granted on the subfolder or file.
Delete: Allows the user to delete the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted Delete Subfolders and Files permission on the parent folder.
Read Permissions: Allows the user to read the permissions assigned to the file or folder, such as Full Control, Read, and Write.
Change Permissions: Allows the user to change the permissions on the file or folder, such as Full Control, Read, and Write. Like Full Control, this permission lets its holder grant themselves any other permission.
Take Ownership: Allows the user to take ownership of the file or folder. The owner of a file or folder can change permissions on it regardless of any existing permissions that protect the file or folder, so Take Ownership is equivalent to Full Control in the long run.
Synchronize: Allows different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.
Note: Standard permissions are actually combinations of several individual Advanced permissions grouped into common file and folder usage scenarios.
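An added example (not part of the course) that makes the Note concrete by decomposing each Standard permission into the Advanced permissions it contains, using the .NET FileSystemRights enumeration that PowerShell's Get-Acl and Set-Acl expose. It assumes nothing beyond a Windows host with PowerShell.

```powershell
# Added example: decompose a Standard NTFS permission into the Advanced rights it is built from.
# The composite members of the .NET FileSystemRights enumeration (Read, Write, ReadAndExecute,
# Modify, FullControl) are exactly the Standard permissions shown on the Security tab.
function Get-AdvancedRights {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $names = @()
    foreach ($name in [Enum]::GetNames([System.Security.AccessControl.FileSystemRights])) {
        $bit = [int][System.Security.AccessControl.FileSystemRights]$name
        # Advanced rights are single bits; skip 0 and the composite (multi-bit) members.
        if ($bit -eq 0 -or ($bit -band ($bit - 1)) -ne 0) { continue }
        if (([int]$Rights -band $bit) -eq $bit) { $names += $name }
    }
    # Some bits carry two names (ReadData/ListDirectory, ExecuteFile/Traverse): one is the
    # file meaning and the other the folder meaning, as in the Advanced permissions table.
    return $names
}

foreach ($std in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    $adv = Get-AdvancedRights -Rights $std
    '{0,-15} = {1}' -f $std, ($adv -join ', ')
}
```

Read expands to ReadData/ListDirectory, ReadExtendedAttributes, ReadAttributes and ReadPermissions; Modify adds the Write bits and Delete; only FullControl includes ChangePermissions, TakeOwnership and Synchronize. The Security tab silently adds Synchronize to every Allow ACE it writes, so a Standard Read grant read back with Get-Acl shows "Read, Synchronize" rather than plain "Read".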
Key Points
By default, NTFS uses inheritance to propagate permissions throughout an NTFS folder structure. When a
file or a folder is created, it is automatically assigned the permissions set on any folders that exist above it
in the hierarchy of the folder structure.
Folder or File | NTFS Permission | Adam's Permissions
Marketing (folder) | Read: Marketing Group | Read
Marketing Pictures (folder) | None explicitly set | Read (inherited)
New York (folder) | Write: New York Editors | Read (i) + Write
Fall_Composite.jpg (file) | None explicitly set | Read (i) + Write (i)
In this example, Adam is a member of two groups that are assigned permissions for files or folders within the folder structure.
The top-level folder, Marketing, has an entry for the Marketing Group giving them Read access.
In the next level, the Marketing Pictures folder has no explicit permissions set, but because of permissions inheritance, Adam also has Read access to this folder and its contents from the permissions set on the Marketing folder.
In the third level, the New York folder has Write permission assigned to one of Adam's groups, New York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits the Read permission from the Marketing folder. These permissions continue to pass down to file and folder objects, accumulating with any explicit permissions set on those files.
The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been set for this file, Adam has both Read and Write access to the file, due to the inherited permissions from both the Marketing folder and the New York folder.
Permission Conflicts
It is possible that explicitly set permissions on a file or folder will conflict with permissions inherited from a parent folder. In these cases, the explicitly assigned permissions override the inherited permissions, because explicit entries are evaluated before inherited ones.
In the given example, if Adam Carter was denied Read access to the Marketing folder, but then explicitly allowed Read access to the New York folder, the explicit Allow would take precedence over the inherited Deny Read permission for the New York folder and its contents. Adam would still be denied Read access to the Marketing folder itself and to Marketing Pictures, where only the inherited Deny applies.
Blocking Inheritance
It is also possible to disable the inheritance behavior for a file or a folder (and its contents) on an NTFS volume. This can be done to explicitly define permissions for a set of objects without including any of the inherited permissions from any parent folders.
Windows provides an option for blocking inheritance on a file or a folder within the Advanced section of the Security tab. To block inheritance on a file or folder, complete the following steps:
1. Right-click the file or folder where you want to block inheritance and click Properties.
2. In the Properties window, click the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, click the Change Permissions button.
4. In the next window, clear the Include inheritable permissions from this object's parent check box.
Note: At this point, you are prompted to either copy the existing inherited permissions as explicit entries, giving you a starting point for your explicitly assigned permissions, or remove them to start with a blank permissions slate. Choosing Remove on an object that has no explicit entries of its own leaves an empty DACL, which grants access to nobody until the owner or an administrator re-grants it.
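The inheritance walk from the table and the inheritance block from the procedure above, reproduced on a live NTFS volume as an added PowerShell example that is not course code. It builds the folder tree under the current user's temp directory. Because the Marketing Group and New York Editors do not exist on an arbitrary machine, the well-known principals NT AUTHORITY\Authenticated Users and BUILTIN\Users stand in for them; that substitution is an assumption to replace with real groups when adapting the script. Entries inherited from the temp directory itself also appear in the output.

```powershell
# Added example: build the Marketing tree from the table, grant the two group permissions,
# watch inheritance propagate to the file, then block inheritance on Marketing Pictures.
# Stand-ins (assumption): Authenticated Users plays the Marketing Group,
# BUILTIN\Users plays New York Editors, so the script runs without creating groups.
$root = Join-Path $env:TEMP 'ntfs-inherit-demo'
$ny   = Join-Path $root 'Marketing\Marketing Pictures\New York'
New-Item -ItemType Directory -Path $ny -Force | Out-Null
$file = Join-Path $ny 'Fall_Composite.jpg'
Set-Content -Path $file -Value 'constructed sample, not a real image'

function Add-AllowAce {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit is "This folder, subfolders and files" in the GUI.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Acl {
    param([string]$Path)
    "--- $Path"
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

Add-AllowAce -Path (Join-Path $root 'Marketing') -Identity 'NT AUTHORITY\Authenticated Users' -Rights Read
Add-AllowAce -Path $ny -Identity 'BUILTIN\Users' -Rights Write

# The file has no explicit entries: Read and Write both arrive with IsInherited = True.
Show-Acl -Path $file

# Block inheritance on Marketing Pictures. The second argument mirrors the GUI prompt:
# $true copies the inherited entries as explicit ones, $false removes them (blank slate).
$pics = Join-Path $root 'Marketing\Marketing Pictures'
$acl = Get-Acl -Path $pics
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $pics -AclObject $acl
# Same entries as before, but IsInherited is now False: they no longer follow the parent.
Show-Acl -Path $pics
```

After the block, editing the Marketing folder's ACL no longer changes Marketing Pictures or anything beneath it; that is what you want for a deliberately isolated subtree and exactly what makes a forgotten inheritance block hard to audit later, since Get-Acl on the parent no longer tells you the whole story.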
Key Points
NTFS permissions are stored with each file or folder on its volume, so moving or copying files or folders from their original location can change the permissions they end up with, depending on the nature of the move or copy operation.
Note: It is important to define the move and copy process before defining the rules that apply to moving and copying files.
Moving a file or folder relocates the object to the new destination. After a move operation is complete, the file or folder no longer exists in the old location.
Copying a file or folder makes a copy of the object and places it in the new destination. The original file remains in the same state in the original location.
The following rules apply when moving or copying files or folders to another location:
1. When moving or copying files or folders to another volume, all NTFS permissions are lost. If the destination volume is NTFS, your files or folders inherit the NTFS permissions of the parent folder on the destination volume.
Note: When files are sent to another volume, it is always a copy operation. If you select move from the Windows Explorer interface, the actual file operation copies the file to the destination and then deletes the file from the original location.
2. When copying files or folders to another location on the same NTFS volume, the original NTFS permissions assigned to the original objects are lost. The copies inherit NTFS permission settings from the destination parent folder.
3. When moving files or folders to another location on the same NTFS volume, the explicitly defined NTFS permissions are retained for the objects in their new location, and inherited permissions now come from the parent folder in the new location. If no explicit permissions are defined, the objects simply inherit from their new parent folder.
A practical consequence: a file that was explicitly locked down stays locked down after a same-volume move, while a copy of it silently picks up the destination folder's permissions. Check the ACL after a copy before treating the copy as equivalent to the original.
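Rules 2 and 3 verified on a live volume, as an added PowerShell example that is not part of the course. It creates a source and a destination folder under the temp directory (same volume), grants an explicit ACE with icacls, then copies and moves the file. BUILTIN\Users is a stand-in for whichever principal you would really grant.

```powershell
# Added example: what a same-volume copy and a same-volume move do to an explicit ACE.
# icacls ships with Windows Server 2008; Get-Acl reads the result back.
$base = Join-Path $env:TEMP 'ntfs-move-copy-demo'
$src  = Join-Path $base 'src'
$dst  = Join-Path $base 'dst'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null
$orig = Join-Path $src 'report.txt'
Set-Content -Path $orig -Value 'constructed sample'
# Explicit Allow Modify for BUILTIN\Users (assumed stand-in) on the source file only.
icacls $orig /grant 'BUILTIN\Users:(M)' | Out-Null

function Get-ExplicitAces {
    param([string]$Path)
    # Only the entries stored on the object itself, not those flowing from its parent.
    @((Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference) $($_.FileSystemRights)" })
}

$copied = Join-Path $dst 'copied.txt'
$moved  = Join-Path $dst 'moved.txt'
Copy-Item -Path $orig -Destination $copied
Move-Item -Path $orig -Destination $moved

# A copy is a brand-new object: it has only what dst hands down, so the list is empty.
'copied.txt explicit ACEs: ' + ((Get-ExplicitAces -Path $copied) -join '; ')
# A same-volume move is a rename: the explicit BUILTIN\Users Modify entry survives.
'moved.txt  explicit ACEs: ' + ((Get-ExplicitAces -Path $moved) -join '; ')

# Caveat: a rename does not rewrite the security descriptor, so until inheritance is
# re-applied the moved file can still carry the entries it inherited under src. Turning
# protection off and saving the ACL asks Windows to recompute the inherited entries from dst.
$acl = Get-Acl -Path $moved
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $moved -AclObject $acl
(Get-Acl -Path $moved).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

If src and dst have different inheritable entries, run the final Format-Table before and after the Set-Acl to see the stale entries replaced; in this constructed layout both folders hang off the same parent, so the repair is a no-op you can trust rather than a visible change.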
Lesson 3
Configuring and maintaining NTFS permissions for your file and folder structure is an important part of
administering a file server. However, if your file server must provide those files and folders to your users
on the network, the resources must be set up as shared folders in Windows Server 2008.
Shared folders provide the basis for providing network access to file resources, and their configuration
and deployment should be planned and managed effectively. This lesson will introduce you to the File
Services role in Windows Server 2008 and provide details on sharing and protecting your file structure.
Objectives
After completing this lesson, you will be able to:
Create shared folders by using Windows Explorer and Share and Storage Management.
Key Points
The File Services role provides not only the ability to share your files and folders, but also helps manage
storage, enable file replication, provide network resources to non-Windows clients, and manage access to
and use of your shared folder structure proactively.
The File Services role consists of the following role services that work together to provide a full-featured
file management solution:
File Server is the core of the File Services role. It manages shared folders and enables users to access
files on the server from the network.
Distributed File System (DFS) allows administrators to configure a distributed system for shared
folders. This distribution allows for the same set of shared folders to be hosted on different servers.
DFS Replication allows you to replicate shared folders between servers, and DFS Namespace makes it
possible to use a single network share address to allow access to multiple physical DFS locations.
File Server Resource Manager (FSRM) enables the management of file usage through quotas, file
screening policies, and storage reports.
Services for Network File System allow you to configure NFS to allow access to your shared folders
from UNIX client computers.
Windows Search Service permits indexing of files and folders on your file server. This allows for more
efficient searches from clients that are compatible with Windows Search Service.
Windows Server 2003 File Services provides the File Replication Service (FRS) and the Indexing Service for compatibility with Windows Server 2003 file servers.
BranchCache for Network Files enables computers in branch offices to cache commonly downloaded
files from shared folders and then provide those files to other computers in the branch office. This
reduces network bandwidth usage and provides faster access to the files. This Role Service is available
only in Windows Server 2008 R2.
Note: The commonly used File Services components (DFS, FSRM, and BranchCache) will be covered in
more detail later in this course.
Key Points
Shared folders are the key component of accessing files on your server from the network.
When you share a folder, the folder and all its contents are made available to multiple users
simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS
permissions on folders contents. These permissions are used to provide an extra level of security for files
and folders made available on the network.
Most organizations deploy dedicated file servers to host shared folders. You can store files in shared
folders according to categories or functions. For example, you can put shared files for the Sales
department in one shared folder and shared files for the Marketing department in another.
Note: The sharing process happens strictly at the folder level. It is not possible to share only an
individual file or a group of files.
You can create a shared folder in any of the following ways:
Using the Provision a Shared Folder Wizard from the Share and Storage Management console.
Using the File Sharing Wizard, either from the folder's right-click menu or by clicking the Share button on the Sharing tab of the folder's Properties window.
Using Advanced Sharing by clicking the Advanced Sharing button on the Sharing tab of the folder's Properties window.
Administrative and Hidden Shares
Hidden shares can be created for shared folders that need to be available from the network, but not to users browsing the network.
You access a hidden share by entering its UNC path; the folder does not appear when you browse the server by using Windows Explorer. The built-in administrative shares that Windows creates (C$ and the other volume roots, ADMIN$ and IPC$) use the same convention and are restricted to administrators. A hidden share you create yourself has only the permissions you assign to it, so give it a restrictive set that reflects its contents.
To hide a shared folder, append the dollar symbol ($) to the share name. For example, a shared folder on NYC-SVR1 named Sales can be made into a hidden share by naming it Sales$. The share is accessible over the network by using the UNC name:
\\NYC-SVR1\Sales$
Hiding a share is not an access control. Any user who learns the name can connect to it, and the server still reports hidden shares to tools that enumerate shares directly (for example, net view \\NYC-SVR1 /all), so the share and NTFS permissions remain the only real protection.
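Creating a hidden share from the command line and then showing what "hidden" does and does not mean, as an added example that is not part of the course. The folder E:\Sales, the group CONTOSO\Sales and the server name NYC-SVR1 are assumptions borrowed from the course's naming; run the block on the file server as an administrator.

```powershell
# Added example: create a hidden share with net share (present on Windows Server 2008),
# then show that the $ suffix only keeps it out of the browse list.
# Assumptions: E:\Sales exists, CONTOSO\Sales exists, this host is NYC-SVR1.
net share 'Sales$=E:\Sales' /GRANT:CONTOSO\Sales,CHANGE

# Anyone who knows the name can connect; share and NTFS permissions decide what happens next.
Test-Path '\\NYC-SVR1\Sales$'

# The server still enumerates hidden shares to any caller allowed to query it.
# Type 0 is an ordinary disk share; the built-in admin shares carry the 0x80000000 bit.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Path, Type

# Clean up the constructed share when done.
net share 'Sales$' /DELETE
```

net view \\NYC-SVR1 /all from any domain member lists the same names, which is why a share ACL of Everyone: Full Control on a "hidden" share is exactly as exposed as it would be on a visible one.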
Key Points
Shared folder permissions apply only to users who access the folder over the network. They do not affect
users who access the folder locally on the computer where the folder is stored.
Just like NTFS permissions, you can assign shared folder permissions to user, group, or computer objects.
However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or
folders within the shared folder. Shared folder permissions are set once for the shared folder itself and
apply universally to the entire contents of the shared folder for users who access the folder over the
network.
The following permissions can be applied to a shared folder:
Read: Users can display folder and file names, display file data and attributes, run program files and scripts, and navigate the folder structure within the shared folder.
Change: Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.
Full Control: Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.
Note: When you assign Full Control permissions on a shared folder to a user, that user can modify
permissions on the shared folder, which includes removing all users, including you, from the shared
folders permissions list. In most cases, Change permission should be assigned instead of Full Control.
When a shared folder is created, the default assigned shared permission is Read for the Everyone group.
By default, Windows Server 2008 allows the following groups to create shared folders: Administrators and
Server Operators.
Question: Can you list at least one example of when an administrator might give Full Control permissions
to a user for a shared folder?
Key Points
In this demonstration, you will see how to:
Create a shared folder and assign permissions by using the Share and Storage Management console.
Demonstration Steps:
1.
2.
3. Share the folder by using the Advanced Sharing button on the Sharing tab of the properties window.
4.
5.
6. Use the Provision a Shared Folder Wizard to create and share the C:\Marketing folder, giving Change permissions to the Contoso\Marketing group.
Key Points
Windows Server 2008 provides the ability to cache network files for offline use. Files can be made available for clients to cache locally, so the files are available for use when the client computer is disconnected from the network.
Offline files and folders can be edited or modified by the client, and the changes are synchronized with the network copy of the files the next time the client reconnects to the network. The synchronization schedule and behavior of offline files is controlled by the client operating system.
Offline files are available to Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 clients.
On a Windows Server 2008 computer, the Caching button in the Advanced Sharing window brings up the
Offline Settings window for a shared folder. The following options are available within the Offline Settings
window:
Only the files and programs that users specify are available offline. This is the default option
when you set up a shared folder. When you use this option, no files or programs are available offline
by default, and users control which files and programs they want to access when they are not
connected to the network.
Note: There is an Enable BranchCache option that enables BranchCache for the shared folder.
BranchCache will be discussed in more detail later in this course.
No files or programs from the shared folder are available offline. This option blocks Offline Files
on the client computers from making copies of the files and programs on the shared folder.
All files and programs that users open from the shared folder are automatically available offline. Whenever a user accesses the shared folder or volume and opens a file or program in it, that file or program is automatically made available offline to that user. Files and programs that are automatically made available offline remain in the Offline Files cache and synchronize with the version on the server until the cache is full or the user deletes the files. Files and programs that are not opened are not available offline.
If you select the Optimized for performance check box, executable files (EXE, DLL) that are run from
the shared folder by a client computer are automatically cached on that client computer. The next
time the client computer runs the executable files, it will access its local cache instead of the shared
folder on the server.
Note: The Offline Files feature must be enabled on the client computer for files and programs to be
automatically cached. In addition, the Optimized for performance option does not have any effect on
client computers that use Windows Vista or later as these operating systems automatically perform
the program-level caching specified by this option.
Question: Which client computer type would make the best use of offline files?
Key Points
New features introduced in Windows Server 2008 R2 and Windows 7 further enhance the offline file and folder experience by providing optimized offline file synchronization and access, improving the end-user offline files experience.
Exclusion List
The Exclusion List feature allows for the exclusion of certain file types (large audio or video files) from the
Offline Files synchronization process on Windows 7 clients. This reduces synchronization overhead and
disk space usage on the server and speeds up backup and restore operations. The list of file types is
configured by using Group Policy.
Transparent Caching
With transparent caching, the first time a user opens a file in a shared folder, Windows 7 reads the file from the server and then stores it in the Offline Files cache on the local hard disk drive. The subsequent times that a user opens the same file, Windows 7 retrieves the cached file from the hard disk drive instead of reading it from the server. To provide data integrity, Windows 7 always contacts the server to ensure that the cached copy is up to date. The cache is never accessed if the server is unavailable, and updates to the file are always written directly to the server.
Transparent caching is not enabled by default. IT administrators can use a Group Policy setting to enable transparent caching, improve the efficiency of the cache, and configure the amount of hard disk drive space that the cache uses. Because every cached file is a copy of server data sitting on the client's disk, consider also the Encrypt the Offline Files cache Group Policy setting (or full-volume encryption on the client) for shares that hold sensitive data.
Note: All the features mentioned in this topic require the client computer to be running Windows 7
Professional, Enterprise, or Ultimate edition. The features also apply to Windows Server 2008 R2
computers acting as offline files clients.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2. Share the E:\Labfiles\Mod03 folder as Mod03 by using the Advanced Sharing button on the Sharing tab of the properties window.
3. In the Caching settings, make the folder's contents available for offline synchronization.
4.
5. Right-click the mapped network drive and make the files available for offline use.
Lesson 4
Assigning permissions for a single user or a group on a single resource is a straightforward task, and it is
not difficult to determine the results. However, in a typical enterprise environment, permission
assignments are not often simple. Multiple group membership, blocked inheritance and combined NTFS
and shared folder permissions can make determining the actual permissions a user is assigned a complex
task.
Objectives
After completing this lesson, you will be able to:
Describe best practices for implementing NTFS and Shared folder permissions.
Key Points
Effective NTFS permissions refer to the cumulative permissions given to a user for an object in relation to
both explicitly defined and inherited permissions allocated to the object for a user and any groups the
user has membership in.
The following principles determine effective permissions:
Cumulative permissions are the union of all Allow permissions granted to the user and to every group of which the user is a member. For example, if a user is a member of a group that has Read permission and of a group that has Modify permission, the user has Modify permission.
Deny permissions override equivalent Allow permissions at the same level. An explicit Allow permission can override an inherited Deny permission, because explicit entries are evaluated first. For example, if a user is denied write access to a folder, but is explicitly allowed write access to a subfolder or a particular file, the explicit Allow overrides the inherited Deny.
NTFS file permissions take priority over folder permissions. For example, if a user has Modify permission to a folder, but certain files in that folder have inheritance blocked and grant the user only Read, the effective permission for those files is Read. If the files still inherited Modify from the folder, the cumulative rule would apply and the user would keep Modify on them.
Every object on an NTFS volume or in Active Directory has an owner. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user who has only Modify permission on a folder creates a file in it. Because the user created the file, the user owns it and can change its permissions, including granting himself or herself Full Control over the file.
To view the effective permissions of a user or group on a file or folder:
1. Right-click the file or folder that you want to analyze permissions for and then click Properties.
2. Click the Security tab, and then click Advanced.
3. In the Advanced Security Settings window, click the Effective Permissions tab.
4. Click Select, enter the user or group name, and click OK to display the permissions that principal actually holds on the object.
The Effective Permissions tab evaluates NTFS permissions only. It does not include shared folder permissions, nor membership in groups that depend on how the user logs on (such as Interactive or Network), so the result for a user connecting over the network can be more generous than what that user really gets.
Key Points
In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions. You will discuss in class the possible solutions to the scenario.
Scenario
Adam is a member of the Marketing group and the Sales group. The graphic on the slide shows folders
and files on the NTFS partition.
Question: The Marketing group has Write permission, and the Sales group has Read permission for the
Reports folder. Which permissions does Adam have for the Reports folder?
Question: The Marketing group has Read permission for the Reports folder. The Sales group has Write
permission for the New York folder. Which permissions does Adam have for the Region file?
Question: The Marketing group has Modify permission for the Reports folder. The Region file should be
available only to the Sales group, and the Sales group should only be able to read the Region file. What
do you do to ensure that the Sales group has only Read permission for the Region file?
Key Points
When enabling access to network resources on an NTFS volume, use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.
NTFS and shared folder permissions work together to control access to file and folder resources accessed from the network: a user connecting over the network is limited to whichever of the two is more restrictive. A share permission of Full Control over NTFS Read yields Read; NTFS Modify behind a Read-only share also yields Read; and the same user logged on locally to the server is bound by the NTFS permissions alone, because share permissions never apply to local access.
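An added PowerShell audit (not course material) that shows the two layers side by side for every user-created share on the local server and flags share ACLs that grant Everyone or Full Control, which push all enforcement down to NTFS. It reads share ACLs through the Win32_LogicalShareSecuritySetting WMI class that Windows Server 2008 provides and NTFS ACLs through Get-Acl; the three numeric masks are the standard Read, Change and Full Control share access masks. Run it on the file server as an administrator.

```powershell
# Added example: list share ACL and NTFS ACL for each disk share and flag loose share ACLs.
# Share access masks for the three share permissions (Read, Change, Full Control).
$shareMasks = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

function Get-ShareAces {
    param([string]$ShareName)
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if ($null -eq $setting) { return @() }
    $sd = $setting.GetSecurityDescriptor().Descriptor
    @($sd.DACL | ForEach-Object {
        $who  = if ($_.Trustee.Domain) { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } else { $_.Trustee.Name }
        $what = $shareMasks[[int]$_.AccessMask]
        if (-not $what) { $what = ('0x{0:X}' -f $_.AccessMask) }   # non-standard mask: show raw bits
        $type = if ($_.AceType -eq 1) { 'Deny' } else { 'Allow' }  # AceType 1 = access denied
        "$type $who : $what"
    })
}

function Get-NtfsAces {
    param([string]$Path)
    @((Get-Acl -Path $Path).Access | ForEach-Object {
        "$($_.AccessControlType) $($_.IdentityReference) : $($_.FileSystemRights)"
    })
}

# Type 0 = ordinary disk share; the built-in admin shares (C$, ADMIN$) carry the 0x80000000 bit.
foreach ($share in (Get-WmiObject -Class Win32_Share -Filter 'Type=0')) {
    $shareAces = Get-ShareAces -ShareName $share.Name
    $ntfsAces  = Get-NtfsAces -Path $share.Path
    "`n== \\$env:COMPUTERNAME\$($share.Name)  ->  $($share.Path)"
    '  Share ACL:'; $shareAces | ForEach-Object { "    $_" }
    '  NTFS ACL: '; $ntfsAces  | ForEach-Object { "    $_" }
    # Network access is the more restrictive of the two layers. Everyone or Full Control
    # at the share level means NTFS alone is doing all the work for remote users.
    $loose = @($shareAces | Where-Object { $_ -match 'Everyone|Full Control' })
    if ($loose.Count -gt 0) { "  WARNING: permissive share ACL: $($loose -join '; ')" }
}
```

Read the warning against the NTFS list beneath it: Everyone Read at the share over tight NTFS permissions is the common and defensible layout; Everyone Full Control over NTFS Modify for a broad group is the layout that lets any user change the share's own contents' permissions.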
Key Points
In this discussion, you will determine effective NTFS and shared folder permissions.
Scenario
The figure shows two shared folders that contain folders or files that have NTFS permissions. Look at each example and determine a user's effective permissions.
In the first example, the Users folder has been shared, and the Users group has the shared folder permission Full Control. User1, User2, and User3 have been granted the NTFS permission Full Control only to their own folder. These users are all members of the Users group.
Question: In diagram 1, discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2's directory? Give reasons. How does using the share permission instead of the NTFS permission prevent users from accessing other users' directories?
Question: In diagram 2, you have shared the Data folder to the Sales group, granting Full Control permissions. Within the Data directory, you have given the Sales group Read permissions on the NTFS Sales folder. When users in the Sales group try to save a file in the \Data\Sales directory, they get an access-denied error. Give reasons. Which permission must be changed and why?
Key Points
Here are several considerations to make administering permissions more manageable:
Grant permissions to groups instead of users. Groups can always have individuals added or
deleted, while permissions on a case-by-case basis are difficult to track.
Use Deny permissions only when necessary. Because deny permissions are inherited exactly like
allow permissions, assigning deny permissions to a folder can result in users not being able to access
files lower in the folder structure. Deny permissions should be assigned in the following situations:
To exclude one specific permission when you have granted Full Control permissions already to a
user or a group.
Never deny the Everyone group access to an object. If you deny everyone access to an object, you
deny administrators access. Instead, remove the Everyone group, as long as you grant permissions for
the object to other users, groups, or computers.
Grant permissions to an object that is as high in the folder structure as possible so that the
security settings are propagated throughout the tree. For example, instead of bringing groups
representing all departments of the company together into a Read folder, assign Domain Users
(which is a default group for all user accounts on the domain) to the share. In this manner, you
eliminate the need to update department groups before new users receive the shared folder.
Use NTFS permissions instead of shared permissions for fine-grained access. Configuring both
NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive
permissions for a group that contains many users at the shared folder level, and then using NTFS
permissions to assign more specific permissions.
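The most-restrictive rule behind the discussion questions and the considerations above, worked through in code. This is an added example, not part of the course material: a small Python model in which a share ACL and an NTFS ACL are each evaluated for a user (group membership included, Deny overriding Allow), and the result over the network is the intersection of the two, while a local logon sees the NTFS result alone. The rights bundles, the names Bob, Max and Admin, and the group memberships are constructed. The scenarios reproduce diagram 1 and diagram 2 from the discussion, the Deny-to-Everyone pitfall from the considerations, and the lab's Research share (NTFS Full Control for the Research group, share permission Read) as seen locally on the server and from the network.

```python
"""Effective-permission model for shared folders on NTFS volumes (added example)."""
from dataclasses import dataclass, field

# Simplified rights bundles: each level is a superset of the one below it.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions", "take_ownership"}


@dataclass
class Ace:
    principal: str        # user or group name
    rights: frozenset
    deny: bool = False    # an explicit Deny entry


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)

    def identities(self):
        return {self.name} | self.groups


def evaluate_acl(acl, who):
    """Rights one ACL grants `who`: union of matching Allows minus matching Denies."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who.identities():
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)


def effective_rights(who, ntfs_acl, share_acl=None):
    """share_acl=None models a local logon (only NTFS applies);
    a network access is the intersection of the NTFS and share results."""
    ntfs = evaluate_acl(ntfs_acl, who)
    if share_acl is None:
        return ntfs
    return ntfs & evaluate_acl(share_acl, who)


def label(rights):
    """Name the highest standard level fully contained in the rights set."""
    for name, bundle in (("Full Control", FULL), ("Change", CHANGE), ("Read", READ)):
        if rights >= bundle:
            return name
    return "No access"


def diagram_one():
    """Users share: Full Control to Users; each user has NTFS Full Control on own folder only."""
    users_share = [Ace("Users", FULL)]
    user1 = Principal("User1", {"Users"})
    user1_folder = [Ace("User1", FULL)]
    user2_folder = [Ace("User2", FULL)]          # no entry for User1 at all
    return {
        "User1 on own folder": label(effective_rights(user1, user1_folder, users_share)),
        "User1 on User2 folder": label(effective_rights(user1, user2_folder, users_share)),
    }


def diagram_two():
    """Data share: Full Control to Sales; NTFS on the Sales folder: Read only."""
    data_share = [Ace("Sales", FULL)]
    sales_ntfs = [Ace("Sales", READ)]
    bob = Principal("Bob", {"Sales"})            # constructed Sales member
    return label(effective_rights(bob, sales_ntfs, data_share))   # Read: saving fails


def deny_everyone_pitfall():
    """Denying Everyone also denies Administrators, who are members of Everyone."""
    acl = [Ace("Administrators", FULL), Ace("Everyone", FULL, deny=True)]
    admin = Principal("Admin", {"Administrators", "Everyone"})
    return label(effective_rights(admin, acl))


def research_folder():
    """Lab setting: NTFS Full Control for Research, share permission Read."""
    ntfs = [Ace("Research", FULL)]
    share = [Ace("Research", READ)]
    member = Principal("Max", {"Research"})
    return {"local": label(effective_rights(member, ntfs)),
            "network": label(effective_rights(member, ntfs, share))}
```

The model evaluates Allow and Deny entries at a single level; on a real volume, explicit entries take precedence over inherited ones, which is why the considerations above warn about Deny entries propagating down a folder tree. The Research case shows why an application running on the server can write while network users cannot: the share permission never applies to a local logon.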
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
Contoso, Ltd has recently deployed a new file server, NYC-SVR1, to its New York location. The New York
office has staff from both the Production and Research departments. Both departments require the ability
to save their documents to the new file server. Their files will be created in the E:\Labfiles\Mod03 folder.
The Production department works together on tasks and projects, and all members need the ability to save
files to the folder from their desktop. Any member of the Production team should be able to modify the
folders saved by anyone in the Production department. The Production department manager, Susanna
Stubberod, needs a folder for her monthly reports configured, so her staff can view the reports, but only
she should be able to make changes to files in the folder.
The Research department needs a folder to store the project results. All project results will be saved
directly to the server locally from an application installed on NYC-SVR1. All members of the Research
department should be able to make modifications to the files if they are logged on to NYC-SVR1. The
Research department needs to access their files from the network, but no changes should be allowed to
be made to the files, because that will interfere with the application. Max Stevens of the Research
department also uses a laptop, NYC-CL1, which he frequently takes offsite. He needs access to the
Research department files when he is not connected to the network.
The main tasks for this exercise are as follows:
Discussion Questions:
1. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario?
2. Which NTFS permissions should be assigned to the Production department's folder structure to fulfill
the scenario requirements? Which permissions should be assigned to the shared folder?
3. Which NTFS permissions should be assigned to the Research department's folder structure to fulfill
the scenario requirements? Which permissions should be assigned to the shared folder?
4. How will you make the Research department's files available to Max Stevens when he is offsite with
the NYC-CL1?
Result: In this exercise, you discussed and determined solutions for a shared folder implementation.
3. Create a shared folder structure by using the Share and Storage Management console.
2. Verify that the File Services role has been installed with the File Server role service.
2. Create the E:\Labfiles\Mod03\Production folder and assign the Production group Full Control
permissions.
3. Share the Production folder, assign the Contoso\Production group Change permissions on the shared
folder, and remove the Everyone group.
Task 3: Create shared folders by using the Share and Storage Management Console
2. Run the Provision a Shared Folder Wizard to provision a share named Research located at
E:\Labfiles\Mod03\Research.
3. Assign the following NTFS permissions to the E:\Labfiles\Mod03\Research folder. Assign Full Control
for the Research group.
4. Assign the following shared folder permissions to the Research shared folder. Assign Read for the
Research group.
2. Test to ensure that Max cannot create any new documents on the Research folder (Drive R).
2. Test to ensure that Scott has Full Control to \\NYC-SVR1\Production and no access to
\\NYC-SVR1\Production\Reports.
5. Test to ensure that Susanna has Full Control to \\NYC-SVR1\Production and
\\NYC-SVR1\Production\Reports.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. What is a common reason to use advanced NTFS permissions rather than the standard set of NTFS
permissions?
2. What advantages does creating a shared folder by using the Share and Storage Management tools
have over using Windows Explorer?
Description: New features that enhance the Offline Files experience for Windows Server 2008 R2 and
Windows 7 computers.
Tools
Tool: Share and Storage Management Console
Use for: Provisioning shared folders and storage objects
Where to find it: Installed with the File Services role and found on the Administrative Tools menu.
Module 4
Configuring and Managing Distributed File System
Contents:
Lesson 1: Distributed File System Overview 4-3
Lesson 2 4-14
Lesson 3 4-20
Lab 4-28
Module Overview
Many organizations maintain a large number of file servers containing vast amounts of data needed by
users. With so many file resources on the network, it is often a challenge for users to locate files quickly
and efficiently.
Larger enterprise organizations may manage multiple data sites, which often introduces additional
challenges, such as increased network traffic over wide area network (WAN) connections, and ensuring
the availability of files during WAN or server failures.
This module introduces the Distributed File System (DFS) solution that you can use to meet these
challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an
enterprise.
Objectives
After completing this module, you will be able to:
Lesson 1: Distributed File System Overview
DFS in Microsoft Windows Server 2008 incorporates technology to provide efficient access and high
availability to file resources.
This lesson introduces DFS Namespaces and DFS Replication, and discusses scenarios and requirements for
deploying a DFS solution within your network environment.
Objectives
After completing this lesson, you will be able to:
Define DFS.
Key Points
To access a typical file share, most users need to know which file server the share is located on, and the
name of the share to access. Many large organizations may have hundreds of file servers, dispersed
geographically. This introduces a number of challenges for users to find and access files efficiently.
Distributed File System is a Windows Server 2008 role service that is included with the File Server role. The
DFS role service can be used to logically combine shared folders located on different servers into a virtual
namespace. Users only need to know the name of the virtual namespace to access the shared folder
structure.
Another benefit of DFS is the ability to replicate both the virtual namespace and the shared folders to
multiple servers within the organization. This can ensure that the shares are fault tolerant and the shared
folders are located as close as possible to users, thereby providing efficient access to the data.
DFS includes two technologies that are implemented as role services. These technologies are:
DFS Namespaces. DFS Namespaces (DFS-N) allows administrators to group shared folders located
on different servers into one or more logically structured namespaces. Each namespace appears to
users as a single shared folder with a series of subfolders. The subfolders typically point to shared
folders that are located on various servers in multiple geographical sites throughout the organization.
DFS Replication. DFS Replication (DFS-R) is a multi-master replication engine used to synchronize
files between servers for both local and WAN network connections. DFS-R supports replication
scheduling, bandwidth throttling, and Remote Differential Compression (RDC). When enabled and
applied, RDC updates only the portions of files that have changed since the last replication. DFS-R can
be used in conjunction with DFS Namespaces or can be used as a stand-alone file replication
mechanism.
Key Points
Even though DFS Namespaces and DFS Replication are separate role services, they can be used together
to provide high availability and data redundancy. The following process describes how DFS Namespaces
and DFS Replication work together:
1. User accesses folder in the DFS namespace. When a user attempts to access a folder in a DFS
namespace, the client computer contacts the server hosting the namespace root. The host server can
be a stand-alone server hosting a stand-alone namespace, or the host server can use a domain-based
configuration that is stored in Microsoft Active Directory Domain Services (AD DS) and replicated
to various locations to provide high availability. The namespace server sends back to the client
computer a referral containing a list of servers that host the shared folders (called folder targets)
associated with the folder being accessed.
2. Client computer accesses the first server in the referral. The client computer caches the referral
information and then contacts the first server in the referral. This is typically a server in the
client's own site, unless there is no server located within the client's site. In this case, the
administrator can configure a target priority, which helps determine the next best server that the
client contacts to access the file resource.
For example, in the diagram, the Marketing folder that is published within the namespace actually
contains two shared folders (folder targets). One share is located on a file server in New York, and the
other share is located on a file server in London. The shared folders are kept synchronized by DFS-R. Even
though multiple servers host the source folders, this fact is transparent to users, who only access a single
folder in the namespace. If one of the target folders becomes unavailable, users can be redirected to the
remaining targets within the namespace.
DFS Scenarios
Key Points
Several key scenarios can benefit from DFS Namespaces and DFS Replication. These scenarios include:
Data collection
Data distribution
Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub site, thus allowing the
files to be used for a number of specific purposes. Critical data can be replicated to a hub site by using
DFS-R, and then backed up at the hub site by using standard backup procedures. This increases the
branch office data recoverability if a server fails, because files will be available in two separate locations
and backed up. Additionally, companies can reduce branch office costs by eliminating backup hardware
and onsite information technology (IT) personnel expertise. Replicated data can also be used to make
branch office file shares fault tolerant. If the branch office server fails, clients in the branch office can
access the replicated data at the hub site.
Data Distribution
You can use DFS-N and DFS-R to publish and replicate documents, software, and other line-of-business
data throughout your organization. DFS-N and folder targets can increase data availability and distribute
client load across various file servers.
Note: Do not use DFS Replication in an environment where multiple users update or modify the same
files simultaneously on different servers. Doing so can cause DFS Replication to move conflicting copies
of the files to the hidden DfsrPrivate\ConflictandDeleted folder. When multiple users need to modify
the same files at the same time on different servers, use the file check-out feature of a product such as
Windows SharePoint Services to ensure that only one user is working on a file.
Key Points
You can create either a domain-based or stand-alone namespace. Each type has different characteristics.
Domain-Based Namespace
A domain-based namespace can be used when:
You need to hide the name of the namespace servers from users. This also makes it easier to replace a
namespace server or migrate the namespace to a different server. Users will then use the
\\domainname\namespace format as opposed to the \\servername\namespace format.
If you choose to deploy a domain-based namespace, you will also need to choose whether to use the
Windows 2000 Server mode or the Windows Server 2008 mode. Windows Server 2008 mode provides
additional benefits such as support for access-based enumeration; increased replication performance, and
it increases the number of folder targets from 5,000 to 50,000. Access-based Enumeration enables you to
hide folders that users do not have permission to view.
To use Windows Server 2008 mode, the following requirements must be met:
The Active Directory forest must be at Microsoft Windows Server 2003 or higher forest functional
level.
The Active Directory domain must be at the Microsoft Windows Server 2008 domain functional
level.
Note: You can migrate a domain-based namespace from Windows 2000 Server mode to Windows
Server 2008 mode by using the DFSutil command-line tool. You can also enable or disable Access-based
Enumeration by using the Share and Storage Management MMC.
Stand-Alone Namespace
A standalone namespace must be used when:
Your organization does not meet the requirements for a Windows Server 2008 mode, domain-based
namespace, and you have requirements for more than 5,000 DFS folders. Stand-alone DFS
namespaces support up to 50,000 folders with targets.
Key Points
A DFS namespace is a virtual view of shared folders in an organization. As the administrator, you select
which shared folders to present in the namespace, design the hierarchy in which those folders appear, and
determine the names that the shared folders show in the namespace. When a user views the namespace,
the folder structure appears to reside on a single disk.
Folders
Folders are the primary namespace elements. They appear under the namespace root (\\server\rootname
or \\domain\rootname) and help build the namespace hierarchy. As with standard disk structures, folders
are organized into tree structures similar to the way you use folders on a hard disk to organize files. When
you create a folder by using the DFS Management console, you type a name for the folder and specify
whether to add any folder targets.
Folder Targets
A folder target is based upon a Universal Naming Convention (UNC) path to one of the following
locations:
To increase the folder's redundancy, you can specify multiple folder targets. If one of the folder targets is
not available, the client will attempt to access the next folder target in the referral. This increases the data
availability of the folder.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. If necessary, use the Add Roles Wizard to install the File Services server role. If the role is already
installed, use the Add Role Services Wizard to install the required role services.
3. Select the Distributed File System role services. Note that you can select the DFS Namespaces and
DFS Replication role services individually, if required.
Key Points
Microsoft Windows Server 2008 R2 provides a number of enhancements and new features to both DFS-N and DFS-R. The following sections discuss these new capabilities:
Note: The content in this section only applies to Windows Server 2008 R2.
Performance improvements. The DFS Namespaces service takes less time to start, which increases
performance especially with large domain-based namespaces with 5,000 or more folder targets.
Windows Server 2008 R2 also includes three new performance counters that can be used to monitor
DFS Namespaces:
DFS Namespace Service API Queue. Displays the number of requests in the queue waiting to
be processed by the DFS Namespace service.
DFS Namespace Service API Requests. Provides a number of objects showing the information
of DFS requests as average response time, requests processed, requests failed, and requests
processed per second.
DFS Namespace Service Referrals. Provides a number of objects showing the information of
referral requests processed by the DFS Namespace service. Information includes average
response time, requests processed, requests failed, and requests processed per second.
New DFS Management tool support. A number of enhancements to the DFS Management tool
include the following:
a shared folder by using Share and Storage Management, or by using the Dfsutil command for
DFS folders. Windows Server 2008 R2 provides an additional enhancement by allowing you to
enable and configure access-based enumeration for a namespace by using the DFS Management
tool.
Support for selectively enabling or disabling namespace root referrals. The DFS Management
tool provides the ability to enable or disable namespace servers. This allows you to control
whether a server is available for referrals.
Failover cluster support. The DFS Replication service in Windows Server 2008 R2 is now designed to
coordinate with a Windows Server 2008 R2-based failover cluster. You can add a failover cluster as a
member of a replication group.
Read-only replicated folders. Prior to Windows Server 2008 R2, the only way to configure a read-only replicated folder was to manually set share permissions and access control lists on the folders,
which required additional administrative effort. Windows Server 2008 R2 provides the ability to
configure a replicated folder as a read-only or a read-write member. You can use either the DFS
Management tool or the Dfsradmin command-line tool to configure read-only replicated folders.
Note: Read-only domain controllers based upon Windows Server 2008 R2 use read-only replicated
folders to secure the SYSVOL folder.
Improvements to the Dfsrdiag.exe command-line tool. Windows Server 2008 R2 includes changes
to the Dfsrdiag.exe command-line tool. The following switches provide enhanced diagnostic
capabilities:
Replstate. Displays a summary of the replication status across all connections on the specified
replication group member.
IdRecord. Displays the DFS Replication ID record and version of a specified file or folder. You can
use this information to determine if a file has replicated properly to another member.
FileHash. Computes and displays a hash value for a particular file. This can be used to compare
two files to ensure that they are identical.
Lesson 2
Configuring a DFS Namespace consists of several tasks, including creating the namespace structure,
creating folders within the namespace, and adding folder targets. You may also choose to perform
additional management tasks, such as configuring the referral order, enabling client fail back, and
implementing DFS replication. This lesson provides information on how to complete these configuration
and management tasks to deploy an effective DFS solution.
Objectives
After completing this lesson, you will be able to:
Key Points
You use DFS namespaces to publish content for users. To configure a namespace for publishing content
to users, perform the following procedures:
1. Create a namespace. Use the New Namespace Wizard to create the namespace from within the DFS
Management console. To create a namespace, you must specify a namespace server, a namespace
name, and a namespace type (either domain-based or stand-alone). You can also specify whether the
namespace is enabled for Windows Server 2008 mode.
2. Create a folder in the namespace. After the namespace is created, add a folder in the namespace
that will be used to contain the content that you want to publish. During the folder creation, you
have the option to add folder targets, or you can perform a separate task to add, edit, or remove
folder targets later.
3. Add folder targets. After a folder is created within the namespace, the next task is to create folder
targets. The folder target is a shared folder's UNC path on a specific server. You can browse for shared
folders on remote servers and create shared folders as needed. You can also add multiple folder
targets to increase the folder's availability in the namespace. If you add multiple folder targets,
consider using DFS-R to ensure that the content is the same between the targets.
4. Set the ordering method for targets in referrals. A referral is an ordered list of targets that a client
computer receives from the namespace server when a user accesses a namespace root or folder.
When a client receives the referral, the client attempts to access the first target in the list. If the target
is not available, the next target is attempted. By default, targets in the client's site are always listed
first in the referral. You can configure the method for ordering targets outside the client's site on the
Referrals tab of the Namespace Properties dialog box. You have the choice of configuring the
lowest cost, random order, or configuring the ordering method to exclude targets outside the
client's site.
Note: Folders inherit referral settings from the namespace root. You can override the namespace
settings on the Referrals tab of the Folder Properties dialog box by excluding targets outside the
client's site.
5. Set target priority to override referral ordering. You may have a specific folder target that you
want everyone to use from all site locations, or you may have a specific folder target that should be
used last among all targets. You can configure these scenarios by overriding the referral ordering on
the Advanced tab of the Folder Target Properties dialog box.
6. Enable client failback. If a client cannot access a referred target, the next target is selected. Client
failback ensures that clients fail back to the original target after it is restored. You can configure
client failback on the Referrals tab of the Namespace Properties dialog box by selecting the check
box next to Clients fail back to preferred targets. All folders and folder targets inherit this option.
However, you can also override a specific folder to enable or disable client failback if
required.
7. Replicate folder targets using DFS-R. You can use DFS-R to keep the contents of folder targets in
sync. The next lesson discusses DFS-R in detail.
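The referral process from Lesson 1 and the ordering, target-priority and failback settings described in the procedure above, modelled in code. This is an added example and is not the DFS Namespaces service's implementation. The site names, inter-site link costs and UNC paths are constructed, and "available" is a plain flag here, whereas a real client learns it only by failing to connect. The three ordering methods are the choices on the Referrals tab; the "first" and "last" priorities model the override on the Advanced tab of the Folder Target Properties dialog box; `choose_target` shows what changes when the Clients fail back to preferred targets check box is selected.

```python
"""Model of DFS Namespace referral ordering, target priority and client failback (added example)."""
import random
from dataclasses import dataclass


@dataclass
class Target:
    path: str                  # UNC path of the folder target (constructed)
    site: str
    priority: str = "normal"   # "normal", "first" (among all targets) or "last" (among all targets)


def build_referral(targets, client_site, site_cost, method="lowest_cost", rng=None):
    """Return the ordered list of target paths a client in `client_site` receives.

    site_cost[(client_site, target_site)] is the constructed inter-site link cost.
    Targets in the client's own site always come first (in the order given here);
    `method` decides how targets outside the client's site are ordered.
    """
    in_site = [t for t in targets if t.site == client_site]
    outside = [t for t in targets if t.site != client_site]
    if method == "exclude_outside_site":
        outside = []
    elif method == "lowest_cost":
        outside.sort(key=lambda t: site_cost[(client_site, t.site)])
    elif method == "random":
        (rng or random).shuffle(outside)
    else:
        raise ValueError(f"unknown ordering method: {method}")
    ordered = in_site + outside
    # Target priority overrides the ordering method for the marked targets only.
    first = [t for t in ordered if t.priority == "first"]
    normal = [t for t in ordered if t.priority == "normal"]
    last = [t for t in ordered if t.priority == "last"]
    return [t.path for t in first + normal + last]


def choose_target(referral, availability, current=None, failback=False):
    """Pick the target a client uses next.

    availability maps path -> bool.  With failback disabled a client keeps using
    `current` while it is reachable, even after an earlier target in the referral
    comes back; with failback enabled it returns to the first reachable target.
    """
    if current and availability.get(current) and not failback:
        return current
    for path in referral:
        if availability.get(path):
            return path
    return None   # every target in the referral is unreachable


def demo():
    """Client in a site with no target of its own (the 'no server in the client's site' case)."""
    targets = [
        Target(r"\\NYC-SVR1\Marketing", "NewYork"),
        Target(r"\\LON-SVR1\Marketing", "London"),
        Target(r"\\TOK-SVR1\Marketing", "Tokyo", priority="last"),
    ]
    cost = {("Seattle", "NewYork"): 10, ("Seattle", "Tokyo"): 30, ("Seattle", "London"): 50}
    referral = build_referral(targets, "Seattle", cost)            # NYC, LON, TOK
    excluded = build_referral(targets, "Seattle", cost, method="exclude_outside_site")

    avail = {p: True for p in referral}
    preferred = choose_target(referral, avail)                      # NYC
    avail[preferred] = False                                        # NYC goes down
    failed_over = choose_target(referral, avail, current=preferred)  # LON
    avail[preferred] = True                                         # NYC restored
    sticky = choose_target(referral, avail, current=failed_over, failback=False)
    failed_back = choose_target(referral, avail, current=failed_over, failback=True)
    return referral, excluded, preferred, failed_over, sticky, failed_back
```

Tokyo is the cheaper of the two remote sites in the constructed costs, yet it lands at the end of the referral because its target is marked last among all targets; that is the override the procedure describes. The empty list returned by `exclude_outside_site` for the Seattle client is the caveat to that option: a client with no target in its own site gets no usable referral at all.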
Additional Reading
Checklist:
Key Points
To perform DFS namespace management tasks, a user either has to be a member of an administrative
group or has to be delegated specific permission to perform the task. You can right-click the namespace
and then click Delegate Management Permissions to delegate the required permissions.
The following table describes the groups that can perform DFS administration by default, and the method
for delegating the ability to perform DFS management tasks:
Task | Groups that can perform the task by default
Create a domain-based namespace. | Domain admins
Manage a domain-based namespace. | Local administrators on each namespace server
Create a stand-alone namespace. | Local administrators on each namespace server
Manage a stand-alone namespace. | Local administrators on each namespace server
Create a replication group or enable DFS replication on a folder. | Domain admins
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. Use the New Namespace Wizard to create a new namespace. Configure options such as the
namespace type and Windows Server 2008 mode.
3. Use the New Folder dialog box to create a main folder, and then add Folder Targets as required.
Lesson 3
To configure DFS-R effectively, it is important to understand the terminology and requirements associated
with the feature. This lesson provides information on the specific elements, requirements, and scalability
considerations as they relate to DFS-R, and provides a process for configuring an effective replication
topology.
Objectives
After completing this lesson, you will be able to:
Key Points
DFS-R provides a way to keep folders synchronized between servers across both well-connected and
limited bandwidth connections. It is important to take note of the following key points related to DFS-R:
DFS-R can use Remote Differential Compression (RDC). RDC is a client-server protocol that can be
used to efficiently update files over a limited bandwidth network. RDC detects data insertions,
removals, and re-arrangements in files, enabling DFS-R to replicate only the changed file blocks when
files are updated. RDC is only used for files that are 64 kilobytes (KB) or larger by default. DFS-R also
supports cross-file RDC, which allows DFS replication to use RDC, even when a file with the same
name does not exist at the client. Cross-file RDC can determine files that are similar to the file that
needs to be replicated, and it uses blocks of similar files that are identical to the replicating file to
minimize the amount of data that needs to be replicated. To use cross-file RDC, one member of the
replication connection must be running an edition of the Windows operating system that supports
cross-file RDC.
DFS-R uses a hidden staging folder to stage a file before sending or receiving it. Staging folders act as
caches for new and changed files to be replicated from sending members to receiving members. The
sending member begins staging a file when it receives a request from the receiving member. The
process involves reading the file from the replicated folder and building a compressed representation
of the file in the staging folder using the XPRESS compression format. XPRESS is similar to ZIP or RAR
compression. Any files that are placed in staging are compressed with XPRESS unless the file has an
extension that is included on a specific exclusion list After being constructed, the staged file is sent to
the receiving member; if remote differential compression is used, only a fraction of the staging file
might be replicated. The receiving member downloads the data and builds the file in its staging
folder. After the file download is completed on the receiving member, DFS-R decompresses the file
and installs it into the replicated folder. Each replicated folder has its own staging folder, which by
default is located under the local path of the replicated folder in the DfsrPrivate\Staging folder.
DFS-R detects changes on the volume by monitoring the update sequence number (USN) journal,
and replicates changes only after the file is closed.
DFS-R uses a version vector exchange protocol to determine which files need to be synchronized. The
protocol sends less than 1 KB per file across the network to synchronize the metadata associated with
changed files on the sending and receiving members.
DFS-R uses a conflict resolution heuristic of last writer wins for files that are in conflict (that is, a file
that is updated at multiple servers simultaneously) and earliest creator wins for name conflicts. Files
and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted
folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for
retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and
Deleted folder, which is located under the local path of the replicated folder in the
DfsrPrivate\ConflictandDeleted folder.
DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or DFS
Replication database loss.
DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to
obtain configuration and monitoring information from the DFS Replication service.
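Two of the key points above, the block-level transfer that RDC makes possible and the conflict resolution heuristics, worked through in code. This is an added example and not DFS-R's implementation: real RDC uses content-defined chunking and a signature exchange rather than the fixed 4 KB blocks used here, and the real service also consults version vectors when it resolves a conflict. The block size, file names, timestamps and file identities are all constructed. `compute_delta` sends only blocks whose hash differs from the receiver's copy; `resolve` applies last writer wins to an update conflict and earliest creator wins to a name conflict, and parks the loser in a ConflictAndDeleted list instead of discarding it.

```python
"""Toy model of block-level replication and DFS-R style conflict resolution (added example)."""
import hashlib
from dataclasses import dataclass, field

BLOCK = 4096  # constructed block size; RDC itself is only used for files of 64 KB or more by default


def signatures(data: bytes):
    """One hash per block: the small amount of metadata the members exchange."""
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest() for i in range(0, len(data), BLOCK)]


def compute_delta(old: bytes, new: bytes):
    """Blocks of `new` that the receiver (holding `old`) does not already have.

    Returns (delta, bytes_sent) where delta maps block index -> block bytes.
    """
    old_sigs = signatures(old)
    delta = {}
    for i, sig in enumerate(signatures(new)):
        if i >= len(old_sigs) or old_sigs[i] != sig:
            delta[i] = new[i * BLOCK:(i + 1) * BLOCK]
    return delta, sum(len(b) for b in delta.values())


def apply_delta(old: bytes, delta: dict, new_len: int) -> bytes:
    """Rebuild the sender's file on the receiver from its old copy plus the delta."""
    blocks = [old[i:i + BLOCK] for i in range(0, len(old), BLOCK)]
    for i, chunk in sorted(delta.items()):
        if i < len(blocks):
            blocks[i] = chunk
        else:
            blocks.append(chunk)
    return b"".join(blocks)[:new_len]   # new_len trims blocks the new file no longer has


@dataclass
class Version:
    content: bytes
    modified: float   # constructed last-write time
    created: float    # constructed creation time
    member: str       # member that wrote this version
    file_id: str      # file identity: two separate creations with one name have different ids


@dataclass
class Member:
    name: str
    files: dict = field(default_factory=dict)                 # name -> Version
    conflict_and_deleted: list = field(default_factory=list)  # (name, losing Version)


def resolve(member: Member, name: str, incoming: Version) -> str:
    """Apply one replicated change on `member`; returns which version won.

    Same file updated on two members: last writer wins.
    Different files created with the same name: earliest creator wins.
    """
    local = member.files.get(name)
    if local is None:
        member.files[name] = incoming
        return "incoming"
    if local.file_id == incoming.file_id:
        incoming_wins = incoming.modified > local.modified
    else:
        incoming_wins = incoming.created < local.created
    member.conflict_and_deleted.append((name, local if incoming_wins else incoming))
    if incoming_wins:
        member.files[name] = incoming
    return "incoming" if incoming_wins else "local"


def demo():
    # Constructed 10240-byte file; one byte inside block 1 (offsets 4096-8191) changes.
    old = bytes(range(256)) * 40
    changed = bytearray(old)
    changed[5000] ^= 0xFF
    new = bytes(changed)
    delta, sent = compute_delta(old, new)
    roundtrip_ok = apply_delta(old, delta, len(new)) == new

    hub = Member("HUB")
    hub.files["report.docx"] = Version(b"v1", 100.0, 50.0, "HUB", "id-1")
    update = resolve(hub, "report.docx", Version(b"v2", 120.0, 50.0, "BRANCH", "id-1"))
    resolve(hub, "notes.txt", Version(b"hub notes", 200.0, 150.0, "HUB", "id-2"))
    clash = resolve(hub, "notes.txt", Version(b"branch notes", 210.0, 140.0, "BRANCH", "id-3"))
    return {"bytes_sent": sent, "blocks_sent": sorted(delta), "roundtrip_ok": roundtrip_ok,
            "update_conflict": update, "name_conflict": clash,
            "parked": len(hub.conflict_and_deleted)}
```

A one-byte edit costs one block on the wire instead of the whole file, which is the saving the course attributes to RDC on limited-bandwidth links. The name-conflict case is the one to watch: the branch file is the later write but the earlier creation, so it wins, and the hub's copy is recoverable only from ConflictAndDeleted; that is the situation the Data Distribution note warns about when the same files are edited on several servers.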
Key Points
A replication group consists of a set of member servers that participate in replicating one or more
replicated folders. There are two main types of replication groups:
Multipurpose replication group. Use to configure replication between two or more servers for
publication, content sharing, or other scenarios.
Replication group for data collection. Configures a two-way replication between two servers, such
as a branch office server and a hub server. This group type is used to collect data from the branch
office server to the hub server. You can then use standard backup software to back up the hub server
data.
Topology
Replication schedule
Bandwidth throttling
The replicated folders stored on each member can be located on different volumes in the member.
Replicated folders do not need to be shared folders or part of a namespace, though the DFS Management
snap-in makes it easy to share replicated folders, and optionally, publish them in an existing namespace.
DFS-R Requirements
Key Points
To use DFS-R, you must be aware of specific replication requirements. These requirements include:
Ensure that the Active Directory schema has been updated to include the new DFS replication objects.
If you plan to use DFS Replication, the Active Directory schema must be updated to at least the
version equal to Microsoft Windows Server 2003 R2, so that it includes the Active Directory classes
and attributes that DFS Replication uses. To use read-only replicated folders, the schema must include
the Windows Server 2008 or newer schema additions. To upgrade the schema, on the schema
operations master, run adprep.exe /forestprep. This tool is available in the Windows\sources\adprep
folder of the Windows Server 2008 installation media.
All Servers in a replication group must be in the same forest. You cannot enable replication across
servers in different forests.
The servers that will participate in DFS Replication must run a Windows Server 2003 R2, Windows
Server 2008, or Windows Server 2008 R2 operating system. You must install the DFS Replication
service role on each server that will take part in replication, and you must install the DFS Management
snap-in on one server to manage replication. DFS replication is supported on all x64 editions of
Windows Server 2008 R2 and on all x86 and x64 editions of Windows Server 2008. DFS is not
supported on Itanium-based computers..
To support failover clustering, the failover cluster server must be running Windows Server 2008 R2.
Antivirus software must be compatible with DFS Replication: antivirus software can cause excessive
replication if its scanning activity alters the timestamps of files in a replicated folder. Contact your
antivirus software vendor to check for compatibility.
Configuring and Managing Distributed File System
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2. Use the New Folder Target dialog box to create an additional folder target to be used for
replication.
3. Use the New Replication Group Wizard to configure options such as the Replication Group Type,
Replication Group name, Replication group members, and Topology selection.
Key Points
Windows Server 2008 provides a number of tools that can be used to monitor and troubleshoot DFS-R.
The tools include:
Diagnostic Reports. You can run a diagnostic report for the following:
Health Report. Shows extensive replication statistics and reports on replication health and
efficiency.
Propagation Test. Generates a test file in a replicated folder to be used to verify replication and
provide statistics for the propagation report.
Propagation Report. Provides information about the progress of a test file that is generated
during a propagation test. Use this report to confirm that replication is functioning.
Verify Topology. Used to verify and report on the status of the replication group topology. This will
report any members that are disconnected.
Dfsrdiag.exe. This command-line utility can be used to monitor the replication state of the DFS
replication service.
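As an added example (not part of the 6419B courseware), the following PowerShell script uses Dfsrdiag.exe, listed above, to run a propagation test, collect the propagation report, and then check the replication backlog for every sending/receiving pair. The replication group and replicated folder names, the member names NYC-SVR1 and NYC-DC1 (taken from this module's lab), and the report path are assumptions; the script must run in an elevated session on a DFS-R member, and the switch spellings should be confirmed against dfsrdiag /? on your servers.

```powershell
# Added example, not from the 6419B courseware. Assumed names: replication group and
# replicated folder "PolicyFiles", members NYC-SVR1 and NYC-DC1 (from the module lab).
$ReplicationGroup = 'PolicyFiles'
$ReplicatedFolder = 'PolicyFiles'
$Members          = @('NYC-SVR1', 'NYC-DC1')
$TestFile         = 'DfsrPropTest-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$ReportFile       = Join-Path $env:TEMP 'DfsrPropagation.xml'

function Invoke-DfsrDiag {
    # Wrapper so every dfsrdiag call is echoed and a failure stops the script.
    # Assumes dfsrdiag.exe returns a non-zero exit code when a command fails.
    param([string[]]$Arguments)
    Write-Host "dfsrdiag $($Arguments -join ' ')"
    & dfsrdiag.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dfsrdiag exited with code $LASTEXITCODE" }
}

# 1. Propagation test: DFS-R creates a marker file in the replicated folder on this
#    member; every other member should receive it through normal replication.
Invoke-DfsrDiag @('propagationtest', "/rgname:$ReplicationGroup",
                  "/rfname:$ReplicatedFolder", "/testfile:$TestFile")

# 2. Wait, then collect the propagation report (which members received the file, and when).
Start-Sleep -Seconds 60
Invoke-DfsrDiag @('propagationreport', "/rgname:$ReplicationGroup",
                  "/rfname:$ReplicatedFolder", "/testfile:$TestFile",
                  "/reportfile:$ReportFile")
Write-Host "Propagation report written to $ReportFile"

# 3. Backlog for every sending/receiving pair. A backlog that stays at zero is healthy;
#    one that keeps growing for a pair points at a connectivity, schedule or bandwidth
#    problem on that connection, or at software (such as antivirus) rewriting timestamps.
foreach ($Sender in $Members) {
    foreach ($Receiver in $Members | Where-Object { $_ -ne $Sender }) {
        Write-Host "`nBacklog $Sender -> $Receiver"
        Invoke-DfsrDiag @('backlog', "/rgname:$ReplicationGroup", "/rfname:$ReplicatedFolder",
                          "/smem:$Sender", "/rmem:$Receiver")
    }
}
```

Run the script from one member only; the propagation test is meaningful precisely because the file is created once and must arrive on every other member. The backlog loop is the part worth scheduling: a member whose backlog never drains is invisible in the console until someone opens a Health Report.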
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2. Under the Replication node, right-click the replication group, and then click Create Diagnostic
Report.
3.
4.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You are a network administrator for Contoso, Ltd. Your organization currently stores files on a number of
servers located throughout the infrastructure. To simplify file access for users and provide high availability
and redundancy of the file services, you decide to implement a DFS solution. For this project, you must
complete the following tasks:
Install the DFS role service to include DFS namespaces and DFS replication.
Create a domain-based DFS namespace called CorpDocs, with NYC-SVR1 as the namespace server.
Configure availability and redundancy by adding additional folder targets and replicating the folder
targets for the PolicyFiles folder.
2.
2. Use the Add Role Services wizard to install the Distributed File System role services and configure
the following:
Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
2. In the details pane, under the File Services section, use the Add Role Services wizard to install the
Distributed File System role services and configure the following:
Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
Results: After completing this exercise, you have installed the DFS role service on NYC-SVR1 and NYC-DC1.
2.
Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.
1.
2.
3. Use the DFS Management console to verify that the \\NYC-SVR1\CorpDocs namespace is enabled.
Results: After completing this exercise, you have created the CorpDocs namespace and configured it to
use access-based enumeration.
2.
3.
2. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
configuration:
Name: MarketingTemplates
In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
configuration:
Name: PolicyFiles
Results: After completing this exercise, you have configured Folder Targets for the CorpDocs
namespace.
2.
3.
2. In DFS Management, under Contoso.com\CorpDocs\PolicyFiles, create a new folder target with the
following configuration:
Shared folder permissions: Administrators have full access; other users have read and write
permissions
In DFS Management, complete the Replicate Folder Wizard with the following configuration:
Replication Group Schedule and Bandwidth: Replicate continuously using the specified
bandwidth
2. Verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.
3. From the DFS Management console, configure the NYC-DC1 member to be read-only.
On NYC-SVR1, in the DFS Management console, under Replication, use the Diagnostic Report
Wizard to create a Health report. Use NYC-SVR1 as the reference member.
2.
Results: After completing this exercise, you will have configured DFS Folder Replication and produced a
diagnostic report.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3.
4.
Review Questions
1.
2.
3. What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace?
4. What is the default ordering method for client referral to folder targets?
5.
6. Which folder is used to cache files and folders where conflicting changes are made on two or more
members?
Tools
Tool             Used for                                                     Where to Find It
Dfsutil          Performing advanced operations on DFS namespaces
Dfsdiag
Dfsrdiag         Monitoring replication
Dfscmd.exe
DFS Management   Performing tasks related to DFS namespaces and replication
Managing File Resources Using File Server Resource Manager
Module 5
Managing File Resources Using File Server Resource Manager
Module Overview
The files on your servers are constantly changing as content is added, removed, and modified. The
Microsoft Windows Server 2008 File Services role is designed to help administrators in an enterprise
environment manage the continually growing amount of data. The file storage requirements and
demands within an enterprise are constantly changing and adapting to new requirements or policies.
When storage requirements change and the data being stored changes as well, you need to manage an
increasingly large and complex storage infrastructure. Therefore, to meet the needs of your organization,
you need to understand and control how the existing storage is used.
This module introduces you to File Server Resource Manager (FSRM), a built-in component of Windows
Server 2008 that helps you address and manage these issues.
Objectives
After completing this module, you will be able to:
Describe FSRM.
Lesson 1
FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data
stored on your servers. Using FSRM, you can place quotas on storage volumes, screen files and folders,
generate comprehensive storage reports, control the file classification infrastructure, and use file
management tasks to perform scheduled actions on sets of files. These tools not only help you monitor
existing storage resources, but also aid in planning and implementing future policy changes.
Objectives
After completing this lesson, you will be able to:
Key Points
Capacity management is a proactive process of determining the current and future capacity needs for
your enterprise's storage environment. As the size and complexity of the data increase, the need for
capacity management also increases. To effectively meet the storage needs of your organization, you
need to track how much storage capacity is available, how much storage space you need for future
expansion, and how you are using the environment's storage.
Determining existing storage use. To manage your storage environment and ensure that you can
perform even the simplest capacity management task, you need to understand your environment's current
storage requirements. Knowing how much data is being stored on your servers, what types of data are
being stored, and how that data is currently being used is the benchmark for measuring the various
aspects of capacity management in your environment.
Establishing and enforcing storage use policies. Capacity management includes ensuring that your
storage environment is being used to its full potential. Managing growth is important to ensure that
your storage environment is not overwhelmed by unplanned or unauthorized data storage on your
servers. Modern media data such as audio, video, and graphic files consume a large amount of
storage space and, if left unchecked, the unauthorized storage of these types of files can consume the
storage space required for legitimate business use.
Anticipating future requirements. Storage requirements are constantly changing. New projects and
new organizational initiatives require increased storage. New applications and imported data require
additional storage. If you are not able to anticipate or prepare for events like these, your storage
environment may not be able to meet the storage requirements.
Analyze how storage is being used. The first step in capacity management is analyzing the current
storage environment. Accurate analysis begins with proper tools that provide usable and organized
information regarding the current state of your storage environment.
Define storage resource management policies. A robust set of policies is necessary to maintain
the current storage environment and ensure that storage growth happens in a manageable and
predictable way. Preventing unauthorized files from being saved to your servers, ensuring that data is
stored in the right location, and ensuring that users have the required storage are a few of the key
areas your capacity management policies may address.
Implement policies to manage storage growth. After implementing capacity management policies,
you need an effective tool to ensure that the established policies are technically enforced.
Quotas placed on a user's data storage must be maintained, restricted files must be prevented from
being saved, and business files must be stored in the proper locations.
Implement a system for reporting and monitoring. A reporting and notification system must also
be established to tell you how policies are being enforced, as well as the general state of your capacity
management system and data storage.
Key Points
FSRM is a role service of the File Services role in Windows Server 2008. You can install it as part of the File
Services role by using Server Manager. Then, you can use the FSRM console to manage FSRM on your
server.
FSRM is intended to act as a capacity management solution for your Windows Server 2008 server. It
provides a robust set of tools and capabilities that allow you to effectively manage and monitor your
server's storage capacity.
FSRM contains five components that work together to provide a capacity management solution.
Quota Management
Quota management allows you to create, manage, and obtain information about quotas that are used to
set a storage limit on a volume or folder (and its contents). By defining notification thresholds, you can
send email notifications, log an event, run a command or script, or generate reports when users approach
or exceed a quota.
Quota management also allows you to create and manage quota templates to simplify the quota
management process.
Quota usage
Files that may negatively affect capacity management, such as large files, duplicate files, or unused
files
List and filter files according to owner, file group, or a specific file property.
Note: Storage reports can be run based on a schedule or generated on demand.
Key Points
FSRM has several configuration options that apply globally to all FSRM components.
You can access these options by using the following steps:
1.
2. Right-click the root File Server Resource Manager node in the left pane, and then click Configure
Options.
FSRM Options
In the File Server Resource Manager Options properties sheet, several tabs allow you to configure various
aspects of FSRM.
Email Notifications
This tab allows you to provide the name or address of an SMTP server, along with other details that
FSRM will use to send email notifications.
Notification Limits
Notification limits allow you to specify a time period that FSRM will wait between sending notifications to
avoid excessive notifications from a repeatedly exceeded quota or unauthorized file detection. It allows
you to set separate values for email notifications, entries recorded to the event log, and commands being
run or reports being generated. The default value for each is 60 minutes.
Storage Reports
The Storage Reports tab allows you to configure and view the default parameters for any existing storage
reports.
Report Locations
This tab allows you to view and modify the location in which the following three different types of storage
reports are stored: incident reports, scheduled reports, and on-demand reports. By default, each category
is stored in its own subfolder of %systemdrive%\StorageReports.
Note: If FSRM generates a large number of storage reports, you may want to relocate the storage
report folders to another physical volume to decrease disk I/O load on your system volume. You may
also want to change the location if the size of your storage reports causes a capacity issue on your
system volume.
Automatic Classification
This tab allows you to provide a schedule that governs the automatic classification of files. Within the tab,
you can specify which logs to generate and if and how to generate a report of the classification process.
Both servers must be running Windows Server 2008 R2 with FSRM installed.
The Remote File Server Resource Manager Management exception must be enabled from within
Windows Firewall manually through the Control Panel applet or by using Group Policy.
You must be logged on to the local computer with an account that is a member of the local
Administrators group on the remote computer.
Dirquota.exe: Create and manage quotas, auto-apply quotas, and quota templates.
Filescrn.exe: Create and manage file screens, file screen exceptions, file screen templates, and file
groups.
Storrept.exe: Configure report parameters and generate storage reports on demand. You can also
create report tasks and then use Schtasks.exe to schedule the tasks.
Note: The command-line tools are added to the system path when you install File Server Resource
Manager, and they must be run from an Administrator Command Prompt window.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2.
3.
4.
5. View the FSRM Quota Management, File Screening Management, Storage Report Management,
Classification Management, and File Management Tasks components.
Lesson 2
Data is the core component of your server infrastructure. Under most circumstances, the server
infrastructure provides the data contained in the files on the server to your users or applications.
The requirement for data storage continues to grow. Whether files are added to your servers by users or
applications, quota management can help you to ensure that users and applications use only the
amount of space allotted to them.
Objectives
After completing this lesson, you will be able to:
Key Points
In FSRM, quota management allows you to limit the disk space that is allocated to a volume or folder. The
quota limit applies to the entire folder subtree.
Using quotas, you can manage capacity restrictions in a variety of ways. For example, you can use a quota
to ensure that individual users do not consume excessive amounts of storage with their home drives, or
limit the amount of space consumed by multimedia files in a particular folder.
Quota Types
Two different types of quotas can be created within quota management.
A hard quota prevents users from saving files after the space limit is reached, and it generates
notifications when the volume of data reaches each configured threshold.
A soft quota does not enforce the quota limit, but it generates all the configured notifications.
Quota Notifications
To determine what happens when the quota limit approaches, you can configure notification thresholds.
For each threshold you define, you can send email notifications, log an event, run a command or script, or
generate storage reports. For example, you might want to notify the administrator and the user who
saved the file when a folder reaches 85 percent of its quota limit and then send another notification when
the quota limit is reached. In some cases, you might want to run a script that raises the quota limit
automatically when a threshold is reached.
Creating Quotas
When you create a quota on a volume or a folder, you can base the quota on a quota template or use
custom properties. Whenever possible, base a quota on a quota template. You can reuse a quota template
to create additional quotas, and it simplifies ongoing quota maintenance.
FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a
quota template to a parent volume or folder. Then, a quota based on the template is created for each of
the existing subfolders, and a quota is automatically generated for each new subfolder that is created.
Question: In which scenario would you want to use a soft quota?
Key Points
In earlier versions of Windows, the only option for managing storage was the native NTFS
quota system.
NTFS quotas allow an administrator to declare a general storage limit on a per-user basis for an NTFS
formatted volume. This method governs a user's storage consumption across the volume, regardless of
which folder the data is in. NTFS quotas do not account for NTFS compression, which means that even though a
compressed file may take up less physical room than if it were uncompressed, the quota is applied
based on the file's uncompressed size.
NTFS disk quotas are based on file ownership, so operating system accounts are not immune to disk
quotas. System accounts such as the local system are also susceptible to running out of disk space due to
disk quotas having been set.
FSRM quota management introduces some key advantages over NTFS quotas. The following table
outlines the key difference between FSRM-based quota management and using NTFS disk quotas.
Quota Feature              NTFS Quotas        FSRM Quotas
Quota Tracking                                By folder or by volume
Notification mechanisms
Key Points
FSRM gives you the flexibility in creating, using, and managing templates for quotas.
A quota template defines a space limit, the quota type (hard or soft), and a set of notifications to be
generated when the quota limit is approached or exceeded.
Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply
a standard storage limit and a standard set of notification thresholds to many volumes and folders on
servers throughout your organization.
You can use the 200 MB Limit Reports to User template to place a hard 200 MB limit on the personal
folder of each user and send storage reports to users who exceed the quota.
For some folders, you might want to use the 200 MB Limit with 50 MB Extension template to grant a
one-time 50 MB quota extension to users who exceed the 200 MB quota limit.
Other default templates are designed for monitoring disk usage through soft quotas such as the
Monitor 200 GB Volume Usage template and the Monitor 500 MB Share template. When you use
these templates, users can exceed the quota limit, but email and event log notifications are generated
when they do so.
Question: What advantage does creating 50 quotas from a template have over creating each quota
individually?
Key Points
In this demonstration, you will see how to:
Key Points
In addition to the information in the notifications sent by quotas, you can find out about quota usage by
viewing the quotas under Quota Management in the FSRM console, by generating a Quota Usage report,
or by creating soft quotas for monitoring overall disk usage.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You need to begin the implementation and configuration of FSRM for NYC-SVR1. The first step in this
process is installing the FSRM role service.
You have also been asked to establish an initial quota governing user data directories. You must configure
a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed
85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged
to the Event Viewer on the server.
2.
3.
4. After the installation is complete, close the Add Role Services Wizard.
5.
2.
3. In the File Server Resource Manager console, use the Quota Templates node to configure a template
that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also notifies the
Event Viewer when the folder reaches 85 percent and 100 percent capacity.
Use the File Server Resource Manager console and the Quotas node to create a quota on the
E:\Labfiles\Mod05\Users folder by using the quota template that you created in Task 1. Configure
the quota to auto apply on existing and new subfolders.
2. Create an additional folder named Max in the E:\Labfiles\Mod05\Users folder, and ensure that the
new folder is listed in the quotas list in FSRM.
Open a command prompt and use the fsutil file createnew file1.txt 89400000 command to create
a file in the E:\Labfiles\Mod05\Users\Max folder.
2.
3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press
Enter.
Hint: fsutil file createnew file2.txt 16400000
4.
5.
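The same quota configuration, built with Dirquota.exe (the FSRM command-line tool listed in Lesson 1) instead of the console, as an added example that is not part of the 6419B lab. It covers both the template and auto-apply quota described in Lesson 2 and the exercise above: the template name is constructed, the lab path E:\Labfiles\Mod05\Users and the fsutil file sizes come from this exercise, and the script assumes an elevated PowerShell session on NYC-SVR1 with FSRM installed. The switch names and the notification-file format follow the Dirquota documentation and should be confirmed with dirquota template add /?.

```powershell
# Added example, not part of the 6419B lab. Builds the lab's quota with Dirquota.exe.
# Assumed: elevated PowerShell session on NYC-SVR1 with FSRM installed; switch names and
# the notification-file format should be checked against `dirquota template add /?`.
$Template  = 'Users 100 MB Hard Limit'      # template name (constructed for this example)
$UsersRoot = 'E:\Labfiles\Mod05\Users'      # lab path from this exercise

# Notification definition that dirquota attaches to a threshold: one Application-log
# warning. [Source Io Owner], [Quota Threshold] and [Quota Path] are FSRM message variables.
$EventNotice = Join-Path $env:TEMP 'quota-event.txt'
@'
Notification=e
EventType=Warning
Message=User [Source Io Owner] has reached [Quota Threshold]% of the quota on [Quota Path].
'@ | Set-Content -Path $EventNotice -Encoding ASCII

# 1. Hard 100 MB template that logs an event at 85 % and again at 100 % of the limit.
& dirquota.exe template add "/template:$Template" '/limit:100MB' '/type:hard' `
    '/add-threshold:85'  "/add-notification:85,E,$EventNotice" `
    '/add-threshold:100' "/add-notification:100,E,$EventNotice"

# 2. Auto-apply quota: each existing subfolder of Users gets its own 100 MB quota from
#    the template now, and each subfolder created later gets one automatically.
& dirquota.exe autoquota add "/path:$UsersRoot" "/sourcetemplate:$Template"

# 3. A new user folder should show a quota without any further action.
$MaxDir = Join-Path $UsersRoot 'Max'
New-Item -ItemType Directory -Path $MaxDir -Force | Out-Null
& dirquota.exe quota list "/path:$MaxDir"

# 4. Exercise the quota the way the lab does. 89,400,000 bytes is about 85 % of
#    100 MB (104,857,600 bytes), so the first file trips the 85 % threshold; the second
#    would push the folder past 100 % and is refused by the hard quota.
Push-Location $MaxDir
try {
    & fsutil.exe file createnew file1.txt 89400000
    & fsutil.exe file createnew file2.txt 16400000
    if ($LASTEXITCODE -ne 0) { Write-Host 'Hard quota enforced: file2.txt was rejected.' }
}
finally { Pop-Location }

# 5. Confirm the threshold events arrived. SRMSVC is the FSRM service event source.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Two points worth noticing when you run it: the quota applies to whoever writes into the folder, administrators included, which is why the fsutil test works from an elevated prompt; and the 60-minute notification limit described in Lesson 1 means a second crossing of the same threshold within the hour does not log a second event.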
Lesson 3
Both the integrity of the data stored on your servers and the availability of free storage space for creating
new data are extremely important in your storage environment. If non-business files are allowed to be
stored on servers, both integrity and availability can be compromised.
File screening by using FSRM allows you to prevent unauthorized files from being stored on your servers.
Objectives
After completing this lesson, you will be able to:
Key Points
File Screening Management allows you to create file screens to block files from being saved on a volume
or in a folder tree. A file screen affects all folders in the designated path. You use file groups to control the
types of files that file screens manage. For example, you might create a file screen to prevent users from
storing audio and video files in their personal folders on the server.
Like all components of FSRM, you can choose to generate email or other notifications when a file
screening event occurs.
Active screening prevents users from saving unauthorized file types on the server and generates
configured notifications when they attempt to do so.
Passive screening sends configured notifications to users who are saving specific file types, but it does
not prevent users from saving those files.
Key Points
Before you begin working with file screens, you must understand the role of file groups in determining
which files are screened. A file group is used to define a namespace for a file screen or a file screen
exception, or to generate a Files by File Group storage report.
Files to exclude: Files to which the file group does not apply.
For example, an Audio Files file group might include the following file name patterns:
Files to include: *.mp*: Includes all audio files created in the current and future MPEG formats (MP2,
MP3, and so forth).
Files to exclude: *.mpp: Excludes files created in Project (.mpp files), which would otherwise be
included by the *.mp* inclusion rule.
FSRM provides several default file groups, which you can view in File Screening Management by clicking
the File Groups node. You can define additional file groups or change the files to include and exclude.
Any change that you make to a file group affects all existing file screens, templates, and reports to which
the file group has been added.
Note: For convenience, you can modify file groups when you edit the properties of a file screen, file
screen exception, file screen template, or the Files by File Group report. Note that any changes that you
make to a file group from these property sheets affect all items that use that file group.
Key Points
To simplify file screen management, you can create your file screens based on file screen templates. A file
screen template defines the following:
Notifications to be generated.
You can configure two screening types in a file screen template. Active screening does not allow users to
save any files related to the selected file groups configured with the template. Passive screening allows
users to save files, but provides notifications for monitoring.
FSRM provides several default file screen templates, which you can use to block audio and video files,
executable files, image files, and email files, to meet common administrative needs. To view the default
templates, select the File Screen Templates node in the File Server Resource Manager console tree.
By creating file screens exclusively from templates, you can manage your file screens centrally by updating
the templates instead of individual file screens.
Note: File Screens are created from File Screen Templates just like Quotas are created from Quota
Templates, as discussed in Lesson 2.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2.
3. Create a new File Group called MPx Media Files that includes all files with a file extension beginning
with .mp. Exclude .mpp files from this File Group.
4. Create a new File Screen Template called Block MPx Media Files by using the MPx Media Files File
Group and configure it to send a warning to the event log.
5. Create a new File Screen for E:\Labfiles\Mod05 by using the Block MPx Media Files File Screen
Template.
Key Points
Occasionally, you need to allow exceptions to file screening. For example, you might want to block video
files from a file server, but you need to allow your training group to save video files for their
computer-based training. To allow files that other file screens are blocking, create a file screen exception.
A file screen exception is a special type of file screen that overrides any file screening that would
otherwise apply to a folder, and all its subfolders in a designated exception path. That is, it creates an
exception to any rules derived from a parent folder. To determine which file types the exception will allow,
file groups are assigned.
File Screen Exceptions are created by specifically choosing the Create File Screen Exception from the File
Screens node under File Screening Management in FSRM.
Note: File Screen Exceptions always override File Screens with conflicting settings. Therefore, you must
plan and implement File Screen Exceptions carefully.
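The whole file-group, template, screen and exception chain from this lesson, built with Filescrn.exe (the FSRM command-line tool listed in Lesson 1), as an added example that is not part of the courseware. The file group MPx Media Files, the template Block MPx Media Files and the path E:\Labfiles\Mod05 come from the demonstration above; the Training subfolder used as the exception scope is constructed for this example. It assumes an elevated PowerShell session on a server with FSRM installed, and the switch spellings should be confirmed with filescrn /?.

```powershell
# Added example, not from the 6419B courseware. Assumed: elevated session with FSRM
# installed; E:\Labfiles\Mod05 exists; switch spellings match `filescrn /?`.
$FileGroup   = 'MPx Media Files'
$Template    = 'Block MPx Media Files'
$ScreenPath  = 'E:\Labfiles\Mod05'
$TrainingDir = Join-Path $ScreenPath 'Training'   # exception scope (constructed)

# Notification file: an event-log warning naming the user and the blocked file.
# [Source Io Owner] and [Source File Path] are FSRM message variables.
$EventNotice = Join-Path $env:TEMP 'screen-event.txt'
@'
Notification=e
EventType=Warning
Message=[Source Io Owner] tried to save [Source File Path], which is blocked by a file screen.
'@ | Set-Content -Path $EventNotice -Encoding ASCII

# 1. File group: everything matching *.mp* (mp2, mp3, mp4 ...) except Project's *.mpp.
& filescrn.exe filegroup add "/filegroup:$FileGroup" '/members:*.mp*' '/nonmembers:*.mpp'

# 2. Active template: blocks the group and logs the event. '/type:passive' would only notify.
& filescrn.exe template add "/template:$Template" '/type:active' `
    "/add-filegroup:$FileGroup" "/add-notification:E,$EventNotice"

# 3. Screen the lab folder tree from the template, so later edits to the template
#    propagate to this screen instead of having to be repeated per folder.
& filescrn.exe screen add "/path:$ScreenPath" "/sourcetemplate:$Template"

# 4. Exception: the training group may keep media files under one subfolder only.
#    The exception wins over the inherited screen for that path and everything below it.
New-Item -ItemType Directory -Path $TrainingDir -Force | Out-Null
& filescrn.exe exception add "/path:$TrainingDir" "/add-filegroup:$FileGroup"

# 5. Verify. Under the screen the media file is refused (the write fails with an
#    access-denied error); inside the exception it is accepted; a .mpp is accepted
#    anywhere because the file group excludes it.
function Test-Write([string]$Path) {
    try   { Set-Content -Path $Path -Value 'test' -ErrorAction Stop; "allowed  $Path" }
    catch { "blocked  $Path ($($_.Exception.GetType().Name))" }
}
Test-Write (Join-Path $ScreenPath  'song.mp3')     # blocked by the screen
Test-Write (Join-Path $TrainingDir 'lesson.mp3')   # allowed by the exception
Test-Write (Join-Path $ScreenPath  'plan.mpp')     # allowed: excluded from the group

& filescrn.exe screen list "/path:$ScreenPath"
```

Because the exception is keyed on the file group rather than on individual extensions, widening the group later (for example to add *.wav) widens the exception at the same time; that is the "plan carefully" point in the note above made concrete.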
Lesson 4
Knowing and using the tools to enforce capacity management measures is only part of a capacity
management solution. To effectively manage your storage environment, you need to stay informed
regarding the status of your servers and how your enforcement policies are working.
This lesson will introduce storage reports in FSRM. Storage reports allow you to view information about
how FSRM components are operating on your server.
Objectives
After completing this lesson, you will be able to:
Key Points
FSRM can generate reports that help you understand file usage on the storage server. You can use the
storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant
files, track quota usage, and audit file screening.
From the Storage Reports Management node, you can create report tasks, which are used to schedule one
or more periodic reports, or you can generate reports on demand. For on-demand and scheduled reports,
current data is gathered before the report is generated. Reports can also be generated automatically to
notify you when a user exceeds a quota threshold or saves an unauthorized file.
Report                          Description
Duplicate Files                 Lists files that appear to be duplicates (files with the same size and
                                last-modified time). Use this report to identify and reclaim disk space
                                that is wasted due to duplicate files.
File Screening Audit            Lists file screening events that have occurred on the server for a
                                specific number of days. Use this report to identify users or
                                applications that violate screening policies.
Files by File Group             Lists files that belong to specific file groups. Use this report to identify
                                file group usage patterns and file groups that occupy large amounts
                                of disk space. This can help you determine which file screens to
                                configure on the server.
Files by Owner                  Lists files, grouped by file owners. Use this report to analyze usage
                                patterns on the server and users who use large amounts of disk space.
Files by Property
Large Files                     Lists files that are of a specific size or larger. Use this report to identify
                                files that are consuming the most disk space on the server. This can
                                help you quickly reclaim large quantities of disk space.
Least Recently Accessed Files   Lists files that have not been accessed for a specific number of days.
                                This can help you identify seldom-used data that might be archived
                                and removed from the server.
Most Recently Accessed Files    Lists files that have been accessed within a specified number of days.
                                Use this report to identify frequently used data that must be highly
                                available.
Quota Usage                     Lists quotas for which the quota usage is higher than a specified
                                percentage. Use this report to identify quotas with high usage levels so
                                that you can take appropriate action.
Saving Reports
Regardless of how you generate a report, or whether you choose to view the report immediately, the
report is saved on the disk. Incident reports are saved in the Dynamic HTML (DHTML) format. You can
save scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats.
Scheduled reports, on-demand reports, and incident reports are saved in separate folders within a
designated report repository. By default, the reports are stored in the subdirectories of the
%Systemdrive%\StorageReports\ folder. To change the default report locations, in the File Server
Resource Manager Options dialog box, on the Report Locations tab, specify where to save each type of
storage report.
Managing File Resources Using File Server Resource Manager
Key Points
A report task is a set of storage management reports that run based on a schedule.
The report task specifies which reports to generate and what parameters to use, which volumes and
folders to report on, how often to generate the reports, and which file formats to save them in.
When you schedule a set of reports, the reports are saved in the report repository. You also have the
option of sending the reports to a group of administrators by email.
Report tasks can be scheduled by using the following steps from within FSRM.
1.
2. Right-click Storage Reports Management and click Schedule a New Report Task (or click Schedule a New Report Task in the Actions pane). The Storage Reports Task Properties dialog box appears.
Note: To minimize the impact of report processing on server performance, generate multiple reports on
the same schedule so that the data is only gathered once.
Key Points
During daily operations, you may want to generate reports on demand to analyze the different aspects of
the current disk usage on the server. Before the reports are generated, current data is gathered.
When you generate reports on demand, the reports are saved in the report repository, but no report task
is created for later use. You can optionally view the reports immediately after they are generated or send
the reports to a group of administrators by email.
1.
2. Right-click Storage Reports Management, and then click Generate Reports Now (or click Generate Reports Now in the Actions pane). The Storage Reports Task Properties dialog box appears.
Note: When generating an on-demand report, you can wait for the reports to be generated and then
immediately display them. If you choose to open the reports immediately, you must wait while the
reports are generated. Processing time varies, depending on the types of reports and the data scope.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Microsoft Project files (.mpp) is
not affected by your file screening setup.
You have also been asked to provide a report to your manager about the attempts to save these media
files on NYC-SVR1.
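The scenario turns on one detail: the screen must block every .mp* extension except .mpp. The following added example (not course material and not FSRM code) shows how a file group with an include pattern of *.mp* and an exclude pattern of *.mpp produces exactly that behaviour, and how each blocked attempt becomes the kind of event a File Screening Audit report lists. Shell-style wildcard matching, the group and screen definitions, and the save attempts are all assumptions constructed for the example.

```python
"""Added example (not from the course): how a file screen built from the lab's
Block MPx Media Files pattern can block *.mp* while still allowing Microsoft
Project (.mpp) files. FSRM file groups have 'files to include' and 'files to
exclude' patterns; matching them with shell-style wildcards is an assumption
made to keep the example self-contained."""
from fnmatch import fnmatchcase

# Constructed file group modelled on the lab scenario.
MPX_MEDIA_FILES = {
    "name": "MPx Media Files",
    "include": ["*.mp*"],      # .mp3, .mp4, .mpg, ...
    "exclude": ["*.mpp"],      # Microsoft Project files must not be screened
}

# Constructed file screens: folder -> file group applied to that folder.
SCREENS = {r"E:\Labfiles\Mod05\Users": MPX_MEDIA_FILES}


def matches_group(filename, group):
    """A file belongs to a group when it matches an include pattern and no
    exclude pattern. Names are lower-cased because Windows file names are
    case-insensitive."""
    name = filename.lower()
    included = any(fnmatchcase(name, p.lower()) for p in group["include"])
    excluded = any(fnmatchcase(name, p.lower()) for p in group["exclude"])
    return included and not excluded


def in_scope(folder, scope):
    """True when folder is the screened folder itself or a subfolder of it."""
    folder, scope = folder.lower().rstrip("\\"), scope.lower().rstrip("\\")
    return folder == scope or folder.startswith(scope + "\\")


def screen_save(folder, filename, screens=SCREENS):
    """Decide whether saving `filename` into `folder` is allowed.
    Returns (allowed, audit_event); the event is what a File Screening Audit
    report would later list."""
    for scope, group in screens.items():
        if in_scope(folder, scope) and matches_group(filename, group):
            event = {"folder": folder, "file": filename, "group": group["name"]}
            return False, event
    return True, None


def screening_audit(attempts):
    """Replay constructed save attempts and collect the blocked ones, as the
    File Screening Audit report would."""
    events = []
    for folder, filename in attempts:
        allowed, event = screen_save(folder, filename)
        if not allowed:
            events.append(event)
    return events
```

The exclude list is what keeps the manager's requirement intact: without it, plan.mpp would match *.mp* and be refused along with musicfile.mp3.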
2. Open the File Server Resource Manager Configuration Options dialog box and enable the Record file screening activity in auditing database option on the File Screen Audit tab.
Note: This step allows recording of the File Screen events that supply data for the File Screen Audit report to be run in Exercise 2.
3. Create a File Screen based on the Block MPx Media Files File Screen Template for the E:\Labfiles\Mod05\Users directory.
2.
2.
3. Copy musicfile.mp3 into E:\Labfiles\Mod05\Users. You will be notified that the system was unable to copy the file to E:\Labfiles\Mod05\Users.
Results: After this exercise, you should have configured file screening by creating a file group, a file screen template, and a file screen.
2. Right-click Storage Reports Management, select Generate Reports Now, and then provide the following parameters:
3. Report on E:\Labfiles\Mod05\Users.
Lesson 5
Most applications manage files based on the directory they are contained in. This leads to complicated file layouts that require a lot of attention from administrators. Such layouts can also lead to frustration among the users.
In Windows Server 2008 R2, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks such as cleaning up stale data or protecting sensitive information.
In this lesson, you will learn how Classification Management and File Management tasks work together to make it easier for you to manage and organize the files and folders on your servers.
Note: The capabilities and components described in this lesson are available only in Windows Server 2008 R2.
Objectives
After completing this lesson, you will be able to:
Describe how Classification Rules are used to automatically assign Classification Properties.
Key Points
Most applications manage files based on their location or the folder they are contained in. This leads to a complicated folder structure that often negatively affects the usability of the files and folders and increases administrative requirements.
To reduce the cost and risk associated with this type of data management, the File Classification infrastructure uses a platform that allows administrators to classify files and apply policies based on that classification. The storage layout is unaffected by data management requirements, and the organization can adapt more easily to a changing business and regulatory environment.
Classification Management is designed to ease the burden of managing data that is spread out across your organization. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The File Classification infrastructure in Windows Server 2008 R2 allows organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file's classification and apply corporate requirements for managing data based on business value. They can easily modify the policies and use tools that support classification to manage their files.
You can use file classification to perform the following actions:
1. Define classification properties and values, which can be assigned to files by running classification rules.
2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory based on installed classification plug-ins.
3. When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values.
Key Points
Classification properties are used to assign values to files. There are many property types that you can choose from, as listed in the table below. You can define these properties based on the needs of your organization. Classification properties are assigned to files by classification rules, which will be discussed in the next topic.
The following table defines the available property types and the policy that is applied when a file is reclassified:
Property type: Description
Yes/No: A Boolean property that can be Yes or No. When multiple values are combined, a No value overwrites a Yes value.
Date-Time: A simple date and time property. When multiple values are combined, conflicting values prevent reclassification.
Number
Ordered List
String
Multi-string
Key Points
A classification rule assigns a Classification Property to a file system object. A classification rule includes information detailing when to assign a classification property to a file.
Is the rule enabled? On the Rule Settings tab, the Enabled check box allows you to specifically disable or enable the classification rule.
What is the scope of the rule? On the Rule Settings tab, the scope parameter allows you to select a folder or folders that the classification rule will apply to. When the rule is run, it processes and attempts to classify all file system objects within this location.
What classification mechanism will the rule use? On the rule's Classification tab, you must choose a classification method that the rule will use to assign the classification property. By default, there are two methods that you can choose from:
Folder Classifier: The folder classifier mechanism assigns properties to a file based on the file's folder path.
Content Classifier: The content classifier searches for strings or regular expressions in files. This means that the content classifier classifies a file based on its textual contents, such as whether it contains a specific word, phrase, or numeric value or type.
What property will the rule assign? The main function of the classification rule is to assign a property to a file object based on how the rule applies to that file object. You must specify a property and the specific value of that property to be assigned by the rule on the Classification tab.
What additional classification parameters will be used? The core of the rule's logic lies in the additional classification parameters. Clicking the Advanced button on the Classification tab takes you to the Additional Classification Parameters window. Here, you can specify additional parameters like strings or regular expressions that, if found in the file system object, will cause the rule to apply itself. This could be something like looking for the phrase Social Security Number or any number with the format 000-000-000 to apply a Yes value for a Confidential classification property to the file. This classification could then be leveraged to perform some task on the file system object, like moving it to a secure location.
A classification parameter can be one of the following three types:
RegularExpression: Match a regular expression by using the .NET syntax. For example, \d\d\d will match any sequence of three digits.
StringCaseSensitive: Match a case-sensitive string. For example, Confidential will only match Confidential and not confidential or CONFIDENTIAL.
String: Match a string, regardless of case. Confidential will match both Confidential and CONFIDENTIAL.
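The three parameter types behave differently on the same text, and the difference decides which files get the Confidential property. The following added example (not course material and not FSRM's own classifier) applies a rule with one parameter of each type to constructed file contents; Python's re module stands in for the .NET regex engine, which is a reasonable substitution for patterns as simple as \d\d\d. The rule, the file paths and their text are all constructed.

```python
"""Added example (not from the course): a content classifier that applies the
three Additional Classification Parameter types to file text and assigns the
Confidential = Yes property. Python's re module stands in for the .NET regex
engine (the simple patterns used here behave the same in both); the files,
rule and file text are all constructed."""
import re


def compile_parameter(kind, value):
    """Turn one (Name, Value) parameter into a predicate over file text."""
    if kind == "RegularExpression":
        pattern = re.compile(value)
        return lambda text: pattern.search(text) is not None
    if kind == "StringCaseSensitive":
        return lambda text: value in text
    if kind == "String":
        needle = value.casefold()           # case-insensitive match
        return lambda text: needle in text.casefold()
    raise ValueError(f"unknown classification parameter type: {kind}")


def content_classifier(rule, files):
    """Run one rule over {path: text}; return {path: {property: value}} for the
    files that matched at least one parameter (the property is assigned
    regardless of how many parameters matched)."""
    predicates = [compile_parameter(kind, value) for kind, value in rule["parameters"]]
    assigned = {}
    for path, text in files.items():
        if any(pred(text) for pred in predicates):
            assigned[path] = {rule["property"]: rule["value"]}
    return assigned


# Constructed rule modelled on the Confidential Documents demonstration.
CONFIDENTIAL_RULE = {
    "name": "Confidential Documents",
    "property": "Confidential",
    "value": "Yes",
    "parameters": [
        ("String", "payroll"),                           # any case
        ("StringCaseSensitive", "Confidential"),         # exact case only
        ("RegularExpression", r"\d\d\d-\d\d\d-\d\d\d"),  # the 000-000-000 shape
    ],
}

# Constructed file contents (plain text so the example needs no parsers).
FILES = {
    r"E:\Labfiles\Mod05\Data\January.txt": "PAYROLL run for January, see attached.",
    r"E:\Labfiles\Mod05\Data\memo.txt": "This memo is CONFIDENTIAL, in upper case only.",
    r"E:\Labfiles\Mod05\Data\ids.txt": "Employee reference 123-456-789 is on file.",
    r"E:\Labfiles\Mod05\Data\lunch.txt": "Team lunch on Friday.",
}
```

Running the rule classifies January.txt (the case-insensitive String parameter catches PAYROLL) and ids.txt (the regular expression), but not memo.txt: its CONFIDENTIAL does not satisfy the case-sensitive parameter. For keyword-based detection of sensitive data, the case-insensitive String type is therefore usually the safer choice.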
Classification Scheduling
You can run classification rules in two ways: on demand or based on a schedule. Whichever way you choose, each time you run classification, it uses all rules that you have left in the Enabled state.
Configuring a schedule for classification allows you to specify a regular interval at which file classification rules will run, ensuring that your server's files are regularly classified and up to date with the latest classification properties.
Key Points
In this demonstration you will see how to:
Demonstration Steps:
1. Open File Server Resource Manager and expand the Classification Management node.
2. Using the Classification Properties node, create a new Classification Property named Confidential with the Yes/No property type.
3. Using the Classification Rules node, create a new Classification Rule named Confidential Documents.
4. Configure the rule to classify documents with a value of Yes for the Confidential classification property if the file contains the string value payroll.
5.
6. Using the Classification Rules node, manually run Classification With All Rules Now and view the report.
Key Points
Although Classification Management provides a powerful mechanism to catalog, categorize, and classify
your file system objects, you should consider certain factors when dealing with Classification
Management.
For ordered list properties, the highest property value takes priority.
For multiple choice properties, the property sets are combined into one set.
For multiple string properties, a multistring value is set that contains all the unique strings of the individual property values.
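The merge policies listed above and in the property-type table (Yes/No, Date-Time, Ordered List, Multiple Choice and Multi-string) are easiest to see side by side in code. The following added example (not course material and not FSRM's own logic) implements each stated policy as one function; for Ordered List it assumes the caller passes the list's order and that "highest" means later in that order, and it implements no policy for Number or String because the page states none.

```python
"""Added example (not from the course): the per-type merge policy applied when
a file that already has a classification value is reclassified and a rule
supplies another value. Only the types whose policy the text states are
implemented; for Ordered List the caller passes the list order, and the
"highest" value is taken to be the one later in that order (an assumption)."""


def combine(prop_type, existing, new, order=None):
    """Return the value stored after merging `existing` with `new`.
    Raises ValueError for a Date-Time conflict, since the text says such a
    conflict prevents reclassification."""
    if existing is None:          # first classification: nothing to merge
        return new
    if prop_type == "Yes/No":
        # A No value overwrites a Yes value.
        return "No" if "No" in (existing, new) else "Yes"
    if prop_type == "Date-Time":
        if existing != new:
            raise ValueError("conflicting Date-Time values prevent reclassification")
        return existing
    if prop_type == "Ordered List":
        # The highest value in the list's order takes priority.
        return max(existing, new, key=order.index)
    if prop_type == "Multiple Choice":
        # The property sets are combined into one set.
        return sorted(set(existing) | set(new))
    if prop_type == "Multi-string":
        # All unique strings of the individual values, first occurrence kept.
        merged = []
        for s in list(existing) + list(new):
            if s not in merged:
                merged.append(s)
        return merged
    raise ValueError(f"no merge policy stated for property type {prop_type!r}")


def reclassify(prop_type, current, rule_values, order=None):
    """Apply several rules' values in turn, the way one classification run
    can hit a file with more than one rule; returns (value, reclassified)."""
    value = current
    try:
        for v in rule_values:
            value = combine(prop_type, value, v, order)
    except ValueError:
        return current, False
    return value, True
```

The Yes/No rule is the one to keep in mind when a property such as Confidential drives a file management task: any rule that assigns No wins over every rule that assigns Yes, so an over-broad "not confidential" rule can silently strip protection from files that another rule flagged.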
Key Points
File management tasks automate the process of finding subsets of files on a server and applying simple
commands to them on a scheduled basis. Files are identified by classification properties that have been
assigned to the file by a classification rule.
File management tasks include a file expiration command, and you can also create custom tasks. You can
define files that will be processed by a file management task through the following properties:
Location
Classification properties
Creation time
Modification time
File name
You can also configure file management tasks to notify file owners of any impending policy that will be
applied to their files.
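Putting the selection properties and the expiration action together, the following added example (not course material and not FSRM code) evaluates a task modelled on the lab's Expire Confidential Documents task over constructed files. The property condition uses the Equals operator from the lab; the other operators, the extra modification-time condition, the owner-notification window, and the expiration folder layout (original path kept relative to the scope) are assumptions made for the example.

```python
"""Added example (not from the course): the selection step of a file
management task, followed by the file expiration action. Files, their
classification properties and timestamps are constructed inline; the
expiration folder layout (original path kept relative to the scope) is an
assumption, as are the operators other than Equals."""
from datetime import datetime, timedelta
import ntpath

NOW = datetime(2011, 3, 1)  # assumed time the task runs

# Constructed files: path, properties assigned by classification rules, timestamps.
FILES = [
    {"path": r"E:\Labfiles\Mod05\Data\January.txt", "properties": {"Confidential": "Yes"},
     "created": datetime(2010, 1, 5), "modified": datetime(2010, 2, 1)},
    {"path": r"E:\Labfiles\Mod05\Data\Reports\Q1.txt", "properties": {"Confidential": "Yes"},
     "created": datetime(2011, 1, 25), "modified": datetime(2011, 2, 2)},
    {"path": r"E:\Labfiles\Mod05\Data\lunch.txt", "properties": {},
     "created": datetime(2010, 6, 1), "modified": datetime(2010, 6, 1)},
    {"path": r"E:\Labfiles\Mod05\Users\Ed\payroll.txt", "properties": {"Confidential": "Yes"},
     "created": datetime(2010, 6, 1), "modified": datetime(2010, 6, 1)},
]

# Constructed task modelled on the lab.
EXPIRE_CONFIDENTIAL = {
    "name": "Expire Confidential Documents",
    "scope": r"E:\Labfiles\Mod05\Data",
    "conditions": [("Confidential", "Equals", "Yes")],   # Property / Operator / Value
    "days_since_modified": 30,          # assumed extra condition on modification time
    "expiration_dir": r"E:\Labfiles\Mod05\Expired",
    "notify_days_before": 7,            # assumed: warn owners this many days ahead
}


def condition_holds(properties, condition):
    prop, operator, value = condition
    actual = properties.get(prop)
    if operator == "Equals":
        return actual == value
    if operator == "Not equal":          # assumption: not in the lab text
        return actual != value
    if operator == "Exist":              # assumption: not in the lab text
        return actual is not None
    if operator == "Not exist":          # assumption: not in the lab text
        return actual is None
    raise ValueError(f"unsupported operator: {operator}")


def in_scope(path, scope):
    return path.lower().startswith(scope.lower().rstrip("\\") + "\\")


def select_files(task, files, now=NOW):
    """Files in scope whose properties satisfy every condition and whose
    modification time is at least days_since_modified days ago."""
    age = timedelta(days=task.get("days_since_modified", 0))
    return [f["path"] for f in files
            if in_scope(f["path"], task["scope"])
            and all(condition_holds(f["properties"], c) for c in task["conditions"])
            and now - f["modified"] >= age]


def expire(task, files, now=NOW):
    """File expiration action: map each selected file to its new location under
    the expiration directory (nothing is moved here; a real task would)."""
    scope = task["scope"].rstrip("\\")
    moves = {}
    for path in select_files(task, files, now):
        relative = path[len(scope) + 1:]
        moves[path] = ntpath.join(task["expiration_dir"], relative)
    return moves


def notifications(task, files, now=NOW):
    """Files whose owners should be warned: those that will qualify within
    notify_days_before days but do not qualify yet."""
    later = now + timedelta(days=task["notify_days_before"])
    return sorted(set(select_files(task, files, later)) - set(select_files(task, files, now)))
```

Two of the constructed files carry Confidential = Yes but are not expired: payroll.txt is outside the task's scope, and Q1.txt is too recently modified, which is exactly the case the notification step is for.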
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2. Create a file management task named Expire Confidential Documents with a scope of E:\Labfiles\Mod05\Data.
3. On the Action tab, configure the task for file expiration to E:\Labfiles\Mod05\Expired.
4.
5.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The Finance department of Contoso, Ltd. has discovered that several payroll documents are being stored in locations that are not secure.
You have been asked to use the Classification Management and File Management Tasks components of
FSRM to ensure that all payroll-related files are located in a secure location.
2.
3. Scope: E:\Labfiles\Mod05\Data
4.
5. Click the Additional Classification Parameters tab and add the following parameters.
Name: String
Value: payroll
6. Right-click the Classification Rules node, click Run Classification With All Rules Now, and select the Wait for classification to complete execution option.
7. View the generated report and ensure that January.txt is displayed in the report.
8.
9.
Open the File Server Resource Manager, create a File Management task, and configure its properties according to the following steps.
2.
3.
4. Scope: E:\Labfiles\Mod05\Data.
Property conditions:
Property: Confidential
Operator: Equals
Value: Yes
5. On the Schedule tab, create a schedule to run at 9:00 A.M. every day, starting today.
6. Right-click the newly created task, and then click Run File Management Task Now. Select the option to wait for the task to complete execution, and then review the report. Ensure that January.txt is listed in the report.
7.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3.
4.
Review Questions
1. What criteria need to be met to use FSRM for managing a server's file structure?
2. In what ways can Classification Management and File Management Tasks decrease administrative overhead when dealing with a complex file and folder structure?
Tools
Tool | Use for | Where to find it
File Server Resource Manager | Managing your file server infrastructure | Install the FSRM role service as part of the File Services server role
Module 6
Configuring and Securing Remote Access
Contents:
Lesson 1: Configuring a Virtual Private Network Connection 6-3
Module Overview
For an organization to support its distributed workforce, it must implement technologies that enable remote users to connect to the organization's network infrastructure. These technologies include virtual private networks (VPNs) and DirectAccess. You need to understand how to configure and secure your remote access clients by using network policies and, where appropriate, Network Access Protection (NAP). This module explores these remote access technologies.
Objectives
After completing this module, you will be able to:
Configure NAP.
Lesson 1
A VPN provides a point-to-point connection between the components of a private network through a public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to a VPN server's listening virtual port.
To properly implement and support a VPN environment within your organization, you must understand how to select a suitable tunneling protocol, configure VPN authentication, and configure the Network Policy and Access Services server role to support your chosen configuration.
Objectives
After completing this lesson, you will be able to:
Key Points
To emulate a point-to-point link, the data is encapsulated or wrapped and prefixed with a header. This
header provides routing information that enables the data to traverse the shared or public network to
reach its endpoint.
To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the shared or public network are indecipherable without encryption keys. The link in which the private
data is encapsulated and encrypted is known as a VPN connection.
There are two types of VPN connections:
Remote access
Site-to-site
Remote Access VPN
Remote access VPN connections enable your users working at home, at a customer site, or through a public wireless access point to access resources on your organization's private network by using the infrastructure that a public network provides, such as the Internet.
From the user's perspective, the VPN is a point-to-point connection between their computer (the VPN client) and your organization's resources. The exact infrastructure between the client and the resource is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices or with other organizations over a
public network while helping to maintain secure communications.
A VPN connection routed across the Internet logically operates as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets to another router across a VPN
connection.
A site-to-site VPN connection connects two portions of a private network. For example, a branch office router, acting as a VPN server, can create a VPN connection between itself and a corporate hub router across the Internet. As the calling router, the branch office router authenticates itself to the answering router on the corporate hub, and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
Encapsulation: With VPN technology, private data is encapsulated with a header that contains routing information that allows the data to traverse the transit network.
Authentication: Authentication for VPN connections takes the following three different forms:
To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method and verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. It is recommended that you use computer-certificate authentication because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.
To verify that the data sent on the VPN connection originated at the connection's other end and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.
Data encryption: To ensure the confidentiality of data as it traverses the shared or public transit network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption processes depend on the sender and the receiver sharing a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key's length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.
Key Points
Authentication of access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process.
PAP
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is negotiated only if the remote access client and remote access server cannot negotiate a more secure form of validation.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the Message Digest 5 (MD5) one-way hash function to hash the response to a challenge issued by the remote access server. CHAP is an improvement over PAP because the password is never sent over the link. Instead, the password is used to create a one-way hash from a challenge string. The server, knowing the client's password, can duplicate the operation and compare the result with that sent in the client's response.
A server running Routing and Remote Access supports CHAP so that remote access clients that require CHAP are authenticated. Because CHAP requires the server to store the password in reversibly encrypted form, you should consider using another authentication protocol, such as MS-CHAP version 2.
MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is an encrypted-password, mutual-authentication process that works as follows:
1. The authenticator (the remote access server or the computer running Network Policy Server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.
2. The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.
3. The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client's encrypted response, and the user password.
4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
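The CHAP section and the four MS-CHAP v2 steps above describe two handshakes that are clearest when both sides' messages are written out. The following added example (not course material and not Windows code) does that: the CHAP part follows RFC 1994 exactly (response = MD5 of the one-byte identifier, the shared secret and the challenge), while the MS-CHAP v2 part keeps the four-step shape of the text but derives every value with HMAC-SHA-256 in place of the protocol's real MD4/DES/SHA-1 construction, a substitution made only to keep the example short. The user name, password and challenge sizes are constructed.

```python
"""Added example (not from the course): the two challenge-response handshakes
described above, with both sides' messages constructed inline. CHAP follows
RFC 1994 exactly (response = MD5(identifier || secret || challenge)). The
MS-CHAP v2 part keeps the four-step shape of the text but derives its values
with HMAC-SHA-256 instead of the protocol's real MD4/DES/SHA-1 construction;
that substitution is an assumption made to keep the example short."""
import hashlib
import hmac
import os


# ---- CHAP (RFC 1994) --------------------------------------------------------
def chap_response(identifier, secret, challenge):
    """Client side: hash of the one-byte identifier, the shared secret and the
    server's challenge. The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server side: it needs the plaintext secret to repeat the computation,
    which is why CHAP requires reversibly encrypted password storage."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


# ---- MS-CHAP v2-shaped mutual authentication (stand-in PRF) ----------------
def _prf(password, *parts):
    return hmac.new(password, b"".join(parts), hashlib.sha256).digest()


def client_response(password, session_id, server_challenge, peer_challenge, username):
    # Step 2: one-way function of the received challenge, the peer challenge,
    # the session identifier and the user password.
    return _prf(password, b"client", session_id, server_challenge, peer_challenge, username)


def authenticator_response(password, session_id, server_challenge, peer_challenge, response):
    # Step 3: proof that the authenticator also knows the password, bound to
    # both challenges and to the client's response.
    return _prf(password, b"server", session_id, server_challenge, peer_challenge, response)


def run_mschapv2(server_password, client_password, username=b"contoso\\ed", rogue_server=False):
    """Run the exchange and return how it ends. server_password is what the
    authenticator has on file; client_password is what the user typed."""
    # Step 1: authenticator sends a session identifier and an arbitrary challenge.
    session_id = os.urandom(1)
    server_challenge = os.urandom(16)
    # Step 2: client adds its own peer challenge and answers.
    peer_challenge = os.urandom(16)
    response = client_response(client_password, session_id, server_challenge, peer_challenge, username)
    # Step 3: authenticator checks the response and answers with its own proof.
    if rogue_server:
        # A server that does not know the password cannot compute the real
        # authenticator response; it can only send garbage.
        auth_resp = os.urandom(32)
    else:
        expected = client_response(server_password, session_id, server_challenge, peer_challenge, username)
        if not hmac.compare_digest(expected, response):
            return "failure: authenticator rejected client"
        auth_resp = authenticator_response(server_password, session_id, server_challenge, peer_challenge, response)
    # Step 4: client verifies the authenticator response before using the link.
    expected_auth = authenticator_response(client_password, session_id, server_challenge, peer_challenge, response)
    if not hmac.compare_digest(expected_auth, auth_resp):
        return "failure: client rejected authenticator"
    return "success: mutual authentication complete"
```

The rogue_server case is the point of step 4: a server that does not hold the password cannot produce a valid authenticator response, so the client drops the connection instead of trusting a masquerading VPN server. Keep in mind that this toy PRF is far stronger than the real MS-CHAP v2 derivation, whose DES-based response is no longer considered strong; that is one reason the course steers towards EAP-TLS with certificates in the next topic.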
Configure the smart card or other certificate (TLS) EAP type in network policies.
Enable smart card authentication on the dial-up or VPN connection on the remote access client.
Key Points
PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was defined originally as the protocol to use between a dial-up client and a network access server.
PPTP
PPTP enables you to encrypt multi-protocol traffic and encapsulate it in an IP header, which is then sent across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.
Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.
Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAPv2 or EAP-TLS authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames can be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame.
L2TP
L2TP enables you to encrypt multi-protocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.
Both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built into the Windows XP, Windows Vista, and Windows 7 remote access clients, and VPN server support for L2TP is built into members of the Windows Server 2008 and Windows Server 2003 family.
Note: L2TP is installed with the TCP/IP protocol.
Encryption: The L2TP message is encrypted with one of the following algorithms by using encryption keys generated from the IKE negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, or 3DES.
SSTP
SSTP is a tunneling protocol that uses the Secure Hypertext Transfer Protocol (HTTPS) protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.
Encapsulation: SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a single TCP connection (over port 443) both for tunnel management and to carry the PPP data frames.
Encryption: The SSTP message is encrypted within the SSL channel of the HTTPS protocol.
IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity, making it a good choice for mobile users who move between access points and even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection; this ability is a requirement of VPN Reconnect.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods.
Encapsulation: IKEv2 encapsulates datagrams by using IPsec ESP or AH headers for transmission over the network.
Encryption: The message is encrypted with one of the following algorithms by using encryption keys generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, or 3DES.
IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2.
Note: IKEv2 is the default VPN tunneling protocol in Windows 7.
Key Points
Before you deploy your organization's VPN solution, consider the following factors:
To accept incoming connections, your VPN server requires two network interfaces: determine which
network interface connects to the Internet and which network interface connects to your private
network. During configuration, you must choose which network interface connects to the Internet. If
you specify the incorrect interface, your remote access VPN server will not operate correctly.
Determine whether remote clients receive IPv4 addresses from a Dynamic Host Configuration
Protocol (DHCP) server on your private network or from the remote access VPN server that you are
configuring. If you have a DHCP server on your private network, the remote access VPN server can
lease ten addresses at a time from the DHCP server and assign those addresses to remote clients. If
you do not have a DHCP server on your private network, the remote access VPN server can generate
and assign IP addresses automatically to remote clients. If you want the remote access VPN server to
assign IP addresses from a range that you specify, you must determine what that range should be.
Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS
server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful
if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS
clients to your private network.
Determine whether IPv4 VPN clients can send DHCP messages to the DHCP server on your private
network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages
from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a
DHCP server is on a different subnet from your remote access VPN server, ensure that the router
between subnets can relay DHCP messages between the clients and the server. If your router is
running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent
service on the router to forward DHCP messages between subnets.
Ensure that the individual responsible for the deployment of your VPN solution has the necessary
administrative group memberships to install the server roles and configure the necessary services;
membership of the local Administrators group is required to perform these tasks.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
Configuring and Securing Remote Access
Key Points
After you complete the steps in the Add Roles Wizard and complete the configuration in Routing and
Remote Access, your server is ready for use as a remote access VPN server.
The following are the additional tasks that you can perform on your remote access/VPN server:
Configure static packet filters. Add static packet filters to better protect your network.
Configure services and ports. Choose which services on the private network you want to make
available for remote access users.
Adjust logging levels for routing protocols. Configure the level of event details that you want to log.
You can decide which information you want to track in log files.
Create a Connection Manager profile for users. Manage the client connection experience for users
and simplify troubleshooting of client connections.
Add Active Directory Certificate Services (AD CS). Configure and manage a certification authority (CA)
on a server for use in a PKI.
Increase remote access security. Protect remote users and the private network by enforcing use of
secure authentication methods, requiring higher levels of data encryption, and more.
Increase VPN security. Protect remote users and the private network by requiring use of secure
routing and tunneling protocols, configuring account lockout, and more.
Consider implementing VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless
and consistent VPN connection, automatically re-establishing a VPN when users temporarily lose their
Internet connections.
Key Points
In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and
access it continuously, without interruption. For example, users might want to securely access data on the
company's server in the head office, from a branch office, or while on the road.
To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows
Server 2008 R2 and Windows 7. This enables users to securely access the company's data by using a VPN
connection, which will automatically reconnect if connectivity is interrupted. It also enables roaming
between different networks.
VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and
consistent VPN connectivity. VPN Reconnect automatically re-establishes a VPN connection when Internet
connectivity is available again. Users who connect by using a wireless mobile broadband benefit most
from this capability.
Consider a user with a laptop running Windows 7. When the user travels to work by train, the user
connects to the Internet by using a wireless mobile broadband card and then establishes a VPN
connection to the company's network. When the train passes through a tunnel, the Internet connection is
lost. After the train comes out of the tunnel, the wireless mobile broadband card automatically reconnects
to the Internet. With earlier versions of Windows client and server operating systems, the VPN did not
reconnect automatically. Therefore, the user needed to manually repeat the multistep process of
connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically re-establish active VPN
connections when the Internet connectivity is re-established. Even though the reconnection might take
several seconds, users stay connected and have uninterrupted access to internal network resources.
The system requirements for using the VPN Reconnect feature are as follows:
PKI infrastructure, because a computer certificate is required for a remote connection with VPN
Reconnect. Certificates issued by either an internal or public CA can be used.
Lesson 2
Network policies determine whether a connection attempt is successful, and if such an attempt is
successful, the network policy defines connection characteristics, such as day and time restrictions, session
idle-disconnect times, and other settings.
Understanding how to configure network policies is essential if you are to successfully implement VPNs
based on the Network Policy and Access Services Server role within your organization.
Objectives
After completing this lesson, you will be able to:
Describe how network policies are used to control and secure a VPN connection.
Key Points
The Network Policy and Access Services role in Windows Server 2008 R2 provides the following network
connectivity solutions:
NAP. NAP is a client health policy creation, enforcement, and remediation technology that is
included in the Windows XP with SP3, Windows Vista, and Windows 7 client operating systems and in
the Windows Server 2008 and Windows Server 2008 R2 operating systems. With NAP, you can
establish and automatically enforce health policies, which can include software requirements,
security update requirements, required computer configurations, and other settings. If client
computers do not comply with a health policy, you can restrict their network access until their
configuration is updated and brought into compliance. Depending on how you choose to deploy
NAP, noncompliant clients can be updated automatically so that users can regain full network access
quickly without manually updating or reconfiguring their computers.
Secure wireless and wired access. When you deploy 802.1X wireless access points, it provides
wireless users with a secure password-based authentication method, which is easy to deploy. When
you deploy 802.1X authenticating switches, wired access allows you to secure your network by
ensuring that intranet users are authenticated before they can connect to the network or obtain an IP
address by using DHCP.
Remote access solutions. With remote access solutions, you can provide users with VPN and
traditional dial-up access to your organization's network. You also can connect branch offices to your
network with VPN solutions, deploy full-featured software routers on your network, and share
Internet connections across the intranet.
Central network policy management with RADIUS server and proxy. Rather than configuring
network access policy at each network access server, such as wireless access points, 802.1X
authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location
that specify all aspects of network connection requests, including who is allowed to connect, when
they can connect, and the level of security they must use to connect to your network.
Key Points
Network policies are sets of conditions, constraints, and settings that enable you to designate who is
authorized to connect to the network and the circumstances under which they can, or cannot, connect.
Additionally, when you deploy NAP, health policy is added to the network policy configuration so that
NPS performs client health checks during the authorization process.
You can view network policies as rules; each rule has a set of conditions and settings. NPS compares the
rule's conditions with the properties of connection requests. If a match occurs between the rule and the
connection request, the settings that you define in the rule are applied to the connection.
When you configure multiple network policies in NPS, they form an ordered set of rules. NPS checks each
connection request against the list's first rule, then the second, and so on, until a match is found.
Note: After a matching rule is determined, further rules are disregarded. It is important to order your
network policies appropriately.
Each network policy has a Policy State setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate the policy when authorizing connection requests.
Overview. These properties allow you to specify whether the policy is enabled; whether the policy
grants or denies access; and whether a specific network connection method, or type of network
access server, is required for connection requests. Overview properties also enable you to specify
whether to ignore the dial-in properties of user accounts in AD DS. If you select this option, NPS uses
only the network policy's settings to determine whether to authorize the connection.
Conditions. These properties allow you to specify the conditions that the connection request must
have to match the network policy. If the conditions configured in the policy match the connection
request, NPS applies the network-policy settings to the connection. For example, if you specify the
network access server IPv4 address (NAS IPv4 Address) as a condition of the network policy and NPS
receives a connection request from a NAS that has the specified IP address, the condition in the policy
matches the connection request.
Constraints. Constraints are additional parameters of the network policy that are required to match
the connection request. If the connection request does not match a constraint, NPS automatically
rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a
constraint is not matched, NPS does not evaluate additional network policies. The connection request
is denied.
Settings. These properties allow you to specify the settings that NPS applies to the connection
request if all of the policy's conditions are matched.
When you add a new network policy by using the NPS MMC snap-in, you must use the New Network
Policy Wizard. After you have created a network policy by using the wizard, you can customize the policy
by double-clicking it in NPS to obtain the policy properties.
Key Points
NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a
connection request to your network. You can configure a new network policy in either the NPS MMC
snap-in or the Routing and Remote Access Service MMC snap-in.
The value that you specify as the network connection method is used to configure the Policy Type
condition automatically. If you keep the default value, NPS evaluates the network policy that you
create for all network connection types through any type of network access server. If you specify a
network connection method, NPS evaluates the network policy only if the connection request
originates from the type of network access server that you specify. For example, if you specify Remote
Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from
Remote Desktop Gateway servers.
On the Specify Access Permission page, you must select Access granted if you want the policy to
allow users to connect to your network. If you want the policy to prevent users from connecting to
your network, select Access denied. If you want user account dial-in properties in AD DS to determine
access permission, you can select the Access is determined by User Dial-in properties (which override
NPS policy) check box.
Note: To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.
2. In the console tree, right-click Network Policies, and then click New. The New Network Policy
Wizard opens.
3. Use the New Network Policy Wizard to create a policy.
4. Configure the Network Policy properties (described in the remainder of this topic).
Policy Name. Type a friendly and meaningful name for the network policy.
Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS
should ignore the dial-in properties of user accounts in AD DS when using the policy to perform the
connection attempt's authorization.
Unspecified. If you select Unspecified, NPS evaluates the network policy for all connection
requests that originate from any type of network access server and for any connection method.
Remote Desktop Gateway. If you specify Remote Desktop Gateway, NPS evaluates the network
policy for connection requests that originate from servers that are running Remote Desktop
Gateway.
Remote Access Server (VPN-Dial-up). If you specify Remote Access Server (VPN-Dial-up), NPS
evaluates the network policy for connection requests that originate from a computer running
Routing and Remote Access service configured as a dial-up or VPN server. If another dial-up or
VPN server is used, the server must support the RADIUS protocol and the authentication
protocols that NPS provides for dial-up and VPN connections.
DHCP Server. If you specify DHCP Server, NPS evaluates the network policy for connection
requests that originate from servers that are running DHCP.
Health Registration Authority. If you specify Health Registration Authority, NPS evaluates the
network policy for connection requests that originate from servers that are running Health
Registration Authority.
HCAP Server. If you specify HCAP server, NPS evaluates the network policy for connection
requests that originate from servers that are running HCAP.
Groups. These specify user or computer groups that you configure in AD DS and to which you want
the other rules of the network policy to apply when group members attempt to connect to the
network.
HCAP. These conditions are used only when you want to integrate your NPS NAP solution with Cisco
Network Admission Control. To use these conditions, you must deploy Cisco Network Admission
Control and NAP. You also must deploy an HCAP server running both Internet Information Services
(IIS) and NPS.
Day and Time Restrictions. The Day and Time Restrictions condition allows you to specify, at a
weekly interval, whether to allow connections on a specific set of days and times.
For example, you can configure this condition to allow access to your network only between the
hours of 8 A.M. and 5 P.M., Monday through Thursday. With this condition value, users whose
connection requests match all conditions of the network policy cannot connect to the network on
Fridays, Saturdays, Sundays, and during other weekdays between the hours of 5 P.M. and 8 A.M., but
they can connect between Monday and Thursday between 8 A.M. and 5 P.M.
Conversely, you can specify the days and times during which you want to deny network connections.
If you specify days and times during which to deny connections, users can access your network on the
unspecified days and times. For example, if you configure this condition to deny connections all day
on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through
Saturday at any time.
NAP. Settings include Identity Type, MS-Service Class, NAP-Capable Computers, Operating System,
and Policy Expiration.
Note: The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health
checks when NPS does not receive an Access-Request message that contains a value for the User-Name
attribute. In these circumstances, client health checks are performed, but authentication and
authorization are not.
Connection Properties. Settings include Access Client IPv4 Address, Access Client IPv6 Address,
Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.
RADIUS Client Properties. Settings include Calling Station ID, Client Friendly Name, Client IPv4
Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.
Important: Client computers, such as wireless laptop computers and other computers running client
operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless
access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up
servers, because they use the RADIUS protocol to communicate with RADIUS servers such as NPS
servers.
Gateway. Settings include Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6 Address, and
NAS Port Type.
Authentication Methods. Allows you to specify the authentication methods that are required for the
connection request to match the network policy.
Idle Timeout. Allows you to specify the maximum time, in minutes, that the network access server
can remain idle before the connection disconnects.
Session Timeout. Allows you to specify the maximum amount of time, in minutes, that a user can be
connected to the network.
Called Station ID. Allows you to specify the telephone number of the dial-up server that clients use
to access the network.
Day and time restrictions. Allows you to specify when users can connect to the network.
NAS Port Type. Allows you to specify the access media types that are allowed for users to connect to
the network.
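The Day and Time Restrictions condition and constraint described above are evaluated against a weekly grid of one-hour slots. The following is an added example, not code from the course or from NPS itself, that models that grid in Python so the two cases in the text (allow only 8 A.M. to 5 P.M. Monday through Thursday; deny all day Sunday) can be checked against concrete timestamps. It also handles the overnight window the lab later asks for (deny 11 P.M. to 6 A.M. on weekdays), where the window wraps past midnight into the next day; that wrap-around treatment and the helper names are assumptions of this example.

```python
from datetime import datetime
from typing import FrozenSet, Iterable

HOURS_PER_WEEK = 7 * 24
# datetime.weekday() numbering: Monday is 0, Sunday is 6
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)


def _slots(days: Iterable[int], start_hour: int, end_hour: int) -> set:
    """Hour slots (day * 24 + hour) covered by a window on each listed day.

    A window whose end is not after its start is treated as wrapping past
    midnight: (23, 6) on Monday covers Monday 23:00 through Tuesday 05:59.
    This wrap-around interpretation is an assumption of the example; in the
    NPS grid you tick the next day's early-morning cells explicitly.
    """
    covered = set()
    for day in days:
        if start_hour < end_hour:
            covered.update(day * 24 + h for h in range(start_hour, end_hour))
        else:
            covered.update(day * 24 + h for h in range(start_hour, 24))
            next_day = (day + 1) % 7
            covered.update(next_day * 24 + h for h in range(0, end_hour))
    return covered


def allow_only(days: Iterable[int], start_hour: int, end_hour: int) -> FrozenSet[int]:
    """Grid that permits connections only inside the window; everything else is denied."""
    return frozenset(_slots(days, start_hour, end_hour))


def deny_during(days: Iterable[int], start_hour: int, end_hour: int) -> FrozenSet[int]:
    """Grid that denies connections inside the window; everything else is permitted."""
    return frozenset(range(HOURS_PER_WEEK)) - frozenset(_slots(days, start_hour, end_hour))


def is_permitted(grid: FrozenSet[int], when: datetime) -> bool:
    """True when the request's timestamp falls in a permitted hour slot."""
    return when.weekday() * 24 + when.hour in grid


# Constructed grids for the cases in the text and in the lab
BUSINESS_HOURS = allow_only([MON, TUE, WED, THU], 8, 17)      # 8 A.M. to 5 P.M., Mon-Thu
NO_SUNDAYS = deny_during([SUN], 0, 24)                        # deny all day Sunday
NO_WEEKNIGHTS = deny_during([MON, TUE, WED, THU, FRI], 23, 6) # deny 11 P.M. to 6 A.M., Mon-Fri

if __name__ == "__main__":
    for label, grid in (("business hours", BUSINESS_HOURS),
                        ("no Sundays", NO_SUNDAYS),
                        ("no weeknights", NO_WEEKNIGHTS)):
        permitted = sum(1 for slot in range(HOURS_PER_WEEK) if slot in grid)
        print(f"{label}: {permitted} of {HOURS_PER_WEEK} hour slots permitted")
```

Whether a timestamp outside the grid causes NPS to move on to the next policy or to reject the request outright depends on where you placed the restriction: as a condition it is a mismatch (evaluation continues), as a constraint it is a denial (evaluation stops), as the text explains.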
RADIUS Attributes
Important: If you plan to return to RADIUS clients any additional RADIUS attributes or vendor-specific
attributes (VSAs) with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs
to the appropriate network policy.
RADIUS attributes are described in Request for Comments (RFC) 2865, RFC 2866, RFC 2867, RFC 2868, RFC
2869, and RFC 3162. RFCs and Internet drafts for VSAs define additional RADIUS attributes.
NAP. With NAP Enforcement, you can specify how you want to enforce NAP, remediation server
groups, troubleshooting URL, and auto-remediation.
Routing and Remote Access. Includes Multilink and Bandwidth Allocation Protocol (BAP), IP filters,
encryption, and IP settings.
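The RADIUS attributes and vendor-specific attributes (VSAs) that a network policy returns in its responses are carried in the Type-Length-Value format of RFC 2865, with VSAs nested inside attribute 26. The following is an added example, not code from the course or from NPS, that encodes a small Access-Accept attribute list and decodes it again in Python. The attribute type numbers are the RFC 2865 values; the Microsoft vendor ID (311) and the MS-MPPE-Encryption-Policy vendor type (7, value 2 meaning Encryption-Required) are from RFC 2548; the addresses, timeouts and filter name are constructed sample values. The decoder refuses any attribute whose length field is below 2 or runs past the end of the buffer, the classic malformed-packet case a RADIUS parser has to handle.

```python
import socket
import struct
from typing import Any, Dict, List, Tuple

# Attribute type numbers from RFC 2865
FRAMED_IP_ADDRESS = 8
FILTER_ID = 11
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
IDLE_TIMEOUT = 28
# Vendor values from RFC 2548
MICROSOFT_VENDOR_ID = 311
MS_MPPE_ENCRYPTION_POLICY = 7
ENCRYPTION_REQUIRED = 2


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_integer(attr_type: int, n: int) -> bytes:
    return encode_attribute(attr_type, struct.pack("!I", n))


def encode_ipv4(attr_type: int, dotted: str) -> bytes:
    return encode_attribute(attr_type, socket.inet_aton(dotted))


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id (4 bytes) then one sub-attribute
    Vendor-Type (1), Vendor-Length (1, header included), data (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def _decode_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def decode_attributes(blob: bytes) -> List[Tuple[int, Any]]:
    """Walk the attribute list; a length under 2 or past the buffer end is rejected
    rather than looping forever or reading out of bounds."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        value = blob[pos + 2:pos + length]
        out.append((attr_type, _decode_vsa(value) if attr_type == VENDOR_SPECIFIC else value))
        pos += length
    return out


def is_well_formed(blob: bytes) -> bool:
    try:
        decode_attributes(blob)
        return True
    except ValueError:
        return False


def build_access_accept_attributes() -> bytes:
    """Constructed attribute list a VPN network policy might return to the RRAS server."""
    return b"".join([
        encode_ipv4(FRAMED_IP_ADDRESS, "10.10.0.60"),
        encode_integer(SESSION_TIMEOUT, 28800),      # 8 hours, in seconds
        encode_integer(IDLE_TIMEOUT, 900),           # 15 minutes, in seconds
        encode_attribute(FILTER_ID, b"restricted-network"),
        encode_vsa(MICROSOFT_VENDOR_ID, MS_MPPE_ENCRYPTION_POLICY,
                   struct.pack("!I", ENCRYPTION_REQUIRED)),
    ])


def describe_access_accept(blob: bytes) -> Dict[str, Any]:
    """Decode the sample attribute list into readable fields."""
    names = {FRAMED_IP_ADDRESS: "Framed-IP-Address", FILTER_ID: "Filter-Id",
             SESSION_TIMEOUT: "Session-Timeout", IDLE_TIMEOUT: "Idle-Timeout"}
    result: Dict[str, Any] = {}
    for attr_type, value in decode_attributes(blob):
        if attr_type == FRAMED_IP_ADDRESS:
            result[names[attr_type]] = socket.inet_ntoa(value)
        elif attr_type in (SESSION_TIMEOUT, IDLE_TIMEOUT):
            result[names[attr_type]] = struct.unpack("!I", value)[0]
        elif attr_type == FILTER_ID:
            result[names[attr_type]] = value.decode("ascii")
        elif attr_type == VENDOR_SPECIFIC:
            vendor_id, subs = value
            result["Vendor-Specific"] = {"vendor_id": vendor_id,
                                         "subs": [(t, struct.unpack("!I", d)[0]) for t, d in subs]}
    return result
```

The attribute list is only the payload; a real RADIUS packet adds the 20-byte header (Code, Identifier, Length, Authenticator) and the shared-secret verification, which are outside the scope of this example.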
Key Points
In this demonstration, you will see how to create a VPN policy and test it.
Demonstration Steps:
Key Points
When NPS performs authorization of a connection request, it compares the request with each network
policy in the ordered list of policies, starting with the policy with the highest processing order and moving
down the list.
If NPS finds a network policy in which the conditions match the connection request, NPS uses the
matching network policy and the dial-in properties of the user account to perform the authorization.
If you configure the dial-in properties of the user account to grant or control access through network
policy, and the connection request is authorized, NPS applies the settings that you configure in the
network policy to the connection.
If NPS does not find a network policy that matches the connection request, NPS rejects the
connection unless the dial-in properties on the user account are set to grant access.
If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.
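The evaluation order described here and in the earlier discussion of conditions, constraints and settings (policies tried in processing order; unmatched conditions skip to the next policy; an unmet constraint rejects the request with no further policies evaluated; no match is a rejection unless the account's dial-in property grants access) can be written down as a small simulator. The following is an added example, not code from the course or from NPS itself; the policy and request attributes are constructed sample values, and the handling of the "Allow access" and "Deny access" dial-in settings follows the rules stated in the text rather than any NPS internals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class NetworkPolicy:
    """One rule in the ordered NPS policy list (constructed model)."""
    name: str
    enabled: bool = True            # Policy State
    grant_access: bool = True       # Access Permission: granted or denied
    ignore_dial_in: bool = False    # ignore user account dial-in properties
    conditions: Dict[str, object] = field(default_factory=dict)
    constraints: Dict[str, object] = field(default_factory=dict)
    settings: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    accepted: bool
    policy: Optional[str]           # name of the matching policy, if any
    reason: str
    settings: Dict[str, object] = field(default_factory=dict)


def _matches(required: Dict[str, object], request: Dict[str, object]) -> bool:
    """Every required attribute must be present with an equal value; a Groups
    requirement is satisfied when the request's group set contains that group."""
    for attr, wanted in required.items():
        have = request.get(attr)
        if attr == "Groups":
            if wanted not in (have or set()):
                return False
        elif have != wanted:
            return False
    return True


def authorize(policies: List[NetworkPolicy], request: Dict[str, object],
              dial_in: str = "Control access through NPS Network Policy") -> Decision:
    """Walk the policies in processing order and return the decision for one request."""
    for policy in policies:
        if not policy.enabled:
            continue                                   # disabled policies are never evaluated
        if not _matches(policy.conditions, request):
            continue                                   # conditions unmatched: try the next policy
        # First matching policy wins; later policies are disregarded from here on.
        if not _matches(policy.constraints, request):
            return Decision(False, policy.name, "constraint not met")
        if not policy.ignore_dial_in:
            if dial_in == "Deny access":
                return Decision(False, policy.name, "user dial-in property denies access")
            if dial_in == "Allow access":
                return Decision(True, policy.name, "user dial-in property grants access",
                                dict(policy.settings))
        if policy.grant_access:
            return Decision(True, policy.name, "policy grants access", dict(policy.settings))
        return Decision(False, policy.name, "policy denies access")
    # No policy matched: rejected unless the account itself is set to Allow access
    if dial_in == "Allow access":
        return Decision(True, None, "no policy matched; user dial-in property grants access")
    return Decision(False, None, "no policy matched")


VPN_NAS = "Remote Access Server (VPN-Dial-up)"

# Constructed policies, listed in processing order
POLICIES = [
    NetworkPolicy("Secure VPN",
                  conditions={"Policy Type": VPN_NAS, "Groups": "CONTOSO\\VPN Users"},
                  constraints={"Authentication Type": "MS-CHAP v2"},
                  settings={"Encryption": "Strongest", "Session-Timeout": 28800}),
    NetworkPolicy("Deny guest VPN", grant_access=False,
                  conditions={"Policy Type": VPN_NAS, "Groups": "CONTOSO\\Guests"}),
    NetworkPolicy("Legacy dial-up", enabled=False,
                  conditions={"Policy Type": VPN_NAS}),
]


def vpn_request(groups: Set[str], auth: str) -> Dict[str, object]:
    """A constructed connection request as the VPN server would present it to NPS."""
    return {"Policy Type": VPN_NAS, "Groups": groups, "Authentication Type": auth}


if __name__ == "__main__":
    for groups, auth in (({"CONTOSO\\VPN Users"}, "MS-CHAP v2"),
                         ({"CONTOSO\\VPN Users"}, "PAP"),
                         ({"CONTOSO\\Guests"}, "MS-CHAP v2"),
                         ({"CONTOSO\\Contractors"}, "MS-CHAP v2")):
        d = authorize(POLICIES, vpn_request(groups, auth))
        print(f"{sorted(groups)} / {auth}: accepted={d.accepted} via {d.policy} ({d.reason})")
```

The second sample request is the one worth noticing: a VPN Users member offering PAP matches the Secure VPN policy's conditions, fails its authentication constraint, and is rejected immediately, even though a later policy might otherwise have matched; that is why the lab places the Secure VPN policy first and why policy order matters.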
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5. Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. would like to implement a remote access solution for its employees, so they can connect to
the corporate network while away from the office. Contoso, Ltd. requires a network policy that mandates
that VPN connections are encrypted for security reasons. You are required to enable and configure the
necessary server services to facilitate this remote access.
For this project, you must complete the following tasks:
2. Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.
3. Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP
connections.
Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
3. Add the Network Policy and Access Services role with the following role services:
Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for
Remote Access clients.
2. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable
Routing and Remote Access.
d. On the IP Address Assignment page, select the From a specified range of addresses option.
e. On the Address Range Assignment page, create an address pool with 75 entries with a start
address of 10.10.0.60.
f. On the Managing Multiple Remote Access Servers page, accept the defaults.
Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25
L2TP connections.
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then
right-click Ports, and then click Properties.
Results: At the end of this exercise, you enabled routing and remote access on the NYC-EDGE1 server.
Constraints: Connections disallowed between 11 P.M. and 6 A.M. Monday through Friday
2. In the Network Policy Server console, create a new policy with the following settings:
f. Constraints: Day and time restrictions = 11 P.M. to 6 A.M. Monday through Friday, denied.
2. Ensure that the Secure VPN policy is the first in the list of any policies.
a. IP Address: 131.107.0.20
b. Password: Pa$$w0rd
c. Domain: Contoso
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Lesson 3
NAP enables you to create customized health-requirement policies to validate computer health before
allowing access or communication, as well as automatically update compliant computers to ensure
ongoing compliance and limit the access of noncompliant computers to a restricted network until they
become compliant.
NAP with VPN protection enables you to control access to your organization's private network based
on the health status of the VPN clients. It is important that you can configure NAP appropriately if you
wish to implement this protection.
Objectives
After completing this lesson, you will be able to:
Describe NAP.
Describe the advantages of using Network Access Protection with a VPN solution.
Key Points
NAP for Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista provides
components and an application programming interface (API) that help you enforce compliance with your
organization's health-requirement policies for network access or communication.
NAP enables you to create solutions for validating computers that connect to your networks, as well as
provide needed updates or access to needed health update resources and limit the access or
communication of noncompliant computers.
You can integrate NAP's enforcement features with software from other vendors or with custom
programs. You can customize the health-maintenance solution that developers within your organization
may develop and deploy, whether for monitoring the computers accessing the network for health policy
compliance, automatically updating computers with software updates to meet health policy requirements,
or limiting the access of computers that do not meet health policy requirements to a restricted network.
Remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the
health of your organization's networked computers automatically, which in turn helps maintain your
network's overall integrity. For example, if a computer has all the software and configuration settings that
the health policy requires, the computer is compliant and will have unlimited network access; however,
NAP does not prevent an authorized user with a compliant computer from uploading a malicious
program to the network or engaging in other inappropriate behavior.
Aspects of NAP
NAP has three important and distinct aspects:
Health state validation. When a computer attempts to connect to the network, the computer's
health state is validated against the health-requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated and the compliance state of each computer is logged for
analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies may
find their access limited to a restricted network.
Health policy compliance. You can help ensure compliance with health-requirement policies by
choosing to update noncompliant computers automatically with missing software updates or
configuration changes through management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers will have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically and you can define exceptions for computers that are not NAP compatible.
Limited access. You can protect your networks by limiting the access of noncompliant computers.
You can base limited network access on a specific amount of time or on what the noncompliant
computer can access. In the latter case, you define a restricted network containing health update
resources, and the limited access will last until the noncompliant computer comes into compliance.
You also can configure exceptions so that computers that are not compatible with NAP do not have
their network access limited.
Key Points
With NAP with VPN enforcement, a computer must be compliant to obtain unlimited network access
through a remote access VPN connection. For noncompliant computers, network access is limited through
a set of IP packet filters that the VPN server applies to the VPN connection.
VPN enforcement enforces health policy requirements every time a computer attempts to obtain a
remote access VPN connection to the network. VPN enforcement also actively monitors the health status
of the NAP client and applies the restricted network's IP packet filters to the VPN connection if the client
becomes noncompliant.
The components of VPN enforcement consist of NPS in Windows Server 2008 R2 and a VPN enforcement
client (EC) that is part of the remote access client in Windows 7, Windows Vista, Windows XP Service
Pack 3, and Windows Server 2008 R2. VPN enforcement provides strong limited network access for all
computers accessing the network through a remote access VPN connection.
Key Points
The components of a VPN enforcement solution consist of the following:
NAP clients. Computers that support the NAP platform for system health-validated network access
or communication.
NAP enforcement points. Computers or network-access devices that use NAP or that you can use
with NAP to require evaluation of a NAP client's health state and provide restricted network access or
communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to
evaluate the health state of NAP clients, determine whether network access or communication is allowed,
and determine the set of remediation actions that a noncompliant NAP client must perform. NAP
enforcement points include the following:
VPN server. This is a computer that runs Windows Server 2008 R2 and Routing and Remote
Access, and that enables VPN intranet connections via remote access.
DHCP server. This is a computer that runs Windows Server 2008 R2 and the DHCP Server service,
and that provides automatic IPv4 address configuration to intranet DHCP clients.
NAP health policy servers. These are computers that run Windows Server 2008 R2 and the NPS
service, and that store health-requirement policies and provide health-state validation for NAP. NPS is
the replacement for the Internet Authentication Service (IAS), the RADIUS server and proxy that
Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting
(AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS
typically runs on a separate server for centralized configuration of network access and
health-requirement policies. The NPS service also runs on Windows Server 2008 R2-based NAP
enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server.
However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS
messages with a NAP health policy server.
Health requirement servers. These are computers providing the current system health state for NAP
health policy servers. An example of these would be a health-requirement server for an antivirus
program that tracks the latest version of the antivirus signature file.
AD DS. This Windows directory service stores account credentials and properties and Group Policy
settings. Although not required for health-state validation, Active Directory is required for
IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
Remediation servers. These are computers that contain health update resources that NAP
clients can access to remediate their noncompliant state. Examples include antivirus signature
distribution servers and software update servers.
NAP clients with limited access. These are computers placed on the restricted network when
they do not comply with health-requirement policies.
Key Points
VPN enforcement uses a set of remote-access IP packet filters to limit VPN client traffic so that it can
reach only the resources on the restricted network. The VPN server applies the IP packet filters to the IP
traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a
configured packet filter.
1. VPN Initiation. The VPN client initiates a connection to the VPN server. The VPN server requests that
the VPN client identify itself. The NAP enforcement client (EC) on the VPN client responds, providing
the VPN client's user name.
2. Request SSoH. The VPN server sends this response to the NAP health policy server. The NAP health
policy server contacts the VPN client, and the two exchange a series of messages to negotiate a
secure session. Then the NAP health policy server sends a System Statement of Health (SSoH) request
to the VPN client.
3. Generate SSoH. The VPN NAP EC on the client queries the local NAP Agent for the SSoH and passes
it to the NAP health policy server.
4. Authentication. The NAP health policy server requests that the VPN client authenticate itself, and the
VPN client authenticates itself to the NAP health policy server.
5. Generate SoHR. The NPS service on the NAP health policy server passes the SSoH to the NAP
Administration Server component, which in turn passes it to the appropriate System Health Validators
(SHVs). The SHVs analyze their SoH contents and return Statements of Health Response (SoHRs) to the
NAP Administration Server, which in turn passes them to the NPS service.
6. Compare SoHR with health policies. The NPS service compares the SoHRs with the configured
health policies, creates the SSoHR, and then sends the SSoHR to the VPN client.
7. Determine access. The NPS service sends a RADIUS Access-Accept message to the VPN server:
If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP
packet filters that limit the VPN client to the restricted network.
If the VPN connection is unlimited, the RADIUS Access-Accept message does not contain IP
packet filters to limit network access. After the VPN connection completes, the NAP client will
have unlimited network access.
8. Complete connection. The VPN client and VPN server complete the VPN connection.
If the VPN client is noncompliant, the VPN connection has the packet filters applied, and the VPN client
can reach only the resources on the restricted network.
Lesson 4
To ensure the correct configuration of VPN enforcement with NAP, you must understand which
components you must deploy and how to configure the required settings.
Objectives
After completing this lesson, you will be able to:
Key Points
SHAs and SHVs, which are NAP infrastructure components, provide health-state tracking and validation.
Windows 7 includes a Windows Security Health Validator SHA that monitors the Windows Security Center
settings. Windows Server 2008 R2 includes a corresponding Windows Security Health Validator SHV. NAP
is designed to be flexible and extensible, and interoperates with any vendor's software that provides SHAs
and SHVs that use the NAP API.
An SHV receives a SoH from the NAP Administration Server and compares the system health status
information in the SoH with the required system health state. For example, if the SoH is from an antivirus
SHA and contains the last virus-signature file version number, the corresponding antivirus SHV can check
with the antivirus health requirement server for the latest version number to validate the NAP client's SoH.
The SHV returns a SoHR to the NAP Administration Server. The SoHR can contain information about how
the corresponding SHA on the NAP client can meet current system-health requirements. For example, the
SoHR that the antivirus SHV sends could instruct the NAP client's antivirus SHA to request the latest
version, by name or IP address, of the antivirus signature file from a specific antivirus signature server.
Key Points
Health policies consist of one or more SHVs and other settings that allow you to define client-computer
configuration requirements for the NAP-capable computers that attempt to connect to your network.
When NAP-capable clients attempt to connect to the network, the client computer sends a SoH to the
NPS. The SoH is a report of the client configuration state, and NPS compares the SoH with the
requirements that the health policy defines. If the client configuration state does not match the
requirements that the health policy defines, NPS takes one of the following actions, depending on the
NAP configuration:
- It places the NAP client on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance, NPS enables it to connect.
- It allows the NAP client to connect to the network despite its noncompliance with health policy.
You can define NPS client-health policies by adding one or more SHVs to the health policy.
After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition
of a network policy that you want to use to enforce NAP when client computers attempt connection to
your network.
Key Points
A remediation server group is a list of restricted network servers that provide resources that bring
noncompliant NAP-capable clients into compliance with your defined client health policy.
A remediation server hosts the updates that NAP agent can use to bring noncompliant client computers
into compliance with health policy, as NPS defines. For example, a remediation server can host antivirus
signatures. If health policy requires that client computers have the latest antivirus definitions, the
following work together to update noncompliant computers: an antivirus SHA, an antivirus SHV, an
antivirus policy server, and the remediation server.
Key Points
To correctly establish VPN NAP enforcement, you must complete the following high-level configuration tasks.
- RADIUS clients. If you deployed Routing and Remote Access on a separate server computer, you must configure the NAP VPN server as a RADIUS client in NPS.
- Protected Extensible Authentication Protocol (PEAP) is configured to enable health checks and allow secure password or certificate-based authentication.
- Compliant network policy conditions are set to require the client to match the compliant health policy.
- Noncompliant network policy conditions are set to require the client to match the noncompliant health policy.
- Non-NAP-capable network policy conditions are set to require that the client is not NAP-capable.
- Access settings: Full access is granted for compliant computers. In full enforcement mode, limited access is granted for noncompliant computers. Either full or limited access is granted for non-NAP-capable computers. If remediation server groups are not used, IP filters are configured in noncompliant policy settings and, optionally, in non-NAP-capable policy settings to provide restricted access.
- System health validators. Error codes are configured, and depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.
- Remediation server groups. Remediation server groups are required if IP filters are not used to configure restricted access settings.
- Authentication provider. If the NAP VPN server and the NAP health policy server are on different computers, you must configure the NAP VPN server for RADIUS authentication by using the NAP health policy server.
- Authentication methods. Configure the NAP VPN server to allow the PEAP authentication method.
- Client address assignment. Choose whether to assign VPN clients an IPv4 address by using DHCP or a static address pool.
- NAP Agent service. You can start the NAP Agent service by using either Group Policy or local policy settings.
- VPN connection. You must configure a VPN connection on each client computer. You must configure logon security settings to use Protected Extensible Authentication Protocol (PEAP) with either MSCHAP v2 or certificate-based authentication.
- Quarantine checks. When configuring client PEAP properties in the advanced security settings of the VPN connection, you must select the Enable Quarantine checks check box.
- Remote access enforcement client. You can enable the remote access enforcement client with either Group Policy or local policy settings.
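As an added example (not code from the course or from Microsoft), the following Python model walks through the NPS side of the enforcement process, health policies and configuration tasks described above: the SHV turns the client's SoH into a SoHR, NPS matches it against the Compliant and Noncompliant health policies, and the RADIUS Access-Accept either carries the restrictive IP filters or none. The policy names, the firewall check and the remediation server address 10.10.0.10 are the lab's values; the SoH attribute names and the handling of non-NAP-capable clients are assumptions.

```python
"""NPS decision for NAP VPN enforcement, modelled in Python.

Added example, not code from the course or from Microsoft. Health policy and
network policy names, the firewall requirement and the remediation server
address 10.10.0.10 follow the lab; SoH attribute names are assumptions.
"""
from dataclasses import dataclass, field

# Windows Security Health Validator requirements (lab: only the firewall check
# is enabled; the antivirus check is switched on in a later lab task).
WSHV_REQUIREMENTS = {
    "firewall_enabled": True,   # "A firewall is enabled for all network connections"
    "antivirus_on": False,      # "An antivirus application is on" (not required yet)
}

# Remediation server on the restricted network (lab value).
REMEDIATION_SERVER = "10.10.0.10"


@dataclass
class SoHR:
    """Statement of Health Response produced by one SHV."""
    shv: str
    compliant: bool
    failed_checks: list = field(default_factory=list)


def wshv_validate(soh, requirements=WSHV_REQUIREMENTS):
    """Windows Security Health Validator: compare the SHA's SoH with the
    required health state and report which required checks failed."""
    failed = [check for check, required in requirements.items()
              if required and not soh.get(check, False)]
    return SoHR("Windows Security Health Validator", not failed, failed)


def restricted_filters(server=REMEDIATION_SERVER):
    """IP filters of the Noncompliant-Restricted network policy: an IPv4
    input filter whose destination is the remediation server and an IPv4
    output filter whose source is the remediation server. The VPN server
    silently discards every packet that matches no filter."""
    return [
        {"direction": "input", "destination": f"{server}/255.255.255.255"},
        {"direction": "output", "source": f"{server}/255.255.255.255"},
    ]


def nps_evaluate(ssoh, nap_capable=True):
    """Return the RADIUS Access-Accept attributes NPS sends to the VPN server.

    ssoh: the System SoH assembled by the NAP Agent, one SoH per SHA, keyed
    by SHA name (None if the client sent nothing). nap_capable=False models
    a client without a NAP Agent, matched by the non-NAP-capable policy.
    """
    if not nap_capable:
        # The lesson allows full or limited access here; this model applies
        # the limited-access option with the same filters (assumption).
        return {"policy": "NonNAPCapable-Restricted", "access": "limited",
                "filters": restricted_filters(), "sohrs": []}
    sohs = ssoh or {}
    sohrs = [wshv_validate(sohs.get("Windows Security Health Agent", {}))]
    if all(r.compliant for r in sohrs):
        # Compliant health policy matched: no filters, full network access.
        return {"policy": "Compliant-Full-Access", "access": "full",
                "filters": [], "sohrs": sohrs}
    # Noncompliant health policy matched: filters limit the client to the
    # restricted network; the lab leaves auto-remediation switched off.
    return {"policy": "Noncompliant-Restricted", "access": "limited",
            "filters": restricted_filters(), "sohrs": sohrs,
            "auto_remediation": False}


def vpn_server_allows(decision, dst_ip):
    """Apply the Access-Accept the way the VPN server does: with no filters
    everything passes; otherwise only listed input destinations pass."""
    if not decision["filters"]:
        return True
    return any(f.get("destination", "").split("/")[0] == dst_ip
               for f in decision["filters"] if f["direction"] == "input")


if __name__ == "__main__":
    # Constructed SSoHs: one healthy client, one with its firewall disabled.
    healthy = {"Windows Security Health Agent": {"firewall_enabled": True}}
    sick = {"Windows Security Health Agent": {"firewall_enabled": False}}
    for label, ssoh in (("healthy", healthy), ("sick", sick)):
        d = nps_evaluate(ssoh)
        print(label, d["policy"], [r.failed_checks for r in d["sohrs"]],
              "10.10.0.10:", vpn_server_allows(d, "10.10.0.10"),
              "10.10.0.1:", vpn_server_allows(d, "10.10.0.1"))
```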
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
1.
2.
3.
4.
5.
Key Points
You should remember these basic guidelines when you configure NAP clients:
- Some NAP deployments that use Windows Security Health Validator require that you enable Security Center. For example, both Windows Vista and Windows XP with SP3 require Security Center to be enabled.
- The Network Access Protection service is required when you deploy NAP to NAP-capable client computers. By default, it is not started.
- You also must configure the NAP enforcement clients on the NAP-capable computers.
To turn on Security Center by using local policy:
1. Open the Group Policy Management console, and then click Add.
2. In the Select Group Policy Object dialog box, click Finish, and then click OK.
3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.
4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
To configure the Network Access Protection Agent service to start automatically:
1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then double-click Services.
2. In the services list, scroll down, and double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup Type to Automatic, and then click OK.
4. Click Start.
To enable or disable a NAP enforcement client:
1. Open the NAP client configuration console. To do this, click Start, click All Programs, click Accessories, click Run, type NAPCLCFG.MSC, and then click OK.
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to enable or disable, and then click Enable or Disable.
Note: To perform this procedure, you must be a member of the Administrators group on the local
computer, or you must have been delegated the appropriate authority. If the computer is joined to a
domain, members of the Domain Admins group might be able to perform this procedure. As a security
best practice, consider performing this procedure by using the Run as command.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Contoso, Ltd. is required to extend its virtual private network solution to include Network Access
Protection.
There have been a number of problems with users connecting to the Contoso network with a VPN from
their unmanaged home computers. It is important to ensure that these computers are in compliance with
Contoso health policies.
As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers
automatically into compliance. You will do this by using Network Policy Server, creating client compliance
policies, and configuring a NAP server to check the current health of computers.
2.
3. Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server.
4.
2.
3. From the Certificate Templates console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5.
2. Add the Certificates snap-in with the focus on the local computer account.
3.
4. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
5.
6.
7. Using Server Manager, install the NPS Server with the following role services: Network Policy Server and Remote Access Service.
8.
9. Under Network Access Protection, open Default Configuration for the Windows Security Health Validator.
10. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
11. Create a health policy with the following settings:
   a. Name: Compliant
b.
c.
Name: Noncompliant
b.
c.
Name: Compliant-Full-Access
b.
c.
d.
Name: Noncompliant-Restricted
b.
c.
Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.
   d. Settings:
      i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected.
      ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
   b.
   c.
   d.
   e. Authentication methods:
      i. Select Override network policy authentication settings.
      ii. Add Microsoft: Protected EAP (PEAP).
      iii. Add Microsoft: Secured password (EAP-MSCHAP v2).
   f. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server
1.
2.
3.
   b.
   c. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.
   d.
   e. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.
4. In the Network Policy Server, click the Connection Request Policies node and disable Microsoft Routing and Remote Access Service Policy. This was created automatically when Routing and Remote Access was enabled.
5. Close the Network Policy Server management console and the Routing and Remote Access console.
2.
Type: Custom
b.
All programs
c.
3.
d.
Default scope
e.
f.
Default profile
g.
Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.
2.
3.
4.
2. Open the Local Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.
3.
2.
3.
4. Run services.msc and configure the Network Access Protection Agent service for automatic startup.
5.
6.
2. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection Internet Protocol Version 4 (TCP/IPv4) settings:
   a. IP address: 131.107.0.20
b.
c.
d.
b.
c.
d.
2.
   e. Password: Pa$$word
   f. Domain: CONTOSO
After you have created the VPN, modify its settings by viewing the properties of the connection and
then selecting the Security tab. Use the following settings to reconfigure the VPN:
a.
b.
3.
4. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect.
b.
   c. View the details of the Windows Security Alert. Ensure that the correct certificate information is displayed and then click Connect.
Verify that your computer meets the health requirements of the NAP policy:
   a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
   b. Ping 10.10.0.10.
5.
6.
   b. Modify the Default Configuration of the Windows Security Health Validator so that the An antivirus application is on check box is selected on the Windows 7/Windows Vista tab.
7.
8.
Verify that your computer does not meet the health requirements of the NAP policy:
9.
   a. Verify that a message is displayed in the Action Center that states that the computer doesn't meet security standards.
   b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
1.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3.
4.
Lesson 5
Overview of DirectAccess
Organizations often rely on VPN connections to provide remote users with secure access to data and
resources on the corporate network. VPN connections are easy to configure and are supported by
different clients. However, a VPN connection must first be established, and it may require additional
configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire
corporate network. Moreover, organizations cannot effectively manage remote computers. To overcome
such limitations in VPN connections, organizations can implement DirectAccess, available in Windows
Server 2008 R2 and Windows 7, to provide a seamless connection between the internal network and the
remote computer whenever there is Internet connectivity. Using DirectAccess, organizations can easily
manage remote computers.
Objectives
After completing this lesson, you will be able to:
Key Points
What are some of the challenges you face when implementing VPNs?
What Is DirectAccess?
Key Points
Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless
remote access to intranet resources without establishing the VPN connection first. The DirectAccess
feature also ensures seamless connectivity on application infrastructure for internal users and remote
users.
Unlike VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables
any application on the client computer to have complete access to intranet resources. DirectAccess also
enables you to specify resources and client-side applications that are restricted for remote access.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers, using the same management and update servers, to ensure they are always up to date and
in compliance with security and system health policies. You can also define more detailed access control
policies for remote access when compared with defining access control policies in VPN solutions.
DirectAccess is designed with the following benefits:
- Always-on connectivity. Whenever the user connects the client computer to the Internet, the client computer is connected to the intranet also. This connectivity enables remote client computers to access and update applications easily. It also makes intranet resources always available and enables users to connect to the corporate intranet from anywhere and anytime, thereby improving their productivity and performance.
- Bidirectional access. DirectAccess can be configured so that DirectAccess clients not only have access to intranet resources, but also have access from the intranet to those DirectAccess clients. Therefore, DirectAccess can be bidirectional so that DirectAccess users have access to intranet resources, and you can have access to DirectAccess clients when they are connecting over a public network. This ensures that the client computers are always updated with recent security patches, the domain Group Policy is enforced, and there is no difference whether users are on the corporate intranet or on the public network.
  This bidirectional access also results in:
  - Increased security.
- Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control remote users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so that users can ensure that their communication is safe. You can use a granular policy to define who can use DirectAccess and from where.
- Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.
Key Points
To deploy and configure DirectAccess, your organization must support the following infrastructure
components.
DirectAccess Server
- The server must have at least two physical network adapters installed, one connected to the Internet and the other to the intranet.
- The server must have at least two consecutive static, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
On the DirectAccess server, you can install the DirectAccess Management Console feature by using Server
Manager. You can use the DirectAccess Management Console to configure DirectAccess settings for the
DirectAccess server and clients and monitor the status of the DirectAccess server. You may need more
than one DirectAccess server, depending on the deployment and scalability requirements.
DirectAccess Clients
To deploy DirectAccess, you also need to ensure that the client meets certain requirements:
- The client should be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2.
- The client must have a relevant computer certificate with which to identify itself.
Note: You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or
other earlier versions of Windows operating systems.
DirectAccess Servers
Generally installed in the perimeter network, these servers provide intranet connectivity for DirectAccess
clients on the Internet.
PKI
You must implement a PKI to issue computer certificates for authentication, and where desirable, health
certificates when using NAP. You need not implement public certificates.
Group Policy
Although not required, it is easier to use Group Policy to provide for centralized administration and
deployment of DirectAccess settings instead of relying on the Netsh command-line tool. The DirectAccess
Setup Wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
DNS Server
At least one running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix
(http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a third-party DNS
server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP).
Key Points
To separate Internet traffic from Intranet traffic for DirectAccess, Windows Server 2008 R2 and Windows 7
include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS
namespace, rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace
and configuration settings that describe the DNS client's behavior for that namespace. When a
DirectAccess client is on the Internet, each name query request is compared with the namespace rules
stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT
rule.
If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS
servers configured in the TCP/IP settings for the specified network interface. For a remote client, the DNS
servers will typically be the Internet DNS servers configured through the Internet service provider (ISP).
For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers
configured through Dynamic Host Configuration Protocol (DHCP).
Single-label names, such as http://internal, will typically have configured DNS search suffixes appended to
the name before they are checked against the NRPT.
If no DNS search suffixes are configured and the single-label name does not match any other single-label
name entry in the NRPT, the request will be sent to the DNS servers specified in the client's TCP/IP
settings.
Namespaces, for example, internal.contoso.com, are entered into the NRPT, followed by the DNS servers
to which requests matching that namespace should be directed. If an IP address is entered for the DNS
server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need
not specify any additional security for such configurations. However, if a name is specified for the DNS
server, such as dns.contoso.com in the NRPT, the name must be publicly resolvable when the client
queries the DNS servers specified in its TCP/IP settings.
The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources
and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for
name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the
Internet.
Some names need to be treated differently with regards to name resolution; these names should not be
resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers
specified in the client's TCP/IP settings, you must add them as NRPT exemptions.
NRPT is controlled through Group Policy. When the computer is configured to use NRPT, the name
resolution mechanism first tries to use the local name cache, second the hosts file, then NRPT, and finally
sends the query to the DNS servers specified in the TCP/IP settings.
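The NRPT lookup just described, as an added Python model that is not Microsoft's implementation: it applies the cache, hosts file, NRPT and interface-DNS order, completes single-label names with the DNS search suffixes before checking the NRPT, honours exemption rules, and drops the DirectAccess rules once the client has determined it is on the intranet. The rule order (most specific first), the namespaces and the server addresses are constructed assumptions.

```python
"""NRPT-based name resolution on a DirectAccess client, modelled in Python.

Added example, not Microsoft's implementation. Namespaces, rule order and
server addresses below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NrptRule:
    """One NRPT rule: a namespace (".suffix" matches every name under it,
    a bare FQDN matches exactly) and either intranet DNS servers or an
    exemption that sends the query to the interface-configured servers."""
    namespace: str
    dns_servers: tuple = ()
    exemption: bool = False

    def matches(self, fqdn):
        fqdn = fqdn.rstrip(".").lower()
        ns = self.namespace.lower()
        if ns.startswith("."):
            return fqdn.endswith(ns)
        return fqdn == ns


class DnsClient:
    def __init__(self, nrpt, search_suffixes, interface_dns, cache=None, hosts=None):
        self.nrpt = list(nrpt)                    # listed most specific first (assumption)
        self.search_suffixes = list(search_suffixes)
        self.interface_dns = list(interface_dns)  # ISP servers when remote, intranet when local
        self.cache = dict(cache or {})
        self.hosts = dict(hosts or {})
        self.on_intranet = False

    def set_location(self, on_intranet):
        """Outcome of network location detection: on the intranet the
        DirectAccess rules are removed from the active table."""
        self.on_intranet = on_intranet

    def _active_rules(self):
        return [] if self.on_intranet else self.nrpt

    def _candidates(self, name):
        """Single-label names get the search suffixes appended before the
        NRPT is consulted; names containing a dot are checked as given."""
        if "." in name.rstrip("."):
            return [name]
        return [f"{name}.{s}" for s in self.search_suffixes] or [name]

    def resolve(self, name):
        """Return where the query is answered and which servers receive it."""
        if name in self.cache:
            return {"source": "cache", "answer": self.cache[name]}
        if name in self.hosts:
            return {"source": "hosts", "answer": self.hosts[name]}
        for candidate in self._candidates(name):
            for rule in self._active_rules():
                if not rule.matches(candidate):
                    continue
                if rule.exemption:
                    # Exemption (for example the network location server or
                    # the CRL host): use the interface-configured servers.
                    return {"source": "nrpt-exemption", "name": candidate,
                            "servers": self.interface_dns}
                # Namespace rule: send over the DirectAccess connection to
                # the intranet DNS servers listed in the rule.
                return {"source": "nrpt", "name": candidate,
                        "servers": list(rule.dns_servers)}
        # No NRPT match: the query goes to the interface-configured servers.
        return {"source": "interface", "name": self._candidates(name)[0],
                "servers": self.interface_dns}


if __name__ == "__main__":
    # Constructed table: NLS exemption first, then the intranet namespace.
    table = [NrptRule("nls.contoso.com", exemption=True),
             NrptRule(".contoso.com", dns_servers=("2001:db8:1::10",))]
    client = DnsClient(table, ["contoso.com"], ["203.0.113.53"])
    for n in ("nls.contoso.com", "internal", "www.example.com"):
        print(n, client.resolve(n))
```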
Key Points
The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name.
2. The DirectAccess client accesses the HTTPS-based URL of the network location server, during which it obtains the certificate of the network location server.
3. Based on the Certificate Revocation List (CRL) Distribution Points field of the network location server's certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to determine if the network location server's certificate has been revoked.
4. Based on an HTTP 200 Success response from the network location server URL (successful access and certificate authentication and revocation check), the DirectAccess client removes the DirectAccess rules in the NRPT.
5. The DirectAccess client computer attempts to locate and log on to the AD DS domain using its computer account. Because there are no longer any DirectAccess rules in the NRPT, all DNS queries are sent via interface-configured DNS servers (intranet DNS servers).
6. Based on the successful computer logon to the domain, the DirectAccess client assigns the Domain profile to the attached network. Because the DirectAccess connection security tunnel rules are scoped for the Public and Private profiles, they are removed from the list of active Connection Security rules.
The DirectAccess client has successfully determined that it is connected to its intranet and does not use
DirectAccess settings (NRPT rules or Connection Security tunnel rules). It can access intranet resources
normally. It can also access Internet resources through normal means, such as a proxy server (not shown).
Key Points
When a DirectAccess client starts, it assumes that it is not connected to the intranet. The NRPT has DirectAccess-based rules, and Connection Security rules for DirectAccess tunnels are active. Internet-connected DirectAccess clients use the following process to connect to intranet resources:
1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an Internet-based DNS server). The Internet DNS server cannot resolve the name.
2.
3. Because the network location server was not found, the DirectAccess client applies the Public or Private profile to the attached network.
4. The Connection Security tunnel rules for DirectAccess, scoped for the Public and Private profiles, remain.
The DirectAccess client has the NRPT rules and Connection Security rules to access intranet resources across the Internet through the DirectAccess server.
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name query addressed to the IPv6 address of the intranet DNS server and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a Connection Security rule corresponding to the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its NTLM credentials.
4. The DirectAccess client sends the DNS name query through the infrastructure tunnel to the DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server, which responds. The DNS name query response is sent back to the DirectAccess server and back through the infrastructure tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the infrastructure tunnel.
1. The application or process attempting to communicate constructs a message or payload and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address matches the Connection Security rule corresponding to the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resource, which responds. The response is sent back to the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Subsequent intranet access traffic, which does not match an intranet destination in the infrastructure tunnel Connection Security rule, goes through the intranet tunnel.
1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS Client service constructs the DNS name query addressed to the IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process constructs the first packet to send to the Internet resource. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
6. Because the destination IP address of the packet does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Subsequent Internet resource traffic, which does not match a destination in either the infrastructure or the intranet tunnel Connection Security rules, is sent and received normally.
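The Connection Security rule check that the three procedures above share, as an added Python model (not Microsoft's code): for a destination address it decides whether the packet goes through the infrastructure tunnel, the intranet tunnel, or is sent normally, and which credentials the client presents for that tunnel. The IPv6 prefixes are constructed, and the Domain-profile case (tunnel rules removed) follows the intranet connection process described earlier.

```python
"""Outgoing-packet path selection on a DirectAccess client, modelled in Python.

Added example, not Microsoft's code. Prefixes are constructed. The two
Connection Security rules are the ones the lesson describes: the
infrastructure tunnel covers the intranet DNS servers and domain controllers
(computer certificate + NTLM computer credentials); the intranet tunnel covers
the entire intranet IPv6 space (computer certificate + user Kerberos).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRule:
    name: str
    endpoints: tuple   # ip_network objects matched by this rule
    auth: tuple        # credentials the client presents for the tunnel


def build_rules(infra_hosts, intranet_prefix):
    """Connection Security rules scoped to the Public and Private profiles.
    The infrastructure rule is listed first because its endpoints also lie
    inside the intranet prefix and must win for DNS and domain logon."""
    return [
        TunnelRule("infrastructure",
                   tuple(ipaddress.ip_network(h) for h in infra_hosts),
                   ("computer certificate", "NTLM (computer account)")),
        TunnelRule("intranet",
                   (ipaddress.ip_network(intranet_prefix),),
                   ("computer certificate", "Kerberos (user account)")),
    ]


def select_path(dst, rules, profile="Public"):
    """Return (path, auth): path is a tunnel name or "normal"."""
    if profile == "Domain":
        # On the intranet the client has detected its location and the
        # tunnel rules are removed: everything is sent normally.
        return ("normal", ())
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        # An IPv4 Internet destination never matches an IPv6 network.
        if any(addr in net for net in rule.endpoints):
            return (rule.name, rule.auth)
    return ("normal", ())


if __name__ == "__main__":
    rules = build_rules(["2001:db8:1::10/128", "2001:db8:1::20/128"], "2001:db8::/32")
    for dst in ("2001:db8:1::10", "2001:db8:5::7", "203.0.113.5"):
        print(dst, select_path(dst, rules))
```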
Key Points
The following information describes how a DirectAccess client determines its network location.
Intranet Detection
When a DirectAccess client experiences a significant network change event, such as a change in link status
or a new IP address, the DirectAccess client assumes that it is not on the intranet and uses DirectAccess
rules in the NRPT to determine the location to send DNS name queries. Then, the DirectAccess client
attempts to resolve the fully qualified domain name (FQDN) in the URL for the network location server.
Because the NRPT has active rules for DirectAccess, the FQDN should either match an exemption rule or
no rule in the NRPT so that the DirectAccess client uses interface-configured DNS servers. If a DirectAccess
client is not on the intranet, it will not be able to successfully resolve the FQDN of the network location
server, and the name resolution will fail.
If the FQDN resolution is successful, the DirectAccess client attempts to connect to the network location
server. When the DirectAccess client successfully accesses the HTTPS-based URL of the network location
server, it determines that it is on the intranet. The DirectAccess client then removes the DirectAccess NRPT
rules from the active table and uses interface-configured DNS servers to resolve all names. If the
DirectAccess client cannot access the network location server or its FQDN resolution is not successful, the
DirectAccess client assumes that it is on the Internet and establishes a DirectAccess connection.
To reduce the traffic on the corporate network, DirectAccess separates intranet traffic from Internet traffic.
Most VPNs send all traffic, including traffic that is destined for the Internet, through the VPN, which
reduces both intranet and Internet access speed. DirectAccess does not reduce the Internet access speed,
because communications to the Internet do not have to travel to the corporate network and back to the
Internet.
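The following Windows PowerShell script is an added example, not part of the course text. It simulates the two decisions described above: which DNS server a name is sent to (the NRPT lookup, including the exemption that lets the network location server name fall through to interface-configured DNS) and whether the client is on the intranet (resolve the NLS name, then probe its HTTPS URL). The NRPT rules, the DNS64 address, the host names and the NLS URL are constructed assumptions.

```powershell
# Added example (not from the course text). Simulates the DirectAccess client's
# NRPT lookup and its network location detection. All names and addresses below
# are constructed assumptions.

# Constructed NRPT. A suffix rule (leading '.') sends every name under
# corp.contoso.com to the intranet DNS server reachable through the tunnel; the
# exemption for the NLS name has no DNS servers, so that name falls back to the
# interface-configured DNS servers, as the intranet-detection text requires.
$Nrpt = @(
    @{ Namespace = '.corp.contoso.com';    DnsServers = @('2001:db8::1'); Exemption = $false },  # 2001:db8::1 = assumed DNS64 address
    @{ Namespace = 'nls.corp.contoso.com'; DnsServers = @();              Exemption = $true  }
)

function Resolve-NrptRule {
    param([string]$Fqdn, [array]$Rules)
    # The most specific (longest) matching namespace wins, so the exact-name
    # exemption overrides the broader suffix rule that would otherwise match.
    $best = $null
    foreach ($r in $Rules) {
        $ns = $r.Namespace.ToLower(); $f = $Fqdn.ToLower()
        if ($ns.StartsWith('.')) { $hit = $f.EndsWith($ns) } else { $hit = ($f -eq $ns) }
        if ($hit -and ($best -eq $null -or $ns.Length -gt $best.Namespace.Length)) { $best = $r }
    }
    $best
}

function Get-DnsTarget {
    param([string]$Fqdn, [array]$Rules)
    $rule = Resolve-NrptRule -Fqdn $Fqdn -Rules $Rules
    if ($rule -eq $null -or $rule.Exemption) { 'interface-configured DNS servers' }
    else { 'intranet DNS through the tunnel: ' + ($rule.DnsServers -join ', ') }
}

function Test-NetworkLocation {
    param([string]$NlsUrl, [array]$Rules)
    $fqdn = ([uri]$NlsUrl).Host
    $rule = Resolve-NrptRule -Fqdn $fqdn -Rules $Rules
    if ($rule -ne $null -and -not $rule.Exemption) {
        # The NLS name would be sent through the tunnel, so intranet detection could never succeed.
        return 'Misconfigured: NLS name matches a DirectAccess NRPT rule without an exemption'
    }
    try { $null = [System.Net.Dns]::GetHostAddresses($fqdn) } catch { return 'Internet (NLS name does not resolve)' }
    try {
        # HTTPS probe. Certificate validation stays on: the real client validates the NLS certificate too.
        $req = [System.Net.HttpWebRequest]::Create($NlsUrl)
        $req.Method = 'HEAD'; $req.Timeout = 5000
        $req.GetResponse().Close()
        return 'Intranet (NLS reachable over HTTPS)'
    } catch { return 'Internet (NLS not reachable: ' + $_.Exception.Message + ')' }
}

# Constructed queries: an intranet host, the NLS itself, and an Internet host.
foreach ($name in 'sharepoint.corp.contoso.com', 'nls.corp.contoso.com', 'www.contoso.com') {
    '{0,-30} -> {1}' -f $name, (Get-DnsTarget -Fqdn $name -Rules $Nrpt)
}
Test-NetworkLocation -NlsUrl 'https://nls.corp.contoso.com/insideoutside' -Rules $Nrpt
```

On a real DirectAccess client, compare the simulated rule table with the effective one from netsh namespace show effectivepolicy; the NLS name must show up as an exemption there, or the client will never detect the intranet.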
Configuring DirectAccess
Key Points
To configure DirectAccess, you need to complete the following tasks.

Configure DNS:

- Create a DNS host record for the Network Location Server for intranet DirectAccess clients.
- Create a DNS host record for the server that hosts the certificate revocation list in the intranet.
- On your public DNS server, create a DNS host record for the host that will provide access to the
  certificate revocation list for Internet-based DirectAccess clients.

Configure certificates:

- Create the certificate template and configure security settings on the template so that Authenticated
  Users can Enroll the certificate.
- Distribute the computer certificates. You can use Group Policy to do this by enabling autoenrollment.
Verify the client configuration:

- Verify that DirectAccess clients have the computer certificate required for DirectAccess authentication;
  this should have been distributed with Group Policy.
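The following script is an added example, not part of the course text, for the verification step above. It looks in the local computer store for a certificate that DirectAccess can use for IPsec computer authentication (private key present, in its validity period, Client Authentication EKU or no EKU) and builds its chain with online revocation checking, so an unreachable CRL host, which is what the DNS records above exist for, shows up as a chain error. The issuing CA name and the expiry threshold are assumptions.

```powershell
# Added example (not from the course text). Checks for a usable DirectAccess
# computer certificate and whether its CRL can be reached. The issuer name and
# the renewal threshold are assumptions.
function Test-DirectAccessClientCert {
    param(
        [string]$ExpectedIssuer = 'CN=ContosoCA, DC=contoso, DC=com',  # assumed issuing CA
        [int]$MinDaysRemaining = 30
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date
    $results = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey -or $cert.Issuer -ne $ExpectedIssuer) { continue }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) { continue }

        # A certificate with no EKU extension is valid for any purpose; otherwise
        # it must carry Client Authentication.
        $ekuExt = @($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
        $usable = ($ekuExt.Count -eq 0)
        foreach ($ext in $ekuExt) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $clientAuthOid) { $usable = $true } }
        }
        if (-not $usable) { continue }

        # Online revocation mode forces a CRL fetch; RevocationStatusUnknown or
        # OfflineRevocation in ChainStatus means the CRL host was not reachable.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk  = $chain.Build($cert)
        $status   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays

        $results += New-Object PSObject -Property @{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            DaysLeft    = $daysLeft
            ChainValid  = $chainOk
            ChainStatus = $status
            RenewSoon   = ($daysLeft -lt $MinDaysRemaining)
        }
    }
    if ($results.Count -eq 0) {
        Write-Warning "No usable computer certificate from '$ExpectedIssuer'. Check autoenrollment (gpupdate /force, then certutil -pulse)."
    }
    $results
}

Test-DirectAccessClientCert | Format-List
```

Run it on an Internet-connected client as well as on the intranet: a certificate that chains cleanly inside the network but reports RevocationStatusUnknown from outside points at the public CRL host record, not at the certificate.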
Review Questions
1. Your organization wishes to implement a cost-effective solution that interconnects two branch offices
   with your head office. How can you use VPNs in this scenario?
2. The IT manager in your organization is concerned about opening too many firewall ports to facilitate
   remote access from users working from home via a VPN. How could you meet the expectations of
   your remote users while allaying your manager's concerns?
3. You have a VPN server with two configured network policies. The first has a condition that grants
   access to members of the Contoso group, to which everyone in your organization belongs, but has a
   constraint of day and time restrictions for office hours only. The second policy has a condition of
   membership of the Domain Admins group and no constraints. Why are administrators being refused
   connections out of office hours, and what can you do about it?
4. On a client computer, what steps must you perform to ensure that it can be assessed for health?
Feature: DirectAccess
Description: Lets DirectAccess clients reach intranet resources from the Internet without starting a VPN
connection.

Feature: VPN Reconnect
Description: Automatically re-establishes a VPN connection when users temporarily lose their Internet
connections. This is particularly useful for users who implement wireless broadband solutions.
Tools

Tool           Use for                                           Where to find it
Services.msc   Managing Windows services                         Start > Run, or a command prompt
Gpedit.msc     Editing the local Group Policy                    Start > Run, or a command prompt
Mmc.exe        Management Console creation and management        Start > Run, or a command prompt
Gpupdate.exe   Refreshing Group Policy settings on the computer  Command prompt
Napclcfg.msc   Configuring the NAP client                        Start > Run, or a command prompt
Module 7
Managing Active Directory Domain Services
Contents:
Lesson 1: Overview of the Active Directory Infrastructure
Module Overview
Active Directory Domain Services (AD DS) and its related services form the foundation for enterprise
networks running Windows because they store information about the identities of users, computers, and
services; authenticate a user or computer; and provide a mechanism to access resources.
This module presents an overview of AD DS. You will review key concepts and directory services structure.
You will take a high-level look at the major components of AD DS and how they fit together. You will also
receive hands-on experience working with these components and their associated tools.
Objectives
After completing this module, you will be able to:
Manage groups.
Lesson 1: Overview of the Active Directory Infrastructure
Your Active Directory infrastructure is what ties your entire Windows computing environment together. At
the core of this infrastructure is AD DS. It manages communication and authentication between users and
computers, stores information about who can access information stored on servers, and manages
information about network resources and application-specific data from directory-enabled applications.
Objectives
After completing this lesson, you will be able to:
Key Points
Administrators can use AD DS to organize elements of a network, such as users, computers, and other
devices, into a hierarchical containment structure.
AD DS is not a physical entity in itself. It consists of several key components that work together to provide
Active Directory functionality to a Windows environment. The hierarchical containment structure includes
the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. All this
information is stored in the Active Directory database. A server that maintains a copy of this database for
the domain is called a domain controller.
Domain
Domains are the key building blocks of AD DS. They define boundaries within the Active Directory
infrastructure. A domain is a logical grouping of objects that share a common directory database and
domain namespace. This database contains information about users, groups, and computers that are part
of the domain, and information about shared resources such as printers and shared folders.
A domain namespace is typically defined by a domain name, such as Contoso.com. Any domain objects,
such as users, groups, or computers, created within the Contoso domain reside in the Contoso.com
namespace. For example, the fully qualified domain name (FQDN) for a server named NYC-SVR1 in the
Contoso domain would be NYC-SVR1.Contoso.com.
Domain Controller
A domain controller is a designated server that holds a copy of the Active Directory database. A computer
running the Windows Server 2008 operating system can be made a domain controller by executing
dcpromo.exe. Dcpromo.exe begins the AD DS installation Wizard and collects the information necessary
to promote the Windows Server 2008 server to a domain controller. After a computer is configured as a
domain controller, it maintains a copy of the Active Directory database and replicates the information in
the database back and forth to the other domain controllers in the domain.
Note: A domain should have at least two domain controllers. When a domain has at least two
domain controllers, redundant copies of AD DS are available in case one of the domain controllers
becomes unavailable.
Organizational Unit
OUs are used within AD DS to organize collections of Active Directory objects such as users, groups,
computers, and even other OUs. OUs act like containers within AD DS, allowing you to organize your
Active Directory objects in a logical way that makes it easier to administer and manage those objects.
For example, you may choose to create an OU for each department of your organization and place the
computers, users, groups, and printers belonging to those departments into their respective OUs.
Tree
Although domains are important building blocks for implementing Active Directory structures, only
domain trees bind those blocks together. Domain trees are logical groupings of domains.
Within the directory, the tree structure represents a hierarchy of domain objects, showing parent-child
relationships between the objects. The first domain created in the tree structure, or the root domain,
resides at the top of a logical domain tree diagram, and it is the parent of all other domains for that
particular domain tree. Other domains that you create in the domain tree are child domains.
Domain trees are typically created to reflect your organization's structure. Domains in a tree share a
contiguous namespace. The domain name of a child domain is related to the name of the parent domain.
For example, the Marketing.Contoso.com domain is a child of the Contoso.com domain. They share the
common domain namespace of Contoso.com.
Forest
Domain forests are logical groups of one or more domains or domain trees that are separate and
independent. Forests are used to create boundaries in and between organizations to control security,
replication and configuration of the Active Directory environment. As such, domain trees that are
members of a forest do not share a contiguous namespace. For example, the domain tree with a parent
domain of Contoso.com can be joined in a domain forest with another domain or domain tree,
Adatum.com. In this forest, both domains retain their preexisting domain namespace.
Global Catalog
Information regarding an Active Directory forest is stored in a distributed data repository called the global
catalog. The global catalog is stored on designated domain controllers in the forest and contains a
searchable partial representation of every object in the forest. The global catalog servers distribute the
global catalog data by using multi-master replication, where all global catalog servers are equal partners
in the replication process.
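The following Windows PowerShell script is an added example, not part of the course text. It walks the forest the current computer belongs to and prints the hierarchy described above: which domain is the forest root, which domain each tree starts from, the parent of every child domain, and which domain controllers also hold the global catalog. It uses the System.DirectoryServices.ActiveDirectory classes, so it must run on a domain-joined computer that can reach a domain controller.

```powershell
# Added example (not from the course text). Prints the forest, tree, domain
# and global catalog layout of the forest this computer is joined to.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestLayout {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })

    foreach ($domain in $forest.Domains) {
        # Follow Parent links upward; the domain with no parent is the root of its
        # tree. Trees in one forest need not share a namespace: contoso.com and
        # adatum.com can be two trees of the same forest.
        $treeRoot = $domain
        while ($treeRoot.Parent -ne $null) { $treeRoot = $treeRoot.Parent }

        $dcs = @($domain.DomainControllers | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            Domain            = $domain.Name
            Parent            = $(if ($domain.Parent -ne $null) { $domain.Parent.Name } else { '(tree root)' })
            Tree              = $treeRoot.Name
            IsForestRoot      = ($domain.Name -eq $forest.RootDomain.Name)
            DomainMode        = $domain.DomainMode
            DomainControllers = ($dcs -join ', ')
            GlobalCatalogs    = (@($dcs | Where-Object { $gcNames -contains $_ }) -join ', ')
            # The note above: one domain controller means no redundant copy of the domain partition.
            SingleDcWarning   = ($dcs.Count -lt 2)
        }
    }
}

Get-ForestLayout | Format-Table Domain, Parent, Tree, IsForestRoot, GlobalCatalogs, SingleDcWarning -AutoSize
```

A domain that lists no global catalog at all is worth a second look: logons that need universal group membership and searches across the forest both depend on reaching one.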
Key Points
AD DS information is stored within the directory database. This database is divided into a number of
directory partitions that contain AD DS information. Each directory partition, also called a naming context,
contains objects of a particular scope and purpose. There are four AD DS partitions, as follows:
Domain. The Domain partition contains all the objects stored in a domain, including users, groups,
computers, and Group Policy containers (GPCs).
Configuration. The Configuration partition contains objects that represent the logical structure of
the forest, including domains, as well as the physical topology, including sites, subnets, and services.
Schema. The Schema partition defines the object classes and their attributes for the entire directory.
Application. The Application partition is an optional partition that stores information about
applications in Active Directory.
Each domain controller maintains a copy, or replica, of several partitions. The Configuration is replicated
to every domain controller in the forest, as is the Schema. The Domain partition for a domain is replicated
to all domain controllers within a domain but not to domain controllers in other domains, so each domain
controller has at least three replicas: the Domain partition for its domain, Configuration, and Schema.
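The following script is an added example, not part of the course text. It reads the RootDSE of a domain controller and classifies every partition (naming context) the controller hosts into the four types listed above, and it reports whether that controller is also a global catalog. Every domain controller should show at least Domain, Configuration and Schema; application partitions such as DomainDnsZones and ForestDnsZones appear only on the controllers that host them. The server name, when given, is an assumption.

```powershell
# Added example (not from the course text). Lists the partitions a domain
# controller hosts by reading its RootDSE.
function Get-DcPartitions {
    param([string]$Server = '')    # empty = the DC this session is already using

    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { 'LDAP://RootDSE' }
    $root = [ADSI]$path

    $domainNc = [string]$root.defaultNamingContext
    $configNc = [string]$root.configurationNamingContext
    $schemaNc = [string]$root.schemaNamingContext
    $isGc     = ([string]$root.isGlobalCatalogReady -eq 'TRUE')

    foreach ($nc in @($root.namingContexts)) {
        $nc = [string]$nc
        if     ($nc -eq $domainNc) { $type = 'Domain' }
        elseif ($nc -eq $configNc) { $type = 'Configuration' }
        elseif ($nc -eq $schemaNc) { $type = 'Schema' }
        else                       { $type = 'Application' }   # e.g. DC=DomainDnsZones,... or DC=ForestDnsZones,...
        New-Object PSObject -Property @{
            Server          = [string]$root.dnsHostName
            Partition       = $nc
            Type            = $type
            # Global catalog status belongs to the DC, not to a partition; it tells you
            # whether this DC also holds the partial replica of every other domain.
            IsGlobalCatalog = $isGc
        }
    }
}

$parts = @(Get-DcPartitions)
$parts | Format-Table Server, Type, Partition, IsGlobalCatalog -AutoSize

# Every DC hosts at least three core replicas; fewer means the RootDSE read was incomplete.
if (@($parts | Where-Object { $_.Type -ne 'Application' }).Count -lt 3) {
    Write-Warning 'Fewer than three core partitions reported.'
}
```

Run it against two controllers in different domains of the same forest (Get-DcPartitions -Server NYC-DC1, for example) and you will see the Configuration and Schema partitions with identical distinguished names on both, while the Domain partition differs.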
Key Points
Replication is the transfer of changes between domain controllers. When you add a user or change a
user's password, for example, the change you make is committed to the directory by one domain
controller. That change must be communicated to all other domain controllers in the domain.
Replication is designed so that, in the end, each replica of a partition on a domain controller is consistent
with the replicas of that partition hosted on other domain controllers. Not all domain controllers will have
exactly the same information in their replicas at any one moment in time because changes are constantly
being made to the directory. However, Active Directory replication ensures that all changes to a partition
are transferred to all replicas of the partition. Active Directory replication balances accuracy (or integrity)
and consistency (called convergence) with performance (keeping replication traffic to a reasonable level).
This balancing act is described as loose coupling.
The following are the key characteristics of Active Directory replication:
Multimaster replication. Any domain controller can initiate and commit a change to Active
Directory.
Pull replication. A domain controller requests, or "pulls," changes from other domain controllers. As
you learn more about replication, it may become easy to forget this, because a DC notifies its
replication partners that it has changes to the directory, or a DC can poll its partners to see if they
have changes to the directory. But the changes themselves are, in the end, requested or "pulled" by
the target DC.
Store-and-forward replication. A domain controller can pull changes from one partner, and then
make those changes available to another partner. For example, domain controller B can pull changes
initiated by domain controller A. Then, domain controller C can pull the changes from domain
controller B.
Partitioning of the data store. Domain controllers in a domain host only the domain naming
context for their domain, which helps keep replication to a minimum, particularly in multidomain
forests. Other data, including application directory partitions and the partial attribute set (global
catalog), are not replicated to every domain controller in the forest, by default.
Attribute-level replication. When an attribute of an object is modified, only that attribute, and
minimal metadata that describes that attribute, is replicated. The entire object is not replicated,
except when the object is created.
Distinct control of intrasite replication (within a single site) and intersite replication (between
sites). Replication can be distinctly controlled in both these situations.
Collision detection and management. It is possible, although rare, that an attribute will have been
modified on two different domain controllers during a single replication window. In such an event,
the two changes will have to be reconciled. Active Directory has resolution algorithms that satisfy
almost every such situation.
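The following script is an added example, not part of the course text. The first function reports the inbound replication neighbors of a domain controller, that is, the partners it pulls each partition from, and flags consecutive failures or partitions that have not synchronized recently. The second shows the per-attribute replication metadata (version and originating change stamp) that makes attribute-level replication and collision resolution possible. The domain controller name, the object's distinguished name and the staleness threshold are assumptions.

```powershell
# Added example (not from the course text). Inbound replication status and
# per-attribute replication metadata for one domain controller.
Add-Type -AssemblyName System.DirectoryServices

function Get-ReplicationStatus {
    param([string]$DcName, [int]$StaleHours = 3)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    # GetReplicationNeighbors lists the sources this DC pulls from; replication is pull-based.
    foreach ($n in $dc.GetReplicationNeighbors()) {
        $age = (Get-Date) - $n.LastSuccessfulSync
        New-Object PSObject -Property @{
            Partition   = $n.PartitionName
            Source      = $n.SourceServer
            Transport   = $n.TransportType          # Rpc inside a site; Rpc or Smtp between sites
            Failures    = $n.ConsecutiveFailureCount
            LastSuccess = $n.LastSuccessfulSync
            Stale       = ($age.TotalHours -gt $StaleHours)
            LastMessage = $n.LastSyncMessage
        }
    }
}

function Get-AttributeMetadata {
    param([string]$DcName, [string]$ObjectDn)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    # Each attribute carries its own version and originating-change stamp. When the
    # same attribute is changed on two DCs within one replication window, the higher
    # version wins; on a tie, the later originating timestamp wins.
    foreach ($m in $dc.GetReplicationMetadata($ObjectDn)) {
        New-Object PSObject -Property @{
            Attribute      = $m.Name
            Version        = $m.Version
            LastChanged    = $m.LastOriginatingChangeTime
            OriginatingDc  = $m.OriginatingServer
            OriginatingUsn = $m.OriginatingChangeUsn
        }
    }
}

# Assumed names: the DC NYC-DC1 and a user object in the Marketing OU.
Get-ReplicationStatus -DcName 'NYC-DC1.contoso.com' |
    Where-Object { $_.Failures -gt 0 -or $_.Stale } |
    Format-Table Partition, Source, Failures, LastSuccess, LastMessage -AutoSize

Get-AttributeMetadata -DcName 'NYC-DC1.contoso.com' -ObjectDn 'CN=David Jones,OU=Marketing,DC=contoso,DC=com' |
    Sort-Object LastChanged -Descending | Select-Object -First 5 | Format-Table -AutoSize
```

Reset a user's password on one controller and run Get-AttributeMetadata against another a minute later: only unicodePwd and the related attributes change their Version and LastChanged, which is attribute-level replication made visible.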
Key Points
Active Directory sites are used to represent the physical structure of your network. AD DS uses information
about your network's physical structure, or topology, when performing certain processes.
When administrators describe their network infrastructure, they often mention how many sites comprise
their enterprise. To most administrators, a site is a physical location, such as an office or a city. Sites are
connected by links, or network links, that might be as basic as dial-up connections or as sophisticated as
fiber links. Together, the physical locations and links make up the network infrastructure.
AD DS represents the network infrastructure with objects called sites and site links, and although the
words are similar, these objects are not identical to the sites and links described by administrators.
You need to understand the properties and roles of sites in Active Directory to understand the subtle
distinction between Active Directory sites and network sites. Active Directory sites are objects stored in the
directory created by an administrator. An Active Directory site consists of one or more network subnets.
These sites are used to achieve two service management tasks:
Replication Traffic
AD DS assumes there are two types of networks within your enterprise, highly connected and less highly
connected. Conceptually, a change made to AD DS should replicate immediately to other domain
controllers within the highly connected network in which the change was made. However, you might not
want the change to replicate immediately over a slower, more expensive, or less reliable link to another
site. Instead, you might want to manage replication over less highly connected segments of your
enterprise to optimize performance, reduce costs, or manage bandwidth.
An Active Directory site represents a highly connected portion of your enterprise. When you define a site,
Active Directory replication within the site happens almost instantly. Replication between sites can be
scheduled and managed.
Service Localization
In a typical Active Directory environment, you have at least two domain controllers. In this configuration,
there are multiple domain controllers providing the same services of authentication and directory access.
If you have more than one network site, and if you place a domain controller in each, you want to
encourage clients to authenticate against the domain controller in their site. This is an example of service
localization.
Active Directory sites help localize services, including those provided by domain controllers. During logon,
Windows clients are automatically directed to a domain controller in their site. If a domain controller is
not available in their site, they are directed to a domain controller in another site, which will be able to
authenticate the client efficiently.
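The following script is an added example, not part of the course text. It implements the subnet-to-site mapping that service localization depends on: the most specific subnet containing the client's address decides its site. It runs offline against a constructed subnet table, and Get-ForestSubnets shows how to read the real IPv4 subnet objects from the forest instead. The addresses and site names are assumptions.

```powershell
# Added example (not from the course text). Longest-prefix subnet match, the
# rule the domain controller locator uses to place a client in a site.
function ConvertTo-IPv4Number {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Find-AdSite {
    param([string]$Address, [array]$Subnets)   # $Subnets: objects with Prefix ('10.1.0.0/16') and Site
    $ip = ConvertTo-IPv4Number $Address
    $best = $null
    foreach ($s in $Subnets) {
        $net, $len = $s.Prefix -split '/'
        $len  = [int]$len
        $mask = [int64](4294967296 - [math]::Pow(2, 32 - $len))   # /16 -> 0xFFFF0000
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)) {
            if ($best -eq $null -or $len -gt $best.PrefixLength) {
                $best = New-Object PSObject -Property @{ Site = $s.Site; Prefix = $s.Prefix; PrefixLength = $len }
            }
        }
    }
    # A client in no defined subnet still authenticates, but against whichever DC the
    # locator finds first, and the DC logs the missing subnet (NETLOGON event 5807).
    if ($best -eq $null) { return $null }
    $best.Site
}

function Get-ForestSubnets {
    # Reads the real subnet objects (IPv4 only) from the Configuration partition.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        foreach ($sub in $site.Subnets) {
            if ($sub.Name -notmatch ':') { New-Object PSObject -Property @{ Prefix = $sub.Name; Site = $site.Name } }
        }
    }
}

# Constructed subnet table: a /24 lab network carved out of the New York /16.
$subnets = @(
    (New-Object PSObject -Property @{ Prefix = '10.1.0.0/16';  Site = 'NYC' }),
    (New-Object PSObject -Property @{ Prefix = '10.1.50.0/24'; Site = 'NYC-Lab' }),
    (New-Object PSObject -Property @{ Prefix = '10.2.0.0/16';  Site = 'LON' })
)
foreach ($client in '10.1.50.7', '10.1.3.9', '10.2.8.1', '192.168.1.1') {
    '{0,-12} -> {1}' -f $client, (Find-AdSite -Address $client -Subnets $subnets)   # NYC-Lab, NYC, LON, (none)
}
# On a domain member, compare with the site the locator actually chose (also: nltest /dsgetsite):
# [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
```

Feeding Get-ForestSubnets into Find-AdSite for the address ranges of each office is a quick way to find clients that authenticate across a WAN link only because nobody defined their subnet.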
Key Points
Within an Active Directory infrastructure, it is possible to have different versions of the Windows Server
operating system acting as domain controllers. Previous versions of Windows Server do not support some
of the new Active Directory components or data storage methods available in Windows Server 2008 and
Windows Server 2008 R2.
A domain functional level and forest functional level are two separate settings that determine the specific
functional aspects of AD DS that are enabled on domain controllers within the domain or forest.
For example, Windows Server 2008 R2 provides a new feature, the Active Directory Recycle Bin, which
allows for nondestructive deletions of Active Directory objects. It requires the Windows Server 2008 R2
forest functional level. If any of the domain controllers in your forest are not running Windows Server
2008 R2, the forest functional level must remain at a level compatible with those existing domain
controllers, because domain controllers running a previous version of Windows Server do not recognize
the Recycle Bin. In that case, the Active Directory Recycle Bin functionality is not available anywhere in
the forest.
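The following script is an added example, not part of the course text. It reads the three functional-level attributes that every domain controller exposes in its RootDSE, maps the numeric values to the names used above, and reports whether the forest is at the level the Recycle Bin needs and whether this controller's operating system is ahead of the domain level (the condition for raising it). The forest name in the trailing comments is an assumption.

```powershell
# Added example (not from the course text). Reads forest, domain and domain
# controller functional levels from RootDSE.
$LevelNames = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'
}

function Get-FunctionalLevels {
    param([string]$Server = '')
    $root   = [ADSI]$(if ($Server) { "LDAP://$Server/RootDSE" } else { 'LDAP://RootDSE' })
    $forest = [int][string]$root.forestFunctionality
    $domain = [int][string]$root.domainFunctionality
    $dc     = [int][string]$root.domainControllerFunctionality   # what this DC's operating system supports
    New-Object PSObject -Property @{
        ForestLevel     = $LevelNames[$forest]
        DomainLevel     = $LevelNames[$domain]
        ThisDcLevel     = $LevelNames[$dc]
        # The forest level can be raised only once every domain is at that level,
        # and a domain only once every DC in it runs that OS or later.
        RecycleBinReady = ($forest -ge 4)
        DcAheadOfDomain = ($dc -gt $domain)
    }
}

Get-FunctionalLevels | Format-List

# To raise the levels (Active Directory module; assumed forest name contoso.com):
#   Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008R2Domain
#   Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest
# To turn on the Recycle Bin once RecycleBinReady is True (this step cannot be undone):
#   Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target contoso.com
```

Run Get-FunctionalLevels -Server against every domain controller before raising a level: a single controller reporting a lower ThisDcLevel than the others is the one that will block the change.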
Key Points
In an Active Directory domain, all domain controllers are equivalent. They are all capable of writing to the
Active Directory database and replicating changes to other domain controllers. However, in the AD DS
multimaster replication topology, certain operations must be performed by only one system. In an Active
Directory domain, operations masters are domain controllers that perform a specific function within the
domain.
- Do not place the Infrastructure Master domain-level role on a global catalog server.
- Leave the two forest-level roles on a domain controller in the forest root domain.
- In the forest root domain, transfer the three domain-level roles from the first domain controller that
  you installed in the forest root domain to an additional domain controller that has a high-performance
  level.
- Adjust the workload of the PDC emulator, if necessary, by offloading non-AD DS roles to other servers.
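The following script is an added example, not part of the course text. It lists the five operations master role holders and checks them against the placement rules above: both forest-level roles on a domain controller in the forest root domain, and the infrastructure master not on a global catalog unless every domain controller in that domain is a global catalog (or the forest has a single domain), in which case the role has nothing to update. It uses the System.DirectoryServices.ActiveDirectory classes and needs a reachable domain controller.

```powershell
# Added example (not from the course text). Operations master role holders and
# placement checks for the current forest.
Add-Type -AssemblyName System.DirectoryServices

function Test-OperationsMasterPlacement {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
    $findings = @()

    $roles = @(
        @{ Role = 'Schema master';        Holder = $forest.SchemaRoleOwner; Scope = $forest.RootDomain.Name },
        @{ Role = 'Domain naming master'; Holder = $forest.NamingRoleOwner; Scope = $forest.RootDomain.Name }
    )
    foreach ($r in $roles) {
        if ($r.Holder.Domain.Name -ne $forest.RootDomain.Name) {
            $findings += "$($r.Role) is on $($r.Holder.Name), outside the forest root domain"
        }
    }

    foreach ($d in $forest.Domains) {
        $roles += @{ Role = 'PDC emulator';          Holder = $d.PdcRoleOwner;            Scope = $d.Name }
        $roles += @{ Role = 'RID master';            Holder = $d.RidRoleOwner;            Scope = $d.Name }
        $roles += @{ Role = 'Infrastructure master'; Holder = $d.InfrastructureRoleOwner; Scope = $d.Name }

        # The infrastructure master updates cross-domain references only if it is not
        # itself a GC, because a GC already holds a copy of every referenced object.
        $dcNames     = @($d.DomainControllers | ForEach-Object { $_.Name })
        $everyDcIsGc = (@($dcNames | Where-Object { $gcNames -notcontains $_ }).Count -eq 0)
        $im          = $d.InfrastructureRoleOwner.Name
        if (($gcNames -contains $im) -and -not $everyDcIsGc -and $forest.Domains.Count -gt 1) {
            $findings += "Infrastructure master of $($d.Name) is on global catalog $im while other DCs in the domain are not GCs"
        }
    }

    foreach ($f in $findings) { Write-Warning $f }
    $roles | ForEach-Object { New-Object PSObject -Property @{ Role = $_.Role; Scope = $_.Scope; Holder = $_.Holder.Name } }
}

Test-OperationsMasterPlacement | Format-Table Role, Scope, Holder -AutoSize
```

The same list comes from netdom query fsmo; the value of scripting it is the placement checks, which are worth re-running after any role transfer or seizure.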
Key Points
In this demonstration, you will see how to:
Demonstration Steps
Lesson 2
Most administrators first experience AD DS by opening Active Directory Users and Computers and
creating user, computer, or group objects within the OUs of a domain. While Active Directory Users and
Computers is a comprehensive tool, Windows Server 2008 contains several new tools that can make
administering a Windows Server a simpler and more efficient task. This lesson will introduce you to the
tools available to administer AD DS.
Objectives
After completing this lesson, you will be able to:
Key Points
Most Active Directory administration is performed by using the following snap-ins and consoles:
Active Directory Users and Computers. This snap-in manages most common day-to-day resources,
including users, groups, computers, printers, and shared folders. This is likely to be the most heavily
used snap-in for an Active Directory administrator.
Active Directory Sites and Services. This manages replication, network topology, and related services.
Active Directory Domains and Trusts. This configures and maintains trust relationships and the domain
and forest functional level.
Active Directory Schema. This snap-in examines and modifies the definition of Active Directory
attributes and object classes. The schema is the "blueprint" for Active Directory. It is rarely viewed and
even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.
Key Points
Note: The content in this topic applies only to Windows Server 2008 R2.
Windows Server 2008 R2 provides another option for managing AD DS objects. The Active Directory
Administrative Center provides a graphical user interface (GUI) built on Windows PowerShell. This
enhanced interface allows you to perform Active Directory object management by using task-oriented
navigation. Tasks that can be performed by using the Active Directory Administrative Center include:
Connecting to and managing multiple domains within a single instance of the Active Directory
Administrative Center.
Installation Requirements
The Active Directory Administrative Center can only be installed on computers running Windows Server
2008 R2 or Windows 7. You can install the Active Directory Administrative Center by any one of the
following methods:
Install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or a Windows
7 computer.
Note: The Active Directory Administrative Center relies on the Active Directory Web Services (ADWS)
service which must be installed on at least one domain controller in the domain. The service also
requires port 9389 to be open on the domain controller where ADWS is running.
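The following script is an added example, not part of the course text. It finds the domain controllers of the current domain and checks each one for the ADWS service and for a TCP listener on port 9389, which is what the Active Directory Administrative Center (and the Active Directory module for Windows PowerShell) must reach. The two checks are deliberately separate: the service can be running while the host firewall still blocks the port.

```powershell
# Added example (not from the course text). Service state and port reachability
# for Active Directory Web Services on every DC of the current domain.
function Test-AdwsEndpoint {
    param([string[]]$Servers, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    foreach ($s in $Servers) {
        # Service state through the service control manager (RPC).
        try   { $svcState = (Get-Service -ComputerName $s -Name ADWS -ErrorAction Stop).Status }
        catch { $svcState = 'not installed / unreachable' }

        # Is the port accepting connections? Done with a timeout so a filtered port does not hang the loop.
        $client = New-Object System.Net.Sockets.TcpClient
        $portOpen = $false
        try {
            $ar = $client.BeginConnect($s, $Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)
                $portOpen = $client.Connected
            }
        } catch { $portOpen = $false } finally { $client.Close() }

        New-Object PSObject -Property @{ Server = $s; Service = $svcState; PortOpen = $portOpen }
    }
}

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | ForEach-Object { $_.Name }
Test-AdwsEndpoint -Servers $dcs | Format-Table Server, Service, PortOpen -AutoSize
```

A controller that shows Service = Running but PortOpen = False is the case the note above is about: the inbound firewall rule for ADWS is missing or disabled on that controller.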
Key Points
Active Directory Users and Computers and the Active Directory Administrative Center can both be used to
perform administrative tasks.
In this demonstration, you will see how to:
Demonstration Steps:
Active Directory Users and Computers
Viewing Objects
The Active Directory Users and Computers snap-in displays the objects in the container (domain,
organizational unit, or container) selected in the console tree.
Creating Objects
To create an object in Active Directory Users and Computers, right-click a domain, or a container (such
as Users or Computers), or an organizational unit, point to New, and then click the type of object you
want to create.
When you create an object, you are prompted to configure a few of the most basic properties of the
object, including the properties that are required for that type of object.
Navigation
The Active Directory Administrative Center provides a navigation pane that can be set as a List View and a
Tree View. The List View displays three main nodes: an Overview node, a domain node, and a Global
Search node. The Tree View changes the domain node to provide a view of the entire domain structure.
the account, and configure the user to change the password at the next logon. Global Search provides
the ability to search for objects based upon a domain scope or a Global Catalog scope.
Depending on the object selected, you can perform many related tasks. For example, if a user object is
selected, you can perform tasks such as Reset the password, Add to a group, Disable the account, Move
the account, Delete the account, locate the account, or open the Properties of the account.
Key Points
In the previous versions of Windows Server, administrators used a variety of command-line tools and
Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains to monitor
and manage their domains. The Active Directory module in Windows Server 2008 R2 now provides a
centralized experience for administering your directory service.
The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows
PowerShell module (named Active Directory) that consolidates a group of cmdlets used to manage your
Active Directory domains in a self-contained package.
The following table lists the various tasks that can be performed by using the Active Directory module
for Windows PowerShell:

Management Category                  Task
User Management                      Creating a user
                                     Modifying an attribute for multiple users
                                     Setting profile attributes
                                     Renaming a user
                                     Finding and unlocking user accounts
                                     Enabling or disabling user accounts
Computer Management
Group Management                     Creating a group
                                     Adding and removing members of a group
                                     Viewing the members of a group
                                     Changing the group scope or type
Organizational Unit Management       Creating or deleting an OU
                                     Listing objects in an OU
                                     Assigning or removing a manager of an OU
                                     Moving the objects in an OU
Password Policy Management
Searching and modifying objects
Managed Service Account Management

Cmdlet Examples
Set-ADDomainMode sets the domain functional level for an Active Directory domain.

Installation
You can install the Active Directory module by using any of the following methods:
- By default, on a Windows Server 2008 R2 server, when you install the AD DS or Active Directory
  Lightweight Directory Services (AD LDS) server roles
- By default, when you make a Windows Server 2008 R2 server a domain controller by running
  Dcpromo.exe
- As part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2
  server
Note: While the Active Directory module for Windows PowerShell must run from a Windows Server
2008 R2 or Windows 7 computer, its cmdlets can be run against domain controllers that run
Windows Server 2003 or Windows Server 2008, provided you have installed the Active Directory
Management Gateway Service on those domain controllers. The Active Directory Management Gateway
Service can be downloaded from the following web page:
Lesson 3
In AD DS for Windows Server 2008 and Windows Server 2008 R2, all users who require access to network
resources must be configured with a user account. With this user account, users can be authenticated to
the AD DS domain and granted access to network resources. As the AD DS administrator, you will need to
know how to create and configure user accounts.
Objectives
After completing this lesson, you will be able to:
Key Points
A user account is an object that contains all of the information that defines a user on a local Windows
Server 2008 machine or in an Active Directory domain. A user account includes the user name and
password as well as group memberships. A user account also contains many other settings, which can be
configured based on your organizational requirements.
Usage
With a user account, you can perform the following tasks:
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.
AD DS User Accounts
Question: List at least one advantage of creating local accounts. List at least one advantage of creating
domain accounts.
Key Points
User accounts are typically protected and authorized by a password. User accounts have options that
dictate how passwords are managed. You can help protect your server environment by customizing
password policy settings, including requiring users to change their password regularly, specifying a
minimum length for passwords, and requiring passwords to meet certain complexity requirements.
The following table describes the domain password policy settings, which are controlled by a number of
GPO settings related to accounts and passwords.

Enforce password history
  What it does: Determines how many previous passwords are remembered so that a user cannot reuse
  them.
Maximum password age
  What it does: Determines how many days a password can be used before the user must change it.
Minimum password age
  What it does: Determines how many days a new password must be kept before the user can change it
  again, which stops users from cycling back to an old password immediately.
Minimum password length
  What it does: Determines the smallest number of characters a password may contain.
Store passwords by using reversible encryption
  What it does: Stores the password by using encryption that can be reversed in order for certain
  applications to verify the password.
  Best practice: Do not use this setting unless you use a program that requires it; enabling this
  setting decreases the security of stored passwords.

In addition, another group of GPO settings governing account lockout policies are available to control
what actions are taken by the operating system if a user repeatedly fails to enter a valid password when
logging on to the system. These are known as Account Lockout Policy settings. The following table
describes the Account Lockout Policy settings:

Account lockout threshold
  What it does: The number of failed logon attempts that causes the account to be locked out. A value
  of 0 means the account is never locked out.
Account lockout duration
  What it does: The number of minutes a locked-out account stays locked before it is unlocked
  automatically. A value of 0 means the account stays locked until an administrator unlocks it.
Reset account lockout counter after
  What it does: The number of minutes after a failed logon attempt before the failed-attempt counter is
  reset to 0. This value must be less than or equal to the account lockout duration.

Note: To access Account Policy settings, click Start, click Run, and type secpol.msc in the Open
dialog box. This must be performed on a domain controller to access domain Account Policy settings.
Following these steps on a computer that is not configured as a domain controller will open the local
security policy for that computer.
Question: What would be the effect on a user's account if the user enters the password incorrectly five
times between 10:00 A.M. and 10:25 A.M. with the following settings applied to the account?
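The following script is an added example, not part of the course text. It models the three Account Lockout Policy settings as a small state machine and replays a list of failed logons through it, so that questions like the one above can be answered for any combination of settings. The slide with the question's actual values is not reproduced in this text, so the timestamps and the two settings combinations below are constructed assumptions.

```powershell
# Added example (not from the course text). Replays failed logons through the
# account lockout rules: threshold, reset-counter window and lockout duration.
function Test-AccountLockout {
    param(
        [datetime[]]$FailedAttempts,
        [int]$Threshold,                   # Account lockout threshold (0 = never lock out)
        [int]$ResetCounterAfterMinutes,    # Reset account lockout counter after
        [int]$LockoutDurationMinutes       # Account lockout duration (0 = until an administrator unlocks)
    )
    $badCount = 0; $lastBad = $null; $lockedAt = $null; $rejected = 0
    foreach ($t in ($FailedAttempts | Sort-Object)) {
        if ($lockedAt -ne $null) {
            if ($LockoutDurationMinutes -gt 0 -and $t -ge $lockedAt.AddMinutes($LockoutDurationMinutes)) {
                $lockedAt = $null; $badCount = 0; $lastBad = $null   # lockout expired; start counting again
            } else {
                $rejected++; continue                                # attempts during lockout are refused outright
            }
        }
        # The counter goes back to zero once ResetCounterAfter has elapsed since the previous bad attempt.
        if ($lastBad -ne $null -and ($t - $lastBad).TotalMinutes -ge $ResetCounterAfterMinutes) { $badCount = 0 }
        $badCount++; $lastBad = $t
        if ($Threshold -gt 0 -and $badCount -ge $Threshold) { $lockedAt = $t }
    }
    $unlockAt = $null
    if ($lockedAt -ne $null) {
        if ($LockoutDurationMinutes -gt 0) { $unlockAt = $lockedAt.AddMinutes($LockoutDurationMinutes) }
        else { $unlockAt = 'administrator must unlock' }
    }
    New-Object PSObject -Property @{
        LockedOut           = ($lockedAt -ne $null)
        LockedAt            = $lockedAt
        UnlockAt            = $unlockAt
        CurrentBadCount     = $badCount
        RejectedWhileLocked = $rejected
    }
}

# Constructed: five wrong passwords between 10:00 and 10:25.
$attempts = '10:00', '10:05', '10:12', '10:18', '10:25' | ForEach-Object { [datetime]"2012-01-09 $_" }

# Threshold 5, counter reset after 30 minutes, lockout 30 minutes: every attempt
# counts, the account locks at 10:25 and unlocks by itself at 10:55.
Test-AccountLockout -FailedAttempts $attempts -Threshold 5 -ResetCounterAfterMinutes 30 -LockoutDurationMinutes 30

# Same threshold, but the counter resets after 5 minutes: each attempt is at least
# 5 minutes after the previous one, so the counter never passes 1 and nothing locks.
Test-AccountLockout -FailedAttempts $attempts -Threshold 5 -ResetCounterAfterMinutes 5 -LockoutDurationMinutes 30
```

The model matches how the policy behaves on a domain controller; to find and clear the real result, Search-ADAccount -LockedOut lists the locked accounts and Unlock-ADAccount clears them.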
Key Points
User account attributes contain the functional details of a user account, and they control how the user
interacts with the environment. User account attributes include organizational information about the user
such as job title, department, or company; environment-related information like account profile and
logon script location; and access and privilege-related information like group membership, remote
control and dial-in access information. User account attributes can be accessed within Active Directory
Users and Computers by double-clicking a user account object or right-clicking the object and clicking
Properties.
The following are the most commonly used tabs of the user account properties:
General. The General tab contains personal information about the user, such as the name,
description, office location, and other contact information.
Account. The Account tab contains the user account information such as logon name, logon hours,
password, and account expiration information.
Profile. The Profile tab contains information regarding the user account's profile location, logon
script, and home folder.
Member Of. The Member Of tab contains a list of the groups to which the user account belongs.
Dial-in. The Dial-in tab allows you to set information related to dial-in network access.
Key Points
In this demonstration, you will see how to:
Create and configure an AD DS user account by using Active Directory Users and Computers.
Demonstration Steps:
Create and configure an AD DS user account by using Active Directory Users and Computers
1.
2.
Create a new user account for David Jones and move the account to Marketing OU.
3.
2.
3.
On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module
for Windows PowerShell.
2.
To create a new user, type the following (Note: By default, the user will be created in the Users
container, if no other option is specified):
Nova 4, LLC
Managing Active Directory Domain Services
3.
7-35
4.
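As an added example (it is not the course's own command for this step), the following Active Directory module commands create the David Jones account from the demonstration above and then set the attributes that the General, Account, Profile and Member Of tabs described earlier expose. The OU distinguished name, the logon name djones, the UPN suffix, the home folder share and the Marketing group are assumptions.

```powershell
# Added example: create and configure a user with the Active Directory module.
# Assumptions (not from the course): the Marketing OU DN, the logon name djones,
# the \\NYC-DC1\Home share and a group named Marketing.
Import-Module ActiveDirectory

$marketingOU = "OU=Marketing,DC=Contoso,DC=com"   # assumed OU DN
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for djones"

# Without -Path the account lands in the Users container; -Path creates it
# directly in the Marketing OU, so no later Move-ADObject is needed.
$user = New-ADUser -Name "David Jones" -GivenName "David" -Surname "Jones" `
    -SamAccountName "djones" -UserPrincipalName "djones@contoso.com" `
    -Path $marketingOU -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true -PassThru

# General tab: description, office and contact details
Set-ADUser -Identity $user -Description "Marketing analyst" -Office "NYC" `
    -Title "Analyst" -Department "Marketing" -OfficePhone "555-0100"

# Account tab: account expiration
Set-ADAccountExpiration -Identity $user -DateTime (Get-Date).AddYears(1)

# Profile tab: logon script and home folder (paths assumed)
Set-ADUser -Identity $user -ScriptPath "logon.bat" `
    -HomeDirectory "\\NYC-DC1\Home\djones" -HomeDrive "H:"

# Member Of tab: group membership
Add-ADGroupMember -Identity "Marketing" -Members $user

# Had the account been created in the Users container, this is the move the
# demonstration performs in the GUI:
# Move-ADObject -Identity $user.DistinguishedName -TargetPath $marketingOU

# Review the result
Get-ADUser -Identity $user -Properties Department,Title,ScriptPath,HomeDirectory,MemberOf,AccountExpirationDate |
    Format-List Name,Enabled,Department,Title,ScriptPath,HomeDirectory,AccountExpirationDate,MemberOf
```

The password is read with Read-Host rather than written into the script, so the initial credential never sits in a file or in the PowerShell history; -ChangePasswordAtLogon forces the user to replace it at first logon.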
Key Points
A user account template is a user account that has commonly used settings and properties already
configured. You can use user account templates to simplify the process of creating domain user accounts,
as described in the following points:
To perform this procedure, you must be a member of the Account Operators group, Domain Admins
group, or the Enterprise Admins group in Active Directory, or you must have been delegated the
appropriate authority.
To prevent a particular user from logging on for security reasons, you can disable user accounts
rather than deleting user accounts.
By creating disabled user accounts with common group memberships, you can use disabled user
accounts as account templates to simplify and secure user account creation.
Information such as logon hours and group memberships is retained when a new user is created from a
template, but the Description and Office attributes are not replicated.
Additional attributes can be viewed and modified in the Active Directory Schema MMC snap-in.
Lesson 4
In AD DS, computers are security principals just like users and groups. This means that computers must
have accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account,
and the user must also log on to the domain from a computer that has a valid computer account. All
computers must have computer accounts created in AD DS to be an active, fully functional member of the
domain.
Objectives
After completing this lesson, you will be able to:
Key Points
There are three key points to consider when joining a computer to an Active Directory domain:
A computer object is created in AD DS. This object can be created ahead of time, or if no matching
account has been created in AD DS, the account will be created automatically by the domain join
process.
You must have appropriate permissions in the domain to create computer objects in AD DS.
Only members of the local Administrators group can change a computer's domain or workgroup
membership.
domain. When the computer joins the domain, the computer is associated with the pre-created
account. There is no technical difference between a computer object in a client's OU and a computer
object in a server's or domain controller's OU. But, separate OUs are typically created to provide
unique scopes of management so that you can delegate management of client objects to one team
and management of server objects to another.
You Must Have Appropriate Permissions in the Domain to Create Computer Objects in AD DS
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have
permission to create computer objects in any new OU. However, tightly restrict membership in the first
three groups.
You should delegate the permission to create computer objects to appropriate administrators or support
personnel. The permission required to create a computer object is Create Computer Objects. This
permission, assigned to a group for an OU, allows members of the group to create computer objects in
that OU. For example, you might allow your desktop support team to create computer objects in the
clients OU and allow your file server administrators to create computer objects in the file servers OU.
Only Members of the Local Administrators Group Can Change a Computer's Domain or Workgroup Membership
When the domain join process is initiated, the user initiating the join must be a member of the
Administrators group on the computer that is being joined to the domain to modify the computer's
domain or workgroup membership.
Key Points
Offline domain join is a new process that can be used by computers running Windows 7 or Windows
Server 2008 R2 to join a domain without contacting a domain controller. This makes it possible to join
computers to a domain in locations where there is no connectivity to a domain controller.
A domain join establishes a trust relationship between a Windows computer and Active Directory domain.
This operation requires state changes to both AD DS and the computer that is joining the domain. In the
past, a computer had to be able to establish network connectivity with a domain controller for the
domain before initiating the join process. Offline domain join provides the following advantages over the
previous requirements:
The Active Directory state changes are completed without any network traffic to the computer or
domain controller.
Each set of changes (computer and domain controller) can be completed at a different time.
or Windows Server 2008 R2. The computer that you want to join to the domain must also be running
Windows 7 or Windows Server 2008 R2.
Note: It is important to note that the computer being provisioned and the computer from where
Djoin.exe is being executed do not have to be the same computer. In most cases, offline domain join
is done from a server or an administrative workstation prior to computers being ready to join the
domain.
By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2.
However, you can specify an optional /downlevel parameter if you want to target a domain controller that
is running a version of Windows Server that is earlier than Windows Server 2008 R2.
To perform an offline domain join, you must have the rights that are necessary to join workstations to the
domain. Members of the Domain Admins group have these rights by default. If you are not a member of
the Domain Admins group, a member of the Domain Admins group must complete one of the following
actions to enable you to join workstations to the domain.
On a Windows Server 2008 R2 or Windows 7 machine that is connected to the Contoso domain,
execute the following command from an administrative command prompt:
On the NYC-CL1 client computer, execute the following command from an administrative command
prompt in the same folder where blob.txt is stored:
After this command, the offline domain join process is complete. The computer name configuration for
NYC-CL1 will show that it is a member of the Contoso domain. The next time NYC-CL1 contacts a
domain controller from the Contoso domain, the domain join process will be completed, and NYC-CL1 will
become a fully functioning member of the domain.
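The two Djoin.exe invocations behind the steps above, written out as an added example (the course's own command lines are not reproduced here). The flags are Djoin.exe's own; the target OU distinguished name, the C:\ODJ folder and the protection applied to the blob file are assumptions made for this example.

```powershell
# Added example: provisioning side and client side of an offline domain join.
# Assumptions (not from the course): the OU DN, the C:\ODJ folder, the ACL on the blob.

# --- On NYC-DC1 (or any domain-joined Windows 7 / Windows Server 2008 R2 admin workstation) ---
# Create the computer account in AD DS and write the provisioning blob to a file.
# Add /downlevel if the targeted domain controller is older than Windows Server 2008 R2.
New-Item -ItemType Directory -Path C:\ODJ -Force | Out-Null
djoin.exe /provision /domain contoso.com /machine NYC-CL1 `
    /machineou "OU=Client Computers,DC=contoso,DC=com" `
    /savefile C:\ODJ\blob.txt
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the new computer account's password, so while it is in transit only
# Administrators should be able to read it: drop inherited ACEs and grant them alone.
$acl = Get-Acl -Path C:\ODJ\blob.txt
$acl.SetAccessRuleProtection($true, $false)
$adminsOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "BUILTIN\Administrators", "FullControl", "Allow"
$acl.AddAccessRule($adminsOnly)
Set-Acl -Path C:\ODJ\blob.txt -AclObject $acl

# --- On NYC-CL1, from an elevated prompt in the folder that holds blob.txt ---
# /localos applies the blob to the running installation; /windowspath names its Windows folder.
djoin.exe /requestODJ /loadfile .\blob.txt /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
Remove-Item -Path .\blob.txt -Force   # the blob is single-use; do not leave it on disk
Restart-Computer                      # the join takes effect after a restart
```

Both halves check $LASTEXITCODE because Djoin.exe reports failure only through its exit code; a script that ignores it would carry on and reboot a computer that was never joined.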
Key Points
While the Active Directory Administrative snap-ins and the Active Directory Administrative Center provide
convenient, easy-to-use tools for managing Active Directory infrastructure, there are certain tasks for
which a point-and-click GUI is too cumbersome or tedious.
Windows Server 2008 provides a number of tools that you can use to create or modify multiple computer
accounts automatically in AD DS. Some of these tools require that you use a text file containing
information about the computer accounts that you want to create. You also can create Windows
PowerShell scripts to add objects or make changes to Active Directory objects.
DSAdd.exe
The DSAdd command is used to create objects in AD DS. To create computer objects, type:
dsadd computer ComputerDN
where ComputerDN is the distinguished name (DN) of the computer, such as "CN=NYC-CL2,OU=NYC,
OU=Client Computers,DC=contoso,DC=com".
The DSAdd Computer command can take the following optional parameters after the DN:
-samid ComputerName
-desc Description
-loc Location
NetDom.exe
The NetDom command can also perform a variety of domain account and security tasks from the
command prompt, including creating a computer account by typing the following command:
This command creates the computer account for ComputerName in the domain indicated by the
/domain option, by using the credentials specified by /UserD and /PasswordD. The /ou option causes the
object to be created in the OU specified by the organizational unit distinguished name (OUDN)
following the option. If no OUDN is supplied, the computer account is created in the
default Computers container.
The basic syntax of the LDIFDE command is similar to that of the CSVDE command:
ldifde [-i] [-f "Filename"] [-k]
Windows PowerShell
As previously discussed in this lesson, the new Active Directory module for Windows PowerShell provides
a large number of cmdlets used for administering Active Directory.
The Add-Computer cmdlet and the New-ADComputer cmdlet are the two most commonly used
cmdlets for adding new computers to the domain.
Add-Computer
The Add-Computer cmdlet is used to join a computer to a domain. The following command will join the
local computer to the Contoso.com domain and place the computer in the Production OU.
Add-Computer -DomainName Contoso -OUPath "OU=Production,DC=Contoso,DC=COM"
New-ADComputer
The New-ADComputer cmdlet simply creates a computer account in the domain, just as you would if
you were prestaging computer accounts. The following command will add the computer account named
NYC-CL1 to the Marketing OU in the Contoso.com domain.
New-ADComputer -Name NYC-CL1 -SamAccountName 'NYC-CL1$' -Path "OU=Marketing,DC=Contoso,DC=COM"
Note: Remember, the Active Directory module for Windows PowerShell is available on Windows
Server 2008 R2 and Windows 7 computers.
Key Points
After a computer account is created in AD DS, there are several management tasks that may need to be
performed on the computer account during its membership in the domain.
The Location property can be used to document the computer's physical location in your network.
The Managed By property lists the individual responsible for the computer. This information can be
useful when you have a data center with servers for different departments, and you need to perform
maintenance on the server. You can call or send an email message to the person who is responsible
for the server before you perform maintenance on the server.
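An added example serving both the New-ADComputer section above and the Location and Managed By properties just described: it pre-stages several computer accounts from a text (CSV) description, which is the file-driven creation the lesson mentions, and fills in Location and Managed By at creation time. This is not the course's own script; the computer names, OU distinguished names, locations and the msteele account are constructed values. The equivalent single NetDom command is shown in a comment using NetDom's own /domain, /userd, /passwordd and /ou options.

```powershell
# Added example: bulk pre-staging of computer accounts from CSV data.
# Assumptions (not from the course): the names, OU DNs, locations and the msteele user.
Import-Module ActiveDirectory

# Constructed input. With a real file, use: $rows = Import-Csv .\computers.csv
$rows = @"
Name,OU,Location,Description,ManagedBy
NYC-CL2,"OU=NYC,OU=Client Computers,DC=contoso,DC=com","New York, floor 3","Marketing desktop",
NYC-CL3,"OU=NYC,OU=Client Computers,DC=contoso,DC=com","New York, floor 3","Marketing desktop",
NYC-FS2,"OU=File Servers,DC=contoso,DC=com","New York data center, rack 7","Finance file server",msteele
"@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # Skip names that already exist anywhere in the domain: a duplicate computer
    # object is a common cause of failed joins and trust-relationship errors.
    if (Get-ADComputer -Filter "Name -eq '$($row.Name)'") {
        Write-Warning "$($row.Name) already exists, skipping"
        continue
    }
    $params = @{
        Name           = $row.Name
        SamAccountName = ($row.Name + '$')     # computer SAM account names end with $
        Path           = $row.OU               # needs Create Computer Objects on that OU
        Location       = $row.Location         # the Location property
        Description    = $row.Description
        Enabled        = $true
    }
    # Managed By: the person to contact before maintenance, when the CSV names one
    if ($row.ManagedBy) {
        $params.ManagedBy = (Get-ADUser -Identity $row.ManagedBy).DistinguishedName
    }
    New-ADComputer @params
    Write-Host "Created $($row.Name) in $($row.OU)"
}

# NetDom equivalent for one account (prompted for the password because of /passwordd:*):
# netdom add NYC-CL2 /domain:contoso.com /userd:contoso\<admin> /passwordd:* /ou:"OU=NYC,OU=Client Computers,DC=contoso,DC=com"

# Verify what was staged, including the two management properties
Get-ADComputer -Filter * -SearchBase "OU=Client Computers,DC=contoso,DC=com" `
    -Properties Location,Description,ManagedBy |
    Format-Table Name,Enabled,Location,Description,ManagedBy -AutoSize
```

Splatting the parameters through a hashtable lets the script add Managed By only for rows that name an owner; New-ADComputer would reject an empty -ManagedBy value.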
As a result, deletion of computer accounts is typically a regular or scheduled maintenance task performed
within a domain.
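As an added example for the maintenance task described above (not the course's own script), the following functions find computer accounts that have not authenticated to the domain for a given number of days and disable them rather than deleting them outright. The 90-day window, the ReportOnly switch and the "Disabled Computers" holding OU are choices made for this example.

```powershell
# Added example: report on, then disable, stale computer accounts.
# Assumptions (not from the course): the 90-day window and the Disabled Computers OU.
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # lastLogonTimestamp replicates to every DC but is refreshed only about every 14 days,
    # so the value is approximate and the window should be well above 14 days. Computers
    # that have never logged on have no value and are not matched by this filter.
    Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
        -Properties LastLogonTimeStamp,OperatingSystem,Description |
        Where-Object { $_.DistinguishedName -notlike "*,OU=Domain Controllers,*" } |
        Select-Object Name,OperatingSystem,Description,DistinguishedName,
            @{Name='LastLogon'; Expression={ [DateTime]::FromFileTime($_.LastLogonTimeStamp) }}
}

function Disable-StaleADComputer {
    param([int]$Days = 90, [switch]$ReportOnly)
    $stale = Get-StaleADComputer -Days $Days
    foreach ($c in $stale) {
        if ($ReportOnly) {
            Write-Host "Would disable $($c.Name) (last logon $($c.LastLogon))"
            continue
        }
        # Disable rather than delete: the SID and group memberships survive, so a machine
        # that was only unplugged for a while can be re-enabled without a rejoin.
        Disable-ADAccount -Identity $c.DistinguishedName
        Set-ADComputer -Identity $c.DistinguishedName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account cleanup; last logon $($c.LastLogon)"
        # Park it in a holding OU (assumed to exist) so the later deletion pass is a simple query
        Move-ADObject -Identity $c.DistinguishedName -TargetPath "OU=Disabled Computers,DC=contoso,DC=com"
    }
    return $stale
}

# Always run the report first and review it before disabling anything
Disable-StaleADComputer -Days 90 -ReportOnly | Format-Table Name,LastLogon,OperatingSystem -AutoSize
```

Domain controllers are excluded explicitly because a domain controller's own computer object must never be disabled by a cleanup job, and the Description stamp records when and why the account was disabled for whoever reviews the holding OU later.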
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.
Lab Scenario
Contoso, Ltd. is expanding its operations and creating a new Finance department. You have been asked to
create the appropriate objects in AD DS, so the Finance department can begin operation as scheduled
next month.
Password: Pa$$w0rd
Department: Finance
After the accounts are properly set up, you have been asked to test them to ensure that the users can log
on and then disable the accounts until Eva and Mark begin their jobs next month.
The main tasks are as follows:
1. On NYC-DC1, from Administrative Tools, open Active Directory Module for Windows
PowerShell.
2. Create a new Finance OU in the root of the Contoso domain by using the New-ADOrganizationalUnit cmdlet.
Property               Value
First name             Finance
Last name              Template
Full name              Finance Template
                       Finance Template
Password               Pa$$w0rd
Account is disabled    Selected
Department             Finance
Create an account for Eva Corets by copying the Finance template and using the following account
properties.
Property               Value
First name             Eva
Last name              Corets
Full name              Eva Corets
                       Eva
Password               Pa$$w0rd
Account is disabled    Not Selected
Create an account for Mark Steele by copying the Finance template and using the following account
properties.
Property               Value
First name             Mark
Last name              Steele
Full name              Mark Steele
                       Mark
Password               Pa$$w0rd
Account is disabled    Not Selected
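An added example that covers both the user account template key points earlier in this module and the lab tasks above: it creates the Finance OU, the disabled Finance Template account and the Eva Corets and Mark Steele accounts with the Active Directory module instead of the Copy command in Active Directory Users and Computers. It is not the course's own script. The logon names FinanceTemplate, ecorets and msteele, the UPN suffix, and the existence of a group named Finance are assumptions; the password is the one the lab states.

```powershell
# Added example: template-based account creation with the Active Directory module.
# Assumptions (not from the course): logon names, UPN suffix, an existing Finance group.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$financeOU = "OU=Finance,$domainDN"
# Lab password exactly as the lab states it; a production script would prompt with Read-Host
$labPassword = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# 1. Finance OU in the domain root (skipped if it already exists)
if (-not (Get-ADOrganizationalUnit -Filter 'Name -eq "Finance"' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "Finance" -Path $domainDN
}

# 2. A disabled template holding the settings every Finance user shares
New-ADUser -Name "Finance Template" -GivenName "Finance" -Surname "Template" `
    -SamAccountName "FinanceTemplate" -Path $financeOU -Department "Finance" `
    -AccountPassword $labPassword -Enabled $false
if (Get-ADGroup -Filter 'Name -eq "Finance"') {        # assumed role group
    Add-ADGroupMember -Identity "Finance" -Members "FinanceTemplate"
}

function Copy-ADUserFromTemplate {
    param(
        [string]$TemplateSam, [string]$GivenName, [string]$Surname,
        [string]$SamAccountName, [securestring]$Password, [bool]$Enabled
    )
    # -Instance copies only the attributes retrieved on the template object, so
    # Description and Office are deliberately not requested (the GUI copy omits them too).
    $template = Get-ADUser -Identity $TemplateSam `
        -Properties Department,Company,LogonHours,ScriptPath,HomeDrive
    $newUser = New-ADUser -Instance $template -Name "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname -DisplayName "$GivenName $Surname" `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@contoso.com" `
        -Path $financeOU -AccountPassword $Password -Enabled $Enabled -PassThru
    # Group memberships are back-links and are not carried by -Instance; copy them
    # explicitly. Domain Users is the primary group and applies automatically.
    Get-ADPrincipalGroupMembership -Identity $template |
        Where-Object { $_.SamAccountName -ne 'Domain Users' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $newUser }
    return $newUser
}

# 3. Eva Corets and Mark Steele, enabled, copied from the template
Copy-ADUserFromTemplate -TemplateSam FinanceTemplate -GivenName Eva  -Surname Corets `
    -SamAccountName ecorets -Password $labPassword -Enabled $true
Copy-ADUserFromTemplate -TemplateSam FinanceTemplate -GivenName Mark -Surname Steele `
    -SamAccountName msteele -Password $labPassword -Enabled $true

# Verify what was copied
Get-ADUser -Filter 'Department -eq "Finance"' -SearchBase $financeOU -Properties Department,MemberOf |
    Format-Table Name,Enabled,Department,MemberOf -AutoSize
```

The template stays disabled, so it can never be used to log on even though it carries the group memberships; the explicit Name, SamAccountName and UserPrincipalName parameters override the template's values so that no two accounts share a logon name.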
In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and
then double-click Finance OU in the middle pane.
In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and
then double-click the Computers container in the middle pane.
Lesson 5
Managing Groups
Groups allow you to collect items and manage them as a single entity. The implementation of group
management in Active Directory is designed to support large, distributed environments, so it includes
different types of groups to allow for grouping Active Directory objects. In this lesson, you will learn the
purpose that each of these groups plays, and you will learn to leverage the capabilities of these groups in
structuring your Active Directory objects.
Objectives
After completing this lesson, you will be able to:
Describe how role groups and rule groups can solve manageability and scalability issues.
Importance of Groups
Key Points
Groups play an important role in the organization of objects within your Active Directory environment
and the assignment of permissions and privileges to those objects.
In our example, a group named ProductionDept could be created and assigned Allow Read permission on
the Production folder. All of the users from the Production department are placed in this group. Then, you
will have a single point of management for the users. You can add new users to the group, and they will
gain access to the shared folder. When you delete an account, it is automatically deleted from the group.
This method also avoids orphaned SIDs on the folders ACL, because deleted users are automatically
removed from groups.
Key Points
Role-based management is an important concept to understand if you want to effectively and efficiently
manage your groups.
Groups that define roles. These groups, referred to as role groups, contain users, computers, and other
role groups based on common business characteristics, such as location, job type, etc.
Groups that define management rules. These groups, referred to as rule groups, define how an
enterprise resource is being managed.
This approach to managing the enterprise with groups is called role-based management. You define roles
of users based on business characteristics, for example, department or division affiliation such as
Production, Marketing, and Executives, and you define management rules, for example, the rule that
manages which roles and individuals can access the three folders.
You can achieve both management tasks by using groups in a directory. Roles are represented by groups
that contain users, computers, and other roles. Roles can include other roles, such as a Managers role
might include the Production Managers, Finance Managers, and Research Managers roles. Management
rules, such as the rule that defines and manages Read access to the three folders, are represented by
groups as well. Rule groups contain roles and, occasionally, individual users or computers such as the
Production consultant and eight other users in the example.
The key takeaway is that there are two types of groups: one that defines the role and the other that
defines how a resource is managed.
Key Points
Groups in Windows Server 2008 have two unique properties. Group type defines what a group can be
used for and group scope defines how the group interacts with other objects in the domain.
Group Type
A Windows Server 2008 group's type setting defines what the group can be used for within the domain.
Security groups are used to assign permissions on resources within the domain. Security groups can
be attached to the DACL of an object in the domain such as a shared folder and given specific access
permissions for the resource.
Distribution groups are used exclusively with email applications like Microsoft Exchange to send
email messages to collections of users. Distribution groups cannot be attached to a DACL. Therefore,
they cannot be used to control access to resources.
Note: Security groups can also be used with email applications to group users in the same way that
distribution groups can.
Group Scope
Group scope impacts each of these characteristics of a group: what it can contain, what it can belong to,
and where it can be used.
There are three group scopes available:
Domain Local
Global
Universal
The characteristics that define each scope fall into these categories:
Replication. Where is the group defined and to what systems is the group replicated?
Membership. What types of security principals can the group contain as members? Can the group
include security principals from trusted domains?
Availability. Where can the group be used? Is the group available to add to another group? Is the
group available to add to an ACL?
Key Points
A global group is a security or distribution group that can contain users, groups, and computers that are
from the same domain as the global group. You can use global security groups to assign user rights,
delegate authority to AD DS objects or assign permissions to resources in any domain in the forest or any
other trusting domain in another forest.
Use groups with global scope to manage directory objects that require daily maintenance, such as user
and computer accounts. Because groups with global scope are not replicated outside their own domain,
you can change accounts in a group having global scope frequently without generating replication traffic
to the global catalog.
The domain functional level must be Windows 2000 native, Windows Server 2003, or Windows Server
2008 to create global groups.
Key Points
A universal group is a security or distribution group that can contain users, groups, and computers from
any domain in its forest. You can use universal security groups to assign user rights and permissions to
resources in any domain in the forest.
Changes to the universal groups are registered in the Global Catalog. Therefore, you should not change
the membership of a group with universal scope frequently. Any changes to the membership of this type
of group are replicated to every global catalog server in the forest.
At the Windows 2000 native domain functional level and later, universal groups are available for both
distribution and security groups.
Key Points
A domain local group is a security or distribution group that can contain user accounts from the local
domain, any domain in the forest, or any trusted domain. Domain local groups also can contain universal
or global groups from any domain in the forest or any trusted domain and domain local groups from the
local domain.
The domain functional level must be Windows 2000 native or later to create domain local groups.
Use a domain local group to assign permissions to resources that are located in the same domain as
the domain local group. You can put all global groups that have to share the same resources into the
appropriate domain local group.
Note: Domain local groups have no link to the local group on Windows computers. Local groups are
groups that are created on the local computer and are stored in the local SAM database and have no
direct connection to AD DS.
Question: How could you provide members of a Sales department who travel frequently between
domains in a multi-city company with access to printers on various domains that are managed by domain
local groups?
Key Points
Discuss these scenarios with the classroom, led by your instructor.
Scenario 1: A. Datum Corporation has human resources users spread throughout the domain in several
different geographic locations, but they require access to the same resources.
Scenario 2: Tailspin Toys has two domains, one for the United States and one for Europe. You want to
create a group that enables the centralized help desk to manage resources in both domains.
Scenario 3: A. Datum has users in Sales that are geographically dispersed. They have requested a single
unified group that will allow for all Sales users to access resources. Membership of the Sales group
frequently changes.
Scenario 4: Trey Research has a single domain. They want to create groups for the users in Sales, IT, and
Research departments, so they can easily send email messages to these groups instead of individual users.
Key Points
When you use nesting, you add a group as a member of another group. You can use nesting to combine
group management. Nesting increases the member accounts that are affected by a single action and
reduces replication traffic caused by the replication of changes in group membership.
Accounts -> Global groups -> Domain Local groups -> Permissions (the AGDLP nesting model)
In this method, accounts are placed inside of global groups for grouping based on organization roles,
such as job function, department, or location (role groups).
These global groups are then placed inside of domain local groups, defined by the type of access being
given and the object that permission is being configured for (rule groups). These domain local groups are
then assigned the appropriate permissions on the appropriate resources.
The AGUDLP method follows the same guidelines, but is used when universal groups are used to contain
AD DS objects from multiple domains or assign permissions to objects across multiple domains. When
using AGUDLP, global groups are nested within universal groups to provide for cross-domain usage.
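The AGDLP chain described above, built end to end as an added example with the Active Directory module and the .NET access-control classes (this is not the course's own script). The group names Finance and Finance_Folders_Change, the Finance OU, the logon names ecorets and msteele, and the folder path D:\Shares\Finance are assumptions.

```powershell
# Added example: AGDLP with the AD module. Role group (global), rule group (domain local),
# nesting, and the permission granted to the rule group only.
# Assumptions (not from the course): group names, OU DN, user logon names, folder path.
Import-Module ActiveDirectory
$ou = "OU=Finance,DC=contoso,DC=com"

function New-ADGroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Description)
    $existing = Get-ADGroup -Filter "Name -eq '$Name'"
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
        -GroupCategory Security -Path $ou -Description $Description -PassThru
}

# A -> G: the role group. Global scope: members from this domain only, usable anywhere
# in the forest, and membership changes do not generate global catalog replication.
$role = New-ADGroupIfMissing -Name "Finance" -Scope Global -Description "Role: Finance department staff"
Add-ADGroupMember -Identity $role -Members ecorets,msteele

# G -> DL: the rule group, named for the resource and the access level. Domain local
# scope: can hold global groups from any trusted domain, used only on this domain's resources.
$rule = New-ADGroupIfMissing -Name "Finance_Folders_Change" -Scope DomainLocal `
    -Description "Rule: Change access to the Finance folders"
Add-ADGroupMember -Identity $rule -Members $role

# DL -> P: the rule group is the only principal added to the folder's DACL. A new role
# (say, a Finance consultant) gets access through group membership, never by editing the ACL.
$folder = "D:\Shares\Finance"        # run this part on the file server that hosts the share
$acl = Get-Acl -Path $folder
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "CONTOSO\Finance_Folders_Change", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow"
$acl.AddAccessRule($ace)
Set-Acl -Path $folder -AclObject $acl

# Who actually ends up with Change access? Resolve the nesting.
Get-ADGroupMember -Identity $rule -Recursive | Select-Object Name,ObjectClass
```

Because the DACL names only Finance_Folders_Change, removing a user from the Finance role group revokes the folder access in one step, and deleting a user account never leaves an orphaned SID on the folder, which is the point made earlier in this lesson.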
Question: A. Datum has HR users spread throughout the domain in several different geographic
locations, but requires access to the same resources. How can nested groups be used to simplify
management?
Question: Tailspin Toys has two domains, the United States and Europe. You want to create a group for
the centralized Help Desk to manage resources in both domains and reduce the replication traffic
between the domains.
Question: At A. Datum, you have to assign permissions to a folder on a member server for a project
between Sales, Marketing, and Finance. All users are geographically dispersed. How would you use
nesting groups in this scenario?
Question: Trey Research wants to give the HR department permissions to a file share. The user GSmith
needs to be added to the HR group. How would you use AGDLP in the scenario?
Lesson 6
Some large organizations have thousands of user accounts in an AD DS domain. Even if these accounts
are grouped into different OUs, it can still take some time to find a specific user in the domain. Windows
Server 2008 provides several features that allow you to quickly and effectively locate domain objects.
Objectives
After completing this lesson, you will be able to:
Describe how to use DSQuery and PowerShell to find objects in Active Directory.
Key Points
There are several options available in the Windows Server 2008 administration tools that can increase the
efficiency of looking for user accounts in domains with many users.
Sorting
To sort the order of objects in Active Directory Users and Computers, perform the following steps:
1. View the user accounts in their container in Active Directory Users and Computers.
2. Click any of the column headings to sort the order of the objects (either ascending or descending).
You can also add more columns to the display and then sort the display based on the additional column.
Searching
The Active Directory Users and Computers management tool has a Saved Queries folder in which you can
create, edit, save, and organize saved queries. Saved queries use predefined Lightweight Directory Access
Protocol (LDAP) strings to search only the specified domain partition, allowing you to focus searches to a
single container object. You can also create a customized saved query that contains an LDAP search filter.
Queries are specific to the domain controller on which they were created. After you successfully create
your customized set of queries, you can copy the .msc file to other Windows Server 2008 domain
controllers that are in the same domain and reuse the same set of saved queries. Queries can also be
shared throughout the domain by exporting them to XML files and then importing those files to other
domain controllers.
Command-line
If you need to include AD DS searching as part of a script or need to locate an AD DS object on a
Server Core installation of Windows Server 2008, dsquery is a command-line tool that can be used to
locate AD DS objects. For example, dsquery user would be entered to look for a user, whereas dsquery
computer, dsquery group, and dsquery ou would query for their respective object types.
The following command searches for users whose names begin with Dan, but only in the Marketing OU:
dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "Dan*"
Windows PowerShell
The Active Directory module for Windows PowerShell includes options for locating AD DS objects.
The Get-ADObject cmdlet is the most commonly used cmdlet for locating AD DS resources. It allows for
robust and powerful searching throughout the Active Directory environment.
The following example demonstrates how to search for all the computer objects in the Contoso.com
domain:
Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName | FT Name,sAMAccountName
The Get-ADDomainController cmdlet can also be used to locate AD DS objects; it searches for domain
controllers based on the criteria provided.
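The searches of this lesson expressed with the Active Directory module, as an added example (the dsquery and Get-ADObject lines are the course's; everything else here is added). It shows the same "Dan*" search as a cmdlet filter and as the raw LDAP filter a saved query stores, plus the account-state searches that Search-ADAccount answers directly. The Marketing OU distinguished name and the NYC site name are assumptions.

```powershell
# Added example: locating AD DS objects with the Active Directory module.
# Assumptions (not from the course): the Marketing OU DN and the site name NYC.
Import-Module ActiveDirectory
$marketingOU = "OU=Marketing,DC=Contoso,DC=com"

function Find-UserByPrefix {
    param([string]$Prefix, [string]$SearchBase)
    # Equivalent of: dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "Dan*"
    Get-ADUser -Filter "Name -like '$Prefix*'" -SearchBase $SearchBase -SearchScope Subtree |
        Select-Object Name,SamAccountName,DistinguishedName
}
Find-UserByPrefix -Prefix "Dan" -SearchBase $marketingOU

# The same search as a raw LDAP filter. This is the form a Saved Query stores, so a
# filter tested here can be pasted into the Saved Queries folder unchanged.
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(name=Dan*))" -SearchBase $marketingOU

# All computer objects in the domain, as in the lesson, with the -Properties switch spelled out
Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName |
    Format-Table Name,sAMAccountName

# Account-state searches: the questions an administrator or a SOC analyst asks most often
Search-ADAccount -LockedOut | Select-Object Name,LastLogonDate,LockedOut
Search-ADAccount -AccountDisabled -UsersOnly | Select-Object Name,DistinguishedName
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(60)) -UsersOnly |
    Select-Object Name,LastLogonDate
Search-ADAccount -PasswordNeverExpires | Select-Object Name,ObjectClass

# Domain controllers matching a condition, here every global catalog in one site
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true -and Site -eq "NYC" } |
    Select-Object Name,IPv4Address
```

Restricting a search with -SearchBase does more than speed it up: a script that is delegated rights only over one OU should also only read from that OU, which the search base makes explicit.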
Key Points
In this demonstration, you will see how to:
Use saved queries in Active Directory Users and Computers to locate AD DS objects.
Demonstration Steps:
Use sorting in Active Directory Users and Computers to locate AD DS objects
Add the First Name column to the view and place it second on the list.
Define the query to include users whose Name field starts with the letter c.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName | FT Name,sAMAccountName
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.
Lab Scenario
The Finance department requires access to several folders containing financial documents on several
different servers within the Contoso.com domain.
You have been asked to create a group structure that will do the following:
Allow the Finance group to obtain change access to several folders on company servers. You should
be able to easily add other users or groups from the organization to this group. You do not have to
configure the actual access; just create the group that will be assigned access.
Also, you have been asked to confirm the following properties of the new AD DS objects created for the
Finance department:
1. The Finance OU should contain:
NYC-CL5 (computer)
NYC-CL6 (computer)
Finance (group)
Eva Corets and Mark Steele should be members of the Finance Group.
Answer the questions below to determine how the group structure should be created.
Question: What type of group would you create to group the Finance users together?
Question: How can you create a group structure that allows the Finance department members
change permissions and also allows other users and groups from the organization to easily be
assigned these permissions as well?
On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for
Windows PowerShell.
1. Click Start, click Administrative Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and
then double-click the Finance OU in the middle pane.
3. Click Eva Corets, press and hold the Ctrl key, and then click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Add to group.
4. In the Enter the object name to select field, type Finance, and then click Check Names.
5. In the Multiple Names Found window, click Finance, and then click OK.
8. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and
Computers.
9. In the Active Directory Users and Computers window, click the Finance OU in the left pane, right-click the Finance_Folders_Change group in the right pane, and then click Properties.
10. In the Finance_Folders_Change Properties window, click the Members tab, and then click the Add
button.
11. In the Enter the object name to select field, type Finance, and then click Check Names.
12. In the Multiple Names Found window, click Finance, and then click OK.
13. In the Select Users, Contacts, Computers, Service Accounts or Groups window, click OK.
14. In the Finance_Folders_Change Properties window, click OK.
15. Close the Active Directory Users and Computers window.
Results: In this exercise, you implemented role-based management using groups.
Finance
Finance_Folders_Change
Eva Corets and Mark Steele should be members of the Finance group.
Expand Saved Queries, and then click the Finance Groups query to confirm the result.
At the command prompt, type the following command, and then press ENTER.
View the results and confirm that Eva Corets and Mark Steele are listed.
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for
Windows PowerShell.
2. At the command prompt, type the following command and then press ENTER.
Get-ADGroupMember Finance
3. View the results and confirm that Eva Corets and Mark Steele are listed.
Results: In this exercise, you located objects in Active Directory.
Review Questions
1. You have two locations connected to each other by a very limited bandwidth network connection.
You have domain controllers in both locations and you're finding that traffic generated between the
two domain controllers is causing performance issues on your network connection. What AD DS
component that we discussed in this module could be used to alleviate the problem?
2. What tool does Active Directory Administration Center use in the background to carry out its
commands?
3. What are the advantages of using role-based groups and rule-based groups in the same domain
environment?
Description
There are new domain and forest functional levels for Windows
Server 2008 R2 that introduce new features to the AD DS
infrastructure.
Tools
Tool: Active Directory Users and Computers
Use for: Managing AD DS objects
Tool: Active Directory Administrative Center
Use for: Managing AD DS objects
Tool: Active Directory Module for Windows PowerShell
Use for: Managing AD DS objects using Windows PowerShell cmdlets
Tool: Djoin.exe
Use for: Performing an offline domain join for Windows 7 or Windows Server 2008 R2 computers
Tool: DSAdd.exe
Use for: Add AD DS objects
Tool: DSQuery.exe
Use for: Locate AD DS objects
Tool: Netdom.exe
Use for: Perform a variety of tasks on AD DS objects
Module 8
Configuring Active Directory Object Administration and Domain Trust
Module Overview
Many organizations have a number of administrators that manage various levels of the Active Directory
Domain Services (AD DS) infrastructure. For example, in addition to typical Enterprise and Domain
administrators, your organization may have organizational unit (OU) administrators, security group
administrators, or users that have rights to perform specific tasks, such as resetting passwords. To ensure a
secure and efficient administrative model, it is important to understand how to effectively delegate
permissions and rights within the AD DS structure.
A single Active Directory domain may be adequate for many organizations. However, larger organizations
typically incorporate multiple domains, or collaborate between multiple Active Directory forests.
This module describes how to configure permissions and delegate administration for Active Directory
objects. This module also describes how to configure and manage Active Directory trusts.
Objectives
After completing this module, you will be able to:
Lesson 1
To effectively manage AD DS, you may need to delegate administrative tasks to specific individuals. By
delegating control, you enable these users to perform specific Active Directory management tasks,
without granting them more permissions than they need.
This lesson describes how permissions are applied to AD DS objects. This lesson also describes how to
delegate permissions to users responsible for managing specific objects within the AD DS structure.
Objectives
After completing this lesson, you will be able to:
Delegate AD DS permissions.
Key Points
In Module 3: Configuring Access to File Services, you were introduced to how NTFS file system and shared
folder permissions provide access control to secure network resources.
Every container and object within AD DS also has a set of access control information used to control
which administrators or users can manage the object. For example, you use permissions to assign
privileges for managing an organizational unit or a hierarchy of organizational units, and the objects
contained within those organizational units.
To modify permissions for AD DS objects, you use either the Active Directory Users and Computers
console, or ADSI Edit. To use the Active Directory Users and Computers console, ensure that you have
enabled the Advanced Features option found on the View menu.
Note: ADSI Edit should only be used for specific and unique permission modification requirements.
Most permission settings should be performed by using Active Directory Users and Computers.
Full control.
Read.
Write.
However, if you need to grant a finer level of permissions, use advanced permissions or special
permissions. Use special permissions to set permissions on a particular class of object or individual
attributes of an object class. For example, you could grant a user Full Control over the group object class
in a container, just grant the user the ability to modify group memberships in a container, or just grant
the user the permissions needed to change a single attribute, such as the phone number, on all user
accounts.
When you configure permissions on an AD DS object, consider the following.
Action: Configure allow or deny permissions.
Description: Selecting the Allow permission enables the security principal to perform the specific action. Selecting the Deny permission prohibits the security principal from performing a specific action. Denied permissions take precedence over any permission that you otherwise allow to user accounts and groups. You should use Deny permissions only when it is necessary to remove a permission that a user is granted by being a member of a particular group. For example, it might be necessary to prevent a user named Don from viewing the properties of a user object. However, Don is a member of the Marketing group, which has permissions to view the properties of the user object. You can prevent Don from viewing the properties of the user object by explicitly denying Read permission to him.
Action: When permission to perform an operation is not allowed, it is implicitly denied.
Description: For example, if the Marketing group is granted Read permission for an OU, and no other security principal is listed in the discretionary access control list (DACL) for that object, users who are not members of the Marketing group are implicitly denied access. The operating system does not allow users who are not members of the Marketing group to read the properties of the OU object.
Action: By default, permission inheritance is enabled for AD DS objects.
Action: Moving an AD DS object may change permissions.
Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit
Allow permission entry. Explicit permissions take precedence over inherited permissions, even
inherited Deny permissions.
Question: What are the risks with using special permissions to assign AD DS permissions?
Question: What permissions would a user have on an object if you granted them full control permission,
and denied the user write access?
Key Points
Accessible from an object's advanced properties settings, the Effective Permissions tool helps you to
determine the permissions applied to an Active Directory object. This tool calculates the permissions that
are applied to the specified user or group, and takes into account the permissions that are in effect from
group memberships and any permission inherited from parent objects.
Effective permissions for Active Directory objects have the following characteristics:
Cumulative permissions are the combination of Active Directory permissions that are applied to both
the user and group accounts.
Deny permissions override the same level of inherited permissions. Explicitly assigned permissions
take priority.
An explicit Allow permission set on an object class or attribute will override an inherited Deny
permission.
Object owners can always change permissions. The owner controls how permissions are set on the
object, and to whom permissions are granted. The person who creates an Active Directory object is its
owner. The Administrators group owns objects that are created during Active Directory installation or
by any member of the built-in Administrators group. The owner can always change permissions for an
object, even when the owner is denied all access to the object.
Note: The current owner can grant Take Ownership permission to another user, which enables that
user to take ownership of that object at any time. The user must actually take ownership to complete
the ownership transfer.
To retrieve information about effective permissions in AD DS, use the Effective Permissions tool. If the
specified user or group is a domain object, you must have permission to read the object's membership
information on the domain.
Special identities are not used when calculating the effective permissions. This means that if you assign
permissions to any special identities, they will not be included in the effective permissions list.
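The precedence rules in the table above (explicit before inherited, Deny before Allow at the same level) and the effective-permissions characteristics listed here can be checked directly against an object's DACL. The following script is an added example, not course material; it reads the DACL of an AD DS object through the AD: drive that the Active Directory module provides and presents the entries in the order Windows evaluates them. It assumes the ActiveDirectory module is loaded and uses the lab's Marketing OU in contoso.com as its sample object.

```powershell
# Added example, not from the course: dump the DACL of an AD DS object in the
# order Windows evaluates it (explicit Deny, explicit Allow, inherited Deny,
# inherited Allow), so you can see why the Effective Permissions tool reports
# what it does. Assumes the ActiveDirectory module (which provides the AD: drive)
# and the lab's Marketing OU in contoso.com.
Import-Module ActiveDirectory

function Get-ADObjectDacl {
    param([Parameter(Mandatory = $true)] [string] $DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    $acl.Access | ForEach-Object {
        New-Object PSObject -Property @{
            Object     = $DistinguishedName
            Owner      = $acl.Owner                 # the owner can always change permissions
            Identity   = $_.IdentityReference.Value
            Type       = $_.AccessControlType       # Allow or Deny
            Rights     = $_.ActiveDirectoryRights
            Inherited  = $_.IsInherited             # explicit (False) entries beat inherited ones
            AppliesTo  = $_.InheritanceType         # None, All, Descendents, SelfAndChildren, Children
            ObjectType = $_.ObjectType              # GUID of the attribute/class/right; all zeros = whole object
        }
    } | Sort-Object -Property @{ Expression = 'Inherited' }, @{ Expression = { $_.Type -eq 'Allow' } }
}

$dacl = Get-ADObjectDacl -DistinguishedName 'OU=Marketing,DC=contoso,DC=com'
$dacl | Format-Table Identity, Type, Rights, Inherited, AppliesTo -AutoSize

# Deny entries deserve a second look: the text recommends them only to carve an
# exception out of a permission a user receives through group membership.
$dacl | Where-Object { $_.Type -eq 'Deny' } | Format-Table Identity, Rights, Inherited -AutoSize
```

Sorting on the two booleans puts explicit entries first and, within each group, Deny before Allow, which is the canonical DACL order and the order in which access checks are resolved. Special identities that appear in the output (Everyone, Authenticated Users) are the ones the Effective Permissions tool leaves out of its calculation.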
More Information: Special identities are used to assign permissions for specific situations for both
Active Directory permissions and for network resources. For example, the Everyone identity includes
all authenticated, dial-up, network, and interactive users and is used to provide permissions to
resources. Other common special identities include Authenticated Users, Interactive, and the
Creator Owner identity. For more information on special identities refer to
http://technet.microsoft.com/en-us/magazine/dd637754.aspx.
Question: When retrieving effective permissions, accurate retrieval of information requires permission to
read the membership information. If the specified user or group is a domain object, what type of
permissions does a Domain Administrator need to have to read the object's group information on the
domain? What about a Local administrator?
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
3. Open the Properties dialog box for an AD DS object and then click the Security tab.
6. To modify permission inheritance, modify the check box next to Include inheritable permissions from this object's parent.
7. To determine effective permissions for a user or group, click the Effective Permissions tab and then select the user or group name.
Key Points
Delegation of control is the ability to assign the management responsibility of Active Directory objects to
another user or group without the need to add the user or group to the Domain Admins group.
Delegated administration helps to ease the administrative burden of managing your network by
distributing routine administrative tasks. With delegated administration, you can assign basic
administrative tasks to regular users or groups. For example, you could give OU administrators the right to
add or remove user or computer objects, or an administrative assistant the right to reset passwords.
By delegating administration, you give groups in your organization more control of their local network
resources. You also help secure your network from accidental or malicious damage by limiting the
membership of the standard administrator groups.
Grant permissions to create or modify all objects in a specific organizational unit or in the domain.
Grant permissions to create or modify some types of objects in a specific organizational unit or at the
domain level.
Grant permissions to create or modify a specific object in a specific organizational unit or at the
domain level.
Grant permissions to modify specific attributes of an object (such as granting the permission to reset
passwords on a user account) in a specific organizational unit or at the domain level.
The Delegation of Control Wizard allows you to delegate administrative tasks to users or groups within a
specific administrative scope. This tool is driven by a customizable text file and ships with a base set of
common administrative tasks. You can modify the tasks available for delegation by editing Delegwiz.inf,
a file stored in the C:\Windows\System32 folder on the domain controller. The Delegation of Control
Wizard also allows you to delegate a custom task.
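The Delegation of Control Wizard writes access control entries of exactly the kind described above: an extended right, scoped to one object class, inherited by the objects below the OU. The following script is an added example and is not part of the course or of the wizard; it performs the "Reset user passwords" delegation from the lab scenario (Marketing Managers group, Marketing OU in contoso.com) through the AD: drive, resolving the required GUIDs from the schema and configuration partitions rather than hard-coding them, and then reads the resulting entries back so you can confirm what was granted. It assumes the ActiveDirectory module is loaded and that the group and OU exist.

```powershell
# Added example, not from the course: delegate the "Reset Password" control
# access right on all user objects under an OU to a group, which is what the
# Delegation of Control Wizard does for the common task of the same name.
# Assumes the lab's Marketing OU and "Marketing Managers" group in contoso.com
# and the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory = $true)] [string] $OrganizationalUnitDN,
        [Parameter(Mandatory = $true)] [string] $GroupName
    )

    $rootDse = Get-ADRootDSE

    # Resolve the GUIDs from the directory: schemaIDGUID of the user class and
    # rightsGuid of the Reset Password extended right.
    $userClass  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
    $resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid

    $userClassGuid = [Guid]$userClass.schemaIDGUID      # byte[] -> Guid
    $resetPwdGuid  = [Guid]$resetRight.rightsGuid       # string -> Guid

    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$OrganizationalUnitDN"
    $acl  = Get-Acl -Path $path

    # Allow ExtendedRight <Reset Password> on descendant objects of class user only.
    # InheritanceType Descendents means the OU itself gets nothing; only children do.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPwdGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-DelegatedEntries {
    # Explicit (non-inherited) entries on the OU for one group: the delegation you just made.
    param(
        [Parameter(Mandatory = $true)] [string] $OrganizationalUnitDN,
        [Parameter(Mandatory = $true)] [string] $GroupName
    )
    (Get-Acl -Path "AD:\$OrganizationalUnitDN").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

$ou    = 'OU=Marketing,DC=contoso,DC=com'
$group = 'Marketing Managers'
Grant-ResetPasswordDelegation -OrganizationalUnitDN $ou -GroupName $group
Get-DelegatedEntries -OrganizationalUnitDN $ou -GroupName $group | Format-List
```

The second function is the useful half for review: a delegation that shows up with ObjectType equal to the Reset Password GUID and InheritedObjectType equal to the user class GUID is scoped as intended, while one with an all-zero ObjectType grants far more than password resets. The same entry can be written with the Dsacls.exe tool, but the GUID-based form above is what actually lands in the DACL either way.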
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. Right-click the domain or an organizational unit, and then click Delegate Control.
Key Points
Microsoft Windows Server 2008 R2 introduces a new type of account called the managed service
account. The following section describes this new type of account.
Note: The content in this section only applies to Windows Server 2008 R2.
Automatic password management. A managed service account automatically maintains its own
password, including password changes.
Simplified Service Principal Name (SPN) management. SPN management can be automatically
managed if your domain is configured at the Windows Server 2008 R2 domain functional level.
1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.
2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with the Active Directory Management Gateway Service, or Windows Server 2003 with the Active Directory Management Gateway Service.
Note: The Active Directory Management Gateway Service allows administrators with domain
controllers running Windows Server 2003 or Windows Server 2008 to use Windows PowerShell
cmdlets to manage managed service accounts.
After the domain and server prerequisites have been addressed, you can use the following process to
create a managed service account:
1. On the domain controller, use the Active Directory module for Windows PowerShell to create a new managed service account in Active Directory. The following command can be used as an example of the base command.
2. Install the managed service account on the server that contains the service or application. The following command is run on the local server.
Windows PowerShell provides a number of cmdlets that can be used to administer managed service
accounts. Management tasks include:
Key Points
In this demonstration, you will see how to:
Create and associate a managed service account.
Install a managed service account.
Demonstration Steps:
3. Use Windows PowerShell to associate the managed service account to a specific server.
4. Use Windows PowerShell to install the managed service account on a specific server.
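The two-step process described earlier (create the account on the domain controller, install it on the member server) and the demonstration steps above come together in the following script. It is an added example, not the course's command listing; it uses the lab names App1_SVR1 and NYC-SVR1 and the Active Directory module cmdlets for managed service accounts. Part 1 is run on NYC-DC1, Part 2 on NYC-SVR1, both in an elevated Active Directory Module for Windows PowerShell.

```powershell
# Added example, not from the course: the managed service account (MSA)
# lifecycle described in the steps above, using the lab names App1_SVR1 and
# NYC-SVR1. Part 1 runs on the domain controller, Part 2 on the member server
# that hosts the service (Active Directory Module for Windows PowerShell, elevated).
Import-Module ActiveDirectory

# --- Part 1: on NYC-DC1 ---
function New-LinkedServiceAccount {
    param(
        [string] $Name         = 'App1_SVR1',
        [string] $HostComputer = 'NYC-SVR1'
    )
    # Create the MSA. No password is supplied: the domain generates and rotates
    # it, which is the reason to prefer an MSA over a shared user account.
    New-ADServiceAccount -Name $Name -Enabled $true

    # Link the MSA to the one computer that is allowed to install and use it.
    Add-ADComputerServiceAccount -Identity $HostComputer -ServiceAccount $Name

    # Show the result, including the back-link to the host computer.
    Get-ADServiceAccount -Identity $Name -Properties HostComputers, ServicePrincipalNames
}

# --- Part 2: on NYC-SVR1 ---
function Install-LinkedServiceAccount {
    param([string] $Name = 'App1_SVR1')
    # Install makes the account usable by services on this host; Test confirms
    # that this host can authenticate with it (returns True on success).
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name
}

# --- Cleanup when the application is retired: uninstall on the host first, then remove on the DC ---
function Remove-LinkedServiceAccount {
    param(
        [string] $Name         = 'App1_SVR1',
        [string] $HostComputer = 'NYC-SVR1'
    )
    Uninstall-ADServiceAccount -Identity $Name                                      # on NYC-SVR1
    Remove-ADComputerServiceAccount -Identity $HostComputer -ServiceAccount $Name   # on NYC-DC1
    Remove-ADServiceAccount -Identity $Name -Confirm:$false                         # on NYC-DC1
}

New-LinkedServiceAccount          # run on the domain controller
# Install-LinkedServiceAccount    # then run on NYC-SVR1
```

After Part 2 returns True, the service is pointed at the account exactly as in the lab: on the Log On tab, enter Contoso\App1_SVR1$ and leave both password boxes empty, because the password is owned by the domain, not by the administrator.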
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-SVR1. Do not log on to this virtual machine until instructed to do so.
Lab Scenario
You are a network administrator for Contoso, Ltd. Each department in Contoso, Ltd. has its own
Organizational Unit in the AD DS infrastructure. You need to delegate Organizational Unit administrative
tasks to the managers of each department.
You have also been asked to implement a managed service account for an application that will be
installed on NYC-SVR1. For this project, you must complete the following tasks:
Delegate the Marketing Managers security group the right to manage user accounts in the Marketing
Organizational Unit.
2. Verify the effective permissions for Don Roessler on the Marketing OU.
2. Open Active Directory Users and Computers and verify that Don can create new user accounts.
Task 1: Use Windows PowerShell to create and associate a managed service account.
1. On NYC-DC1, open the Active Directory Module for Windows PowerShell console.
2. At the prompt, type the following command, and then press ENTER.
3. At the prompt, type the following command, and then press ENTER:
4. At the prompt, type the following command, and then press ENTER:
3. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. The Administrator: Active Directory Module for Windows PowerShell console opens.
4. At the prompt, type the following command, and then press ENTER:
6. In the Services console, right-click Disk Defragmenter, and then click Properties.
Note: The Disk Defragmenter service is just used as an example for this lab. In a production environment, you would use the actual service that should be assigned the managed service account.
7. In the Disk Defragmenter Properties dialog box, click the Log On tab.
8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.
9. Clear the password for both the Password and Confirm password boxes. Click OK.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Lesson 2
Many organizations might only deploy a single AD DS domain. However, larger organizations, or
organizations that need to enable access to resources in other organizations or business units, may deploy
several domains in the same Active Directory forest or a separate forest. For users to access resources
between the domains in the same forest, two-way transitive trusts are automatically established. To access
resources in a different forest, you need to configure explicit trusts between the forests. This lesson
describes how to configure and manage trusts in an Active Directory environment.
Objectives
After completing this lesson, you will be able to:
Key Points
Trusts allow security principals to traverse their credentials from one domain or forest to another, and are
necessary to allow resource access between domains. Within a Forest, two-way transitive trusts are created
automatically between domains. Between Forests, you have to create an explicit trust relationship to share
resources. When you configure a trust, a user can be authenticated in their domain, and their security
credentials can then be used to access resources in a different domain.
All trusts have the following characteristics:
Trusts can be defined as transitive or non-transitive. A transitive trust is one in which the trust
relationship that is extended to one domain is automatically extended to all domains in the domain
tree that trusts that domain. For example, as illustrated above, if the Forest (root) domain and Domain
A have a transitive trust with each other, as do the Forest (root) and Domain B, then Domain A and
Domain B will also trust each other. If the trusts are non-transitive, then the trust is established only
between the two domains.
The trust direction defines where the user accounts and resources are located. The user accounts are
located in the trusted domain, while the resources are located in the trusting domain. The trust
direction flows from the trusted domain to the trusting domain. In Windows Server 2008, there are
three trust options: one-way incoming, one-way outgoing, and two-way trusts.
Trusts can also have different protocols that you use to establish the trust. The two protocol options
for configuring trusts are the Kerberos protocol version 5, and Microsoft Windows NT Local Area
Network (LAN) Manager (NTLM). In most cases, Windows Server 2008 will use Kerberos to establish
and maintain a trust.
All trusts in Microsoft Windows 2000 Server, Microsoft Windows Server 2003, and Microsoft Windows
Server 2008 forests are transitive, two-way trusts. Therefore, both domains in a trust relationship are
trusted; however, one-way trusts can be configured. The diagram above illustrates a two-way trust
between Forests 1 and 2, a one-way trust between domains E and A (also called a shortcut trust), and a
one-way trust between domains B and Q (called an external trust).
The following table outlines the types of trusts that can exist in an AD DS environment.
Trust Type: Parent-child
Description: Exists between parent and child domains in the same domain tree. This two-way transitive trust allows security principals to be authenticated in any domain in the forest. These trusts are created by default, and cannot be removed. Parent-child trusts always use the Kerberos protocol.
Trust Type: Tree-root
Description: Exists between all domain trees in the forest. This two-way transitive trust allows security principals to be authenticated in any domain in the forest. These trusts are created automatically, and cannot be removed. Tree-root trusts always use the Kerberos protocol.
Trust Type: External
Description: Can be created between domains that are not part of the same forest. These trusts can be one-way or two-way, and are non-transitive. External trusts always use the NTLM protocol.
Trust Type: Realm
Trust Type: Forest
Description: Can be created between forests that are at the Windows Server 2003 forest functional level, or higher. These trusts can be one-way or two-way, and can be transitive or non-transitive. Forest trusts always use the Kerberos protocol.
Question: If you need to share resources between domains, but do not want to configure a trust, how will
you provide access to the shared resources?
Key Points
When you set up trusts between domains, either within the same forest, across forests, or with an external
realm, information about these trusts is stored in the System container in the originating AD DS domain. A
trusted domain object (TDO) stores information about the trust, including the direction of trust,
transitivity of trust, and type of trust.
Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in
another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the
resource. After the resource is located, the user can be authenticated and allowed to access the resource.
How a Resource Is Accessed
The following is a description of how a client computer locates and accesses a resource in another forest
that has Windows Server 2008 servers:
3. The domain controller in EMEA.WoodgroveBank.com sends a referral for its parent domain, WoodgroveBank.com, to the user's computer.
4. The user's computer contacts a domain controller in WoodgroveBank.com for a referral to a domain controller in the forest root domain of the Contoso.com forest.
5. Using the referral that the domain controller in the WoodgroveBank.com domain returns, the user's computer contacts a domain controller in the Contoso.com forest for a service ticket to the requested service.
6. The resource is not located in the forest root domain of the Contoso.com forest, so the domain controller contacts its global catalog to find the SPN. The global catalog finds a match for the SPN, and then sends it to the domain controller.
8. The user's computer contacts the Key Distribution Center (KDC) on the domain controller in NA.contoso.com, and negotiates a ticket for the user to gain access to the resource in the NA.contoso.com domain.
9. The user's computer sends the server service ticket to the computer on which the shared resource is located, which reads the user's security credentials, and then constructs an access token, which gives the user access to the resource.
Question: Why would clients not be able to access resources in a domain outside the forest?
Key Points
In this demonstration, you will see how to configure a forest trust.
Demonstration Steps:
2. From the Properties dialog box of the domain, click the Trusts tab.
3. Click New Trust to start the New Trust Wizard. Complete the required steps.
4. Use the New Trust Wizard or Windows PowerShell to verify the trust relationship.
Key Points
When you configure a trust relationship that enables your domain to trust another domain, you open up
the possibility for users in the trusted domain to gain access to resources in your domain. The following
sections examine components related to the security of a trusting domain's resources.
Authenticated Users
A trust relationship itself does not grant access to any resources; however, it is likely that by creating a
trust relationship, users in the trusted domain will have immediate access to a number of your domain's
resources. This is because many resources are secured with access control lists (ACLs) that give permissions
to the Authenticated Users group.
Selective Authentication
When you create an external trust or a forest trust, you can control the scope of authentication of trusted
security principals. There are two modes of authentication for an external or forest trust:
Selective authentication
Domain-wide authentication (for an external trust) or forest-wide authentication (for a forest trust)
If you choose domain-wide or forest-wide authentication, all trusted users can be authenticated for access
to services on all computers in the trusting domain. Trusted users can, therefore, be given permission to
access resources anywhere in the trusting domain. With this authentication mode, you must have
confidence in the security procedures of your enterprise and in the administrators who implement those
procedures, so that inappropriate access is not assigned to trusted users. Remember, for example, that
users from a trusted domain or forest are considered Authenticated Users in the trusting domain, so any
resource with permissions granted to Authenticated Users will be immediately accessible to trusted
domain users, if you choose domain-wide or forest-wide authentication.
If, however, you choose selective authentication, all users in the trusted domain are trusted identities;
however, they are allowed to authenticate only for services on computers that you have specified. For
example, imagine that you have an external trust with a partner organization's domain. You want to
ensure that only users from the marketing group in the partner organization can access shared folders on
only one of your many file servers. You can configure selective authentication for the trust relationship,
and then give the trusted users the right to authenticate only for that one file server.
To configure the authentication mode for a new outgoing trust, use the Outgoing Trust Authentication
Level page of the New Trust Wizard. To configure the authentication level for an existing trust, open the
properties of the trusting domain in Active Directory Domains and Trusts, select the trust relationship,
click Properties, and then click the Authentication tab.
After you have selected Selective Authentication for the trust, by default, no trusted users will be able to
access resources in the trusting domain, even if those users have been given permissions.
To gain access, the users must also be assigned the Allowed to authenticate permission on the
computer object in the domain.
To assign this permission:
1. Open the Active Directory Users and Computers snap-in and make sure that Advanced Features is selected in the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate, that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them, and select the Allow check box for the Allowed to authenticate permission.
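The trust types table, the trusted domain object (TDO) section and the selective authentication procedure above describe state that is all readable from the directory: the TDOs in the System container record direction, transitivity and type, and the Allowed to authenticate entries on a computer object record who can use selective authentication against it. The following script is an added example, not course material; it decodes the TDO attributes using the bit values defined in the MS-ADTS specification and lists the principals holding Allowed to authenticate on a computer. It assumes the ActiveDirectory module is loaded in the lab's Contoso.com domain and uses NYC-SVR1 as the sample computer.

```powershell
# Added example, not from the course: read the trusted domain objects (TDOs) in
# CN=System and decode trustDirection, trustType and trustAttributes, then list
# who holds the "Allowed to Authenticate" right on a computer object, which is
# the permission selective authentication requires. Assumes the lab's Contoso.com
# domain and the computer NYC-SVR1; ActiveDirectory module (AD: drive) required.
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS).
$TrustAttr = @{
    NonTransitive     = 0x1
    UplevelOnly       = 0x2
    QuarantinedDomain = 0x4    # SID filtering enabled
    ForestTransitive  = 0x8    # forest trust
    CrossOrganization = 0x10   # selective authentication enabled
    WithinForest      = 0x20   # parent-child or tree-root trust
    TreatAsExternal   = 0x40
}

function Get-TrustedDomainObject {
    param([string] $DomainDN = (Get-ADDomain).DistinguishedName)

    Get-ADObject -SearchBase "CN=System,$DomainDN" -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustType, trustAttributes |
    ForEach-Object {
        $attrs = [int]$_.trustAttributes
        $dir   = switch ([int]$_.trustDirection) { 1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Bidirectional' } default { 'Disabled' } }
        $type  = switch ([int]$_.trustType) { 1 { 'Downlevel (NT)' } 2 { 'Uplevel (AD)' } 3 { 'MIT Kerberos realm' } default { 'Unknown' } }
        $flags = $TrustAttr.Keys | Where-Object { $attrs -band $TrustAttr[$_] }

        New-Object PSObject -Property @{
            Partner       = $_.trustPartner
            Direction     = $dir            # direction of trust (trusted -> trusting)
            Type          = $type
            Transitive    = -not ($attrs -band $TrustAttr.NonTransitive)
            ForestTrust   = [bool]($attrs -band $TrustAttr.ForestTransitive)
            SelectiveAuth = [bool]($attrs -band $TrustAttr.CrossOrganization)
            Attributes    = ($flags -join ',')
        }
    }
}

function Get-AllowedToAuthenticate {
    # Principals granted the Allowed to Authenticate extended right on a computer object.
    param([Parameter(Mandatory = $true)] [string] $ComputerName)

    $rootDse = Get-ADRootDSE
    $right   = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
    $guid    = [Guid]$right.rightsGuid

    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.ObjectType -eq $guid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Get-TrustedDomainObject |
    Format-Table Partner, Direction, Type, Transitive, ForestTrust, SelectiveAuth, Attributes -AutoSize
Get-AllowedToAuthenticate -ComputerName 'NYC-SVR1' | Format-Table -AutoSize
```

After the lab's trust is configured, the Adatum.com TDO should show SelectiveAuth as True, and NYC-SVR1 should list ADATUM\Domain Users with an Allow entry; a trust that shows SelectiveAuth as False is using domain-wide or forest-wide authentication, with the Authenticated Users consequences described above.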
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-VAN-DC1. Log on to VAN-DC1 as Adatum\Administrator, with the password Pa$$w0rd.
Lab Scenario
Contoso, Ltd. has initiated a strategic partnership with A. Datum Corporation. Users from the Contoso.com
domain will need to have access to file shares located at Adatum.com. You need to perform the following
tasks:
Configure Selective Authentication to only allow Adatum.com domain users to access NYC-SVR1.
Results: After completing this exercise, you will have configured name resolution between the
Contoso.com domain and the Adatum.com domain.
Password: Pa$$w0rd
2. Open the Properties pane for the Contoso.com domain and enable Selective Authentication for the Adatum.com domain.
5. Using the Advanced Features, configure NYC-SVR1 to allow the ADATUM\Domain Users group to authenticate.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. If there is a trust within a forest, and the resource is not in the user's domain, how will the domain controller use the trust relationship to access the resource?
2. The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU?
3. Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other's forest. What type of trust will you create between the forest root domains of each forest?
Module 9
Creating and Managing Group Policy Objects
Contents:
Lesson 1: Overview of Group Policy
Module Overview
Administrators face increasingly complex challenges in managing the information technology (IT)
infrastructure of their organizations. They must deliver and maintain customized desktop configurations,
ensure the security of a geographically and logistically dispersed collection of computers, and provide
administration and management for an increasingly complex and growing computing environment.
Group Policy and the Active Directory Domain Services (AD DS) infrastructure in Microsoft Windows
Server 2008 enable IT administrators to automate user and computer management in many areas,
simplifying administrative tasks, and reducing IT costs. With Group Policy and AD DS, administrators can
efficiently distribute software, implement security settings, and enforce IT policies consistently across a
given site, domain, or range of organizational units (OUs).
Objectives
After completing this module, you will be able to:
Manage GPOs.
Lesson 1
This lesson shows you how to use Group Policy to simplify managing your Active Directory
environment. You will learn how GPOs are structured and applied, and how to control the scope and
application of GPOs. In addition, you will gain experience with tools that aid in implementing Group
Policy in your environment.
This lesson also discusses Group Policy features that are included with Windows Server 2008 and Windows
Server 2008 R2, and which help simplify computer and user management.
Objectives
After completing this lesson, you will be able to:
Describe configuration management and how Group Policy helps to automate the management of
users and computers.
Create a GPO.
Key Points
If you have only one computer in your environment (at home, for example) and you need to make a
change (modify the desktop background, for example), there are several ways to do that. Most people
would probably access Personalization in Control Panel and make the change by using the Windows
interface. That works well for one user, but becomes tedious if you want to make the change across
multiple users, for example, if you want the same background for yourself and your family. You have to
make the change multiple times, and then, if you ever change your mind and want to change the
background yet again, you have to return to each user's profile and make the change. Implementing the
change and maintaining a consistent environment becomes even more difficult across multiple
computers.
In the end, configuration management is a centralized approach to applying one or more changes to one or more users, computers, or both. The key elements of configuration management are:
• A centralized definition of a change, which we will also call a setting. The setting brings a user or a computer to a desired state of configuration.
• A definition of the user(s) or computer(s) to whom the change applies, which we will call the scope of the change.
• A mechanism that ensures that the setting is applied to users and computers within the scope. We will call this process the application.
Group Policy is a framework within Windows, with components that reside in Active Directory, on domain controllers, and on each Windows server and client, that enables you to manage configuration in an AD DS domain.
Key Points
Group Policy management in an AD DS domain is implemented on the server side by two primary components, Group Policy settings and GPOs.
A typical policy setting has one of three states:
• Not Configured
• Enabled
• Disabled
By default, GPO policy settings are set to Not Configured. This means that the GPO will not modify the
existing configuration of that particular setting for a user, computer, or both. If you enable a policy
setting, it makes that policy setting active. Likewise, if you disable a policy setting, the policy setting is
made inactive.
Note: Multi-valued Group Policy settings contain more configuration options than the typical Not
Configured, Enabled, and Disabled options. They are typically used to provide specific configuration
details to applications or operating system components.
The effect of the change depends on the policy setting. For example, if you enable the Prevent Access to
Registry Editing Tools policy setting, users will be unable to start the Regedit.exe Registry Editor. If you
disable the policy setting, you ensure that users can start the Registry Editor. Notice the double negative
in this policy setting: You disable a policy that prevents an action, so you allow the action.
Note: Many policy settings are complex, and the effect of enabling or disabling them might not be
immediately clear. Always test the effects of a policy setting and its interactions with other policy
settings before deploying a change in the production environment.
Node                      What It Does
Software settings         Contain software installation settings for both user and computer.
Windows settings          Contain script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.
Administrative templates  Contain registry-based policy settings for both user and computer.
The GPO Editor displays the individual Group Policy settings available in a GPO in an organized hierarchy
that begins with the division between computer settings and user settings, the Computer Configuration
node and the User Configuration node. Computer configuration settings are applied to computer objects
in AD DS and User configuration settings are applied to user objects within AD DS.
The GPO must be applied to a domain, site, or OU in the AD DS hierarchy for the settings within the
object to take effect.
Key Points
In the previous topic, we established that a Group Policy setting cannot be applied to a user or computer unless that Group Policy setting is contained in a Group Policy object. In the same manner, a Group Policy object (and the Group Policy settings contained within it) has no effect on user and computer objects until it is applied to a domain, site, or OU within AD DS.
Computer Configuration and User Configuration settings are processed and applied separately by the client-side extensions.
Applying Computer Configuration
The Group Policy settings in a GPO that are contained in the Computer Configuration portion are applied when the physical computer starts.
Key Points
Different factors can change the normal Group Policy processing behavior, such as the way that client computers handle domain authentication, logging on by using a slow connection, accessing a domain environment remotely, and the movement of user and computer objects within the AD DS structure. Also, different types of operating systems handle Group Policy processing differently.
Cached Credentials
By default, Windows client operating systems will maintain a cache for the credentials of the last ten
domain accounts that were used to log on to the system. These cached credentials can cause the client
computer not to request an immediate refresh of Group Policy settings during the logon process. As a
result, some changes made to Group Policy settings may take two logons to be properly applied.
Slow Links
When a slow link is detected, the following settings are not processed by default:

Setting                Processed over a slow link
Software Installation  OFF
Scripts                OFF
Folder Redirection     OFF
Disk Quota             OFF
Certain remote access connections detected over dial-up or ISDN connections also present themselves as slow connections and apply Group Policy settings accordingly.
Moving Objects in AD DS
When a user or computer object is moved to a new location within the AD DS structure, such as a different OU, the client computer does not become aware of the change until the computer and user authentication process is completed after the move. As a result, Group Policy settings linked to the new OU do not take effect until a restart or logon has taken place.
Key Points
You can use Group Policy templates to create and configure Group Policy settings, which are stored by
the GPOs. The GPOs in turn are stored in the System Volume (SYSVOL) container in AD DS. The SYSVOL
container acts as a central repository for the GPOs. In this way, one policy may be associated with multiple
Active Directory containers through linking. Conversely, multiple policies may link to one container.
Along with the GPO, Group Policy has two more major components:
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. Create a new Group Policy Object named Desktop in the Group Policy container.
3. In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.
4. In the user configuration, remove the Search link from the Start menu, and hide the display settings tab.
Lesson 2
There are several techniques in Group Policy that allow administrators to manipulate how Group Policy is
applied. You can control the default processing order of policy through enforcement, blocking
inheritance, security filtering, Windows Management Instrumentation (WMI) filters, or by using the
loopback processing feature. In this lesson, you will learn about these techniques.
Objectives
After completing this lesson, you will be able to:
• Describe the Group Policy processing order (Local, Site, Domain, and OU).
• Describe how to modify the scope of Group Policy by using Security and WMI filtering.
Key Points
The GPOs that apply to a user, computer, or both do not all apply at once. GPOs are applied in a
particular order. This order means that settings that are processed first may be overwritten by conflicting
settings that are processed later.
Group Policy follows this hierarchical processing order:
1. Local group policies. Each computer running Windows 2000 or later has at least one local group policy. The local policies are applied first.
2. Site group policies. Policies linked to sites are processed second. If there are multiple site policies, they are processed synchronously in the listed preference order.
3. Domain group policies. Policies linked to domains are processed third. If there are multiple domain policies, they are processed synchronously in the listed preference order.
4. OU group policies. Policies linked to top-level OUs are processed fourth. If there are multiple top-level OU policies, they are processed synchronously in the listed preference order.
5. Child OU group policies. Policies linked to child OUs are processed fifth. If there are multiple child OU policies, they are processed synchronously in the listed preference order. When there are multiple levels of child OUs, policies for higher-level OUs are applied first and policies for the lower-level OUs are applied next.
In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that
restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the
OU level for the objects contained in that particular OU.
If you link several GPOs to an organizational unit, their processing occurs in the order that the
administrator specifies on the Linked Group Policy Objects tab for the organizational unit in the Group
Policy Management Console (GPMC).
Disabling GPOs
By default, processing is enabled for all GPO links. You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling that container's GPO link. Note that if the GPO is linked to other containers, they will continue to process the GPO if their links are enabled.
You can also disable the User Configuration or the Computer Configuration section of a particular GPO independently of the other. If one section of a policy is known to be empty, disabling that side speeds up policy processing. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer side of the policy.
Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group
Policy to all users in two different domains. What is the best way to accomplish this?
Key Points
In this demonstration, you will see how to:
Demonstration Steps
Key Points
There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain
users or groups may need to be exempt from restrictive Group Policy settings, or a GPO should be applied
only to computers with certain hardware or software characteristics. By default, all Group Policy settings
apply to the Authenticated Users group in a given container. However, you can modify that behavior
through various methods.
Block Inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents the
child level from automatically inheriting GPOs linked to higher sites, domains, or organizational units. By
default, children inherit all GPOs from the parent. You cannot block individual high-level policies. In other
words, you must block inheritance of all higher level policies, or none of them.
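The processing order from the previous topic and the inheritance blocking described here can be checked from the Group Policy module rather than by reading the GPMC tree. The following is an added example, not part of the course text; it assumes the Windows Server 2008 R2 Group Policy cmdlets are loaded and uses OU=Finance,DC=contoso,DC=com as a sample distinguished name that is assumed to exist.

```powershell
# Added example (not from the course): list the order in which the GPOs linked
# to a domain and its OUs are applied to a target OU, honouring disabled links,
# blocked inheritance and enforced links. Local and site-linked GPOs, which are
# processed before the domain, are outside what Get-GPInheritance reports.
Import-Module GroupPolicy

function Get-GPApplicationOrder {
    param(
        # Distinguished name of the target OU, e.g. 'OU=Finance,DC=contoso,DC=com'
        [Parameter(Mandatory = $true)]
        [string]$TargetDN
    )

    # Split the DN into its RDNs and rebuild the chain of containers from the
    # domain root down to the target (domain, top-level OU, ..., target OU).
    $rdns     = $TargetDN -split ',(?=(?:OU|DC)=)'
    $domainDN = ($rdns | Where-Object { $_ -like 'DC=*' }) -join ','
    $ouRdns   = @($rdns | Where-Object { $_ -like 'OU=*' })
    $chain    = @($domainDN)
    for ($i = $ouRdns.Count - 1; $i -ge 0; $i--) {
        $chain += (($ouRdns[$i..($ouRdns.Count - 1)]) -join ',') + ',' + $domainDN
    }

    # One Som (scope of management) object per container, root first.
    $soms = @(foreach ($dn in $chain) { Get-GPInheritance -Target $dn })

    $normal = @(); $enforced = @(); $blockedOut = @()
    for ($i = 0; $i -lt $soms.Count; $i++) {
        $som = $soms[$i]
        # Block Inheritance on any container *below* this one stops its
        # non-enforced links from reaching the target; enforced links get through.
        $blocked = $false
        for ($j = $i + 1; $j -lt $soms.Count; $j++) {
            if ($soms[$j].GpoInheritanceBlocked) { $blocked = $true }
        }
        # Within one container, link order 1 has the highest precedence, so it is
        # processed last: sort descending to obtain processing order.
        $links = @($som.GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order -Descending)
        foreach ($link in $links) {
            $entry = New-Object PSObject -Property @{
                Container = $som.Path
                Gpo       = $link.DisplayName
                LinkOrder = $link.Order
                Status    = 'Applied'
            }
            if ($link.Enforced) { $entry.Status = 'Applied (enforced)'; $enforced += $entry }
            elseif ($blocked)   { $entry.Status = 'Not applied (inheritance blocked)'; $blockedOut += $entry }
            else                { $normal += $entry }
        }
    }
    # Enforced links are applied after all normal links, and an enforced link on a
    # higher container wins over one on a lower container, so reverse their order.
    [array]::Reverse($enforced)

    # Emit the processing order: the last step is the setting that wins a conflict.
    $step = 0
    foreach ($e in ($normal + $enforced)) {
        $step++
        $e | Add-Member -MemberType NoteProperty -Name Step -Value $step -PassThru
    }
    # Blocked links are listed last, without a step number, so nothing is hidden.
    $blockedOut
}

Get-GPApplicationOrder -TargetDN 'OU=Finance,DC=contoso,DC=com' |
    Format-Table Step, Status, Gpo, LinkOrder, Container -AutoSize
```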
Security Filtering
For a GPO to apply to a user or computer, that user or computer must have both of the following permissions on the GPO:
• Read
• Apply Group Policy
By default, the Authenticated Users group has these permissions. By denying or granting the Apply Group Policy permission, you can control which users, groups, or computers actually receive the GPO settings.
Loopback Processing
In some cases, users may need policies applied to them based on the computer's location in AD DS, and not the user's identity. You can use the Group Policy loopback feature in any situation where you want to apply GPOs based solely on the computer object in AD DS. Loopback is discussed in more detail later in this lesson.
Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU
has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would
you ensure that all users in the Finance department receive your desktop policy?
Key Points
In this demonstration, you will see how to:
Demonstration Steps
Use Security Group Filtering
1. Create a GPO that removes the Help menu link from the Start menu and link it to the IT OU.
Use WMI Filtering
1. Use the GPMC to create a new WMI filter that targets only XP Professional clients. (See the following syntax.)
Key Points
User policy settings are normally derived entirely from the GPOs associated with the user account, based
on its AD DS location. However, loopback processing directs the system to apply an alternate set of user
settings for the computer to any user who logs on to a computer affected by this policy. Loopback
processing is intended for special-use computers where you must modify the user policy based on the
computer being used, such as the computers in public areas or classrooms. When you apply loopback, it
will affect all users, except local ones.
Both the user objects and the computer objects can potentially have different Group Policy settings applied (depending upon where each object resides in AD DS). Loopback processing ensures that the computer object's policy takes precedence over the user object's Group Policy settings.
Loopback processing operates by using the following two modes:
• Merge mode applies the user's normal Group Policy settings and then applies the user settings based on the computer's location in AD DS. This results in both sets of policy settings being processed, but any conflicting settings are resolved in favor of the list of GPOs for the computer, which is applied last.
• Replace mode ignores the user's normal Group Policy settings, and instead applies the user settings associated with the policy that delivered the loopback settings.
For example, a public access computer in the lobby may have a user policy that locks down the desktop
completely, and allows access only to certain software. Loopback processing in replace mode would
ensure that whoever logged on to the computer would be subject to those restrictions.
Note: You can find the loopback setting by pointing to Computer Configuration, pointing to
Administrative Templates, pointing to System, and then pointing to Group Policy.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.
Scenario
Contoso, Ltd. has decided to implement Group Policy to manage user desktops and to configure
computer security. The organization has already implemented an OU configuration that includes top-level
OUs by different departments. User accounts are in the same container as their workstation computer
accounts. Server computer accounts are spread throughout various OUs.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings
and may not always follow best practices.
• Domain users will not have access to the Run menu. The policy will apply to all users, except users in the IT OU.
• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.
• Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the network at startup.
• Users in the IT OU will have the URL for Microsoft support added to their Favorites.
On NYC-DC1, open the Group Policy Management console, browse to the Group Policy Objects container, and then perform the following:
3. Edit the Windows 7 and Windows Vista Security GPO (Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon) to ensure that computers wait for the network at startup.
4. Link the Windows 7 and Windows Vista Security GPO to the domain container.
Create and apply a WMI filter for the Windows 7 and Windows Vista Security GPO.

2. Block inheritance at the IT OU, to exempt the IT OU users from the Restrict Run Command GPO.

Task 3: Create and apply a WMI filter for the Windows Vista and Windows 7 Security GPO.
2. Create a new WMI filter called Windows 7 or Windows Vista Operating Systems configured to find only Windows 7 and Windows Vista operating systems.
   Hint:
   Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise" OR Caption = "Microsoft Windows Vista Enterprise"
3. Assign the WMI filter to the Windows 7 and Windows Vista Security GPO.
Result: At the end of this exercise, you will have configured the scope of GPO settings.
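A WMI filter is only as good as its query, so it pays to evaluate the query on a client before attaching it to a GPO. The following is an added example, not part of the lab; the Test-WmiFilterQuery function and the version-based alternative query are assumptions of this example, and the lab's Caption-based query is the one given in the hint above.

```powershell
# Added example (not part of the lab): evaluate a WMI filter's WQL query on the
# computer where it runs, which is the same test the client performs before it
# applies a filtered GPO. The GPO applies only if the query returns at least
# one instance; zero instances (or a broken query) means the GPO is skipped.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Query,
        # WMI filters created in GPMC default to the root\CIMv2 namespace.
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $instances = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    }
    catch {
        # A query error, such as a misspelled class name (Win32OperatingSystem
        # instead of Win32_OperatingSystem), would silently exclude every
        # computer from the GPO in production; surface it here instead.
        Write-Warning "WMI query failed: $($_.Exception.Message)"
        return $false
    }
    return ($instances.Count -gt 0)
}

# The lab's filter. Caption is an exact, edition-specific string: a Windows 7
# Professional client does not match, and some Windows 7 builds report a Caption
# with a trailing space, which also defeats an exact comparison.
$labQuery = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise" OR Caption = "Microsoft Windows Vista Enterprise"'

# Assumed alternative (not from the lab): match every client edition of Windows
# Vista (version 6.0) and Windows 7 (version 6.1). ProductType 1 is a
# workstation, which keeps Windows Server 2008 and 2008 R2 out of scope.
$versionQuery = 'Select * from Win32_OperatingSystem where (Version like "6.0%" OR Version like "6.1%") AND ProductType = 1'

$os = Get-WmiObject -Class Win32_OperatingSystem
'Local OS              : {0} (version {1}, ProductType {2})' -f $os.Caption, $os.Version, $os.ProductType
'Lab query applies     : {0}' -f (Test-WmiFilterQuery -Query $labQuery)
'Version query applies : {0}' -f (Test-WmiFilterQuery -Query $versionQuery)
```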
Lesson 3
GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very
important for maintaining your Group Policy deployments in the event of error or disaster. It helps avoid
manually re-creating lost or damaged GPOs, and having to again go through the planning, testing, and
deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of
all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains.
Objectives
After completing this lesson, you will be able to:
Key Points
As with other critical data and Active Directory-related resources, you must back up GPOs to protect the integrity of AD DS and GPOs. GPMC not only provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes. Options for managing GPOs include the following:
Backing Up GPOs
You can back up GPOs individually or as a whole with GPMC. You must provide only a backup location,
which can be any valid local or shared folder. You must have Read permission on the GPO to back it up.
Every time you perform a backup, a new backup version of the GPO is created, which provides a historical
record.
Scripting Backups
GPMC includes a number of built-in scripts to assist in automating many routine administration tasks. You
can find them in the Program Files\GPMC\Scripts folder, and can use the BackupAllGPOs.wsf script to
automate GPO backups.
Note: It is not possible to merge imported settings with the current target GPO settings; the imported
settings will overwrite all existing settings.
Copying GPOs
You can copy GPOs by using GPMC, both in the same domain and across domains. A copy operation copies an existing, live GPO to the desired destination domain. A new GPO is always created during this process. The new GPO is named "Copy of OldGPOName". For example, if you copied a GPO named Desktop, the new version would be named "Copy of Desktop". After the GPO is copied and pasted into the Group Policy Objects container, you can rename the policy. The destination domain can be any trusted domain in which you have the rights to create new GPOs. When copying between domains, security principals defined in the source may need to be migrated to the target.
Note: It is not possible to copy settings from multiple GPOs into a single GPO.
Migration Tables
When importing GPOs or copying them between domains, you can use migration tables to modify
references in the GPO that need to be adjusted for the new location. For example, you may need to
replace the UNC path for folder redirection with a UNC path that is appropriate for the new user group to
which the GPO will be applied. You can create migration tables ahead of time, or during the import or
cross-domain copy operation.
Key Points
A Starter GPO is used as a template from which to create other GPOs within GPMC. Starter GPOs only
contain Administrative Template settings. You may use a Starter GPO to provide a starting point for new
GPOs created in your domain. The Starter GPO may already contain specific settings that are
recommended best practices for your environment. Starter GPOs can be exported to and imported from
cabinet (.cab) files to make distribution to other environments simple and efficient.
GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.
Preconfigured Starter GPOs from Microsoft are available for Windows client operating systems. These
Starter GPOs contain Administrative Template settings that reflect Microsoft recommended best practices
for the configuration of the client environment.
Note: Windows Server 2008 R2 comes pre-loaded with client operating system GPOs for Windows XP
and Windows Vista. If you are using the initial release of Windows Server 2008, you will have to
download the Starter GPOs from the Microsoft website.
Key Points
Group Policy in Windows Server 2008 R2 provides support for Windows PowerShell. You can use the
Windows PowerShell Group Policy cmdlets to automate many of the same tasks for domain-based GPOs
that you perform in the user interface by using GPMC.
To help you complete these tasks, 25 Group Policy cmdlets are provided in Windows Server 2008 R2. Each
cmdlet is a simple, single-function command-line tool. By using combinations of cmdlets, you can
automate more complex tasks. You can also combine actions with scheduled tasks to ensure that specific
Group Policy management tasks occur when you want them to. For example, you can back up a GPO,
output the result to a file, and then append the file every time you perform a backup. This creates a report
for every scheduled backup.
Note: To use the Windows PowerShell Group Policy cmdlets, you must be running Windows Server
2008 R2 either on a domain controller or on a member server that has the GPMC installed, or Windows
7 with Remote Server Administration Tools (RSAT) installed. RSAT includes GPMC. You must also import
the Group Policy module before you use the cmdlets, at the beginning of every script that uses them,
and at the beginning of every Windows PowerShell session.
To import the Group Policy Module for Windows PowerShell, run the following cmdlet from the Windows PowerShell prompt:
    Import-Module GroupPolicy -Verbose
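The scheduled backup with an appended report that the paragraph above describes can be written in a few lines with the Backup-GPO cmdlet. The following is an added example, not code from the course; the function name, the backup share and the log file path are assumptions of this example.

```powershell
# Added example (not part of the course text): a scheduled-task friendly
# routine that backs up every GPO in the domain and appends one line per GPO to
# a running log, so each run extends the same report.
Import-Module GroupPolicy

function Backup-AllGPOsWithLog {
    param(
        # Folder that receives the backups; Backup-GPO creates one GUID-named
        # subfolder per GPO backup, so repeated runs never overwrite each other.
        # Sample path, assumed.
        [string]$BackupPath = '\\NYC-DC1\GPOBackups',
        # Log file appended on every run. Sample path, assumed.
        [string]$LogPath    = '\\NYC-DC1\GPOBackups\gpo-backup-log.csv'
    )
    if (-not (Test-Path -Path $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath | Out-Null
    }
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    # Back up all GPOs. Each run creates a new backup version of every GPO, and
    # the comment is stored with the backup so it can be identified at restore time.
    $backups = @(Backup-GPO -All -Path $BackupPath -Comment "Scheduled backup $stamp")

    # Write the CSV header once, then append one row per backed-up GPO.
    # (Export-Csv -Append needs PowerShell 3.0; this also works on 2.0.)
    if (-not (Test-Path -Path $LogPath)) {
        'Timestamp,GpoName,GpoId,BackupId,BackupDirectory' |
            Out-File -FilePath $LogPath -Encoding UTF8
    }
    foreach ($b in $backups) {
        '"{0}","{1}",{2},{3},"{4}"' -f $stamp, $b.DisplayName, $b.GpoId, $b.Id, $b.BackupDirectory |
            Out-File -FilePath $LogPath -Append -Encoding UTF8
    }

    # Sanity check: every GPO in the domain should have produced a backup.
    $expected = @(Get-GPO -All).Count
    if ($backups.Count -ne $expected) {
        Write-Warning ('Backed up {0} of {1} GPOs; check the log at {2}' -f $backups.Count, $expected, $LogPath)
    }
    return $backups
}

Backup-AllGPOsWithLog | Select-Object DisplayName, Id, CreationTime | Format-Table -AutoSize
```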
The Group Policy Module for Windows PowerShell includes the following cmdlets.

Cmdlet Name                  Description
Backup-GPO                   Backs up one GPO or all GPOs in a domain
Copy-GPO                     Copies a GPO
Get-GPInheritance            Gets Group Policy inheritance information for a domain or OU
Get-GPO                      Gets one GPO or all GPOs in a domain
Get-GPOReport                Generates a report (XML or HTML) for one GPO or all GPOs in a domain
Get-GPPermissions            Gets the permission level of security principals on a GPO
Get-GPPrefRegistryValue      Gets a Registry preference item from a GPO
Get-GPRegistryValue          Gets a registry-based policy setting from a GPO
Get-GPResultantSetOfPolicy   Outputs Resultant Set of Policy (RSoP) information for a user, a computer, or both to a file
Get-GPStarterGPO             Gets one Starter GPO or all Starter GPOs in a domain
Import-GPO                   Imports the settings from a GPO backup into a target GPO
New-GPLink                   Links a GPO to a site, domain, or OU
New-GPO                      Creates a new GPO
New-GPStarterGPO             Creates a new Starter GPO
Remove-GPLink                Removes a GPO link from a site, domain, or OU
Remove-GPO                   Deletes a GPO
Remove-GPPrefRegistryValue   Removes a Registry preference item from a GPO
Remove-GPRegistryValue       Removes a registry-based policy setting from a GPO
Rename-GPO                   Renames a GPO
Restore-GPO                  Restores one GPO or all GPOs in a domain from one or more GPO backup files
Set-GPInheritance            Blocks or unblocks inheritance for a domain or OU
Set-GPLink                   Sets the properties (enabled, enforced, order) of a GPO link
Set-GPPermissions            Grants a permission level for security principals on a GPO
Set-GPPrefRegistryValue      Configures a Registry preference item in a GPO
Set-GPRegistryValue          Configures a registry-based policy setting in a GPO
Key Points
Delegation of GPO-related tasks allows the administrative workload to be distributed across the
enterprise. One group can be tasked with creating and editing GPOs, while another group performs
reporting and analysis duties. A third group might be in charge of creating WMI filters.
The following Group Policy tasks can be independently delegated:
• Creating GPOs
• Editing GPOs
The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.
By default, the following security principals have permission to edit GPOs:
• Domain Admins
• Enterprise Admins
• Creator Owner
• Local System
The Authenticated Users group has Read and Apply Group Policy permissions.
Creating GPOs
By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new
GPOs. You can use two methods to grant a group or user this right:
• Add the user or group to the Group Policy Creator Owners group.
• Explicitly grant the group or user permission to create GPOs by using GPMC.
Editing GPOs
To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission
by using the GPMC.
Lab Scenario
The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so
that certain policies can be applied to all domain objects. Some policies are considered mandatory.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings
and may not always follow best practices.
• Domain users will not have access to the Run menu. The policy will apply to all users, except users in the IT OU.
• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.
• Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the network at startup.
• Users in the IT OU will have the URL for Microsoft support added to their Favorites.
1. Verify that a user in the domain has the Run command removed from the Start menu.

Task 1: Verify that a user in the domain has the Run command removed from the Start menu.
2. Ensure that a link to the Run menu does not appear in the Accessories folder on the Start menu.

2. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.
3. Start Internet Explorer, open the Favorites pane, and then ensure that the link to Tech Support appears. If the Set Up Windows Internet Explorer 8 dialog box opens, click Ask me later.
4. Restart NYC-CL1.

Task 3: Verify that the last logged on user name does not appear.
After NYC-CL1 is restarted, verify that the last logged on user name does not appear.
Note: To see this information, press CTRL-ALT-DEL to see the logon screen.
Result: After completing this exercise, you will have tested and verified a GPO application.
4. Import a GPO.

3. Right-click the Restrict Run Command policy, and then click Back Up.
5. Right-click the Group Policy Objects folder, and then click Back Up All.

3. Right-click the IT Favorites policy, and then click Delete. Click Yes, and then click OK when the deletion succeeds.

2. Right-click the Group Policy Objects folder, and then click Manage Backups.
4. Confirm that the IT Favorites policy appears in the Group Policy Objects folder.

1. Create a new GPO named Import in the Group Policy Objects folder.
6. On the Source GPO screen, click Restrict Run Command, and then click Next.
Note: If more than one copy of the Restrict Run Command GPO appears, choose the newer one.
8. Click Import GPO, click the Settings tab, and then ensure that the Remove Run menu from Start Menu setting is Enabled.
Result: After completing this exercise, you will have backed up, restored, and imported GPOs.
Lesson 4
System administrators need to know how Group Policy settings affect computers and users in a managed
environment. This information is essential when planning Group Policy for a domain, and when
debugging existing GPOs. Obtaining the information can be a complex task when you consider the many
combinations of sites, domains, and organizational units that are possible, and the many types of Group
Policy settings that can exist. Further complicating the task are security-group filtering, and GPO
inheritance, blocking, and enforcement. The Group Policy Results (GPResult.exe) command-line tool and
GPMC provide reporting features to simplify these tasks.
Troubleshooting the unexpected or undesired application of GPOs can be an equally difficult task.
Windows Server 2008 provides several tools to assist in the troubleshooting of GPO application.
Objectives
After completing this lesson, you will be able to:
Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting
easier. Two main reporting tools are the GPResult.exe command-line tool, and the Group Policy Results
Wizard in GPMC. The Group Policy Results feature allows administrators to determine the resultant policy
set that was applied to a given computer or user or to the computer and user who logged on to that
computer. Although these tools are similar, each provides different information.
GPResult.exe
Intended for administrators, the GPResult.exe command-line tool verifies all policy settings in effect for a
specific user, computer or user and computer combination. Administrators can run GPResult on any
remote computer within their management scope.
Syntax
gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]
Parameters
/s Computer : Specifies the name or IP address of a remote computer. (Do not use backslashes.) The default is the local computer.
/u Domain\User : Runs the command with the account permissions of the user that is specified by User or Domain\User. The default is the permissions of the currently logged-on user on the computer that issues the command.
/p Password : Specifies the password of the user account that is specified in the /u parameter.
/user TargetUserName : Specifies the user name of the user whose Resultant Set of Policy (RSoP) data is to be displayed.
/scope {user|computer} : Displays either user or computer results. Valid values for the /scope parameter are user or computer. If you omit the /scope parameter, gpresult displays both user and computer settings.
/v : Specifies that the output display verbose policy information.
/z : Specifies that the output displays all available information about Group Policy. Because this parameter produces more information than the /v parameter, you should redirect the output to a text file when you use this parameter (for example, gpresult /z >policy.txt).
/? : Displays help at the command prompt.
GPResult Output
When you run the GPResult /r command from the command prompt, Windows displays three different
categories of information: operating system information, computer settings, and user settings.
By default, GPResult returns settings in effect on the computer on which GPResult is run. In the operating
system section, GPResult provides:
• Version information.
GPResult has various switches available to refine the command for specific information. For example, it
can be run for a specific user, computer, or both. It can also be run in verbose mode to provide more
information.
If connecting to a remote computer, the remote procedure call (RPC) port (135) must be open on the
remote computer. You can accomplish this with a Group Policy setting that allows remote administration.
Key Points
Another method for testing Group Policy is to use the Group Policy Modeling Wizard in GPMC to model
environment changes before you actually make them. The Group Policy Modeling Wizard calculates the
simulated net effect of GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer objects to a different OU
or site. You can also specify slow-link detection, loopback processing, or both when using the Group
Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your Active Directory domain.
Because the wizard never queries the client computer, it cannot take local policies into account.
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
2. Run GPResult.exe from the command prompt and output the results to an HTML file.
3. Open GPMC.
4. Run the Group Policy Reporting Wizard and view the results.
5. Run the Group Policy Modeling Wizard and view the results.
Key Points
The two main issues with Group Policy processing are:
There may be many reasons why policies are not applied or are applied incorrectly, including the
following:
AD DS replication issues may be preventing all domain controllers from receiving policies or policy
updates.
Key Points
Group Policy issues may be symptoms of unrelated issues, such as network connectivity, authentication
problems, domain controller availability, or Domain Name Service (DNS) configuration errors.
Troubleshooting Inheritance
The following four settings can be used to alter the default inheritance of GPO processing:
GPO enforcement
If none of the users or computers in an OU or entire subtree of OUs are receiving policies that were linked
to higher levels, it may be because of inheritance blocking.
The GPMC interface provides a visual indicator, a blue exclamation mark, when inheritance is blocked.
Group Policy results reporting (RSoP) lists the GPOs that are being applied, and the GPOs that are being
blocked.
You can run the Gpresult command from the target computer to assess whether any of these settings are
prohibiting the policies from applying.
If inheritance is blocked incorrectly, removing the setting returns Group Policy processing to normal.
Troubleshooting Filtering
Group Policy filtering determines which users and computers will receive the GPO settings. Group Policy
object (GPO) filtering is based on two factors:
Group Policy filtering may look like inconsistent application of policies in an OU. If some users,
groups, or computers have filtering applied, they will not receive policies that other users in the same OU
receive.
The following steps can be taken to troubleshoot potential filtering-related issues:
To check filtering on a GPO, in GPMC, open the Group Policy Objects node, select the GPO you are
troubleshooting, and then, in the right pane, select the Scope tab. The Security Filtering and WMI
Filtering panels show the current filtering configuration.
To see the exact set of permissions for users, groups, and computers, select the Delegation tab, and
then click Advanced. Select the security group, user, or computer you want to review.
If the policy object should be applied to the security group, user, or computer, the minimum permissions
should be set to allow Read and Apply Group Policy.
Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If there is a link
to a non-existent WMI filter, the GPO with that link will not be processed until the link is removed or the
filter is restored.
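The checks described in the inheritance and filtering sections above, as an added example that is not part of the course: for one GPO, one OU and one trustee it reports blocked inheritance, the link state, whether the trustee holds Read and Apply Group Policy, and a link to a WMI filter that no longer exists. It assumes the GroupPolicy and ActiveDirectory modules; the GPO, OU and group names in the call are placeholders, and the dangling-filter test assumes that Get-GPO returns no WmiFilter object when the filter has been deleted.

```powershell
# Added example (not from the course): check why a GPO may not reach an OU, covering
# inheritance blocking, the link state, security filtering (Read and Apply Group
# Policy) and a dangling WMI filter link. Assumes the GroupPolicy and ActiveDirectory
# modules; names are placeholders for your environment.
function Test-GpoScope {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$OuDn,          # e.g. 'OU=Research,DC=contoso,DC=com'
        [Parameter(Mandatory)][string]$TrusteeName,   # e.g. 'Domain Users'
        [ValidateSet('User', 'Group', 'Computer')][string]$TrusteeType = 'Group'
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $gpo = Get-GPO -Name $GpoName

    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        $findings.Add("GPO status is $($gpo.GpoStatus), so part or all of it will not apply")
    }

    # Dangling WMI filter: the AD object still carries gPCWQLFilter but Get-GPO cannot
    # resolve it (assumption: WmiFilter is null when the filter was deleted)
    $adGpo = Get-ADObject -Identity $gpo.Path -Properties gPCWQLFilter
    if ($adGpo.gPCWQLFilter -and -not $gpo.WmiFilter) {
        $findings.Add("GPO links to a WMI filter that no longer exists ($($adGpo.gPCWQLFilter)); it is not processed until the link is removed")
    } elseif ($gpo.WmiFilter) {
        $findings.Add("WMI filter '$($gpo.WmiFilter.Name)' is attached and must evaluate true on the client")
    }

    # Inheritance: InheritedGpoLinks is the effective list (own links plus inherited ones)
    $inh = Get-GPInheritance -Target $OuDn
    if ($inh.GpoInheritanceBlocked) {
        $findings.Add("Inheritance is blocked at $OuDn (blue exclamation mark in GPMC); only Enforced links from above get through")
    }
    $link = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id } | Select-Object -First 1
    if (-not $link) {
        $findings.Add("'$GpoName' has no effective link at $OuDn (not linked in scope, or dropped by blocked inheritance)")
    } elseif (-not $link.Enabled) {
        $findings.Add("Link for '$GpoName' exists but is disabled")
    }

    # Security filtering: the trustee needs Read and Apply Group Policy, which the
    # module reports as the GpoApply level (GpoCustom entries need a manual look at
    # Delegation > Advanced)
    try {
        $perm = Get-GPPermission -Name $GpoName -TargetName $TrusteeName -TargetType $TrusteeType -ErrorAction Stop
    } catch { $perm = $null }
    if (-not $perm) {
        $findings.Add("$TrusteeName has no permission entry on '$GpoName'; grant Read and Apply Group Policy")
    } elseif ($perm.Denied) {
        $findings.Add("$TrusteeName is explicitly denied $($perm.Permission) on '$GpoName'")
    } elseif ($perm.Permission -ne 'GpoApply') {
        $findings.Add("$TrusteeName has $($perm.Permission) on '$GpoName' but not Apply Group Policy")
    }

    [pscustomobject]@{
        GPO = $GpoName; OU = $OuDn; Trustee = $TrusteeName
        Reaches = ($findings.Count -eq 0); Findings = $findings
    }
}

# Example call with the lab names (the domain DN is a placeholder):
Test-GpoScope -GpoName 'TestA' -OuDn 'OU=IT,DC=contoso,DC=com' -TrusteeName 'Domain Users' | Format-List
```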
Troubleshooting Replication
In a domain that contains more than one domain controller, Group Policy information takes time to
propagate or replicate from one domain controller to another.
Replication issues are most noticeable in remote sites with slow connections where there is long
replication latency.
GPOTool can check for consistency of policies across all domain controllers. Another tool is
Repadmin, which can provide information about Group Policy synchronization status and general
replication.
After you determine that replication is the issue, you must determine if the problem is with the FRS or
AD DS replication.
A simple test for SYSVOL replication is to put a small test file into the SYSVOL directory, and see if it
replicates to other domain controllers.
Similarly, a simple way to test AD DS replication is to create a test object, such as an OU, and see if it
replicates to other domain controllers.
In many cases, just waiting for normal replication cycles to complete resolves the problem.
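The two simple tests just described (a marker file in SYSVOL for FRS or DFS-R, a throwaway OU for AD DS replication), as an added example that is not part of the course: it creates both on the PDC emulator, polls every domain controller until each has converged or a timeout expires, cleans up, and reports per domain controller. It assumes the ActiveDirectory module and Domain Admin rights; the test file and OU names are constructed.

```powershell
# Added example (not from the course): test SYSVOL and AD DS replication with a
# marker file and a throwaway OU, then report which domain controllers received them.
# Assumes the ActiveDirectory module and Domain Admin rights.
function Test-GroupPolicyReplication {
    param([int]$TimeoutSeconds = 300, [int]$PollSeconds = 15)

    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
    $source = $domain.PDCEmulator                     # write everything on one DC
    $stamp  = Get-Date -Format 'yyyyMMddHHmmss'

    # 1. SYSVOL test: a small file in the domain's scripts folder (the NETLOGON share)
    $relPath = "$($domain.DNSRoot)\scripts\repltest-$stamp.txt"
    Set-Content -Path "\\$source\SYSVOL\$relPath" -Value "replication test $stamp"

    # 2. AD DS test: a test OU created on the same DC
    $ouName = "ReplTest-$stamp"
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -Server $source `
                             -ProtectedFromAccidentalDeletion $false
    $ouDn = "OU=$ouName,$($domain.DistinguishedName)"

    $state = @{}
    foreach ($dc in $dcs) { $state[$dc] = @{ Sysvol = $false; AdDs = $false } }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        foreach ($dc in $dcs) {
            if (-not $state[$dc].Sysvol -and (Test-Path -Path "\\$dc\SYSVOL\$relPath")) {
                $state[$dc].Sysvol = $true
            }
            if (-not $state[$dc].AdDs) {
                # -Filter returns nothing (instead of an error) while the OU is still missing
                $found = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -Server $dc -ErrorAction SilentlyContinue
                if ($found) { $state[$dc].AdDs = $true }
            }
        }
        $pending = @($state.Values | Where-Object { -not ($_.Sysvol -and $_.AdDs) })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

    # Clean up on the source DC; the deletions replicate the same way the creations did
    Remove-Item -Path "\\$source\SYSVOL\$relPath" -ErrorAction SilentlyContinue
    Remove-ADOrganizationalUnit -Identity $ouDn -Server $source -Confirm:$false -ErrorAction SilentlyContinue

    foreach ($dc in $dcs) {
        [pscustomobject]@{
            DomainController = $dc
            SysvolReplicated = $state[$dc].Sysvol   # false after the timeout points at FRS/DFS-R
            AdDsReplicated   = $state[$dc].AdDs     # false after the timeout points at AD DS replication
        }
    }
}

Test-GroupPolicyReplication | Format-Table -AutoSize
```

A domain controller that shows one column true and the other false tells you which of the two replication mechanisms to investigate, as the paragraph above describes.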
During Group Policy refresh, the client contacts an available domain controller. If any GPOs changed,
the domain controller provides a list of all the appropriate GPOs.
By default, GPOs are processed at the computer only if the version number of at least one GPO has
changed on the domain controller that the computer is accessing.
Group Policy reporting provides information about when the last Group Policy refresh occurred, on
the summary page. The report also tells you if the loopback setting is enabled.
Key Points
There are a number of diagnostic tools and logs that you can use to verify whether you can trace a
problem to core Group Policy.
GPResult
Similar to Group Policy reporting, the GPResult tool is a command-line utility that displays slightly
different RSoP information about the user, computer, and Group Policy affecting them. GPResult lists
information that GPMC does not provide, including the domain controller that supplied the Group Policy
and the slow-link threshold.
Gpupdate
This tool refreshes local and AD DS-based Group Policy settings, including security settings. You can also
use it to force the client to pull policy settings from the domain controller.
Dcgpofix
This tool restores the default Group Policy objects to their original state after initial installation. You can
restore the Default Domain Policy, the Default Domain Controllers Policy, or both.
GPLogView
This utility is for use with Windows Vista and later versions, and is primarily used to export Group
Policy-related events from the System and Group Policy operational logs into text, HTML, or XML files. You
can also run the tool with the -m switch, and monitor real-time activities. You can download this utility
from the Microsoft download site.
Group Policy settings that are not processed or not applied as expected
Whether a given GPO is accessible, and if not, why access was denied
In addition to Userenv.log, the following CSEs provide their own verbose logs that you can enable by
modifying the registry:
Windows Vista introduces a change to the way that the Group Policy engine provides information. Group
Policy logging information is no longer kept in the Userenv.log file. Detailed logging is now kept in the
System event log and the Group Policy operational log. The System event log can be accessed through
Event Viewer's Applications and Services Logs section. You can use GPLogView to aggregate events from
the Group Policy operational logs into a single-view file that you can review later, or you can enable it to
run in monitor mode to see real-time event processing.
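The following is an added example, not part of the course: it reads the Group Policy operational log described above and summarises the most recent processing cycles (start, outcome, warnings and errors, and the applied and not-applied GPO lists), roughly what you would follow in GPLogView's monitor mode. It assumes Windows Vista or later and an elevated prompt on the client being diagnosed; the event ID ranges in the comments are the documented GPSVC ranges.

```powershell
# Added example (not from the course): summarise recent Group Policy processing
# cycles from the operational log. Assumes Windows Vista or later and an elevated
# prompt (use -ComputerName for a remote client with remote event log access).
function Get-GpProcessingCycles {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000, [int]$Last = 3)
    $log = Get-WinEvent -ComputerName $ComputerName -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents $MaxEvents
    # Every event of one refresh cycle carries the same ActivityId, so grouping on it
    # reconstructs the cycle from its start event to its end event
    $cycles = $log | Where-Object { $_.ActivityId } | Group-Object -Property ActivityId |
        Sort-Object -Property { ($_.Group | Measure-Object -Property TimeCreated -Minimum).Minimum } -Descending |
        Select-Object -First $Last
    foreach ($c in $cycles) {
        $g   = @($c.Group | Sort-Object -Property TimeCreated)
        $ids = $g | ForEach-Object { $_.Id }
        # Documented GPSVC ids: 4000-4007 start a cycle, 8000-8007 end it successfully,
        # 7000-7007 end it with an error; 5312 lists applied GPOs, 5313 GPOs that did not apply
        $outcome = if ($ids | Where-Object { $_ -ge 8000 -and $_ -le 8007 }) { 'Success' }
                   elseif ($ids | Where-Object { $_ -ge 7000 -and $_ -le 7007 }) { 'Failed' }
                   else { 'Incomplete' }
        [pscustomobject]@{
            ActivityId = $c.Name
            Started    = $g[0].TimeCreated
            Ended      = $g[-1].TimeCreated
            Outcome    = $outcome
            # Levels 1-3 are critical, error and warning; keep the first line of each message
            Problems   = @($g | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
                           ForEach-Object { "$($_.Id): $(($_.Message -split "`r?`n")[0])" })
            AppliedGpos    = ($g | Where-Object { $_.Id -eq 5312 } | Select-Object -First 1).Message
            NotAppliedGpos = ($g | Where-Object { $_.Id -eq 5313 } | Select-Object -First 1).Message
        }
    }
}

Get-GpProcessingCycles | Format-List
```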
Key Points
In this demonstration, you will see how to:
Description of problem: No users should be able to access the Run command on the Start menu, but
all users in the IT OU currently have access to the Run command.
On NYC-DC1, in the Group Policy Management window, restore the TestA GPO from backup. The
TestA GPO is located at C:\Tools\GPOBackup.
In the Group Policy Management window, link the TestA GPO to the IT OU.
Click Start, and then notice the presence of the Run command. It should not be present.
On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.
In the report summary, under User Configuration Summary, notice that the TestA GPO is being
applied.
On the Settings tab, under User Configuration, notice that the Add the Run command to the
Start Menu setting is enabled.
In the Group Policy Management Editor window, under User Configuration, Policies,
Administrative Templates, Start Menu and Taskbar, change Add the Run command to the Start
Menu to Disabled, and then click OK.
Click Start, and notice that the Run command is no longer present.
Result: After completing this exercise, you will have resolved a Group Policy object issue.
Description of problem: Since the application of the GPO, Ed has access to the Run command on his
Start menu.
On NYC-DC1, in the Group Policy Management window, restore the TestB GPO from backup. The
TestB GPO is located at C:\Tools\GPOBackup.
In the Group Policy Management window, link the TestB GPO to the Loopback OU. You may need
to refresh the Group Policy Management console to view the new OU.
In Active Directory Users and Computers, move the NYC-CL1 computer from the Computers
container to the Loopback OU.
Restart NYC-CL1.
When the computer restarts, log on as Contoso\Ed, with the password, Pa$$w0rd.
Click Start and notice that the Run command is present once again.
On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.
In the summary report, under Computer Configuration, review the applied GPOs and notice that
the TestB GPO has been applied.
On the Settings tab, under Computer Configuration, notice that loopback processing mode is
enabled.
Note: Group Policy applies to the user, computer, or both in a manner that depends on where both the
user and the computer objects are located in Active Directory. However, in some cases, users may need
policy applied to them based on the location of the computer object alone. You can use the Group
Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.
In the Group Policy Management window, disable the link for the TestB GPO.
Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there
were other settings in the GPO that you did wish to have applied.
Restart NYC-CL1.
When the computer restarts, log on as CONTOSO\Ed, with the password, Pa$$w0rd.
Click Start and notice that the Run command is no longer present.
Result: After completing this exercise, you will have resolved a Group Policy object issue.
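The loopback exercise above as PowerShell, added here as an example that is not part of the course: it reproduces the problem (restore and link TestB, move NYC-CL1 into the Loopback OU), then shows with a small check why Ed's user policy now depends on the computer he logs on to (the loopback mode lives under HKLM in the computer's scope), and finally applies the fix the exercise uses, disabling the link. It assumes the GroupPolicy and ActiveDirectory modules on NYC-DC1, the lab names used above, and that the GPMC restore in the steps is equivalent to Import-GPO with -CreateIfNeeded.

```powershell
# Added example (not from the course): the loopback exercise as PowerShell, with a
# check that lists which GPOs in the computer's scope set loopback mode. Assumes the
# GroupPolicy and ActiveDirectory modules on NYC-DC1 and the lab names above.
$domainDn   = (Get-ADDomain).DistinguishedName
$loopbackOu = "OU=Loopback,$domainDn"

function Get-LoopbackSetting {
    # Loopback is a computer setting (HKLM), so only the computer object's OU and the
    # enabled links in its scope decide whether Ed's user policy is replaced or merged
    param([Parameter(Mandatory)][string]$ComputerName)
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $computerOu = $computerDn -replace '^CN=[^,]+,', ''
    $links = (Get-GPInheritance -Target $computerOu).InheritedGpoLinks | Where-Object { $_.Enabled }
    foreach ($l in $links) {
        try {
            $v = Get-GPRegistryValue -Name $l.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                                     -ValueName 'UserPolicyMode' -ErrorAction Stop
        } catch { continue }            # this GPO does not configure loopback
        $mode = switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
        [pscustomobject]@{ GPO = $l.DisplayName; LoopbackMode = $mode; ComputerOU = $computerOu }
    }
}

# Reproduce the problem: bring TestB back from the lab backup, link it, move the client
Import-GPO -BackupGpoName 'TestB' -Path 'C:\Tools\GPOBackup' -TargetName 'TestB' -CreateIfNeeded | Out-Null
New-GPLink -Name 'TestB' -Target $loopbackOu -LinkEnabled Yes | Out-Null
Move-ADObject -Identity (Get-ADComputer -Identity 'NYC-CL1').DistinguishedName -TargetPath $loopbackOu
Get-LoopbackSetting -ComputerName 'NYC-CL1'      # lists TestB with its loopback mode

# Fix it the way the exercise does: disable the link and leave the GPO itself intact
Set-GPLink -Name 'TestB' -Target $loopbackOu -LinkEnabled No | Out-Null
Get-LoopbackSetting -ComputerName 'NYC-CL1'      # TestB is no longer listed
# Then restart NYC-CL1 (or run gpupdate /force there) before logging on as Ed again
```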
Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. What methods exist that allow you to modify the application of Group Policy settings within AD DS?
Answer: You control policy processing through link order/precedence, by overriding inheritance, blocking
inheritance, enforcing link inheritance, security/WMI filtering, disabling/enabling user/computer
configuration processing, and/or modifying loopback processing.
2. A user in one of your organization's branch locations is not receiving a software deployment
package that has been assigned to his computer in a GPO. Upon consulting GPMC, you discover that
the GPO is linked to the proper OU containing the user's computer and that no filtering or
inheritance settings are affecting the GPO. What could be the problem?
Answer: Since the user is connecting from a branch location, the bandwidth available between the user's
computer and the nearest domain controller may be detected as a slow link.
Tools
Tool: Group Policy Management Console
Use for: Managing Group Policy application in an AD DS domain.
Where to find it: On the Administrative Tools menu.

Tool: Group Policy module for Windows PowerShell
Use for: Automating many of the same tasks for domain-based GPOs that you perform in the user interface
by using GPMC.

Tool: GPResult.exe
Use for: Displaying RSoP information about the user, computer, and Group Policy affecting them.

Tool: Gpupdate.exe
Use for: Refreshing local and AD DS-based Group Policy settings.

Tool: Dcgpofix.exe
Use for: Restoring the default Group Policy objects to their original state after initial installation.

Tool: GPLogView
Use for: Monitoring and exporting Group Policy-related events from the System and operational logs.
Module 10
Using Group Policy to Configure User and Computer
Settings
Module Overview
In this module, you will learn how to configure a user environment by using Group Policy. Specifically, this
module provides the skills and knowledge that you need to use Group Policy to configure Folder
Redirection and to use scripts. You also will learn how Administrative Templates affect Microsoft Windows
7 and Windows Server 2008, and how to deploy software by using Group Policy. This module will also
describe how to use Group Policy preferences to enhance group policy settings.
After completing this module, you will be able to:
Lesson 1
Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You can
also redirect folders that the user's profile includes, from the users' local hard disks to a central server.
After completing this lesson, you will be able to:
Key Points
With Folder Redirection, you can easily manage and back up data. By redirecting folders, you can ensure
user access to data regardless of the computers to which the users log on. Folder redirection has the
following characteristics:
When you redirect folders, you change the folder's storage location from the local hard disk of the
user's computer to a shared folder on a network file server.
After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard
disk.
Offline Files technology can be used in conjunction with redirection to synchronize the data in the
redirected folder to the user's local hard drive. This ensures that users have access to their data if a
network outage occurs or if the user is working offline.
Users that log on to multiple computers can access their data as long as they can access the network
share.
Offline folders allow users to access their data even if they are disconnected from the local area
network (LAN).
Roaming profile size can be greatly reduced by redirecting data from the profile.
Key Points
In a Group Policy object (GPO), the following settings are available for folder redirection: None, Basic,
Advanced, and Follow the Documents folder:
Basic. Basic folder redirection is for users who must redirect their folders to a common area or users
who need their data to be private.
Advanced. Advanced redirection allows you to specify different network locations for different Active
Directory security groups.
Follow the Documents. Follow the Documents folder redirection is available only for the Pictures,
Music, and Videos folders. It makes the affected folder a subfolder of the Documents folder.
If you choose Basic or Advanced, you can choose from the following target folder locations:
Create a folder for each user under the root path. This option creates a folder in the form
\\server\share\User Account Name\Folder Name. Each user has a unique path for the redirected
folder to keep data private. By default, that user is granted exclusive rights to the folder, and in the
case of the Documents folder, the current contents of the folder are moved to the new location.
Redirect to the following location. This option uses an explicit path for the redirection location. It
causes multiple users to share the same path for the redirected folder. By default, that user is granted
exclusive rights to the folder, and in the case of the Documents folder, the current contents of the
folder are moved to the new location.
Redirect to the local user profile location. This option moves the location of the folder to the local
user profile under the Users folder.
Redirect to the user's home directory. This option is available only for the Documents folder.
Note: After the initial creation and application of a GPO that delivers folder redirection settings, users
require two logons before redirection takes effect. This is because users will log on with cached
credentials.
Question: Users in the same department often log on to different computers. They need access to their
Documents folder. They also need the data to be private. Which folder redirection setting should you
choose?
Key Points
You need to manually create and permission a shared network folder to store the redirected folders.
However, folder redirection can also create the users' redirected folders. Folder permissions are handled as
follows:
When you use this option, the correct subfolder permissions are set automatically.
If you manually create folders, you must know the correct permissions. These permissions are
illustrated on the slide.
Question: What steps should you take to protect the data while it is in transit between the client and the
server?
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
Create a shared folder
1. On NYC-DC1, click Start, click Computer, double-click the C: drive, and then create a folder named
C:\Redirect.
2. Share the folder with Everyone with Full Control permission.
Create a GPO to redirect the Documents folder
1. Open the Group Policy Management console and create and link a GPO named Folder Redirection
to the Contoso domain.
2. Edit the Folder Redirection GPO.
3. Configure the Documents folder properties to use the Basic - Redirect everyone's folder to the
same location setting.
4. Ensure that the Target folder location is set to Create a folder for each user under the root path.
5. Make the Root Path \\NYC-DC1\Redirect.
6. Close all open windows on NYC-DC1.
Test the Folder Redirection
1. Log on to NYC-CL1 as Contoso\Administrator.
Key Points
You can use Group Policy scripts to perform any number of tasks. There may be actions that you need to
perform every time a computer starts or shuts down, or when users log off or on. For example, you can
use scripts to:
Clean up desktops when users log off and shut down computers.
Scripts that are assigned to the computer run in the security context of the Local System account. Scripts
that are assigned to the user logging on run in the security context of that user.
Aspects of how scripts run are controlled by other Group Policy settings. For example, if multiple scripts
are assigned, you can control whether they run synchronously or asynchronously.
Scripts can be written in any scripting language that the Windows client can interpret, such as VBScript,
JScript, or simple command or batch files.
Note: In Windows Server 2008 R2, the user interface (UI) in Group Policy Editor for Logon, Logoff,
Startup, and Shutdown scripts now has an extra tab for PowerShell scripts. You can simply add your
PowerShell script to this tab to deploy it. Windows Server 2008 R2 or Windows 7 can run PowerShell
scripts via Group Policy.
Scripts are stored in shared folders on the network. You need to ensure that the client has access to that
network location or scripts fail to run. Although scripts can be stored in any network location, as a best
practice, use the Netlogon share because all users and computers that are authenticated to Active
Directory Domain Services (AD DS) have access to this location.
For many of these settings, using Group Policy preferences is a better alternative to configuring them in
Microsoft Windows images or using logon scripts. Group Policy preferences are covered in more detail
later in this module.
Question: Which permissions are required on network shares so that clients can connect and run a script?
Key Points
In this demonstration, you will see how to:
Create and link a GPO to use the script and store the script in the Netlogon share.
Demonstration Steps:
Create a logon script to map a network drive.
Save the file as Map.bat. In the Save As dialog box, click the Save as type: drop-down arrow and
select All Files (*.*) as the type. Save the file to the default location of Documents.
Create and link a GPO to use the script and store the script in the Netlogon share.
Use the Group Policy Management console to create and link a new GPO named Drivemap to the
Contoso domain.
Click Start and click Computer and then verify that the drive is mapped.
Question: What other method could you use to assign logon scripts to users?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.
Lab Scenario
Contoso, Ltd. has decided to implement Group Policy to manage user desktops. The organization has
already implemented an organizational unit (OU) configuration that includes top-level OUs of different
departments. Contoso, Ltd. wants to use Group Policy to map network locations for users and redirect the
documents of specific users to ensure their data is secured and backed up.
1. On NYC-DC1, use Notepad to create a batch file named Map.bat that maps drive T to the
\\nyc-dc1\data share.
2. Save the file to the default location. In the Save As dialog box, click the Save as type: drop-down
arrow and select All Files (*.*) as the type. Save the file to the default location of Documents.
3. Browse to the saved location and copy the file to the clipboard.
Edit the Drivemap GPO to assign the Map.bat logon script to users.
Share the Redirect folder to the Research group and grant them Read/Write permission.
Create and link a new GPO named Redirect to the Research OU.
Edit the Redirect GPO to redirect the Documents folder with the following settings:
Target folder location: Create a folder for each user under the root path.
Examine the properties of the Documents folder. Note that the location of the folder is now the
Redirect network share in a subfolder named for the user.
Results: In this exercise, you created and set permissions on a shared folder. You created and linked a
GPO to redirect the executives' documents to the shared folder.
Lesson 2
The Administrative Template files provide the majority of available policy settings, which are designed to
modify specific registry keys. This is known as registry-based policy. For many applications, the use of
registry-based policy that the Administrative Template files deliver is the simplest and the best way to
support centralized management of policy settings. In this lesson, you will learn how to configure
Administrative Templates.
After completing this lesson, you will be able to:
Key Points
Administrative Templates allow you to control the environment of the operating system and user
experience. There are two sets of Administrative Templates: one for users and one for computers. Using
the administrative template sections of the GPO, you can deploy hundreds of modifications to the
registry. Administrative Templates have the following characteristics:
They are organized into subfolders that deal with specific areas of the environment, such as Network,
System, and Windows Components.
The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and
settings in the user section edit the HKEY_CURRENT_USER hive in the registry.
Some settings exist for both user and computer. For example, there is a setting to prevent Windows
Messenger from running in both the user and the computer templates. In case of conflicting settings,
the computer setting prevails.
Some settings are available only to certain versions of Windows operating systems; for example, a number
of new settings can be applied only to the Windows 7 family of operating systems. Double-clicking
a setting displays the supported versions for that setting.
Question: Which settings are you currently configuring manually or through scripts that you could
configure by using Group Policy?
Key Points
ADM Files
Traditionally, ADM files have been used to define the settings that the administrator can configure
through Group Policy. Each successive Windows operating system and service pack has included a newer
version of these files. ADM files use their own markup language. Therefore, it is difficult to customize ADM
files. The ADM templates are located in the %SystemRoot%\Inf folder.
A major drawback of ADM files is that they are copied into every GPO that is created, and consume about
3 megabytes (MB) of space. This can cause the Sysvol folder to become very large and increase replication
traffic.
ADMX Files
Windows Vista and Windows Server 2008 introduced a new format for displaying registry-based policy
settings. These settings are defined by using a standards-based XML file format known as ADMX files.
These new files replace ADM files. Group Policy tools on Windows Vista and later and Windows Server
2008 will continue to recognize the custom ADM files that you have in your existing environment, but will
ignore any ADM file that ADMX files have superseded. Unlike ADM files, ADMX files are not stored in
individual GPOs. The Group Policy Object Editor will automatically read and display settings from the local
ADMX file store. By default, ADMX files are stored in the Windows\PolicyDefinitions folder, but they can
be stored in a central location.
ADMX files are language neutral. The plain language descriptions of the settings are not part of the
ADMX files. They are stored in language-specific ADML files. This means that administrators who speak
different languages, such as English and Spanish, can look at the same GPO and see the policy
descriptions in their own language because they can each use their own language-specific ADML files.
ADML files are stored in a subfolder of the PolicyDefinitions folder. By default, only the ADML language
files for the language of the installed operating system are added.
Question: How could you tell if a GPO was created or edited by using ADM or ADMX files?
Question: Can you list one benefit of the ADMX format with Group Policy object?
Key Points
For domain-based enterprises, administrators can create a central store location of ADMX files that is
accessible by anyone with permission to create or edit GPOs. The GPO Editor on Microsoft Windows 7 and
Windows Server 2008 automatically reads and displays Administrative Template policy settings from
ADMX files that the central store caches and ignores the ones stored locally. If the domain controller is
not available, the local store is used.
You must create the central store and then update it manually on a domain controller. The use of ADMX
files is dependent on the operating system of the computer where you are creating or editing the GPO.
Therefore, the domain controller can be a server with Microsoft Windows 2000, or later. The File
Replication Service (FRS) will not replicate the domain controller to that domain's other controllers. Either
FRS or DFS-R is used to replicate the data, depending on server operating system and configuration.
To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the
following location:
\\FQDN\SYSVOL\FQDN\policies
For example, to create a central store for the Test.Microsoft.com domain, create a PolicyDefinitions folder
in the following location:
\\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies
A user must copy all files and subfolders of the PolicyDefinitions folder. The PolicyDefinitions folder on a
Windows 7-based computer resides in the Windows folder. The PolicyDefinitions folder stores all .admx
files and .adml files for all languages that are enabled on the client computer.
Note: A user must log on to the DC with an account that is a member of the Domain Admins group.
To ensure the appropriate languages are available, the Win7 desktop used must have the appropriate
language packs.
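The central store procedure above as an added example that is not part of the course: it copies the local PolicyDefinitions folder (the .admx files and every language subfolder with its .adml files) to the \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions path given above, then reports, per language folder, which .admx files have no matching .adml, which is the gap a missing language pack leaves. It assumes you run it as a Domain Admin from a domain-joined Windows 7 or later computer and that $env:USERDNSDOMAIN holds the domain FQDN.

```powershell
# Added example (not from the course): create the ADMX central store from the local
# PolicyDefinitions folder and check each language folder for missing .adml files.
# Assumes Domain Admin rights on a domain-joined Windows 7 or later computer.
function Get-AdmxLanguageGaps {
    param([Parameter(Mandatory)][string]$Store)
    $admx  = @(Get-ChildItem -Path $Store -Filter '*.admx' | ForEach-Object { $_.BaseName })
    $langs = Get-ChildItem -Path $Store | Where-Object { $_.PSIsContainer }   # e.g. en-US, es-ES
    foreach ($lang in $langs) {
        $adml = @(Get-ChildItem -Path $lang.FullName -Filter '*.adml' | ForEach-Object { $_.BaseName })
        [pscustomobject]@{
            Language    = $lang.Name
            AdmxCount   = $admx.Count
            AdmlCount   = $adml.Count
            # Templates listed here cannot be displayed in that language by the editor
            MissingAdml = @($admx | Where-Object { $adml -notcontains $_ })
        }
    }
}

function New-AdmxCentralStore {
    param(
        [string]$Domain     = $env:USERDNSDOMAIN,
        [string]$LocalStore = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )
    # The path the text gives: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions
    $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $central)) {
        New-Item -ItemType Directory -Path $central | Out-Null
    }
    # Copy the .admx files and every language subfolder with its .adml files; running
    # it again after installing a language pack adds the new language folder
    Copy-Item -Path (Join-Path $LocalStore '*') -Destination $central -Recurse -Force
    Get-AdmxLanguageGaps -Store $central
}

New-AdmxCentralStore | Format-Table -AutoSize
```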
Question: Can the central store exist on a Windows 2003 domain controller?
Key Points
Spend a few minutes examining the administrative templates and consider how some of them could be
employed in your organization.
Be prepared to share information about your organization's current use of GPOs and logon scripts, such
as:
Which Group Policy settings will you find useful in your organization?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The organization has already implemented an OU configuration that includes top-level OUs for different
departments. User accounts are in the same container as their workstation computer accounts. All users
are running the Windows 7 operating system. You need to configure several Group Policy settings to
control the user environment and make the desktop more secure.
You will also modify the Default Domain Policy to allow remote administration through the firewall,
allowing you to run Group Policy Results queries against target computers in the domain.
The main tasks for this exercise are as follows:
1. On NYC-DC1, open Group Policy Management and create and link a new GPO named
ResearchDesktop to the Research OU.
2. Edit the ResearchDesktop GPO to enable the Prevent access to registry editing tools setting.
3. Edit the ResearchDesktop GPO to enable the Remove Run menu from Start Menu setting.
4. Edit the ResearchDesktop GPO to enable the Removable disks: Deny write access setting.
5. Edit the ResearchDesktop GPO to enable the Prevent changing desktop background setting.
6. Edit the Default Domain Policy to enable the Windows Firewall: Allow inbound remote
administration exception for the LocalSubnet.
Ensure that the Run menu does not appear on the Accessories menu.
Results: In this exercise, you created and linked a GPO to control the desktop environment.
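The lab tasks above and the registry-based policy mechanism described in Lesson 2 (user-section settings edit HKEY_CURRENT_USER, computer-section settings edit HKEY_LOCAL_MACHINE), as one added example that is not part of the course: it creates and links ResearchDesktop, writes the four user settings and the firewall exception as the registry values behind their Administrative Template settings, and reads them back from the GPO. It assumes the GroupPolicy and ActiveDirectory modules on NYC-DC1; the key and value names are taken from the corresponding templates and are assumptions to confirm with Get-GPRegistryValue after setting one in the GUI.

```powershell
# Added example (not from the course): the ResearchDesktop lab as registry-based
# policy, showing the HKCU/HKLM split described in Lesson 2. Key and value names are
# assumed from the corresponding administrative templates; verify them once against
# a GUI-edited GPO with Get-GPRegistryValue.
Import-Module GroupPolicy
$domainDn = (Get-ADDomain).DistinguishedName
$gpo = New-GPO -Name 'ResearchDesktop'
New-GPLink -Name $gpo.DisplayName -Target "OU=Research,$domainDn" | Out-Null

# User Configuration: every one of these lands under HKCU on the client
$userPolicies = @(
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'DisableRegistryTools'; Value = 1 }   # Prevent access to registry editing tools
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoRun'; Value = 1 }                  # Remove Run menu from Start Menu
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       ValueName = 'NoChangingWallPaper'; Value = 1 }    # Prevent changing desktop background
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       ValueName = 'Deny_Write'; Value = 1 }             # Removable Disks: Deny write access
)
foreach ($p in $userPolicies) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $p.Key -ValueName $p.ValueName `
                        -Type DWord -Value $p.Value | Out-Null
}

# Computer Configuration lands under HKLM; the remote administration exception goes
# into the Default Domain Policy so every computer accepts RSoP queries from the LocalSubnet
$fwKey = 'HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
$firewallPolicies = @(
    @{ Key = $fwKey; ValueName = 'Enabled';         Value = 1;             Type = 'DWord' }
    @{ Key = $fwKey; ValueName = 'RemoteAddresses'; Value = 'LocalSubnet'; Type = 'String' }
)
foreach ($p in $firewallPolicies) {
    Set-GPRegistryValue -Name 'Default Domain Policy' -Key $p.Key -ValueName $p.ValueName `
                        -Type $p.Type -Value $p.Value | Out-Null
}

function Test-GpoRegistryPolicy {
    # Reads the values back from the GPO itself (not from a client), the same data the
    # Settings report in GPMC shows, and flags anything that did not get written
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][hashtable[]]$Expected)
    foreach ($e in $Expected) {
        try {
            $actual = (Get-GPRegistryValue -Name $GpoName -Key $e.Key -ValueName $e.ValueName -ErrorAction Stop).Value
        } catch { $actual = $null }
        [pscustomobject]@{
            GPO = $GpoName; Hive = ($e.Key -split '\\')[0]; ValueName = $e.ValueName
            Expected = $e.Value; Actual = $actual; Ok = ($actual -eq $e.Value)
        }
    }
}

Test-GpoRegistryPolicy -GpoName $gpo.DisplayName -Expected $userPolicies | Format-Table -AutoSize
Test-GpoRegistryPolicy -GpoName 'Default Domain Policy' -Expected $firewallPolicies | Format-Table -AutoSize
```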
Lesson 3
Windows Server 2008 includes a feature called Software Installation and Maintenance that AD DS, Group
Policy, and the Windows Installer service use to install, maintain, and remove software from your
organization's computers.
After completing this lesson, you will be able to:
Describe how Group Policy Software Distribution addresses the Software Life Cycle.
Compare Group Policy software distribution with System Center Configuration Manager 2007 R2.
How Group Policy Software Distribution Addresses the Software Life Cycle
Key Points
The software life cycle consists of four phases: preparation, deployment, maintenance, and removal.
Group Policy can be used to manage all phases except the preparation. You can apply Group Policy
settings to users or computers in a site, domain, or organizational unit to automatically install, upgrade, or
remove software.
By applying Group Policy settings to software, you can manage the phases of software deployment
without deploying software on each computer individually.
Question: How do you currently deploy software in your organization?
Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process. The Windows Installer service installs Microsoft Installer (.MSI) package files. An MSI file contains a database that stores all the instructions required to install the application. Small applications may be contained entirely in the MSI file, whereas larger applications have many associated source files that the MSI references. Many ISVs provide MSI files for their applications.
The Windows Installer service has the following characteristics:
This service runs with elevated privileges, so the Windows Installer service can install software no matter which user is logged on to the system. Users require only read access to the software distribution point.
Applications are resilient. If an application becomes corrupted, the installer will detect and reinstall or
repair the application.
Windows Installer cannot install .EXE files. To distribute a software package that installs with an .EXE
file, the .EXE file must be converted to an .MSI file by using a third-party utility.
Question: Do users need administrative rights to manually install applications that have MSI files?
Question: What are some disadvantages of deploying software through Group Policy?
Key Points
There are two deployment types available for delivering software to clients. Administrators can either
install software for users or computers in advance by assigning the software, or give users the option to
install the software when they require it by publishing the software in Active Directory Domain Services.
Both user and computer configuration sections of a GPO have a Software Settings section. Software is
added to a GPO by adding a new package to the Software Installation node and specifying whether to
assign or publish it.
You can also choose advanced deployment of a package. This option is used to apply a customization file to a package for custom deployment; for example, you might use the Office Customization Tool to create a setup customization file for deploying Microsoft Office 2010.
Assigning Software
Assigned software has the following characteristics:
When you assign software to a user, the user's Start menu advertises the software when the user logs on. Installation does not begin until the user double-clicks the application's icon or a file that is associated with the application.
Users do not share deployed applications; an application you install for one user through Group Policy will not be available to other users.
When you assign an application to a computer, the application is installed the next time the
computer starts. The application will be available to all users of the computer.
Publishing Software
Publishing software has the following characteristics:
The Control Panel's Programs applet advertises a published program to the user. Users can install the application by using the Programs applet, or you can set it up so that the application is installed by document activation.
Applications that users do not have permission to install are not advertised to them.
Note: When configuring Group Policy to deploy applications, the packages must be referenced by UNC paths. If you use local paths, the deployment will fail.
Question: What is the advantage of publishing an application over assigning it?
Key Points
In this demonstration, the instructor will show how to:
Demonstration Steps:
Create and populate an application distribution folder.
1. On NYC-DC1, click Start, click Computer, and then create a folder named C:\AppDeploy.
Restart NYC-CL1 and log on as the administrator. A restart is required to install the assigned
application.
Open the Control Panel. From the Programs and Features page, ensure that the XML Notepad
2007 application is being advertised on the network.
Note: You require the 6419B-NYC-DC1 and 6419B-NYC-SVR1 virtual machines to complete this
demonstration. Log on to NYC-DC1 as Contoso\Administrator, with the password, Pa$$w0rd. Do
not log on to NYC-SVR1.
Key Points
Software vendors occasionally release software patches. These usually address minor issues, such as a bug
fix or feature enhancements that do not warrant a complete reinstallation of the application. Microsoft
releases software patches via .MSP files.
Major upgrades that provide new functionality require upgrading a software package to a newer version. The Upgrades tab allows you to upgrade a package by using the GPO. Upgrades using Group Policy have the following characteristics:
You may redeploy a package if the original Windows Installer file has been modified.
Upgrades will often remove the old version of an application and install a newer version, usually
maintaining application settings.
You can remove software packages if they were delivered originally by using Group Policy. This is
useful if an LOB application is being replaced with a different application. Removal can be mandatory
or optional.
Question: Your organization is upgrading to a newer version of a software package. Some users in the
organization require the old version. How would you deploy the upgrade?
Key Points
One of the most time-consuming tasks in an information technology (IT) environment is software
deployment and maintenance. Automating software deployment is an important step towards lowering
the costs and making your IT department more efficient.
Group Policy is not the only way that software can be deployed. The following table compares Group
Policy software deployment with System Center Configuration Manager 2007 R3 software deployment
features.
Group Policy Software Deployment: Is available at no extra cost as part of the operating system.
System Center Configuration Manager 2007 R3 Software Deployment: Can create and distribute packages that can run any executable.
Question: Are students using SCCM or any other third-party software distribution application?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-SVR1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on to 6419B-NYC-DC1 by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
Users in the IT department need to have the XML Notepad 2007 application available on the network in case they need to install it on their computers. It has been decided to use Group Policy Software Installation to publish the application so that it is available to install on any computer that an IT user logs on to. You will create and populate a software distribution share. Then, you will create and configure a GPO to publish the software.
Task 1: Create and populate a shared folder to act as a software distribution point
Task 3: Configure the GPO to publish the XML Notepad 2007 application
Access the Programs applet in Control Panel and install XML Notepad 2007 from the network.
Lesson 4
Common settings that affect the user and computer environment, such as mapped drives, previously could not be delivered through Group Policy. These settings were usually delivered through logon scripts or imaging solutions. Windows Server 2008 includes the new Group Policy preferences, built in to the Group Policy Management Console (GPMC). Additionally, administrators can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows 7. This allows many common settings to be delivered through Group Policy.
Note: The Group Policy preferences client-side extensions are available for download and installation on Windows Vista RTM or later, Windows XP with Service Pack 2 or later, and Windows Server 2003 with Service Pack 1 or later.
After completing this lesson, you will be able to:
Key Points
Group Policy preferences comprise more than twenty Group Policy extensions that expand the range of configurable settings within a GPO. A number of settings that in the past had to be applied by scripts, such as drive mappings, can now be applied through preferences.
Group Policy preferences are natively supported on Windows Server 2008 and later and on Windows Vista
SP2 and later. Group Policy preferences client-side extensions for Windows Server 2003 and Windows
Vista SP1 and earlier can be downloaded and installed to provide support for preferences on those
systems.
Configuring Group Policy preferences does not require any special tools or software installation. They are
natively part of GPOs in Windows Server 2008 and are applied in the same manner as group policy
settings by default. Preferences have two distinct sections, Windows Settings and Control Panel Settings.
When you configure a new preference, you choose one of the following four basic actions:
Replace. Delete and re-create a preference setting for the user or computer. The result is that Group
Policy preferences replace all existing settings and files associated with the preference item.
Question: Your organization currently has a number of Windows 2000 workstations in the organization.
You wish to use Group Policy preferences to map printers for all users. What steps must you take to
support the Windows 2000 clients?
Key Points
Preferences are similar to policies in that they apply configurations to the user or computer, but there are several differences in how they are configured and applied. One of these differences is that preferences are not enforced; however, preferences can be automatically reapplied. The following is a list of differences between Group Policy settings and preferences:
Group Policy settings disable the user interface for settings managed by the policy; preferences do
not.
Group Policy settings are applied at regular intervals. Preferences may be applied once only or at
intervals.
The end user can change any preference setting that is applied through Group Policy, but policy
settings prevent users from changing them.
In some cases, the same setting can be configured through a policy setting as well as a preference
item. If conflicting preference and group policy settings are configured and applied to the same
object, the value of the policy setting always applies.
Group Policy preferences overwrite original settings; Group Policy settings do not.
Key Points
Windows settings allow you to control operating system-based settings. This is a valuable tool for performing common tasks, such as mapping network drives and placing shortcuts on desktops, without having to resort to scripts.
Windows Settings control the following user and computer settings:
Create, update, replace, and delete environment variables, just as with other preferences.
Create, update, replace, and delete shortcuts to file system objects, such as a folder or a URL.
Create, update, replace, and delete mapped network drives (user only).
Question: How can you configure Group Policy preferences from a Windows 7 system?
Key Points
Control Panel settings allow you to configure many of the Control Panel applets without the involvement of a technician. This is especially useful for performing tasks that are often difficult for users, such as configuring data source names and creating VPN connections.
Control Panel settings control the following user and computer settings:
Create, replace, update, or delete Open Database Connectivity (ODBC) data source names.
Create, replace, update, or delete Open With entries for file types.
Create, modify, or delete virtual private network (VPN) or dial-up connections.
Modify power options and create, replace, update, or delete power schemes.
Question: You need to configure a service to automatically start at computer startup. You do not want
local users to be able to change this behavior. How should you proceed?
Key Points
After you create a Group Policy Preference, you must configure its properties. Different preferences will
require different input information. For example, shortcut preferences require target paths, whereas
environment variables require variable types and values. Preferences also provide a number of features in
the common properties to assist in deployment.
Stop processing items in this extension if an error occurs. If an error occurs while processing a preference, no other preferences in this GPO will be processed.
Run in logged-on user's security context. Preferences can run as the System account or as the logged-on user. This setting forces the logged-on user's context.
Remove this item when it is no longer applied. Unlike policy settings, preferences are not removed when the GPO that delivered them is removed. This setting changes that behavior.
Apply once and do not reapply. Normally, preferences are refreshed at the same interval as Group Policy settings. This setting changes that behavior so that the setting is applied only once, at logon or startup.
Item-level targeting. One of the most powerful features of preferences is item-level targeting. It allows you to easily specify criteria that determine exactly which users or computers will receive a preference. Criteria include:
Computer name
IP address range
Operating system
Security group
User
Question: You have mapped a drive by using preferences, but the user reports that though the drive
appears, the user cannot access the drive. What might be the issue?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
Password: Pa$$w0rd
Domain: Contoso
You will use preferences to map a drive for the IT group to the IT documents folder.
Edit the Default Domain Policy to configure the following user preferences:
Reconnect at logon.
Edit the Default Domain Policy to configure the following user preferences:
On the Common tab, clear the Run in logged-on user's security context check box.
Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop.
Log on as Dylan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop.
Results: In this exercise, you used Group Policy preferences to map a drive to selected users and
create a desktop shortcut for all users.
Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
Why do some Group Policy settings take two logons before going into effect?
Troubleshooting Tip
The IT support technicians regularly visit user desktops to troubleshoot issues. They require that their
documents and troubleshooting tools always be available to install. Folder redirection can make their
documents and troubleshooting installation files available from any location.
Microsoft Office 2010 is being installed for all users in the organization. Approximately 1000 users will receive the application at the same time. What would be the best way to deploy this application? This application should be deployed by using SCCM or a third-party tool. It is too large to deploy by using Group Policy to many users at the same time.
Use folder redirection to decrease the size of user profiles and store user data on the network.
Use folder redirection to ensure that critical data will be backed up.
Module 11
Implementing Security Settings Using Group Policy
Module Overview
Failure to have adequate security policies can expose an organization to many risks. A well-designed security policy helps to protect an organization's investment in business information and internal resources such as hardware and software. Having a security policy in itself is not enough, however: you must implement the policy for it to be effective. Group Policy has a number of security-related components that can assist you in implementing security policies in your environment.
Objectives
After completing this module, you will be able to:
Lesson 1
Group Policy provides settings you can use to implement and manage security in your organization. Group Policy contains settings that control a large part of the Windows environment, including security. Aspects such as password and account requirements and auditing behavior are configurable by using Group Policy settings. In addition, several built-in components of Group Policy can help you to establish a consistent and secure environment.
Objectives
After completing this lesson, you will be able to:
Describe the security settings that can be configured by using Group Policy.
Describe the account policies that can be configured by using Group Policy.
Key Points
Security policies are rules that protect resources on computers and networks. Group Policy allows you to
configure many of these rules as Group Policy settings. For example, you can configure password policies
as part of Group Policy.
Group Policy has a large security section to configure security for both users and computers. This way, you
can apply security consistently across the organization in Active Directory Domain Services (AD DS) by
defining security settings in a Group Policy object that is associated with a site, domain, or OU.
Computer security areas that Windows XP, Windows Vista, Windows 7, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 support are:
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
New computer security areas that Windows Vista, Windows 7, Windows Server 2008 and Windows
Server 2008 R2 support are:
New computer security areas that Windows 7 and Windows Server 2008 R2 support are:
Key Points
Account policies protect your organization's accounts and data by mitigating the threat of brute-force guessing of account passwords. In Windows operating systems, and many other operating systems, the most common method for authenticating a user's identity is a secret password. Securing your network environment requires that all users use strong passwords. Password policy settings control the complexity and lifetime of passwords. You can configure password policy settings through Group Policy.
Function
Requires passwords to:
Be at least six characters long.
Contain a combination of at least three of the following characters: uppercase letters, lowercase letters,
Best Practice
Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple
Policy
Maximum password age
Minimum password age
Minimum password length
Store passwords by using reversible encryption
Policy
Account lockout threshold
Account lockout duration
Reset account lockout counter after
Kerberos Policy
This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes
and enforcement. Kerberos policies do not exist in Local Computer Policy.
Key Points
Every Windows 2000 Server or later computer has local policies. In these objects, Group Policy settings are stored on individual computers, regardless of whether they are part of an Active Directory environment. Local Group Policy Objects (LGPOs) are stored in a hidden folder named %windir%\System32\GroupPolicy. This folder does not exist until you configure an LGPO.
Account Policies
Local Policies
IP Security policies
When there are conflicts, security settings that you define in AD DS always override any that you define
on the local computer.
Key Points
The nine basic audit policies under Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Audit Policy allow you to configure security audit policy settings for broad sets of
behaviors, some of which generate many more audit events than others. An administrator has to review
all events that are generated, whether they are of interest or not.
In Windows Server 2008 R2 and Microsoft Windows 7, administrators can audit more specific aspects of
client behavior on the computer or network, thus making it easier to identify the behaviors that are of
greatest interest. For example, in Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Audit Policy, there is only one policy setting for logon events, Audit logon events.
In Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\System Audit Policies, you can instead choose from eight different policy settings in the
Logon/Logoff category. This provides you with more detailed control of what aspects of logon and logoff
you can track.
These security auditing enhancements can help your organization audit compliance with important
business-related and security-related rules by tracking precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
The correct system access control list (SACL) is applied to every file and folder or registry key on a
computer or file share as a verifiable safeguard against undetected access.
Key Points
Windows Server 2008 includes a new and enhanced version of Windows Firewall. The new Windows Firewall is a stateful, host-based firewall that allows or blocks network traffic according to its configuration.
Provides a new Microsoft Management Console (MMC) snap-in that you can use to configure advanced settings.
Integrates firewall filtering and Internet Protocol security (IPsec) protection settings.
Firewall Rules
Windows Firewall with Advanced Security allows you to create the following rules.
Program rule: This type of rule allows traffic for a particular program. You can identify the program by program path and executable name.
Port rule: This type of rule allows traffic on a particular TCP or User Datagram Protocol (UDP) port number or range of port numbers.
Predefined rule: Windows includes a number of Windows functions that you can enable, such as File and Printer Sharing, Remote Assistance, and Windows Collaboration. Creating a predefined rule actually creates a group of rules that allows the specified Windows functionality to access the network.
Custom rule: A custom rule allows you to create a rule that you may not be able to create by using the other types of rules.
Firewall rules can filter connections by user, computer, or groups in AD DS. For rules with these conditions,
you must secure the connection with IPsec by using a credential that carries the Active Directory account
information, such as Kerberos version 5 (v5).
Many pre-defined rules exist that allow normal network traffic to pass, such as Dynamic Host
Configuration Protocol (DHCP), Domain Name System (DNS) queries, and authentication requests. You
can modify or disable these rules as necessary.
The default behavior of the new Windows Firewall is to:
Windows Firewall comes preconfigured with a number of rules enabled to allow typical network traffic in
and out of a Windows Server computer.
Firewall Profiles
Windows Firewall with Advanced Security is a network-aware application. Network awareness enables
applications to sense changes to the network to which the computer is connected. The administrator can
create a profile for each network category, with each profile containing different firewall policies.
Windows Firewall supports three profiles by default.
When a user connects to a network that is not part of the domain category, Windows asks the user to
identify the network as either Public or Private. The user must be a local administrator of the computer to
identify the network as Private. Each profile has its own state, Off or On, its own settings, and its own
logging.
Lesson 2
Prior to Windows Server 2008, a single set of account policies, contained in the Default Domain Policy GPO, controlled password and account settings for the whole domain. In Windows Server 2008, fine-grained password policies let you apply different password requirements and account lockout policies to different Active Directory users or groups.
Objectives
After completing this lesson, you will be able to:
Key Points
In previous versions of AD DS, you could apply only one password and account lockout policy to all users in the domain. Fine-grained password policies allow you to have different password requirements and account lockout policies for different Active Directory users or groups. This is desirable when you want different sets of users to have different password requirements but do not want separate domains. For example, the Domain Admins group may need strict password requirements to which you do not want to subject ordinary users. If you do not implement fine-grained password policies, the normal Default Domain Policy account policies apply to all users.
Fine-grained password policies can be used to enhance the security of your domain environment and
typically act to complement the account policies in your Default Domain Policy GPO. Generally, the
Default Domain Policy GPO is used to control the majority of your accounts, and then fine-grained
password policies are applied to user accounts or groups that require or warrant a different account policy
than the rest of the domain.
Fine-grained password policies are not actual Group Policy settings. Rather, a fine-grained password
policy is contained in an object in Active Directory called a Password Settings Object (PSO). The PSO
contains all of the individual settings used to control AD DS user account behavior. A PSO is then linked to
one or more Active Directory users or groups, to whom the settings then apply, overriding the account
policy settings in the Default Domain Policy GPO.
Key Points
There are three major steps involved in implementing fine-grained password policies:
Creating a PSO
There are two tools you can use to create PSOs.
ADSIedit
LDIFDE
A Password Settings Container (PSC) is created by default under the System container in the domain. You can view it by using the Active Directory Users and Computers snap-in with Advanced Features enabled. It stores the Password Settings Objects (PSOs) for that domain.
A PSO has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos
settings). These settings include attributes for the following password settings:
These settings also include attributes for the following account lockout settings:
PSO link. This is a multivalued attribute that is linked to users and/or group objects.
Precedence. This is an integer value that is used to resolve conflicts if multiple PSOs are applied to a
user or group object.
These nine attributes are required attributes. This means that you must define a value for each one.
Settings from multiple PSOs cannot be merged.
A new attribute, msDS-PSOApplied, has been added to the user and group objects in Windows Server
2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied
attribute has a back-link, a user or group can have multiple PSOs applied to it.
You can link a PSO to other types of groups in addition to global security groups. However, only PSOs
that are linked to global security groups or user objects are considered. PSOs that are linked to
distribution groups or other types of security groups are ignored.
Integer8
Time-related values in a PSO are stored as an Integer8 data type. An Integer8 value is represented in
intervals of -100 nanoseconds.
While time-related values in PSO objects can be entered in a DD:HH:MM:SS format within the PSO
creation wizard, understanding the Integer8 format can help you convert Integer8 values you see in PSOs
to a more meaningful number.
You can use the following conversion guide table to obtain the corresponding I8 values:
Time unit: Multiplication factor
m minutes: -60*(10^7) = -600000000
h hours: -60*60*(10^7) = -36000000000
d days: -24*60*60*(10^7) = -864000000000
The following are examples of how to obtain appropriate I8 values for the time attributes.
To obtain the msDS-MaximumPasswordAge time attribute I8 value for two days, multiply 2 by -864000000000:
2*(-864000000000) = -1728000000000
To obtain the msDS-MinimumPasswordAge time attribute I8 value for 1 day, multiply 1 by -864000000000:
1*(-864000000000) = -864000000000
To obtain the msDS-LockoutObservationWindow time attribute I8 value for 30 minutes, multiply 30 by -600000000:
30*(-600000000) = -18000000000
To obtain the msDS-LockoutDuration time attribute I8 value for 30 minutes, multiply 30 by -600000000:
30*(-600000000) = -18000000000
Note: Although PSO values are stored in Integer8 format, you can use the easier and more logical DD:HH:MM:SS format for entering time values. For example, 30 minutes would be represented as 00:00:30:00, while 4 days would be represented as 04:00:00:00.
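The DD:HH:MM:SS to Integer8 conversion above, together with the LDIFDE route from the "Creating a PSO" topic, worked through as an added Python example (not code from the courseware): it converts the wizard-format values to Integer8, converts stored values back, and emits the LDIF that ldifde -i would import to create a PSO with the mandatory attributes. The domain name, PSO name, link target and setting values are constructed sample data; the msDS-* attribute names are the real schema names.

```python
"""Added example: DD:HH:MM:SS <-> Integer8 conversion and LDIF for a PSO."""
from typing import Dict, List

# A PSO time value is a negative count of 100-nanosecond intervals, so one
# second is -10^7 and the per-unit factors match the conversion table above.
TICKS_PER_SECOND = 10 ** 7
TICKS_PER_MINUTE = 60 * TICKS_PER_SECOND    # 600000000
TICKS_PER_HOUR = 60 * TICKS_PER_MINUTE      # 36000000000
TICKS_PER_DAY = 24 * TICKS_PER_HOUR         # 864000000000


def duration_to_integer8(value: str) -> int:
    """Convert a DD:HH:MM:SS string (the wizard format) to a negative Integer8."""
    parts = value.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected DD:HH:MM:SS, got {value!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    if min(days, hours, minutes, seconds) < 0 or hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range in {value!r}")
    return -(days * TICKS_PER_DAY + hours * TICKS_PER_HOUR
             + minutes * TICKS_PER_MINUTE + seconds * TICKS_PER_SECOND)


def integer8_to_duration(value: int) -> str:
    """Convert a stored Integer8 back to DD:HH:MM:SS when reading an existing PSO."""
    if value > 0:
        raise ValueError("PSO time values are stored as negative Integer8 values")
    days, rest = divmod(-value, TICKS_PER_DAY)
    hours, rest = divmod(rest, TICKS_PER_HOUR)
    minutes, rest = divmod(rest, TICKS_PER_MINUTE)
    return f"{days:02d}:{hours:02d}:{minutes:02d}:{rest // TICKS_PER_SECOND:02d}"


# Attributes that must be present on every PSO. The time-valued ones are
# converted from DD:HH:MM:SS; the rest are written exactly as supplied.
TIME_ATTRIBUTES = {"msDS-MinimumPasswordAge", "msDS-MaximumPasswordAge",
                   "msDS-LockoutObservationWindow", "msDS-LockoutDuration"}
REQUIRED_ATTRIBUTES = (
    "msDS-PasswordSettingsPrecedence",
    "msDS-PasswordReversibleEncryptionEnabled",
    "msDS-PasswordHistoryLength",
    "msDS-PasswordComplexityEnabled",
    "msDS-MinimumPasswordLength",
    "msDS-MinimumPasswordAge",
    "msDS-MaximumPasswordAge",
    "msDS-LockoutThreshold",
    "msDS-LockoutObservationWindow",
    "msDS-LockoutDuration",
)


def build_pso_ldif(name: str, domain_dn: str, settings: Dict[str, str],
                   applies_to: List[str]) -> str:
    """Return LDIF (for ldifde -i) that creates the PSO under the Password
    Settings Container; refuses to build it if a mandatory attribute is absent."""
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in settings]
    if missing:
        raise ValueError(f"missing required PSO attributes: {missing}")
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
    ]
    for attr in REQUIRED_ATTRIBUTES:
        raw = settings[attr]
        value = duration_to_integer8(raw) if attr in TIME_ATTRIBUTES else raw
        lines.append(f"{attr}: {value}")
    # msDS-PSOAppliesTo is the forward link the text calls the "PSO link"; each
    # user or group DN listed here receives the msDS-PSOApplied back-link.
    for dn in applies_to:
        lines.append(f"msDS-PSOAppliesTo: {dn}")
    return "\n".join(lines) + "\n"


# Constructed sample: a stricter policy for Domain Admins that locks the
# account for 30 minutes after five invalid logon attempts.
SAMPLE_DOMAIN = "DC=contoso,DC=com"
SAMPLE_LINKS = [f"CN=Domain Admins,CN=Users,{SAMPLE_DOMAIN}"]
SAMPLE_SETTINGS = {
    "msDS-PasswordSettingsPrecedence": "10",
    "msDS-PasswordReversibleEncryptionEnabled": "FALSE",
    "msDS-PasswordHistoryLength": "24",
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MinimumPasswordLength": "14",
    "msDS-MinimumPasswordAge": "01:00:00:00",
    "msDS-MaximumPasswordAge": "42:00:00:00",
    "msDS-LockoutThreshold": "5",
    "msDS-LockoutObservationWindow": "00:00:30:00",
    "msDS-LockoutDuration": "00:00:30:00",
}

if __name__ == "__main__":
    print(build_pso_ldif("AdminsPSO", SAMPLE_DOMAIN, SAMPLE_SETTINGS, SAMPLE_LINKS))
```

Save the printed output to a file and import it on a domain controller with ldifde -i -f <file>; the same functions let you read back the Integer8 values ADSIedit shows on an existing PSO.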
Key Points
Several considerations need to be made when implementing a fine-grained password policy:
Fine-grained password policies cannot be applied to OUs; they can only be applied to user objects
and global security groups.
Users or groups can have multiple PSOs applied to them. The PSO that determines the user's account
settings is the PSO with the lowest PSO Precedence integer value.
If you apply a Password Settings Object (PSO) directly to the user, it takes precedence over all group
assignments, regardless of the precedence values of the group-linked PSOs.
If no PSOs are linked to a user account, directly or through group membership, the account policy
settings contained in the Default Domain Policy GPO apply.
By default, only members of the Domain Admins group can create a PSO or apply a PSO to a group
or user.
To implement fine-grained password policies, the domain functional level must be Windows Server
2008 or higher.
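As an added example (not part of the course text), the following script shows the Integer8 conversion from the previous topic and the precedence rules above from the Active Directory module for Windows PowerShell, which ships with Windows Server 2008 R2 and RSAT. The PSO name ITAdmin, its link to Domain Admins and the 30-minute lockout after three attempts follow the lab later in this module; the remaining password settings and the NYC-DC1 host are placeholder assumptions.

```powershell
# Added example: Integer8 <-> TimeSpan conversion and PSO precedence checks.
# Requires the Active Directory module and a domain at the Windows Server 2008
# functional level or higher.
Import-Module ActiveDirectory

# A .NET TimeSpan counts ticks of 100 ns, exactly the unit AD uses for
# msDS-MaximumPasswordAge and the other PSO time attributes; AD stores the value negated.
function ConvertTo-PsoInteger8 ([TimeSpan]$Span) { return -$Span.Ticks }
function ConvertFrom-PsoInteger8 ([Int64]$I8)    { return [TimeSpan]::FromTicks(-$I8) }

# Sanity checks against the conversion table in the text.
ConvertTo-PsoInteger8 ([TimeSpan]::FromDays(2))       # -1728000000000
ConvertTo-PsoInteger8 ([TimeSpan]::FromMinutes(30))   # -18000000000
ConvertFrom-PsoInteger8 -864000000000                 # 1.00:00:00 (one day)

# Create the lab PSO. The cmdlet takes TimeSpans, so no Integer8 math is needed; note that
# .NET writes a TimeSpan as d.hh:mm:ss, not the DD:HH:MM:SS form used by the ADSI Edit wizard.
# Values other than the lockout settings are placeholders.
New-ADFineGrainedPasswordPolicy -Name "ITAdmin" -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "30.00:00:00" `
    -LockoutThreshold 3 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00"

# A PSO only takes effect when linked to a user or a global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity "ITAdmin" -Subjects "Domain Admins"

# The raw attribute on the object is still Integer8; read it back and convert.
$psoDn = "CN=ITAdmin,CN=Password Settings Container,CN=System,$((Get-ADDomain).DistinguishedName)"
$raw = (Get-ADObject -Identity $psoDn -Properties "msDS-MaximumPasswordAge")."msDS-MaximumPasswordAge"
$raw                          # -25920000000000
ConvertFrom-PsoInteger8 $raw  # 30.00:00:00

# Which policy actually wins for an account: lowest Precedence number, and a PSO linked
# directly to the user beats any group-linked PSO. No output means the Default Domain
# Policy applies to that account.
Get-ADUserResultantPasswordPolicy -Identity Administrator |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration
```

Get-ADUserResultantPasswordPolicy is the quickest way to confirm that a PSO linked to a distribution group or a domain local group is being ignored, as the earlier topic warns: the account simply falls back to the Default Domain Policy.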
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
Connect to NYC-DC1.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.
Lab Scenario
Contoso, Ltd. has decided to implement Group Policy to configure security for users and computers in the
organization. The company recently upgraded all the workstations to Windows 7, and all the servers to
Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for
the workstations, servers, and users.
Accounts will be locked out for 30 minutes after five invalid logon attempts.
You will also configure a local policy on the Windows 7 client that enables the local Administrator
account, and prohibits access to the Run menu for Non-Administrators.
Then, you will create a wireless network policy for Windows 7 that creates a profile for the Corp wireless
network. This profile will define 802.1X as the authentication method. This policy will also deny access to a
wireless network named Research.
Finally, you will configure a policy to prevent the Windows Installer service from running on any domain
controller.
The main tasks in this exercise are:
Configure a GPO that prohibits the Windows Installer service on all domain controllers.
2. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains,
expand Contoso.com, and then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, and then expand Account Policies.
5. Edit the Account Policy in the Default Domain Policy with the following values:
Password Policy:
2. Create a new MMC, and then add the Group Policy Object Editor snap-in for the Local Computer.
3. Open Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options,
and then enable the Accounts: Administrator account status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again, and then click Browse.
5. Click the Users tab, select the Non-Administrators group, click OK, and then click Finish.
Restart NYC-CL1.
3. In the New Wireless Network Policy dialog box, click Add, and then click Infrastructure.
4. Create a new profile named Corporate, and then, in the Network Name (SSID) field, type Corp.
5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.
7. Type Research in the Network Name (SSID) field, set the Permission to Deny, and then click OK
twice.
8. Close the Group Policy Management Editor, and then leave the GPMC open.
On NYC-DC1, in the GPMC, edit the Default Domain Controllers Policy to disable the Windows Installer
service: Computer Configuration, Policies, Windows Settings, Security Settings, System Services.
2. Close the Group Policy Management Editor and leave the GPMC open.
Result: After completing this exercise, you will have configured account and security policy settings.
Accounts will be locked out for 30 minutes after three invalid logon attempts.
You will create a fine-grained password policy to enforce these policies for the Domain Admins global
group.
The main tasks are as follows:
On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.
4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next. Provide the
following values:
In ADSI Edit, select CN=Password Settings Container (under CN=System), and then in the details pane,
double-click CN=ITAdmin.
2. In the CN=ITAdmin Properties window, scroll down and then double-click msDS-PSOAppliesTo.
Lesson 3
In a large network environment, one of the challenges of network security is controlling the membership
of built-in groups in the directory and on workstations. Another concern is preventing access to
unauthorized software on workstations.
Objectives
After completing this lesson, you will be able to:
Describe AppLocker.
Configure AppLocker.
Key Points
In some cases, you may want to control the membership of certain groups in a domain to prevent the
addition of other user accounts to those groups, such as the local Administrators group.
You can use the Restricted Groups policy to control group membership. Use the policy to specify which
members are placed in a group. A Restricted Groups entry has two lists: Members, which is authoritative,
and Member Of, which only adds the restricted group to other groups. If you define the Members list and
refresh Group Policy, any current member of the group that is not on that list is removed. This can include
default members such as Domain Admins, so list every principal that must remain.
Although you can control domain groups by assigning Restricted Groups policies to domain controllers,
you should use this setting primarily to configure membership of critical groups such as Enterprise Admins
and Schema Admins. You can also use this setting to control the membership of built-in local groups on
workstations and member servers. For example, you can place the Helpdesk group into the local
Administrators group on all workstations.
You cannot specify local users in a domain GPO. Local users who currently are in the local group that the
policy controls will be removed. The only exception is that the local Administrator account will always
remain in the local Administrators group.
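As an added example (not from the course), this script audits a workstation's local Administrators group against the membership a Restricted Groups policy is meant to enforce, which is the check the lab later in this module performs by hand in Local Users and Groups. It uses the WinNT ADSI provider, which works on Windows 7 and Windows Server 2008 R2 without the newer Get-LocalGroupMember cmdlet. The expected list (the local Administrator, CONTOSO\Domain Admins and CONTOSO\IT) is taken from that lab and is an assumption for any other environment.

```powershell
# Added example: compare actual local Administrators membership with the policy's Members list.
# Run on the client after gpupdate /force. Exit code 1 means the group drifted from policy.
$Expected = @("Administrator", "CONTOSO\Domain Admins", "CONTOSO\IT")   # assumed from the lab

function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        # ADsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://NYC-CL1/Administrator
        $path  = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $parts = ($path -replace "^WinNT://", "") -split "/"
        if ($parts[0] -ieq $env:COMPUTERNAME) { $parts[1] } else { "$($parts[0])\$($parts[1])" }
    }
}

$actual  = @(Get-LocalAdministrators)
$missing = @($Expected | Where-Object { $actual   -notcontains $_ })
$extra   = @($actual   | Where-Object { $Expected -notcontains $_ })

# Anything in $extra survived a policy refresh: either the GPO has not applied yet
# (check gpresult /r) or the member was added after the refresh and goes at the next one.
# Anything in $missing means the Members list in the GPO is wrong or a name did not resolve.
"Actual:  $($actual  -join ', ')"
"Missing: $($missing -join ', ')"
"Extra:   $($extra   -join ', ')"
if ($extra.Count -or $missing.Count) { exit 1 }
```

The local Administrator account always appears in the output even though it cannot be named in the domain GPO, which is why it is part of the expected list rather than flagged as extra.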
Key Points
In this demonstration you will see how to:
Demonstration Steps
Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, and then click
Restricted Groups.
Key Points
A primary security concern for client computers is the set of applications available on each computer. To
do their jobs, users need access to the applications that meet their specific needs. There is the possibility,
however, that unneeded or unwanted applications get installed on the client computers, whether
unintentionally or for malicious or non-business purposes.
Introduced in the Windows XP operating system and the Windows Server 2003 operating system, software
restriction policies (SRPs) allow an administrator to identify and specify which applications are permitted to
run on client computers. SRP settings are configured and deployed to clients by using Group Policy. An
SRP set comprises the following key components.
Rules
Rules govern how SRP responds to an application being run or installed. Rules are the key constructs
within an SRP, and a group of rules together determine how an SRP will respond to applications being
run. Rules can be based on one of the following criteria that apply to the primary executable file for the
application in question.
Hash. A cryptographic hash of the file. The rule stops matching as soon as the file is updated.
Certificate. The code-signing certificate with which the file is signed.
Path. The local or Universal Naming Convention (UNC) path of where the file is stored. A path rule
is only as strong as the permissions on that path: if users can write to the location, they can run
anything from it.
Network zone. The Internet Explorer security zone from which a Windows Installer package was
downloaded.
Security Levels
Each applied SRP rule is assigned a security level that governs the way the operating system reacts when
the application that is defined in the rule is run. The three available security levels are as follows.
Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.
Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.
Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.
Default Security Level
The default security level applies to every application that no rule matches. It has the same three options:
Disallowed. No applications will be allowed to run unless an SRP rule is created that allows each
specific application or set of applications to run.
Basic User. All applications will run under the context of a basic user, regardless of the permissions of
the user who is logged on, unless an SRP rule is created to modify this behavior for a specific
application or set of applications.
Unrestricted. All applications will run as if SRP was not enabled, unless specifically defined by an SRP
rule.
Based on these three components, there are two primary ways to use SRPs:
If an administrator knows all the software that should be allowed to run on clients, the Default
Security Level can be set to Disallowed. All applications that should be allowed to run can be
identified in SRP rules that would apply either the Basic User or Unrestricted security level to each
individual application, depending on the security requirements.
If an administrator does not have a comprehensive list of the software that should be allowed to run
on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be allowed to run can then be identified by using SRP
rules, which would use a security level setting of Disallowed. This blacklist approach is easy to bypass
(rename or copy the file) and should be treated as a stopgap.
Software Restriction Policy settings can be found in Group Policy at the following location: Computer
Configuration\Windows Settings\Security Settings\Software Restriction Policies.
Note: Software Restriction Policies are not enabled by default in Windows Server 2008 R2.
Overview of AppLocker
Key Points
Application Control Policies represent the next evolution of control over the operations of applications
within your domain environment. Application Control Policies are controlled by AppLocker.
AppLocker (introduced in the Windows 7 operating system and Windows Server 2008 R2) provides a
number of enhancements, which improve upon the functionality previously provided by SRP. AppLocker
provides administrators with a variety of methods for quickly and concisely determining the identity of
applications that they may want to restrict or permit access to.
AppLocker is applied through Group Policy to computer objects within an organizational unit. In addition,
individual AppLocker rules can be applied to individual AD DS users or groups.
AppLocker also contains options for monitoring or auditing the application of rules, both as rules are
being enforced and in an audit-only scenario.
AppLocker can help organizations prevent unlicensed or malicious software from executing, and can
selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by
ensuring that workstations are standardized across their enterprise and that users are running only the
software and applications that are approved by the enterprise.
Specifically, the following scenarios provide examples of where AppLocker can be used to provide some
level of application management:
Your organization implements a policy to standardize the applications used within each business
group, so you need to determine the expected usage compared to the actual usage.
The security policy for application usage has changed, and you need to evaluate where and when
those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software, so you need to
determine which applications are not licensed or prevent unauthorized users from running licensed
software.
An application is no longer supported by your organization, so you need to prevent it from being
used by everyone.
A new application or a new version of an application is deployed, and you need to allow certain
groups to use it.
Specific software tools are not allowed within the organization, or only specific users have access to
those tools.
A single user or small group of users needs to use a specific application that is denied for all others.
Some computers in your organization are shared by people who have different software usage needs.
Key Points
When implementing SRPs in previous Windows versions, it was particularly difficult to create policies that
were secure and remained functional after software updates were applied. This was due to the lack of
granularity of certificate rules and the fragility of hash rules, which became invalid whenever an application
binary was updated. To resolve this issue, AppLocker enables you to create a rule that combines a
certificate and a product name, file name, and file version. This simplifies your ability to specify that
anything signed by a particular vendor for a specific product name can run.
Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker
gives you greater flexibility. When creating publisher rules, you can trust the publisher, and also drill down
to the product level, the executable level, and even the version.
For example, with SRP, you can create a rule that effectively reads "Trust all content signed by Microsoft."
With AppLocker, you can further refine the rule to specify: "Trust the Microsoft Office 2007 Suite if it is
signed by Microsoft and the version is 12.0.0.0 or greater."
The AppLocker enhancements over the SRP feature can be summarized as follows:
The ability to define rules based on attributes derived from a file's digital signature, including the
publisher, product name, file name, and file version. SRP supports certificate rules, but they are less
granular and more difficult to define.
A more intuitive enforcement model: once rules exist in a rule collection, only a file that is allowed by
an AppLocker rule is permitted to run.
A new, more accessible user interface that is accessed through a new Microsoft Management Console
(MMC) snap-in extension to the Group Policy Management Console snap-in.
An audit-only enforcement mode that allows administrators to determine which files would be
prevented from running if the policy were enforced.
The following table outlines other key differences between AppLocker and SRPs.
Feature                                        SRP    AppLocker
Rule scope
Rule conditions provided
Rule types provided
Default rule action                                   Implicit deny
Wizard to create multiple rules at one time    No     Yes
Policy import or export                        No     Yes
Rule collection                                No     Yes
Windows PowerShell support                     No     Yes
Custom error messages                          No     Yes
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
Switch to NYC-CL1.
Lab Scenario
The enterprise administrator created a design that includes modifications to additional security areas.
Ensuring that IT staff members have the proper administrative rights on client computers is critical, and
you have been asked to configure the domain environment to allow this.
In addition, you have been asked to ensure that a widely used application in the environment that has
recently been replaced by a new software suite is no longer used at Contoso, Ltd.
On NYC-DC1, open the GPMC, browse to the Group Policy Objects folder, and then edit the
Default Domain Policy.
Contoso\IT
Contoso\Domain Admins
Start the 6419B-NYC-CL1 VM. If the VM is already started, shut down and restart NYC-CL1.
3. Open the Edit local users and groups window using the Start Menu Search dialog.
4. Confirm that the Administrators group contains both CONTOSO\Domain Admins and
CONTOSO\IT as members.
5. Close the local users and groups window and log off NYC-CL1.
Results: After completing this exercise, you configured and tested restricted groups by using Group
Policy.
On NYC-DC1, in the Group Policy Management console, create a new GPO named Wordpad
Restriction Policy.
2. Under Computer Configuration, Policies, Windows Settings, Security Settings, Application Control
Policies, AppLocker, Executable Rules, create a new executable publisher rule for
C:\Program Files\Windows NT\Accessories\wordpad.exe that denies Everyone the right to run any
version of wordpad.exe.
Link the Wordpad Restriction Policy GPO to the Contoso.com domain container.
Restart and then log on to NYC-CL1 as Contoso\Alan with the password, Pa$$w0rd.
2. Refresh Group Policy by running gpupdate /force from the command prompt. AppLocker rules are
enforced only while the Application Identity service (AppIDSvc) is running on the client.
Results: After completing this exercise, you will have restricted an application by using AppLocker.
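As an added example (not part of the course), the following script builds the publisher deny rule from this exercise with the AppLocker module that ships in Windows 7 and Windows Server 2008 R2, and tests it offline before it touches any GPO. It covers the publisher-rule discussion in the earlier "AppLocker" key points as well as this lab. The wordpad.exe path, the Everyone target and the GPO name come from the lab; the LDAP path in the final, commented-out line is an assumption that you must replace with your own GPO's distinguished name (shown on the GPO's Details tab in the GPMC).

```powershell
# Added example: create, dry-run and (optionally) deploy a publisher Deny rule for WordPad.
# Requires the AppLocker module; clients enforce only while the Application Identity service runs.
Import-Module AppLocker

$exe = "C:\Program Files\Windows NT\Accessories\wordpad.exe"

# Read the signature attributes that a publisher rule can match on.
$info = Get-AppLockerFileInformation -Path $exe
$pub  = $info.Publisher
$pub | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# New-AppLockerPolicy only emits Allow rules, so the Deny rule is written as policy XML.
# BinaryVersionRange */* means any version; S-1-1-0 is Everyone. EnforcementMode AuditOnly
# logs what would be blocked (event 8003, Applications and Services Logs\Microsoft\Windows\
# AppLocker\EXE and DLL) without stopping anything; change it to Enabled after reviewing the log.
$esc = [System.Security.SecurityElement]
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny WordPad (any version)"
        Description="Replaced application (lab)" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($esc::Escape($pub.PublisherName))"
            ProductName="$($esc::Escape($pub.ProductName))" BinaryName="$($esc::Escape($pub.BinaryName))">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP "WordpadRestrictionPolicy.xml"
$xml | Set-Content -Path $policyFile -Encoding UTF8

# Dry run. Expected: wordpad.exe -> Denied (MatchingRule = our rule); notepad.exe -> DeniedByDefault,
# because once any rule exists in the Exe collection everything not explicitly allowed is blocked.
# That is why the rule must be merged into a GPO that still carries the default Allow rules.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exe, "$env:windir\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy by merging (never -Merge:$false here, that would replace the default rules).
# LDAP path is an assumption; take the real one from the GPO's Details tab.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
#     -Ldap "LDAP://NYC-DC1.Contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=Contoso,DC=com"
```

Because the rule keys on the publisher, product and binary name rather than on a hash or a path, it keeps matching after wordpad.exe is patched, and it is not defeated by copying the binary somewhere else, which is exactly the weakness of the SRP hash and path rules described in the previous lesson.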
Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1.
You want to place an application control policy on a new type of executable file. What must you do
before you can create a rule for this executable code?
2.
What setting must you configure to ensure that users are only allowed 3 invalid logon attempts?
3.
You want to provide consistent security settings for all client computers in the organization. The
computer accounts are scattered across multiple OUs. What is the best way to provide this?
Module 12
Providing Efficient Network Access for Remote Offices
Module Overview
Remote offices have a unique set of challenges for network infrastructure. Many remote offices connect to
the head office over wide area network (WAN) links that are slow and subject to high latency. Slow
connectivity between the remote office and the enterprise network affects network logons and access to
files. To provide fast and secure logons at remote offices, you can place a read only domain controller
(RODC) at the remote office. You can use BranchCache to speed up access to data across the WAN and
reduce WAN utilization.
After completing this module, you will be able to:
Implement BranchCache
Lesson 1
Remote offices have unique management challenges. A remote office typically has slow connectivity to
the enterprise network and limited infrastructure for securing servers. Therefore, the challenge lies in
being able to provide efficient access to network resources for users in remote offices.
After this lesson, you will be able to:
Discuss the common challenges in providing efficient remote office access to network resources.
Key Points
Usually, a head office is the central communication hub for remote offices. Most remote offices have fewer
users than the head office. Each remote office also has slow connectivity to the head office.
For example, a chain of retail stores has a head office with many employees and fast internal network
connectivity. The branch offices are remotely located with very few employees in each location and slow
connectivity to the data in the head office.
Question: Why are network connections between remote offices and the head office slow and unreliable?
Question: How does slow and unreliable network connectivity affect the users in remote offices?
Question: How does management of computers systems in remote offices compare with the
management of computer systems in the head office?
Question: How does system security in remote offices compare with system security in the head office?
Key Points
You can meet the challenge of slow and less reliable connectivity of the remote offices by using the
following two features:
Read-only domain controllers (RODCs), available from Windows Server 2008
BranchCache, available from Windows Server 2008 R2 and Windows 7
BranchCache
Accessing the files in the head office can be very slow for users in the remote offices. BranchCache helps
speed up access to files by caching them on a local computer or on a server in the remote office. If a file
has not been modified in the head office and is accessed from the remote office, the cached copy of the
file in the remote office is opened rather than the copy of the file from the head office.
In addition to providing faster file access, BranchCache decreases the overall WAN utilization because only
new and modified files are copied over the WAN. This keeps the WAN free for other activities.
Lesson 2
An RODC helps meet the security and management challenges of remote offices. Therefore, you need to
understand the features of RODCs, how to deploy them, and how to configure them. Configuring an
RODC includes configuring password replication policies and performing local administration tasks on the
RODC.
After completing this lesson, you will be able to:
Key Points
An RODC has a read-only copy of an Active Directory domain, which contains all of the objects in the
domain, but not all of their attributes. Secrets such as account passwords are not replicated to an RODC
(except as permitted by its Password Replication Policy) because an RODC is placed in a location that is
considered less secure. You can prevent additional attributes from being replicated to RODCs by adding
them to the RODC filtered attribute set in the schema; such attributes should also be marked confidential
so that they are hidden from ordinary readers.
You cannot make changes to the domain database on an RODC because the Active Directory database on
the RODC is read-only. All requests for changes are forwarded to a writable domain controller. Because no
changes are performed on the RODC, replication of Active Directory changes is one way, from writable
domain controllers to the RODC.
Credential Caching
User and computer credentials are not cached on an RODC by default. To use an RODC to enhance user
logon, you need to configure a Password Replication Policy (PRP) that defines which user credentials can
be cached. Limiting the credentials cached on the RODC reduces the security risk. If the RODC is stolen,
only the passwords of the cached user and computer accounts need to be reset.
If an account's credentials are not cached on an RODC, a writable domain controller must be contacted
during the authentication process. Typically, only the credentials of the users and computers located at
that remote office are cached on its RODC.
Permissions to administer an RODC are granted by placing a user account in the local Administrators
role on the RODC. This gives the administrator of a remote office permission to manage only that RODC,
which may also be configured to provide other services such as file shares and printing, without granting
any rights on writable domain controllers.
Read-Only DNS
Domain Name System (DNS) is a critical resource for a Windows network. If an RODC is configured as a
DNS server, DNS zones can be replicated through Active Directory Domain Services to the RODC. DNS on
the RODC is read-only. DNS update requests are referred to a writable copy of DNS.
Key Points
To deploy an RODC, ensure that the following activities are performed:
Ensure that the forest functional level is Windows Server 2003 or later: all domain controllers must
be Windows Server 2003 or later, and each domain in the forest must be at the domain functional
level of Windows Server 2003 or later.
Run ADPrep /RODCPrep. This configures permissions on the DNS application directory partitions to
allow them to be replicated to RODCs. This is required only if the Active Directory forest was created
with pre-Windows Server 2008 domain controllers and later upgraded; a forest created with Windows
Server 2008 already has these permissions.
Ensure that there is a writable Windows Server 2008 domain controller. An RODC replicates the
domain partition only from Windows Server 2008 (or later) domain controllers. Therefore, each domain
with RODCs must have at least one writable Windows Server 2008 domain controller. The Schema and
Configuration partitions can be replicated from Windows Server 2003.
Consider replication patterns. Each remote office with an RODC should have direct connectivity to a
site with a Windows Server 2008 domain controller. This minimizes the replication traffic over the
WAN.
RODC Installation
Like a writable domain controller, an RODC can be installed by using an attended or an unattended
installation. If you perform an attended installation by using the graphical interface, you select the RODC
as one of the additional domain controller options.
You can also delegate the RODC installation to the administrator in the remote office by using a staged
installation. In a staged installation, you need to perform the following steps:
1.
Ensure that the server to be configured as the RODC is not a member of the domain.
2.
A domain administrator uses Active Directory Users and Computers to precreate the RODC account in
the Domain Controllers organizational unit. The wizard for performing this process prompts for the
necessary information, including the users or groups that are allowed to join the RODC to the
domain.
3.
The administrator in the remote office runs dcpromo /UseExistingAccount:Attach and follows the
wizard to join the domain as the precreated RODC account.
Note: You can also perform a staged installation by using dcpromo with command-line options or an
unattended installation file.
Key Points
A Password Replication Policy (PRP) determines which user and computer credentials can be cached on a
specific RODC. If the PRP allows an RODC to cache an account's credentials, authentication and service
ticket activities of that account can be processed by the RODC. If an account's credentials cannot be
cached on the RODC, authentication and service ticket activities are referred by the RODC to a writable
domain controller.
The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific
accounts or groups. An account must be on the Allowed List for credentials to be cached. The Denied List
always wins: if a group is on the Allowed List and a member of that group is on the Denied List (directly
or through another group), caching is not allowed for that member.
There are two domain local groups that can be used to globally allow or deny caching on all RODCs in a
domain:
Allowed RODC Password Replication Group is added to the Allowed List of all RODCs. This group has
no members by default.
Denied RODC Password Replication Group is added to the Denied List of all RODCs. By default,
Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, Cert Publishers,
Domain Controllers, Read-only Domain Controllers and the krbtgt account are members of this group.
You can configure the Allowed List and Denied List for each RODC. By default, the Allowed List contains
only the Allowed RODC Password Replication Group, and the Denied List contains the Denied RODC
Password Replication Group together with the built-in Administrators, Server Operators, Backup
Operators, and Account Operators groups.
In most cases, you want to add accounts separately to each RODC rather than globally allowing password
caching. This allows you to limit the number of credentials cached to only those accounts commonly at
that location. Domain administrative accounts should never be cached on RODCs in remote offices.
Computer accounts should be cached to speed up authentication of computer accounts during system
startup.
Key Points
The PRP for an RODC is configured in the properties of the RODC computer account. In this
demonstration, you will see how to configure the PRP for an RODC.
Demonstration Steps
View the Password Replication Policy tab in the Properties of the RODC computer account.
View the Membership tab of the Allowed RODC Password Replication Group.
View the Membership tab of the Denied RODC Password Replication Group.
Key Points
After a PRP has been configured for an RODC, it is useful to see what activity the RODC has been
performing for accounts. You can view a list of accounts with passwords stored on the RODC. If the RODC
security is compromised, you can use this list of accounts to determine which passwords should be reset.
You can also display a list of accounts that have been authenticated by using the RODC. This list has
accounts that do not have a password stored on the RODC, but authentication was initiated on the RODC.
You can use this list to determine which accounts are authenticating locally and identify which accounts
should have credentials cached.
Finally, you can prepopulate passwords for accounts in the cached credentials. This ensures that
authentication is performed locally the next time the account is used rather than being referred to a
writable domain controller and then cached.
In this demonstration, you will see how to:
Demonstration Steps
View the Password Replication Policy tab in the Properties of the RODC computer account.
3. Click the Advanced button and view the Policy Usage tab.
4. Use the list box to display Accounts whose passwords are stored on this Read-only Domain
Controller.
5. Use the list box to display Accounts that have been authenticated to this Read-only Domain
Controller.
6. Click Prepopulate Password and add Adam Carter. This will fail because the RODC is not online in
this demonstration; prepopulation contacts the RODC directly.
Note: You require the 6419B-NYC-DC1 virtual machine to complete this demonstration. Log on to the
virtual machine as Contoso\Administrator, with the password, Pa$$w0rd.
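As an added example (not part of the course), the following script performs the PRP tasks of the last three topics with the Active Directory module instead of the Password Replication Policy and Policy Usage tabs: inspect the lists, allow a branch group, prepopulate passwords, review policy usage, and reset the passwords that a stolen RODC would expose. NYC-SVR1, NYC-DC1 and the Remote Office Users group are the names used in this module's lab; the reset routine and its random-password approach are our own choices.

```powershell
# Added example: RODC password replication policy from PowerShell (Windows Server 2008 R2 AD module).
Import-Module ActiveDirectory
$rodc = "NYC-SVR1"     # lab RODC
$hub  = "NYC-DC1"      # writable DC to pull secrets from

# 1. Current Allowed and Denied lists for this RODC (what the PRP tab shows).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 2. Allow caching for the branch group. Denied always wins, so a Domain Admin who is also
#    in this group is still never cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Remote Office Users"

# 3. Prepopulate, so the first logon at the branch is served locally even if the WAN is down.
#    Works for computer accounts too (NYC-CL1 is in the group). Fails, as in the demonstration,
#    if the RODC cannot be reached.
Get-ADGroupMember "Remote Office Users" | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $hub -Destination $rodc -PasswordOnly
}

# 4. Policy usage: who is actually cached (Revealed), and who authenticated through this RODC
#    without being cached (candidates for the Allowed list, or for the Denied list).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 5. Compromise response: the revealed list is the reset list. User accounts get a random
#    password and must change it at next logon; computer accounts are listed for re-join or
#    Reset-ComputerMachinePassword on the machine itself.
function Reset-RevealedPasswords ([string]$Rodc, [switch]$WhatIf) {
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($acct in $revealed) {
        if ($acct.ObjectClass -ne "user") { "Computer account needs re-join: $($acct.Name)"; continue }
        $new = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
        Set-ADAccountPassword -Identity $acct -Reset -NewPassword $new -WhatIf:$WhatIf
        Set-ADUser -Identity $acct -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    }
}
Reset-RevealedPasswords -Rodc $rodc -WhatIf   # drop -WhatIf to actually reset
```

Run step 4 periodically rather than only after an incident: an administrative account showing up under revealed accounts means the Denied list has a gap.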
Key Points
The management of RODCs is separated from that of other domain controllers. Therefore, you can
delegate administration of RODCs to local administrators in remote offices without giving those
administrators access to writable domain controllers.
You can delegate administration of an RODC in the properties of the RODC computer account on the
Managed By tab. You should prefer this method because the delegation is stored in the directory (the
managedBy attribute) and can be managed centrally.
Only a single security principal can be specified on the Managed By tab of an RODC computer account.
Specify a group so that you can delegate management permissions to multiple users by making them
members of the group.
You can also delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles option.
These commands must be run on the RODC itself; the roles they modify are local to that RODC.
C:\>dsmgmt
dsmgmt: local roles
local roles: add CONTOSO\adam administrators
local roles: show role administrators
local roles: quit
dsmgmt: quit
You should cache the passwords of delegated administrators on the RODC to ensure that system
maintenance can be performed when a writable domain controller is unavailable.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
5. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
2.
3.
2.
In the properties of Contoso.com, verify that the forest functional level is at least Windows Server
2003.
3.
On NYC-SVR1, open Server Manager and verify whether the computer is a member of a domain.
4.
Use the Change System Properties option to place NYC-SVR1 in a workgroup named TEMPORARY.
5.
Restart NYC-SVR1.
3. At the Domain Controllers OU, precreate a read-only domain controller account by using default settings, except for the following:
4. View the DC Type for the NYC-SVR1 computer account in the Domain Controllers OU.
3. Complete the Active Directory Domain Services Installation Wizard by using default options except those listed below:
Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.
2. In the Users container, view the membership of the Allowed RODC Password Replication Group and verify that there are no current members.
3. Add the DNSAdmins group to the Denied RODC Password Replication Group.
5. On the Password Replication Policy tab, verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed.
Task 2: Create a group to manage password replication to the remote office RODC
1. On NYC-DC1, in Active Directory Users and Computers, in the Research OU, create a new group named Remote Office Users.
2. Add Alan, Alexander, Dylan, Max, and NYC-CL1 to the membership of Remote Office Users.
Task 3: Configure password replication policy for the remote office RODC
1. On NYC-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then open the properties of NYC-SVR1.
2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to NYC-SVR1.
1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of NYC-SVR1.
3. On the Resultant Policy tab, add Alexander and confirm that Alexander's password can be cached.
1. Attempt to log on to NYC-SVR1 as Alexander. This logon will fail because Alexander does not have permission to log on to the RODC, but authentication is performed.
2. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of NYC-SVR1.
4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Alexander's password has been cached.
1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click NYC-SVR1 and click Properties.
3. On the Policy Usage tab, prepopulate the passwords for Alan and NYC-CL1.
4. Read the list of cached passwords and confirm that Alan and NYC-CL1 have been added.
3. In Network and Sharing Center, open the properties of Local Area Connection 3, and add an Alternate DNS server of 10.10.0.11 in the properties of TCP/IPv4.
Results: In this exercise, you configured and tested password replication for an RODC.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Lesson 3
Implementing BranchCache
BranchCache is a new feature in Windows Server 2008 R2 and Windows 7 that reduces WAN link
utilization for remote offices. In some cases, it can also improve application performance for remote office
users that access data in the head office. Remote office client computers use a data cache in the remote
office to reduce traffic over a WAN link. If you configure client computers to use the Distributed Cache
mode, the cached content is distributed across client computers. If you configure client computers to use
the Hosted Cache mode, the cached content is maintained on a server computer on the remote office
network. You can customize BranchCache settings and perform additional configuration tasks after
configuring BranchCache. You can also monitor BranchCache events, work, and performance and query
BranchCache infrastructure to verify the configuration of servers and usage of cache.
After completing this lesson, you will be able to:
Describe BranchCache.
Configure BranchCache.
Overview of BranchCache
Key Points
One of the challenges that remote offices face is improving the performance of intranet resources that are
accessed from head offices or regional data centers. Typically, branch offices are connected by WANs,
which usually have slower data rates than the intranet. Reducing the network utilization on the WAN
connection provides more bandwidth for other applications and services.
The BranchCache feature in Windows Server 2008 R2 and Windows 7 reduces the network utilization on
WAN connections between branch offices and headquarters by locally caching frequently used files on
computers in the branch office. BranchCache improves the performance of applications that use one of
the following protocols:
HTTP or HTTPS. The protocols used by web browsers and other applications.
SMB, including signed SMB traffic. The protocol used for accessing shared folders.
BITS. Background Intelligent Transfer Service (BITS) is a Windows component that distributes content
from a server to clients by using only idle network bandwidth.
Note: BranchCache can only be utilized for SMB 2.
BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a
passive cache, it will not increase the WAN utilization. BranchCache only caches the read requests and will
not interfere when a user saves a file.
BranchCache improves the responsiveness of common network applications that access intranet servers
across slow WAN links. Because BranchCache does not require any additional infrastructure, you can
improve the performance of remote networks by deploying Windows 7 to client computers and Windows
Server 2008 R2 to server computers, and by enabling the BranchCache feature.
BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end IP Security (IPSec). You can use BranchCache to reduce the network
bandwidth utilization and improve application performance even if the content is encrypted.
Key Points
You can configure BranchCache to use the Hosted Cache mode or the Distributed Cache mode.
Hosted Cache. The Hosted Cache mode operates by deploying a computer that is running Windows
Server 2008 R2 as a host in the branch office. Client computers are configured with the fully qualified
domain name (FQDN) of the host computer so that they can retrieve content from the Hosted Cache
when available. If the content is not available in the Hosted Cache, the content is retrieved from the
content server by using a WAN link and then provided to the Hosted Cache so that the subsequent
client requests can get it from there.
Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote
offices. In this mode, local Windows 7 clients keep a copy of the content and make it available to
other authorized clients that request the same data. This eliminates the need to have a server in the
branch office. However, unlike the Hosted Cache mode, this configuration works across a single
subnet only. In addition, clients that hibernate or disconnect from the network will not be able to
provide content to other requesting clients.
When BranchCache is enabled on the client computer and the server computer, the client computer
performs the following process to retrieve data by using the HTTP, HTTPS, or SMB protocol:
1. The client computer running Windows 7 connects to a content server computer running Windows Server 2008 R2 in the head office and requests content similar to the way it would retrieve content without using BranchCache.
2. The content server computer in the head office authenticates the user and verifies that the user is authorized to access the data.
3. The content server computer in the head office returns identifiers or hashes of the requested content to the client computer instead of sending the content itself. The content server computer sends that data over the same connection that the content would have normally been sent.
4. If configured to use Distributed Cache, the client computer multicasts on the local network to find other client computers that have already downloaded the content. If configured to use Hosted Cache, the client computer searches for content availability on the Hosted Cache.
5. If the content is available in the remote office, either on one or more clients or on the Hosted Cache, the client computer retrieves the data from within the remote office and ensures that the data is updated and has not been tampered with or corrupted.
6. If the content is not available in the remote office, the client computer retrieves the content directly from the server computer at the data center. The client computer then either makes it available on the local network to other requesting client computers or sends it to the Hosted Cache, where it is made available to other client computers.
Question: Can you use BranchCache if both servers in the remote office are running Windows Server
2008 when you have deployed Windows 7 to all remote office client computers?
BranchCache Requirements
Key Points
BranchCache optimizes traffic flow between head office and remote offices, and only Windows Server
2008 R2 servers and Windows 7 clients can benefit from it. The earlier versions of Windows operating
systems will not benefit from this feature. You can cache only the content stored on Windows Server 2008
R2 file servers or web servers by using BranchCache.
You must install the BranchCache feature or the BranchCache for Network Files role service on the
Windows Server 2008 R2 server that is hosting the data.
You must configure clients either by using Group Policy or the netsh command.
If you want to use BranchCache for caching content from the web server, you must install the BranchCache feature on the web server. Additional configuration is not needed. If you want to use BranchCache to cache content from the file server, you must install the BranchCache for Network Files role service on the file server, configure hash publication for BranchCache, and create BranchCache-enabled file shares.
BranchCache is supported on Full Installation of Windows Server 2008 R2 and on Server Core.
In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to
retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital
certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode,
content servers in the head office must run Windows Server 2008 R2. Hosted Cache in the branch must
run Windows Server 2008 R2 and the client in the branch must run Windows 7. You must configure a
firewall to allow incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache
uses the HTTP protocol for data transfer between client computers.
Question: You have a mixed computer environment that includes Windows Vista SP2 and Windows 7
client computers and Windows Server 2003 SP2, Windows Server 2008 SP2, and Windows Server 2008 R2
servers. Your computers are also located in multiple sites. Can you use the BranchCache feature in this
scenario?
Key Points
You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS, and to cache
shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on
Windows Server 2008 R2.
The following table lists the servers that you can configure for BranchCache.
Server: File server
Description: The BranchCache for Network Files role service of the File Services server role needs to be installed before you can enable BranchCache for any file shares. After you install the BranchCache for Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you need to configure each individual file share to enable BranchCache. You also need to configure clients who will use the BranchCache feature.
Server: Hosted Cache server
Description: For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2008 R2 server that you are configuring as a Hosted Cache server. To secure communication, client computers use transport layer security (TLS) when communicating with the Hosted Cache server. To support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh command.
Question: How can you enable BranchCache support on a Windows Server 2008 R2 content server?
Key Points
You do not need to install the BranchCache feature in Windows 7 because BranchCache is already
included in Windows 7. However, BranchCache is disabled by default on client computers. To enable and
configure BranchCache, you need to perform the following steps:
1. Enable BranchCache.
Enabling BranchCache
If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache
feature, the BranchCache feature will still be disabled on the client computers. However, you can enable
the BranchCache feature on a client computer without enabling the Distributed Cache mode or the
Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not
attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server.
Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching
mode.
3. Turn on BranchCache and set either the Distributed Cache or Hosted Cache mode.
To configure BranchCache settings by using the netsh command, perform the following steps:
In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but they do not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to allow the inbound rule BranchCache - Content Retrieval (Uses HTTP).
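The client-side netsh configuration this topic describes, as an added PowerShell example (it is not course material): it sets the cache mode and then enables only the inbound firewall rule groups that mode actually needs, so a Hosted Cache client never listens for WS-Discovery peers. The rule group names are the ones the lesson cites; the `netsh branchcache set cachesize` syntax is assumed from the netsh help text, and the script must run from an elevated prompt.

```powershell
# Added example, not part of the 6419B course: configure a Windows 7 client's
# BranchCache mode with netsh and open only the inbound firewall rule groups
# that mode needs (Distributed Cache = HTTP + WS-Discovery; Hosted Cache =
# HTTP only; Local = neither). Run from an elevated prompt.

$HttpRule = 'BranchCache - Content Retrieval (Uses HTTP)'
$WsdRule  = 'BranchCache - Peer Discovery (Uses WSD)'

function Invoke-Netsh {
    # Runs one netsh command line and fails loudly instead of silently.
    param([string[]]$Arguments)
    $output = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $output"
    }
    return $output
}

function Set-FirewallRuleGroup {
    param([string]$GroupName, [bool]$Enabled)
    $state = 'no'
    if ($Enabled) { $state = 'yes' }
    Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule',
                   "group=$GroupName", 'new', "enable=$state") | Out-Null
}

function Set-BranchCacheClient {
    param(
        [ValidateSet('local', 'distributed', 'hostedclient', 'disabled')]
        [string]$Mode,
        [string]$HostedCacheFqdn,      # required for hostedclient
        [int]$CachePercent = 5         # the default the lesson quotes
    )
    $serviceArgs = @('branchcache', 'set', 'service', "mode=$Mode")
    if ($Mode -eq 'hostedclient') {
        if (-not $HostedCacheFqdn) { throw 'hostedclient mode needs -HostedCacheFqdn' }
        $serviceArgs += "location=$HostedCacheFqdn"
    }
    Invoke-Netsh $serviceArgs | Out-Null

    if ($Mode -ne 'disabled') {
        # Assumed syntax (netsh help): size as a percentage of the active partition.
        Invoke-Netsh @('branchcache', 'set', 'cachesize',
                       "size=$CachePercent", 'percent=TRUE') | Out-Null
    }

    # Least exposure: peer discovery is only listened for in Distributed Cache mode.
    Set-FirewallRuleGroup $HttpRule ($Mode -eq 'distributed' -or $Mode -eq 'hostedclient')
    Set-FirewallRuleGroup $WsdRule  ($Mode -eq 'distributed')

    # Same verification the lab uses.
    return Invoke-Netsh @('branchcache', 'show', 'status', 'all')
}

# Lab topology: NYC-SVR1.contoso.com is the Hosted Cache server.
# Set-BranchCacheClient -Mode distributed
# Set-BranchCacheClient -Mode hostedclient -HostedCacheFqdn 'NYC-SVR1.contoso.com'
```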
Question: How can you configure a Windows 7 client computer to benefit from BranchCache?
Key Points
In this demonstration, you will see how to:
Demonstration Steps:
To configure a file share for BranchCache:
1. Use Server Manager to install the BranchCache for Network Files role service.
3. In the Properties of a file share, in the Offline Settings, select the Enable BranchCache check box.
Note: If you use Group Policy Management to edit a GPO, the settings for BranchCache will be
prefaced with Policies.
Question: Clients in the remote office and file servers in the head office are configured for BranchCache. Will the branch office client benefit from BranchCache when accessing a file in the head office for the first time?
BranchCache Monitoring
Key Points
After the initial configuration, you may want to verify that BranchCache is configured correctly and
functioning properly. You can use the netsh branchcache show status all command to display the
BranchCache service status. On client and Hosted Cache servers, additional information such as the
location of the local cache, the size of the local cache, and the status of the firewall rules for HTTP and
WS-Discovery protocols that BranchCache uses is shown.
You can also use the following tools to monitor BranchCache:
Event Viewer. You can monitor BranchCache events in Event Viewer. BranchCache has two types of
event logs, operational and audit. The operational log appears in the Event Viewer at Applications
and Services Logs\Microsoft\Windows\PeerDist\Operational, and you can view the audit log events in
the Security log.
Performance counters. You can monitor BranchCache work and performance by using the
BranchCache performance monitor counters. BranchCache performance monitor counters are useful
debugging tools for monitoring BranchCache effectiveness and health. You can also use BranchCache
performance monitor for determining the bandwidth savings in the Distributed Cache mode or in the
Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 implemented in the
environment, you can use BranchCache Management Pack for System Center Operations Manager
2007.
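The monitoring sources named above, read with PowerShell in an added example that is not course material: it turns the retrieval counters into a bandwidth-saving percentage and pulls the latest warnings and errors from the PeerDist operational log. The counter set name BranchCache and the service name PeerDistSvc are assumed from Windows, not stated on the page.

```powershell
# Added example, not part of the 6419B course: BranchCache health and savings
# from the counters and event log the lesson names. Assumes the counter set is
# "BranchCache" and the service is PeerDistSvc. Works with PowerShell 2.0 on
# Windows 7 / Windows Server 2008 R2.

function Get-BranchCacheSavings {
    # Bytes served from cache (local, peer or hosted) versus bytes that had to
    # cross the WAN from the content server, and the saving as a percentage.
    $paths = @('\BranchCache\Retrieval: Bytes from Server',
               '\BranchCache\Retrieval: Bytes from Cache',
               '\BranchCache\Retrieval: Bytes Served')
    $samples = (Get-Counter -Counter $paths -ErrorAction Stop).CounterSamples
    $fromServer = 0; $fromCache = 0; $served = 0
    foreach ($s in $samples) {
        # Paths come back as \\COMPUTER\branchcache\retrieval: bytes from server
        switch -Wildcard ($s.Path) {
            '*bytes from server*' { $fromServer = $s.CookedValue }
            '*bytes from cache*'  { $fromCache  = $s.CookedValue }
            '*bytes served*'      { $served     = $s.CookedValue }
        }
    }
    $total = $fromServer + $fromCache
    $savingPct = 0
    if ($total -gt 0) { $savingPct = [math]::Round(100 * $fromCache / $total, 1) }
    New-Object PSObject -Property @{
        BytesFromServer = $fromServer   # WAN traffic that was paid for
        BytesFromCache  = $fromCache    # WAN traffic that was avoided
        BytesServed     = $served       # data this host handed to peers / the hosted cache
        SavingPercent   = $savingPct
    }
}

function Get-BranchCacheHealth {
    # Service state plus the latest critical/error/warning events from
    # Applications and Services Logs\Microsoft\Windows\PeerDist\Operational.
    param([int]$MaxEvents = 20)
    $svc = Get-Service -Name PeerDistSvc -ErrorAction Stop
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PeerDist/Operational'
        Level   = 1, 2, 3
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ServiceStatus = $svc.Status
        Problems      = @($events | Select-Object TimeCreated, Id, Message)
    }
}

# Get-BranchCacheSavings | Format-List
# (Get-BranchCacheHealth).Problems | Format-Table -AutoSize
```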
Question: Which tool should you use for monitoring BranchCache performance and bandwidth savings?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
1. On NYC-DC1, use Server Manager to add the BranchCache for Network Files role service.
4. Leave the Local Group Policy Editor console open for the next task.
2. In the Group Policy Management console, create a new GPO named BranchCache that is linked to Contoso.com.
5. To configure the clients to use BranchCache in distributed mode, enable the Set BranchCache Distributed Cache mode setting.
6. To force the client to use BranchCache for all file transfers, enable the Configure BranchCache for network files setting and set it to 0 milliseconds. This setting is required to simulate access from a remote office and is not typically required.
7. Leave the Group Policy Management Editor open for the next task.
2. Create a new predefined inbound rule for BranchCache - Content Retrieval (Uses HTTP).
3. Create a new predefined inbound rule for BranchCache - Peer Discovery (Uses WSD).
1. Start 6419B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
3. To force updating of Group Policy objects, type the following code and then press ENTER.
gpupdate /force
4. To verify that BranchCache is enabled and properly configured, type the following code and then press ENTER.
5. Restart NYC-CL1. After the computer restarts, log on as Contoso\Administrator with the password of Pa$$w0rd.
6. Open the Performance administrative tool and remove all existing counters from Performance Monitor.
10. Start 6419B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
gpupdate /force
12. To verify that BranchCache is enabled and properly configured, type the following code and then
press ENTER.
netsh branchcache show status all
13. Restart NYC-CL2. After the computer restarts, log on as Contoso\Administrator with the password
of Pa$$w0rd.
14. Open the Performance administrative tool and remove all existing counters from Performance
Monitor.
15. Add all of the BranchCache counters to Performance Monitor.
16. Change Performance Monitor to Report view.
3. Review the performance statistics on Performance Monitor. Notice that the file is downloaded from the server.
4. To verify that there is now content in the cache, type the following code and press ENTER.
7. Review the performance statistics on Performance Monitor. Notice that the file is downloaded from cache.
8. To view the BranchCache statistics, type the following code and then press ENTER.
Results: In this exercise, you configured BranchCache in the Distributed Cache mode and verified that it
is functional.
4. Modify the Set BranchCache Distributed Cache mode setting to Not Configured.
5. Enable the Set BranchCache Hosted Cache mode setting and configure NYC-SVR1.contoso.com as the hosted cache.
6. On NYC-CL1, open a command prompt, type the following code, and then press ENTER.
gpupdate /force
7. To verify the configuration, type the following code, and then press ENTER.
8. On NYC-CL2, open a command prompt, type the following code, and then press ENTER.
gpupdate /force
9. To verify the configuration, type the following code, and then press ENTER.
1. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.
1. On NYC-SVR1, open a blank Microsoft Management Console and add the Certificates snap-in for the Computer Account.
2. At the Personal node in the Certificates snap-in, request a new Computer certificate.
3. In the Personal node of the Certificates snap-in, open the new certificate.
4. On the Details tab, identify the Thumbprint and copy the value to the clipboard.
6. Type the following code and then press ENTER. You can paste the certificate hash value from the certificate, but you must remove the spaces.
7. To verify the configuration, type the following code, and then press ENTER.
3. Move the computer account for NYC-SVR1 into the BranchCacheHost OU.
To enable NYC-SVR1 as a BranchCache Hosted Cache server, open a command prompt, type the following code, and then press ENTER.
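The Hosted Cache server setup from the certificate task and this step, as an added PowerShell example that is not course material: before binding the certificate it checks the properties the lesson requires of it (private key, validity, Server Authentication usage, a name matching the FQDN clients are configured with, and a chain the host can verify), then runs the netsh commands. The appid GUID is BranchCache's fixed application id for the HTTP.SYS binding and `clientauthentication=domain` is the Windows Server 2008 R2 netsh syntax; both are assumed from Windows, not taken from the page. Run elevated on the Hosted Cache server (NYC-SVR1 in the lab).

```powershell
# Added example, not part of the 6419B course: validate the Hosted Cache
# certificate, then bind it and switch the server to hosted cache mode.

function Test-HostedCacheCertificate {
    # Returns a list of problems; an empty list means the certificate is usable.
    param([string]$Thumbprint, [string]$ServerFqdn)
    $problems = @()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { return @("no certificate with thumbprint $Thumbprint in LocalMachine\My") }

    if (-not $cert.HasPrivateKey)        { $problems += 'private key not present' }
    if ($cert.NotAfter  -lt (Get-Date))  { $problems += "expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date))  { $problems += 'not yet valid' }

    # Suitable for server authentication: EKU 1.3.6.1.5.5.7.3.1 must be present.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($ekuExt) {
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true }
        }
    }
    if (-not $serverAuth) { $problems += 'no Server Authentication EKU' }

    # Clients are configured with the FQDN, so the certificate must carry it
    # (GetNameInfo prefers the SAN DNS name and falls back to the subject CN).
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    if ($dnsName -ne $ServerFqdn) {
        $problems += "certificate name '$dnsName' does not match $ServerFqdn"
    }

    # Trusted by clients: the chain must build to a CA they trust. Verifying it
    # here catches an untrusted issuer before any client ever connects.
    if (-not $cert.Verify()) { $problems += 'certificate chain does not validate on this host' }
    return $problems
}

function Enable-HostedCacheServer {
    param([string]$Thumbprint, [string]$ServerFqdn)
    # Thumbprints copied from the Details tab contain spaces; netsh wants none.
    $hash = $Thumbprint -replace '\s', ''
    $problems = @(Test-HostedCacheCertificate -Thumbprint $hash -ServerFqdn $ServerFqdn)
    if ($problems.Count -gt 0) { throw ('Certificate not usable: ' + ($problems -join '; ')) }

    # Bind the certificate to the HTTPS listener the Hosted Cache uses.
    & netsh.exe http add sslcert ipport=0.0.0.0:443 "certhash=$hash" 'appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
    if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

    # Hosted cache mode; clients must authenticate with domain credentials.
    & netsh.exe branchcache set service mode=hostedserver clientauthentication=domain
    if ($LASTEXITCODE -ne 0) { throw 'netsh branchcache set service failed' }

    return (& netsh.exe branchcache show status all)
}

# Enable-HostedCacheServer -Thumbprint '<thumbprint from the Details tab>' -ServerFqdn 'NYC-SVR1.contoso.com'
```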
1. On NYC-SVR1, open the Performance administrative tool and remove all existing counters from Performance Monitor.
3. To clear the BranchCache performance statistics, stop and start the BranchCache service.
6. Open the Performance administrative tool and remove all existing counters from Performance Monitor.
2. To clear the BranchCache data, at the command prompt, type the following code, and then press ENTER.
3. To clear the BranchCache performance statistics, stop and start the BranchCache service.
6. Open the Performance administrative tool and remove all existing counters from Performance Monitor.
3. Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).
6. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).
7. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
Why would you want to implement BranchCache in hosted cache mode rather than distributed cache mode?
1. Your organization has just created a remote office with four users and no server. Users are complaining that access to files in the head office is very slow. How can you speed up access to files for users in the remote office?
2. Your organization has just created a remote office with 15 users. This office has a local file server. The users are complaining that their logon process is very slow. How can you speed up the authentication process for users in the remote office?
3. Your organization has just created a remote office with 15 users. This office has a local domain controller that does not have a secure storage location. An application run in the remote office modifies Active Directory Domain Services data. How can you ensure that the Active Directory Domain Services data is secure?
Do not cache passwords for Domain Admins and other sensitive accounts on an RODC.
Use the option to display accounts that have been authenticated to an RODC to identify potential accounts that should be cached on the RODC.
Review the list of accounts whose passwords are stored on an RODC and verify that sensitive accounts are not being cached.
Use the Resultant Policy tab to verify that the password for a particular user can be cached on an RODC.
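The RODC tasks from this module (delegating administration through Managed By, allowing the remote office group in the Password Replication Policy, checking the resultant policy for a user) and the audit the best practices above call for, done with the Active Directory PowerShell module in an added example that is not course material. NYC-SVR1, Remote Office Users, Alexander and the Allowed/Denied groups are the lab's names; the delegated-admin group NYC-SVR1 Local Admins is assumed.

```powershell
# Added example, not part of the 6419B course. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT). Group "NYC-SVR1 Local Admins" is an
# assumed name for the delegated RODC administrators.
Import-Module ActiveDirectory

$Rodc       = 'NYC-SVR1'
$AdminGroup = 'NYC-SVR1 Local Admins'     # assumed
$AllowGroup = 'Remote Office Users'       # created in the lab

function Set-RodcDelegation {
    # Managed By tab equivalent. Only one principal fits, so delegate to a group.
    param([string]$RodcName, [string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    Set-ADComputer -Identity $RodcName -ManagedBy $group.DistinguishedName
    # Module guidance: cache the delegated admins' passwords so they can still
    # log on for maintenance when no writable DC is reachable.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $GroupName
}

function Test-PrincipalInPrpList {
    # True when $AccountDn is listed directly or through any (nested) group entry.
    param([string]$AccountDn, $Entries)
    foreach ($entry in $Entries) {
        if ($entry.ObjectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive
            if ($members | Where-Object { $_.DistinguishedName -eq $AccountDn }) { return $true }
        } elseif ($entry.DistinguishedName -eq $AccountDn) {
            return $true
        }
    }
    return $false
}

function Test-RodcPasswordCacheable {
    # Same answer as the Resultant Policy tab: a Denied match always wins.
    param([string]$RodcName, [string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    if (Test-PrincipalInPrpList $dn $denied) { return $false }
    return (Test-PrincipalInPrpList $dn $allowed)
}

function Get-RodcSensitiveCachedAccounts {
    # The review check: every account whose secret is stored on the RODC and
    # that belongs to a group whose members must never be cached there.
    param([string]$RodcName,
          [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins',
                                         'Denied RODC Password Replication Group'))
    $sensitive = @{}
    foreach ($g in $SensitiveGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { $sensitive[$_.DistinguishedName] = $g }
    }
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $sensitive.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account = $_.SamAccountName
                Reason  = "member of $($sensitive[$_.DistinguishedName])"
            }
        }
}

# Set-RodcDelegation -RodcName $Rodc -GroupName $AdminGroup
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup
# Test-RodcPasswordCacheable -RodcName $Rodc -SamAccountName 'Alexander'   # True after lab Task 3
# Get-RodcSensitiveCachedAccounts -RodcName $Rodc                           # should return nothing
```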
BranchCache: A new feature in Windows Server 2008 R2 and Windows 7 that reduces WAN link utilization for remote offices. In some cases, it can also improve application performance for remote office users that access data in the head office. It can be configured in Distributed Cache mode or Hosted Cache mode.
Module 13
Monitoring and Maintaining Windows Server 2008
Module Overview
When a system failure or an event that affects system performance occurs, you need to be able to repair
the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the
modern network environment, the ability to determine the root cause quickly often depends on having an
effective performance monitoring methodology and toolset.
Performance-monitoring tools are used to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers.
Objectives
After completing this module, you will be able to:
Lesson 1
Monitoring your server environment provides many benefits. You will be able to identify potential issues
before they escalate and affect the users in your organization. You will be able to provide performance
and reliability reports by using historical statistics from your environment when requested. You will also be
able to assess the performance status of your environment at any given time, whether or not a specific
issue is occurring. These benefits come from a well-planned and tested monitoring environment. If your
monitoring environment is not properly planned and tested, the act of monitoring performance itself can
cause potential issues in your environment.
This lesson will introduce you to the details involved with planning monitoring tasks and how you can
ensure that your monitoring environment is accurate, stable, and effective.
Objectives
After completing this lesson, you will be able to:
Key Points
Monitoring servers provides a number of benefits, and there are a number of different reasons you might
monitor a Windows server.
Identifying Issues
Troubleshooting problems that arise in your server environment can be a tedious and potentially
frustrating task. Issues that affect your users need to be resolved as quickly as possible and with minimal
impact on the business needs of your organization.
Troubleshooting an issue based solely on symptoms provided by users or anecdotal evidence often leads
to misdiagnosed causes and wasted time and resources. Monitoring your server environment allows you
to take a more informed and proactive approach to troubleshooting. When you have an effective
monitoring solution implemented, you can identify issues within your infrastructure before they cause a
problem for your end users. You can also have more concrete evidence of reported issues and narrow
down the cause of problems, saving you investigative time.
Question: Can you list four troubleshooting procedures that would benefit from server monitoring?
Types of Monitoring
Key Points
You should select the most appropriate tool to suit the type of monitoring that is required.
There are different methods that you can use to collect performance data from servers in your
organization. You should use each of these methods to suit your requirements.
Historical Data
Reviewing collected or historical data can be useful for tracking trends over time, determining when to
relocate resources, and deciding when to invest in new hardware to meet the changing requirements of
your business.
Historical data may be in the form of Windows event logs or performance data collected over a period of
time and retained for reference.
You should use historical performance data to assist you when you plan future server requirements.
Historical data is also useful for establishing a baseline for your server's performance, which allows you to make accurate assessments of server performance when performing real-time monitoring.
Tool: Event Viewer
Tool: Task Manager
Tool: Resource Monitor
Tool: Performance Monitor
Tool: Reliability Monitor
Description: Reliability Monitor provides a historical view of your server's reliability-related information, such as event log errors and warnings.
Key Points
Planning for event monitoring means ensuring that your monitoring activities meet your technical needs and do not interfere with your organization's business requirements.
You should ensure that your systems are cost-effective for your organization. Your business may achieve
staff reductions through improved management that is realized by efficient event monitoring. You can
prevent service and system outages by ensuring that resources retain enough capacity to meet SLAs.
You should consider the cost that monitoring events incurs. The cost that is incurred to monitor systems is
an investment in ensuring that your systems continue to run effectively and efficiently. You can measure
costs by using several metrics, including:
By using automated systems, you can monitor servers proactively and possibly reduce the overall number
of staff required to perform monitoring.
By providing a monitoring environment for your server infrastructure to respond automatically to events,
you create an environment that allows you to be flexible and dynamic in your response to issues related
to your servers. Windows Server 2008 enables dynamic system responses through many of the included
tools to automatically respond to events with actions like sending e-mail messages, recording an event in
the event log, or running a custom command or management task.
Lesson 2
Calculating performance baselines for your server environment allows you to more accurately interpret
real-time monitoring information. A baseline for your server's performance tells you what the performance monitoring statistics look like under normal use. A baseline is established by monitoring performance statistics over a period of time. When an issue or symptom occurs in real time, you can compare your real-time statistics to your baseline statistics and identify any anomalies.
This lesson discusses some of the key server components to measure. You will learn how to use analysis
and planning techniques from collected performance metrics to improve your server infrastructure.
Objectives
After completing this lesson, you will be able to:
Key Points
Tuning and testing server performance is critical to the effective operation of your server environment. Done correctly, tuning and testing performance can identify and remove potential hardware-related issues, ensure that your server is using its resources effectively, and provide you with information you can use to prevent performance-related issues from affecting your server's performance.
Insufficient memory is a common cause of serious performance problems in computer systems. If you
suspect other problems, check memory counters to rule out a memory shortage. Poor response time on a
workstation is most likely to result from memory and processor problems; servers are more susceptible to
disk and network problems.
Before you start tuning, consider the following recommendations:
• Make one change at a time. In some cases, a problem that appears to relate to a single component might be the result of bottlenecks involving multiple components. For this reason, it is important to resolve problems individually. Making multiple changes simultaneously may make it impossible to assess the impact of each individual change.
• Repeat monitoring after every change. This is important for understanding the effect of the change and to determine whether additional changes are required. Proceed methodically, making one change to the identified resource at a time and then testing the effects of the changes on performance. Because tuning changes can affect other resources, it is important to keep records of the changes you make and to review after you make a change.
• In addition to monitoring, review event logs, because some performance problems generate output that you can display in Event Viewer.
• To see whether network components are playing a part in performance problems, compare the performance of programs that run over the network with locally run programs.
Key Points
Analysis of your monitoring data can reveal problems such as excessive demand on certain hardware
resources resulting in bottlenecks.
Causes of Bottlenecks
Demand may become extreme enough to cause resource bottlenecks for the following reasons:
A program is monopolizing a particular resource; this might require substituting another program,
having a developer rewrite the program, adding or upgrading resources, or running the program
during periods of low demand.
By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune servers to overcome initial limitations. The following table lists suggestions for
improving performance on various types of hardware.
Hardware
Suggestions
Processors
application to only some of the processor cores frees the
remaining cores for other applications to use.
Disks
Memory
Networks
Key Points
You should familiarize yourself with basic performance measurement objects and counters used to
monitor the main hardware components.
There are a large number of measurement objects available within Performance Monitor that relate to all
aspects of the hardware, operating system, and installed applications on a server.
The following table lists some common performance metrics to measure:
Object
Descriptions
Cache
File system cache. The cache is an area of physical memory that is used
to store recently used data to permit access to the data without having
to read from the disk.
Memory
Objects
Paging File
Physical Disk
Hard disk or fixed drives as the computer sees them (hardware RAID
may not be visible to these counters).
Process
Processor
instance of the object.
Server
System
Thread
Key Points
You should give careful consideration to the value of performance data to ensure that it reflects the real
server environment.
You should consider performance analysis alongside business or technology growth and upgrade plans. It
may be possible to reduce the number of servers in operation after you have measured performance and
assessed the required environment.
By analyzing performance trends, you can predict when existing capacity is likely to be exhausted. You
should review historical analysis with consideration to your business and use this to determine when
additional capacity is required. Some peaks are associated with one-time activities such as very large
orders. Other peaks occur on a regular basis, such as a monthly payroll, and these peaks may require
increased capacity to meet increasing numbers of employees.
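The trend analysis described above, as an added PowerShell example that is not part of the course material: a least-squares line is fitted to monthly usage figures and extended forward to estimate when a volume reaches a warning level and when it is full. The twelve monthly values and the 500 GB capacity are constructed sample data, and the 80 percent warning level is an assumed policy.

```powershell
# Added example, not course code. The monthly figures and the 500 GB capacity
# are constructed sample data; the 80 percent warning level is an assumed policy.

function Get-CapacityForecast {
    param(
        [double[]]$Observations,   # one usage value per period, oldest first
        [double]$Capacity,         # hard limit, in the same unit as the observations
        [double]$Headroom = 0.8    # warn when the trend crosses this fraction of capacity
    )
    $n = $Observations.Count
    if ($n -lt 2) { throw 'At least two observations are needed to fit a trend.' }

    # Least-squares fit of y = intercept + slope * x, with x = 0 .. n-1.
    $xs = 0..($n - 1)
    $xMean = ($xs | Measure-Object -Average).Average
    $yMean = ($Observations | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $num += ($xs[$i] - $xMean) * ($Observations[$i] - $yMean)
        $den += ($xs[$i] - $xMean) * ($xs[$i] - $xMean)
    }
    $slope = $num / $den
    $intercept = $yMean - $slope * $xMean

    # Flat or falling usage never reaches capacity on this trend.
    if ($slope -le 0) {
        return New-Object PSObject -Property @{
            SlopePerPeriod = [math]::Round($slope, 2); PeriodsToHeadroom = $null; PeriodsToFull = $null
        }
    }

    # Periods after the last observation at which the fitted line crosses each
    # threshold; a result of 0 means the threshold is already crossed.
    $last = $n - 1
    $toHeadroom = (($Capacity * $Headroom) - $intercept) / $slope - $last
    $toFull     = ($Capacity - $intercept) / $slope - $last
    New-Object PSObject -Property @{
        SlopePerPeriod    = [math]::Round($slope, 2)
        PeriodsToHeadroom = [math]::Round([math]::Max($toHeadroom, 0.0), 1)
        PeriodsToFull     = [math]::Round([math]::Max($toFull, 0.0), 1)
    }
}

# Constructed sample: GB in use on a 500 GB volume over twelve months. Month 6
# carries a one-time spike of the kind described above; the fit smooths it out
# instead of treating it as the new normal.
$usedGb = 210, 218, 227, 240, 251, 290, 268, 279, 292, 301, 314, 325
Get-CapacityForecast -Observations $usedGb -Capacity 500 |
    Format-List SlopePerPeriod, PeriodsToHeadroom, PeriodsToFull
```

A regular peak such as a monthly payroll shows up as a repeating pattern rather than a single outlier; for that case, fit the trend to the peak values of each cycle separately, since it is the peaks that must fit within capacity.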
Planning for future server capacity is a requirement for all organizations. Business planning often requires
additional server capacity to meet targets. By aligning your IT strategy with the strategy of the business,
you can support the business objectives.
You should plan the server capacity to maximize the use of available space, power, and cooling. In many
situations, the applications on a single physical server may not be consuming a significant amount of
server resources. The underutilization of these resources means that your server environment is not
operating as efficiently as it could. In this case, you should consider virtualizing your environment to
reduce the number of physical servers that are required. You can consolidate servers by implementing 64-bit
computing and utilizing Hyper-V in the Microsoft Windows Server 2008 environment.
Key Points
Capacity planning focuses on assessing server workload, the number of users that a server can support,
and how to scale systems to support additional workload and users in the future.
New server applications and services affect the performance of your IT infrastructure. These services may
receive dedicated hardware, although they often use the same local area network (LAN) and wide area
network (WAN) infrastructure. Planning for future capacity should include all hardware components and
how new servers, services, and applications affect the existing infrastructure. Factors such as power,
cooling, and rack space are often overlooked during initial exercises to plan capacity expansion. You
should consider how your servers can scale up and out to support an increased workload.
Tasks such as upgrading to Windows Server 2008 and updating operating systems may affect your servers
and network. It is not unknown for an update to cause a problem with an application. Careful
performance monitoring before and after updates are applied can identify problems.
An expanding business requires you to provide support for more users. You should consider business
requirements when you purchase hardware. This consideration will ensure that you can meet future
business requirements through increasing the number of servers or by adding capacity to existing
hardware.
Capacity requirements include:
• More servers.
• Additional hardware.
• Reducing users.
Lesson 3
Implementing performance monitoring is the first step to having an accurate assessment of your server
environment.
The second step is analyzing and interpreting performance monitoring information to derive useful
information that allows you to better manage and maintain the servers you are responsible for.
This lesson takes a closer look at the performance counters used in performance monitoring to give you a
better understanding of what they measure and what the statistics related to these counters can tell you
about your environment.
Objectives
After completing this lesson, you will be able to:
Key Points
CPU counters measure the server's CPU-related performance information and hardware-related events.
Processor\% Processor Time. Processor\% Processor Time shows the percentage of elapsed time
that this thread used the processor to run instructions. An instruction is the basic unit of execution in
a processor, and a thread is the object that runs instructions. Code run to handle some hardware
interrupts and trap conditions is included in this count.
Key Points
The memory performance object consists of counters that describe the behavior of physical and virtual
memory on the computer. Physical memory is the amount of RAM on the computer. Virtual memory
consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is
the movement of pages of code and data between disk and physical memory. Excessive paging is a
symptom of a memory shortage and can cause delays that interfere with all system processes.
• Pages/sec. Pages/sec shows the rate, in incidents per second, at which pages were read from or written to disk to resolve hard page faults. This counter is a primary indicator for the kinds of faults that cause system-wide delays. It is the sum of Pages Input/sec and Pages Output/sec. It is counted in numbers of pages, so it can be directly compared to other counts of pages such as Page Faults/sec. It includes pages retrieved to satisfy faults in the file system cache (usually requested by applications) and noncached mapped memory files.
• Available Bytes. Available Bytes shows the amount of physical memory, in bytes, immediately available for allocation to a process or for system use. It is equal to the sum of memory assigned to the standby (cached), free, and zero page lists.
• Committed Bytes. Committed Bytes shows the amount of committed virtual memory, in bytes.
• Pool Nonpaged Bytes. Pool Nonpaged Bytes shows the size, in bytes, of the nonpaged pool. Pool Nonpaged Bytes is calculated differently than Process\Pool Nonpaged Bytes, so it might not equal Process(_Total)\Pool Nonpaged Bytes.
Key Points
The LogicalDisk performance object consists of counters that monitor logical partitions of hard or fixed
disk drives. System Monitor identifies logical disks by their drive letter, such as "C:".
The PhysicalDisk performance object consists of counters that monitor hard or fixed disk drives. Disks are
used to store file, program, and paging data. They are read to retrieve these items, and are written to
record changes to them. The values of physical disk counters are sums of the values of the logical disks (or
partitions) into which they are divided.
• % Disk Read Time, % Disk Time, % Disk Write Time, % Idle Time. These counters are of little value when multiple physical drives are behind logical disks. Imagine a subsystem of 100 physical drives presented to the operating system as five disks, each backed by a 20-disk RAID 0+1 array. Now imagine that the administrator spans the five disks with a single logical disk, volume X. One can assume that any serious system that needs that many physical disks has at least one outstanding request to volume X at any given time. This makes the volume appear to be 100% busy and 0% idle, when in fact the 100-disk array could be up to 99% idle.
• Average Disk Bytes / { Read | Write | Transfer }. This counter collects average, minimum, and maximum request sizes. If possible, individual or sub-workloads should be observed separately. Multimodal distributions cannot be differentiated by using average values if the request types are consistently interspersed.
• Average Disk Queue Length, Average Disk { Read | Write } Queue Length. These counters collect concurrency data, including burstiness and peak loads. Guidelines for queue lengths are given later in this module. These counters represent the number of requests in flight below the driver that takes the statistics. This means that the requests are not necessarily queued, but could actually be in service or completed, and on the way back up the path.
Key Points
Most workloads require access to production networks to ensure communication with other applications
and services, and to communicate with users. Network requirements include elements such as
throughput, that is, the total amount of traffic that passes a given point on a network connection per unit
of time.
Other network requirements include the presence of multiple network connections. Workloads might
require access to several different networks that must remain secure. Examples include connections for:
By monitoring the network performance counters, you can evaluate your network performance.
• Output queue length. This counter is the length of the output packet queue (in packets). If this is longer than 2, delays occur. You should find the bottleneck and eliminate it if you can. Because NDIS queues the requests, this length should always be 0.
• Packets received errors. This counter is the number of incoming packets that contain errors that prevent them from being deliverable to a higher-layer protocol. A zero value does not guarantee that there are no receive errors. The value is polled from the network driver, and it can be inaccurate.
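The counters discussed in this lesson, checked against rules. The following PowerShell is an added example, not course code: it averages a few Get-Counter samples so that a single spike does not produce a finding, then reports each counter whose average exceeds its rule. The Output Queue Length and Packets Received Errors rules restate the thresholds given above; the processor, paging and disk queue thresholds are assumptions for illustration and should be replaced with values derived from your own baseline. % Disk Time is deliberately left out for the reason the disk topic gives: behind a RAID-backed logical disk it does not reflect how busy the array is.

```powershell
# Added example, not course code. Assumes PowerShell 2.0 (Windows Server 2008 R2).
# Rules marked "assumption" are illustrative thresholds; the two network rules
# restate the lesson text.
$rules = @(
    @{ Match = '*\network interface(*)\output queue length'; Threshold = 2
       Why = 'Output queue longer than 2: delays occur, locate the bottleneck (NDIS queues requests, so this is normally 0)' },
    @{ Match = '*\network interface(*)\packets received errors'; Threshold = 0
       Why = 'Incoming packets with errors; a zero value does not guarantee none, because the driver is polled' },
    @{ Match = '*\memory\pages/sec'; Threshold = 1000
       Why = 'Sustained hard page faults point to a memory shortage (threshold is an assumption)' },
    @{ Match = '*\physicaldisk(_total)\avg. disk queue length'; Threshold = 2
       Why = 'Requests in flight below the driver; judge against the spindle count (threshold is an assumption)' },
    @{ Match = '*\processor(_total)\% processor time'; Threshold = 85
       Why = 'Sustained high processor utilization (threshold is an assumption)' }
)

# The counters named in this lesson. % Disk Time is intentionally absent.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Output Queue Length',
    '\Network Interface(*)\Packets Received Errors'
)

function Test-CounterRules {
    param([string[]]$Counters, [array]$Rules, [int]$Samples = 4, [int]$IntervalSeconds = 5)
    # Average several samples per counter path so a one-off spike is ignored.
    $sets = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $sum = @{}; $count = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $sum[$s.Path]   = [double]$sum[$s.Path] + $s.CookedValue
            $count[$s.Path] = [int]$count[$s.Path] + 1
        }
    }
    # Emit one finding per (counter instance, rule) pair that is breached.
    foreach ($path in $sum.Keys) {
        $avg = $sum[$path] / $count[$path]
        foreach ($rule in $Rules) {
            if (($path -like $rule.Match) -and ($avg -gt $rule.Threshold)) {
                New-Object PSObject -Property @{
                    Counter   = $path
                    Average   = [math]::Round($avg, 2)
                    Threshold = $rule.Threshold
                    Finding   = $rule.Why
                }
            }
        }
    }
}

Test-CounterRules -Counters $counters -Rules $rules | Format-List Counter, Average, Threshold, Finding
```

Because the Network Interface paths use a wildcard instance, each adapter is evaluated separately, which is what the Output Queue Length rule needs: a saturated adapter must not be hidden by idle ones.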
Key Points
Specific server roles install a range of performance objects and associated counters.
Windows Server 2008 uses server roles to improve server efficiency and security. By identifying the role
that a server performs, you can ensure that you measure the necessary counters to monitor performance.
By using server roles, you ensure that you install and activate only the required components on your
servers. Only the performance objects and counters that are relevant to the installed server role are
available to monitor.
You should note that you enable missing performance objects and counters by installing additional server
roles or adding features.
Additional performance objects that are installed with each server role can assist with server monitoring.
The following table identifies common server roles and the performance objects that can be monitored to
assess performance.
Server role
If you notice slow write or read operations, check the following disk I/O counters under the Physical Disk category to see whether many queued disk operations exist:
o Avg. Disk Queue Length
o Avg. Disk Read Queue Length
o Avg. Disk Write Queue Length
o If lsass.exe (Local Security Authority Subsystem) uses lots of physical memory, check the following Database counters under the Database category to see how much memory is used to cache the database for Active Directory Domain Services.
File Server
Hyper-V (virtualization)
Lesson 4
Windows Server 2008 provides a range of tools to monitor the operating system and applications. You
can use these tools to tune your system for efficiency and troubleshoot problems. You should use these
tools and complement them where necessary with your own tools.
Objectives
After completing this lesson, you will be able to:
Performance Monitor
Key Points
Performance Monitor is a Microsoft Management Console (MMC) snap-in used to obtain system
performance information. You can use this tool to analyze the performance effect of applications and
services. You can use Performance Monitor for an overview of system performance or collect detailed
information for troubleshooting.
The Performance Monitor includes the following features:
• Monitoring Tools
• Reports
Monitoring Tools
The Monitoring Tools node contains the Performance Monitor graph view. It provides a visual display of
built-in Windows performance counters, either in real time or as a way to review historical data.
The Performance Monitor graph view includes the following features:
Performance Monitor uses performance counters to measure the system state or activity.
Performance Counters can be included in the operating system or can be present as part of installed
applications. Performance Monitor requests the current value of performance counters at specified time
intervals.
You can add performance counters to the Performance Monitor by dragging and dropping the counters
or by creating a custom data collector set.
Performance Monitor features multiple graph views that enable you to visually review performance log
data. You can create custom views in Performance Monitor that can be exported as Data Collector Sets for
use with performance and logging features.
Reports
Use the Reports node to view and create reports from a set of counters that you create by using Data
Collector Sets.
Reliability Monitor
Key Points
The Reliability Monitor reviews the computer's reliability and problem history. The Reliability Monitor can
be used to obtain several kinds of reports and charts that can help you identify the source of reliability
issues. Access the Reliability Monitor by clicking View System History on the Maintenance tab in the
Action Center.
The following topics explain the main features of the Reliability Monitor.
• Software Installs
• Software Uninstalls
• Application Failures
• Hardware Failures
• Windows Failures
• Miscellaneous Failures
• Memory problems
• Driver problems
• Application failures
The Reliability Monitor is a useful tool that provides a timeline of system changes and reports the system's
reliability. You can use this timeline to determine whether a particular system change correlates with the
start of system instability.
Resource Monitor
Key Points
The Resource Monitor interface in Windows Server 2008 R2 provides an in-depth look at the real-time
performance of your server.
You can use Resource Monitor to monitor the use and performance of CPU, disk, network, and memory
resources in real time. This allows for resource conflicts and bottlenecks to be identified and resolved.
By expanding the monitored elements, system administrators can identify which processes are using
which resources. In addition, Resource Monitor allows you to select a process or processes to track by
selecting their check boxes. When a process is selected, it remains selected in every pane of Resource
Monitor, providing the information you require regarding that process at the top of the screen, no matter
where you are in the interface.
Key Points
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue
might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer
provides the ability to collect copies of events from multiple remote computers, and store them locally. To
specify which events to collect, you create an event subscription. After a subscription is active and events
are being collected, you can view and manipulate these forwarded events as you would any other locally
stored events.
Using the event-collecting feature requires that you configure both the forwarding and the collecting
computers. The functionality depends on the Windows Remote Management (WinRM) and the Windows
Event Collector services (Wecsvc). Both of these services must be running on computers participating in
the forwarding and collecting process.
Creating a Subscription
Before you can create a subscription to collect events on a computer, you must configure the collecting
computer (collector), and each computer from which events will be collected (source).
After you configure the computers, you can create a subscription to specify which events to collect, by
selecting the Subscriptions folder, and then clicking the link on the Action menu.
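The two-sided configuration just described, scripted as an added example that is not course material. The first part runs on each source computer and the second on the collector. Host names, the subscription name, the event IDs selected and the file location are constructed for illustration; the subscription XML follows the format that wecutil accepts for a collector-initiated subscription, with the delivery values of the Normal configuration mode.

```powershell
# Added example, not course code. Names (CONTOSO, NYC-DC1, NYC-SVR1), the
# subscription id and the event query are constructed for illustration.

# ---- On each source computer (here NYC-SVR1), from an elevated prompt ----
# WinRM is the transport the collector uses to read this computer's logs.
winrm quickconfig -q
# The collector connects with its computer account (CredentialsType Default
# below). Event Log Readers grants read access to the event logs, including
# Security, without making the collector a local administrator. Microsoft's
# walkthrough for this topic uses the local Administrators group instead; if
# the connection is refused with Event Log Readers alone, WinRM access must
# be granted separately rather than by widening group membership.
net localgroup "Event Log Readers" 'CONTOSO\NYC-DC1$' /add

# ---- On the collector (here NYC-DC1), from an elevated prompt ----
# Configure the Windows Event Collector service (Wecsvc) to start automatically.
wecutil qc /q:true

# A collector-initiated subscription: the collector pulls the selected events
# from each listed source into its ForwardedEvents log. Only logon success and
# failure (Security 4624 and 4625) are selected to keep the volume small.
# Delivery values are those of the Normal mode: pull, 5 items, 15 minutes.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Contoso-Logons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success and failure events from Contoso servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Delivery Mode="Pull">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-SVR1.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'Contoso-Logons.xml'
$subscription | Out-File -FilePath $xmlPath -Encoding UTF8
wecutil cs $xmlPath

# Runtime status shows whether the subscription is active and each source is
# connected; a source reporting an error here is the first thing to fix.
wecutil gr Contoso-Logons

# Forwarded events are read like any local log; this lists recent failed logons.
Get-WinEvent -LogName ForwardedEvents -FilterXPath '*[System[EventID=4625]]' -MaxEvents 20 |
    Format-Table TimeCreated, MachineName, Id -AutoSize
```

Collecting logon events centrally also means the record survives if a source computer's own log is cleared, which is why the ForwardedEvents log on the collector should be sized and retained deliberately rather than left at the default.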
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and then, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   Password: Pa$$w0rd
   Domain: Contoso
Lab Scenario
NYC-SVR1 has just been deployed at the New York office of Contoso, Ltd. You have been asked to
establish a performance baseline for this server for comparison to real-time performance statistics and to
ensure that the server is currently operating properly and efficiently.
1. Create a Data Collector Set to log the counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.
2. Review the Data Collector Set Report to ensure that performance data has been captured.
Task 1: Create a Data Collector Set to log the counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.
1.
2. Expand the Data Collector Sets node and create a new User Defined Data Collector Set named NYC-SVR1 Baseline.
3. Add all counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.
4.
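Task 1 and Task 2 carried out from the command line, as an added example that is not part of the lab: logman creates the same user-defined Data Collector Set with all counters of the four objects, and relog converts the resulting log for review. The sample interval, output folder and log format are choices made for this example; the set name and counter objects are the lab's.

```powershell
# Added example, not part of the lab. Interval, output path and format are
# choices for this example; the set name and the counter objects are the lab's.
$setName = 'NYC-SVR1 Baseline'
$outDir  = 'C:\PerfLogs'

# Task 1: a user-defined counter Data Collector Set with every counter of the
# Processor, Memory, PhysicalDisk and Network Interface objects, sampled every
# 15 seconds into a circular binary log (bincirc) so it cannot fill the disk.
logman create counter $setName `
    -c '\Processor(*)\*' '\Memory\*' '\PhysicalDisk(*)\*' '\Network Interface(*)\*' `
    -si 15 -f bincirc -o "$outDir\$setName"
logman start $setName

# Let the set run for the whole baseline period, then stop it.
logman stop $setName

# Task 2: confirm the set ran and see where its log was written.
logman query $setName

# Convert the most recent binary log to CSV so the baseline can be reviewed or
# fed to a script; Import-Counter reads the .blg directly in PowerShell 2.0.
$log = Get-ChildItem $outDir -Filter "$setName*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
relog $log.FullName -f csv -o "$outDir\$setName.csv"
Import-Counter -Path $log.FullName -Summary
```

Logging every counter of four objects is fine for a short lab baseline; for a production baseline, pick the specific counters you intend to compare against so the log stays small and the comparison stays readable.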
Task 2: Review the Data Collector Set report to ensure that performance data has been captured.
1.
2. Expand the Reports node and view the most recent report run for the user-defined NYC-SVR1 Baseline object.
3.
2.
2. View the graphs on the right of the screen to ensure none of them are near the top of the graph window.
3. Click each tab in the Resource Monitor window to view the real-time performance data for the associated component.
4.
2. Check the Reliability Monitor for any Error events represented by a red X icon.
3.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3.
4.
Review Questions
1.
2. Where would centralized event collection be valuable in obtaining event information from multiple computers?
Description
Resource Monitor offers in-depth real-time performance monitoring and a comprehensive view of your server's performance-related configuration.
Tools
Tool
Use for
Where to find it
Event Viewer
Task Manager
Performance Monitor
Resource Monitor
Module 14
Managing Windows Server 2008 Backup and Recovery
Contents:
Lesson 1: Planning and Implementing File Backups on Windows Server 2008 ... 14-3
Module Overview
Disaster recovery planning is a critical part of managing any server infrastructure. This module examines
the necessary planning for backup and restore procedures, and startup issues to ensure that you protect
data and servers sufficiently against disasters. This module will also focus on the improvements in the
Windows Server Backup application included with the operating system.
Microsoft Windows Server 2008 R2 also has new options for restoring Active Directory Domain
Services (AD DS), such as the Active Directory Recycle Bin.
The ability to troubleshoot startup issues has been improved for Windows Server 2008. Common startup
issues can be automatically detected and repaired to get servers back online in a timely manner.
Restoring data is a riskier operation than backing up data because you can overwrite and lose existing
data through careless restore procedures. You should only permit trusted administrators to perform
restore operations; it is likely that the restore operators are a subset of the backup operators, but in some
organizations, the backup and restore teams are separated.
After completing this module, you will be able to:
Lesson 1
This lesson examines the planning elements that are required to create a successful, unobtrusive, and
secure backup process. You can apply these considerations when you are planning backup for various
types of data on your network. Typically, you will distribute backup tasks among various servers and
personnel in your environment.
After completing this lesson, you will be able to:
Describe decision points for selecting backup software and appointing backup operators.
Key Points
You need to use backup software to back up the data and servers on your network. When planning your
backup strategy, you must choose which backup software to use. You can choose the backup feature in
the Windows Server 2008 operating system or you can choose third-party backup software. Your choice
depends on your backup medium, how you intend to manage your backups across several servers, and
licensing costs, among other factors. For example, the Windows Server 2008 Backup feature has no
additional licensing costs, but it does not support tape backups. This may have a major influence on your
decision.
The Windows Server 2008 Backup feature also supports command-line use through the Wbadmin.exe
command. This is useful for scripting or performing specific backups such as system state data.
There are many improvements to the Windows Server Backup feature in Windows Server 2008 R2,
including more backup options and more control through the Windows Server Backup Microsoft
Management Console (MMC). These changes are discussed in the next topic.
You may also have special requirements, such as databases, that you must regularly back up. A database
backup may require special software or tools to perform the backup.
Question: What backup software or solutions do you currently use?
Key Points
The Windows Server Backup feature provides a basic backup and recovery solution for computers running
the Windows Server 2008 operating system, but it has very limited options. For example, it can only back
up entire volumes. The Windows Server Backup feature of Windows Server 2008 R2 has many new
enhancements, including enhanced wizards, to implement a flexible backup plan. The following table
outlines feature availability in the different versions.
Feature
Supported in
Windows Server 2008
Yes
Yes
Scheduling backups
Yes
Yes
Yes
Yes
Yes
No
Yes
Back up to volumes or
network shares
Yes
Yes
Yes
No
backup option
Question: What command-line utility can be used to back up System State in Windows Server 2008?
Key Points
When you plan your backup strategy, you must plan the elements that are listed in the following table.
Plan Elements
Details
You must identify all data that requires backup so that you can restore your data and systems in the event of a disaster.
You must identify the quantity of data, which in Windows Server 2008 includes which volumes or files and folders to back up, so that you can choose an appropriate storage medium and identify how long a backup or restore operation requires.
Create a backup schedule. You must plan how frequently and at what times servers perform automated backup tasks. Most organizations perform daily backups at the least.
Choose a backup type. Based on the frequency and the time that is taken to perform a backup and a restore operation, you may also need to select a backup type. Your backup software may enable you to choose from the following backup types:
• Full or Normal
• Incremental
• Differential
Windows Server Backup performs full backups by default. You can enable incremental backups by configuring performance settings in MMC. Windows Server Backup does not support differential backups.
Choose the backup medium. Based on your backup software, the size of backups, and the time to restore data, you should choose an appropriate backup medium. Backup media include:
• Tape (not available with Windows Server 2008 backup)
• Hard disk (fixed or removable)
• DVD
• Shared folder
Tape is available in various formats, supporting various data rates and storage capacities. If you back up to tape, you should ensure that the tape format that you use is appropriate to the quantity of data that you are backing up.
The Windows Server 2008 Backup feature does not support backing up to tape. Volumes and shared folders are the only supported storage media.
Consider the length of time that you require to retain backups to restore data. Will you be able to restore data from one month ago, six months ago, 12 months ago, or longer?
You must also consider the storage location of your backup media. Tapes are susceptible to magnetic fields and heat, so they should be stored away from these environmental factors. Backup media should be stored offsite in case of disaster such as fire or flood.
• Bare metal recovery. Bare metal recovery includes all volumes that are necessary for Windows to run. You can use this backup type in conjunction with the Windows Recovery Environment to recover from a hard disk failure, or if you need to recover the entire computer image to new hardware.
• System State. System State is the ability to use the GUI interface to create a system state backup.
• Individual files and folders. Individual files and folders enables you to back up selected files and folders, instead of just full volumes.
• The ability to exclude selected files or file types. For example, you can exclude .tmp files.
• More storage locations to choose from. You can store backups on remote shares or non-dedicated volumes.
Question: You wish to use incremental backups as part of your backup strategy. How will you enable this?
Key Points
How long must you keep data? Must you keep data for legal compliance, such as Sarbanes-Oxley, or for
business requirements, such as the ability to audit all projects during the previous five years?
Where should you archive data? Do users require access to archived data regularly, which may require
keeping the data on a server, or can the data be archived to a static medium such as optical or tape
storage? For static media archival, you must consider that media such as DVD or tape has a finite lifetime
for storing data.
What is the cost of data storage? Different storage mechanisms and media have different costs associated
with them. If you keep your data archive on your corporate storage area network (SAN), this has a
relatively high cost per gigabyte (GB). If you keep archived data on a server hard disk, it has a lower cost
per GB, and data that is stored on tape has a very low cost per GB. Contrary to this is the ease of access, so
you must balance the cost against the ease of access for the data. Typically, you move older data to
cheaper storage media.
What software tools can assist data retention? Your backup software or additional tools may have
data-retention capabilities, or you could invest in software to assist data retention in your organization.
Consider tools such as Microsoft System Center Data Protection Manager, which can offer backup
capabilities and options to archive older data to media such as tape, instead of hard disk.
Question: What is your current data retention plan?
Key Points
A number of factors affect the formulation of an organization's backup policy. Most companies cannot
endure a major data loss. Some companies are effectively out of business if a critical system is down. The
time and cost of data or server replacement will be overriding factors. The following table lists the major
decision points to consider when working out a backup strategy.
Factor
Details
Service level agreements (SLAs)
Cost
When you plan your backup policy, you must consider the cost of your backup
solution. Costs for your backup solutions can include hardware, software, and media.
You should carefully consider cost with respect to backup and restore times, and the
required storage quantities. Larger storage capacities or faster storage media are
more expensive, but you may require these for specific data types in your
organization, such as database backups.
When you plan for increases in data storage, you should include any necessary
increase in backup costs that are required to maintain your backup schedule.
Bandwidth
backup at another location. If you have branch offices, you can decide to perform all
regular file-based backups from your main office by replicating content to the main
office, and then performing the backup.
Personnel
You should also consider who can perform backup tasks. This includes physical tasks
such as loading or changing tape libraries, and system tasks such as performing
backups or changing backup schedules.
Key Points
In this demonstration, the instructor will:
Demonstration Steps:
Note: You require the 6419B-NYC-DC1 and 6419B-NYC-SVR1 virtual machines to complete this
demonstration. Log on to the virtual machine as Contoso\Administrator, with the password,
Pa$$w0rd.
On NYC-DC1, use Server Manager to install the Windows Server Backup Feature. Include the
command-line tools in the installation.
On NYC-DC1, run Windows Server Backup and schedule a backup of drive C: to the remote backup
folder on NYC-SVR1.
Run the Backup Once wizard to back up the C:\MarketingTemplates folder to the remote backup
folder on NYC-SVR1.
Use the restore wizard to restore the MarketingTemplates folder to the C: drive.
In the Windows Server Backup MMC, run the Recovery Wizard with the following options:
Navigate to C:\ and ensure that the files have been restored.
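The same demonstration can be scripted with Wbadmin.exe, the command-line tool installed with the Windows Server Backup feature. The following is an added example and not part of the course material; it assumes the remote backup folder on NYC-SVR1 is the share \\NYC-SVR1\Backup (the page does not name the share) and is run from an elevated PowerShell prompt on NYC-DC1.

```powershell
# Added example, not part of the course text: the demonstration's Windows Server
# Backup tasks expressed as Wbadmin.exe commands, run elevated on NYC-DC1.
# Assumption: the remote backup folder on NYC-SVR1 is the share \\NYC-SVR1\Backup.
$BackupShare  = '\\NYC-SVR1\Backup'
$SourceFolder = 'C:\MarketingTemplates'

function Invoke-Wbadmin {
    # Runs wbadmin with the given arguments and fails loudly on a non-zero exit
    # code, so a scripted backup or restore never "succeeds" silently.
    param([string[]]$Arguments)
    $output = & wbadmin.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin $($Arguments[0..1] -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    $output
}

function Enable-NightlyVolumeBackup {
    # Schedules a daily 21:00 backup of drive C: to the remote shared folder.
    # The account needs write access to the share; wbadmin takes the password on
    # the command line, so it is prompted for rather than stored in the script.
    param([System.Management.Automation.PSCredential]$Credential)
    $net = $Credential.GetNetworkCredential()
    Invoke-Wbadmin @('enable', 'backup', "-addtarget:$BackupShare", '-include:C:',
                     '-schedule:21:00', "-user:$($Credential.UserName)",
                     "-password:$($net.Password)", '-quiet')
}

function Start-FolderBackupOnce {
    # Equivalent of the Backup Once wizard for a single folder.
    Invoke-Wbadmin @('start', 'backup', "-backupTarget:$BackupShare",
                     "-include:$SourceFolder", '-quiet')
}

function Get-LatestBackupVersion {
    # Parses "Version identifier: MM/DD/YYYY-HH:MM" lines; the newest is listed last.
    $versions = Invoke-Wbadmin @('get', 'versions', "-backupTarget:$BackupShare") |
        ForEach-Object { if ($_ -match 'Version identifier:\s+(\S+)') { $Matches[1] } }
    if (-not $versions) { throw "No backup versions found on $BackupShare" }
    @($versions)[-1]
}

function Restore-FolderKeepingCopies {
    # Equivalent of the Recovery Wizard for the folder, restoring to the original
    # location. -overwrite:CreateCopy is the conflict-resolution choice that keeps
    # the existing files and places the recovered versions beside them.
    param([string]$Version)
    Invoke-Wbadmin @('start', 'recovery', "-version:$Version", '-itemType:File',
                     "-items:$SourceFolder", "-backupTarget:$BackupShare",
                     '-recursive', '-overwrite:CreateCopy', '-quiet')
    # Confirm the folder is populated again after recovery.
    Get-ChildItem -Path $SourceFolder -Recurse | Select-Object FullName, LastWriteTime
}

# Run the demonstration sequence end to end.
Enable-NightlyVolumeBackup -Credential (Get-Credential 'Contoso\Administrator')
Start-FolderBackupOnce
Restore-FolderKeepingCopies -Version (Get-LatestBackupVersion)
```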
Lesson 2
A data loss and recovery event may be as small as a single file that affects a single user or as widespread
as a critical server failure that affects the whole organization. In either case, it is important to have a plan
in place so that IT personnel know how to deal with the event.
After completing this lesson, you will be able to:
Key Points
The impact of a data recovery event depends on the magnitude of the data loss. A total server failure may
affect thousands of users and cause business operations to come to a halt, whereas a user accidentally
deleting a file may only represent an inconvenience. The following considerations must be taken into
account when planning for data recovery:
Impact on Operations
Some data or servers could be lost for a short time with a minimal impact on operations. For example, a
server running redundant network services like AD DS or Domain Name System (DNS) could be lost as
long as there is a second server providing those services. Other servers, like Windows Server Update
Service (WSUS), could be lost for a period without any significant effect on operations. More critical servers, such as Microsoft SQL Server or Microsoft Exchange Server, may require more consideration, such as high availability solutions.
Key Points
Windows Server Backup in Windows Server 2008 R2 provides the following recovery types:
Files and folders. Individual files or folders can be recovered as long as the backup is on an external disk or in a remote shared folder.
Applications and data. Applications and their data can be recovered if the application has a Volume
Shadow Copy Service writer and has registered with Windows Server Backup.
Volumes. Restoring a volume always restores all the contents of the volume. You cannot restore
individual files or folders.
Operating system. The operating system can be recovered through Windows Recovery Environment
(WinRE).
System state. System state creates a point-in-time backup that can be used to restore a server to a
previous working state.
Question: What type of recovery can you use to repair a corrupted certificate database on the certificate
server?
Key Points
The Windows Server Backup Recovery Wizard provides several options for managing file and folder recovery. The wizard manages the recovery destination, conflict resolution, and security settings. The recovery options are as follows:
Recovery Destination
Original location. Restores the data to the location from which it was originally backed up.
Conflict Resolution
Restoring data from a backup will often conflict with existing versions of the data. Conflict resolution provides a way to determine how those conflicts will be handled. When these conflicts occur, you have the following options:
Security Settings
Question: How are copies of recovered files distinguished from the existing version?
Key Points
You should review, improve, and update all of your policies and working practices to ensure that you
continue to meet the requirements of your business.
By increasing the frequency of backups, you can provide users with access to recent changes in documents. Windows Server 2008 simplifies scheduling backup tasks by using the Volume Shadow Copy Service (VSS). This improved backup enables users to restore files without resorting to assistance from the IT team.
Backup policies should be reviewed:
On a regular basis.
As technology changes.
As SLAs change.
Question: How often do you update the backup and restore policy in your organization?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
1. You have agreed that no more than one day's critical data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement?
2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you deal with them?
3. You have also agreed that if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way?
1. Propose an appropriate backup frequency for the shares in the following table.
Share | Backup frequency
Sales |
Finance |
Human Resources |
Technical Library |
Projects |
2. How would you fulfill the requirement to restore the servers and how frequently would you back up the servers?
Use the Backup Schedule Wizard to create a backup with the following configurations:
Use the Backup Once wizard to back up with the following configurations:
Results: After completing this exercise, you should have reviewed an existing backup plan and
proposed changes to that plan. You will also have configured backups to become familiar with the
Windows Server Backup feature.
1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as quickly as possible in the event of a disaster. What factors affect how quickly you can restore data?
2. Given that you have a limited budget to meet the SLA requirements, how can you maximize your budget while providing backup for the entire network data for which you are responsible?
3. How will you ensure that the required data is stored for the minimum legal requirement period and that the data is available for audit purposes when it is required?
1. On NYC-DC1, open Windows Explorer, navigate to C:\MarketingTemplates, and delete the contents of the folder.
2. Use the Recovery Wizard to recover the contents of the MarketingTemplates folder.
Question: List at least one example of how administrators can create an effective backup policy.
Results: After completing this exercise, you should have reviewed an existing recovery plan and
proposed changes to that plan. You should also have tested data recovery.
Lesson 3
It is possible for a domain controller to fail, or for Active Directory to be damaged or corrupted,
intentionally or accidentally. In such an event, you must be prepared to restore the domain controller, the
directory, or objects within the directory. In this lesson, you will learn about the various methods and tools
to restore AD DS and domain controllers.
After completing this lesson, you will be able to:
Describe how to recover objects by using the Active Directory Recycle Bin.
Key Points
AD DS is one of the most critical systems in any enterprise. Windows Server 2008 R2 provides new ways to recover Active Directory. Prior to Windows Server 2008 R2, there were only three methods of recovering Active Directory: a non-authoritative restore, an authoritative restore, or tombstone reanimation.
Non-Authoritative Restore
A non-authoritative restore will restore the entire AD DS database from a system state, critical-volume, or
full server backup. A non-authoritative restore returns the domain controller to its state at the time of
backup. Normal replication will then update AD DS on the restored domain controller with any changes
that occurred since the backup was performed. The most common scenario for a non-authoritative
restore is to recover a domain controller after a full server failure or AD DS database corruption.
Authoritative Restore
If you need to recover specific objects from AD DS because of accidental deletion, you can perform an
authoritative restore. As in non-authoritative restore, AD DS is restored, but the items that need to be
recovered are marked as being authoritative. This prevents the tombstoned version of the item on other
domain controllers from overwriting the restored version. Authoritative restores have the following
characteristics:
You can restore specific items or collections of items from AD DS, such as a user or an entire organizational unit (OU).
Tombstone Reanimation
You can also recover deleted Active Directory objects through tombstone reanimation. When objects are
deleted, they are not physically removed from the AD DS database immediately. Objects are converted to
tombstones and marked for deletion after 180 days. Tombstones can be reanimated any time before that
period runs out. Reanimation is the mechanism for restoring a tombstoned object back into a normal
object. After reanimation, the object has the same objectGUID and objectSid attributes it originally had.
An advantage of tombstone reanimation is that it does not require the domain controller to be taken
offline. A disadvantage is that some attributes of the object are stripped when an object is deleted, such
as forward-linked or backward-linked attributes, and these attributes are not recovered with tombstone
reanimation.
Key Points
The Active Directory Database Mounting Tool (Dsamain.exe) allows administrators to view the contents of
a snapshot of AD DS. A snapshot captures the exact state of the directory service at the time of the
snapshot. Unlike a backup, a snapshot cannot be used to restore data.
By taking regular snapshots, you can compare data that was present in AD DS on specific dates and
determine which backup data needs to be restored. This tool only allows administrators to view data; it
cannot be used to restore data. You will need to use other tools to perform the actual restore.
You use the Ntdsutil Snapshot operation to take a point-in-time snapshot of AD DS. You can then use
Ntdsutil to mount the snapshot to a location. You then expose the data stored in the snapshot. Use the
database mounting tool (Dsamain.exe) to expose the snapshot as an LDAP server. Then, you can use any
existing LDAP tools, such as the built-in Ldp.exe, to view the data.
Note: You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You can
instead use a backup of AD DS or Active Directory Lightweight Directory Services (AD LDS) database
or another domain controller or AD LDS server. The ntdsutil snapshot operation simply provides a
convenient data input for Dsamain.exe.
Question: What permissions are required to take an AD DS snapshot?
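The snapshot workflow described above (Ntdsutil snapshot, mount, Dsamain.exe, LDAP query) as a script is shown below. This is an added example, not part of the course; it assumes a Domain Admin running it on NYC-DC1, LDAP port 51389 being free, and the default database path (\Windows\NTDS\ntds.dit) inside the mounted snapshot. Because Dsamain.exe exposes plain LDAP only (no Active Directory Web Services), the queries use System.DirectoryServices rather than the Active Directory module cmdlets.

```powershell
# Added example, not part of the course text: take an AD DS snapshot with ntdsutil,
# mount it, serve it with Dsamain.exe on an alternate LDAP port and compare the user
# accounts in the snapshot with the live directory to see what a restore must recover.
# Assumptions: Domain Admin on NYC-DC1, port 51389 free, default NTDS path, contoso.com.
$LdapPort = 51389
$DomainDN = 'DC=contoso,DC=com'

function Invoke-Ntdsutil {
    # Each argument is one ntdsutil command inside the snapshot context; the two
    # trailing quits return to the shell. Output is returned as a single string.
    param([string[]]$Commands)
    & ntdsutil.exe 'activate instance ntds' 'snapshot' @Commands 'quit' 'quit' 2>&1 | Out-String
}

function New-MountedADSnapshot {
    # Creates a snapshot, then mounts the newest snapshot of volume C: from "list all".
    # Returns the list index (needed later for unmount) and the mount path.
    $created = Invoke-Ntdsutil 'create'
    if ($created -notmatch 'generated successfully') { throw "Snapshot failed:`n$created" }
    # "list all" prints lines such as "  2: C: {GUID}"; the newest set is listed last.
    $indexes = [regex]::Matches((Invoke-Ntdsutil 'list all'), '(?m)^\s*(\d+):\s+C:\s+\{')
    if ($indexes.Count -eq 0) { throw 'No snapshot of volume C: found' }
    $index = $indexes[$indexes.Count - 1].Groups[1].Value
    $mounted = Invoke-Ntdsutil "mount $index"
    # ntdsutil reports e.g. "Snapshot {GUID} mounted as C:\$SNAP_201104011200_VOLUMEC$\"
    if ($mounted -notmatch 'mounted as (\S+)') { throw "Mount failed:`n$mounted" }
    New-Object PSObject -Property @{ Index = $index; Path = $Matches[1].TrimEnd('\') }
}

function Start-SnapshotLdapServer {
    # Dsamain.exe serves the snapshot's copy of ntds.dit as a read-only LDAP server
    # until the process is stopped; wait until RootDSE answers before querying it.
    param([string]$MountPath)
    $dit  = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    $proc = Start-Process -FilePath 'dsamain.exe' -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru
    for ($i = 0; $i -lt 30; $i++) {
        Start-Sleep -Seconds 2
        try {
            $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$LdapPort/RootDSE")
            if ($root.Properties['defaultNamingContext'].Value) { return $proc }
        } catch { }
    }
    Stop-Process -Id $proc.Id -Force
    throw 'Dsamain.exe did not start listening'
}

function Get-UserDNs {
    # Lists user DNs from either the live directory or the mounted snapshot (same code,
    # different LDAP path), paging so large domains are read completely.
    param([string]$LdapPath)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root,
        '(&(objectCategory=person)(objectClass=user))', @('distinguishedName'))
    $searcher.PageSize = 1000
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] }
}

function Compare-SnapshotWithLiveAD {
    # Users present in the snapshot but not live were deleted since the snapshot;
    # the reverse were created since. Always stops dsamain and unmounts on exit.
    $snapshot = New-MountedADSnapshot
    $dsamain  = Start-SnapshotLdapServer -MountPath $snapshot.Path
    try {
        $inSnapshot = Get-UserDNs "LDAP://localhost:$LdapPort/$DomainDN"
        $inLive     = Get-UserDNs "LDAP://$DomainDN"
        Compare-Object -ReferenceObject @($inSnapshot) -DifferenceObject @($inLive) |
            Select-Object @{n='DN'; e={ $_.InputObject }},
                          @{n='State'; e={ if ($_.SideIndicator -eq '<=') { 'deleted since snapshot' } else { 'created since snapshot' } }}
    } finally {
        Stop-Process -Id $dsamain.Id -Force     # dsamain is normally stopped with Ctrl+C
        Invoke-Ntdsutil "unmount $($snapshot.Index)" | Out-Null
    }
}

Compare-SnapshotWithLiveAD | Format-Table -AutoSize
```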
Key Points
Windows Server 2008 R2 introduces the Active Directory Recycle Bin. This tool allows you to restore deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. Objects in the Active Directory Recycle Bin can be restored within the deleted object lifetime (180 days by default) with all link-valued and non-link-valued attributes of the deleted objects preserved. Objects are restored in their entirety to the same state that they were in immediately before deletion. For example, a security group would be restored with its membership list, and its rights and permissions intact.
The Active Directory Recycle Bin has no graphical interface. PowerShell commands are used to manipulate
deleted objects.
The forest functional level must be set to Windows Server 2008 R2. All domain controllers must be
running Windows Server 2008 R2. You can use the LDP.exe utility or use the Set-ADForestMode
PowerShell cmdlet to raise the forest level. This step is irreversible.
Important: If you are performing a clean installation of a Windows Server 2008 R2 Active Directory
forest, you do not have to run Adprep; your Active Directory schema will automatically contain all the
necessary attributes for Active Directory Recycle Bin to function properly. If, however, you are
introducing a Windows Server 2008 R2 domain controller into your existing Windows Server 2003 or
Windows Server 2008 forest, and subsequently upgrading the rest of the domain controllers to
Windows Server 2008 R2, you must run Adprep. By running Adprep, you update your Active Directory
schema with the attributes that are necessary for Active Directory Recycle Bin to function properly.
The Active Directory Recycle Bin must be specifically enabled. You can use the LDP.exe utility or use
the Enable-ADOptionalFeature PowerShell cmdlet to enable the Active Directory Recycle Bin. This
step is irreversible.
Question: What permissions are required to enable Active Directory Recycle Bin?
Lesson 4
Sometimes a problem can arise that will prevent Windows from starting properly. This lesson will discuss the common causes of startup problems, review the stages of the startup process that may be affected, and explore different troubleshooting techniques that you can use depending on when the failure occurs.
After completing this lesson, you will be able to:
Key Points
Diagnosing and correcting hardware and software problems that affect the startup process requires
different tools and techniques than troubleshooting problems that occur after the system has started,
because the person troubleshooting the startup problem does not have access to the full suite of
Microsoft Windows Server 2008 troubleshooting tools. Resolving startup issues requires a clear
understanding of the startup process, the core operating system components, and the tools used to
isolate and resolve problems.
Startup failure can result from a variety of problems, such as user error, driver problems, application faults,
hardware failures, disk or file corruption, system misconfiguration, or virus activity. If the condition is
serious enough, you might need to reinstall Windows.
Question: Can you think of situations where you had to troubleshoot a Windows startup problem? If so,
how did you resolve it?
Key Points
In earlier versions of Windows, a file called boot.ini contained information about the Windows operating systems installed on the computer. In Windows Server 2008, the boot.ini file has been replaced with Boot Configuration Data (BCD). This store is more versatile than boot.ini, and it can apply to computer platforms that use means other than the basic input/output system (BIOS) to start the computer. The Windows Boot Manager uses information from the BCD to manage the operating system startup process.
The boot environment is loaded before the operating system, making the boot environment independent
of the operating system. A boot loader, in its most basic form, loads the initial files required to start an
operating system. In a default installation of Windows Server 2008 R2, there is one boot loader reference
stored in Windows Boot Manager called Windows Boot Loader, which launches the Windows Server 2008
R2 operating system. The Windows Boot Loader is stored in \Windows\System32\winload.exe and when
started by Windows Boot Manager, it begins the initial load process of the operating system. Windows
Boot Manager controls the boot process using the information in the boot configuration data (BCD) store.
The BCD can be edited with the BCDEdit.exe command-line utility. This utility is found in the
Windows\System32 directory. BCDEdit has parameters that allow you to add, modify, delete, export, and
import entries to the data store. Running the BCDEdit command without any parameters displays the
current Windows Boot Manager information and the current Windows Boot Loader information.
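Because BCDEdit changes take effect at the next startup, a practical habit is to export the store before modifying it. The following added example (not from the course) does that, then enables boot logging on the entry the computer started from, which is one of the log sources used later in this lesson; the backup path is an assumption chosen for the example, and the script must run from an elevated prompt.

```powershell
# Added example, not part of the course text: export the BCD store before changing
# it, enable boot logging on the current Windows Boot Loader entry, and keep the
# import command ready to roll back. Run elevated. Backup path is an assumption.
$BcdBackup = 'C:\BCD-Backup\bcd.bak'

function Invoke-Bcdedit {
    # Runs bcdedit and fails on a non-zero exit code instead of continuing blindly.
    param([string[]]$Arguments)
    $out = & bcdedit.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    $out
}

function Export-BcdStore {
    # /export writes a complete copy of the system store that /import can restore.
    New-Item -ItemType Directory -Path (Split-Path $BcdBackup) -Force | Out-Null
    Invoke-Bcdedit @('/export', $BcdBackup) | Out-Null
    if (-not (Test-Path $BcdBackup)) { throw 'BCD export produced no file' }
    $BcdBackup
}

function Get-BcdEntry {
    # Parses "/enum <id>" output (one "element   value" pair per line, values
    # separated from names by two or more spaces) into a hashtable.
    param([string]$Identifier = '{current}')
    $entry = @{}
    Invoke-Bcdedit @('/enum', $Identifier) | ForEach-Object {
        if ($_ -match '^(\S+)\s{2,}(.+?)\s*$') { $entry[$Matches[1]] = $Matches[2] }
    }
    $entry
}

function Enable-BootLogging {
    # Sets bootlog on the entry Windows Boot Manager used for this session, so the
    # next startup records driver loading in %SystemRoot%\ntbtlog.txt. Verifies the
    # change by re-reading the entry rather than trusting the command succeeded.
    Invoke-Bcdedit @('/set', '{current}', 'bootlog', 'Yes') | Out-Null
    $entry = Get-BcdEntry '{current}'
    if ($entry['bootlog'] -ne 'Yes') { throw 'bootlog was not applied' }
    $entry
}

function Restore-BcdStore {
    # Rolls back every change made since the export; the backup file must still exist.
    Invoke-Bcdedit @('/import', $BcdBackup) | Out-Null
}

Export-BcdStore
$current = Enable-BootLogging
"{0}: {1}" -f $current['description'], $current['path']   # e.g. the winload.exe path
```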
In some cases you may need to repair the boot sector and master boot record (MBR), or replace the
startup files entirely. This can be done in the Windows Recovery Environment (WinRE) by booting from
the Windows Server 2008 installation disc.
If these measures fail to correct the problem, it may be a hardware issue. For example, check the physical memory by removing the memory sticks one by one in turn to see if one of them is faulty.
Use this flow chart to see how to troubleshoot startup problems that occur before the Windows Server
2008 logo appears.
Question: Based on this flowchart, what would you say are the most common causes of Windows failing
to start before the Windows logo appears?
Key Points
If your computer displays the graphical Windows Server 2008 logo before failing, use the process
illustrated in the flowchart below to identify and disable the failing software component to allow Windows
to start successfully. This type of problem is commonly caused by a device driver or potential corruption
of registry information. After Windows starts, you can further troubleshoot the problem with the
component, if necessary.
If the startup problem occurs immediately after updating or installing a startup application, try
troubleshooting the startup application.
When you are troubleshooting, the method for determining which services and processes to temporarily
disable varies from one computer to the next. The most reliable way to determine what you can disable is
to gather more information about the services and processes enabled on your computer.
Windows Server 2008 includes several tools and features to generate a variety of logs that can provide
you with valuable troubleshooting information:
Event Viewer
Sc.exe
System Information
MSConfig
Boot logs
If startup fails after the Windows Server 2008 logo appears on screen, refer to the following flowchart:
Question: Based on the flowchart, what would you say are the most common causes of Windows failing
to start after the Windows logo appears?
Key Points
If your computer fails immediately after a user logs on, use the process shown below to identify and
disable the failing startup application to enable successful logon. If the problem occurs immediately after
updating or installing an application, try uninstalling the application.
If a problem occurs after installing new software, you can temporarily disable or uninstall the application
to verify that the application is the source of the problem.
Problems with applications that run at startup can cause logon delays or even prevent you from
completing Windows startup in Normal mode. The following section provides techniques for temporarily
disabling startup applications.
Question: Based on the flowchart, what would you say are the most common causes of Windows failing
to start after logon?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1 and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 - 4 for 6419B-NYC-DC2. Be sure to start 6419B-NYC-DC2 after DC1 has fully started.
2. In the Active Directory Module for Windows PowerShell, run the following command (on one line):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
Results: After completing this exercise, you should have raised the forest functional level and enabled
Active Directory Recycle Bin.
Use Active Directory Users and Computers to delete the following users:
Dylan Miller
Allan Brewer
Ensure that Dylan Miller's user account has been restored to Active Directory.
Ensure that Allan Brewer's user account has been restored to Active Directory.
Results: After completing this exercise, you should have used LDP.exe to view deleted objects, and restored objects by using both LDP.exe and Windows PowerShell.
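The Windows PowerShell part of this exercise, and of the Active Directory Recycle Bin topic in Lesson 3, can be carried out with the script below. It is an added example rather than course material; it assumes the contoso.com forest with the Recycle Bin already enabled (previous exercise) and the Active Directory module available. It goes one step beyond the lab by also handling an object whose containing OU was deleted with it, which has to be restored parent-first.

```powershell
# Added example, not part of the course text: restore the users deleted in this
# exercise through the Active Directory Recycle Bin, checking the prerequisites
# from the lesson first. Assumes contoso.com with the Recycle Bin enabled.
Import-Module ActiveDirectory

function Test-ADRecycleBinReady {
    # Both prerequisites from the lesson: Windows Server 2008 R2 forest mode and the
    # optional feature enabled for the forest (EnabledScopes is empty otherwise).
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    ($forest.ForestMode -eq 'Windows2008R2Forest') -and ($feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedUser {
    # With the Recycle Bin enabled a deleted object keeps its attributes; its name
    # becomes "<name>\0ADEL:<guid>", so match on the original name as a prefix.
    # -IncludeDeletedObjects makes the search cover the Deleted Objects container.
    param([string]$Name)
    Get-ADObject -Filter ('isDeleted -eq $true -and objectClass -eq "user" -and name -like "' + $Name + '*"') `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
}

function Restore-ADDeletedObject {
    # Restores one deleted object to its last known parent. If that parent is in the
    # Recycle Bin too (its DN contains \0ADEL:), restore the parent first so the
    # child has a live container to return to.
    param([Microsoft.ActiveDirectory.Management.ADObject]$Object)
    $parentDn = [string]$Object.lastKnownParent
    if ($parentDn -match '\\0ADEL:') {
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties lastKnownParent
        Restore-ADDeletedObject -Object $parent
    }
    Restore-ADObject -Identity $Object.ObjectGUID
    Get-ADObject -Identity $Object.ObjectGUID   # the live object, back in its original location
}

function Restore-DeletedUsersByName {
    param([string[]]$Names)
    if (-not (Test-ADRecycleBinReady)) { throw 'Active Directory Recycle Bin is not enabled in this forest' }
    foreach ($name in $Names) {
        $deleted = @(Get-ADDeletedUser -Name $name)
        if ($deleted.Count -eq 0) { Write-Warning "No deleted user named $name"; continue }
        # If an account with this name was deleted more than once, take the most recent deletion.
        $latest = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1
        Restore-ADDeletedObject -Object $latest
    }
}

Restore-DeletedUsersByName -Names 'Dylan Miller', 'Allan Brewer' |
    Select-Object Name, DistinguishedName
```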
Review Questions
What must the forest functional level be to use the Active Directory Recycle Bin?
Troubleshooting tip
When the system cannot even run the POST, the issue can be faulty memory.
1. Your company has upgraded all servers to Windows Server 2008 R2 and is now investigating the use of the Windows Server Backup feature. The company already has a large investment in robotic tape libraries and tape media that they wish to use. What should you recommend?
2. The domain controller at a branch office has suffered a hardware failure. What type of restore should be performed?
Verify that the restoration of all files has been successful by reviewing the associated log files.
At a minimum, back up two domain controllers in each domain, one of which should be an
operations master role holder.
Tools

Tool | Use for | Where to find it
Windows Server Backup Console | Scheduling backups of the Windows Server 2008 operating system data; performing manual backups of Windows Server 2008 data | On the Administrative Tools menu, after you have installed the Backup feature
Wbadmin.exe | |
Database Mounting Tool | |
Ntdsutil | Creating snapshots of AD DS; many other AD DS management functions |
Active Directory Recycle Bin | Restoring deleted Active Directory objects |
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Appendix A
Implementing DirectAccess
Contents:
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
You are the server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce
that carries laptops to stay connected. Your organization wants to provide a secure solution to protect
data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central
administration, and management of remote computers.
Configure the DirectAccess clients and test intranet and Internet access.
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, expand Contoso.com, right-click Users, point to New, and then click Group.
4. In the New Object - Group dialog box, under Group name, type DA_Clients.
5. Under Group scope, select Global, under Group type, choose Security, and then click OK.
7. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
8. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click Computers, and then click OK.
9. Under Enter the object names to select (examples), type NYC-CL1, and then click OK.
10. Verify that NYC-CL1 is displayed below Members, and then click OK.
11. Close the Active Directory Users and Computers console.
1. Click Start, click Administrative Tools, and then click Group Policy Management.
3. In the console tree, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.
5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
6. On the Rule Type page, click Custom, and then click Next.
8. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
20. Click Next.
21. On the Scope page, click Next.
22. On the Action page, click Allow the connection, and then click Next.
23. On the Profile page, click Next.
24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.
25. Close the Group Policy Management Editor and Group Policy Management consoles.
4. In the Name box, type nls. In the IP address box, type 10.10.0.11. Click Add Host, click OK.
5. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In the IP address box, type 10.10.0.15, and then click Add Host.
6. In the DNS dialog box informing you that the record was created, click OK.
1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. In the Command Prompt window, type the following command, and then press Enter.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the details pane, right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box, click the Extensions tab.
4. On the Extensions tab, click Add. In the Location box, type http://crl.contoso.com/crld/.
5. In Variable, click <CAName>, and then click Insert.
6. In Variable, click <CRLNameSuffix>, and then click Insert.
7. In Variable, click <DeltaCRLAllowed>, and then click Insert.
8. In Location, type .crl at the end of the Location string, and then click OK.
9. Select Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.
10. Click Add.
11. In Location, type \\nyc-Edge1\crldist$\.
12. In Variable, click <CAName>, and then click Insert.
13. In Variable, click <CRLNameSuffix>, and then click Insert.
14. In Variable, click <DeltaCRLAllowed>, and then click Insert.
15. In Location, type .crl at the end of the string, and then click OK.
16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
17. Click Yes to restart Active Directory Certificate Services.
18. Close the Certification Authority console.
1. Switch to NYC-Edge1.
3. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.
4. On the Select Server Roles page, click Web Server (IIS), and then click Next three times.
5. Click Install.
6. Verify that all installations were successful, and then click Close.

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, browse to NYC-EDGE1\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
3. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis button.
4. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
5. Type CRLDist, and then press Enter. Click OK in the Browse for Folder dialog box.
6. Click OK in the Add Virtual Directory dialog box.
7. In the middle pane of the console, double-click Directory Browsing, and in the details pane, click Enable.
8. In the console tree, click the CRLD folder.
9. In the middle pane of the console, double-click the Configuration Editor icon.
10. Click the down-arrow for the Section drop-down list, and then browse to
system.webServer\security\requestFiltering.
11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value
from False to True.
12. In the details pane, click Apply.
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Certification Authority.
3. In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.
4. In the Publish CRL dialog box, click New CRL, and then click OK.
6. In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.
2. In the contents pane, right-click the Web Server template, and then click Properties.
4. In the Permissions for Authenticated Users window, click Enroll under Allow, and then click OK.

1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
6. In Automatic Certificate Request Wizard, click Next.
7. On the Certificate Template page, click Computer, click Next, and then click Finish.
8. Close the Group Policy Management Editor and close the Group Policy Management console.
1. Switch to NYC-SVR1.
2.
3.
4. Click New folder, type Files, and then press ENTER. Leave the Local Disk window open.
5. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as
administrator.
6.
7. Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the
Files folder.
8. In File name, type example.txt, and then click Save. Close the Notepad window.
9. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific
people.
2. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click
Next.
3. On the Select Server Roles page, click Web Server (IIS), and then click Next three times.
4. Click Install.
5. Verify that all installations were successful, and then click Close.
6.
7.
8. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
9.
9.
10. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
11. Click Next twice.
12. On the Request Certificates page, click Web Server, and then click More information is required
to enroll for this certificate.
13. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select
Common Name.
14. In Value, type nls.contoso.com, and then click Add.
15. Click OK, click Enroll, and then click Finish.
16. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.contoso.com was enrolled with Intended Purposes of Server Authentication.
1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS)
Manager.
2. In the console tree of Internet Information Services (IIS) Manager, open NYC-SVR1/Sites, and then
click Default Web Site.
3.
4. In the Add Site Bindings dialog box, click https, in SSL Certificate, click the certificate with the
name nls.contoso.com, click OK, and then click Close.
5.
1. Switch to NYC-CL1.
2.
3.
4. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
5.
6. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with
Intended Purposes of Client Authentication and Server Authentication.
7. Close the console window. When you are prompted to save settings, click No.
1. Switch to NYC-Edge1.
2.
3.
4. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish,
and then click OK.
5.
6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
7.
8. On the Request Certificates page, click Web Server, and then click More information is required
to enroll for this certificate.
9. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select
Common Name.
10. In the Value box, type nyc-edge1.contoso.com, and then click Add.
11. Click OK, click Enroll, and then click Finish.
12. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication.
13. Right-click the certificate, and then click Properties.
14. In Friendly Name, type IP-HTTPS Certificate, and then click OK.
15. Close the console window. If you are prompted to save settings, click No.
1. Click Start, point to Administrative Tools, and then click Server Manager.
2.
3.
4.
5.
6.
7.
1. Open a command prompt and type GPUpdate /force. Close the command prompt.
2.
3. In the console tree, click Setup. In the details pane, click Configure for step 1.
4.
5. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.
6.
7. On the Connectivity page, for Interface connected to the Internet, select the interface named
Public. For Interface connected to the internal network, select Local Area Connection, and then
click Next.
Note: If you receive a warning that the local area connection network adapter must be connected to
a domain network, close the Direct Access Management console. Open Server Manager, and click
Configure Network Connections. Disable Local Area Connection, and re-enable it. Restart the Direct
Access Management console.
8. On the Certificate Components page, for Select the root certificate to which remote client
certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate,
and then click OK.
9. For Select the certificate that will be used to secure remote client connectivity over HTTPS,
click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and
then click Finish.
1. Switch to INET1.
2.
3. In the console tree, right-click contoso.com, and then click New Host (A or AAAA).
4.
5.
6.
1. Switch to NYC-SVR1.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type the following command, and then press ENTER.
4. At the command prompt, type the following command, and then press ENTER.
5. At the command prompt, type the following command, and then press ENTER. Verify that the server
has been issued an ISATAP address that ends with 10.10.0.11.
ipconfig
6.
7. Switch to NYC-DC1.
8. Click Start, click All Programs, click Accessories, and then click Command Prompt.
9. At the command prompt, type the following command, and then press ENTER.
10. At the command prompt, type the following command, and then press ENTER.
net start iphlpsvc
11. At the command prompt, type the following command, and then press ENTER. Verify that the server
has been issued an ISATAP address that ends with 10.10.0.10.
ipconfig
1. Switch to NYC-CL1.
2. Restart NYC-CL1 and then log back on as Contoso\Administrator with the password of Pa$$w0rd.
This is to ensure that the NYC-CL1 computer connects to the domain as a member of the DA_Clients
security group.
3. Click Start, click All Programs, click Accessories, and then click Command Prompt.
4. At the command prompt, type the following command, and then press ENTER.
gpupdate
5. At the command prompt, type the following command, and then press ENTER.
6. At the command prompt, type the following command, and then press ENTER.
7. At the command prompt, type the following command, and then press ENTER. Verify that NYC-CL1
has been issued an ISATAP address that ends with 10.10.0.51.
ipconfig
8. At the command prompt, type the following command, and then press ENTER.
Gpresult -R
9. Verify that one DirectAccess Group Policy object is being applied to the client computer. If the policy
is not being applied, run the gpupdate command again. If the policy is still not being applied, restart
NYC-CL1. After the computer restarts, log on as Administrator, and run the Gpresult -R command
again.
1. At the command prompt, type the following command, and then press ENTER.
Ipconfig /flushdns
2. At the command prompt, type the following command, and then press ENTER.
ping 2002:836b:2:1::5efe:10.10.0.10
3. At the command prompt, type the following command, and then press ENTER.
ping 2002:836b:2:1::5efe:10.10.0.11
4. At the command prompt, type the following command, and then press ENTER.
ping NYC-DC1.contoso.com
5. At the command prompt, type the following command, and then press ENTER.
ping NYC-SVR1.contoso.com
6.
1. On NYC-CL1, click Start, click Control Panel, and then click Network and Internet.
2.
3.
4.
5. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically. Click Obtain DNS server address automatically, and then click OK.
7.
8. In the Set Network Location dialog box, click Public network, and then click Close.
9. Switch to the command prompt, type IPCONFIG, and then press ENTER. The IP address should start
with 131.107.
1. At the command prompt, type the following command, and then press ENTER.
ping inet1.isp.example.com
2.
3. In the Address bar, type http://inet1.isp.example.com/, and then press ENTER. You should see the
default IIS 7 Web page for INET1.
1. At the command prompt, type the following command, and then press ENTER.
ping NYC-SVR1
2. In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and
then press F5. You should see the default IIS 7 Web page for NYC-SVR1.
3.
4. Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the
contents of the Files shared folder.
5.
6. Close the example.txt - Notepad window and the Files shared folder window.
1. At the command prompt, type the following command, and then press ENTER.
ipconfig
2. From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4
Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4
address that begins with 131.107. Notice that this tunnel interface has a default gateway of
2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in
colon-hexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6
traffic to EDGE1.
Results: In this exercise, you successfully implemented DirectAccess.
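The 6to4 and ISATAP address forms that the ipconfig and ping steps of this exercise rely on can be checked arithmetically rather than by eye. The Python below is an added worked example, not part of the 6419B course or its lab files; it uses only the standard library and the addresses the lab itself uses (131.107.0.2 for the edge server, the 2002:836b:2:1::/64 ISATAP prefix, and the 10.10.0.x intranet addresses). It shows how the 6to4 prefix 2002:836b:2::/48 and the gateway 2002:836b:2::836b:2 are derived from 131.107.0.2, and how the ping targets 2002:836b:2:1::5efe:10.10.0.10 and ::5efe:10.10.0.11 are exactly the ISATAP addresses of NYC-DC1 and NYC-SVR1. It also goes one step beyond the lab text by handling the RFC 5214 "public" form of the ISATAP interface identifier (200:5efe instead of 0:5efe), which is not shown in the lab output.

```python
# Added example (not part of the 6419B lab text): derive and check the 6to4 and
# ISATAP addresses that the lab expects to appear in ipconfig output.
# Standard library only; the sample addresses are the lab's own values.
import ipaddress

SIXTO4_PREFIX = 0x2002        # 2002::/16 (RFC 3056)
ISATAP_IID_MARK = 0x5EFE      # IANA OUI 00-00-5E, type FE (RFC 5214)
ISATAP_PUBLIC_BIT = 0x0200    # "u" bit set when the embedded IPv4 address is global


def sixto4_prefix(ipv4: str) -> str:
    """6to4 site prefix for a public IPv4 address: 2002:WWXX:YYZZ::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    net = ipaddress.IPv6Network(((SIXTO4_PREFIX << 112) | (v4 << 80), 48))
    return str(net)


def sixto4_router_address(ipv4: str) -> str:
    """Address a Windows 6to4 host uses for its 6to4 router: <prefix>::WWXX:YYZZ."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address((SIXTO4_PREFIX << 112) | (v4 << 80) | v4))


def sixto4_embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 address carried in bits 16..47 of a 6to4 address."""
    n = int(ipaddress.IPv6Address(ipv6))
    if (n >> 112) != SIXTO4_PREFIX:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> str:
    """ISATAP address: a /64 prefix plus the interface id ::0000:5EFE:w.x.y.z
    (or ::0200:5EFE:w.x.y.z when the embedded IPv4 address is public)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    iid = ((ISATAP_PUBLIC_BIT if public else 0) << 48) | (ISATAP_IID_MARK << 32) | v4
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def is_isatap(ipv6: str) -> bool:
    """True when the interface identifier carries the ISATAP marker 0000:5EFE or 0200:5EFE."""
    n = int(ipaddress.IPv6Address(ipv6))
    upper_iid = (n >> 48) & 0xFFFF
    marker_ok = ((n >> 32) & 0xFFFF) == ISATAP_IID_MARK
    return marker_ok and (upper_iid & ~ISATAP_PUBLIC_BIT & 0xFFFF) == 0


def isatap_embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 address from the last 32 bits of an ISATAP address."""
    if not is_isatap(ipv6):
        raise ValueError(f"{ipv6} is not an ISATAP address")
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF))


def canonical(ipv6: str) -> str:
    """Normalise any textual IPv6 form, including the dotted-quad suffix the lab uses."""
    return str(ipaddress.IPv6Address(ipv6))


if __name__ == "__main__":
    edge_public = "131.107.0.2"                 # EDGE1's Internet-facing IPv4 (lab value)
    print("6to4 prefix for EDGE1:     ", sixto4_prefix(edge_public))
    print("6to4 gateway on NYC-CL1:   ", sixto4_router_address(edge_public))
    print("IPv4 inside that gateway:  ", sixto4_embedded_ipv4("2002:836b:2::836b:2"))
    isatap_prefix = "2002:836b:2:1::/64"        # ISATAP subnet used by the lab's ping targets
    for host, v4 in (("NYC-DC1", "10.10.0.10"), ("NYC-SVR1", "10.10.0.11"), ("NYC-CL1", "10.10.0.51")):
        print(f"ISATAP address of {host}: ", isatap_address(isatap_prefix, v4))
    # The lab's ping target is the same address written with a dotted-quad suffix.
    print(canonical("2002:836b:2:1::5efe:10.10.0.10") == isatap_address(isatap_prefix, "10.10.0.10"))
```

If an ISATAP address reported by ipconfig does not end in the host's intranet IPv4 address, or the 6to4 gateway does not decode to the edge server's public address, the tunnel has been built from the wrong interface, which is the first thing to check before retrying the ping steps.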