
Nova 4, LLC

Official Microsoft Learning Product

6419B

Configuring, Managing, and Maintaining Windows Server 2008-based Servers

Volume 1

Sep 7 2011 9:58PM


Warning: This is Nova 4, LLC's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed Content is
licensed as-is. Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties,
guarantees or conditions. Please report any unauthorized use of this content to piracy@microsoft.com or by calling +1


Configuring, Managing, and Maintaining Windows Server 2008-based Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.

Product Number: 6419B


Part Number: X17-53274
Released: 04/2011


Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Andrew J. Warren, Content Developer

Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of
which have been spent in writing and teaching. He has been involved as the subject matter expert (SME)
for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He
also has been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in the United
Kingdom, he runs his own IT training and education consultancy.

Conan Kezema, Content Developer

Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who
specializes in Microsoft technologies. As an associate of S.R.Technical Services, Conan has been a subject
matter expert, instructional designer, and author on numerous Microsoft courseware development
projects.

Gary Dunlop, Content Developer

Gary Dunlop has been a Microsoft Trainer and consultant in Winnipeg, Canada, since 1997. He has authored or
co-authored several MOC courses. He specializes in Windows Server and Client systems. He is currently a
Senior Systems Engineer for Broadview Networks.

Jason Kellington, Content Developer

Jason Kellington is a trainer, consultant and author who specializes in several Microsoft products. He has a
broad range of experience in the IT industry as an administrator, developer, educator and technical writer.
Jason is an MCT, MCITP and MCSE and has been involved in a number of Microsoft Learning courseware
development projects.

William Stanek, Technical Reviewer

William R. Stanek (http://www.williamstanek.com/) is a leading technology expert, a pretty-darn-good
instructional trainer, and the award-winning author of over 100 books. Current or forthcoming books
include Active Directory Administrators Pocket Consultant, Group Policy Administrators Pocket
Consultant, SQL Server 2008 Administrators Pocket Consultant 2nd Edition, Windows 7: The Definitive
Guide, and Windows Server 2008 Inside Out. Follow William on Twitter at
http://www.twitter.com/WilliamStanek.


Contents

Module 1: Overview of the Windows Server 2008 Management Environment
    Lesson 1: Understanding the Windows Server 2008 Environment  1-3
    Lesson 2: Overview of Windows Server 2008 Server Roles and Features  1-11
    Lesson 3: Windows Server 2008 Administration Tools  1-20
    Lesson 4: Managing Windows Server 2008 Server Core  1-28
    Lab: Managing Server Roles in a Windows Server 2008 Environment  1-35

Module 2: Managing Windows Server 2008 Infrastructure Roles
    Lesson 1: Understanding IPv6 Addressing  2-3
    Lesson 2: Overview of the DNS Server Role  2-18
    Lesson 3: Configuring DNS Zones  2-29
    Lab A: Installing and Configuring the DNS Server Role  2-41
    Lesson 4: Overview of the DHCP Server Role  2-46
    Lesson 5: Configuring DHCP Scopes and Options  2-53
    Lab B: Installing and Configuring the DHCP Server Role  2-65

Module 3: Configuring Access to File Services
    Lesson 1: Overview of Access Control  3-3
    Lesson 2: Managing NTFS File and Folder Permissions  3-13
    Lesson 3: Managing Permissions for Shared Resources  3-23
    Lesson 4: Determining Effective Permissions  3-36
    Lab: Managing Access to File Services  3-43

Module 4: Configuring and Managing Distributed File System
    Lesson 1: Distributed File System Overview  4-3
    Lesson 2: Configuring DFS Namespaces  4-14
    Lesson 3: Configuring DFS Replication  4-20
    Lab: Installing and Configuring Distributed File System  4-28

Module 5: Managing File Resources Using File Server Resource Manager
    Lesson 1: Overview of File Server Resource Manager  5-3
    Lesson 2: Configuring Quota Management  5-11
    Lab A: Installing FSRM and Implementing Quota Management  5-19
    Lesson 3: Implementing File Screening  5-22
    Lesson 4: Managing Storage Reports  5-28
    Lab B: Configuring File Screening and Storage Reports  5-33

    Lesson 5: Implementing Classification Management and File Management Tasks  5-36
    Lab C: Configuring Classification and File Management Tasks  5-49

Module 6: Configuring and Securing Remote Access
    Lesson 1: Configuring a Virtual Private Network Connection  6-3
    Lesson 2: Overview of Network Policies  6-16
    Lab A: Implementing a Virtual Private Network  6-26
    Lesson 3: Integrating Network Access Protection with VPNs  6-31
    Lesson 4: Configuring VPN Enforcement Using NAP  6-39
    Lab B: Implementing NAP into a VPN Remote Access Solution  6-48
    Lesson 5: Overview of DirectAccess  6-56

Module 7: Managing Active Directory Domain Services
    Lesson 1: Overview of the Active Directory Infrastructure  7-4
    Lesson 2: Working with Active Directory Administration Tools  7-17
    Lesson 3: Managing User Accounts  7-26
    Lesson 4: Managing Computer Accounts  7-36
    Lab A: Creating and Managing User and Computer Accounts  7-45
    Lesson 5: Managing Groups  7-50
    Lesson 6: Using Queries to Locate Objects in AD DS  7-63
    Lab B: Managing Groups and Locating Objects in AD DS  7-68

Module 8: Configuring Active Directory Object Administration and Domain Trust
    Lesson 1: Configuring Active Directory Object Administration  8-3
    Lab A: Configuring Active Directory Delegation  8-15
    Lesson 2: Configuring Active Directory Trusts  8-20
    Lab B: Administering Trust Relationships  8-29

Module 9: Creating and Managing Group Policy Objects
    Lesson 1: Overview of Group Policy  9-3
    Lesson 2: Configuring the Scope of Group Policy Objects  9-14
    Lab A: Creating and Configuring GPOs  9-22
    Lesson 3: Managing Group Policy Objects  9-26
    Lab B: Creating and Configuring GPOs  9-35
    Lesson 4: Evaluating and Troubleshooting Group Policy Processing  9-39
    Lab C: Troubleshooting Group Policy  9-53

Module 10: Using Group Policy to Configure User and Computer Settings
    Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts  10-3

    Lab A: Using Group Policy to Configure Scripts and Folder Redirection  10-14
    Lesson 2: Using Administrative Templates to Manage Users and Computers  10-17
    Lab B: Configuring Administrative Templates  10-24
    Lesson 3: Deploying Software Using Group Policy  10-27
    Lab C: Deploying Software Using Group Policy  10-37
    Lesson 4: Deploying Group Policy Preferences  10-39
    Lab D: Deploying Group Policy Preferences  10-46

Module 11: Implementing Security Settings Using Group Policy
    Lesson 1: Overview of Security Settings  11-3
    Lesson 2: Implementing Fine-Grained Password Policies  11-14
    Lab A: Implementing Security by Using Group Policy  11-21
    Lesson 3: Restricting Group Membership and Access to Software  11-26
    Lab B: Configuring Restricted Groups and Application Control Policies  11-36

Module 12: Providing Efficient Network Access for Remote Offices
    Lesson 1: Overview of Remote Office Requirements  12-3
    Lesson 2: Implementing Read-Only Domain Controllers  12-6
    Lab A: Deploying a Read-Only Domain Controller  12-16
    Lesson 3: Implementing BranchCache  12-21
    Lab B: Deploying BranchCache  12-34

Module 13: Monitoring and Maintaining Windows Server 2008
    Lesson 1: Planning Monitoring Tasks  13-3
    Lesson 2: Calculating a Server Baseline  13-9
    Lesson 3: Interpreting Performance Counters  13-18
    Lesson 4: Selecting Appropriate Monitoring Tools  13-26
    Lab: Creating a Baseline of Performance Metrics  13-33

Module 14: Managing Windows Server 2008 Backup and Recovery
    Lesson 1: Planning and Implementing File Backups on Windows Server 2008  14-3
    Lesson 2: Planning and Implementing File Recovery  14-14
    Lab A: Implementing Windows Server Backup and Recovery  14-19
    Lesson 3: Recovering Active Directory  14-23
    Lesson 4: Troubleshooting Windows Server Startup  14-29
    Lab B: Recovering Active Directory Objects  14-37

Appendix A: Implementing DirectAccess
    Exercise 1: Configuring the AD DS domain controller and DNS  A-4
    Exercise 2: Configuring the PKI environment  A-6
    Exercise 3: Configuring the DirectAccess clients and test Intranet Access  A-9
    Exercise 4: Configuring the DirectAccess server  A-11
    Exercise 5: Verifying DirectAccess functionality  A-13

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description
This course is designed to provide foundation skills in networking and Windows Server security, network
services, and administration.

Audience
Candidates for this course are information technology (IT) professionals who work in medium to large
organizations. The primary candidate is a Windows Server administrator who operates Windows Servers
on a daily basis and who requires the skills for configuring, managing, and maintaining servers installed
with Windows Server 2008, including the Release 2 (R2) edition. Candidates are typically responsible for
day-to-day management of the server operating system and various server roles such as Dynamic Host
Configuration Protocol (DHCP), Domain Name System (DNS), file and print services, directory services, and
software distribution. This course may also be considered in combination with other exam preparation
materials for candidates wishing to prepare for Microsoft Certified Technology Specialist (MCTS) and
Microsoft Certified IT Professional (MCITP) certification in Windows Server 2008.

Student Prerequisites
This course requires that you meet the following prerequisites:

At least one year of experience in operating Windows Servers in the area of account management,
server maintenance, server monitoring, or server security

Certification related to the Microsoft Technology Associate (MTA) Networking Fundamentals, Security
Fundamentals, and Windows Server Administration Fundamentals designations, or equivalent
knowledge as outlined in course 6419B: Fundamentals of Windows Server 2008

A+, Server+, hardware portion of Network+, or equivalent knowledge

Working knowledge of networking technologies

Intermediate understanding of network operating systems

Basic knowledge of Active Directory

An understanding of security concepts and methodologies (for example, corporate policies)

Basic knowledge of TCP/IP

Basic knowledge of scripting tools such as PowerShell and WMI

Course Objectives
After completing this course, students will be able to:

Describe the Windows Server 2008 environment including the roles, features, and tools used to
perform effective server management.

Describe IPv6 addressing and how to install and configure the DNS and DHCP server infrastructure
roles.

Configure secure and efficient access to file services.

Configure and manage a Distributed File System infrastructure.


Use File Server Resource Manager to assist in data storage capacity management.

Secure remote access by using features such as Virtual Private Networks, Network Access Protection
(NAP), and DirectAccess.

Describe Active Directory infrastructure and how to manage AD DS objects.

Configure and manage AD DS object permissions, and configure trust between AD DS domains.

Create and manage Group Policy Objects (GPOs).

Understand the specific settings that can be managed by using Group Policy.

Secure network clients by using Group Policy.

Describe solutions that can be implemented to provide efficient remote office network access.

Plan for and implement performance baselines and perform server monitoring by using monitoring
tools.

Plan for and identify backup and restore strategies and identify steps needed to recover from server startup
issues.

Course Outline
This section provides an outline of the course:
Module 1: Overview of the Windows Server 2008 Management Environment
In this module, you will gain familiarity with the components of the operating system and the concepts
and terminology found within the Windows Server 2008 environment.

Module 2: Managing Windows Server 2008 Infrastructure Roles
In this module, you will learn the benefits and technologies associated with IPv6, and the features and
configuration options available to implement the DNS and DHCP server roles.

Module 3: Configuring Access to File Services
In this module, you will learn the concepts and terminology involved in file services, and receive
guidance on the practical management of a file services infrastructure within the Windows Server 2008
environment.

Module 4: Configuring and Managing Distributed File System
In this module, you will learn about the Distributed File System (DFS) solution, which you can use to
provide fault-tolerant access and WAN-friendly replication of files located throughout an enterprise.

Module 5: Managing File Resources Using File Server Resource Manager
In this module, you will learn about the various options available for installing Windows Server, and
complete an installation. You will also launch a local media setup and then perform the post-installation
configuration of a server.

Module 6: Configuring and Securing Remote Access
In this module, you will learn how to configure and secure your remote access clients by using network
policies and, where appropriate, Network Access Protection (NAP).

Module 7: Managing Active Directory Domain Services
In this module, you will review key concepts and the directory services structure. You will take a
high-level look at the major components of AD DS and how they fit together. You will also receive
hands-on experience working with these components and their associated tools.

Module 8: Configuring Active Directory Object Administration and Domain Trust
In this module, you will learn how to configure permissions and delegate administration for Active
Directory objects. This module also describes how to configure and manage Active Directory trusts.

Module 9: Creating and Managing Group Policy Objects
In this module, you will learn how administrators deliver and maintain customized desktop
configurations, ensure the security of a geographically and logistically dispersed collection of
computers, and provide administration and management for an increasingly complex and growing
computing environment.

Module 10: Using Group Policy to Configure User and Computer Settings
In this module, you will learn the skills and knowledge that you need to use Group Policy to configure
Folder Redirection, and how to use scripts.

Module 11: Implementing Security Settings Using Group Policy
In this module, you will learn about the security-related components that can assist you in
implementing security policies in your environment.

Module 12: Providing Efficient Network Access for Remote Offices
In this module, you will learn how to provide fast and secure logons at remote offices by placing a
read-only domain controller (RODC) at the remote office. You will also learn how to use BranchCache to
speed up access to data across the WAN and reduce WAN utilization.

Module 13: Monitoring and Maintaining Windows Server 2008
In this module, you will learn how to identify components that require additional tuning, and how to
improve the efficiency of your servers.

Module 14: Managing Windows Server 2008 Backup and Recovery
In this module, you will learn the planning necessary for backup and restore procedures and for startup
issues, to ensure that you protect data and servers sufficiently against disasters.

Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information
in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

    Lessons: Guide you through the learning objectives and provide the key points that are critical to
    the success of the in-class learning experience.

    Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
    in the module.

    Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
    knowledge and skills retention.

    Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable,
easy-to-navigate digital content with integrated premium on-line resources designed to supplement the
Course Handbook.

    Modules: Include companion content, such as questions and answers, detailed demo steps and
    additional reading links, for each lesson. Additionally, they include Lab Review questions and
    answers and Module Reviews and Takeaways sections, which contain the review questions and
    answers, best practices, common issues and troubleshooting tips with answers, and real-world
    issues and scenarios with answers.

    Resources: Include well-categorized additional resources that give you immediate access to the
    most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.

Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com.
To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any
changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and
   delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine        Role
6419B-NYC-DC1          Windows Server 2008 R2 domain controller in the Contoso.com domain
6419B-NYC-DC2          Windows Server 2008 R2 domain controller in the Contoso.com domain
6419B-NYC-SVR1         Windows Server 2008 R2 member server in Contoso.com
6419B-NYC-EDGE1        Windows Server 2008 R2 member server in Contoso.com
6419B-INET1            Windows Server 2008 R2 standalone server
6419B-NYC-CL1          A Windows 7 computer in the Contoso.com domain
6419B-NYC-CL2          A Windows 7 computer in the Contoso.com domain
6419B-NYC-SVRCORE      Windows Server 2008 R2 standalone server with core installation
6419B-VAN-DC1          Windows Server 2008 R2 domain controller in the Adatum.com domain

Software Configuration
The following software is installed on each VM:

Windows Server 2008 R2 Enterprise

Windows 7

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All the virtual
machines are deployed on each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.


Intel Virtualization Technology (IntelVT) or AMD Virtualization (AMD-V) processor

Dual 120 GB hard disks, 7200 RPM SATA or better*

4 GB RAM

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft Mouse or compatible pointing device

Sound card with amplified speakers

*Striped


Module 1: Overview of the Windows Server 2008 Management Environment

Contents:
    Lesson 1: Understanding the Windows Server 2008 Environment  1-3
    Lesson 2: Overview of Windows Server 2008 Server Roles and Features  1-11
    Lesson 3: Windows Server 2008 Administration Tools  1-20
    Lesson 4: Managing Windows Server 2008 Server Core  1-28
    Lab: Managing Server Roles in a Windows Server 2008 Environment  1-35


Module Overview

Familiarity with the operating system of your servers is the first and most important step towards
effectively managing a server infrastructure. Knowledge of the operating system structure, key
components, common management tools, versions and editions, features, and even its limitations will
help you to configure your server infrastructure in a way that best utilizes the capabilities of your servers
to serve your business needs.
This module will provide you with an overview of all of the above areas as they pertain to Windows
Server 2008. You will gain familiarity with the components of the operating system and the concepts
and terminology found within the Windows Server 2008 environment.

Objectives
After completing this module, you will be able to:

Describe the considerations for implementing and managing a Windows Server 2008 environment.

Explain Windows Server 2008 server roles and features.

Describe Windows Server 2008 administration tools.

Manage Windows Server 2008 Server Core.

Lesson 1

Understanding the Windows Server 2008 Environment

Windows Server 2008 builds on the Windows operating system features that most users and administrators
already know. The initial release of Windows Server 2008 shares its core build and its look and feel with
Windows Vista; Windows Server 2008 R2 shares the same with Windows 7.
Unlike the desktop client operating systems, however, Windows Server 2008 is designed to provide a robust
and complete server platform that meets the server-based needs of most network environments.

Objectives
After completing this lesson, you will be able to:

Describe the Windows Server 2008 Editions.

Describe the considerations for implementing Windows Server 2008 R2.

Describe the factors for choosing between physical vs. virtual implementations.

Describe the factors to consider for server management.

Overview of Windows Server 2008 Editions

Key Points
Windows Server 2008 is available in different editions to support the various server and workload needs of
network environments. Each edition of Windows Server 2008 is packaged with a unique set of features
that target that edition to a particular environment or even a specific role. The seven editions of Windows
Server 2008 deal with almost every possible type of server implementation you would find or require in a
network environment.
Note: This course covers functionality for both releases of Windows Server 2008. The initial release of
Windows Server 2008 was made available in early 2008. A second release, Windows Server 2008 R2,
became available in the middle of 2009. These two releases are treated as distinct versions of Windows
Server. When discussing the Windows Server 2008 operating system, three separate terms are used to
identify which release is being referenced.
The term Windows Server 2008 initial release refers to the initial, early 2008 release of the operating
system.
The term Windows Server 2008 R2 refers to the 2009 second release.
The term Windows Server 2008 refers to features or discussion relating to both releases and serves as a
general term for the Windows Server 2008 operating system.
The following table lists the most commonly used Windows Server 2008 R2 editions.
Windows Server 2008 R2 Foundation
  A cost-effective advanced server platform that targets small business owners and information technology
  (IT) generalists. Windows Server Foundation is designed to provide core server features at a low cost. It
  supports only one processor and up to 8 gigabytes (GB) of Random Access Memory (RAM).

Windows Server 2008 R2 Standard
  Offers the most commonly used features in Windows Server 2008 and is designed to meet almost all general
  server computing requirements. It adds features like Server Core, Hyper-V, and DirectAccess to the
  functionality of Windows Server Foundation. Windows Server Standard supports up to 4 processors and up
  to 32 GB of RAM.

Windows Server 2008 R2 Enterprise
  Expands upon Windows Server Standard, adding enterprise-level capabilities such as clustering, extended
  remote access, and increased virtualization capabilities. Windows Server Enterprise supports up to 8
  processors and 2 terabytes of RAM.

Windows Server 2008 R2 Datacenter
  Provides the full capabilities of the Windows Server 2008 platform. Designed for business-critical
  applications and large-scale virtualization implementations, Windows Server Datacenter provides everything
  required for complex server solutions. It supports up to 64 processors and 2 terabytes of RAM, as well as
  hot-swappable processors and memory.

The following specialized editions of Windows Server 2008 R2 are also available.

Windows Web Server 2008 R2
  A Web application and services platform, Windows Web Server 2008 R2 includes Internet Information
  Services (IIS) 7.5 and is designed as an Internet-facing server. It includes the Web Server and Domain Name
  System (DNS) Server roles.

Windows Server 2008 R2 HPC Edition
  Provides an enterprise-class platform for high-performance computing (HPC). It can scale to thousands of
  processing cores and includes management consoles that help you to proactively monitor and maintain
  system health and stability. Job scheduling interoperability and flexibility enable integration between
  Windows- and Linux-based HPC platforms.

Windows Server 2008 R2 for Itanium-based Systems
  Built specifically for the Intel Itanium (IA-64) processor architecture, Windows Server 2008 R2 for
  Itanium-based Systems provides the same feature set as Windows Server Datacenter and is designed for
  high-workload scenarios.

Note: When discussing processor support, the numbers given here refer to physical processors (sockets), not
processor cores. A single physical processor may have multiple cores, which allow multiple applications or
threads to use the processor at the same time.
These tables list the editions available for the most recent version of Windows Server, Windows Server
2008 R2. The Foundation edition is not available in the initial release of Windows Server 2008.
Additionally, the initial release of Windows Server 2008 is available with or without Hyper-V, the Windows
Server 2008 virtualization platform. Windows Server 2008 R2 ships with Hyper-V included by default.
Note: Windows Server 2008 R2 is available only for 64-bit hardware platforms. 32-bit hardware platforms
are no longer supported.

Windows Server 2008 R2 Considerations

Key Points
Windows Server 2008 R2, the most recent version of the Windows Server platform, provides a number of
improvements and new features not found in the initial release of Windows Server 2008.
While the improvements and features provide a more robust and powerful operating system,
implementing Windows Server 2008 R2 in your environment requires special considerations.

64-bit Hardware Architecture

First, and most critical from a deployment and upgrade perspective, is the requirement for a 64-bit
hardware platform. Before upgrading older servers to Windows Server 2008 R2, examine and catalog their
hardware architecture to confirm that they are 64-bit systems.
Windows Server 2008 R2 runs on two separate 64-bit hardware architectures.

x64 is the industry-standard architecture found in most AMD- and Intel-based platforms, and the most
common 64-bit architecture in 64-bit servers.

Itanium-based systems are built around Intel 64-bit Itanium (IA-64) processors and are most commonly
used for mathematically complex or intensive applications such as large databases.

Windows Server 2008 R2 will be the last version of Windows Server to support the Itanium processor
architecture.
Because of the 64-bit requirement, servers being upgraded or migrated to Windows Server 2008 R2 need to
be examined to ensure they are based on a 64-bit platform.
There may be instances in your environment where a 32-bit version of Windows Server 2003 or of the initial
release of Windows Server 2008 is running on 64-bit hardware. Such systems are capable of running
Windows Server 2008 R2, but there is no direct upgrade path between 32-bit and 64-bit versions of
Windows Server: a clean installation of the 64-bit operating system is required.

Upgrade Paths
When directly upgrading a previous version of Windows Server, only specific upgrade paths are supported
between versions. Keep in mind that because of the 64-bit requirement of Windows Server 2008 R2, all
previous versions of Windows Server operating systems must be 64-bit operating systems.
The following tables illustrate the most common supported upgrade paths.
Windows Server 2003 (SP2, R2) edition     Supported Windows Server 2008 R2 target editions
Standard                                  Standard, Enterprise
Enterprise                                Enterprise, Datacenter
Datacenter                                Datacenter

Windows Server 2008 (RTM, SP1, SP2) edition   Supported Windows Server 2008 R2 target editions
Standard                                      Standard, Enterprise
Enterprise                                    Enterprise, Datacenter
Datacenter                                    Datacenter
Web                                           Standard, Web
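The two checks this section asks for, whether the hardware and the running operating system are 64-bit and which Windows Server 2008 R2 editions an existing server can be upgraded to in place, can be scripted. The following PowerShell is an added example written for this edit, not part of the course or of any Microsoft tool. It assumes WMI is reachable on the target (the local computer by default), that the Win32_OperatingSystem caption contains the product family and edition words as Windows Server 2003 and 2008 captions do, and it encodes only the upgrade paths from the tables above; anything outside those tables is reported as not covered rather than guessed.

```powershell
# Added example (not from the course): assess a server for an in-place upgrade to
# Windows Server 2008 R2, using the upgrade-path tables above and a WMI check of
# whether the hardware and the running OS are 64-bit. Requires PowerShell 2.0+.

# In-place upgrade paths copied from the tables above: "family edition" -> allowed targets
$UpgradePaths = @{
    '2003 Standard'   = @('Standard', 'Enterprise')
    '2003 Enterprise' = @('Enterprise', 'Datacenter')
    '2003 Datacenter' = @('Datacenter')
    '2008 Standard'   = @('Standard', 'Enterprise')
    '2008 Enterprise' = @('Enterprise', 'Datacenter')
    '2008 Datacenter' = @('Datacenter')
    '2008 Web'        = @('Standard', 'Web')
}

function Get-R2UpgradeAssessment {
    param([string]$ComputerName = '.')   # '.' is the local computer

    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName |
           Select-Object -First 1

    # AddressWidth reflects the running OS (32 or 64); DataWidth reflects the CPU itself.
    # A 32-bit OS on 64-bit hardware therefore shows AddressWidth 32 and DataWidth 64.
    $osIs64 = ($cpu.AddressWidth -eq 64)
    $hwIs64 = ($cpu.DataWidth -eq 64)

    # Derive product family and edition from the caption; test '2008 R2' before '2008'
    $caption = $os.Caption
    $family = $null
    if     ($caption -match '2008 R2') { $family = '2008 R2' }
    elseif ($caption -match '2008')    { $family = '2008' }
    elseif ($caption -match '2003')    { $family = '2003' }

    $edition = $null
    foreach ($candidate in 'Datacenter', 'Enterprise', 'Standard', 'Web') {
        if ($caption -match $candidate) { $edition = $candidate; break }
    }

    $targets = @()
    if ($family -eq '2008 R2') {
        $verdict = 'Already running Windows Server 2008 R2.'
    } elseif (-not $hwIs64) {
        $verdict = 'Hardware is 32-bit only: Windows Server 2008 R2 cannot run here; replace the server or migrate its roles.'
    } elseif (-not $osIs64) {
        $verdict = 'Hardware is 64-bit capable but the OS is 32-bit: no in-place upgrade path; plan a clean install.'
    } elseif ($UpgradePaths.ContainsKey("$family $edition")) {
        $targets = $UpgradePaths["$family $edition"]
        $verdict = "In-place upgrade supported to: $($targets -join ', ')."
    } else {
        $verdict = 'Edition or platform not covered by the common upgrade tables (for example Itanium); check the product documentation.'
    }

    New-Object PSObject -Property @{
        ComputerName    = $os.CSName
        Caption         = $caption
        OSIs64Bit       = $osIs64
        HardwareIs64Bit = $hwIs64
        UpgradeTargets  = $targets
        Verdict         = $verdict
    }
}

# Assess the local server; pass -ComputerName to assess a remote one over WMI
Get-R2UpgradeAssessment | Format-List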

Operating System Consistency

In some instances, the new features and functionality that Windows Server 2008 R2 provides may not be
required on pre-existing servers in your environment. Note, however, that Windows Server 2008 and
Windows Server 2008 R2 are different versions of the Windows Server operating system: enhancements,
bug fixes, and service packs are developed and released separately for each. If consistency and a unified
environment are important to you, consider upgrading all capable (64-bit) servers to Windows Server
2008 R2. If you still have 32-bit hardware in your environment, you will not be able to upgrade all of your
servers to Windows Server 2008 R2.

Migration and Server Roles

The functionality in Windows Server 2008 R2 has changed since the initial release of Windows Server 2008,
and even more so since Windows Server 2003. As a result, the functionality provided by previous versions of
the operating system needs to be examined and mapped to the features and functionality that Windows
Server 2008 R2 provides.
Microsoft publishes a set of documents, called Role Migration Guides, that cover this migration process.
These guides help you plan a smooth transition between the services provided by your existing server
infrastructure and your new Windows Server 2008 R2 infrastructure, and are downloadable from the
Microsoft website.

Physical vs. Virtual Server Implementations

Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical
computer. Multiple virtual machines can run on one physical server, with all the virtual machines sharing
the resources available on the physical server.
Windows Server 2008 introduces Hyper-V as the first integrated virtualization platform of Windows
Server. Hyper-V provides software infrastructure and basic management tools that you can use to create
and manage a virtualized server computing environment.
Server virtualization can overcome the limitations of physical servers and provide a solution for challenges
that organizations face with their physical environments. The following list describes common
organizational challenges:

Data Centers Are Reaching Capacity

In many organizations, data centers quickly reach capacity for power and space. These organizations
frequently deploy new servers for every new project or requirement. The data centers also require
large amounts of power for cooling and running the servers. Virtualization often results in
significantly fewer physical servers, which require less space and less power.

Server Resource Utilization Is Very Low

Many servers run at very low utilization, a problem that often aggravates data center capacity. It is
common for some servers to run at less than ten percent of processor capacity. Virtualization
combines several virtual servers onto a single physical server, thereby making more efficient use of
physical resources.

Managing Servers Requires Significantly More Effort

As organizations deploy more servers running many different roles, the effort required to deploy,
support, and secure the servers also increases. If several servers can be virtualized and run on a single
physical server, there are fewer physical objects in your environment to support and maintain.

Supporting Legacy Systems Is Difficult

Legacy hardware and systems become increasingly costly to maintain. Many organizations have
business applications that were developed many years ago and have not been upgraded to run on
new operating systems (OS) or on new hardware. Often, a virtualized environment can overcome
physical constraints and allow legacy systems to be integrated into your server environment.

The factors that make a server a good candidate vary, but any server facing one of the above challenges
should be assessed for potential virtualization.
The Microsoft Assessment and Planning (MAP) Toolkit provides the ability to assess your current IT
infrastructure for a variety of Windows Server 2008 migration projects, including virtualization. The MAP
Toolkit is a powerful inventory, assessment, and reporting tool that can be used to simplify the migration
planning process for a virtualized environment.

Server Management Considerations

Key Points
When configuring a server, many aspects of server management need to be considered to ensure that
your server environment is functioning in the most efficient and consistent manner possible.
The following questions should be answered when configuring and managing a Windows Server 2008
server:

What roles does the server perform within the network infrastructure? The functionality of a server is
determined by the operating system software components that are installed and configured.

Are there specific security needs associated with this server? If a server has specific security needs or is
being located in a physical or network environment where the threat of unauthorized malicious use is
high, steps need to be taken to ensure that users with malicious intent have the fewest areas of the
operating system exposed to them.

How will the server be managed? As you will learn, Windows Server 2008 has a number of different
tools that allow you to manage a Windows Server 2008 server. Different tools allow different
management tasks and capabilities, such as scripting, remote access, high level overviews, or multiple
administrators.

Is there a requirement for server availability? Depending on the role of your Windows Server 2008
server, server availability may be a requirement. Your server may be required by policy or business
logic to provide its services in a consistently available manner. Larger organizations and public
organizations such as emergency services, hospitals, phone and power companies, and many others
cannot afford even a few seconds a year of downtime for important services. The servers providing
these services need to be configured in some type of redundant or fault-tolerant configuration to
ensure consistent availability.

Question: Does your organization manage servers that may have some of the requirements in this topic?
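The second question above, how much of the operating system is exposed to a potential attacker, is easiest to answer with an inventory you can re-run after every change. The following PowerShell is an added example written for this edit, not part of the course or of any Microsoft tool. It assumes a Windows Server 2008 R2 full installation (so the ServerManager module is present), an elevated PowerShell session on the server itself, and English-locale netstat output; the $ApprovedFeatures baseline is a hypothetical list for a single-purpose file server and should be replaced with the roles each server is meant to hold.

```powershell
# Added example (not from the course): exposed-surface inventory for a Windows
# Server 2008 R2 host. Reports installed roles/features outside an approved baseline,
# listening TCP ports with their owning process, and running services with their
# logon accounts. Run elevated, on the server. Requires PowerShell 2.0+.
Import-Module ServerManager

# Hypothetical approved set for a single-purpose file server (assumption); adjust per server
$ApprovedFeatures = @('File-Services', 'FS-FileServer', 'PowerShell-ISE')

function Get-InstalledFeatures {
    # Roles, role services and features currently installed on this server
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object Name, DisplayName, FeatureType
}

function Get-FeaturesOutsideBaseline {
    param([string[]]$Approved)
    # Anything installed that the baseline does not list widens the attack surface
    Get-InstalledFeatures | Where-Object { $Approved -notcontains $_.Name }
}

function Get-ListeningTcpPorts {
    # Map PIDs to process names once, then parse LISTENING lines of netstat -ano, e.g.
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    700
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_.ProcessName }

    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$matches[3]
            New-Object PSObject -Property @{
                Port         = [int]$matches[2]
                LocalAddress = $matches[1]   # 0.0.0.0 or [::] means every interface
                OwnerPid     = $ownerPid
                Process      = $byPid[$ownerPid]
            }
        }
    } | Sort-Object Port, LocalAddress | Select-Object Port, LocalAddress, OwnerPid, Process
}

function Get-RunningServices {
    # StartName is the logon account; services running as LocalSystem deserve a second look
    Get-WmiObject -Class Win32_Service -Filter "State='Running'" |
        Select-Object Name, StartMode, StartName, PathName
}

'== Installed roles and features not in the baseline =='
Get-FeaturesOutsideBaseline -Approved $ApprovedFeatures | Format-Table -AutoSize
'== Listening TCP ports =='
Get-ListeningTcpPorts | Format-Table -AutoSize
'== Running services and their logon accounts =='
Get-RunningServices | Format-Table -AutoSize -Wrap
```

Every listening port that does not map back to a role the server is supposed to provide is a candidate for removal or for a Windows Firewall rule, and every feature outside the baseline is a candidate for Remove-WindowsFeature; keep the report with the server's change record so drift is visible.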

Lesson 2

Overview of Windows Server 2008 Server Roles and Features

The usefulness and functionality of a server are determined by the set of components installed and
configured on the server.
In a production environment, determining what components of an operating system need to be installed,
activated, and configured to provide a specific piece of functionality can be an imposing task. In previous
versions of Windows Server, the responsibility was placed on the administrator to determine this list of
components, ensure they were configured correctly, and provide a method of effectively managing these
components.
Windows Server 2008 changes all this with server roles and server features.

Objectives
After completing this lesson, you will be able to:

Describe server roles.

Describe Infrastructure and Application Services roles.

Describe Active Directory server roles.

Describe server features.

Install server roles and features by using Server Manager.

What Are Server Roles?

Key Points
Windows Server 2008 uses a role-based configuration. Operating system functionality is controlled
primarily through server roles.

Server Roles
A server role is a collection of operating system components that work together to provide a specific
aspect of server functionality. Rather than having to determine the components required to provide some
type of functionality, as in previous versions, a Windows Server 2008 server administrator can simply
install the role associated with that functionality. Installing a role prompts Windows Server 2008 to enable
the necessary operating system components required to perform the functionality associated with the
role. This ensures that all the components required are enabled when a role is installed. Also, those
components will be disabled if the role is removed from the server.

Role Services
Server roles comprise one or more role services that represent the individual aspects of functionality that a
role provides. Depending on how a role is being implemented, some role services may or may not be
installed as part of the overall role functionality. Role services allow administrators to build onto the
functionality of a role, depending on the requirements.
For example, Print and Document Services is composed of the following role services:

Print Server

LPD Service

Internet Printing

Distributed Scan Server

If you are configuring a Windows Server 2008 server to function as a print server, but do not specifically
require scan services, you should not select the Distributed Scan Server role service to be installed as part
of the Print and Document Services Role.
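On a full installation of Windows Server 2008 R2 the same selective installation can be done from the ServerManager PowerShell module, which is the form you would script across many servers. The following is an added example written for this edit, not part of the course or of any Microsoft tool. It assumes Windows Server 2008 R2 (the ServerManager module is not available on Server Core in this release) and uses the role service names as Get-WindowsFeature lists them (Print-Server, Print-LPD-Service, Print-Internet, Print-Scan-Server); confirm them with Get-WindowsFeature Print-* before relying on them.

```powershell
# Added example (not from the course): install only the Print and Document Services
# role service a print server needs, verify the result, and remove any role service
# that widens the server's exposure without serving a requirement.
# Requires Windows Server 2008 R2 full installation, elevated PowerShell 2.0+.
Import-Module ServerManager

$Needed   = @('Print-Server')    # core print server; Print-Services (the role) is pulled in automatically
$Unneeded = @('Print-LPD-Service', 'Print-Internet', 'Print-Scan-Server')  # LPD, Internet Printing, Distributed Scan Server

function Install-PrintServerMinimal {
    # Preview first: -WhatIf lists the role services and dependencies that would be added
    Add-WindowsFeature -Name $Needed -WhatIf

    # Install, then check the result object instead of assuming success
    $result = Add-WindowsFeature -Name $Needed
    if (-not $result.Success) {
        throw "Add-WindowsFeature failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is needed to complete the installation.'
    }
    $result
}

function Get-PrintRoleState {
    # Every Print and Document Services component and whether it is installed
    Get-WindowsFeature -Name 'Print-*' | Select-Object Name, DisplayName, Installed
}

function Remove-UnneededPrintServices {
    # Remove only what is actually installed; absent features would just produce noise
    $extra = Get-WindowsFeature -Name $Unneeded | Where-Object { $_.Installed }
    if ($extra) {
        Remove-WindowsFeature -Name ($extra | ForEach-Object { $_.Name })
    } else {
        'No unneeded Print and Document Services role services are installed.'
    }
}

Install-PrintServerMinimal
Remove-UnneededPrintServices
Get-PrintRoleState | Format-Table -AutoSize
```

The -WhatIf preview matters more than it looks: it shows the dependencies a role drags in (for Internet Printing, for example, the Web Server role), which is exactly the information you need to judge whether a role service is worth its footprint.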

Multiple Roles
While some roles are typically installed as the only role on a server and provide the core of that server
functionality, multiple roles are often installed to work together to provide multiple aspects of
functionality; or they can be combined to better utilize server hardware resources.
When deploying multiple server roles on a single computer, consider the following:

The capacity of the computer should be sufficient for all the installed roles.

The security requirements for the roles you plan to install must co-exist on a single computer.

The security settings should be configured appropriately for all installed roles.

Possible migration paths should be planned in advance, if the computer becomes overloaded.

Question: How do server roles and role-based configuration make it easier to configure functionality on a
Windows Server 2008 server? Are there ways that role-based configuration makes configuration more
difficult?

Infrastructure and Application Services Server Roles

Key Points
Windows infrastructure services roles are used to form the underlying framework of software and services
that are used by other applications within the organization and provide application-based services to the
rest of the network.
The following table describes Windows Server 2008 infrastructure and application services roles:
Application Server: Provides a solution for hosting and managing distributed applications.

DHCP Server: Automatically allocates IP addresses and IP configuration information to clients.

DNS Server: Provides name resolution for TCP/IP networks.

Fax Server: Sends and receives faxes electronically rather than requiring paper-based copies of documents.

File Services: Provides technologies for storage management, file replication, and file searching.

Hyper-V: Provides server virtualization functionality.

Network Policy and Access Services: Provides support for LAN or WAN routing, network access policy
enforcement, VPN connections, and dial-up connections.

Print and Document Services: Enables and manages network printing, scanning, and document routing.

Remote Desktop Services: Allows users to run programs on a remote server but view the results in a Remote
Desktop window.

Web Server (IIS): Enables the server to act as a web server, installing Internet Information Services (IIS) and
related components.

Windows Deployment Services: Deploys Windows operating systems to computers over the network.

Windows Server Update Services (WSUS): Allows network administrators to control Microsoft Update
distribution to clients and servers.

Windows Server 2008 R2 Considerations

The WSUS server role is new in Windows Server 2008 R2.
The following server roles have been renamed between the initial release of Windows Server 2008 and
Windows Server 2008 R2.

Windows Server 2008 server role    Windows Server 2008 R2 server role
Print Services                     Print and Document Services
Terminal Services                  Remote Desktop Services

Also, the Universal Description, Discovery, and Integration (UDDI) Services server role has been removed
from Windows Server 2008 R2. UDDI provides capabilities for sharing information about Web services
between servers, but the server role is unsupported on 64-bit platforms, the only platform on which
Windows Server 2008 R2 runs. A new, stand-alone version of UDDI that supports 64-bit platforms is
available for download from the Microsoft website.

Active Directory Server Roles

Key Points
Active Directory roles form the core of identity and access management within a Windows Server-based
network. The various Active Directory roles allow full control over the management of, and access to,
server-based network resources, including users, computers, files, folders, and printers. The Active
Directory server roles also allow separate Active Directory infrastructures to integrate seamlessly, allowing
secure, unified administration and information exchange.
The following table lists the Active Directory server roles.
Active Directory Domain Services (AD DS): Stores information about users, computers, and other devices on
the network. AD DS helps administrators securely manage this information and facilitates resource sharing
and collaboration between users and organizations.

Active Directory Certificate Services (AD CS): Provides customizable services for issuing and managing
certificates in software security systems that use public key technologies.

Active Directory Federation Services (AD FS): Provides Web single sign-on (SSO) technologies to
authenticate a user to multiple Web applications with a single user account.

Active Directory Lightweight Directory Services (AD LDS): Organizations that have applications which require
a directory for storing application data can use AD LDS as the data store. AD LDS runs as a
non-operating-system service.

Active Directory Rights Management Services (AD RMS): Information protection technology that works with
AD RMS-enabled applications to help safeguard digital information from unauthorized use.

What Are Server Features?

Key Points
Server features are Windows Server 2008 components that do not specifically fall into the scope of one of
the server roles. Although they are not directly part of a server role, server features can support or add a
complementary functionality to one or more roles, or improve the functionality of the server, regardless of
which roles are installed.
Server features are typically installed individually, independent of other server features and server roles.
Similar to server roles, server features are installed, configured, and managed primarily through the Server
Manager console in Windows Server 2008 R2.

Windows Server 2008 R2 Considerations

The following features are available in Windows Server 2008 R2, but not in the initial release of Windows
Server 2008:

BranchCache

DirectAccess Management Console

Ink and Handwriting Services

Windows Biometric Framework

Windows Server Migration Tools

Windows Remote Management (WinRM) IIS Extension

XPS Viewer

Remote Server Administration Tools now includes Active Directory Administrative Center, Remote
Desktop (RD) Connection Broker tools, and BitLocker Recovery Password Viewer.

Note: Windows 2000 Client Support has been removed from Message Queuing in Windows Server 2008 R2.
Also, several features are available only in certain editions of Windows Server 2008. Enterprise-level
capabilities like BranchCache Hosted Server and Failover Clustering are not available in the Foundation or
Standard editions. Additionally, DirectAccess Management is not available in the Foundation edition.


Demonstration: How to Install Server Roles and Features

Key Points
Server Manager is the primary management tool in Windows Server 2008. This demonstration shows how both
server roles and server features are managed within Server Manager.
In this demonstration, you will learn how to:

Add a server role by using Server Manager.

Add a server feature by using Server Manager.

Configure a server role by using Server Manager.


Lesson 3

Windows Server 2008 Administration Tools

Windows Server 2008 is a robust and powerful operating system that contains a large number of
components and capabilities.
To make effective use of Windows Server 2008, you need to be familiar with the management tools
available, which allow you to manage and administer your Windows Server 2008 servers efficiently.

Objectives
After completing this lesson, you will be able to:

Describe the methods used to manage a server environment.

Manage Windows Server 2008 by using Server Manager.

Describe how to use Remote Server Administration Tools (RSAT).

Describe the use and advantages of Windows PowerShell.


Methods Used to Manage a Windows Server 2008 Environment

Key Points
A variety of methods can be used to manage a Windows Server 2008 environment. The specific tool or
tools you use will vary depending on how you manage your servers: locally at the console, remotely from an
administrative workstation, or through scripts.
The most common management tools are briefly described as follows:

Server Manager
Server Manager is the core tool for management of a Windows Server 2008 server. Built on the Microsoft
Management Console (MMC), Server Manager contains console add-ins for all installed server roles and
server features, and a unified collection of tools and operating system information useful in managing
Windows Server 2008, including the following:

Event Viewer

Services console

Performance monitoring

Device Manager

Task Scheduler

Disk Management

Windows Server 2008 R2 introduces several enhancements to Server Manager that are not available in the
initial release of Windows Server 2008.

Server Manager can now connect to remote servers.

Server Manager includes built-in Best Practices Analyzers (BPAs) from Microsoft that scan installed roles
and report settings that deviate from Microsoft's recommended secure and optimal configuration.


New Windows PowerShell cmdlets (the ServerManager module) let you view, install, and remove roles and
features from the command line, which makes role installation scriptable and repeatable.
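As an added example that is not part of the course or of Microsoft's own material, the following Windows PowerShell script uses the ServerManager module cmdlets to do from the command line what the demonstration earlier in this module does in the Server Manager console: report the installed components, then install the Print and Document Services role and the Windows Server Backup feature only if they are missing. The feature names Print-Services and Backup-Features are the ones Get-WindowsFeature reports on Windows Server 2008 R2; the function names are this example's own.

```powershell
# Added example, not course material. Requires an elevated Windows PowerShell
# session on a full installation of Windows Server 2008 R2, where the
# ServerManager module is available.
Import-Module ServerManager

function Get-InstalledComponent {
    # Roles, role services and features that are currently installed
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object Name, DisplayName, FeatureType
}

function Install-ComponentIfMissing {
    param(
        [Parameter(Mandatory=$true)][string[]]$Name,
        [switch]$IncludeAllSubFeature
    )
    # Query first so the operation is idempotent: a re-run changes nothing
    $pending = Get-WindowsFeature -Name $Name | Where-Object { -not $_.Installed }
    if (-not $pending) {
        Write-Host "Already installed: $($Name -join ', ')"
        return
    }
    $names = @($pending | ForEach-Object { $_.Name })
    $result = Add-WindowsFeature -Name $names -IncludeAllSubFeature:$IncludeAllSubFeature
    if (-not $result.Success) {
        throw "Add-WindowsFeature failed: exit code $($result.ExitCode)"
    }
    # Surface the restart requirement instead of rebooting a server blindly
    if ("$($result.RestartNeeded)" -ne 'No') {
        Write-Warning "Restart required to complete installation of: $($names -join ', ')"
    }
    $result.FeatureResult | Select-Object DisplayName, Success, RestartNeeded
}

# Report what is on the server, then install the lab's role and feature
Get-InstalledComponent | Format-Table -AutoSize
Install-ComponentIfMissing -Name 'Print-Services', 'Backup-Features' -IncludeAllSubFeature |
    Format-Table -AutoSize
```

Add -WhatIf to the Add-WindowsFeature call to preview the change without applying it. These cmdlets are only available on a full installation of Windows Server 2008 R2; on a Server Core installation of R2 the same work is done with Dism.exe or Ocsetup.exe, and the component names differ between the two tool sets.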

Command-Line Tools
Windows Server 2008 includes a large number of command-line tools that administrators can run directly
from the command prompt or include in administrative scripts, whether batch files or scripts written in a
scripting language such as VBScript.

RSAT
The RSAT download is available for Windows client operating systems (Windows Vista, and Windows 7)
and allows for the remote management of Windows Servers from desktop computers.

Windows PowerShell
Windows PowerShell is a task-based command-line shell and scripting language designed specifically for
system administration. It allows administrators to automate and control the management of Windows
computers and applications that run on Windows.


Demonstration: Overview of Server Manager

Key Points
This demonstration will show you the Server Manager interface, highlighting the most commonly used
tools and console windows.
In this demonstration, you will learn how to:

Describe how Server Manager unifies administrative consoles for server roles, server features, and
other operating system components.

Navigate the Server Manager console.

Find commonly used management tools and console windows within Server Manager.


What Are the Remote Server Administration Tools?

Key Points
RSAT enables administrators to remotely manage server roles, server features and other operating system
functionality for a Windows Server 2008 server.
Essentially, RSAT installs MMC consoles for server components on the client operating systems and uses
those consoles to connect remotely to Windows Server 2008 computers to perform management tasks.
When you install RSAT onto the client operating system, you will be given a choice of which consoles you
want to install.
RSAT is typically installed on a Windows client operating system used by someone requiring
administrative access to a Windows Server 2008 server. RSAT is available for both Windows Vista and
Windows 7 client operating systems and offers varying functionality, depending on both the operating
system of the client RSAT is installed on and the version of Windows Server 2008 that is being managed.
When running RSAT on a Windows 7 computer and connecting to a Windows Server 2008 R2 server, the
following remote management tools are available:

Server Administration Tools:

Server Manager

Role Administration Tools:

Active Directory Certificate Services (AD CS) Tools

Active Directory Domain Services (AD DS) Tools

Active Directory Lightweight Directory Services (AD LDS) Tools

DHCP Server Tools

DNS Server Tools

File Services Tools


Hyper-V Tools

Terminal Services Tools

Feature Administration Tools:

BitLocker Password Recovery Viewer

Failover Clustering Tools

Group Policy Management Tools

Network Load Balancing Tools

SMTP Server Tools

Storage Explorer Tools

Storage Manager for SANs Tools

Windows System Resource Manager Tools


What Is Windows PowerShell?

Key Points
Windows PowerShell is a task-based command-line shell and scripting language designed specifically for
system administration. Built on the .NET framework, PowerShell allows administrators to automate and
control the management of Windows computers and applications that run on Windows.
Windows PowerShell was introduced with Windows Vista and the initial release of Windows Server 2008.
PowerShell comprises a large number of single-purpose commands, called cmdlets.
Cmdlets are the core building block of PowerShell. They are typically very narrow in scope, performing
only a single task. The result is a large number of cmdlets with relatively simple syntax and options,
rather than a smaller set of commands with more complex syntax and usage.

Cmdlets
Cmdlets in PowerShell are composed by using a verb-noun syntax that makes it relatively easy to
determine the intended purpose of a cmdlet simply by knowing the cmdlet name. The following list
provides some examples of PowerShell cmdlets:

Get-Date

Start-Service

Restart-Computer

Set-ItemProperty

Get-Help

Clear-Eventlog

PowerShell cmdlets allow the management of almost any aspect of the Windows operating system, and
any installed applications that support PowerShell.


PowerShell 2.0
PowerShell 2.0, introduced with Windows Server 2008 R2 and Windows 7, adds a number of important
new features and improvements in functionality over the original version of PowerShell shipped with the
initial release of Windows Server 2008 and Windows Vista. The following is a list of the new features
available with PowerShell 2.0:

Integrated Scripting Environment (ISE)

The new Integrated Scripting Environment (ISE) is a multi-tabbed graphical PowerShell development
environment that features color-coded syntax, debugging capabilities, and script-output management.

Remoting
Remoting is one of the most important changes in PowerShell 2.0, and it provides support for
running scripts on remote systems. PowerShell Remoting lets you run scripts on remote networked
systems in a one-to-one, or one-to-many configuration. This new remoting support requires that
PowerShell 2.0 be installed on both the local and remote systems.
Note: PowerShell remoting relies on Windows Remote Management (WinRM). For remoting to work, WinRM
must be enabled on the remote computer.
To enable WinRM with its default configuration, run the following command from an elevated command
prompt on the remote computer (qc is an accepted abbreviation of quickconfig).
winrm quickconfig
This starts the WinRM service, creates an HTTP listener on TCP port 5985 on all IP addresses, and adds a
Windows Firewall exception for it. The PowerShell cmdlet Enable-PSRemoting performs the same configuration
and also registers the session configurations that Invoke-Command and Enter-PSSession use. Within a domain,
connections are authenticated with Kerberos and, by default, only members of the local Administrators group
can connect. Outside a domain you must either use an HTTPS listener or add the remote computer to the
client's TrustedHosts list, which means the client no longer verifies the identity of that server.

Eventing
PowerShell Eventing lets you respond to the notifications that many PowerShell objects support.

Added cmdlets, functions, and modules


PowerShell 2.0 adds a host of new cmdlets and other features that make server management by using
PowerShell far more powerful. The following areas have been given new or improved functionality in
PowerShell 2.0.

Active Directory

AppLocker

Best Practices Analyzer

Background Intelligent Transfer Service (BITS)

Failover Cluster

Group Policy

Server Manager

Windows Server Backup

Windows Server Migration Tools

Note: The additional modules mentioned are installed with their corresponding server role or server
feature. They are not part of the default installation of Windows PowerShell V2. For example, the
Active Directory module and its corresponding cmdlets are installed when the Active Directory
Domain Services server role is installed.
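The remoting feature described above, as an added example that is not part of the course or of Microsoft's material: the script first checks that each target's WinRM listener answers, then runs one command against all targets at once (one-to-many). It assumes an elevated Windows PowerShell 2.0 session on a domain-joined workstation in contoso.com; the target names are the lab's virtual machines, and the function names are this example's own.

```powershell
# Added example, not course material. Run in an elevated Windows PowerShell 2.0
# session on a domain-joined administrative computer. Target names are the
# lab's virtual machines; substitute your own.

# One-time step on each target (the PowerShell equivalent of "winrm quickconfig",
# which also registers the session configuration Invoke-Command connects to):
#   Enable-PSRemoting -Force

function Test-RemotingTarget {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)
    # Test-WSMan only contacts the WinRM listener; a failure here points at
    # WinRM, the firewall or name resolution rather than at PowerShell itself.
    foreach ($computer in $ComputerName) {
        $status = 'OK'
        try {
            $null = Test-WSMan -ComputerName $computer -ErrorAction Stop
        } catch {
            $status = $_.Exception.Message
        }
        New-Object PSObject -Property @{ ComputerName = $computer; WinRM = $status }
    }
}

function Get-RemoteServiceStatus {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [string]$ServiceName = 'WinRM'
    )
    # One-to-many remoting: the script block runs on every target, and each
    # returned object carries PSComputerName so results stay attributable.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $ServiceName -ScriptBlock {
        param($name)
        Get-Service -Name $name | Select-Object Name, Status
    } -ErrorAction Continue | Select-Object PSComputerName, Name, Status
}

$targets = 'NYC-SVR1', 'NYC-SVRCORE'
Test-RemotingTarget -ComputerName $targets | Format-Table -AutoSize
Get-RemoteServiceStatus -ComputerName $targets | Format-Table -AutoSize
```

The remote command runs under the calling administrator's account, authenticated with Kerberos because both sides are in the domain; nothing in the script stores a credential. A target that is not domain-joined would have to be reached over an HTTPS listener or added to the client's TrustedHosts list, and the latter should be limited to named hosts rather than a wildcard, because it switches off server identity verification for those connections.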


Lesson 4

Managing Windows Server 2008 Server Core

The Server Core installation option was first introduced in the initial release of Windows Server 2008. It
introduces a stripped down, streamlined version of Windows Server 2008.
This lesson will look at Server Core, its features, capabilities, and limitations, and the tools used to manage
a Server Core installation of Windows Server 2008.

Objectives
After completing this lesson, you will be able to:

Describe the benefits of a Server Core installation.

Describe server roles that are supported by Server Core.

Describe features that are supported by Server Core.

Manage Windows Server 2008 Server Core.


Benefits of a Server Core Installation

Key Points
The Server Core installation option in Windows Server installs Windows Server 2008 with a minimal
feature set.
Server Core offers a smaller subset of server roles and features than the full installation of Windows Server
2008. Additionally, Server Core does not include the Windows Explorer graphical interface. All local
interaction with a Server Core installation must be done by using command-line tools.
The Server Core minimal feature set provides the following benefits:

The attack surface is reduced. Fewer binaries, services, and roles are present, so fewer components
are exposed to network attack and fewer of them need patching.

Malicious users who gain local access to a Server Core installation must be familiar with the command
line to make changes to the operating system. Treat this as a minor obstacle rather than a security
control: physical and logon access to the server must still be restricted as for any other server.

Hardware requirements are lower for a Server Core installation because of the stripped-down nature of
the operating system.

A Server Core installation requires less maintenance than a full installation. The reduced number of
services and applications requires fewer updates than a full-featured operating system. Fewer updates
mean fewer restarts of the operating system, which in turn leads to increased availability of the server.


Roles Supported by the Server Core Installation Option

Key Points
Server Core supports a subset of the standard Windows Server 2008 roles, primarily roles that provide
core network infrastructure.
Server Core supports the following server roles in Windows Server 2008:

Active Directory Domain Services

Active Directory Lightweight Directory Services

DHCP Server

DNS Server

File Services

Print Server

Streaming Media Services

Hyper-V

Windows Server 2008 R2 adds the following role changes:

Active Directory Certificate Services

File Server Resource Manager component of the File Services Role

A subset of ASP.NET in the Web Server role

Streaming Media Services has been removed


Features Supported by the Server Core Installation Option

Key Points
Similar to server roles, Server Core supports a subset of standard Windows Server 2008 features.
Server Core supports the following server features in Windows Server 2008:

Windows Server Backup

BitLocker Drive Encryption

Failover Clustering

Multipath I/O

Network Load Balancing

Removable Storage

Subsystem for UNIX-based Applications

Telnet client

WINS

Windows Server 2008 R2 adds the following feature changes:

.NET Framework

Windows PowerShell

Windows-on-Windows 64-bit (WoW64)

Removable storage feature removed

Ability to be remotely configured by using Server Manager


Methods Used to Manage the Server Core Installation Option

Key Points
Managing a Server Core installation is somewhat more involved than managing a full installation of
Windows Server 2008.
In the initial release of Windows Server 2008, entering commands at the command prompt is the only way to
configure a Server Core installation locally. While this is an obstacle to users with malicious intent who
gain access to the server, it also means a more complicated and tedious workload for those who manage
the servers.

Adding and Removing Server Roles and Server Features


Managing the roles and features installed on your computer requires you to work from the command
line. The following tools will allow you to manage installed server roles and server features in Windows
Server 2008.

Ocsetup.exe and Oclist.exe

Ocsetup.exe is the default tool for adding and removing server roles and server features on a Server
Core installation of Windows Server 2008. The ocsetup command is issued from the command line, followed
by the name of the role or feature to add or remove. For example, the following command installs the
DHCP Server role on a Server Core installation.
ocsetup DHCPServerCore

To uninstall the role, execute the following command.
ocsetup DHCPServerCore /uninstall

Ocsetup returns to the prompt before the installation has finished. In a batch file, run it as
start /w ocsetup DHCPServerCore so that the script waits for the installation to complete.
Oclist.exe shows a list of the roles and features available on the current server, along with the
current installation status of each.


Dism.exe
Dism.exe, the Deployment Image Servicing and Management tool, is included with Windows Server 2008 R2.
It has a wide range of applications in Windows image and configuration management, one of which is the
installation and removal of server roles and server features on Server Core. The following command
installs the DHCP Server role on a Server Core installation.
Dism /online /enable-feature /featurename:DHCPServerCore

In the command above, the command-line switches perform the following actions.

The /online switch directs Dism.exe to perform the operation on the currently running installation of
Windows. Dism.exe can also service offline Windows images.

The /enable-feature switch installs or enables the specified component. Note that the word feature in
this switch does not refer only to server features: /enable-feature installs both server roles and
server features. The /disable-feature switch removes an installed role or feature.

The /featurename switch specifies the server role or server feature to be installed or removed. In
this example, the operation is performed on the DHCP Server role.

To determine the current status of server roles and features, execute the following command.
Dism /online /get-features

Note: The role and feature names used by ocsetup and dism are the same; DHCPServerCore refers to the DHCP
Server role for both tools. These names differ from the names Server Manager uses on a full installation.
They are also case sensitive: using dhcpservercore as a feature name results in an error with either tool.
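The /get-features and /enable-feature operations described above, wrapped so that a script can check the state of a component before acting on it. This is an added example, not course material or a Microsoft tool: it runs Dism.exe as a native command from Windows PowerShell on a Windows Server 2008 R2 Server Core installation with the PowerShell feature enabled, and parses the default list-format output. DHCPServerCore is the name used in this module; the function names are this example's own, and the case-insensitive hint is the example's way of catching the case-sensitivity error the note warns about.

```powershell
# Added example, not course material. Runs on a Windows Server 2008 R2 Server
# Core installation with the Windows PowerShell feature enabled; Dism.exe is
# invoked as a native command. Feature names are the case-sensitive package
# names Dism reports (for example DHCPServerCore).

function Get-DismFeature {
    # Parse the "Feature Name : X" / "State : Enabled|Disabled" pairs that
    # "dism /online /get-features" prints into objects
    $features = @()
    $name = $null
    foreach ($line in (& dism.exe /online /get-features)) {
        if ($line -match '^Feature Name\s*:\s*(\S.*)$') {
            $name = $matches[1].Trim()
        } elseif ($name -and $line -match '^State\s*:\s*(\S.*)$') {
            $features += New-Object PSObject -Property @{
                Name  = $name
                State = $matches[1].Trim()
            }
            $name = $null
        }
    }
    if ($LASTEXITCODE -ne 0) { throw "dism /get-features failed (exit code $LASTEXITCODE)" }
    $features
}

function Enable-DismFeature {
    param([Parameter(Mandatory=$true)][string]$Name)
    $all = Get-DismFeature
    # Dism matches names case-sensitively, so compare with -ceq and offer the
    # correctly cased name when case is the only difference.
    $feature = $all | Where-Object { $_.Name -ceq $Name }
    if (-not $feature) {
        $hint = $all | Where-Object { $_.Name -ieq $Name } | ForEach-Object { $_.Name }
        if ($hint) { throw "No feature '$Name'. Dism names are case sensitive; did you mean '$hint'?" }
        throw "No feature '$Name' in this image. Run Get-DismFeature to list valid names."
    }
    if ($feature.State -eq 'Enabled') {
        Write-Host "$Name is already enabled."
        return
    }
    & dism.exe /online /enable-feature "/featurename:$Name"
    # 3010 is the Win32 ERROR_SUCCESS_REBOOT_REQUIRED code
    switch ($LASTEXITCODE) {
        0       { Write-Host "$Name enabled." }
        3010    { Write-Warning "$Name enabled; a restart is required." }
        default { throw "dism /enable-feature failed (exit code $LASTEXITCODE)" }
    }
}

# List the image's components, then enable the role this module uses as its example
Get-DismFeature | Sort-Object Name | Format-Table -AutoSize
Enable-DismFeature -Name 'DHCPServerCore'
```

Checking the state first keeps the script idempotent and avoids a needless restart, and failing on a non-zero exit code prevents a later step from assuming a role is present when Dism rejected the name.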

Other Improvements in Windows Server 2008 R2


In Windows Server 2008 R2, two very important changes have been made to the Server Core installation
option that greatly decrease the administrative workload required for Server Core computers.

Sconfig.exe
Sconfig is a command-line executable that starts a text-based menu for administering a Server Core
installation. Common administration tasks are presented in a numbered list. When an administrator
chooses a number from the list, sconfig carries out the configuration by running the underlying
command-line programs, so the administrator does not have to enter the commands manually.
Sconfig supports the following configuration areas on a Server Core installation of Windows Server
2008 R2.

Computer name and domain/workgroup membership

Add local Administrative users

Configure Remote Management

Windows Update Settings

Configure Remote Desktop

Network Settings


Date and Time Settings

Shutdown/Restart server

Server Manager and RSAT


In Windows Server 2008 R2, Server Manager on a Windows Server 2008 R2 computer, and RSAT on a
Windows Vista or Windows 7 computer, can connect remotely to a Server Core installation and manage the
server with the familiar graphical tools. Remote management must first be enabled on the Server Core
computer (the Configure Remote Management option in sconfig). This is a significant improvement over
earlier management methods, because a Server Core installation can be managed remotely alongside full
installations of Windows Server 2008 R2 in one unified management environment.


Lab: Managing Server Roles in a Windows Server 2008 Environment

Exercise 1: Determine Server Roles and Installation Types


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.
6. Repeat steps 2 and 3 for 6419B-NYC-SVRCORE. Do not log on until directed to do so.

Lab Scenario
You have been asked to complete the final configuration for a server being deployed to Contoso, Ltd.'s
New York City location. Your supervisor, Ed Meadows, has sent you an email detailing the requirements
for the final configuration steps that need to be taken on the server.
The main tasks for this exercise are as follows:
1. Review the supporting documentation.
2. Determine the server roles, server features, and installation types, and record them in the answers
   to the questions in the deployment plan document.

Task 1: Review the supporting documentation.
1. Review the following email message received from Ed Meadows.

To: you@contoso.com
From: Ed Meadows [Ed@contoso.com]
Sent: Apr 20 2010 14:20
Subject: NYC-SVR1 deployment
Hi,
We've arranged to have the new server for the New York City location physically deployed while you are
onsite there.
The server name is NYC-SVR1 and it's to be configured as a print server for the New York office. They've
just deployed Windows 7 to all desktops in that location and they're switching away from users having
printers connected directly to their machines and setting up network printers in various locations in the
office, instead.
After you've completed the initial configuration, the server administration team in New York will take over
the management of the server. They're located on the fifth floor and this server will be on the eighth floor,
so they'd like to have some type of remote access to the server to perform their management tasks. I
believe there are four of them who will be working together to manage the server; I'll leave the solution
for this up to you.


One more thing, the New York admins would also like to be able to back up the server on a regular basis,
so I'd like you to configure the server to give them the ability to do local backups.
That's it for now, let me know if you need anything, and enjoy New York.
Regards,
Ed

Task 2: Determine the server roles, server features, and installation types.
1. Complete the requirements document by answering the following questions:

New York Location New Server Final Configuration Plan

Document Reference Number: CW010210/1
Document Author: You
Date: Apr 24, 2011

Requirements Overview
To determine the server roles and features to be installed on the newly deployed NYC-SVR1
Additional Information
The server must be able to provide network printing capabilities for the New York City office.
Administrators in New York will manage the server from their desktop computers and will also be
responsible for ensuring the new server is backed up.
Questions
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be configured?
2. What additional server features will be needed to fulfill the requirements specified by Ed?
3. Are there any additional management considerations that need to be considered for the ongoing
   management of NYC-SVR1?

Results: After completing this exercise, you should have determined the server roles, server features,
and installation types to install on NYC-SVR1, according to the requirements document.


Exercise 2: Install Windows Server 2008 Server Roles and Features


Lab Scenario
You have read the requirements document and determined what server roles and features need to be
installed on NYC-SVR1. Using your implementation proposal, you have been asked to implement the
recommended server roles and server features on NYC-SVR1 and report to Ed regarding which
management tools need to be installed on the desktop computers of the Server Admins group.
The main tasks for this exercise are as follows:
1. Use Server Manager to install the Print and Document Services server role.
2. Use Server Manager to install the Windows Server Backup features.

Task 1: Use Server Manager to install the Print and Document Services server role.
1. Connect to the 6419B-NYC-SVR1 virtual machine and log on with the user name Administrator and
   the password Pa$$w0rd.
2. Open Server Manager from the Start menu.
3. Open the Roles node in Server Manager and add the Print and Document Services server role.

Task 2: Use Server Manager to install the Windows Server Backup features.
1. Within Server Manager, select the Features node.
2. Add the Windows Server Backup feature.
3. Close Server Manager.

Result: After completing this exercise, you will have used Server Manager to install server roles and
server features.


Exercise 3: Manage Windows Server 2008 Server Core


Lab Scenario
You have been asked to complete the configuration for another server in the New York location.
A new server running the Windows 2008 R2 Server Core installation has been installed in the New York
location. You have been asked to finalize the network configuration on the server and configure the newly
named NYC-SVRCORE to enable Server Manager access for remote management.
The network information is as follows.

NYC-SVRCORE Configuration Spec Sheet

IP State            STATIC
IP Address          10.10.0.20
Subnet Mask         255.255.0.0
Default Gateway     10.10.0.1
Primary DNS         10.10.0.10
Secondary DNS       None
Domain membership   Contoso.com
Computer name       NYC-SVRCORE

Please install the Windows Server Backup feature on this server so the New York IT staff can perform
backup and recovery operations.
Please enable remote administration to allow the New York IT staff to manage this server remotely by
using Server Manager.
The main tasks for this exercise are as follows:
1. Use Sconfig to configure Server Core installation options.
2. Use Dism to enable the Windows Server Backup feature.
3. Configure Server Core to enable Server Manager remote administration.
4. Use Server Manager to connect to Server Core.

Task 1: Use Sconfig to configure Server Core installation options.
1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name, Administrator,
and the password, Pa$$w0rd.
2. Start Sconfig and use the menu options to configure the IP address settings according to the
information supplied.
3. Join the computer to the Contoso.com domain and rename it to NYC-SVRCORE.

Task 2: Use Dism to install the Windows Server Backup feature
1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name, Administrator,
and the password, Pa$$w0rd.
2. Run the Dism command using the /online and /get-features switches to confirm that the
WindowsServerBackup feature is not installed.
3. Run the Dism command using the /online, /enable-feature and /featurename: switches to install
the WindowsServerBackup feature.


4. Run the Dism command using the /online and /get-features switches to verify the Windows Server
Backup feature has been installed.

Task 3: Use Sconfig to configure Server Core remote management
1. Start Sconfig and navigate to the Configure Remote Management screen.
2. Enable both the Windows PowerShell and Server Manager remote administration options. Restart
when prompted and log back on as Administrator with the password of Pa$$w0rd.

Task 4: Use Server Manager to connect to Server Core
1. Connect to the 6419B-NYC-DC1 virtual machine and log on with the user name, Administrator, and
the password, Pa$$w0rd.
2. Open Server Manager from the Administrative Tools section on the Start Menu.
3. In Server Manager, connect to NYC-SVRCORE.
4. View the Server Manager nodes available.

Result: After completing this exercise, you should have performed management tasks on a Server Core
installation of Windows Server 2008.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.


Module Review and Takeaways

Review Questions
1. Why would an organization want to limit the server roles installed on a server?
2. What management tool would you recommend for a new junior administrator who has been asked to
manage a Server Core installation of Windows Server 2008 R2?

Common Issues Related to Using Server Manager Remotely

Issue: Cannot connect to remote servers by using Server Manager
Troubleshooting Tip:

Tools

Tool: Windows Server 2008 R2 Server Role Migration Guides
Use for: Determining how to migrate server roles from previous versions of the Windows Server operating system
Where to find it:

Tool: Microsoft Assessment and Planning (MAP) Toolkit
Use for: Simplifying and streamlining the IT infrastructure planning by assessing existing environments
Where to find it:

Tool: Server Manager
Use for: Managing a Windows Server 2008 server
Where to find it: Start Menu

Tool: Remote Server Administration Tools (RSAT) for Windows 7
Use for: Managing Windows Server 2008 R2 servers remotely
Where to find it:

Tool: Ocsetup.exe
Use for: Adding and removing Server Core roles and features
Where to find it: Command-line

Tool: Dism.exe
Use for: Adding and removing Server Core roles and features in Windows Server 2008 R2
Where to find it: Command-line

Tool: Sconfig.exe
Use for: Managing a Server Core installation of Windows Server 2008 (R2 only)
Where to find it: Type Sconfig.exe at the command line

New Features and Changes

Feature                                                  Version    Module Reference
Foundation Edition licensing option
64-bit hardware support only
New Server Roles available
New Features Available
Server Manager remote management
New RSAT
New Server Core Roles available
New Server Core Features available
Administer Server Core remotely by using Server Manager
Deployment Image Servicing Management Tool (Dism.exe)
Sconfig configuration tool for Server Core

Module 2
Managing Windows Server 2008 Infrastructure Roles
Contents:

Lesson 1: Understanding IPv6 Addressing                     2-3
Lesson 2: Overview of the DNS Server Role                   2-18
Lesson 3: Configuring DNS Zones                             2-29
Lab A: Installing and Configuring the DNS Server Role       2-41
Lesson 4: Overview of the DHCP Server Role                  2-46
Lesson 5: Configuring DHCP Scopes and Options               2-53
Lab B: Installing and Configuring the DHCP Server Role      2-65

Module Overview

To effectively manage a Windows Server 2008 network, you need to understand the server roles used to
resolve and manage IP addressing. To assist with IP addressing requirements, your network environment
should include two critical server roles, the Domain Name System (DNS) and the Dynamic Host
Configuration Protocol (DHCP). To support many of the new features included with Windows Server 2008,
you need a basic knowledge of not only IPv4, but also IPv6 concepts and transition methods.
This module provides an overview of the benefits and technologies associated with IPv6. You will learn the
features and configuration options available to implement the DNS and DHCP server roles.

Objectives
After completing this module, you will be able to:

Describe IPv6 addressing.

Describe the features and concepts related to the DNS server role.

Configure DNS zones.

Describe the features and concepts related to the DHCP server role.

Configure DHCP scopes and options.

Lesson 1

Understanding IPv6 Addressing

Internet Protocol (IP) version 4 is the most commonly used communication protocol for both the Internet
and internal network environments. Although IPv4 is robust and scalable, new technologies and higher
demand have paved the way for the eventual adoption of IPv6.
To use the various Windows Server 2008 features, such as Network Discovery and DirectAccess (Windows
Server 2008 R2), you need a better understanding of the IPv6 address space and its integration with the
existing IPv4 networks through transition and tunneling technologies.

Objectives
After completing this lesson, you will be able to:

Describe the differences between IPv4 and IPv6.

Describe the benefits of using IPv6.

Describe the IPv6 address space.

Describe the types of IPv6 addresses.

Describe the IPv6 address autoconfiguration process.

Describe IPv6 over IPv4 tunneling.

Describe IPv6 tunneling technologies.

Differences Between IPv4 and IPv6

Key Points
Traditionally, IPv4, due to its simplicity and interoperability, has been used to meet the growing demands
of both internal networks and the Internet. However, it is quickly becoming outdated in both public
address space availability and supported functionality.
The various challenges faced by IPv4 include:

Unavailability of the IPv4 address space. With IPv4 public address space becoming scarce, many
organizations have started implementing network address translator (NAT) technology to map
multiple private IP addresses to a single public IP address. NAT decreases the number of public IP
addresses required for internal networks, but it does not support standards-based network layer
security or map all higher-layer protocols. This can cause connectivity issues between organizations that
use private IP addressing schemes. In addition, the rise of IP-based devices, such as mobile assistants
and household appliances, has increased the need for an efficient method for IP streaming, security,
and address allocation.

Need for simpler configuration. IPv4 relies on manual configuration or automatic configuration
through DHCP. The auto-address configuration of DHCP and IPv4 supports only a local subnet. With
the need to manage and communicate with Internet-based devices, automatic configuration of
addresses and settings that do not rely on a DHCP infrastructure has become important.

Need for more efficient real-time data delivery. The increased use of multimedia streaming over
the Internet has paved the way for quality of service (QoS) requirements that are only efficiently
addressed when integrated within the IP protocol itself.

Security requirements at the IP level. Security over a public network, such as the Internet, requires
encryption services that protect data from being viewed or modified during transit. IPv4 supports the
Internet Protocol Security (IPsec) standard. However, implementation of IPsec in IPv4 is optional and
is typically implemented by using a variety of solutions.

Note: To address many of these concerns, the Internet Engineering Task Force (IETF) has developed
IPv6 as described in Request for Comments (RFC) 4291.

IPv4 and IPv6 Comparison


The following table lists the differences between IPv4 and IPv6:

IPv4: Source and destination addresses are 32 bits (4 bytes) in length.
IPv6: Source and destination addresses are 128 bits (16 bytes) in length.

IPv4: IPsec support is optional.
IPv6: IPsec support is required.

IPv4: The IPv4 header does not include any packet flow identification for QoS.
IPv6: Packet-flow identification for QoS handling by routers is included in the IPv6 header, using the Flow Label field.

IPv4: Fragmentation is done by routers and the sending host.
IPv6: Fragmentation is done only by the sending host.

IPv4: Header includes a checksum.
IPv6: Header does not include a checksum.

IPv4: Header includes options.
IPv6: All optional data is moved to IPv6 extension headers.

IPv4: Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address.
IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.

IPv4: Internet Group Management Protocol (IGMP) is used to manage local subnet group membership.
IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages.

IPv4: Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway.
IPv6: ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages, which are required.

IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet.
IPv6: There are no broadcast addresses in IPv6; their function is superseded by multicast addresses. Link-local unicast addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. The link-local multicast scope spans the same topological region as the corresponding unicast scope.

IPv4: Must be configured either manually or through DHCP.
IPv6: Does not require manual configuration or DHCP.

IPv4: Uses host address (A) resource records in the DNS to map host names to IPv4 addresses.
IPv6: Uses host address (AAAA) resource records in the DNS to map host names to IPv6 addresses.

IPv4: Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.
IPv6: Uses PTR resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.

IPv4: Must support a 576-byte packet size (possibly fragmented).
IPv6: Must support a 1280-byte packet size (without fragmentation).

Benefits of Using IPv6

Key Points
The IPv6 standard introduces several benefits to the networking infrastructure such as the following:

Large address space. IPv6 uses a 128-bit address space, which allows for 3.4 x 10^38 or
340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.

Hierarchical addressing and routing infrastructure. The IPv6 address space is designed to be more
efficient for routers, which means that even though there are many more addresses, routers can
process data much more efficiently because of address optimization.

Stateless and Stateful address configuration. Stateless address configuration refers to host IP
configuration without a DHCP server. Stateful address configuration refers to host IP configuration
that uses a DHCP server. IPv6 supports both stateless and stateful address configuration. With
stateless address configuration, hosts automatically configure themselves with IPv6 link-local
addresses along with additional addresses advertised by local routers.

Built-in security. IPv6 has built-in IP security, which facilitates configuration of secure network
connections.

Prioritized delivery. IPv6 contains a field in the packet that allows network devices to determine the
specified rate at which the packet should be processed. This allows traffic prioritization or QoS. For
example, when streaming video traffic, it is critical that the packets arrive in a timely manner. You can
set this field to ensure that network devices determine that the packet delivery is time-sensitive.

Neighbor detection. IPv6 uses the Neighbor Discovery protocol to manage the interaction between
nodes within the same network link. Neighbor Discovery replaces the broadcast-based Address
Resolution Protocol (ARP) with more efficient multicast and unicast communication within the same
network segment.

Extensibility. IPv6 has been designed so that it can be extended with fewer constraints than IPv4.

IPv6 Address Space

Key Points
A traditional IPv4-based IP address is expressed in four groups of decimal numbers, such as 192.168.1.1.
Each set of numbers represents a binary octet. In the binary system, the preceding number is:
11000000.10101000.00000001.00000001

(4 octets = 32 Bits)
The size of an IPv6 address is 128 bits, which is four times larger than an IPv4 address. IPv6 addresses
are expressed in hexadecimal notation. For example, an IPv6 address may look like:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This may seem counterintuitive for end users. However, the average user relies on DNS name resolution
and seldom types IPv6 addresses manually.

Hexadecimal Numbering System (Base 16)


The hexadecimal system (Hex) uses a base 16 represented by sixteen distinct symbols. These symbols
include:

0-9 Represent values 0 to 9

A-F Represent values 10 to 15

For example, if you convert the decimal number 9 to Hex, the result will be Hex 9. However if you
continue and convert the decimal number 10 to Hex, the result will be Hex A. Similarly, the decimal
number 11 will result in Hex B.

Using Letters to Represent Numbers


Letters represent numbers because in the Hex system (base 16) there must be 16 unique symbols for
each position. Because 10 symbols (0 through 9) already exist, the six additional symbols in the Hex
system are A through F.
To convert an IPv6 binary address, which is 128 bits in length, to hexadecimal, perform the following
steps:
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010

1. Organize the 128-bit address into eight groups of 16 bits.

0010000000000001  0000110110111000  0000000000000000
0010111100111011  0000001010101010  0000000011111111
1111111000101000  1001110001011010

2. Break down each set of 16 bits into sets of four bits and assign a value of 1, 2, 4, or 8 to each of
the four binary digits, starting from the right and moving left.
If the first bit, starting on the right, has a value of 1, assign a value of 1. If the second bit has a
value of 1, assign a value of 2. If the third bit has a value of 1, assign a value of 4. If the fourth
(and leftmost) bit has a value of 1, assign a value of 8.
To derive the hexadecimal value for this section of four bits, add up the values assigned to each
bit where the bits are set to 1. For the first group [0010], the only bit that is set to 1 is the bit
assigned the value 2. The rest are set to zero. Thus, the hex value of this set of four bits is 2.

The first 16 bits in the example are equal to Hex 2001.

Student Exercise
In the following table, calculate the Hex values for the given 16-bit binary groups of the 128-bit address.
The first one is done for you.

Binary                 Hexadecimal
0010 0000 0000 0001    2001
0000 1101 1011 1000
0000 0000 0000 0000
0010 1111 0011 1011
0000 0010 1010 1010
0000 0000 1111 1111
1111 1110 0010 1000
1001 1100 0101 1010
Each 16-bit block, expressed as four Hex characters, is delimited by using colons. The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

3. You can simplify IPv6 representation by removing the leading zeros within each 16-bit block.
However, each block must have at least a single digit. After you remove the leading zeros, the
result is as follows:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

4. To further simplify IPv6 notation, a contiguous sequence of 16-bit blocks that are set to 0 can be
compressed by using the double colon (::). The computer recognizes :: and substitutes the colon
sequence with the number of zero blocks necessary to make a complete IPv6 address.

In the following example, the address is expressed by using zero compression:

2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 16-bit blocks are represented by the ::, count the number of blocks in
the compressed address and subtract that number from eight. In the above example, there are seven
blocks. Subtract seven from eight and the result is one. Thus, there is one block of zeros in the address
where the double colon is located.
In a given address, you can use zero compression only once. Otherwise, you cannot determine the
number of 0 bits represented by each instance of a double colon (::).
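The four conversion steps above, carried out in code as an added example that is not part of the course text: it turns the module's 128-bit binary address into the compressed form and expands a compressed address back using the "eight minus the blocks present" rule. The function names are my own; the compression goes one step beyond the text by choosing the longest run of zero blocks when there are several.

```python
import ipaddress

# The 128-bit binary address from the text, constructed here as a Python string.
PAGE_BINARY = (
    "0010000000000001000011011011100000000000000000000010111100111011"
    "0000001010101010000000001111111111111110001010001001110001011010"
)


def binary_to_blocks(bits: str) -> list:
    """Steps 1 and 2: eight 16-bit groups, each rendered as four hex characters."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 128-character string of 0s and 1s")
    # int(..., 2) applies the 8/4/2/1 weighting per nibble; :04X pads to four hex digits.
    return [f"{int(bits[i:i + 16], 2):04X}" for i in range(0, 128, 16)]


def strip_leading_zeros(blocks: list) -> list:
    """Step 3: drop leading zeros, but every block keeps at least one digit."""
    return [b.lstrip("0") or "0" for b in blocks]


def longest_zero_run(blocks: list) -> tuple:
    """Return (start, length) of the longest run of all-zero blocks; length 0 if none."""
    best_start, best_len, i = -1, 0, 0
    while i < len(blocks):
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < len(blocks) and blocks[j] == "0":
            j += 1
        if j - i > best_len:          # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def compress(blocks: list) -> str:
    """Step 4: replace one contiguous run of zero blocks with '::'.

    Like the text's example this compresses even a single zero block (RFC 5952
    canonical form would leave a lone zero block uncompressed).
    """
    start, length = longest_zero_run(blocks)
    if length == 0:
        return ":".join(blocks)
    return ":".join(blocks[:start]) + "::" + ":".join(blocks[start + length:])


def binary_to_ipv6(bits: str) -> str:
    """Run all four steps from the text on a 128-bit binary string."""
    return compress(strip_leading_zeros(binary_to_blocks(bits)))


def expand(address: str) -> str:
    """Undo zero compression: missing blocks = 8 - blocks present, '::' used at most once."""
    if address.count("::") > 1:
        raise ValueError("'::' may be used only once in an address")
    if "::" in address:
        left, right = address.split("::")
        left_blocks = left.split(":") if left else []
        right_blocks = right.split(":") if right else []
        missing = 8 - len(left_blocks) - len(right_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = left_blocks + ["0"] * missing + right_blocks
    else:
        blocks = address.split(":")
    if len(blocks) != 8 or not all(1 <= len(b) <= 4 for b in blocks):
        raise ValueError("malformed IPv6 address")
    return ":".join(b.upper().zfill(4) for b in blocks)


def same_address(a: str, b: str) -> bool:
    """True when two textual forms denote the same 128-bit address (standard-library check)."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    full = ":".join(binary_to_blocks(PAGE_BINARY))
    short = binary_to_ipv6(PAGE_BINARY)
    print("full form      :", full)
    print("compressed     :", short)
    print("expanded again :", expand(short))
    print("stdlib agrees  :", same_address(short, full))
```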

Types of IPv6 Addresses

Key Points
There are three main types of IPv6 addresses:

Unicast. Identifies a single interface within the address scope. Packets that are addressed to this
address are delivered to a single interface.

Multicast. Identifies multiple interfaces and delivers packets to all interfaces that are identified by the
address. It is used for one-to-many communication over a network infrastructure.

Anycast. Identifies multiple interfaces, but delivers packets to the nearest interface. It is used for
one-to-many communication, with delivery to a single interface.

Types of Unicast IPv6 Addresses


Unicast addresses can consist of the following scopes:

Global. Global unicast addresses can be compared with public IPv4 addresses. This type of address is
globally routable throughout the IPv6 portion of the Internet. The global address starts with 2000: and
is typically written as 2000::/3. The first three bits are always set to 001 to identify and distinguish this
type of address from other IPv6 addresses.

Link-Local. Link-Local addresses can be compared with the IPv4 Automatic Private IP Addressing
(APIPA) that uses 169.254.0.0/16. IPv6 link-local addresses can communicate with hosts on the same
link, and are not routable. Link-local addresses are automatically assigned and always begin with FE80
or FE80::/64.

Unique-Local. Unique-local addresses represent an entire organizational site or a portion of the site.
This type of IPv6 address can be compared with the IPv4 private address spaces 10.0.0.0/8, 172.16.0.0/12,
and 192.168.0.0/16. Unique-local addresses are routable throughout an organization, but are not
configured to be routed outside of the organization network. These types of addresses are not
automatically generated, and must be assigned by using the auto-assignment methods that
IPv6 supports. Unique-local addresses are always expressed as FC00::/7 or FD00::/8.

Note: Unique-Local replaces a previous IPv6 type called Site-local addresses, which were defined for the
block FEC0::/10. For more information on the deprecation of site-local addresses, read RFC 3879 at
http://tools.ietf.org/html/rfc3879.

Loopback Address. A loopback address is used to identify a loopback interface, which allows a node
to send packets to itself. The IPv6 loopback address is expressed as 0:0:0:0:0:0:0:1 or ::1. This can be
compared with the IPv4 loopback address of 127.0.0.1.

Address Autoconfiguration for IPv6

Key Points
A network client proceeds through several states as it goes through the autoconfiguration process, and
there are several ways to assign an IP address and additional options. Based on how the router is set up, a
client may use stateless configuration (no DHCP service) or stateful configuration with the DHCP server
involved. Stateful configuration can be used to assign an IP address and additional network settings or
only assign options such as DNS server references and router IP addresses.
During autoconfiguration, the client computer proceeds through the following high-level process:
1. The IPv6 client autoconfigures a link-local address for each interface used to communicate with other
hosts on the same link.
2. IPv6 Neighbor Discovery performs neighbor solicitation to ensure that there are no address conflicts.
3. Router discovery takes place to determine the local routers on an attached link.
4. It is determined whether the node should use a stateful address protocol, such as DHCPv6, for
addresses and other configuration parameters. A host uses stateful address configuration when a
router advertisement is received with either the Managed Address Configuration flag or the Other
Stateful Configuration flag set to 1. Stateful address configuration is also performed if there are no
routers on the local link.
5. All network prefixes defined for the link are obtained from the router. Prefixes include the range of
addresses for nodes on the local link and the valid and preferred lifetimes. If the appropriate stateful
flags are set, information may be obtained from DHCP.

Communication with DHCP


When an IPv6-based host attempts to communicate with a DHCP server, it uses its link-local, self-assigned
IP address. This is different from IPv4, which uses ARP broadcasts.

Using stateful configuration allows organizations to control how IP addresses are assigned by using
DHCPv6. By default, an IPv6 host uses stateless autoconfiguration, but it will use stateful address
autoconfiguration if either of the following is set in the Router Advertisement message that a neighboring
router sends:

Managed Address Configuration flag. This flag is also known as the M flag. If this flag is
set, it instructs the IPv6 host to use DHCPv6 to obtain an IP address.

Other Stateful Configuration flag. This flag is also known as the O flag. If this flag is set, it
instructs the IPv6 host to use DHCPv6 to obtain other configuration settings such as DNS server IP
addresses. If your organization wants to leverage technologies such as Network Access Protection
(NAP), you must configure clients with additional options that integrate into DHCP. If there are any
specific scope options that you need to configure, you need a DHCP server.

It is possible to use a combination of both stateless and stateful configuration. In such a case, you can use
the router to assign IP address ranges and then use DHCPv6 to assign other configuration settings.

Note: On Windows Server 2008-based routers, you can use the following command to configure the M
and O flags (the interface name must be quoted because it contains spaces):
netsh interface ipv6 set interface "Local Area Connection" managedaddress=enabled otherstateful=enabled

Autoconfigured Address States


Autoconfigured addresses are in one or more of the following states:

Tentative. Verification occurs to determine whether the address is unique. This verification is called
duplicate address detection (DAD). A node cannot receive unicast traffic to a tentative address. It can,
however, receive and process multicast Neighbor Advertisement messages sent in response to the
Neighbor Solicitation message that it sent during duplicate address detection. This
ensures that the interface can validate that its address is unique.

Valid. The address has been verified as unique, and can send and receive unicast traffic. The valid
state covers the preferred and deprecated states. The Valid Lifetime field in the Prefix Information
option of a Router Advertisement message determines the time that an address remains in the
tentative and valid states. The valid lifetime must be greater than or equal to the preferred lifetime. A
valid address is either preferred or deprecated.

Preferred. The address enables a node to send and receive unicast traffic. The Preferred Lifetime
field in the Prefix Information option of a Router Advertisement message determines the time that
an address can remain in the tentative and preferred states.

Deprecated. The address is valid, but its use is discouraged for new communication. Existing
communication sessions can continue to use a deprecated address. A node can send and receive
unicast traffic to and from a deprecated address.

Invalid. The address no longer allows a node to send or receive unicast traffic. An address enters the
invalid state after the valid lifetime.
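
The following Python example is added here and is not part of the course. It shows how a host reads the
M and O flags and the Prefix Information options from a Router Advertisement, and how the valid and
preferred lifetimes carried in that option drive the address states listed above. The RA bytes are
constructed for the example, the field offsets follow RFC 4861 and RFC 4862, and the mode names that
config_mode returns are this example's own labels.

```python
import struct
import ipaddress

# Flag bits in the Router Advertisement (ICMPv6 type 134) flags byte, RFC 4861.
RA_FLAG_M = 0x80   # Managed Address Configuration: get the address from DHCPv6
RA_FLAG_O = 0x40   # Other Configuration: get DNS and other settings from DHCPv6
PIO_FLAG_A = 0x40  # Prefix Information option: prefix usable for autoconfiguration


def build_ra(m=False, o=False, prefixes=()):
    """Constructed RA body (checksum left zero): 16-byte header followed by one
    32-byte Prefix Information option per (prefix, valid, preferred) tuple."""
    flags = (RA_FLAG_M if m else 0) | (RA_FLAG_O if o else 0)
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0x80 | PIO_FLAG_A,
                           valid, preferred, 0) + net.network_address.packed
    return msg


def parse_ra(msg):
    """Return the M and O flags and the Prefix Information options a host
    would actually use for autoconfiguration."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = msg[5]
    info = {"managed": bool(flags & RA_FLAG_M),
            "other": bool(flags & RA_FLAG_O), "prefixes": []}
    pos = 16
    while pos + 2 <= len(msg):
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0 or pos + olen > len(msg):
            raise ValueError("malformed option")      # RFC 4861: discard the RA
        if otype == 3 and olen == 32:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", msg, pos + 2)
            prefix = ipaddress.IPv6Address(msg[pos + 16:pos + 32])
            # RFC 4862 5.5.3: an option whose preferred lifetime exceeds its
            # valid lifetime is ignored, and so is one without the A flag.
            if preferred <= valid and pflags & PIO_FLAG_A:
                info["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                         "valid": valid, "preferred": preferred})
        pos += olen
    return info


def config_mode(info):
    """How the host obtains its configuration, per the M and O flags."""
    if info["managed"]:
        return "stateful"           # DHCPv6 for addresses (and other settings)
    if info["other"]:
        return "stateless+dhcpv6"   # address from the RA prefix, DNS etc. from DHCPv6
    return "stateless"


def address_state(elapsed, valid, preferred, dad_done=True):
    """State of an autoconfigured address `elapsed` seconds after it was formed
    from a prefix with the given valid and preferred lifetimes (seconds)."""
    if elapsed >= valid:
        return "invalid"            # no unicast traffic at all any more
    if not dad_done:
        return "tentative"          # duplicate address detection still running
    if elapsed < preferred:
        return "preferred"          # usable for new and existing sessions
    return "deprecated"             # still valid, but avoid it for new sessions
```

The second prefix in the test below carries a preferred lifetime longer than its valid lifetime; a
conforming host ignores that option rather than "correcting" it, which is why parse_ra drops it.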

IPv6 over IPv4 Tunneling

Key Points
As organizations transition from an IPv4-only network to IPv6, hosts must be able to communicate by
using both IP standards. Windows Vista, Windows 7, and Windows Server 2008 support a dual layer IP
architecture that contains both IPv4 and IPv6 Internet layers with a single implementation of the
transport protocols (TCP and UDP). This dual layer architecture handles IPv4 packets, IPv6 packets, and
IPv6 over IPv4 packets.
Windows Server 2003 and Windows XP use a dual stack architecture that contains a separate
implementation of TCP and UDP for IPv4 and for IPv6. The dual stack architecture provides the same
functionality as the dual layer architecture and exists to support these earlier operating systems.
To communicate over an IPv4 infrastructure, IPv6 over IPv4 tunneling can be used. Such tunneling
encapsulates IPv6 packets within an IPv4 header so that IPv6 packets can be sent over an IPv4
infrastructure.
Within the IPv4 header:

The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.

The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can
configure tunnel endpoints manually as part of the tunnel interface. Otherwise, they are derived
automatically from the next-hop address of the matching route for the destination and the tunneling
interface.

Overview of IPv6 Tunneling Technologies

Key Points
The tunneling technologies used for IPv6 over IPv4 tunneling include:

ISATAP. Local intranets can use Intra-site Automatic Tunnel Addressing Protocol (ISATAP), which
takes advantage of neighbor discovery and autoconfiguration, and it is the primary way in which
internal IPv6 nodes communicate over IPv4. ISATAP uses the interface identifier ::0:5EFE:w.x.y.z,
where w.x.y.z is the private IPv4 address. For public IPv4 addresses, the identifier is written as
::200:5EFE:w.x.y.z.
To allow for ISATAP hosts to communicate between subnets, an ISATAP router can be deployed. An
ISATAP router is an IPv6-based router, which can be used to advertise address prefixes, forward
packets between subnets, and act as a default router for ISATAP hosts.
Note: Windows Server 2008, Windows Vista Service Pack 1, and later do not automatically configure
link-local ISATAP addresses, unless the name ISATAP can be resolved to an ISATAP-based router.

6to4. 6to4 tunneling allows IPv6 sites and hosts to communicate with each other over the IPv4
Internet. 6to4 is autoconfigured on a host that has a public IPv4 address and may require the manual
configuration of a 6to4 router. 6to4 addressing embeds the public IPv4 address in the IPv6 prefix. For
example, IPv4 address 157.60.0.1 (9D.3C.00.01 in hexadecimal) becomes the prefix 2002:9D3C:1::/48.
A 6to4 address always starts with 2002.

Teredo. Teredo is a tunneling technology that encapsulates IPv6 packets in IPv4 UDP messages so that
hosts behind IPv4 NATs can communicate over the IPv6 Internet.
Note: Each of these technologies creates an IPv6 path through devices that may inspect only IPv4
traffic. Disable the transition technologies you do not use, and make sure that your firewalls and
intrusion detection systems understand Protocol 41 and Teredo (UDP) encapsulation.
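
The following Python example is added here and is not course code. It derives the 6to4 prefix and the
ISATAP link-local address for an IPv4 address, classifies an IPv6 address as 6to4, Teredo or ISATAP and
recovers the embedded IPv4 endpoint (useful when an address in a log turns out to come from a tunnel),
and builds and parses a Protocol 41 packet as described under IPv6 over IPv4 Tunneling above. The Teredo
layout follows RFC 4380; the packet and all addresses are constructed from documentation ranges.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41   # IPv4 Protocol field value for an encapsulated IPv6 packet


def six_to_four_prefix(ipv4):
    """6to4 prefix for a public IPv4 address: 2002:WWXX:YYZZ::/48."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return str(ipaddress.IPv6Network((b"\x20\x02" + packed + bytes(10), 48)))


def isatap_link_local(ipv4, public=False):
    """ISATAP link-local address: fe80:: plus the interface identifier
    ::0:5efe:w.x.y.z (private IPv4) or ::200:5efe:w.x.y.z (public IPv4)."""
    iid = (b"\x02\x00" if public else b"\x00\x00") + b"\x5e\xfe"
    iid += ipaddress.IPv4Address(ipv4).packed
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def classify(addr):
    """Name the transition technology an IPv6 address belongs to and recover
    the IPv4 endpoint embedded in it; ("native", None) for anything else."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:2] == b"\x20\x02":                                   # 6to4: 2002::/16
        return "6to4", str(ipaddress.IPv4Address(raw[2:6]))
    if raw[:4] == b"\x20\x01\x00\x00":                           # Teredo: 2001:0::/32
        server = str(ipaddress.IPv4Address(raw[4:8]))
        port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF        # obfuscated NAT port
        client = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))
        return "teredo", f"{client}:{port} via {server}"
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):  # ISATAP interface ID
        return "isatap", str(ipaddress.IPv4Address(raw[12:16]))
    return "native", None


def build_tunnel_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed IPv6-over-IPv4 packet: IPv4 header with Protocol 41 wrapped
    around an IPv6 header (next header 59 = no payload, checksum left zero)."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def parse_tunnel_packet(pkt):
    """(outer_src, outer_dst, inner_src, inner_dst) for a Protocol 41 packet,
    None for anything that is not IPv6 tunneled in IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IPV6 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])))
```

classify() is what you run over the IPv6 addresses in a log or firewall export: a 6to4 or Teredo result
means the traffic left the site through a tunnel, and the recovered IPv4 endpoint (for Teredo, the
client's NAT-mapped address and port) is what to correlate with your IPv4 logs.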

IPv6 changes in Windows Server 2008 R2 and Windows 7


Note: The content in this section only applies to Windows Server 2008 R2 and Windows 7.

Windows Server 2008 R2 and Windows 7 introduce additional support for IPv6. New features include:

IP-HTTPS. As discussed earlier, 6to4 and Teredo are used to tunnel IPv6 traffic across the IPv4
Internet. However, there may be situations where firewalls or web proxy servers are configured to
block this type of traffic. Windows 7 and Windows Server 2008 R2 can use IP-HTTPS to establish
connectivity through firewalls or web proxy servers. IP-HTTPS tunnels IPv6 packets inside an
IPv4-based secure HTTPS session. You can configure IP-HTTPS by using Netsh.exe or Group Policy
settings.

Teredo Server and Relay. Windows Server 2008 R2 includes support for configuring a Teredo server
and relay functionality. When implemented, a client communicates with a Teredo server to configure
a Teredo-based IPv6 address and initiate communication with other Teredo clients on the Internet.
Windows Server 2008 R2 DirectAccess uses the Teredo server functionality to facilitate DirectAccess
with Internet-based clients.

Group Policy Settings for Transition Technologies. Windows Server 2008 R2 and Windows 7
provide Group Policy settings related to IP-HTTPS, Teredo, 6to4, and ISATAP. You can find these
settings in the Group Policy Management Editor at:
Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6
Transition Technologies

Lesson 2

Overview of the DNS Server Role

The DNS server role is a critical component of a Windows Server 2008 domain infrastructure. DNS
provides name resolution and service location to clients on the network. This lesson provides general
information about the DNS server role and how the DNS name space works. This lesson also provides
details about what has changed for the DNS server role in Windows Server 2008 and Windows Server
2008 R2.

Objectives
After completing this lesson, you will be able to:

Describe DNS enhancements for Windows Server 2008.

Describe the types of DNS Resource Records that are available.

Describe how name resolution works in DNS.

Describe how DNS Forwarding works.

Describe how Conditional Forwarding works.

Configure DNS Forwarding.

DNS Enhancements in Windows Server 2008

Key Points
Windows Server 2008 and Windows Server 2008 R2 both provide enhancements to DNS that improve the
performance, manageability, and security of the DNS server role.

DNS Improvements in Windows Server 2008


Windows Server 2008 includes several enhanced features that improve the DNS server role. These features
include:

Background zone loading. DNS servers that host large DNS zones that are stored in AD DS can
respond to client queries more quickly after a restart, because zone data is now loaded in the
background during the startup process.

IP version 6 support. The DNS server role fully supports IPv6, which includes IPv6 host records
(AAAA records) and IPv6 reverse lookup zones.

Support for read-only domain controllers. The DNS Server role in Windows Server 2008 provides
support for primary read-only zones on read-only domain controllers (RODCs). The RODC is a new
type of domain controller that is typically deployed to remote sites that lack physical security. An
RODC does not write changes back to writable domain controllers, and the DNS zones it hosts are
likewise read-only. When you install the DNS Server service on an RODC, a read-only copy of the
domain DNS application partition (DomainDNSZones) and the forest DNS application partition
(ForestDNSZones) is replicated to the RODC. Clients can query DNS on an RODC but cannot update
records there; the RODC refers dynamic update requests to a writable DNS server.

Global single names. The DNS Server service in Windows Server 2008 provides a new zone type
called the GlobalNames zone (GNZ), which you can use to hold unique, single-label names across an
entire forest. This eliminates the need to use the NetBIOS-based Windows Internet Name Service
(WINS) to provide support for single-label names. The GNZ provides single-label name resolution for
large enterprise networks that do not deploy WINS. Some networks may require the ability to resolve
static, global records with single-label names, which WINS currently provides. These single-label names
refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is created
manually and does not support dynamic registration of records. The GNZ is intended to help
organizations migrate from WINS to DNS for all name resolution requirements. To create a GNZ,
simply create an AD DS-integrated forward lookup zone called GlobalNames. After the zone is
created, enable it by running the following command on every authoritative DNS server in the
forest:
dnscmd <ServerName> /config /enableglobalnamesupport 1

Global query block list. By default, well-known host names for services such as Web Proxy
Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are
listed in a global query block list, and the DNS server does not answer queries for those names even
if a matching record exists. This reduces the chance that a malicious user dynamically registers a
host that poses as a legitimate server for one of these services. If you need to use these services,
you must specifically remove the WPAD or ISATAP name from the global query block list. Create the
record manually before you do so, so that the name cannot be claimed through dynamic update. To view
or modify the block list, use the dnscmd command-line tool.
Note: For more information about the DNS server global query block list, see the Microsoft
documentation for the DNS Server Global Query Block List.

DNS Improvements in Windows Server 2008 R2

Note: The content in this section applies only to Windows Server 2008 R2 and Windows 7.

In addition to the enhancements listed above, Windows Server 2008 R2 and the Windows 7 client support
several additional features. These features include:

DNS Security Extensions (DNSSEC). DNSSEC provides the ability for a DNS zone and all records in
the zone to be cryptographically signed. DNS is often subject to attacks such as man-in-the-middle,
spoofing, and cache poisoning. DNSSEC helps protect against these threats and provides a more secure
DNS infrastructure. When a DNS server that hosts a signed zone receives a query, it returns the
digital signatures in addition to the records queried for. A resolver or another server can obtain
the public key of the public/private key pair and validate that the responses are authentic and have
not been tampered with. To do so, the resolver or server must be configured with a trust anchor for
the signed zone, or for a parent of the signed zone. The DNSSEC implementation in the Windows Server
2008 R2 DNS server can sign both file-backed and Active Directory-integrated zones through an
offline zone signing tool. The signed zone then replicates, or is transferred by zone transfer, to
other authoritative DNS servers. When configured with a trust anchor, a DNS server can perform
DNSSEC validation on responses it receives on behalf of the client. Note that DNSSEC proves that
the data is authentic; it does not encrypt queries or responses.

DNS Devolution. Devolution is a feature of the DNS client that allows network hosts to resolve
single-label names by appending successively shorter portions of the primary DNS suffix. For example,
when a client that is a member of corp.contoso.com attempts to resolve the name fileserver, the
client attempts to resolve fileserver.corp.contoso.com and then fileserver.contoso.com. In previous
versions of Windows, the devolution level is always 2, which means that the client keeps devolving
until the suffix has two labels. This causes problems for organizations whose forest root domain has
more than two labels, because the client also sends queries for names in a parent domain that the
organization does not control. Windows Server 2008 R2 and Windows 7 change this default so that the
devolution level is automatically set to the number of labels in the forest root domain. For
example, if the forest root domain is corp.contoso.com, the devolution level is set to 3. When a
client attempts to resolve the name fileserver, it tries only fileserver.corp.contoso.com and does
not attempt to resolve fileserver.contoso.com.

DNS Cache Locking. When a recursive DNS server responds to a query, it caches the results it
obtained so that it can respond quickly if it receives another query for the same information.
The time that the DNS server keeps information in its cache is determined by the Time to Live
(TTL) value of the resource record. Until the TTL expires, information in the cache might be
overwritten if updated information about that resource record is received, and an attacker can
exploit this by sending a forged response that carries replacement records. When you enable cache
locking, the DNS server does not allow cached records to be overwritten for a configurable
percentage of the TTL (100 percent by default). Cache locking makes cache-poisoning attacks harder,
because a record that is already cached cannot be replaced before it expires.

DNS Socket Pool. When the DNS service starts, the server allocates a pool of sockets (2,500 by
default) bound to random source ports, and it picks a socket from this pool for each outbound query.
Instead of using a predictable source port, the DNS server therefore uses a random port number
selected from the socket pool. The socket pool makes cache-poisoning attacks more difficult because
an attacker must correctly guess the source port of a DNS query in addition to the random 16-bit
transaction ID to successfully execute the attack.
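
The following Python example is added here and is not course code. It puts numbers on the two defenses
just described: guess_probability gives the chance that an attacker's blind, forged replies match an
outstanding query, and the Resolver and Cache classes model a socket pool, transaction ID matching, and
cache locking. The pool size of 2,500 is the Windows Server 2008 R2 default; the seed parameter exists
only so that the example is reproducible and is not something a real server offers.

```python
import random

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID
SOCKET_POOL_SIZE = 2500     # Windows Server 2008 R2 default socket pool size


def guess_probability(attempts, port_pool=1):
    """Chance that `attempts` blind, spoofed replies hit one outstanding query:
    the attacker must match the TXID and, with a socket pool, the source port."""
    space = TXID_SPACE * port_pool
    return 1.0 - (1.0 - 1.0 / space) ** attempts


class Cache:
    """Resolver cache; lock_percent is the share of the TTL during which an
    existing record cannot be overwritten (cache locking, 100 by default)."""

    def __init__(self, lock_percent=100):
        self.lock_percent = lock_percent
        self.entries = {}   # name -> (rdata, expires_at, locked_until)

    def insert(self, name, rdata, ttl, now):
        entry = self.entries.get(name)
        if entry is not None and now < entry[1] and now < entry[2]:
            return "locked"          # inside the lock window: keep the existing data
        self.entries[name] = (rdata, now + ttl, now + ttl * self.lock_percent / 100)
        return "stored"

    def lookup(self, name, now):
        entry = self.entries.get(name)
        return None if entry is None or now >= entry[1] else entry[0]


class Resolver:
    """Outbound side of a recursive server: socket pool, random TXID, and the
    check that a reply matches a query this server actually sent."""

    def __init__(self, pool_size=SOCKET_POOL_SIZE, lock_percent=100, seed=None):
        # seed is only for reproducible tests; a real server uses a CSPRNG
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.ports = self.rng.sample(range(49152, 65536), pool_size)   # the socket pool
        self.pending = {}        # (source port, txid) -> queried name
        self.cache = Cache(lock_percent)

    def send_query(self, name):
        port = self.rng.choice(self.ports)
        txid = self.rng.randrange(TXID_SPACE)
        self.pending[(port, txid)] = name
        return port, txid

    def receive(self, port, txid, name, rdata, ttl, now):
        if self.pending.get((port, txid)) != name:
            return "dropped"     # wrong port, TXID or name: not a reply to our query
        del self.pending[(port, txid)]
        return self.cache.insert(name, rdata, ttl, now)
```

With a fixed source port, 65,536 forged replies give an attacker roughly a 63 percent chance of a hit;
against the default pool the same effort is below 0.1 percent. Cache locking then denies an attacker who
does get a reply accepted the chance to replace an entry that is already cached.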

DNS Resource Records

Key Points
Many organizations implement DNS to support both an internal Active Directory namespace and an
external Internet presence. In both cases, resource records provide the name and service resolution
that your network requires.
Resource records contain information about the resources that are managed within a specific DNS zone.
They include information such as the owner of the record, the resource record type, how long the
resource record can remain in the cache, and data specific to the resource record, such as a host IP
address.
Resource records can be added manually, or they can be added automatically by using a process called
dynamic update.
The following table describes the most common types of resource records:

Record   Description
SOA      Start of Authority. Identifies the primary name server for the zone, the responsible
         contact, and the zone's serial number and timers.
NS       Name Server. Identifies the name servers that are authoritative for the domain.
A        Host. The main record; maps a host name to an IPv4 address.
AAAA     IPv6 Host. Maps a host name to an IPv6 address.
CNAME    Alias. Points an additional name at an existing host name; for example, www can point
         to a host named Server1.
MX       Mail Exchanger. Specifies the mail server for a domain, with a preference value that
         orders multiple mail servers.
SRV      Service Location. Identifies a host that offers a service, such as a domain controller
         or global catalog server, together with its port, priority, and weight. Active Directory
         uses these records extensively.
PTR      Pointer. Maps an IP address back to a domain name. PTR records are stored in the
         reverse lookup zone.

How DNS Name Resolution Works

Key Points
DNS name resolution begins with a query from a client to a DNS server. A DNS query is one of two
types: recursive or iterative.

Recursive. By default, when a DNS server receives a query from a client, the query is
recursive. Recursion means that the DNS server either answers the query itself or continues to query
other DNS servers on behalf of the requesting client. A recursive query has one of two possible
outcomes: the IP address of the host is returned to the requesting client, or an error message
stating that the server cannot resolve the name is sent to the requesting client.
Note: If a DNS server is not intended to receive recursive queries, for example an Internet-facing
server that is authoritative only for your public zones, disable recursion on that server by using
DNS Manager or the dnscmd command-line utility. An open recursive server can be abused for cache
poisoning and for reflection attacks against third parties. If you disable recursion on a DNS
server, root hints are not queried, and you cannot use forwarders to other DNS servers for name
resolution.

Iterative. When a DNS server receives a request from a client that it cannot answer by using its local
or cached information, it sends an iterative query to another DNS server. A DNS server that receives
an iterative query answers either with the IP address for the requested host name (if known) or with a
referral to the DNS servers that are responsible for the domain being queried.

A DNS server is either authoritative or nonauthoritative for the query's namespace.

Authoritative. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS
zone. If the DNS server is authoritative for the query's namespace, the DNS server checks the zone
and either returns the requested address or returns an authoritative denial of the request because the
name does not exist in the zone.

Nonauthoritative. If the local DNS server is nonauthoritative for the query's namespace, the DNS
server does one of the following:

Checks its cache and returns a cached response.

Forwards the unresolvable query to a specific server called a forwarder.

Uses root hints (the well-known addresses of the root servers) to find an authoritative DNS
server that can resolve the query.

DNS Forwarding

Key Points
DNS forwarding can be used to manage name resolution for names outside your network. Using a
forwarder, you can minimize the work and traffic that result from your DNS server performing its own
iterative queries.
When you designate a forwarder, your DNS server sends it every query that it cannot answer from its
own zones or cache. Many organizations point to a forwarder located at an ISP, which holds a large
cache of external DNS information because of the large number of queries that are resolved through it.
When a DNS server sends a request to a forwarder, the request is a recursive query. This is different
from standard name resolution, in which the server sends iterative queries to other DNS servers.
Note: By default, root hints are used if no forwarder is available. You can change this default on
the Forwarders tab of the DNS server properties in DNS Manager.

What Is Conditional Forwarding?

Key Points
You can use a conditional forwarder to provide more efficient name resolution between specific DNS
namespaces.
For example, you can configure a DNS server to forward all queries that it receives for names ending with
adatum.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. Any
query that is specific to the adatum.com domain will be forwarded directly to the appropriate DNS server
instead of the standard iterative query process.
Windows Server 2008 also provides the ability to store conditional forwarders in Active Directory. If you
configure a conditional forwarder to be stored in Active Directory, you can choose to replicate it to all
DNS servers in the forest, all DNS servers in the domain, or all domain controllers in the domain.
Note: If you have conditional forwarders defined for a specific domain, the conditional forwarders will
be used instead of server-based forwarders.
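
To tie together client-side devolution (from the DNS enhancements topic), recursive and iterative
queries, forwarders, conditional forwarders and root hints, here is an added Python model. It is not
course code and not a real resolver. The topology at the bottom is constructed from documentation
addresses and made-up server names; adatum.com is reachable only through the conditional forwarder, so
its precedence over the server-level forwarder is visible in the returned trace.

```python
def _in_zone(qname, zone):
    return zone == "." or qname == zone or qname.endswith("." + zone)  # "." is the root


def devolution_candidates(name, primary_suffix, level=None):
    """FQDNs a Windows client tries for a single-label name. Without a level, the
    Windows 7 / Server 2008 R2 default applies: stop when the suffix has as many
    labels as the forest root (assumed here to be the primary suffix itself)."""
    labels = primary_suffix.lower().strip(".").split(".")
    level = len(labels) if level is None else level
    candidates = []
    while len(labels) >= level:
        candidates.append(f"{name.lower()}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


class AuthServer:
    """Authoritative server: answers from its zones or returns a referral."""

    def __init__(self, name, zones):
        self.name, self.zones = name, zones  # {zone: {"A": {...}, "NS": {child: AuthServer}}}

    def query(self, qname):
        zone = max((z for z in self.zones if _in_zone(qname, z)), key=len, default=None)
        if zone is None:
            return "refused", None           # not authoritative, no recursion offered
        for child, server in self.zones[zone].get("NS", {}).items():
            if _in_zone(qname, child):
                return "referral", server    # delegation: ask the child zone's server
        ip = self.zones[zone].get("A", {}).get(qname)
        return ("answer", ip) if ip else ("nxdomain", None)   # authoritative denial


class RecursiveServer:
    """Caching recursive server: conditional forwarders, then forwarders, then root hints."""

    def __init__(self, root, forwarders=(), conditional=None, recursion=True,
                 root_hints_fallback=True):
        self.root, self.forwarders = root, list(forwarders)
        self.conditional = dict(conditional or {})   # zone -> AuthServer
        self.recursion, self.fallback = recursion, root_hints_fallback
        self.available, self.cache = True, {}

    def query(self, qname):
        """Recursive query from a client: (ip or None, trace of the path taken)."""
        qname = qname.lower().rstrip(".")
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        if not self.recursion:
            return None, ["recursion-disabled"]      # neither forwarders nor root hints
        for zone in sorted(self.conditional, key=len, reverse=True):   # most specific first
            if _in_zone(qname, zone):
                status, data = self.conditional[zone].query(qname)
                return self._done(qname, data if status == "answer" else None,
                                  [f"conditional:{zone}", status])
        trace = []
        for fwd in self.forwarders:                  # recursive query to the forwarder
            if not fwd.available:
                trace.append("forwarder-unreachable")
                continue
            ip, sub = fwd.query(qname)
            return self._done(qname, ip, trace + ["forwarder"] + sub)
        if self.forwarders and not self.fallback:
            return None, trace + ["servfail"]
        server, trace = self.root, trace + ["root-hints"]   # iterate, following referrals
        while True:
            status, data = server.query(qname)
            trace.append(f"{server.name}:{status}")
            if status != "referral":
                return self._done(qname, data if status == "answer" else None, trace)
            server = data

    def _done(self, qname, ip, trace):
        if ip is not None:
            self.cache[qname] = ip
        return ip, trace


def client_lookup(name, primary_suffix, resolver, level=None):
    """Client side: try each devolved FQDN against the configured DNS server."""
    for fqdn in devolution_candidates(name, primary_suffix, level):
        ip, trace = resolver.query(fqdn)
        if ip is not None:
            return fqdn, ip, trace
    return None, None, []


# Constructed topology (documentation addresses and made-up server names).
corp_ns = AuthServer("dc1.corp.contoso.com",
                     {"corp.contoso.com": {"A": {"fileserver.corp.contoso.com": "10.0.0.5"}}})
contoso_ns = AuthServer("ns1.contoso.com", {"contoso.com": {
    "A": {"www.contoso.com": "192.0.2.80"}, "NS": {"corp.contoso.com": corp_ns}}})
com_ns = AuthServer("a.gtld.example", {"com": {"NS": {"contoso.com": contoso_ns}}})
root_ns = AuthServer("a.root.example", {".": {"NS": {"com": com_ns}}})
adatum_ns = AuthServer("ns1.adatum.com", {"adatum.com": {"A": {"mail.adatum.com": "203.0.113.25"}}})
isp = RecursiveServer(root_ns)                                   # the ISP's recursive server
local = RecursiveServer(root_ns, forwarders=[isp], conditional={"adatum.com": adatum_ns})
```

The trace for www.contoso.com through local shows the full chain: a recursive query to the forwarder,
which walks the root hints with iterative queries and follows two referrals. Calling
devolution_candidates("fileserver", "corp.contoso.co.uk", level=2) shows why the old fixed level was a
problem: the last candidate is fileserver.co.uk, a name under a domain the organization does not own.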

Demonstration: How to Configure DNS Forwarding

Key Points
In this demonstration, you will see how to:

Configure a DNS Forwarder.

Configure a Conditional Forwarder.

Demonstration Steps:
1. Open DNS Manager.
2. Right-click the server name, and then click Properties.
3. In the server properties dialog box, click the Forwarders tab, and then configure a forwarder. Click
   OK to close the properties dialog box.
4. To configure a conditional forwarder, click the Conditional Forwarders node.
5. Right-click the Conditional Forwarders node, and then click New Conditional Forwarder. Configure the
   conditional forwarder by providing the DNS domain and the IP address of the authoritative server.
6. Configure the conditional forwarder to be stored in Active Directory, and configure its replication
   scope.

Lesson 3

Configuring DNS Zones

A DNS zone hosts all or a portion of a DNS domain. A zone is typically configured to be a forward or a
reverse lookup zone and can be replicated to additional DNS servers for redundancy. Zone data can be
stored in a local file that contains the mapping information, or a zone can be integrated into Active
Directory to provide enhanced security and availability. This lesson provides information on the types of
DNS zones and how zones can be replicated between DNS servers.

Objectives
After completing this lesson, you will be able to:

Describe forward and reverse lookup zones.

Describe DNS zone types.

Describe the use and requirements for Active Directory integrated zones.

Create forward and reverse lookup zones.

Describe DNS zone transfer.

Manage DNS zone settings.

Identify tools used to troubleshoot DNS.

What Are Forward and Reverse Lookup Zones?

Key Points
You can configure a DNS server to host both forward lookup zones and reverse lookup zones. Each of
these zone types provides name resolution capabilities as described below.

Forward Lookup Zone

DNS clients use a forward lookup zone to resolve a DNS domain name to an IP address or to locate a
network service. This zone hosts the common DNS records such as the Start of Authority (SOA), Name
Server (NS), Host (A) records, and Active Directory-based SRV records.

Reverse Lookup Zone

DNS can also be configured to support the reverse lookup process by using a reverse lookup zone. When
one is configured, a DNS client can take a known IP address and look up the computer name that is
associated with it. To support reverse lookup queries, two special domains have been standardized for
DNS:

in-addr.arpa. The in-addr.arpa domain is reserved in the DNS namespace to provide a way to
perform reverse queries for IPv4 addresses. The reverse namespace consists of subdomains within the
in-addr.arpa domain that use the octets of the IP address in reverse order; for example, the name for
192.0.2.1 is 1.2.0.192.in-addr.arpa.

ip6.arpa. The ip6.arpa domain provides reverse lookup for IPv6 addresses. The name is formed from
the 32 hexadecimal digits of the address in reverse order, one digit per label.

A reverse lookup zone is optional. However, you may need to configure a reverse lookup zone if you have
applications that rely on looking up hosts by their IP addresses. Many applications log this information
in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the
host name by using the reverse zone information. Keep in mind that the PTR record is controlled by
whoever controls the reverse zone for that address, so a name obtained this way is a hint, not proof
of identity. In addition, many email security gateways use reverse lookups to validate that the IP
address sending messages is associated with an authorized and approved domain.
To support reverse lookup functionality, perform the following tasks:
1. Create a reverse lookup zone that corresponds to the subnet network address.
2. In the reverse lookup zone, add a pointer (PTR) record that maps the IP address to the host name.
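
The following Python example is added here and is not part of the course. It parses the record types
from the table earlier in this lesson, checks two RFC rules that catch typical zone mistakes, and
computes the in-addr.arpa and ip6.arpa owner names and the PTR line needed for the reverse lookup tasks
above. The sample zone is constructed, and the RDATA field names are this example's own.

```python
import ipaddress
from collections import defaultdict

# RDATA field names for the record types in the table (this example's own layout).
RDATA_FIELDS = {
    "SOA": ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum"),
    "NS": ("target",), "A": ("address",), "AAAA": ("address",), "CNAME": ("target",),
    "MX": ("preference", "target"), "SRV": ("priority", "weight", "port", "target"),
    "PTR": ("target",),
}
NUMERIC = {"serial", "refresh", "retry", "expire", "minimum", "preference",
           "priority", "weight", "port"}


def _fqdn(name, origin):
    """Absolute, lower-case name; relative names get the origin appended."""
    if name == "@":
        return origin
    return name[:-1].lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin, default_ttl=3600):
    """Parse zone-file style lines "[owner] [ttl] [IN] type rdata..." into dicts
    with owner, ttl, type and the named RDATA fields."""
    origin = origin.rstrip(".").lower()
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else _fqdn(fields.pop(0), origin)
        ttl = int(fields.pop(0)) if fields and fields[0].isdigit() else default_ttl
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        if not fields:
            raise ValueError(f"bad record: {raw!r}")
        rtype = fields.pop(0).upper()
        names = RDATA_FIELDS.get(rtype)
        if names is None or len(fields) != len(names):
            raise ValueError(f"bad record: {raw!r}")
        rec = {"owner": owner, "ttl": ttl, "type": rtype}
        for key, value in zip(names, fields):
            if key in NUMERIC:
                rec[key] = int(value)
            elif key == "address":
                addr = ipaddress.ip_address(value)
                if addr.version != (4 if rtype == "A" else 6):
                    raise ValueError(f"wrong address family: {raw!r}")
                rec[key] = str(addr)
            else:
                rec[key] = _fqdn(value, origin)
        records.append(rec)
        last_owner = owner
    return records


def check_zone(records):
    """Two rules from RFC 1034 and RFC 2181 that sloppy zones commonly break: a
    CNAME owner may hold no other records, and NS/MX targets must not be aliases."""
    types_by_owner = defaultdict(set)
    for r in records:
        types_by_owner[r["owner"]].add(r["type"])
    problems = []
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME mixed with {sorted(types - {'CNAME'})}")
    for r in records:
        if r["type"] in ("NS", "MX") and "CNAME" in types_by_owner.get(r["target"], ()):
            problems.append(f"{r['owner']}: {r['type']} target {r['target']} is a CNAME")
    return problems


def reverse_name(ip):
    """PTR owner name: octets reversed under in-addr.arpa for IPv4; all 32
    hexadecimal digits reversed, one per label, under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa"


def ptr_record(ip, host, ttl=3600):
    """The zone-file line to add to the reverse lookup zone for `ip`."""
    return f"{reverse_name(ip)}. {ttl} IN PTR {host.rstrip('.')}."


# Constructed sample zone for contoso.com (not a real zone).
SAMPLE_ZONE = """\
@          3600 IN SOA   dc1.corp.contoso.com. hostmaster.contoso.com. 2011090701 900 600 86400 3600
@               IN NS    dc1.corp.contoso.com.
@               IN MX    10 mail
dc1.corp        IN A     10.0.0.5
dc1.corp        IN AAAA  2001:db8:1::5
mail            IN A     10.0.0.25
www             IN CNAME dc1.corp      ; alias for the host
_ldap._tcp      IN SRV   0 100 389 dc1.corp
"""
```

Adding a CNAME for mail on top of its A record is the kind of mistake check_zone reports twice: once
for the mixed owner and once because the MX now points at an alias.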

DNS Dynamic Update


Forward and reverse lookup zones both support the ability to perform dynamic updates. These updates
enable DNS clients to automatically register and update their resource records whenever changes occur.
Dynamic updates take place in the following instances:

At startup time when the computer is turned on.

When the ipconfig /registerdns command is used to manually force a refresh of the client name
registration.

When an IP address lease changes or is renewed.

When an IP address is added, removed, or modified in the TCP/IP properties of the client.

What Are DNS Zone Types?

Key Points
A forward or reverse lookup zone can be configured to support one of three main types of zones:

Primary zone

Secondary zone

Stub zone

Primary Zone
With a standard primary zone, all DNS records are stored in a zone data file located on the DNS server
called zone_name.dns (where zone_name is the name of the zone) which is stored in the
%windir%\System32\Dns folder. When a zone file is used, the server hosting the Primary zone is the only
server that has a writable copy of the DNS database. If the DNS server is a writable domain controller, you
can also choose to store the zone data in Active Directory Domain Services to provide efficient replication
and increased security of the DNS infrastructure. With Active Directory-integrated primary zones, all data
for a zone resides in the directory.

Secondary Zone
A secondary zone is a copy of a primary zone that is hosted on another DNS server. A secondary zone
must be obtained from another DNS server, and is used to provide load balancing and redundancy for
name resolution.
Secondary zones cannot be stored in AD DS.

Stub Zone
A stub zone is a specific type of zone that only provides information about the authoritative name servers
for the zone. When you create a stub zone, you specify one or more authoritative DNS servers that host
the zone. The stub zone replicates data from the authoritative server such as the SOA resource record, NS
resource records, and glue records (which are host (A) records) that are used to locate the name servers.

Stub zones are quite useful when an organization contains a large AD DS forest structure consisting of
several parent and child domains. Stub zones are used in this scenario to:

Improve name resolution. When a DNS client queries the DNS server hosting a stub zone, the DNS
server performs recursion by using the stub zone's list of name servers. This minimizes the need to
query the Internet or root hints to perform name resolution.

Maintain delegated zone information. The stub zone is updated regularly to ensure that the
current list of authoritative name servers is provided in the stub zone.

Minimize zone transfer traffic. You can use stub zones to distribute a list of authoritative DNS
servers for a zone without using secondary zones. This can minimize zone transfer traffic and improve
name resolution efficiency. However, stub zones do not enhance redundancy or provide load sharing
capabilities like secondary zones.
Note: A stub zone can be configured to store its zone data in Active Directory.

What Is an Active Directory-Integrated Zone?

Key Points
Primary and stub zones can be stored in the AD DS database when the DNS server is an AD DS
domain controller. This creates an Active Directory-integrated zone. The benefits of Active
Directory-integrated zones are significant:

Multimaster updates. Unlike standard primary zones, which can be modified only by a single
primary server, Active Directory-integrated zones can be written to by any DC to which the zone is
replicated. This removes a single point of failure in the DNS infrastructure. It is particularly important
in geographically distributed environments that use dynamic update zones, because they allow clients
to update their DNS records without having to connect to a potentially distant primary server.

Replication of DNS zone data by using AD DS replication. One of the characteristics of Active
Directory replication is attribute-level replication, in which only changed attributes are replicated. An
Active Directory-integrated zone can leverage these benefits of Active Directory replication, rather
than replicating the entire zone file as in traditional DNS zone transfer models.

Secure dynamic updates. An Active Directory-integrated zone can enforce secure dynamic updates.
When you configure an Active Directory-integrated zone to support secure dynamic updates, you can
then use the access control list (ACL) to specify which users or groups have the ability to modify the
zone and the records in the zone. When you create a new Active Directory-integrated zone, it is
configured to use secure dynamic updates by default. Members of the Authenticated Users group are
able to create a new object in the zone. Also, by default, when an authenticated user or computer
creates an object in the zone, it is considered the owner of the object and has full control to modify
or remove the DNS registration as needed.

Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows
you to delegate administration of zones, domains, and resource records by modifying the access
control list (ACL) on the object.

Demonstration: How to Create Forward and Reverse Lookup Zones

Key Points
In this demonstration, you will see how to:

Create a forward lookup zone.

Create a reverse lookup zone.

Demonstration Steps:
1. Open the DNS Manager.
2. Right-click the Forward Lookup Zones node and then click New Zone.
3. Use the New Zone Wizard to create the new forward lookup zone.
4. Right-click the Reverse Lookup Zones node and then click New Zone.
5. Use the New Zone Wizard to create the new reverse lookup zone.

Overview of DNS Zone Transfer

Key Points
A zone transfer occurs when a zone is transferred from one DNS server to another DNS server. Zone
transfers synchronize primary and secondary DNS server zones.
A full zone transfer occurs when the entire zone is copied from one DNS server to another. A full zone
transfer is known as an All Zone Transfer (AXFR).
An incremental zone transfer occurs when there is an update to the DNS server, and only the resource
records that were changed are replicated to the other server. This is an Incremental Zone Transfer (IXFR).
Windows DNS servers also perform fast transfers, a type of zone transfer that uses compression and
sends multiple resource records in each transmission.
Not all DNS server implementations support incremental and fast zone transfers. When integrating a
Windows Server 2008 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must
ensure that the features you need are supported by the BIND version that is installed.
You can configure zone transfers from the Zone Transfers tab of the zone properties dialog box.

DNS Notify
By default, secondary servers query for updated information every 15 minutes. To ensure that secondary
servers receive zone changes as quickly as possible, you can configure the source server to notify specified
secondary servers when a zone is updated.
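An added illustration, not from the course, of how a secondary server decides between doing nothing, an IXFR and an AXFR after comparing SOA serials, and of how a DNS Notify message short-circuits the 15-minute poll. The Contoso.com record data is constructed from the lab on this page; the serial comparison follows RFC 1982 serial arithmetic, while the IXFR diff is a simplification (the real protocol sends one delta per serial step), and the IXFR-capability flag stands in for the BIND-version check described above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str


@dataclass(frozen=True)
class ZoneVersion:
    serial: int                  # SOA serial; the primary increments it on every change
    records: FrozenSet[Record]


def _key(r: Record):
    return (r.name, r.rtype, r.data)


def serial_is_newer(primary: int, secondary: int) -> bool:
    """RFC 1982 serial-number arithmetic: 32-bit serials compare modulo 2**32,
    so a serial that has wrapped around zero is still recognized as newer."""
    return 0 < (primary - secondary) % (1 << 32) < (1 << 31)


def poll_due(minutes_since_last_poll: float, notified: bool,
             refresh_minutes: float = 15) -> bool:
    """The secondary asks the primary for its SOA when the refresh interval has
    elapsed (15 minutes by default, as stated above) or as soon as a DNS Notify
    message for the zone has arrived."""
    return notified or minutes_since_last_poll >= refresh_minutes


def plan_transfer(secondary: Optional[ZoneVersion], primary: ZoneVersion,
                  ixfr_supported: bool) -> Dict:
    """Decide what the secondary pulls once it has compared SOA serials."""
    if secondary is not None and not serial_is_newer(primary.serial, secondary.serial):
        return {"type": "none"}                       # already up to date
    if secondary is None or not ixfr_supported:
        # No local copy yet, or the peer (e.g. an old BIND) cannot do IXFR:
        # the whole zone is copied.
        return {"type": "AXFR", "serial": primary.serial,
                "records": sorted(primary.records, key=_key)}
    # IXFR: only the records that differ between the two versions travel.
    return {"type": "IXFR", "from": secondary.serial, "to": primary.serial,
            "delete": sorted(secondary.records - primary.records, key=_key),
            "add": sorted(primary.records - secondary.records, key=_key)}


if __name__ == "__main__":
    # Constructed sample zone data based on the lab: NYC-DC1 and NYC-SVR1 exist in
    # both versions; the primary has since gained the www alias for NYC-SVR1.
    base = frozenset({Record("nyc-dc1.contoso.com", "A", "10.10.0.10"),
                      Record("nyc-svr1.contoso.com", "A", "10.10.0.11")})
    www = Record("www.contoso.com", "CNAME", "nyc-svr1.contoso.com")
    on_secondary = ZoneVersion(2011090701, base)
    on_primary = ZoneVersion(2011090702, base | {www})
    print(plan_transfer(on_secondary, on_primary, ixfr_supported=True))    # IXFR: add www only
    print(plan_transfer(on_secondary, on_primary, ixfr_supported=False))   # AXFR: all three records
    print(plan_transfer(on_secondary, on_secondary, ixfr_supported=True))  # none
    print(poll_due(3, notified=True))                                      # True: Notify arrived
```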

What Is Time Stamping, Aging, and Scavenging?

Key Points
DNS dynamic update provides many advantages for automatically adding records to the DNS database.
However, there may be times when the records are not automatically removed when devices leave the
network. For example, if a device registers its own host (A) record and then is improperly disconnected
from the network, a stale resource record may remain in the DNS database.
Having a large number of stale resource records can lead to many problems such as out-of-date resource
records that cause clients to experience name resolution issues and unnecessarily long zone transfers.
The DNS Server service addresses this problem by using the following features:

Time Stamping. Any resource record that is dynamically added to a primary zone contains a time
stamp that is based upon the current date and time of the DNS server. This time stamp is used to
assist in the aging and scavenging process.
Note: If you manually add a resource record, a time stamp of 0 is used. This indicates that the record is
not affected by the aging or the scavenging process.

Aging. You can configure a specified refresh time period for the entire DNS server or for specific
zones stored on the server. This refresh period is used to determine when scavenging can take place.

Scavenging. Any records that are beyond the specified refresh period can be automatically removed
by the scavenging process. You can configure scavenging to take place automatically, or you can
manually initiate scavenging.

Configuring Aging and Scavenging


By default, aging and scavenging are disabled. You can enable scavenging of stale resource records at the
server level or the zone level by using the following process:
1. In the DNS Manager console, open the DNS server Properties dialog box.
2. On the Advanced tab, select the Enable automatic scavenging of stale records check box and
configure an appropriate scavenging period. The default is 7 days.
3. If you want to configure aging settings for all zones on the server, right-click the DNS server and click
Set Aging/Scavenging for All Zones. You can configure server-based settings in the Server
Aging/Scavenging Properties dialog box.
4. If you want to configure aging settings for a specific zone, right-click the zone and click Properties.
On the General tab, click the Aging button. You can configure zone-based settings in the Zone
Aging/Scavenging Properties dialog box.
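To make concrete what the time stamp, the no-refresh and refresh intervals, and the server scavenging period each do, here is an added model that is not the course's or Windows' own code. It assumes scavenging is enabled at both the server and the zone level, uses the 7-day defaults from Lab A, Exercise 2, and the record names and timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class DnsRecord:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]    # None models the "0" time stamp of a manually added record


@dataclass
class AgingPolicy:
    """Zone-level intervals plus the server-level scavenging period."""
    no_refresh: timedelta = timedelta(days=7)          # defaults used in Lab A, Exercise 2
    refresh: timedelta = timedelta(days=7)
    scavenging_period: timedelta = timedelta(days=7)   # Advanced tab default on the server


def at_day(n: int) -> datetime:
    """Constructed timeline for the example: day 0 is 7 Sep 2011."""
    return datetime(2011, 9, 7) + timedelta(days=n)


def try_refresh(record: DnsRecord, now: datetime, policy: AgingPolicy) -> bool:
    """Process a dynamic re-registration (for example ipconfig /registerdns).
    The time stamp advances only after the no-refresh interval has passed;
    earlier refreshes are suppressed so that a client rebooting every day does
    not write to the zone (and trigger AD DS replication) every day."""
    if record.timestamp is None:
        return False                               # static records are never time-stamped
    if now < record.timestamp + policy.no_refresh:
        return False
    record.timestamp = now
    return True


def is_stale(record: DnsRecord, now: datetime, policy: AgingPolicy) -> bool:
    """A record may be scavenged once no-refresh + refresh has elapsed since its time stamp."""
    if record.timestamp is None:
        return False
    return now >= record.timestamp + policy.no_refresh + policy.refresh


def scavenge(records: List[DnsRecord], now: datetime, policy: AgingPolicy,
             last_run: datetime) -> List[str]:
    """Run the automatic scavenging pass if the scavenging period has elapsed
    since the last run. Removes stale records in place and returns their names."""
    if now - last_run < policy.scavenging_period:
        return []
    stale = [r for r in records if is_stale(r, now, policy)]
    for r in stale:
        records.remove(r)
    return [r.name for r in stale]


if __name__ == "__main__":
    policy = AgingPolicy()
    # Constructed records: a server registered today, a laptop last seen 15 days ago,
    # and a manually created MX record with no time stamp.
    zone = [DnsRecord("nyc-svr1.contoso.com", "A", "10.10.0.11", at_day(0)),
            DnsRecord("laptop17.contoso.com", "A", "10.10.0.87", at_day(-15)),
            DnsRecord("contoso.com", "MX", "10 mail.contoso.com", None)]
    print(try_refresh(zone[0], at_day(3), policy))   # False: still inside no-refresh
    print(try_refresh(zone[0], at_day(8), policy))   # True: time stamp moves to day 8
    print(scavenge(zone, at_day(8), policy, last_run=at_day(-2)))  # ['laptop17.contoso.com']
```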

Tools Used to Troubleshoot DNS

Key Points
DNS functionality may be affected by the following issues:

Network connectivity with other DNS servers. If your DNS server is configured to forward requests
to another DNS server, network connectivity must be maintained to the other DNS server. DNS root
hint queries also require appropriate network connectivity.

Missing records. If a record for a specific host is not registered in the DNS server, name resolution
will fail. This can be caused by incorrectly configured clients, or the records may have been scavenged
prematurely.

Incomplete records. A record must contain all the information needed to locate the resource it
represents. If some of that information is missing, clients requesting the resource receive invalid
information. A service record that does not contain a port number is an example of an incomplete record.

Incorrectly configured records. Records that point to an invalid IP address or have invalid
information in their configuration also cause problems when DNS clients try to locate resources.

Tools used to troubleshoot these and other configuration issues include:


IPconfig. Use this command to view and modify IP configuration details that the computer uses. This
utility includes additional command-line options that you can use to troubleshoot and support DNS
clients. You can view the client's local DNS cache by using the ipconfig /displaydns command, and
you can clear the local cache by using ipconfig /flushdns.

Monitoring. The Monitoring tab on the Server Properties dialog box can be used to verify the server
configuration by performing a simple query against the DNS server or a recursive query to other DNS
servers.

Global Logs. The Global Logs node in the DNS Manager provides a list of DNS events that have
taken place on the server. This can be useful to determine scavenging or zone transfer details.

Nslookup. Use this to query DNS information. The tool is very flexible and can provide a lot of
valuable information about DNS server status. You also can use it to look up resource records and
validate their configuration. You also can test zone transfers, security options, and MX record
resolution.

Dnscmd. Use this command-line tool to manage the DNS server. This tool is useful in scripting batch
files to help automate routine DNS management tasks or to perform simple unattended setup and
configuration of new DNS servers on your network.

Dnslint. Use this tool to diagnose common DNS issues. This command-line utility diagnoses
configuration issues in DNS quickly and can generate a report in the HTML format regarding the
domain status you are testing.

Lab A: Installing and Configuring DNS Server Role

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are the DNS administrator for Contoso.com. You need to perform the following DNS tasks to help
provide a more effective DNS infrastructure:

Install the DNS server role on NYC-SVR1.

Configure zone transfers for the Contoso.com zone.

Create a secondary zone for Contoso.com to be hosted on NYC-SVR1.

Create a reverse lookup zone for 10.10.0.0.

Configure aging and scavenging for the Contoso.com zone.

Exercise 1: Installing and Configuring DNS Server Role and Zones


Scenario
To support the latest DNS requirements, you need to install and configure the DNS server role on
NYC-SVR1. After you have installed the DNS server role, you will create a secondary zone and a reverse
lookup zone for Contoso.com.
The main tasks for this exercise are as follows:
1. Install the DNS Server role on NYC-SVR1.
2. Allow zone transfers for Contoso.com.
3. Configure a secondary zone for Contoso.com.
4. Configure a reverse lookup zone.

Task 1: Install the DNS Server role on NYC-SVR1.
1. On NYC-SVR1, open Server Manager and install the DNS Server role.

Task 2: Allow Zone Transfers for Contoso.com.
1. On NYC-DC1, open the DNS Manager.
2. For the Contoso.com zone, configure the following:
   Allow zone transfers: enabled
   Only to the following servers: 10.10.0.11
   Automatically notify: 10.10.0.11

Task 3: Configure a Secondary Zone for Contoso.com.
1. On NYC-SVR1, open DNS Manager.
2. Configure a new Forward Lookup zone with the following parameters:
   Zone Type: Secondary zone
   Zone Name: Contoso.com
   Master DNS Servers: 10.10.0.10
3. Verify that all of the resource records are available in the secondary zone.

Task 4: Configure a Reverse Lookup Zone.
1. On NYC-DC1, configure a new Reverse Lookup zone with the following parameters:
   Zone Type: Primary zone (store the zone in Active Directory)
   Active Directory Zone Replication Scope: All DNS servers running on domain controllers in
   the Contoso.com domain
   Reverse Lookup zone name: IPv4
   Network ID: 10.10.0
   Dynamic Update: Allow only secure dynamic updates
2. Update the associated pointer record for NYC-SVR1.

Results: At the end of this exercise, you will have installed the DNS Server role and configured
secondary and reverse lookup zones.

Exercise 2: Configuring Resource Records, Aging, and Scavenging


Scenario
You have been provided additional requirements for the Contoso.com DNS zone. You need to create an
alias for NYC-SVR1 called www. You also need to enable aging and scavenging.
The main tasks for this exercise are as follows:
1. Add resource records for Contoso.com.
2. Configure aging and scavenging for Contoso.com.

Task 1: Add resource records for Contoso.com.
1. On NYC-DC1, use DNS Manager to add an alias for NYC-SVR1.Contoso.com called www.

Task 2: Configure aging and scavenging for Contoso.com.
1. On NYC-DC1, enable automatic scavenging of stale records to take place every 10 days.
2. Enable zone aging and scavenging for Contoso.com by using the default 7-day no-refresh and
refresh intervals.

Results: At the end of this exercise, you will have configured a resource record for Contoso.com and
enabled aging and scavenging.

Exercise 3: Verifying DNS Settings


Scenario
You need to verify that the DNS settings work as expected. You also need to produce a report on the DNS
settings to verify that DNS is configured correctly.
The main tasks for this exercise are as follows:
1. Verify that the secondary zone is functional.
2. Verify records by using Nslookup and DNSlint.

Task 1: Verify that the secondary zone is functional.
1. Switch to the NYC-SVR1 virtual machine.
2. In DNS Manager, refresh the Contoso.com zone and verify that www has been transferred
successfully from the authoritative server.
3. Open the Local Area Network Properties and modify the TCP/IPv4 settings to use 10.10.0.11 as the
preferred DNS Server.
4. Ping www.contoso.com and verify that the name is resolved.
5. Close all open windows.

Task 2: Verify records by using Nslookup and DNSlint
1. Switch to the NYC-DC1 virtual machine.
2. Use NSlookup to verify the SOA information.
3. Run DNSLint from C:\Tools\Dnslint and create a zone report. Hint: use the following command.
   Dnslint /s 10.10.0.10 /d contoso.com
4. Read through the report results and then close all open windows.

Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.

Lesson 4

Overview of DHCP Server Role

DHCP is used to assign (lease) IPv4-based or IPv6-based IP addresses and other network settings to
computers and devices that are enabled as DHCP clients. This lesson provides information on using
DHCP and on how DHCP is installed and configured to support IP allocation to network clients.

Objectives
After completing this lesson, you will be able to:

Describe new DHCP features for Windows Server 2008.

Describe DHCP Server Authorization.

Describe how DHCP lease generation works.

Describe how DHCP lease renewal works.

Add and authorize the DHCP Server role.

New DHCP Features in Windows Server 2008

Key Points
The DHCP protocol simplifies the configuration of IP clients in a network environment. Before DHCP was
used widely, each time you added a client to a network, you had to configure it with information about
the network on which you installed it, including the IP address, the network's subnet mask, and the
default gateway for access to other networks.
With the DHCP server role, you can ensure that all clients are consistent with the same types of
configuration information, which eliminates human error during configuration. When key configuration
information changes in the network, you can update it on the DHCP server without having to change the
information directly on each computer.
The DHCP role on Microsoft Windows Server 2008 supports several new features:

Support for DHCPv6. Stateful and stateless configuration is supported for clients in an IPv6
environment. Stateful configuration occurs when the DHCPv6 server assigns the IP address to the
client, along with additional DHCP data. Stateless configuration occurs when the IPv6 address is
assigned automatically by an IPv6-capable router, without a DHCP server being needed to assign it.

Support for Network Access Protection (NAP). DHCP can be configured to integrate with NAP to
isolate unauthorized computers from the corporate network. NAP is part of a Windows Server 2008
based toolset that controls access to network resources to ensure that a client is compliant with
internal security policies. For example, a configured policy may require all network clients to have
Windows Firewall enabled and have a valid, up-to-date antivirus program installed.

Support for Windows Server 2008 Server Core. You can install DHCP as a role on a Windows
Server 2008 Server Core installation.

DHCP Improvements in Windows Server 2008 R2


Note: The content in this section applies only to Windows Server 2008 R2.

In addition to these enhancements, Windows Server 2008 R2 supports several additional features, which
are listed as follows:

Link-Layer Filtering. Link-layer filtering lets you allow or deny DHCP leases based upon the
media access control (MAC) address presented by the client. You can specify either a full MAC
address, or you can specify a MAC address pattern by using the * as a wildcard. This feature is
currently available only for IPv4 networks.

DHCP Split-Scope Configuration Wizard. A DHCP split-scope configuration allows for increased
fault tolerance and redundancy by using two DHCP servers. The Split-scope Wizard provides an
automated method for configuring the scope properties and minimizes errors that are common
during a manual configuration. The split-scope configuration places part of the DHCP scope on a
secondary server with a time delay, which is configured in scope properties. The time delay on the
secondary server ensures that it will only respond to DHCP clients if the primary DHCP server
becomes unavailable. The secondary DHCP server distributes IP addresses until the primary server is
available again to service clients. This feature is only used for IPv4-based scopes.

DHCP Name Protection. Name protection prevents non-Windows-based computers from directly
registering a name and IP address in DNS. When you enable name protection in DHCP, the DHCP
server registers the A and PTR records into DNS on behalf of the client. If a client already exists with
the same registered name, the update fails. Name protection can be configured for both IPv4 and
IPv6 at the server or scope level and will only work for DNS zones that are configured to support
Secure Dynamic Updates.

DHCP Server Authorization

Key Points
The DHCP Server role in Windows Server 2008 must be authorized in Active Directory before it begins
leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that
contain multiple Active Directory domains. Therefore, an Enterprise Administrator account must authorize
the DHCP server.
A DHCP server that is part of the Active Directory domain queries Active Directory for a list of authorized
DHCP servers. If its own IP address is on the list, the DHCP services start, and the server begins to service
DHCP requests. If its IP address is not on the list, the DHCP service does not start and does not service
DHCP requests until it has been authorized.

Stand-Alone DHCP Server Considerations


A stand-alone DHCP server is a computer running Windows Server 2008 that is not part of an Active
Directory domain, and that has the DHCP Server role installed and configured on it. If the stand-alone
DHCP server detects an authorized DHCP server in the domain, it will not lease IP addresses and will shut
down automatically.

Rogue DHCP Servers


Many network devices and network operating systems have DHCP server services that might be enabled
unintentionally. These types of DHCP services will not check for authorization in Active Directory and will
be enabled on the network. In this case, clients may obtain incorrect configuration data.
To eliminate an unauthorized DHCP server, you must locate and disable it from communicating on the
network either physically or by disabling the DHCP service on the network device in which it is running.

How DHCP Lease Generation Works

Key Points
The DHCP lease-generation process includes four steps that enable a client to obtain an IP address:
1. The DHCP client broadcasts a DHCPDISCOVER packet. This message is broadcast to each computer in
the subnet. The only computers that respond are those running the DHCP server role or a DHCP relay
agent. In the latter case, the relay agent forwards the message to the DHCP server with which it is
configured.
2. Any DHCP server in the subnet responds by broadcasting a DHCPOFFER packet. This packet provides the
client with a potential address.
3. The client receives the DHCPOFFER packet. It may receive packets from multiple servers. If the client
receives offers from more than one server, it usually chooses the server that made the fastest
response to its DHCPDISCOVER, which typically is the DHCP server closest to the client. The client then
broadcasts a DHCPREQUEST. The DHCPREQUEST contains a server identifier, which informs the DHCP
servers which DHCPOFFER the client has chosen to accept.
4. All DHCP servers receive the DHCPREQUEST. The servers whose offer the DHCPREQUEST does not accept
use the message as notification that the client has declined their offer. The chosen server stores the
client's IP address information in the DHCP database and responds with a DHCPACK message. If for
some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER,
it sends a DHCPNAK message.

Managing Windows Server 2008 Infrastructure Roles

How DHCP Lease Renewal Works

Key Points
When the DHCP lease reaches 50 percent of the lease time, the client attempts to renew the lease. This
is an automatic process that occurs in the background. Computers that operate continually on a network
without being shut down may keep the same IP address for a long time.
To renew the IP address lease, the client sends a unicast DHCPREQUEST message to the DHCP server that
provided the lease. That server sends a DHCPACK message back to the client that contains any parameters
that have changed since the original lease was created.
If the client cannot renew the lease with the original server, it continues to use its existing lease until
87.5 percent of the lease duration has expired. At this point, the client attempts to contact any available
DHCP server by broadcasting DHCPREQUEST messages. If the lease expires without being renewed, the client
stops using the address and starts a new lease-generation process.
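The script below is an added example, not part of the course or of any Microsoft code. It builds and decodes the four DHCPv4 messages of one lease (the RFC 2131 fixed header followed by RFC 2132 code/length/value options) so the fields named in the lease-generation steps and the renewal timers are visible in real bytes. The MAC address, transaction ID and IP addresses are made up for the demonstration; the 5-day lease matches Lab B.

```powershell
# Added example (not from the course): encode and decode DHCPv4 DISCOVER/OFFER/REQUEST/ACK.
# All values below are constructed for the demonstration.

function ConvertTo-IpBytes([string]$ip)   { [System.Net.IPAddress]::Parse($ip).GetAddressBytes() }
function ConvertTo-IpString([byte[]]$b)   { '{0}.{1}.{2}.{3}' -f $b[0], $b[1], $b[2], $b[3] }
function ConvertTo-UInt32Bytes([uint32]$n) { $b = [System.BitConverter]::GetBytes($n); [array]::Reverse($b); $b }  # network byte order
function ConvertFrom-UInt32Bytes([byte[]]$b) {
    [uint32]([long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3])
}

# $op: 1 = BOOTREQUEST (client -> server), 2 = BOOTREPLY (server -> client).
# $options: list of @{ Code = <int>; Data = [byte[]] }, written as code / length / value.
function New-DhcpMessage([byte]$op, [uint32]$xid, [string]$mac, [string]$yiaddr, [array]$options) {
    $m = New-Object byte[] 240
    $m[0] = $op; $m[1] = 1; $m[2] = 6                        # htype = Ethernet, hlen = 6
    [System.BitConverter]::GetBytes($xid).CopyTo($m, 4)      # xid ties replies to the client's request
    $m[10] = 0x80                                             # flags: broadcast bit, so replies are broadcast
    $yb = [byte[]](ConvertTo-IpBytes $yiaddr); $yb.CopyTo($m, 16)   # yiaddr: the address the server assigns
    $macBytes = [byte[]]($mac -split '-' | ForEach-Object { [Convert]::ToByte($_, 16) })
    $macBytes.CopyTo($m, 28)                                  # chaddr: the hardware address a reservation keys on
    $m[236] = 0x63; $m[237] = 0x82; $m[238] = 0x53; $m[239] = 0x63  # magic cookie: options follow
    $tail = @()
    foreach ($o in $options) { $tail += [byte]$o.Code; $tail += [byte]$o.Data.Length; $tail += [byte[]]$o.Data }
    $tail += [byte]255                                        # end option
    $out = [byte[]]($m + $tail)
    return ,$out
}

function Read-DhcpMessage([byte[]]$msg) {
    $opts = @{}
    $i = 240
    while ($i -lt $msg.Length -and $msg[$i] -ne 255) {       # 255 = end of options
        if ($msg[$i] -eq 0) { $i++; continue }                # 0 = pad, has no length byte
        $code = [int]$msg[$i]; $len = [int]$msg[$i + 1]
        if ($len -gt 0) { $opts[$code] = [byte[]]$msg[($i + 2)..($i + 1 + $len)] } else { $opts[$code] = [byte[]]@() }
        $i += 2 + $len
    }
    $names = @{ 1 = 'DHCPDISCOVER'; 2 = 'DHCPOFFER'; 3 = 'DHCPREQUEST'; 5 = 'DHCPACK'; 6 = 'DHCPNAK' }
    $lease = 0
    if ($opts.ContainsKey(51)) { $lease = ConvertFrom-UInt32Bytes $opts[51] }
    New-Object PSObject -Property @{
        Type        = $names[[int]$opts[53][0]]
        Xid         = [System.BitConverter]::ToUInt32($msg, 4)
        ClientMac   = ($msg[28..33] | ForEach-Object { '{0:X2}' -f $_ }) -join '-'
        YourIp      = ConvertTo-IpString ([byte[]]$msg[16..19])
        ServerId    = $(if ($opts.ContainsKey(54)) { ConvertTo-IpString $opts[54] } else { $null })
        LeaseSec    = $lease
        RenewAtSec  = [int]($lease * 0.5)                     # T1: unicast DHCPREQUEST to the leasing server
        RebindAtSec = [int]($lease * 0.875)                   # T2: broadcast DHCPREQUEST to any server
    }
}

$mac = '00-15-5D-01-71-71'; $xid = [uint32]0x3903F326        # constructed values
# Step 1: the client has no address yet, so DISCOVER goes from 0.0.0.0 to 255.255.255.255 (UDP 67).
$discover = New-DhcpMessage 1 $xid $mac '0.0.0.0' @(
    @{ Code = 53; Data = [byte[]]@(1) },
    @{ Code = 55; Data = [byte[]]@(1, 3, 6, 15) })           # parameter request list: mask, router, DNS, domain
# Step 2: each server offers an address in yiaddr and identifies itself in option 54.
$offer = New-DhcpMessage 2 $xid $mac '10.10.0.55' @(
    @{ Code = 53; Data = [byte[]]@(2) },
    @{ Code = 54; Data = [byte[]](ConvertTo-IpBytes '10.10.0.10') },
    @{ Code = 51; Data = [byte[]](ConvertTo-UInt32Bytes 432000) },   # lease time: 5 days
    @{ Code = 1;  Data = [byte[]](ConvertTo-IpBytes '255.255.0.0') },
    @{ Code = 3;  Data = [byte[]](ConvertTo-IpBytes '10.10.0.1') })
# Step 3: the client broadcasts REQUEST naming the chosen server (54) and address (50);
#         every other server reads this as a decline of its own offer.
$request = New-DhcpMessage 1 $xid $mac '0.0.0.0' @(
    @{ Code = 53; Data = [byte[]]@(3) },
    @{ Code = 54; Data = [byte[]](ConvertTo-IpBytes '10.10.0.10') },
    @{ Code = 50; Data = [byte[]](ConvertTo-IpBytes '10.10.0.55') })
# Step 4: the chosen server records the lease and answers ACK (type 5), or NAK (type 6)
#         if it can no longer honour what it offered.
$ack = New-DhcpMessage 2 $xid $mac '10.10.0.55' @(
    @{ Code = 53; Data = [byte[]]@(5) },
    @{ Code = 54; Data = [byte[]](ConvertTo-IpBytes '10.10.0.10') },
    @{ Code = 51; Data = [byte[]](ConvertTo-UInt32Bytes 432000) })

$discover, $offer, $request, $ack | ForEach-Object { Read-DhcpMessage $_ } |
    Format-Table Type, YourIp, ServerId, LeaseSec, RenewAtSec, RebindAtSec -AutoSize
```

The decoded ACK shows a 432000-second lease with T1 at 216000 s (50 percent, the unicast renewal) and T2 at 378000 s (87.5 percent, the broadcast rebind). Nothing in any of the four messages identifies the server beyond option 54, which any host can set, and the only thing that selects a reservation is the chaddr field the client fills in itself.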


Demonstration: Adding and Authorizing the DHCP Server Role

Key Points
In this demonstration, you will see how to:
• Install the DHCP server role.
• Verify that the DHCP server is authorized.

Demonstration Steps:
1. Open Server Manager and install the DHCP server role.
2. After the server role is installed, open the DHCP console, right-click DHCP, click Manage authorized
   servers, and verify that the server is listed as an authorized DHCP server.


Lesson 5

Configuring DHCP Scopes and Options

To effectively manage the DHCP server role, you need to understand scopes and options. This lesson
provides information on how to configure a scope, and the various types of options that can be
configured to support the scope. Finally, the lesson will introduce common issues that you may face and
how to address those issues.

Objectives
After completing this lesson, you will be able to:
• Describe DHCP scopes.
• Configure a DHCP scope.
• Describe DHCP options.
• Describe DHCP class-level options.
• Describe DHCP reservations.
• Configure a DHCP option and a reservation.
• Describe how DHCP options are applied.
• Describe common DHCP troubleshooting issues.


What Are DHCP Scopes?

Key Points
A DHCP scope is a group of IP addresses on a subnet that are available for lease to network clients.
Each scope contains the following:
• A scope name.
• A range of IP addresses to include, and any addresses within that range to exclude.
• For IPv4 scopes: a subnet mask that determines the subnet for the addresses.
• For IPv6 scopes: a prefix and a preference value.
• Lease duration values.
• Reservations, used to ensure that a specific DHCP client is always assigned the same IP address.
• DHCP scope options, such as the IP address of the DNS server and the IP address of the router.

To create a DHCP scope, you need to be a member of the Administrators group or the DHCP
Administrators group on the server.

What Are Superscopes and Multicast Scopes?


A superscope is a collection of scopes that are grouped together into a single administrative unit. This
allows clients to receive an IP address from multiple logical subnets, even when they are on the same
physical subnet.
A superscope is useful in several situations. For example, if a scope has been depleted of addresses, and
you cannot add additional addresses from the subnet, you can add a new scope to the DHCP server. This
scope leases addresses to clients in the same physical network, but clients will be in a separate network
logically. This is known as multinetting. You need to configure routers to recognize the new subnet to
ensure local communication on the physical network.

A superscope is also useful when you need to move clients gradually to a new IP-numbering scheme. By
having both numbering schemes coexist for the duration of the original leases, you can move clients into
the new subnet transparently. When all client leases have been renewed in the new subnet, you can retire
the old one.

Multicast scopes
A multicast scope is a collection of IPv4 multicast addresses from the class D range of 224.0.0.0 through
239.255.255.255. These addresses are used when an application needs to communicate efficiently with
many clients simultaneously. A multicast scope is also known as a Multicast Address Dynamic Client
Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes must support
the MADCAP application programming interface (API).


Demonstration: Configuring a DHCPv4 Scope

Key Points
In this demonstration, you will see how to:
• Create and activate a DHCP scope.

Demonstration Steps:
1. Open the DHCP console.
2. Right-click the IPv4 node and use the New Scope Wizard to create a new scope. Provide the Name,
   IP Address Range, Exclusions, and Options.


What Are DHCP Options?

Key Points
A DHCP server typically provides more than just an IP address to a client. DHCP also provides information
about network resources, such as the IP addresses of the DNS servers and the router. You can apply DHCP
options at the following levels:
• Server options. Options configured at the server level apply to all scopes hosted on the server.
• Scope options. Options configured at the scope level apply only to the scope on which they are
  configured.

An option code identifies each DHCP option. Most option codes are defined in RFCs published on the IETF
website (the standard IPv4 options are listed in RFC 2132).
The following table lists sample IPv4 option codes:

Option code   Option name
003           Router
006           DNS servers
015           DNS domain name
023           Default IP time-to-live
031           Perform router discovery
033           Static route option
043           Vendor-specific information
044           WINS/NBNS servers
046           WINS/NetBT node type
047           NetBIOS scope ID


What Are DHCP Class-Level Options?

Key Points
You may have a group of computers or users that require different configuration options than the rest of
the scope. For example, computers that access the network by using a VPN may need a different router
setting than computers that connect from an internal location.
Option classes allow clients to receive configuration options based on the following:
• User class. You can specify user-class options when you want to set options for a certain class of
  users, such as users who connect by using Routing and Remote Access or users who are affected by
  Network Access Protection (NAP). You can also define your own user class and assign it on each client
  computer by using the ipconfig /setclassid command. For example, you may want to provide only
  laptop computers with a specific option setting.
• Vendor class. The DHCP server role can distribute options based on the vendor class that the client
  reports. One example is disabling NetBIOS over TCP/IP for clients that report a vendor class matching
  Windows 2000 or Windows XP. Another example is configuring specific options for a certain computer
  brand.

Both class identifiers are supplied by the client in its DHCP request and are not verified by the server, so
any client can claim any class. Use classes to tailor configuration, not to enforce access control.


What Is a DHCP Reservation?

Key Points
A DHCP reservation sets aside an IPv4 address within a scope for use by a specific DHCP client.
It is often desirable to give servers and printers a reserved IP address. This ensures that an address in a
predefined scope is not assigned inadvertently to another device, which would cause an IP address
conflict. It also ensures that devices with reservations are guaranteed an IP address even if the scope is
depleted. Configuring a reservation lets you centralize the management of IP addresses without resorting
to manually configuring static IP addresses.

Configuring a DHCP Reservation

You can configure custom DHCP options for a reservation. These settings override all other DHCP options
configured at higher levels.
To configure an IPv4 DHCP reservation, you must know the device's MAC (physical) address. The DHCP
server compares this address with the hardware address in the client's request to decide that the client
should receive the reservation. You can obtain a network interface's MAC address by using the
ipconfig /all command.
MAC addresses for network printers and other network devices are printed on the device itself. Some
laptop computers also note this information on the lower part of their chassis.
Because the MAC address is supplied by the client and can be changed by anyone who controls the device,
a reservation (like link-layer filtering) is an address-management convenience, not a security control.


Demonstration: Configuring DHCP Options and Reservations

Key Points
In this demonstration, you will see how to:
• Configure a DHCP scope option.
• Configure a DHCP user class option.
• Enable the scope and configure the client computer's user class.
• Configure a DHCP reservation.

Demonstration Steps:
1. Open the DHCP console.
2. Expand the scope, and then click the Scope Options node.
3. Right-click the Scope Options node and click Configure Options.
4. Configure options as needed.
5. Under the scope, click Reservations.
6. Right-click Reservations, and click New Reservation.
7. Create a new reservation by providing the IP address and MAC address for the client.
8. Configure reservation-specific options for the client.


How DHCP Options Are Applied

Key Points
If you have configured DHCP options at multiple levels (server, scope, class, and reservation), DHCP
applies options to client computers in the following order, and each level overrides the levels before it:
1. Server level
2. Scope level
3. Class level
4. Reserved-client level

For example, if you configure a router setting at the server level and a different router setting at the
class level, the class-level setting overrides the server-level setting. Options configured for a reserved
client always take precedence over the other levels.
You need to understand this precedence when you are troubleshooting DHCP: the value a client receives is
the one set at the most specific level that applies to it, which may not be the one you configured on the
scope.


Common DHCP Issues

Key Points
The following table describes and provides examples of common DHCP issues:

Issue: DHCP service does not start
Description: You install DHCP and configure a scope, but the service will not start.
Possible cause: The DHCP server is not in the list of authorized DHCP servers.

Issue: Address conflicts
Description: The same IP address is offered to two different clients.
Possible cause: An administrator deletes a lease, but the client that had the lease still believes the lease
is valid. If the DHCP server does not verify that the address is unused, it may lease the address to another
machine, causing an address conflict. This can also occur if two DHCP servers have overlapping scopes.

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead assigns itself an APIPA address.
Possible cause: A client's network adapter is configured incorrectly, which prevents it from obtaining a
DHCP address.

Issue: Address obtained from incorrect scope
Description: The client obtains an IP address from the wrong scope and experiences communication
problems.
Possible cause: This often occurs because the client is connected to the wrong network.

Issue: DHCP database suffers data corruption or loss
Description: The DHCP database becomes unreadable or is lost.
Possible cause: A hardware failure can cause the database to become corrupted.

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's IP scopes have been depleted. Any new client requesting an IP address is
refused.
Possible cause: All IP addresses assigned to the scope are leased. A single host that requests leases under
many different client hardware addresses (a DHCP starvation attack) can deplete a scope deliberately, so
check the lease list for runs of unfamiliar MAC addresses before simply enlarging the range.

Lab B: Installing and Configuring DHCP Server Role

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are the network administrator at Contoso, Ltd. You have just deployed a new subnet and have
decided to configure the DHCP service to provide IP addresses and configuration options. You need to
address the following requirements:
• Install the DHCP server role on NYC-DC1.
• Configure an IPv4 scope for the address range 10.10.0.50 to 10.10.0.100 with a 16-bit subnet mask
  (255.255.0.0).
• The lease duration for clients needs to be 5 days.
• Scope options need to include:
  DNS Domain Name: Contoso.com
  DNS Servers: 10.10.0.10
  Router: 10.10.0.1
• A reservation needs to be configured for NYC-SVR1 so that it is automatically assigned 10.10.0.55
  with the default scope options.


Exercise 1: Installing and Authorizing the DHCP Server Role


Scenario
You need to install the DHCP server role on NYC-DC1.
The main tasks for this exercise are as follows:
1. Install the DHCP server role on NYC-DC1.
2. Verify DHCP authorization.

Task 1: Install the DHCP Server role on NYC-DC1.
1. On NYC-DC1, open Server Manager and install the DHCP Server role.

Task 2: Verify DHCP Authorization.
1. On NYC-DC1, in the DHCP console, open the Manage authorized servers dialog box and verify that
   nyc-dc1.contoso.com is an authorized DHCP server.

Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP
authorization.


Exercise 2: Configuring DHCP Scopes, Options, and Reservations


Scenario
Now that you have installed the DHCP server role, you need to configure a valid DHCP scope. You also
need to configure the options outlined in the requirements list. Finally, you need to configure the
reservation for NYC-SVR1.
The main tasks for this exercise are as follows:
1. Configure a DHCP scope.
2. Configure scope options.
3. Configure a DHCP reservation.

Task 1: Configure a DHCP Scope.
1. On NYC-DC1, in the DHCP console, use the New Scope Wizard to configure a scope with the
   following settings:
   • Scope Name: ContosoScope1
   • Start IP Address: 10.10.0.50
   • End IP Address: 10.10.0.100
   • Subnet mask length: 16
   • Lease Duration: 5 days
   • DHCP Options: Domain Name and DNS Servers set at default
   • Activate Scope: Yes

Task 2: Configure Scope Options.
1. On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options.
2. Add a new scope option for 003 Router with an IP address of 10.10.0.1.

Task 3: Configure a DHCP Reservation.
1. On NYC-SVR1, open a command prompt and use ipconfig /all to determine the physical (MAC) address
   of the server. Write down the MAC address here:
2. On NYC-SVR1, open the Local Area Connection Properties dialog box and configure the network
   adapter to obtain both the IP address and the DNS server address automatically.
3. On NYC-DC1, configure a DHCP reservation with the following settings:
   • Reservation name: NYC-SVR1
   • IP address: 10.10.0.55
   • MAC Address: [Enter the value recorded in step 1. For example: 00-15-5D-01-71-71]
4. Switch back to NYC-SVR1 and use the ipconfig command to release and then renew the IP address
   configuration.
5. Verify that NYC-SVR1 receives the IP address 10.10.0.55 with valid scope options.

Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a DHCP
reservation.
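The script below is an added example and is not part of the lab or of any Microsoft sample. It performs both exercises from an elevated PowerShell prompt on NYC-DC1 with the netsh dhcp commands that ship with Windows Server 2008 and 2008 R2 instead of the console, and in doing so shows the scope, options, reservation and option-precedence material of Lesson 5 side by side: a server-level option, a scope-level option that overrides it, and the reservation-level override. Names and addresses are the lab's; the MAC address is a placeholder you must replace with the value from ipconfig /all on NYC-SVR1.

```powershell
# Added example (not from the course): Lab B from the command line on NYC-DC1.
# Run in an elevated PowerShell session on Windows Server 2008 R2.

# --- Exercise 1: install the role and authorize the server in AD DS ---
Import-Module ServerManager
Add-WindowsFeature DHCP                                   # on Windows Server 2008 RTM: ServerManagerCmd -install DHCP
netsh dhcp add server nyc-dc1.contoso.com 10.10.0.10      # authorize in AD DS; an unauthorized server will not lease
netsh dhcp show server                                    # verify: nyc-dc1.contoso.com must appear in this list

# --- Exercise 2, Task 1: scope 10.10.0.0/16 with the lab's address range and lease ---
netsh dhcp server add scope 10.10.0.0 255.255.0.0 ContosoScope1 "Lab B scope"
netsh dhcp server scope 10.10.0.0 add iprange 10.10.0.50 10.10.0.100
netsh dhcp server scope 10.10.0.0 set optionvalue 051 DWORD 432000   # lease duration: 5 days in seconds

# Server-level options apply to every scope on this server (lowest precedence).
netsh dhcp server set optionvalue 015 STRING contoso.com
netsh dhcp server set optionvalue 006 IPADDRESS 10.10.0.10

# --- Task 2: a scope-level option overrides the server level for this scope only ---
netsh dhcp server scope 10.10.0.0 set optionvalue 003 IPADDRESS 10.10.0.1

# --- Task 3: reservation for NYC-SVR1 (MAC as 12 hex digits, no separators) ---
$mac = '00155D017171'        # placeholder: copy the physical address from 'ipconfig /all' on NYC-SVR1
netsh dhcp server scope 10.10.0.0 add reservedip 10.10.0.55 $mac NYC-SVR1 "Lab B reservation" DHCP
# A reservation-level option would override the server, scope and class levels for this client only.
# The lab wants the default scope options, so it is left commented out:
#   netsh dhcp server scope 10.10.0.0 set reservedoptionvalue 10.10.0.55 003 IPADDRESS 10.10.0.1

netsh dhcp server scope 10.10.0.0 set state 1             # activate the scope (1 = active, 0 = inactive)

# --- Guard against the "address conflicts" issue: ping an address before offering it ---
netsh dhcp server set detectconflictretry 2

# --- Verification on the server ---
netsh dhcp server show scope
netsh dhcp server scope 10.10.0.0 show optionvalue        # the effective scope options, 003 included
netsh dhcp server scope 10.10.0.0 show reservedip

# On NYC-SVR1 run:  ipconfig /release ; ipconfig /renew ; ipconfig /all
# then back here:   netsh dhcp server scope 10.10.0.0 show clients 1
# NYC-SVR1 should hold 10.10.0.55, router 10.10.0.1, DNS 10.10.0.10, domain contoso.com.
```

If the reservation does not take effect, the usual cause is a MAC address copied with separators or from the wrong adapter; show reservedip prints the address exactly as the server stored it, which makes the mismatch easy to spot.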

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.

Module Review and Takeaways

Review Questions
1. What are the different types of unicast IPv6 addresses?
2. What kind of IP address does an IPv6 client automatically assign itself?
3. What are the different tunneling technologies in IPv6?
4. You are presenting to a potential client the advantages of using Windows Server 2008. What are the
   new features that you would point out when discussing the Windows Server 2008 DNS server role?
5. What are the differences between recursive and iterative queries?
6. What must you configure before a DNS zone can be transferred to a secondary DNS server?
7. What are the four DHCP message broadcasts that are used when a successful address lease occurs?
8. At what point in a DHCP lease does the client usually renew the lease automatically?
9. Why would you use a superscope?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: Description
• IP-HTTPS: Tunnels IPv6 packets inside an IPv4-based secure HTTPS session.
• Teredo Server and Relay: Teredo server functionality for IPv6 communication over the Internet.
• Group Policy settings for IPv6 Transition Technologies: New Group Policy settings that can be used to
  assist in IPv6 transition.
• DNS Security Extensions (DNSSEC): Provides the ability for a DNS zone and all the records in the zone
  to be cryptographically signed.
• DNS Devolution: Automatically set to the number of labels in the forest root domain.
• DNS Cache Locking: When enabled, the DNS server will not allow cached records to be overwritten for
  the duration of the TTL value, which limits cache-poisoning attacks.
• DNS Socket Pool: Uses a random source port for issuing queries, which makes spoofed responses
  harder to inject.
• Link-Layer Filtering: Allows you to specifically allow or deny DHCP leases based on the MAC address
  presented by the client.
• DHCP Split-Scope Configuration Wizard: Provides an automated method for configuring a split-scope
  configuration.
• DHCP Name Protection: Prevents non-Windows-based computers from directly registering a name and
  an IP address in DNS.

Tools

Tool: Use for: Where to find it
• Server Manager: Managing a Windows Server 2008 server: Start menu
• DHCP console: Managing DHCP: Administrative Tools
• DNS Manager: Managing a DNS server: Administrative Tools
• DNSLint: Generating DNS configuration reports:
  http://download.microsoft.com/download/2/7/2/27252452-e530-4455-846add68fc020e16/dnslint.v204.exe

Module 3
Configuring Access to File Services
Contents:
Lesson 1: Overview of Access Control    3-3
Lesson 2: Managing NTFS File and Folder Permissions    3-13
Lesson 3: Managing Permissions for Shared Resources    3-23
Lesson 4: Determining Effective Permissions    3-36
Lab: Managing Access to File Services    3-43

Module Overview

File services is one of the core pieces of functionality in a Microsoft Windows Server 2008 network
environment. The files stored on your servers contain information that spans the entire scope of your
organization. This information may be available on a single server, or it may be shared on the network for
multiple users to access. This information must be safeguarded and protected from unauthorized use, as
well as made available to authorized users.
This module will not only introduce you to the concepts and terminology involved in file services, but also
provide guidance in the practical management of a file services infrastructure within the Windows Server
2008 environment.

Objectives
After completing this module, you will be able to:
• Describe the concept of access control for file services.
• Manage New Technology File System (NTFS) file and folder permissions.
• Manage permissions for shared resources.
• Determine effective permissions.

Lesson 1

Overview of Access Control

To manage access to resources, you must understand how the Windows Server 2008 operating system
uses a number of different objects and methods to control access to resources. You need to evaluate
certain aspects of the operating system environment to ensure that the level of access for any given
scenario is clearly defined.
This lesson helps you understand what these objects, methods, and operating system variables are and
how they work together to provide a secure and reliable access control mechanism for the Windows
Server environment.

Objectives
After completing this lesson, you will be able to:
• Describe the concept of security principals and security identifiers.
• Describe access tokens.
• Describe how permissions control access to resources.
• Describe how access control works.
• Describe access-based enumeration.


What Are Security Principals?

Key Points
In basic terms, a security principal defines who you are within the Windows Server environment.
Specifically, a security principal is represented by a user, group, or computer object that you can use for
authentication and assigning access to resources, such as files or folders, on an NTFS volume or objects
within an Active Directory domain.
In Windows Server 2008, a security principal is stored and managed in one of the following two locations:

Local Security Accounts Manager database

Each Windows Server 2008 computer maintains its own local security database, the Security Accounts
Manager (SAM). You can use the security principals in a computer's local SAM to manage access to
resources on that specific computer only.

Active Directory Domain Services database

When a Windows Server 2008 computer is joined to an Active Directory domain, security principals for
the users and groups that use that computer are commonly stored in the Active Directory Domain Services
(AD DS) database, which is the primary container for objects within the domain, including security
principals. The AD DS database is replicated between the domain controllers of the domain and is queried
whenever information about a domain security principal or resource is needed.
A security principal created and stored in Active Directory can be used to manage access to resources on
any computer that belongs to the domain.
Note: The AD DS database is used for much more than storing security principal and resource
information. You will learn more about Active Directory and its various components later in this
course.


Security Identifier
Each security principal, whether stored in the local SAM or in Active Directory, is issued a security
identifier (SID) when it is created. A SID is an alphanumeric value that uniquely identifies the security
principal within the Windows environment, whether in a local SAM database or within Active Directory.
Windows uses the SID, not the account name, in access tokens and in permission entries; the name is only
looked up for display. Renaming an account does not change its SID, and deleting an account and creating
a new one with the same name produces a new SID that matches none of the old permission entries.
When displayed in text, each SID begins with the letter S followed by its numeric components, separated
by hyphens:
S-1-5-21-1673587447-2629168963-360789496-1000

The SID above references a user account in a Windows Server 2008 domain. Like all SIDs, it starts with the
letter S. The next number, 1, is the SID's revision number. The number 5 is the identifier authority; in
this case the Windows NT security authority. The values that follow are the sub-authority values, and
these are what make this particular SID unique. The value 21 marks a SID that belongs to a computer or a
domain, and the three numbers after it identify that issuer: on a computer that is not joined to a domain
they identify the computer itself; in a domain they identify the domain (the domain identifier is generated
when the domain is created on its first domain controller). The last value, in this case 1000, is the
relative identifier or RID.

Relative Identifier
The relative identifier (RID) uniquely identifies a user account or group within an individual computer or
domain. Each account and group that you create is assigned a system-generated RID, starting at 1000.
Built-in accounts and groups, such as the Administrator and Guest accounts or the BUILTIN\Administrators
group, have constant RIDs that are the same on every installation of Windows. For example, a RID of 500
always identifies the built-in Administrator account of a computer or domain, so the SID of the
Administrator account in the domain above is:
S-1-5-21-1673587447-2629168963-360789496-500

The following table lists the RID values of some other common Windows accounts and groups:

Relative Identifier (RID) value   Windows account or group object
500                               Administrator account
501                               Guest account
512                               Domain Admins group
544                               BUILTIN\Administrators group
545                               BUILTIN\Users group

Note: The BUILTIN groups are not issued under a domain or computer identifier. Their SIDs hang off the
fixed prefix S-1-5-32, so BUILTIN\Administrators is S-1-5-32-544 on every Windows computer and in every
domain, whereas Domain Admins (RID 512) is issued under the identifier of the domain it belongs to.
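The following PowerShell is an added example, not part of the course text. It takes a SID string apart into the components described above and names the well-known RIDs from the table; a second function resolves an account name to its SID so the two forms can be compared. The only assumption is a Windows host; the sample SID is the one from the text.

```powershell
# Added example, not part of the course text: parse a SID string into its components and name the
# well-known RIDs from the table above. Get-AccountSid resolves a name to its SID for comparison.

function ConvertFrom-SidString {
    param([Parameter(Mandatory=$true)][string]$Sid)

    # Text form: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') {
        throw "Not a SID in S-R-A-S... text form: $Sid"
    }
    $revision  = [int]$Matches[1]
    $authority = [int]$Matches[2]
    $subs      = @($Matches[3].TrimStart('-').Split('-') | ForEach-Object { [uint32]$_ })

    # Constant RIDs from the table; the same numbers appear on every Windows installation.
    $wellKnownRids = @{ 500 = 'Administrator'; 501 = 'Guest'; 512 = 'Domain Admins';
                        544 = 'Administrators'; 545 = 'Users' }

    # Sub-authority 21 introduces a computer or domain identifier: the three values after it identify
    # the issuing machine or domain and the last value is the RID. Sub-authority 32 is the fixed
    # BUILTIN authority, which has no machine or domain part.
    $issuer = $null
    if ($subs[0] -eq 21 -and $subs.Count -ge 5) { $issuer = $subs[1..3] -join '-' }
    elseif ($subs[0] -eq 32)                    { $issuer = 'BUILTIN' }

    New-Object PSObject -Property @{
        Sid                 = $Sid
        Revision            = $revision
        IdentifierAuthority = $authority            # 5 = NT Authority
        Issuer              = $issuer
        Rid                 = $subs[-1]
        WellKnownName       = $wellKnownRids[[int]$subs[-1]]   # $null for an ordinary (>= 1000) RID
    }
}

function Get-AccountSid {
    # Resolves a name such as 'BUILTIN\Administrators' or 'CONTOSO\Administrator' to its SID text.
    param([Parameter(Mandatory=$true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

ConvertFrom-SidString 'S-1-5-21-1673587447-2629168963-360789496-500' | Format-List   # Rid 500, Administrator
ConvertFrom-SidString (Get-AccountSid 'BUILTIN\Administrators')      | Format-List   # S-1-5-32-544, Issuer BUILTIN
```

The second call shows the point made in the note: the BUILTIN\Administrators SID carries no domain identifier at all, so a permission entry that names S-1-5-32-544 refers to the local Administrators group of whichever computer evaluates it.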


What Are Access Tokens?

Key Points
An access token is a protected object that contains information about the identity and rights associated
with a user account.

How Access Tokens Are Created


When a user logs on and authentication succeeds, the logon process provides a SID that represents the
user and a list of SIDs for the security groups of which the user is a member. The Local Security Authority
(LSA) on the computer uses this information to create an access token that includes those SIDs and the
list of user rights (privileges) that the local security policy assigns to the user and to the user's groups.

How Access Tokens Are Used to Verify User Rights


After LSA creates the primary access token, a copy of the access token is attached to every process and
thread that executes on the user's behalf. Whenever a thread or process opens a securable object, such as
a file, or tries to perform a system task that requires a user right, the operating system checks the access
token associated with the thread to verify the user's access. The check is made against the token, not
against the directory or the SAM.
Note: A user's access token is assembled during the logon process. If a user is added to or removed
from groups after logging on, the new group membership is not reflected in the user's access token until
the user logs off and logs on again, at which point the token is rebuilt from the current group membership.
The same applies to tokens built for network connections and for services: a user who is already connected
to a file server keeps the token that was built when the connection was made, and a service keeps its token
until it is restarted. A user removed from a group can therefore keep access for some time, which matters
when the removal was meant to revoke access.
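As an added example (not part of the course text), the following PowerShell looks inside the access token of the current logon session through the .NET WindowsIdentity wrapper and relates what it finds to the note above. It assumes only a Windows host and modifies nothing.

```powershell
# Added example, not part of the course text: inspect the access token of the current session.

function Get-CurrentTokenSummary {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Every group SID the LSA placed in the token at logon, translated back to a name where possible.
    # A group deleted after logon no longer resolves, but its SID stays in the token until the next logon.
    $groups = foreach ($sid in $identity.Groups) {
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }

    # IsInRole is answered from the token's group list, not from a directory lookup, so it reflects
    # membership as of logon. Under UAC a non-elevated administrator's token carries the Administrators
    # SID marked deny-only, and this returns False until the process is elevated.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        User               = $identity.Name
        UserSid            = $identity.User.Value
        AuthenticationType = $identity.AuthenticationType
        TokenGroups        = @($groups)
        IsElevatedAdmin    = $isAdmin
    }
}

$token = Get-CurrentTokenSummary
$token | Select-Object User, UserSid, AuthenticationType, IsElevatedAdmin | Format-List
$token.TokenGroups | Sort-Object Name | Format-Table Name, Sid -AutoSize

# The other half of the token, the user rights (privileges) and their current state, is shown by whoami.
whoami /groups /fo list
whoami /priv
```

Add yourself to a group, run the script again without logging off, and the new group is absent from both listings; that is the behaviour the note describes, seen from the token's side.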


What Are Permissions?

Key Points
Permissions are the rules that determine which operations a specific user can perform on a specific object,
such as a file or a folder. Permissions can be granted or denied by the owner of an object and by anyone
with the right to modify permissions on that object; typically this includes administrators on the
computer and in the domain. If you own an object, you can grant any user or security group any permission
on that object, including the permission to take ownership.
Permissions are assigned in the Windows environment by either granting or denying a specific level of
access to a security principal, most often a user or a group. Local principals are used to assign
permissions for local resources, and domain-based principals are used to assign permissions for resources
in an Active Directory domain.
Permissions can be assigned to an object in one of two ways.

Explicit Permissions
When permissions are set directly on an object within the Windows environment, such as a file or folder,
the permissions are explicitly applied: they have been assigned to that object by modifying the security
settings in the object's Properties dialog box.

Inherited Permissions
Resources in a Windows environment, such as files and folders, are typically arranged in a nested or tree
structure. Typically, a folder contains other folders or files, and those folders may contain further files or
folders.
Permission inheritance allows for child objects to inherit the permissions settings of their parent object.
This behavior allows explicit permissions to be assigned to a small number of objects and have inheritance
pass those permissions settings down to child objects within the object structure.


Inheritance behavior can be controlled for each object: an object can either inherit its parent's
permission settings or have its own explicitly defined set of permissions.


How Access Control Works

Key Points
The main idea behind access control is that principals, such as users, groups, or computers, request access
to resources, such as files, folders, and printers.

Access Control Essentials


The details of access control are complex. For example, consider a user named Adam Carter who attempts to
open a document, Report.doc, in Microsoft Word. In this case, it's not Adam's account that requests access
to Report.doc. Rather, a thread inside the Microsoft Word process requests access by using Adam's access
token. Provided that Adam holds the appropriate permissions, the document opens in Word and Adam is able to
view and possibly edit the contents, depending on the level of permission granted to his user account and
groups.

Access Control Components


Discretionary Access Control List
The Discretionary Access Control List (DACL) is the key component in managing access control to
Windows-based resources. For each resource, the DACL determines which principals have access to that
resource and exactly what level of access they have. A DACL consists of zero or more Access Control
Entries.

Access Control Entry

Each Access Control Entry (ACE) within the DACL defines a specific rule made up of three key elements:

Access type. Either allow or deny.

The SID of the principal to which the rule applies. This is typically the SID of a user or group.

An access mask listing the types of access controlled by the ACE. The mask names the specific
capabilities (such as read, write, modify, and full control) that the SID is allowed or denied.


Note: If a DACL contains no ACEs, access is denied to the object for everyone. This is different from an
object that has no DACL at all (a null DACL): such an object grants full access to everyone. An empty
DACL is the safe case; a null DACL is an exposure.

How Windows Uses DACLs and ACEs to Control Access


The following example shows a DACL for an object in Windows and two threads, running under the context
of different users, attempting to access the object.

Processing ACEs in a DACL


The ACEs within each DACL are processed in the following order:
1. All explicit ACEs are placed in a group before any inherited ACEs. This means that explicitly defined
   permissions always override those inherited from a parent.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child
   object's parent come first, followed by ACEs inherited from the grandparent, and so on.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.

In general, according to these rules, explicitly defined permissions take priority over inherited
permissions, and within those two groups, denied permissions take precedence over allowed permissions.
This order is called canonical order, and the precedence comes from the way the operating system walks
the list: it examines the ACEs from first to last, skipping any ACE whose SID is not in the requester's
access token. An access-denied ACE that covers any of the access still being requested stops the walk and
the request fails; an access-allowed ACE grants the access it covers, and the walk stops with success as
soon as everything requested has been granted. A deny ACE that sits after the allow ACEs that already
satisfied the request is never reached, which is why the DACL must be kept in canonical order. A tool that
writes ACEs out of order can silently turn a deny into no deny at all.
The results for the example below are as follows:

Thread 1, which uses Adam Carter's access token, is denied access to the object.

Thread 2, which uses Bobby Moore's access token, is permitted to Read, Write, and Execute the object.

DACL of the object (ACEs in evaluation order)
ACE   Access type    Principal (SID)      Access
1     Deny Access    Adam Carter          Read, Write, Execute
2     Allow Access   Production Group     Write
3     Allow Access   Everyone Group       Read, Execute

Thread 1 access token: Adam Carter; Marketing Group; Production Group; Research Group
Thread 2 access token: Bobby Moore; Production Group

Although the example does not state whether the permissions are explicitly defined or inherited, you can
see that the Deny Access entry for Read, Write, and Execute takes precedence over any of the Allow Access
entries and so denies Adam's thread access to this object. Adam's membership in the Production Group,
which would give him Write, does not help: the deny entry is reached first. Bobby's thread collects Write
from ACE 2 and Read and Execute from ACE 3, so everything it requested is granted.
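The following PowerShell is an added example, not part of the course text: a small model of the walk the operating system makes through the DACL above, applied to the two threads from the table. It is a simulation written for this page, not the kernel's own routine, and the SIDs, tokens and object are constructed for the example (only S-1-1-0, Everyone, is a real SID).

```powershell
# Added example, not part of the course text: a model of the DACL walk for the example above.

# Rights as bit flags, so that "what is still needed" can be tracked as a mask.
$Read = 1; $Write = 2; $Execute = 4

function New-Ace {
    param([ValidateSet('Allow','Deny')][string]$Type, [string]$Sid, [int]$Mask, [switch]$Inherited)
    New-Object PSObject -Property @{ Type = $Type; Sid = $Sid; Mask = $Mask; Inherited = [bool]$Inherited }
}

# Canonical order: explicit before inherited, and within each of those groups Deny before Allow.
# (The real rules additionally order inherited ACEs by the distance of the ancestor they came from.)
function Sort-Dacl {
    param([object[]]$Dacl)
    $ordered = @()
    foreach ($inherited in $false, $true) {
        foreach ($type in 'Deny', 'Allow') {
            $ordered += @($Dacl | Where-Object { $_.Inherited -eq $inherited -and $_.Type -eq $type })
        }
    }
    $ordered
}

function Test-Access {
    param([string[]]$TokenSids, [object[]]$Dacl, [int]$Desired, [switch]$AsIs)
    if ($Dacl.Count -eq 0) { return 'Denied: empty DACL' }
    $list = $Dacl
    if (-not $AsIs) { $list = Sort-Dacl $Dacl }          # -AsIs evaluates the list exactly as stored
    $remaining = $Desired
    foreach ($ace in $list) {
        if ($TokenSids -notcontains $ace.Sid) { continue }  # ACE is for a SID the token does not hold
        if ($ace.Type -eq 'Deny' -and ($ace.Mask -band $remaining)) {
            return "Denied by Deny ACE for $($ace.Sid)"     # a deny covering anything still wanted ends the walk
        }
        if ($ace.Type -eq 'Allow') { $remaining = $remaining -band (-bnot $ace.Mask) }
        if ($remaining -eq 0) { return 'Granted' }           # everything requested has been allowed
    }
    'Denied: not all requested rights were granted'
}

# Constructed SIDs for the principals in the table; S-1-1-0 is the real SID of Everyone.
$adam = 'S-ADAM'; $bobby = 'S-BOBBY'; $marketing = 'S-MARKETING'
$production = 'S-PRODUCTION'; $research = 'S-RESEARCH'; $everyone = 'S-1-1-0'

$dacl = @(
    (New-Ace Deny  $adam       ($Read -bor $Write -bor $Execute)),   # ACE 1
    (New-Ace Allow $production $Write),                               # ACE 2
    (New-Ace Allow $everyone   ($Read -bor $Execute))                 # ACE 3
)
$thread1 = @($adam,  $marketing, $production, $research, $everyone)   # Everyone is in every token
$thread2 = @($bobby, $production, $everyone)
$wanted  = $Read -bor $Write -bor $Execute

Test-Access $thread1 $dacl $wanted    # Denied by Deny ACE for S-ADAM
Test-Access $thread2 $dacl $wanted    # Granted

# Why the order matters: the same three ACEs with the Deny stored last, evaluated as stored.
$shuffled = @($dacl[1], $dacl[2], $dacl[0])
Test-Access $thread1 $shuffled $wanted -AsIs   # Granted: the allows satisfy the request before the deny is reached
Test-Access $thread1 $shuffled $wanted         # Denied by Deny ACE for S-ADAM once canonical order is restored
```

The last two calls are the practical lesson: the deny entry only protects the object because it is evaluated first. The Windows tools (the Security tab, icacls, the .NET access-control classes) maintain canonical order for you; a DACL written by other means should be checked.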


Note: Objects also have a System Access Control List (SACL) that can contain ACEs just like a DACL.
However, the ACEs in a SACL are used to record access to an object for auditing purposes rather than to
control access as the DACL does. The audit events a SACL describes are generated only when object
access auditing is also enabled in the audit policy.


What Is Access-Based Enumeration?

Key Points
Beginning with Windows Server 2003 Service Pack 1, Windows Server supports access-based enumeration (ABE)
of the folders that a server shares over the network.
When you enable access-based enumeration on a share, users who list the share see only the files and
folders to which they have been granted access; items they have no permission to read are left out of the
listing.
Access-based enumeration provides a more streamlined experience for end users, because they see only files
that they have permission to access, and it keeps folder names, which can themselves be sensitive, from
being shown to users who have no business seeing them.
Note: Access-based enumeration only filters directory listings sent over SMB. It does not change what a
user is permitted to do: access to each item is still decided by the NTFS and share permissions, so it is
not a substitute for setting those permissions correctly, and it has no effect on users who log on to the
server interactively.

Enabling Access-Based Enumeration

To enable access-based enumeration, complete the following steps:
1. Click the Start button, click Administrative Tools, and then click Share and Storage Management.
2. In the main pane of the Share and Storage Management window, right-click one of the shared
   folders, and then click Properties.
3. In the Properties dialog box, click the Advanced button.
4. In the Advanced dialog box, select the Enable access-based enumeration check box.

When the Enable access-based enumeration check box is selected, access-based enumeration is
enabled on the shared folder. This setting is unique to each shared folder on the server.
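As an added example (not part of the course text), the following PowerShell turns access-based enumeration on from the shell and checks which shares still lack it. It assumes the SmbShare PowerShell module, which ships with Windows Server 2012 / Windows 8 and later; on Windows Server 2008 the Share and Storage Management steps above are the supported way. 'Marketing' is an assumed share name.

```powershell
# Added example, not part of the course text: enable ABE per share and audit the rest.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later). 'Marketing' is an assumed share.

Import-Module SmbShare

function Get-ShareEnumerationMode {
    param([Parameter(Mandatory=$true)][string]$Name)
    # FolderEnumerationMode is 'Unrestricted' (no ABE) or 'AccessBased' (ABE on).
    Get-SmbShare -Name $Name | Select-Object Name, Path, FolderEnumerationMode
}

function Enable-AbeOnShare {
    param([Parameter(Mandatory=$true)][string]$Name)
    # The setting is per share, as the text says; -Force suppresses the confirmation prompt.
    Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
    Get-ShareEnumerationMode -Name $Name
}

function Get-SharesWithoutAbe {
    # Administrative shares (C$, ADMIN$, IPC$) are flagged Special and left out of the audit.
    Get-SmbShare | Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' } |
        Select-Object Name, Path, FolderEnumerationMode
}

Get-ShareEnumerationMode -Name 'Marketing'   # Unrestricted before the change
Enable-AbeOnShare -Name 'Marketing'          # AccessBased afterwards
Get-SharesWithoutAbe                          # every remaining share a user can still browse in full
```

The audit at the end is the part worth keeping: because the setting is per share, a new share created later starts out without ABE, and only a periodic check catches it.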


Lesson 2

Managing NTFS File and Folder Permissions

NTFS has been the primary file system of the Windows Server operating system for more than 15 years.
One of the keys to its longevity is the logical and efficient way that NTFS manages file properties like
permissions and the way that NTFS has evolved and enhanced its interaction with Windows operating
systems.
To manage and use a Windows Server environment effectively, you need to know the methods that NTFS
uses to assign and propagate properties to files and folders.

Objectives
After completing this lesson, you will be able to:

Describe NTFS permissions.

Describe standard and advanced permissions.

Discuss NTFS permission inheritance.

Determine the effect of copying or moving files and folders.


What Are NTFS Permissions?

Key Points
NTFS permissions are assigned to files or folders on a storage volume formatted with NTFS. The
permissions assigned to NTFS files and folders govern user access to those files and folders.
The following points describe the key aspects of NTFS permissions:

NTFS permissions can be assigned to an individual file or folder, or to sets of files or folders.

NTFS permissions are assigned to security principals: users, groups, and computers.

NTFS permissions are controlled by allowing or denying specific types of NTFS file and folder access,
such as read or write.

NTFS permissions can be inherited from parent folders. By default, the NTFS permissions assigned to a
folder are also applied to folders and files that are created within that folder.

NTFS Permissions Examples


The following is a basic example of assigning NTFS permissions.
For the Marketing Pictures folder, an administrator has chosen to allow Adam Carter the Read permission.
Under default NTFS permissions behavior, Adam Carter then has Read access to the files and folders
contained in the Marketing Pictures folder.
When NTFS permissions are applied, the results are cumulative. For example, let's continue the given
example and say that Adam Carter is also a member of the Marketing group, and the Marketing group has
been given Write permission on the Marketing Pictures folder. When the permissions assigned to Adam
Carter's user account are combined with those assigned to the Marketing group, Adam has both Read and
Write permissions on the Marketing Pictures folder.

NTFS Permissions: Important Rules


There are a few key rules to examine when working with NTFS permissions.


There are two groupings of NTFS permissions.

Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a
file or a folder take precedence over those that are inherited from a parent folder.

Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions,
any Deny permissions that exist override conflicting Allow permissions within the same group.

Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow

It is important to remember that NTFS permissions are cumulative, and these rules matter only when
two NTFS permission entries conflict with each other. Note that an explicit Allow (order 2) outranks an
inherited Deny (order 3): a Deny set on a parent folder can be overridden on any child by someone who is
able to change that child's permissions.
Note: Further detail regarding conflicting and inherited permissions is covered later in this lesson.

How to Configure NTFS Permissions

You can view and configure NTFS permissions by following these steps:
1. Right-click the file or folder you want to assign permissions for, and then click Properties.
2. In the Properties window, click the Security tab.
   On this tab, you can select each user or group that has been assigned permissions to view the
   specific permissions assigned to that principal.
3. To open an editable permissions dialog box so that you can modify existing permissions or add new
   users or groups, click the Edit button.
Note: More complex permissions settings are discussed later in this lesson.


What Are Standard and Advanced Permissions?

Key Points
Assignable NTFS permissions fall into two categories: Standard and Advanced.

Standard Permissions
Standard permissions provide the most commonly used permission settings for files and folders, and are
presented for assignment in the main NTFS permissions assignment window.
Standard permissions for NTFS files and folders consist of the following:

Permission                 Description
Full Control               Allows the user complete control of the file or folder, including changing
                           its permissions and taking ownership.
Modify                     Allows the user to read, write, execute, and delete the file or folder, but
                           not to change its permissions or take ownership.
Read and Execute           Files: allows the user to read the file and run it if it is a program.
                           Folders: allows the user to see the folder's contents and traverse it to
                           reach items below it.
Read                       Allows the user read-only access: viewing file contents, attributes, and
                           permissions, and listing folder contents.
Write                      Files: allows the user to change the file's contents and attributes.
                           Folders: allows the user to create files and subfolders in the folder.
                           Write on its own does not include the right to delete; deleting requires
                           Modify (or the advanced Delete permission).
List folder contents       Allows the user to see the names of the files and subfolders in the folder
(folders only)             and to traverse it; it gives no access to the contents of the files
                           themselves.

Note: Giving users Full Control permission on a file or a folder not only gives them the ability to
perform any file system operation on the object, but also the ability to change permissions on the
object. They can also remove permissions on the resource for any or all users, including you.


Advanced Permissions
Advanced permissions allow for a much finer level of control over NTFS files and folders. They are reached
from the Security tab of a file's or folder's Properties sheet by clicking the Advanced button.
Advanced permissions for NTFS files and folders consist of the following:

Permission                        Description
Traverse Folder/Execute File      Traverse Folder applies only to folders. It allows or denies moving
                                  through a folder to reach files or folders below it, even when the user
                                  has no other permission on the folder being traversed. It takes effect
                                  only when the user does not hold the Bypass Traverse Checking user
                                  right, which is assigned through Group Policy (User Rights Assignment);
                                  by default that right is given to Everyone, so Traverse Folder rarely
                                  decides anything.
                                  Execute File applies only to files and allows or denies running a
                                  program file. Setting Traverse Folder on a folder does not
                                  automatically set Execute File on the files in it.
List Folder/Read Data             List Folder applies only to folders and allows or denies viewing the
                                  names of the files and subfolders in that folder. It affects only the
                                  folder's contents; it does not control whether the folder itself is
                                  shown in its parent's listing.
                                  Read Data applies only to files and allows or denies viewing the data
                                  in the file.
Read Attributes                   Allows or denies viewing the basic attributes of a file or folder, such
                                  as Read-only and Hidden. Basic attributes are defined by NTFS.
Read Extended Attributes          Allows or denies viewing the extended attributes of a file or folder.
                                  Extended attributes are defined by programs and vary by program.
Create Files/Write Data           Create Files applies only to folders and allows or denies creating
                                  files in the folder.
                                  Write Data applies only to files and allows or denies changing the file
                                  and overwriting existing content.
Create Folders/Append Data        Create Folders applies only to folders and allows or denies creating
                                  subfolders in the folder.
                                  Append Data applies only to files and allows or denies adding data to
                                  the end of the file, but not deleting or overwriting existing data.
Write Attributes                  Allows or denies changing the basic attributes of a file or folder,
                                  such as Read-only or Hidden. It does not by itself allow creating or
                                  deleting files or folders; for those, see Create Files/Write Data,
                                  Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes         Allows or denies changing the extended attributes of a file or folder.
                                  Like Write Attributes, it does not by itself allow creating or deleting
                                  files or folders.
Delete Subfolders and Files       Applies only to folders and allows or denies deleting subfolders and
                                  files within the folder, even when the Delete permission has not been
                                  granted on the subfolder or file itself.
Delete                            Allows or denies deleting the file or folder. A user who has not been
                                  granted Delete on an item can still delete it if granted Delete
                                  Subfolders and Files on the parent folder.
Read Permissions                  Allows or denies reading the permissions (the DACL) set on the file or
                                  folder.
Change Permissions                Allows or denies changing the permissions on the file or folder. A user
                                  with this permission can grant themselves any other permission, so in
                                  practice it is equivalent to Full Control.
Take Ownership                    Allows or denies taking ownership of the file or folder. The owner of a
                                  file or folder can always change its permissions, regardless of any
                                  existing permissions that protect it, so this permission too can be
                                  turned into Full Control.
Synchronize                       Allows or denies different threads waiting on the handle of the file or
                                  folder and synchronizing with another thread that may signal it. This is
                                  relevant only to multithreaded, multiprocess programs; the standard
                                  permissions include it so that files can be opened normally.

Note: Standard permissions are combinations of several individual Advanced permissions, grouped to match
common file and folder usage scenarios.
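To make the note concrete, the following PowerShell is an added example (not part of the course text) that breaks each standard permission into the advanced permissions it is made of, using the bit values stored in the access mask, and then decodes the entries of a real DACL the same way. Only .NET's FileSystemRights enumeration is used and nothing on disk is changed; C:\Windows is used only because it exists on every Windows host.

```powershell
# Added example, not part of the course text: decode standard permissions into advanced ones.

# The advanced permissions, one bit each. The folder-side names of the first four are
# ListDirectory, CreateFiles, CreateDirectories and Traverse; they share the same bits.
$advanced = 'ReadData','WriteData','AppendData','ReadExtendedAttributes','WriteExtendedAttributes',
            'ExecuteFile','DeleteSubdirectoriesAndFiles','ReadAttributes','WriteAttributes',
            'Delete','ReadPermissions','ChangePermissions','TakeOwnership','Synchronize'

function Expand-FileSystemRights {
    # Returns the names of the advanced permissions whose bits are set in $Mask.
    param([Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemRights]$Mask)
    $value = [int]$Mask
    foreach ($name in $advanced) {
        $bit = [int][System.Security.AccessControl.FileSystemRights]$name
        if (($value -band $bit) -eq $bit) { $name }
    }
}

# Standard permissions as unions of advanced ones. (The Security tab's Read also includes
# Synchronize, 0x120089 in total; .NET's Read constant leaves that bit out.)
foreach ($standard in 'Read','Write','ReadAndExecute','Modify','FullControl') {
    $mask = [System.Security.AccessControl.FileSystemRights]$standard
    '{0,-15} 0x{1:X6}  {2}' -f $standard, [int]$mask, ((Expand-FileSystemRights $mask) -join ', ')
}

# The same decoding applied to an existing DACL. Inherit-only entries that carry generic rights show
# up in Get-Acl as large numbers (for example 268435456, GENERIC_ALL) and decode to nothing here;
# they are templates for children, not rights on this folder.
foreach ($ace in (Get-Acl -Path 'C:\Windows').Access) {
    '{0,-6} {1,-40} {2}' -f $ace.AccessControlType, $ace.IdentityReference,
        ((Expand-FileSystemRights $ace.FileSystemRights) -join ', ')
}
```

The first loop prints, for example, that Modify (0x0301BF) is ReadAndExecute plus Write plus Delete, and that FullControl is every advanced bit including ChangePermissions and TakeOwnership; the second loop is a quick way to see which of those two dangerous bits an existing entry carries when the Security tab only shows "Special permissions".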


What Is NTFS Permissions Inheritance?

Key Points
By default, NTFS uses inheritance to propagate permissions throughout a folder structure. When a
file or a folder is created, it automatically receives the inheritable permission entries of its parent
folder, which in turn include the entries the parent inherited from the folders above it.

How Inheritance Is Applied


Consider the following example structure as it applies to Adam Carter and the groups he is a member of.
Adam Carter is a member of the Marketing Group and of New York Editors.

Folder or File               NTFS Permission (set on the object)   Adam's Permissions
Marketing (folder)           Read: Marketing Group                 Read
Marketing Pictures (folder)  None explicitly set                   Read (inherited)
New York (folder)            Write: New York Editors               Read (i) + Write
Fall_Composite.jpg (file)    None explicitly set                   Read (i) + Write (i)

In this example, Adam is a member of two groups that are assigned permissions for files or folders within
the folder structure.

The top-level folder, Marketing, has an entry for the Marketing Group giving them read access.

In the next level, the Marketing Pictures folder has no explicit permissions set, but because of
permissions inheritance, Adam also has Read access to this folder and its contents from the
permissions set on the Marketing folder.


In the third level, the New York folder has Write permission assigned to one of Adam's groups, New
York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits
the Read permission from the Marketing folder. These permissions continue to pass down to file
and folder objects, combining with any explicit permissions set on those files.

The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been
set for this file, Adam has both Read and Write access to the file, due to the inherited permissions
from both the Marketing folder and the New York folder.

Permission Conflicts
It is possible that explicitly set permissions on a file or folder will conflict with permissions inherited from a
parent folder. In these cases, the explicitly assigned permissions will always override the inherited
permissions.
In the given example, if Adam Carter was denied Read access to the Marketing folder, but then explicitly
allowed Read Access to the New York folder, this access permission would take precedence over the
inherited Deny Read access permission.

Blocking Inheritance
It is also possible to disable the inheritance behavior for a file or a folder (and its contents) on an NTFS
volume. This can be done to explicitly define permissions for a set of objects without including any of the
inherited permissions from any parent folders.
Windows provides an option for blocking inheritance on a file or a folder within the Advanced section of
the Security tab. To block inheritance on a file or folder, complete the following steps:
1. Right-click the file or folder where you want to block inheritance and click Properties.
2. In the Properties window, click the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, click the Change Permissions button.
4. In the next window, clear the Include inheritable permissions from this object's parent check box.

Note: At this point, you are prompted to either add the existing permissions as a starting point for your
explicitly assigned permissions or remove existing permissions on the object to start with a blank
permissions slate.

Resetting Default Inheritance Behavior


After inheritance is blocked, permission changes on the parent folder structure no longer affect the
permissions of the object (and its contents) that blocked inheritance, unless that behavior is reset
from one of the parent folders by selecting the Replace all child objects with inheritable permissions
from this object check box. When this box is selected, the existing set of permissions on the current
folder is propagated down to all child objects in the tree structure, overriding all explicitly assigned
permissions for those files and folders. This check box is found directly under the Include inheritable
permissions from this object's parent check box.
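The inheritance behaviour described above (permissions flowing down the Marketing tree, blocking inheritance on one folder, and re-enabling it) can be observed with Get-Acl and Set-Acl. The following is an added example, not code from the course: it builds the Adam Carter folder tree under $env:TEMP and uses BUILTIN\Users as a stand-in for the Marketing Group and New York Editors groups, which are assumed to exist only in the course's Contoso domain; substitute a real group name when running it on a production server.

```powershell
# Added example (not from the course): inspect, block and restore NTFS
# permission inheritance with Get-Acl / Set-Acl. The folder tree is created
# under $env:TEMP. $Identity is an assumption: replace 'BUILTIN\Users' with
# a real group such as 'CONTOSO\Marketing Group'.

$Identity = 'BUILTIN\Users'
$Root     = Join-Path $env:TEMP 'Marketing'
$Pictures = Join-Path $Root 'Marketing Pictures'
$NewYork  = Join-Path $Pictures 'New York'
$File     = Join-Path $NewYork 'Fall_Composite.jpg'

New-Item -ItemType Directory -Path $NewYork -Force | Out-Null
New-Item -ItemType File -Path $File -Force | Out-Null

# Helper: add an explicit Allow ACE that applies to the folder, its subfolders
# and its files (the "This folder, subfolders and files" choice in the UI).
function Grant-FolderRight {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Helper: list the ACEs for one identity, marking each as inherited or explicit.
function Show-Aces {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            $src = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
            '{0,-70} {1,-6} {2,-9} {3}' -f $Path, $_.AccessControlType, $src, $_.FileSystemRights
        }
}

# Explicit Read on the top-level folder, explicit Write on New York, as in
# the course's table.
Grant-FolderRight -Path $Root    -Identity $Identity -Rights 'Read'
Grant-FolderRight -Path $NewYork -Identity $Identity -Rights 'Write'

# Walk down the tree. Marketing Pictures only carries an inherited entry,
# New York carries the inherited Read plus its own explicit Write, and the
# file carries both as inherited entries.
foreach ($p in $Root, $Pictures, $NewYork, $File) { Show-Aces -Path $p -Identity $Identity }

# Block inheritance on New York and keep copies of the inherited entries as
# explicit entries (the "add existing permissions" choice in the prompt).
$acl = Get-Acl -Path $NewYork
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $NewYork -AclObject $acl
Show-Aces -Path $NewYork -Identity $Identity  # nothing is reported as inherited any more

# Re-enable inheritance so that changes made on Marketing flow down again.
$acl = Get-Acl -Path $NewYork
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $NewYork -AclObject $acl
Show-Aces -Path $NewYork -Identity $Identity

Remove-Item -Path $Root -Recurse -Force
```

The IsInherited flag on each access rule is the same information the Advanced Security Settings dialog shows in its "Inherited From" column, which makes Get-Acl a convenient way to audit where a folder's effective entries actually come from before deciding whether blocking inheritance is warranted.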

Effects on NTFS Permissions When Copying or Moving Files and Folders

Key Points
NTFS permissions depend on the NTFS structure to maintain their integrity. When you move or copy files
or folders from their original location, NTFS permissions can be affected, depending on the nature of the
move or copy operation.
Note: It is important to define the move and copy process prior to defining the rules that apply to
moving and copying files.
Moving a file or folder causes the object to be relocated to the new destination. After a move operation
is complete, the file or folder no longer exists in the old location.
Copying a file or folder simply makes a copy of the object and places it in the new destination. The
original copy of the file remains in the same state in the original location.
The following rules apply when moving or copying files or folders to another location:
1. When moving or copying files or folders to another volume, all NTFS permissions are lost. If the
   destination volume is NTFS, your files or folders will inherit the NTFS permissions of the parent folder
   on the destination volume.
   Note: When files are sent to another volume, it is always a copy operation. If you select move from
   the Windows Explorer interface, the actual file operation copies the file to the destination and deletes
   the files from the original location.

2. When copying files or folders to another location on the same NTFS volume, the original NTFS
   permissions assigned to the original objects are lost. The objects inherit NTFS permissions settings
   from the destination parent folder.

3. When moving files or folders to another location on the same NTFS volume, the original explicitly
   defined NTFS permissions are retained for the objects in their new location. If no explicit permissions
   are defined, the objects inherit from their parent folder in the new location.
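Rules 2 and 3 are easy to verify before relying on them in a migration. The following added example (not code from the course) gives two files the same explicit ACE, copies one and moves the other within one NTFS volume, and then compares the explicit entries that survive. It assumes that $env:TEMP sits on a single NTFS volume and uses BUILTIN\Users in place of a real departmental group; rule 1 (a different volume) is not exercised.

```powershell
# Added example (not from the course): observe what happens to an explicit
# NTFS ACE when a file is copied versus moved within one NTFS volume.
# Everything is created under $env:TEMP; 'BUILTIN\Users' stands in for a
# real group and is an assumption.

$Identity = 'BUILTIN\Users'
$Base     = Join-Path $env:TEMP 'AclMoveTest'
$Source   = Join-Path $Base 'Source'
$Dest     = Join-Path $Base 'Dest'
New-Item -ItemType Directory -Path $Source, $Dest -Force | Out-Null

# Returns the identities that hold explicit (non-inherited) Allow entries on
# an object. Only explicit entries are examined here, since those are what
# rules 2 and 3 differ on.
function Get-ExplicitGrantees {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Create two files, each with one explicit Modify ACE for $Identity.
foreach ($name in 'copied.txt', 'moved.txt') {
    $path = Join-Path $Source $name
    Set-Content -Path $path -Value 'constructed sample data'
    $acl  = Get-Acl -Path $path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Modify', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Rule 2: a copy is a brand-new object and takes its ACL from the destination.
Copy-Item -Path (Join-Path $Source 'copied.txt') -Destination $Dest
# Rule 3: a move on the same volume is a rename and keeps explicit entries.
Move-Item -Path (Join-Path $Source 'moved.txt')  -Destination $Dest

$copied = @(Get-ExplicitGrantees -Path (Join-Path $Dest 'copied.txt'))
$moved  = @(Get-ExplicitGrantees -Path (Join-Path $Dest 'moved.txt'))
"copied.txt explicit grantees: $($copied -join ', ')"
"moved.txt  explicit grantees: $($moved -join ', ')"

Remove-Item -Path $Base -Recurse -Force
```

Run it as a user who owns $env:TEMP (any interactive user does). The comparison shows why a "move" of sensitive data into a folder with a looser ACL is a security event worth auditing: the explicit entries on the moved file travel with it, whereas a copy quietly adopts whatever the destination folder grants.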

Lesson 3

Managing Permissions for Shared Resources

Configuring and maintaining NTFS permissions for your file and folder structure is an important part of
administering a file server. However, if your file server must provide those files and folders to your users
on the network, the resources must be set up as shared folders in Windows Server 2008.
Shared folders provide the basis for providing network access to file resources, and their configuration
and deployment should be planned and managed effectively. This lesson will introduce you to the File
Services role in Windows Server 2008 and provide details on sharing and protecting your file structure.

Objectives
After completing this lesson, you will be able to:

Describe the File Services role.

Describe the use of shared folders.

Describe shared folder permissions.

Create shared folders by using Windows Explorer and Share and Storage Management.

Describe offline files.

Describe the file enhancements in Windows Server 2008 R2.

Configure offline file availability and access.

Overview of the File Services Role in Windows Server 2008

Key Points
The File Services role provides not only the ability to share your files and folders, but also helps manage
storage, enable file replication, provide network resources to non-Windows clients, and manage access to
and use of your shared folder structure proactively.
The File Services role consists of the following role services that work together to provide a full-featured
file management solution:

File Server is the core of the File Services role. It manages shared folders and enables users to access
files on the server from the network.

Distributed File System (DFS) allows administrators to configure a distributed system for shared
folders. This distribution allows for the same set of shared folders to be hosted on different servers.
DFS Replication allows you to replicate shared folders between servers, and DFS Namespace makes it
possible to use a single network share address to allow access to multiple physical DFS locations.

File Server Resource Manager (FSRM) enables the management of file usage through quotas, file
screening policies, and storage reports.

Services for Network File System allow you to configure NFS to allow access to your shared folders
from UNIX client computers.

Windows Search Service permits indexing of files and folders on your file server. This allows for more
efficient searches from clients that are compatible with Windows Search Service.

Windows Server 2003 File Services provides file services for Windows Server 2003 computers.

BranchCache for Network Files enables computers in branch offices to cache commonly downloaded
files from shared folders and then provide those files to other computers in the branch office. This
reduces network bandwidth usage and provides faster access to the files. This Role Service is available
only in Windows Server 2008 R2.

Note: The commonly used File Services components (DFS, FSRM, and BranchCache) will be covered in
more detail later in this course.

What Are Shared Folders?

Key Points
Shared folders are the key component of accessing files on your server from the network.
When you share a folder, the folder and all its contents are made available to multiple users
simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS
permissions on the folder's contents. These permissions provide an extra level of security for files
and folders made available on the network.
Most organizations deploy dedicated file servers to host shared folders. You can store files in shared
folders according to categories or functions. For example, you can put shared files for the Sales
department in one shared folder and shared files for the Marketing department in another.
Note: The sharing process happens strictly at the folder level. It is not possible to share only an
individual file or a group of files.

Accessing a Shared Folder


A shared folder is accessed most commonly over the network by using its Universal Naming Convention
(UNC) address, which contains the name of the server the folder is hosted on and the actual shared folder
name, separated by a backslash (\) and preceded by two backslashes (\\). For example, the
UNC name for the Sales shared folder on the NYC-SVR1 server would be:
\\NYC-SVR1\Sales

Sharing a Folder on the Network


Windows Server 2008 provides a number of ways to share a folder.

Using the Provision a Shared Folder Wizard from the Share and Storage Management console.

Using the File Sharing Wizard, either from the folder's right-click menu or by clicking the Share
button on the Sharing tab of the folder's Properties window.

Using Advanced Sharing by clicking the Advanced Sharing button on the Sharing tab of the folder's
Properties window.

Using the net share command from the command line.


Note: When sharing the folder, you will be asked to give the shared folder a name. This name does
not have to be the same name as the actual folder. It can be a descriptive name that better describes
the folder contents to network users.

Administrative Shares
Administrative or hidden shares can be created for shared folders that need to be available from the
network, but not to users browsing the network.
You can access an administrative share by entering its UNC path, but the folder will not show up when
you browse the server by using Windows Explorer. Administrative shares also typically have a more
restrictive set of permissions assigned to the shared folder to reflect the administrative nature of the
folder's contents.
To hide a shared folder, append the dollar symbol ($) to the folder's share name. For example, a shared
folder on NYC-SVR1 named Sales can be made into a hidden share by naming it Sales$. The share is
accessible over the network by using the UNC name:
\\NYC-SVR1\Sales$

Shared Folder Permissions

Key Points
Shared folder permissions apply only to users who access the folder over the network. They do not affect
users who access the folder locally on the computer where the folder is stored.
Just like NTFS permissions, you can assign shared folder permissions to user, group, or computer objects.
However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or
folders within the shared folder. Shared folder permissions are set once for the shared folder itself and
apply universally to the entire contents of the shared folder for users who access the folder over the
network.
The following permissions can be applied to a shared folder:
Shared Folder Permission   Description
Read                       Users can display folder and file names, display file data and
                           attributes, run program files and scripts, and navigate the folder
                           structure within the shared folder.
Change                     Users can create folders, add files to folders, change data in files,
                           append data to files, change file attributes, delete folders and files,
                           and perform all tasks permitted by the Read permission.
Full Control               Users can change file permissions, take ownership of files, and
                           perform all tasks permitted by the Change permission.

Note: When you assign Full Control permission on a shared folder to a user, that user can modify
permissions on the shared folder, which includes removing all users, including you, from the shared
folder's permissions list. In most cases, Change permission should be assigned instead of Full Control.
When a shared folder is created, the default assigned shared permission is Read for the Everyone group.

By default, Windows Server 2008 allows the following groups to create shared folders: Administrators and
Server Operators.
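The net share command listed earlier is the quickest way to create a share with a deliberate permission list rather than the default Everyone: Read, and to see every share, hidden ones included, that a server exposes. The following is an added example, not code from the course; the C:\Shares\Sales path and the CONTOSO\Sales group are assumptions, and the arguments are single-quoted so that PowerShell hands them to net.exe unchanged (a bare $ or comma would otherwise be interpreted by the shell).

```powershell
# Added example (not from the course): create, inspect and remove shares with
# net share, and apply the Change-rather-than-Full-Control advice. Run in an
# elevated prompt on the file server. Path and group name are assumptions.

New-Item -ItemType Directory -Path 'C:\Shares\Sales' -Force | Out-Null

# With no /GRANT the new share gets the default share permission, Everyone: Read.
net share 'Sales=C:\Shares\Sales'
net share Sales              # per-share view: path, remark, user limit, caching
net share Sales /DELETE

# Re-create it with an explicit permission list: the department group gets
# Change (create, modify, delete files) and only Administrators get Full
# Control, so ordinary users cannot rewrite the share's own permissions.
net share 'Sales=C:\Shares\Sales' '/GRANT:CONTOSO\Sales,CHANGE' '/GRANT:Administrators,FULL'

# A hidden share: the trailing $ only removes it from the browse list. It is
# still reachable as \\NYC-SVR1\Sales$ by anyone holding share and NTFS
# rights, so it needs the same restrictive permission list as a visible share.
net share 'Sales$=C:\Shares\Sales' '/GRANT:CONTOSO\Sales,CHANGE' '/GRANT:Administrators,FULL'

# net share with no arguments lists every share on the server, including the
# hidden ones, which is the simplest inventory of what the server exposes.
net share

# Clean up. Deleting a share never touches the folder or its NTFS permissions.
net share Sales /DELETE
net share 'Sales$' /DELETE
```

Because share permissions are applied once for the whole share, the permission list passed with /GRANT is the one security boundary that covers every file under C:\Shares\Sales when it is reached over the network; the NTFS permissions on individual files still apply underneath it.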
Question: Can you list at least one example of when an administrator might give Full Control permissions
to a user for a shared folder?

Demonstration: Creating Shared Folders

Key Points
In this demonstration, you will see how to:

Create a shared folder and assign permissions by using Windows Explorer.

Create a shared folder and assign permissions by using the Share and Storage Management console.

Demonstration Steps:
1. Open Windows Explorer.
2. Create a new folder named C:\Research.
3. Share the folder by using the Advanced Sharing button on the Sharing tab of the properties
   window.
4. Assign Change permission to the Contoso\Research group.
5. Open the Share and Storage Management console.
6. Use the Provision a Shared Folder Wizard to create and share the C:\Marketing folder, giving
   Change permissions to the Contoso\Marketing group.

Offline File Configuration

Key Points
Windows Server 2008 provides the ability to cache network files for offline use. Files can be made available
for clients to cache locally, so the files are available for use when the client computer is disconnected from
the network.
Offline files and folders can be edited or modified by the client, and the changes are then synchronized
with the network copy of the files the next time the client is reconnected to the network. The
synchronization schedule and behavior of offline files is controlled by the client operating system.
Offline files are available to Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows
Server 2008 and Windows Server 2008 R2 clients.
On a Windows Server 2008 computer, the Caching button in the Advanced Sharing window brings up the
Offline Settings window for a shared folder. The following options are available within the Offline Settings
window:

Only the files and programs that users specify are available offline. This is the default option
when you set up a shared folder. When you use this option, no files or programs are available offline
by default, and users control which files and programs they want to access when they are not
connected to the network.
Note: There is an Enable BranchCache option that enables BranchCache for the shared folder.
BranchCache will be discussed in more detail later in this course.

No files or programs from the shared folder are available offline. This option blocks Offline Files
on the client computers from making copies of the files and programs on the shared folder.
All files and programs that users open from the shared folder are automatically available
offline. Whenever a user accesses the shared folder or volume and opens a file or program in it, that
file or program is automatically made available offline to that user. Files and programs that are

automatically made available offline remain in the Offline Files cache and synchronize with the
version on the server until the cache is full or the user deletes the files. Files and programs that are
not opened are not available offline.
If you select the Optimized for performance check box, executable files (EXE, DLL) that are run from
the shared folder by a client computer are automatically cached on that client computer. The next
time the client computer runs the executable files, it will access its local cache instead of the shared
folder on the server.
Note: The Offline Files feature must be enabled on the client computer for files and programs to be
automatically cached. In addition, the Optimized for performance option does not have any effect on
client computers that use Windows Vista or later as these operating systems automatically perform
the program-level caching specified by this option.
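The choices in the Offline Settings window correspond to the /CACHE option of net share, so a share's offline behaviour can be set and, more usefully, audited from the command line without opening each folder's Sharing tab. The following is an added example, not code from the course; the C:\Shares\Mod03 path and the CONTOSO\Research group are assumptions.

```powershell
# Added example (not from the course): set and read back the offline caching
# setting of a share with net share /CACHE. Run elevated on the file server.
# Path and group are assumptions.

New-Item -ItemType Directory -Path 'C:\Shares\Mod03' -Force | Out-Null

# Create the share with the dialog's default, "Only the files and programs
# that users specify are available offline" (manual caching).
net share 'Mod03=C:\Shares\Mod03' '/GRANT:CONTOSO\Research,CHANGE' '/CACHE:Manual'

# "No files or programs from the shared folder are available offline": the
# setting to use when the data must not be left behind in client-side caches.
net share Mod03 '/CACHE:None'

# "All files and programs that users open from the shared folder are
# automatically available offline" (automatic caching of documents).
net share Mod03 '/CACHE:Documents'

# The same with "Optimized for performance" selected: executables run from
# the share are cached as well (Windows Vista and later do this regardless).
net share Mod03 '/CACHE:Programs'

# "Enable BranchCache" (Windows Server 2008 R2 and later only).
net share Mod03 '/CACHE:BranchCache'

# Read the setting back: the per-share listing includes a "Caching" line.
net share Mod03

net share Mod03 /DELETE
```

Listing each share's Caching line in this way is a quick check that folders holding sensitive data have not been left at the default, which lets any user who can read the share pin copies of its files to an unmanaged laptop.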
Question: Which client computer type would make the best use of offline files?

Offline File Enhancements in Windows Server 2008 R2

Key Points
New features introduced in Windows Server 2008 R2 and Windows 7 further enhance the offline file and
folder experience, providing optimized offline file synchronization and access to improve the end-user
offline files experience.

Fast First Logon


Fast first logon is a new feature in Windows Server 2008 R2 and Windows 7 that runs the offline file
synchronization process in the background the first time a user logs on after offline files have been
designated through Group Policy. Prior to Windows 7, after a policy was applied, the user had to wait
while the contents of the folder were moved to the new location. This process could take a considerable
amount of time if there was a large amount of data to move and the network was slow. On Windows 7,
the user must wait only for Windows to move the files into the local Offline Files cache. After the files are
moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached
data over the network as a background task.

Usually Offline Support with Background Sync


This feature provides remote and branch office users with faster access to files that are located in a
network folder across a slow network connection. Windows 7 enhances this feature by including
Background Sync, a feature that synchronizes offline files in the background, ensuring that the server is
frequently updated with the latest changes.
When a client computer's network connection to a server is slow (as configured by the administrator),
offline files automatically transition the client computer into an Offline (slow connection) mode. The user
then works from the local Offline Files cache. On Windows 7, Background Sync runs at regular intervals as
a background task to automatically synchronize and reconcile changes between the client computer and
the server. IT administrators can configure synchronization intervals and block-out times. With this
feature, users no longer must worry about manually synchronizing their data with the server when
working offline.

Exclusion List
The Exclusion List feature allows for the exclusion of certain file types (large audio or video files) from the
Offline Files synchronization process on Windows 7 clients. This reduces synchronization overhead and
disk space usage on the server and speeds up backup and restore operations. The list of file types is
configured by using Group Policy.

Transparent Caching
With transparent caching, the first time a user opens a file in a shared folder, Windows 7 reads the file
from the server and then stores it in the Offline Files cache on the local hard disk drive. The subsequent
times that a user opens the same file, Windows 7 retrieves the cached file from the hard disk drive instead
of reading it from the server. To provide data integrity, Windows 7 always contacts the server to ensure
that the cached copy is up to date. The cache is never accessed if the server is unavailable, and updates to
the file are always written directly to the server.
Transparent caching is not enabled by default. IT administrators can use a Group Policy setting to enable
transparent caching, improve the efficiency of the cache, and configure the amount of hard disk drive
space that the cache uses.
Note: All the features mentioned in this topic require the client computer to be running Windows 7
Professional, Enterprise, or Ultimate edition. The features also apply to Windows Server 2008 R2
computers acting as offline files clients.

Demonstration: Configuring Offline File Access

Key Points
In this demonstration, you will see how to:

Configure offline files for a shared folder.

Make offline files available on a client operating system.

Demonstration Steps:
1. On the server, open Windows Explorer.
2. Share the E:\Labfiles\Mod03 folder as Mod03 by using the Advanced Sharing button on the
   Sharing tab of the properties window.
3. In the Caching settings, make the folder's contents available for offline synchronization.
4. On the client computer, map a network drive N to \\NYC-SVR1\Mod03.
5. Right-click the mapped network drive and make the files available for offline use.

Lesson 4

Determining Effective Permissions

Assigning permissions for a single user or a group on a single resource is a straightforward task, and it is
not difficult to determine the results. However, in a typical enterprise environment, permission
assignments are not often simple. Multiple group membership, blocked inheritance and combined NTFS
and shared folder permissions can make determining the actual permissions a user is assigned a complex
task.

Objectives
After completing this lesson, you will be able to:

Describe factors that influence effective NTFS permissions.

Determine effective NTFS permissions.

Describe the effects of combining NTFS and Shared Folder permissions.

Determine the effect of combining Shared Folder and NTFS permissions.

Describe best practices for implementing NTFS and Shared folder permissions.

What Are Effective NTFS Permissions?

Key Points
Effective NTFS permissions refer to the cumulative permissions given to a user for an object in relation to
both explicitly defined and inherited permissions allocated to the object for a user and any groups the
user has membership in.
The following principles determine effective permissions:

Cumulative permissions are the combination of the highest NTFS permissions granted to the
user and all the groups of which the user is a member. For example, if a user is a member of a
group that has Read permission and a member of a group that has Modify permission, the user has
Modify permission.

Deny permissions override equivalent Allow permissions. An explicit Allow permission can
override an inherited deny permission. For example, if a user is denied write access to a folder, but is
explicitly allowed write access to a subfolder or a particular file, the explicit Allow overrides the
inherited Deny.

Permissions can be applied to a user or a group. Assigning permissions to groups is preferred
because managing a group's permissions is more efficient than managing the permissions of many
individual users.

NTFS file permissions take priority over folder permissions. For example, if a user has Modify
permission to a folder, but only has Read permission to certain files in that folder, the effective
permission for those files will be Read.

Every object in an NTFS volume or in Active Directory has an owner. The owner controls how
permissions are set on the object and to whom permissions are granted. For example, a user can
create a file in a folder where the user typically has Modify permission. However, because that user
created the file, the user can change its permissions, and can therefore grant himself or herself Full
Control over the file.
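The principles above can be expressed as a short evaluation procedure: Windows keeps the ACEs of an object in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and, for each right bit, the first matching ACE decides. That ordering is what makes Allow rights from several groups cumulative while an explicit Allow still beats an inherited Deny. The following is an added teaching model, not the course's code and not Windows' own access check; the ACEs and group memberships are constructed from the Adam Carter example earlier in this module.

```powershell
# Added example (not from the course): a model of effective-rights evaluation
# over the ACEs of one object. The ACEs and memberships below are constructed
# sample data taken from the course's Adam Carter scenario; the functions are
# a teaching model, not Windows' own access check.

# One ACE: who, which rights, Allow/Deny, and whether it was inherited.
function New-Ace {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
          [bool]$Inherited = $false)
    [pscustomobject]@{ Identity = $Identity; Rights = $Rights; Type = $Type; Inherited = $Inherited }
}

# Computes the rights a user ends up with, given the ACEs on an object and the
# groups the user belongs to.
function Get-ModeledEffectiveRights {
    param([object[]]$Aces, [string]$User, [string[]]$Groups)
    $principals = @($User) + $Groups
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    # Allow. Walking in this order, the first ACE that mentions a right bit
    # settles that bit, which is why an explicit Allow beats an inherited Deny
    # and an explicit Deny beats everything.
    $ordered = @($Aces | Where-Object { -not $_.Inherited -and $_.Type -eq 'Deny'  }) +
               @($Aces | Where-Object { -not $_.Inherited -and $_.Type -eq 'Allow' }) +
               @($Aces | Where-Object {      $_.Inherited -and $_.Type -eq 'Deny'  }) +
               @($Aces | Where-Object {      $_.Inherited -and $_.Type -eq 'Allow' })
    [int]$granted = 0
    [int]$decided = 0
    foreach ($ace in $ordered) {
        if ($principals -notcontains $ace.Identity) { continue }
        $bits = [int]$ace.Rights -band (-bnot $decided)         # bits not yet settled
        if ($ace.Type -eq 'Allow') { $granted = $granted -bor $bits }   # Allows accumulate
        $decided = $decided -bor $bits
    }
    [System.Security.AccessControl.FileSystemRights]$granted
}

# True when every bit of $Right is present in the effective rights.
function Test-ModeledRight {
    param($Effective, [System.Security.AccessControl.FileSystemRights]$Right)
    ([int]$Effective -band [int]$Right) -eq [int]$Right
}

$adam   = 'Adam Carter'
$groups = 'Marketing Group', 'New York Editors'

# The New York folder from the inheritance table: inherited Read from
# Marketing (granted to Marketing Group) plus explicit Write for New York
# Editors. The model reproduces the "Read (i) + Write" row.
$newYorkAces = @(
    (New-Ace -Identity 'Marketing Group'  -Rights 'Read'  -Type Allow -Inherited $true),
    (New-Ace -Identity 'New York Editors' -Rights 'Write' -Type Allow -Inherited $false)
)
$eff = Get-ModeledEffectiveRights -Aces $newYorkAces -User $adam -Groups $groups
"New York: Read={0} Write={1}" -f (Test-ModeledRight $eff Read), (Test-ModeledRight $eff Write)

# The Permission Conflicts case: inherited Deny Read from Marketing, explicit
# Allow Read on New York. The explicit Allow takes precedence.
$conflictAces = @(
    (New-Ace -Identity $adam -Rights 'Read' -Type Deny  -Inherited $true),
    (New-Ace -Identity $adam -Rights 'Read' -Type Allow -Inherited $false)
)
$eff = Get-ModeledEffectiveRights -Aces $conflictAces -User $adam -Groups @()
"Conflict: Read={0}" -f (Test-ModeledRight $eff Read)

# Deny beats an equivalent Allow: a group grants Modify, but an explicit Deny
# Write on the user removes the write bits while leaving Read intact.
$denyAces = @(
    (New-Ace -Identity $adam             -Rights 'Write'  -Type Deny  -Inherited $false),
    (New-Ace -Identity 'Marketing Group' -Rights 'Modify' -Type Allow -Inherited $false)
)
$eff = Get-ModeledEffectiveRights -Aces $denyAces -User $adam -Groups $groups
"Deny Write: Read={0} Write={1}" -f (Test-ModeledRight $eff Read), (Test-ModeledRight $eff Write)
```

The model deliberately leaves out ownership and privileges such as SeBackupPrivilege, which let a principal bypass the DACL entirely; when an Effective Permissions result looks wrong, those two are the first things to check after group membership.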

Effective Permissions Tool


Windows Server 2008 provides a tool (Effective Permissions) that shows effective permissions, which are
cumulative permissions based on group membership. You can access this tool by using the following
steps:
1. Right-click the file or folder that you want to analyze permissions for and then click Properties.
2. In the Properties window, click the Advanced button.
3. In the Advanced Security Settings window, click the Effective Permissions tab.
4. Choose a user or group to evaluate by using the Select button.

Discussion: Determining Effective NTFS Permissions

Key Points
In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions. You need to discuss the possible solutions to the scenario in class.

Scenario
Adam is a member of the Marketing group and the Sales group. The graphic on the slide shows folders
and files on the NTFS partition.
Question: The Marketing group has Write permission, and the Sales group has Read permission for the
Reports folder. Which permissions does Adam have for the Reports folder?
Question: The Marketing group has Read permission for the Reports folder. The Sales group has Write
permission for the New York folder. Which permissions does Adam have for the Region file?
Question: The Marketing group has Modify permission for the Reports folder. The Region file should be
available only to the Sales group, and the Sales group should only be able to read the Region file. What
do you do to ensure that the Sales group has only Read permission for the Region file?

Effects of Combining Shared Folder and NTFS Permissions

Key Points
When enabling access to network resources on an NTFS volume, use the most restrictive NTFS permissions
to control access to folders and files, combined with the most restrictive shared folder permissions that
control network access.
NTFS and shared folder permissions work together to control access to file and folder resources accessed
from the network.

How Combining NTFS and Shared Folder Permissions Works


The key rule to remember when applying NTFS and shared folder permissions is that the more restrictive of the two permission sets dictates the access a user has to a file or folder where both shared folder permissions and NTFS permissions are applied.
If a user has Full Control permissions on an NTFS folder but the shared folder permissions are set to Read,
that user will be able to obtain Read permissions to the file when accessing the folder over the network.
Access is restricted at the shared folder level, and any greater access at the NTFS permissions level does
not apply. Likewise, if the shared folder is set to Full Control, and the NTFS permissions are set to Write,
the user runs into no restrictions at the shared folder level, but the NTFS permissions on the folder will
allow only Write permissions for that folder.
The user must have appropriate permissions on both the NTFS resource and the shared folder. If no
permissions exist for the user on either resource, access is denied.
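The rules from the Effective Permissions topic (cumulative Allow, Deny over Allow, explicit Allow over inherited Deny) and the share-plus-NTFS combination rule above, modelled as an added PowerShell example that is not course material. The user Alice, the Staff group, the Projects folder and Plan.txt are constructed names, and the mapping of share permission levels onto NTFS rights is an approximation chosen for the model.

```powershell
# Added example, not part of the course: a model of how Windows evaluates NTFS
# access control entries (ACEs) and how the result is then combined with share
# permissions for a network client. It uses the real .NET FileSystemRights flags,
# so "Modify includes Read and Write" holds exactly as it does on an NTFS volume.

function New-Ace {
    param(
        [string]$Principal,                                        # user or group name
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('Allow', 'Deny')][string]$Type,
        [bool]$Inherited = $false                                  # $true = inherited from the parent
    )
    New-Object PSObject -Property @{
        Principal = $Principal; Rights = $Rights; Type = $Type; Inherited = $Inherited
    }
}

function Get-EffectiveNtfsRights {
    param([string]$User, [string[]]$Groups, [object[]]$Acl)
    $principals = @($User) + $Groups
    # Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # Walking the list in that order reproduces the course rules: Allow entries for the
    # user and all groups accumulate, a Deny beats an Allow at the same level, and an
    # explicit Allow beats an inherited Deny because it is evaluated first.
    $ordered = $Acl | Sort-Object @{ Expression = { [int]$_.Inherited * 2 + [int]($_.Type -eq 'Allow') } }
    [int]$granted = 0
    [int]$denied  = 0
    foreach ($ace in $ordered) {
        if ($principals -notcontains $ace.Principal) { continue }
        $bits = [int]$ace.Rights
        if ($ace.Type -eq 'Allow') {
            $granted = $granted -bor ($bits -band (-bnot $denied))   # only bits not already denied
        } else {
            $denied  = $denied  -bor ($bits -band (-bnot $granted))  # only bits not already granted
        }
    }
    return [System.Security.AccessControl.FileSystemRights]$granted
}

function Get-EffectiveNetworkRights {
    param(
        [System.Security.AccessControl.FileSystemRights]$NtfsRights,
        [ValidateSet('Read', 'Change', 'FullControl')][string]$SharePermission
    )
    # Share permission levels expressed as NTFS rights (an approximation chosen for
    # this model) so the two sets can be intersected: the more restrictive one wins.
    $shareBits = switch ($SharePermission) {
        'Read'        { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'Change'      { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        'FullControl' { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    return [System.Security.AccessControl.FileSystemRights]([int]$NtfsRights -band $shareBits)
}

function Test-Right {
    # True when every bit of $Wanted is present in $Rights.
    param([System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.FileSystemRights]$Wanted)
    return (([int]$Rights -band [int]$Wanted) -eq [int]$Wanted)
}

# Constructed scenario (all names are placeholders): Alice is a member of Staff.
$user = 'Alice'; $groups = @('Staff')

# ACL of the Projects folder: Staff may Modify, but Alice is explicitly denied Write.
$folderAcl = @(
    (New-Ace 'Staff' 'Modify' 'Allow'),
    (New-Ace 'Alice' 'Write'  'Deny')
)
# ACL of Projects\Plan.txt: the folder's entries arrive as inherited ACEs, and the
# file carries an explicit Allow Write for Alice (the "explicit Allow overrides an
# inherited Deny" case described in the course).
$fileAcl = @(
    (New-Ace 'Staff' 'Modify' 'Allow' $true),
    (New-Ace 'Alice' 'Write'  'Deny'  $true),
    (New-Ace 'Alice' 'Write'  'Allow')
)

$onFolder = Get-EffectiveNtfsRights $user $groups $folderAcl
$onFile   = Get-EffectiveNtfsRights $user $groups $fileAcl
"Projects folder, logged on locally: Read = $(Test-Right $onFolder 'Read'), Write = $(Test-Right $onFolder 'Write')"
"Plan.txt, logged on locally:        Read = $(Test-Right $onFile 'Read'), Write = $(Test-Right $onFile 'Write')"

# The same file reached through a share that grants only Read: the share permission
# is the more restrictive of the two, so Write is lost even though NTFS allows it.
$overShare = Get-EffectiveNetworkRights $onFile 'Read'
"Plan.txt, via a Read share:          Read = $(Test-Right $overShare 'Read'), Write = $(Test-Right $overShare 'Write')"
```

The Effective Permissions tab performs the same walk over the real ACL; this model is useful for reasoning about a planned ACL before it is applied.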

Discussion: Determining Effective NTFS and Shared Folder Permissions

Key Points
In this discussion, you will determine effective NTFS and shared folder permissions.

Scenario
The figure shows two shared folders that contain folders or files that have NTFS permissions. Look at each example and determine a user's effective permissions.
In the first example, the Users folder has been shared, and the Users group has the shared folder permission Full Control. User1, User2, and User3 have been granted the NTFS permission Full Control only to their own folder. These users are all members of the Users group.
Question: In diagram 1, discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2's directory? Give reasons. How does using the share permission instead of the NTFS permission prevent users from accessing other users' directories?
Question: In diagram 2, you have shared the Data folder to the Sales group, granting Full Control permissions. Within the Data directory, you have given the Sales group Read permissions on the NTFS Sales folder. When users in the Sales group try to save a file in the \Data\Sales directory, they get an access-denied error. Give reasons. Which permission must be changed, and why?

Considerations for Implementing NTFS and Shared Folder Permissions

Key Points
Here are several considerations to make administering permissions more manageable:

- Grant permissions to groups instead of users. Individuals can always be added to or removed from a group, whereas permissions assigned on a case-by-case basis are difficult to track.

- Use Deny permissions only when necessary. Because Deny permissions are inherited exactly like Allow permissions, assigning a Deny permission to a folder can result in users not being able to access files lower in the folder structure. Deny permissions should be assigned in the following situations:
  - To exclude a subset of a group that has Allow permissions.
  - To exclude one specific permission when you have already granted Full Control permissions to a user or a group.

- Never deny the Everyone group access to an object. If you deny Everyone access to an object, you also deny administrators access. Instead, remove the Everyone group, as long as you grant permissions for the object to other users, groups, or computers.

- Grant permissions to an object that is as high in the folder structure as possible so that the security settings are propagated throughout the tree. For example, instead of bringing together groups representing all departments of the company on a Read folder, assign Domain Users (a default group that contains all user accounts in the domain) to the share. In this way, you eliminate the need to update department groups before new users receive access to the shared folder.

- Use NTFS permissions instead of shared folder permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level, and then use NTFS permissions to assign more specific permissions.

Lab: Managing Access to File Services

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.
6. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario
Contoso, Ltd. has recently deployed a new file server, NYC-SVR1, to its New York location. The New York office has staff from both the Production and Research departments. Both departments require the ability to save their documents to the new file server. Their files will be created in the E:\Labfiles\Mod03 folder.
The Production department works together on tasks and projects, and all members need the ability to save files to the folder from their desktops. Any member of the Production team should be able to modify the folders saved by anyone in the Production department. The Production department manager, Susanna Stubberod, needs a folder configured for her monthly reports, so that her staff can view the reports but only she can make changes to the files in the folder.
The Research department needs a folder to store the project results. All project results will be saved directly to the server locally from an application installed on NYC-SVR1. All members of the Research department should be able to modify the files if they are logged on to NYC-SVR1. The Research department also needs to access its files from the network, but no changes should be allowed to the files, because that will interfere with the application. Max Stevens of the Research department also uses a laptop, NYC-CL1, which he frequently takes offsite. He needs access to the Research department files when he is not connected to the network.
The main tasks for this exercise are as follows:
1. Planning the shared folder implementation.
2. Implementing the shared folder structure.
3. Evaluating the shared folder structure.

Exercise 1: Planning a Shared Folder Implementation (Discussion)


In this exercise, you will discuss and determine the best solutions for a shared folder implementation.

Discussion Questions:
1. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario?
2. Which NTFS permissions should be assigned to the Production department's folder structure to fulfill the scenario requirements? Which permissions should be assigned to the shared folder?
3. Which NTFS permissions should be assigned to the Research department's folder structure to fulfill the scenario requirements? Which permissions should be assigned to the shared folder?
4. How will you make the Research department's files available to Max Stevens when he is offsite with NYC-CL1?

Result: In this exercise, you discussed and determined solutions for a shared folder implementation.

Exercise 2: Implementing a Shared Folder Implementation


In this exercise, you will create the shared folder implementation based on the discussions in the previous exercise.
The main tasks are as follows:
1. Verify the File Services role on NYC-SVR1.
2. Create a shared folder structure by using Windows Explorer.
3. Create a shared folder structure by using the Share and Storage Management console.
4. Configure offline files.

Task 1: Verify the File Services Role on NYC-SVR1
1. On NYC-SVR1, open Server Manager.
2. Verify that the File Services role has been installed with the File Server role service.
3. Close Server Manager.

Task 2: Create a shared folder structure by using Windows Explorer
1. On NYC-SVR1, open Windows Explorer.
2. Create the E:\Labfiles\Mod03\Production folder and assign the Production group Full Control permissions.
3. Share the Production folder, assign the Contoso\Production group Change permissions on the shared folder, and remove the Everyone group.
4. Create a new text document in E:\Labfiles\Mod03\Production.
5. Create the E:\Labfiles\Mod03\Production\Reports folder and create a new text document in E:\Labfiles\Mod03\Production\Reports named Report1.txt.
6. Assign Susanna Stubberod Full Control permissions on the E:\Labfiles\Mod03\Production\Reports folder. Block permissions inheritance to ensure that no other users have permissions on this folder.

Task 3: Create shared folders by using the Share and Storage Management console
1. On NYC-SVR1, open the Share and Storage Management console.
2. Run the Provision a Shared Folder Wizard to provision a share named Research located at E:\Labfiles\Mod03\Research.
3. Assign the following NTFS permissions to the E:\Labfiles\Mod03\Research folder: Full Control for the Research group.
4. Assign the following shared folder permissions to the Research shared folder: Read for the Research group.

Task 4: Configure Offline Files
1. Log on to NYC-CL1 as Contoso\Max, with password Pa$$w0rd.
2. Map the \\NYC-SVR1\Research network location to the R: drive.
3. Configure drive R to be always available offline.


Results: In this exercise, you implemented a shared folder structure.
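The folder and share structure of Tasks 2 and 3, built from the command line instead of the Windows Explorer and Share and Storage Management dialogs, as an added example that is not part of the course lab. It assumes an elevated PowerShell 2.0 session on NYC-SVR1 with Get-Acl, Set-Acl and net share (all present on Windows Server 2008 R2), uses the lab's own paths and group names, and additionally keeps SYSTEM and Administrators on the Reports folder, which the lab step does not mention, so the folder stays manageable in line with the module's advice never to lock administrators out.

```powershell
# Added example, not part of the course lab: Exercise 2, Tasks 2 and 3 built from an
# elevated PowerShell 2.0 session on NYC-SVR1 with Get-Acl/Set-Acl and net share,
# all present on Windows Server 2008 R2. Paths and group names are the lab's own.
$root = 'E:\Labfiles\Mod03'

function Grant-NtfsAccess {
    param([string]$Path, [string]$Identity, [string]$Rights)
    # Allow ACE on the folder that its subfolders and files inherit.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-Folder {
    param([string]$Path, [string[]]$Identities)
    # Block inheritance, discard the inherited entries, and grant Full Control only to
    # the listed identities. SYSTEM and Administrators are kept (an addition to the
    # lab step) so the folder stays manageable, per the module's advice never to deny
    # administrators access.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # $true = block inheritance, $false = drop inherited ACEs
    foreach ($id in $Identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Task 2: Production folder with NTFS Full Control for the Production group, plus a
# text document (the file name is constructed; the lab does not name it).
New-Item -Path "$root\Production" -ItemType Directory -Force | Out-Null
Grant-NtfsAccess -Path "$root\Production" -Identity 'Contoso\Production' -Rights 'FullControl'
New-Item -Path "$root\Production\Note.txt" -ItemType File -Force | Out-Null

# Share it with Change for Contoso\Production. /GRANT is quoted so PowerShell does not
# split the argument at the comma; with /GRANT the share is created with the listed
# entry rather than the default Everyone entry (verify with "net share Production").
net share "Production=$root\Production" '/GRANT:Contoso\Production,CHANGE'

# Reports subfolder with Report1.txt; Susanna gets Full Control and inheritance is blocked.
New-Item -Path "$root\Production\Reports" -ItemType Directory -Force | Out-Null
New-Item -Path "$root\Production\Reports\Report1.txt" -ItemType File -Force | Out-Null
Protect-Folder -Path "$root\Production\Reports" `
    -Identities 'Contoso\Susanna', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# Task 3: Research folder, NTFS Full Control for the Research group (the application
# writes locally), but the share grants only Read so network clients cannot change files.
New-Item -Path "$root\Research" -ItemType Directory -Force | Out-Null
Grant-NtfsAccess -Path "$root\Research" -Identity 'Contoso\Research' -Rights 'FullControl'
net share "Research=$root\Research" '/GRANT:Contoso\Research,READ'

# Verification: only the explicit entries should remain on Reports, and net share lists
# each share's permissions.
(Get-Acl "$root\Production\Reports").Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
net share Production
net share Research
```

Task 4 (mapping drive R on NYC-CL1 and marking it always available offline) is a client-side step and is not covered by this script.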

Exercise 3: Evaluating the Shared Folder Implementation


In this exercise, you will evaluate the shared folder implementation you created in the previous exercise.

Task 1: Test Research Folder Permissions
1. If necessary, log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd.
2. Test to ensure that Max cannot create any new documents in the Research folder (drive R).
3. Log off of NYC-CL1.

Task 2: Test Production Shared Folder Permissions
1. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd.
2. Test to ensure that Scott has Full Control to \\NYC-SVR1\Production and no access to \\NYC-SVR1\Production\Reports.
3. Log off NYC-CL1.
4. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd.
5. Test to ensure that Susanna has Full Control to \\NYC-SVR1\Production and \\NYC-SVR1\Production\Reports.
6. Log off NYC-CL1.


Results: In this exercise, you evaluated a shared folder implementation.

To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.

Module Review and Takeaways

Review Questions
1. What is a common reason to use advanced NTFS permissions rather than the standard set of NTFS permissions?
2. What advantages does creating a shared folder by using the Share and Storage Management tools have over using Windows Explorer?

Windows Server 2008 R2 Features Introduced in this Module
Windows Server 2008 R2 feature: Offline Files enhancements
Description: New features that enhance the Offline Files experience for Windows Server 2008 R2 and Windows 7 computers.

Tools
Tool: Share and Storage Management Console
Use for: Provisioning shared folders and storage objects
Where to find it: Installed with the File Services role and found on the Administrative Tools menu.

Module 4
Configuring and Managing Distributed File System
Contents:
Lesson 1: Distributed File System Overview   4-3
Lesson 2: Configuring DFS Namespaces   4-14
Lesson 3: Configuring DFS Replication   4-20
Lab: Installing and Configuring Distributed File System   4-28

Module Overview

Many organizations maintain a large number of file servers containing vast amounts of data needed by
users. With so many file resources on the network, it is often a challenge for users to locate files quickly
and efficiently.
Larger enterprise organizations may manage multiple data sites, which often introduces additional
challenges, such as increased network traffic over wide area network (WAN) connections, and ensuring
the availability of files during WAN or server failures.
This module introduces the Distributed File System (DFS) solution that you can use to meet these
challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an
enterprise.

Objectives
After completing this module, you will be able to:
- Describe the Distributed File System.
- Configure DFS Namespaces.
- Configure DFS Replication.

Lesson 1

Distributed File System Overview

DFS in Microsoft Windows Server 2008 incorporates technology to provide efficient access and high
availability to file resources.
This lesson introduces DFS Namespaces and DFS Replication, and discusses scenarios and requirements for
deploying a DFS solution within your network environment.

Objectives
After completing this lesson, you will be able to:
- Define DFS.
- Describe how DFS Namespaces and DFS Replication function.
- Describe common DFS scenarios.
- Describe the types of DFS Namespaces.
- Describe folders and folder targets.
- Install the DFS role service.
- Describe new DFS features for Windows Server 2008 R2.

What Is the Distributed File System?

Key Points
To access a typical file share, most users need to know which file server the share is located on and the name of the share. Many large organizations have hundreds of file servers, dispersed geographically, which makes it a challenge for users to find and access files efficiently.
Distributed File System is a Windows Server 2008 role service that is included with the File Server role. The DFS role service can be used to logically combine shared folders located on different servers into a virtual namespace. Users only need to know the name of the virtual namespace to access the shared folder structure.
Another benefit of DFS is the ability to replicate both the virtual namespace and the shared folders to multiple servers within the organization. This makes the shares fault tolerant and allows the shared folders to be located as close as possible to users, thereby providing efficient access to the data.
DFS includes two technologies that are implemented as role services. These technologies are:
- DFS Namespaces. DFS Namespaces (DFS-N) allows administrators to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. The subfolders typically point to shared folders that are located on various servers in multiple geographical sites throughout the organization.
- DFS Replication. DFS Replication (DFS-R) is a multi-master replication engine used to synchronize files between servers over both local and WAN network connections. DFS-R supports replication scheduling, bandwidth throttling, and Remote Differential Compression (RDC). When enabled and applied, RDC updates only the portions of files that have changed since the last replication. DFS-R can be used in conjunction with DFS Namespaces or as a stand-alone file replication mechanism.

How DFS Namespaces and DFS Replication Work

Key Points
Even though DFS Namespaces and DFS Replication are separate role services, they can be used together to provide high availability and data redundancy. The following process describes how DFS Namespaces and DFS Replication work together:
1. User accesses a folder in the DFS namespace. When a user attempts to access a folder in a DFS namespace, the client computer contacts the server hosting the namespace root. The host server can be a stand-alone server hosting a stand-alone namespace, or the host server can use a domain-based configuration that is stored in Microsoft Active Directory Domain Services (AD DS) and replicated to various locations to provide high availability. The namespace server sends back to the client computer a referral containing a list of servers that host the shared folders (called folder targets) associated with the folder being accessed.
2. Client computer accesses the first server in the referral. The client computer caches the referral information and then contacts the first server in the referral. This is typically a server in the client's own site, unless there is no server located within the client's site. In this case, the administrator can configure a target priority, which helps determine the next best server that the client contacts to access the file resource.

For example, in the diagram, the Marketing folder that is published within the namespace actually
contains two shared folders (folder targets). One share is located on a file server in New York, and the
other share is located on a file server in London. The shared folders are kept synchronized by DFS-R. Even
though multiple servers host the source folders, this fact is transparent to users, who only access a single
folder in the namespace. If one of the target folders becomes unavailable, users can be redirected to the
remaining targets within the namespace.

DFS Scenarios

Key Points
Several key scenarios can benefit from DFS Namespaces and DFS Replication. These scenarios include:
- Sharing files across branch offices
- Data collection
- Data distribution

Sharing Files Across Branch Offices


Large organizations that have many branch offices often have to share files or collaborate between these locations. DFS-R can help replicate files between branch offices or from a branch office to a hub site. Having files in multiple branch offices also benefits users who travel from one branch office to another: the changes that users make to their files in one branch office are replicated back to their home branch office.
Note: This scenario is recommended only if users can tolerate some file inconsistencies as changes are replicated throughout the branch servers. Also, note that DFS-R only replicates a file after it is closed. Therefore, DFS-R is not recommended for replicating database files or any files that are held open for long periods of time.

Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub site, thus allowing the
files to be used for a number of specific purposes. Critical data can be replicated to a hub site by using
DFS-R, and then backed up at the hub site by using standard backup procedures. This increases the
branch office data recoverability if a server fails, because files will be available in two separate locations
and backed up. Additionally, companies can reduce branch office costs by eliminating backup hardware
and onsite information technology (IT) personnel expertise. Replicated data can also be used to make branch office file shares fault tolerant. If the branch office server fails, clients in the branch office can access the replicated data at the hub site.

Data Distribution
You can use DFS-N and DFS-R to publish and replicate documents, software, and other line-of-business
data throughout your organization. DFS-N and folder targets can increase data availability and distribute
client load across various file servers.
Note: Do not use DFS Replication in an environment where multiple users update or modify the same
files simultaneously on different servers. Doing so can cause DFS Replication to move conflicting copies
of the files to the hidden DfsrPrivate\ConflictandDeleted folder. When multiple users need to modify
the same files at the same time on different servers, use the file check-out feature of a product such as
Windows SharePoint Services to ensure that only one user is working on a file.

Types of DFS Namespaces

Key Points
You can create either a domain-based or stand-alone namespace. Each type has different characteristics.

Domain-Based Namespace
A domain-based namespace can be used when:
- Namespace high availability is required, which is accomplished by replicating the namespace to multiple namespace servers.
- You need to hide the names of the namespace servers from users. This also makes it easier to replace a namespace server or migrate the namespace to a different server. Users then use the \\domainname\namespace format as opposed to the \\servername\namespace format.

If you choose to deploy a domain-based namespace, you will also need to choose whether to use Windows 2000 Server mode or Windows Server 2008 mode. Windows Server 2008 mode provides additional benefits, such as support for access-based enumeration, increased replication performance, and an increase in the number of folder targets from 5,000 to 50,000. Access-based enumeration enables you to hide folders that users do not have permission to view.
To use Windows Server 2008 mode, the following requirements must be met:
- The Active Directory forest must be at the Microsoft Windows Server 2003 or higher forest functional level.
- The Active Directory domain must be at the Microsoft Windows Server 2008 domain functional level.
- All namespace servers must be running Windows Server 2008.

Note: You can migrate a domain-based namespace from Windows 2000 Server mode to Windows
Server 2008 mode by using the DFSutil command-line tool. You can also enable or disable Access-based
Enumeration by using the Share and Storage Management MMC.
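The migration the note refers to is a Dfsutil export, remove, recreate and import of the namespace. The following PowerShell script is an added example that is not from the course; the Dfsutil verbs are the tool's own, while the namespace name, root share and export path are constructed placeholders, and it assumes dfsutil.exe reports failure through a non-zero exit code. Because step 2 deletes the namespace definition from AD DS, the script refuses to continue if the export file is empty and stops at the first failed command.

```powershell
# Added example: migrate a domain-based namespace from Windows 2000 Server mode
# to Windows Server 2008 mode with Dfsutil. The Dfsutil verbs are the tool's own;
# namespace, root share and export path are constructed placeholders.
$namespace  = '\\contoso.com\CorpDocs'      # the domain-based namespace to migrate
$rootShare  = '\\NYC-SVR1\CorpDocs'         # share on the namespace server that hosts the root
$exportFile = 'C:\DfsMigration\CorpDocs.txt'

function Invoke-Dfsutil {
    param([string[]]$Arguments)
    & dfsutil.exe @Arguments
    # Assumption: dfsutil signals failure through its exit code.
    if ($LASTEXITCODE -ne 0) {
        throw "dfsutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path (Split-Path -Parent $exportFile) -Force | Out-Null

# 1. Save the namespace definition (folders and folder targets) to a file.
Invoke-Dfsutil @('root', 'export', $namespace, $exportFile)
if (-not (Test-Path $exportFile) -or (Get-Item $exportFile).Length -eq 0) {
    throw 'Export produced no data; stopping before the namespace is touched.'
}

# 2. Remove the Windows 2000 Server mode namespace. Only the namespace metadata in
#    AD DS goes away; the shared folders and their contents are not modified.
Invoke-Dfsutil @('root', 'remove', $namespace)

# 3. Recreate the root in Windows Server 2008 mode ('v2') on the namespace server.
Invoke-Dfsutil @('root', 'adddom', $rootShare, 'v2')

# 4. Restore the saved folders and folder targets into the new namespace.
Invoke-Dfsutil @('root', 'import', 'set', $exportFile, $namespace)

# 5. Display the recreated root for a final check.
Invoke-Dfsutil @('root', $namespace)
```

The script handles a namespace with a single namespace server. If the namespace has more than one, each additional root target has to be added again after step 3, before step 4 imports the folders, and the export file should be kept until users have confirmed that the folders resolve as before.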

Stand-Alone Namespace
A stand-alone namespace must be used when:

Your organization has not implemented AD DS.

Your organization does not meet the requirements for a Windows Server 2008 mode, domain-based
namespace, and you have requirements for more than 5,000 DFS folders. Stand-alone DFS
namespaces support up to 50,000 folders with targets.


What Are Folders and Folder Targets?

Key Points
A DFS namespace is a virtual view of shared folders in an organization. As the administrator, you select
which shared folders to present in the namespace, design the hierarchy in which those folders appear, and
determine the names that the shared folders show in the namespace. When a user views the namespace,
the folder structure appears to reside on a single disk.

Folders
Folders are the primary namespace elements. They appear under the namespace root (\\server\rootname
or \\domain\rootname) and help build the namespace hierarchy. As with standard disk structures, folders
are organized into tree structures similar to the way you use folders on a hard disk to organize files. When
you create a folder by using the DFS Management console, you type a name for the folder and specify
whether to add any folder targets.

Folder Targets
A folder target is based upon a Universal Naming Convention (UNC) path to one of the following
locations:

A shared folder, for example, \\server\share

A folder within a shared folder, for example, \\server\share\folder

A path to another namespace, for example, \\domainname\rootname

To increase the folder's redundancy, you can specify multiple folder targets. If one of the folder targets is
not available, the client will attempt to access the next folder target in the referral. This increases the data
availability in the folder.
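As an added example not taken from the course, the following PowerShell script enumerates the folder targets that a namespace server hosts and tests whether each target's UNC path can be opened right now, so that a folder whose only target is down is noticed before users hit the referral fallback. It assumes the Win32_DfsTarget class of the DFS Namespaces WMI provider (property names LinkName, ServerName and ShareName) and must run under an account that can both query WMI on the namespace server and open the target shares.

```powershell
# Added example: enumerate the folder targets hosted by a namespace server and
# test whether each target's UNC path can be opened right now. Assumes the
# Win32_DfsTarget class of the DFS Namespaces WMI provider (LinkName, ServerName,
# ShareName, State). Server name defaults to the local computer.
function Get-DfsFolderTargetStatus {
    param([string]$NamespaceServer = $env:COMPUTERNAME)

    # One Win32_DfsTarget instance per (folder, target) pair.
    Get-WmiObject -Class Win32_DfsTarget -ComputerName $NamespaceServer |
        ForEach-Object {
            $unc = '\\' + $_.ServerName + '\' + $_.ShareName
            New-Object PSObject -Property @{
                Folder    = $_.LinkName        # e.g. \\contoso.com\CorpDocs\PolicyFiles
                Target    = $unc
                State     = $_.State           # raw provider value, left uninterpreted
                Reachable = (Test-Path -Path $unc)
            }
        }
}

# Folders with a single target have nothing for the client to fall back to.
function Get-DfsFoldersWithoutRedundancy {
    param([string]$NamespaceServer = $env:COMPUTERNAME)
    Get-DfsFolderTargetStatus -NamespaceServer $NamespaceServer |
        Group-Object -Property Folder |
        Where-Object { $_.Count -lt 2 } |
        ForEach-Object { $_.Name }
}

Get-DfsFolderTargetStatus | Sort-Object Folder | Format-Table Folder, Target, Reachable -AutoSize
Get-DfsFoldersWithoutRedundancy
```

A target that is listed but unreachable is exactly the case the referral fallback covers; a target that points at a server outside the set the namespace was designed around is worth a second look, since clients will follow whatever the referral lists.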


Demonstration: Installing the Distributed File System Role Service

Key Points
In this demonstration, you will see how to:

Install the DFS Role Service.

Demonstration Steps:
1. Open Server Manager.

2. If necessary, use the Add Roles Wizard to install the File Services server role. If the role is already
installed, use the Add Role Services Wizard to install the required role services.

3. Select the Distributed File System role services. Note that you can select the DFS Namespaces and
DFS Replication role services individually, if required.
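The role services the demonstration installs through Server Manager can also be installed from PowerShell on Windows Server 2008 R2. The following script is an added example (not the course's own steps); it assumes the ServerManager module and the role service names FS-DFS-Namespace and FS-DFS-Replication, and it checks what is already installed so that it can be run more than once without side effects.

```powershell
# Added example: install the DFS Namespaces and DFS Replication role services
# with the ServerManager module on Windows Server 2008 R2 and confirm the result.
Import-Module ServerManager

# Role service names as exposed by Get-WindowsFeature on Windows Server 2008 R2.
$required = @('FS-DFS-Namespace', 'FS-DFS-Replication')

function Install-DfsRoleServices {
    # Only ask for what is missing, so the script can be rerun safely.
    $missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
    if ($missing) {
        # Parent role services (File Services, Distributed File System) are pulled in automatically.
        $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
        if (-not $result.Success) { throw 'Role service installation failed.' }
        if ("$($result.RestartNeeded)" -ne 'No') { Write-Warning 'A restart is required to finish installation.' }
    }
    # Return the final state so a caller or a configuration check can assert on it.
    Get-WindowsFeature -Name $required | Select-Object Name, Installed
}

Install-DfsRoleServices | Format-Table Name, Installed -AutoSize
```

Installing only the role service a server actually needs (DFS Namespaces on a namespace server, DFS Replication on a replication member) keeps the service surface on each machine to what it has to run.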


DFS Enhancements in Windows Server 2008 R2

Key Points
Microsoft Windows Server 2008 R2 provides a number of enhancements and new features to both DFSN and DFS-R. The following sections discuss these new capabilities.

Note: The content in this section only applies to Windows Server 2008 R2.

Updates to DFS Namespaces

Performance improvements. The DFS Namespaces service takes less time to start, which increases
performance especially with large domain-based namespaces with 5,000 or more folder targets.
Windows Server 2008 R2 also includes three new performance counters that can be used to monitor
DFS Namespaces:

DFS Namespace Service API Queue. Displays the number of requests in the queue waiting to
be processed by the DFS Namespace service.

DFS Namespace Service API Requests. Provides a number of counters describing DFS requests, such
as average response time, requests processed, requests failed, and requests processed per second.

DFS Namespace Service Referrals. Provides a number of counters describing the referral requests
processed by the DFS Namespace service, including average response time, requests processed,
requests failed, and requests processed per second.

New DFS Management tool support. A number of enhancements to the DFS Management tool
include the following:

Access-based enumeration management improvements. When access-based enumeration is
enabled on a shared folder or DFS folder, users will only see folders and files for which they have
Read (or equivalent) permissions. Previously, access-based enumeration could only be enabled on
a shared folder by using Share and Storage Management, or by using the Dfsutil command for
DFS folders. Windows Server 2008 R2 provides an additional enhancement by allowing you to
enable and configure access-based enumeration for a namespace by using the DFS Management
tool.

Support for selectively enabling or disabling namespace root referrals. The DFS Management
tool provides the ability to enable or disable namespace servers. This allows you to control
whether a server is available for referrals.

Improvements to the Dfsdiag.exe command-line tool. Windows Server 2008 R2 includes
changes to the Dfsdiag.exe command-line tool's help text. When you type Dfsdiag /?, the help
and error message text has been rewritten to be clearer and more descriptive.

Updates to DFS Replication

Failover cluster support. The DFS Replication service in Windows Server 2008 R2 is now designed to
coordinate with a Windows Server 2008 R2-based failover cluster. You can add a failover cluster as a
member of a replication group.

Read-only replicated folders. Prior to Windows Server 2008 R2, the only way to configure a
read-only replicated folder was to manually set share permissions and access control lists on the
folders, which required additional administrative effort. Windows Server 2008 R2 provides the ability
to configure a replicated folder as a read-only or a read-write member. You can use either the DFS
Management tool or the Dfsradmin command-line tool to configure read-only replicated folders.

Note: Read-only domain controllers based upon Windows Server 2008 R2 use read-only replicated
folders to secure the SYSVOL folder.

Improvements to the Dfsrdiag.exe command-line tool. Windows Server 2008 R2 includes changes
to the Dfsrdiag.exe command-line tool. The following switches provide enhanced diagnostic
capabilities:

Replstate. Displays a summary of the replication status across all connections on the specified
replication group member.

IdRecord. Displays the DFS Replication ID record and version of a specified file or folder. You can
use this information to determine if a file has replicated properly to another member.

FileHash. Computes and displays a hash value for a particular file. This can be used to compare
two files to ensure that they are identical.
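The FileHash switch can be turned into a small integrity check across members. The following PowerShell script is an added example, not part of the course; it assumes dfsrdiag.exe is on the path of the machine running it, that the tool prints a line of the form "File Hash: <value>", and that each member's copy of the file can be opened by UNC path. Member names, share and file path are constructed placeholders.

```powershell
# Added example: compare the DFS Replication file hash of one file across members
# by calling dfsrdiag.exe FileHash. Assumes dfsrdiag.exe is on the path and prints a
# line of the form "File Hash: <value>"; members, share and file are placeholders.
function Get-DfsrFileHash {
    param([string]$Path)
    $output = & dfsrdiag.exe FileHash "/Path:$Path" 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'File Hash:\s*(\S+)') { return $Matches[1] }
    }
    throw "dfsrdiag did not return a hash for $Path`n$($output -join "`n")"
}

function Compare-DfsrFileHash {
    param(
        [string[]]$Members,       # replication group members holding the folder
        [string]$Share,           # share name of the replicated folder on each member
        [string]$RelativePath     # file path below the share
    )
    $hashes = @{}
    foreach ($member in $Members) {
        $hashes[$member] = Get-DfsrFileHash -Path "\\$member\$Share\$RelativePath"
    }
    # One distinct value across all members means every copy is identical.
    $distinct = @($hashes.Values | Sort-Object -Unique)
    New-Object PSObject -Property @{
        File      = $RelativePath
        Hashes    = $hashes
        Identical = ($distinct.Count -eq 1)
    }
}

$check = Compare-DfsrFileHash -Members @('NYC-DC1', 'NYC-SVR1') -Share 'PolicyFiles' -RelativePath 'Security\AcceptableUse.docx'
$check | Format-List File, Identical
$check.Hashes
```

Because dfsrdiag computes the hash the replication service itself uses, a mismatch here is what DFS-R would treat as a difference between the copies; pairing it with the IdRecord output on both members shows which side holds the newer version.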


Lesson 2

Configuring DFS Namespaces

Configuring a DFS Namespace consists of several tasks, including creating the namespace structure,
creating folders within the namespace, and adding folder targets. You may also choose to perform
additional management tasks, such as configuring the referral order, enabling client fail back, and
implementing DFS replication. This lesson provides information on how to complete these configuration
and management tasks to deploy an effective DFS solution.

Objectives
After completing this lesson, you will be able to:

Describe the process for deploying namespaces to publish content.

Describe the permissions required to create and manage a namespace.

Create and configure DFS namespaces and folder targets.


Deploying Namespaces for Publishing Content

Key Points
You use DFS namespaces to publish content for users. To configure a namespace for publishing content
to users, perform the following procedures:
1. Create a namespace. Use the New Namespace Wizard to create the namespace from within the DFS
Management console. To create a namespace, you must specify a namespace server, a namespace
name and a namespace type (either domain-based or stand-alone). You can also specify whether the
namespace is enabled for Windows Server 2008 mode.

2. Create a folder in the namespace. After the namespace is created, add a folder in the namespace
that will be used to contain the content that you want to publish. During the folder creation, you
have the option to add folder targets, or you can perform a separate task to add, edit, or remove
folder targets later.

3. Add folder targets. After a folder is created within the namespace, the next task is to create folder
targets. The folder target is a shared folder's UNC path on a specific server. You can browse for shared
folders on remote servers and create shared folders as needed. You can also add multiple folder
targets to increase the folder's availability in the namespace. If you add multiple folder targets,
consider using DFS-R to ensure that the content is the same between the targets.

4. Set the ordering method for targets in referrals. A referral is an ordered list of targets that a client
computer receives from the namespace server when a user accesses a namespace root or folder.
When a client receives the referral, the client attempts to access the first target in the list. If the target
is not available, the next target is attempted. By default, targets in the client's site are always listed
first in the referral. You can configure the method for ordering targets outside the client's site on the
Referrals tab of the Namespace Properties dialog box. You can choose lowest cost, random order,
or exclude targets outside the client's site.


Note: Folders inherit referral settings from the namespace root. You can override the namespace
settings on the Referrals tab of the Folder Properties dialog box by excluding targets outside the
client's site.

Optional Management Tasks
There are a number of optional tasks that you may want to consider, such as:

Set target priority to override referral ordering. You may have a specific folder target that you
want everyone to use from all site locations, or you may have a specific folder target that should be
used last among all targets. You can configure these scenarios by overriding the referral ordering on
the Advanced tab of the Folder Target Properties dialog box.

Enable client failback. If a client cannot access a referred target, the next target is selected. Client
failback will ensure that clients fail back to the original target after it is restored. You can configure
client failback on the Referrals tab of the Namespace Properties dialog box by selecting the check
box next to Clients fail back to preferred targets. All folders and folder targets inherit this option.
However, you can also override a specific folder to enable or disable client failback features if
required.

Replicate folder targets using DFS-R. You can use DFS-R to keep the contents of folder targets in
sync. The next lesson discusses DFS-R in detail.

Additional Reading: Checklist: Deploy DFS Namespaces
http://technet.microsoft.com/en-us/library/cc725830.aspx


Permissions Required to Create and Manage a Namespace

Key Points
To perform DFS namespace management tasks, a user either has to be a member of an administrative
group or has to be delegated specific permission to perform the task. You can right-click the namespace
and then click Delegate Management Permissions to delegate the required permissions.
The following table describes the groups that can perform DFS administration by default, and the method
for delegating the ability to perform DFS management tasks:

Task                              | Groups that can perform the task by default | Delegation method
----------------------------------+---------------------------------------------+-------------------------------------------------
Create a domain-based namespace.  | Domain admins                               | Delegate Management Permissions.
                                  |                                             | Add user to local administrators group on the
                                  |                                             | namespace server.
Add a namespace server to a       | Domain admins                               | Delegate Management Permissions.
domain-based namespace.           |                                             | Add user to local administrators group on the
                                  |                                             | namespace server.
Manage a domain-based namespace.  | Local administrators on each namespace      | Delegate Management Permissions.
                                  | server                                      |
Create a stand-alone namespace.   | Local administrators on each namespace      | Add user to local administrators group on the
                                  | server                                      | namespace server.
Manage a stand-alone namespace.   | Local administrators on each namespace      | Delegate Management Permissions.
                                  | server                                      |
Create a replication group or     | Domain admins                               | Delegate Management Permissions.
enable DFS replication on a       |                                             |
folder.                           |                                             |


Demonstration: How to Create Namespaces

Key Points
In this demonstration, you will see how to:

Create a new namespace.

Create a new folder and folder target.

Demonstration Steps:
1. Open DFS Management.

2. Use the New Namespaces Wizard to create a new namespace. Configure options such as the
namespace type and Windows Server 2008 mode.

3. Use the New Folder dialog box to create a main folder, and then add Folder Targets as required.


Lesson 3

Configuring DFS Replication

To configure DFS-R effectively, it is important to understand the terminology and requirements associated
with the feature. This lesson provides information on the specific elements, requirements, and scalability
considerations as they relate to DFS-R, and provides a process for configuring an effective replication
topology.

Objectives
After completing this lesson, you will be able to:

Describe DFS replication.

Describe replication groups and replicated folders.

Describe DFS-R requirements.

Deploy a replication group.

Discuss tools used to troubleshoot DFS-R.

Generate diagnostic reports and perform propagation tests.


What Is DFS Replication?

Key Points
DFS-R provides a way to keep folders synchronized between servers across both well-connected and
limited bandwidth connections. It is important to take note of the following key points related to DFS-R:

DFS-R can use Remote Differential Compression (RDC). RDC is a client-server protocol that can be
used to efficiently update files over a limited bandwidth network. RDC detects data insertions,
removals, and re-arrangements in files, enabling DFS-R to replicate only the changed file blocks when
files are updated. RDC is only used for files that are 64 kilobytes (KB) or larger by default. DFS-R also
supports cross-file RDC, which allows DFS replication to use RDC, even when a file with the same
name does not exist at the client. Cross-file RDC can determine files that are similar to the file that
needs to be replicated, and it uses blocks of similar files that are identical to the replicating file to
minimize the amount of data that needs to be replicated. To use cross-file RDC, one member of the
replication connection must be running an edition of the Windows operating system that supports
cross-file RDC.

DFS-R uses a hidden staging folder to stage a file before sending or receiving it. Staging folders act as
caches for new and changed files to be replicated from sending members to receiving members. The
sending member begins staging a file when it receives a request from the receiving member. The
process involves reading the file from the replicated folder and building a compressed representation
of the file in the staging folder using the XPRESS compression format. XPRESS is similar to ZIP or RAR
compression. Any files that are placed in staging are compressed with XPRESS unless the file has an
extension that is included on a specific exclusion list. After being constructed, the staged file is sent to
the receiving member; if remote differential compression is used, only a fraction of the staging file
might be replicated. The receiving member downloads the data and builds the file in its staging
folder. After the file download is completed on the receiving member, DFS-R decompresses the file
and installs it into the replicated folder. Each replicated folder has its own staging folder, which by
default is located under the local path of the replicated folder in the DfsrPrivate\Staging folder.

DFS-R detects changes on the volume by monitoring the update sequence number (USN) journal,
and replicates changes only after the file is closed.


DFS-R uses a version vector exchange protocol to determine which files need to be synchronized. The
protocol sends less than 1 KB per file across the network to synchronize the metadata associated with
changed files on the sending and receiving members.

DFS-R uses a conflict resolution heuristic of last writer wins for files that are in conflict (that is, a file
that is updated at multiple servers simultaneously) and earliest creator wins for name conflicts. Files
and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted
folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for
retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and
Deleted folder, which is located under the local path of the replicated folder in the
DfsrPrivate\ConflictandDeleted folder.

DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or DFS
Replication database loss.

DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to
obtain configuration and monitoring information from the DFS Replication service.


What Are Replication Groups and Replicated Folders?

Key Points
A replication group consists of a set of member servers that participate in replicating one or more
replicated folders. There are two main types of replication groups:

Multipurpose replication group. Used to configure replication between two or more servers for
publication, content sharing, or other scenarios.

Replication group for data collection. Configures a two-way replication between two servers, such
as a branch office server and a hub server. This group type is used to collect data from the branch
office server to the hub server. You can then use standard backup software to back up the hub server
data.

A replicated folder is a folder that is synchronized between each member server.

Creating multiple replicated folders within a single replication group helps to simplify the following for
the entire group:

Replication Group type

Topology

Hub and spoke configuration

Replication schedule

Bandwidth throttling

The replicated folders stored on each member can be located on different volumes in the member.
Replicated folders do not need to be shared folders or part of a namespace, though the DFS Management
snap-in makes it easy to share replicated folders, and optionally, publish them in an existing namespace.


DFS-R Requirements

Key Points
To use DFS-R, you must be aware of specific replication requirements. These requirements include:

Ensure that the Active Directory schema has been updated to include the new DFS replication objects.
If you plan to use DFS Replication, the Active Directory schema must be updated to at least the
version equal to Microsoft Windows Server 2003 R2, so that it includes the Active Directory classes
and attributes that DFS Replication uses. To use read-only replicated folders, the schema must include
the Windows Server 2008 or newer schema additions. To upgrade the schema, on the schema
operations master, run adprep.exe /forestprep. This tool is available in the Windows\sources\adprep
folder of the Windows Server 2008 installation media.

All servers in a replication group must be in the same forest. You cannot enable replication across
servers in different forests.

The servers that will participate in DFS Replication must run a Windows Server 2003 R2, Windows
Server 2008, or Windows Server 2008 R2 operating system. You must install the DFS Replication
service role on each server that will take part in replication, and you must install the DFS Management
snap-in on one server to manage replication. DFS replication is supported on all x64 editions of
Windows Server 2008 R2 and on all x86 and x64 editions of Windows Server 2008. DFS is not
supported on Itanium-based computers.

To support failover clustering, the failover cluster server must be running Windows Server 2008 R2.

Antivirus software must be compatible with DFS Replication. Antivirus software can cause excessive
replication if its scanning activity alters the timestamp on files in a replicated folder. Contact your
antivirus software vendor to check for compatibility.


Demonstration: How to Deploy a Replication Group

Key Points
In this demonstration, you will see how to:

Create a new folder target for replication.

Create a new replication group.

Demonstration Steps:
1. Open DFS Management.

2. Use the New Folder Target dialog box to create an additional folder target to be used for
replication.

3. Use the New Replication Group Wizard to configure options such as the Replication Group Type,
Replication Group name, Replication group members, and Topology selection.


Tools Used to Troubleshoot DFS-R

Key Points
Windows Server 2008 provides a number of tools that can be used to monitor and troubleshoot DFS-R.
The tools include:

Diagnostic Reports. You can run a diagnostic report for the following:

Health Report. Shows extensive replication statistics and reports on replication health and
efficiency.

Propagation Test. Generates a test file in a replicated folder to be used to verify replication and
provide statistics for the propagation report.

Propagation Report. Provides information about the progress for a test file that is generated
during a propagation test. This report will ensure that replication is functional.

Verify Topology. Used to verify and report on the status of the replication group topology. This will
report any members that are disconnected.

Dfsrdiag.exe. This command-line utility can be used to monitor the replication state of the DFS
replication service.
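Both the WMI provider mentioned in the previous topic and the diagnostic reports listed here expose the same replication state. The following PowerShell script is an added example that is not from the course: it reads the DfsrReplicatedFolderConfig and DfsrReplicatedFolderInfo classes in the root\MicrosoftDFS namespace to report each replicated folder's state and its staging and Conflict and Deleted usage against quota, and it computes the outbound backlog from one member to another from their version vectors. Member, group and folder names are constructed placeholders; the class, property and method names are those of the DFS Replication provider and are assumed to be available on Windows Server 2008 R2 members.

```powershell
# Added example: read DFS Replication health from its WMI provider
# (root\MicrosoftDFS). Class, property and method names are those of the
# provider; member, group and folder names are constructed placeholders.
$dfsrNamespace = 'root\MicrosoftDFS'

# State values of DfsrReplicatedFolderInfo.
$stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

function Get-Percent([double]$Used, [double]$Quota) {
    if ($Quota -gt 0) { [int](100 * $Used / $Quota) } else { $null }
}

function Get-DfsrFolderHealth {
    param([string]$Member)
    $configs = Get-WmiObject -Namespace $dfsrNamespace -Class DfsrReplicatedFolderConfig -ComputerName $Member
    Get-WmiObject -Namespace $dfsrNamespace -Class DfsrReplicatedFolderInfo -ComputerName $Member |
        ForEach-Object {
            $info = $_
            # Quotas live in the config class; current usage lives in the info class.
            $cfg  = $configs | Where-Object { $_.ReplicatedFolderGuid -eq $info.ReplicatedFolderGuid }
            New-Object PSObject -Property @{
                Member          = $Member
                Group           = $info.ReplicationGroupName
                Folder          = $info.ReplicatedFolderName
                State           = $stateNames[[int]$info.State]
                ReadOnly        = $cfg.ReadOnly     # Windows Server 2008 R2 read-only member flag
                StagingUsedPct  = Get-Percent $info.CurrentStageSizeInMb $cfg.StagingSizeInMb
                ConflictUsedPct = Get-Percent $info.CurrentConflictSizeInMb $cfg.ConflictSizeInMb
            }
        }
}

function Get-DfsrBacklog {
    param([string]$Sending, [string]$Receiving, [string]$Group, [string]$Folder)
    $filter = "ReplicationGroupName='$Group' AND ReplicatedFolderName='$Folder'"
    $recv = Get-WmiObject -Namespace $dfsrNamespace -Class DfsrReplicatedFolderInfo -ComputerName $Receiving -Filter $filter
    $send = Get-WmiObject -Namespace $dfsrNamespace -Class DfsrReplicatedFolderInfo -ComputerName $Sending   -Filter $filter
    if (-not $recv -or -not $send) { throw "Replicated folder '$Folder' in group '$Group' not found on both members." }
    # The receiver's version vector describes what it already holds; the sender
    # counts the updates it has that the receiver has not yet acknowledged.
    $versionVector = $recv.GetVersionVector().VersionVector
    $send.GetOutboundBacklogFileCount($versionVector).BacklogFileCount
}

Get-DfsrFolderHealth -Member 'NYC-SVR1' |
    Format-Table Folder, State, ReadOnly, StagingUsedPct, ConflictUsedPct -AutoSize
Get-DfsrBacklog -Sending 'NYC-DC1' -Receiving 'NYC-SVR1' -Group 'CorpDocs' -Folder 'PolicyFiles'
```

Staging that fills to its quota stalls replication of large files, and a Conflict and Deleted folder near quota starts discarding the losing versions that the last-writer-wins rule keeps for recovery, so both percentages are worth alerting on. The backlog count turns the health report's summary into a number a monitoring job can poll, and the ReadOnly column confirms that a member meant to be read-only actually is.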


Demonstration: How to Generate Diagnostic Reports and Propagation Tests

Key Points
In this demonstration, you will see how to:

Generate a Health Report.

Generate a Propagation Test and Report.

Demonstration Steps:
1. Open DFS Management.

2. Under the Replication node, right-click the replication group, and then click Create Diagnostic
Report.

3. Select either Health Report, Propagation test, or Propagation report.

4. Complete the Diagnostic Report Wizard.


Lab: Installing and Configuring the Distributed File System Role Service

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

   User name: Administrator

   Password: Pa$$w0rd

   Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are a network administrator for Contoso, Ltd. Your organization currently stores files on a number of
servers located throughout the infrastructure. To simplify file access for users and provide high availability
and redundancy of the file services, you decide to implement a DFS solution. For this project, you must
complete the following tasks:

Install the DFS role service to include DFS namespaces and DFS replication.

Create a domain-based DFS namespace called CorpDocs, with NYC-SVR1 as the namespace server.

Enable Access-Based Enumeration for the CorpDocs namespace.


Add the following folders to the CorpDocs namespace:

MarketingTemplates folder target located on NYC-DC1

PolicyFiles folder target located on NYC-SVR1

Configure availability and redundancy by adding additional folder targets and replicating the folder
targets for the PolicyFiles folder.

Configure the replicated folder target for PolicyFiles to be read-only.

Provide reports on the health of the CorpDocs folder replication.


Exercise 1: Installing the Distributed File System Role Service


Scenario
In this exercise, you will install the DFS role service on NYC-DC1 and NYC-SVR1.
The main tasks for this exercise are as follows:
1. Install the DFS role service on NYC-SVR1.
2. Install the DFS role service on NYC-DC1.

Task 1: Install the Distributed File System Role Service on NYC-SVR1.
1. On NYC-SVR1, open Server Manager.
2. Use the Add Role Services wizard to install the Distributed File System role services and configure
   the following:
   Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
   Create a DFS Namespace: Create a namespace later.

Task 2: Install the Distributed File System Role Service on NYC-DC1.
1. On NYC-DC1, open Server Manager.
2. In the details pane, under the File Services section, use the Add Role Services wizard to install the
   Distributed File System role services and configure the following:
   Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
   Create a DFS Namespace: Create a namespace later.

Results: After completing this exercise, you have installed the DFS role service on NYC-SVR1 and NYC-DC1.


Exercise 2: Creating a DFS Namespace


Scenario
You decide to create the CorpDocs namespace on NYC-SVR1. As per the requirements, the namespace
will be domain-based and will have access-based enumeration enabled.
The main tasks for this exercise are as follows:
1. Use the New Namespace Wizard to create the CorpDocs namespace.
2. Enable access-based enumeration for the CorpDocs namespace.

Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.
1. On NYC-SVR1, open the DFS Management console.
2. Start the New Namespace Wizard and configure the following:
   Namespace Server: NYC-SVR1
   Namespace Name and Settings: CorpDocs
   Namespace Type: Domain-based namespace
   Enable Windows Server 2008 mode: Enabled
3. Use the DFS Management console to verify that the \\NYC-SVR1\CorpDocs namespace is enabled.

Task 2: Enable access-based enumeration for the CorpDocs namespace.
1. From the \\Contoso.com\CorpDocs Properties dialog box, enable access-based enumeration.

Results: After completing this exercise, you have created the CorpDocs namespace and configured it to
use access-based enumeration.


Exercise 3: Configuring Folder Targets


Scenario
Two folders need to be added to the CorpDocs namespace. One folder is located on NYC-DC1 and is
called MarketingTemplates. The other folder is located on NYC-SVR1 and is called PolicyFiles.
The main tasks for this exercise are as follows:
1. Add the MarketingTemplates folder to the CorpDocs Namespace.
2. Add the PolicyFiles folder to the CorpDocs Namespace.
3. Verify the CorpDocs Namespace.

Task 1: Add the MarketingTemplates folder to the CorpDocs namespace.
1. Switch to the NYC-SVR1 virtual machine.
2. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
   configuration:
   Name: MarketingTemplates
   Folder Target: \\NYC-DC1\MarketingTemplates

Task 2: Add the PolicyFiles folder to the CorpDocs namespace.
1. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
   configuration:
   Name: PolicyFiles
   Folder Target: \\NYC-SVR1\PolicyFiles

Task 3: Verify the CorpDocs namespace.
1. On NYC-SVR1, access the \\Contoso.com\CorpDocs namespace and verify that both
   MarketingTemplates and PolicyFiles are visible.

Results: After completing this exercise, you have configured Folder Targets for the CorpDocs
namespace.


Exercise 4: Configuring DFS Folder Replication


Scenario
Your requirements state that the PolicyFiles folder must be highly available and redundant. You
decide to add a second folder target for the PolicyFiles folder on NYC-DC1 and configure replication to
keep the two folders synchronized.
The main tasks for this exercise are as follows:
1. Create another Folder Target for PolicyFiles.
2. Configure DFS Replication.
3. View Diagnostic Reports.

Task 1: Create another Folder Target for PolicyFiles.
1. Switch to the NYC-SVR1 virtual machine.
2. In DFS Management, under Contoso.com\CorpDocs\PolicyFiles, create a new folder target with the
   following configuration:
   Folder Target: \\NYC-DC1\PolicyFiles
   Local path of shared folder: C:\PolicyFiles
   Shared folder permissions: Administrators have full access; other users have read and write
   permissions
   Click Yes to start the Replicate Folder Wizard.

Task 2: Configure DFS Replication.
1. In DFS Management, complete the Replicate Folder Wizard with the following configuration:
   Replication Group and Replicated Folder Name: Default settings
   Replication Eligibility: Verify that both servers are eligible
   Primary Member: NYC-SVR1
   Topology Selection: Full mesh
   Replication Group Schedule and Bandwidth: Replicate continuously using the specified
   bandwidth
2. Verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.
3. From the DFS Management console, configure the NYC-DC1 member to be read-only.

Task 3: View Diagnostic Reports.
1. On NYC-SVR1, in the DFS Management console, under Replication, use the Diagnostic Report
   Wizard to create a Health report. Use NYC-SVR1 as the reference member.
2. Review the DFS Replication Health Report for errors.

Results: After completing this exercise, you will have configured DFS Folder Replication and produced a
diagnostic report.
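The following PowerShell script is an added example, not part of the course or of the lab answer key. It performs Exercises 2 and 3 with dfsutil.exe instead of the DFS Management console, adds the second PolicyFiles target from Exercise 4, and then runs the checks that the Exercise 4 diagnostic report and the earlier demonstration (health report, propagation test and propagation report) perform through the wizard, this time with the DFS and DFSR WMI classes and dfsrdiag.exe. Server, domain, namespace and folder names are the lab's; the replication group name is assumed to be the one the Replicate Folder Wizard proposes, and the switch spellings are assumed to match the Windows Server 2008 R2 help text of dfsutil and dfsrdiag (confirm them with dfsutil /? and dfsrdiag /? before running).

```powershell
# Added example (not from the course): Exercises 2 and 3 of the lab with dfsutil.exe instead of
# the console, then checks on the replication configured by the wizard in Exercise 4.
# Names (NYC-SVR1, NYC-DC1, contoso.com, CorpDocs, MarketingTemplates, PolicyFiles) are the lab's.
# Assumption: switch spellings follow the Windows Server 2008 R2 help text of dfsutil/dfsrdiag.
# Run from an elevated PowerShell session on NYC-SVR1 as a domain administrator.

$ErrorActionPreference = 'Stop'

$RootServer = 'NYC-SVR1'
$Namespace  = '\\contoso.com\CorpDocs'
$RgName     = 'contoso.com\corpdocs\policyfiles'   # assumed: the name the Replicate Folder Wizard proposes
$RfName     = 'PolicyFiles'

function Invoke-Native {
    # Runs a native tool and stops the script on a non-zero exit code; the DFS tools report
    # failure through the exit code, not through a PowerShell exception.
    param([string]$Command, [string[]]$Arguments)
    & $Command @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Command $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# --- Exercise 2: domain-based namespace in Windows Server 2008 mode, ABE enabled ---
# 'v2' selects Windows Server 2008 mode (assumption); the CorpDocs share must already exist.
Invoke-Native dfsutil @('root', 'adddom', "\\$RootServer\CorpDocs", 'v2')
# Access-based enumeration hides folders the user cannot read. It is a usability control, not an
# authorization control: the NTFS and share ACLs on each folder target still decide access.
Invoke-Native dfsutil @('property', 'abe', 'enable', $Namespace)

# --- Exercise 3: folders and their first targets ---
Invoke-Native dfsutil @('link', 'add', "$Namespace\MarketingTemplates", '\\NYC-DC1\MarketingTemplates')
Invoke-Native dfsutil @('link', 'add', "$Namespace\PolicyFiles",        '\\NYC-SVR1\PolicyFiles')

# --- Exercise 4: second target for PolicyFiles (replication itself comes from the wizard) ---
Invoke-Native dfsutil @('target', 'add', "$Namespace\PolicyFiles", '\\NYC-DC1\PolicyFiles')

# What the namespace now refers clients to (DFS-N WMI view on the namespace server).
Get-WmiObject -Class Win32_DfsTarget |
    Where-Object { $_.LinkName -like "$Namespace\*" } |
    Select-Object LinkName, ServerName, ShareName, State | Format-Table -AutoSize

# Replication state of the PolicyFiles membership on each member (DFSR WMI provider).
# State: 0 Uninitialized, 1 Initialized, 2 Initial Sync, 3 Auto Recovery, 4 Normal, 5 In Error.
foreach ($member in 'NYC-SVR1', 'NYC-DC1') {
    Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo -ComputerName $member |
        Where-Object { $_.ReplicatedFolderName -eq $RfName } |
        Select-Object @{ n = 'Member'; e = { $member } }, ReplicationGroupName, State |
        Format-Table -AutoSize
}

# The read-only flag set in Task 2 step 3: a read-only member never sends changes, so a file
# altered on the replica cannot propagate back to the primary. Worth re-checking on a schedule.
Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderConfig -ComputerName 'NYC-DC1' |
    Where-Object { $_.ReplicatedFolderName -eq $RfName } |
    Select-Object ReplicatedFolderName, ReadOnly

# The checks the Diagnostic Report Wizard makes: backlog between members, then a propagation
# test file that should show up on every member, and the report of where it arrived.
Invoke-Native dfsrdiag @('Backlog', "/RGName:$RgName", "/RFName:$RfName",
                         '/SendingMember:NYC-SVR1', '/ReceivingMember:NYC-DC1')
Invoke-Native dfsrdiag @('PropagationTest', "/RGName:$RgName", "/RFName:$RfName", '/TestFile:ProbeFile')
Start-Sleep -Seconds 60   # give continuous replication a moment before asking where the file landed
Invoke-Native dfsrdiag @('PropagationReport', "/RGName:$RgName", "/RFName:$RfName",
                         '/TestFile:ProbeFile', "/ReportFile:$env:TEMP\PolicyFiles-propagation.xml")
```

Run it on NYC-SVR1 only after the Replicate Folder Wizard has completed, because the WMI and dfsrdiag checks at the end need the replication group to exist. Of the checks, the read-only flag is the one to keep in a scheduled job: a replica that loses that flag can push local modifications of PolicyFiles back to the primary, which is exactly what the read-only member is meant to prevent.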


To prepare for the next module
When you complete the lab exercises, revert the virtual machines to their initial state. To do this, complete
the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.


Module Review and Takeaways

Review Questions
1. How can you use DFS in your File Services deployment?
2. What kind of compression technology is used by Windows Server 2008 DFS?
3. What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace?
4. What is the default ordering method for client referral to folder targets?
5. What does the Primary Member configuration do when setting up replication?
6. Which folder is used to cache files and folders where conflicting changes are made on two or more
   members?

Windows Server 2008 R2 Features Introduced in this Module

Feature: Read-only replicated folders
Description: Ability to configure read-only replicated folders from the DFS Management console

Feature: Failover cluster support
Description: Failover cluster support for DFS

Tools

Tool: Dfsutil
Used for: Performing advanced operations on DFS namespaces
Where to find it: On a namespace server, type Dfsutil at the command prompt.

Tool: Dfsdiag
Used for: Configure and monitor DFS
Where to find it: On a namespace server, type Dfsdiag at the command prompt.

Tool: Dfsrdiag
Used for: Monitoring replication
Where to find it: On a namespace server, type Dfsrdiag at the command prompt.

Tool: Dfscmd.exe
Used for: Scripting basic DFS tasks such as configuring DFS roots and targets
Where to find it: On a namespace server, type Dfscmd at the command prompt.

Tool: DFS Management
Used for: Performing tasks related to DFS namespaces and replication
Where to find it: Click Start, point to Administrative Tools, and then click DFS Management.

Module 5
Managing File Resources Using File Server Resource Manager

Contents:
Lesson 1: Overview of File Server Resource Manager                          5-3
Lesson 2: Configuring Quota Management                                      5-11
Lab A: Installing FSRM and Implementing Quota Management                    5-19
Lesson 3: Implementing File Screening                                       5-22
Lesson 4: Managing Storage Reports                                          5-28
Lab B: Configuring File Screening and Storage Reports                       5-33
Lesson 5: Implementing Classification Management and File Management Tasks  5-36
Lab C: Configuring Classification and File Management Tasks                 5-49


Module Overview

The files on your servers are constantly changing with content being added, removed, and modified. The
Microsoft Windows Server 2008 File Service role is designed to help administrators in an enterprise
environment manage the continually growing amount of data. The file storage requirements and
demands within an enterprise are constantly changing and adapting to new requirements or policies.
When storage requirements change and the data being stored changes as well, you need to manage an
increasingly large and complex storage infrastructure. Therefore, to meet the needs of your organization,
you need to understand and control how the existing storage is used.
This module introduces you to File Server Resource Manager (FSRM), a built-in component of Windows
Server 2008 that helps you address and manage these issues.

Objectives
After completing this module, you will be able to:

Describe FSRM.

Configure Quota Management.

Implement File Screening.

Manage storage reports.

Implement Classification Management and file management tasks.


Lesson 1: Overview of File Server Resource Manager

FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data
stored on your servers. Using FSRM, you can place quotas on storage volumes, screen files and folders,
generate comprehensive storage reports, control the file classification infrastructure, and use file
management tasks to perform scheduled actions on sets of files. These tools not only help you monitor
existing storage resources, but also aid in planning and implementing future policy changes.

Objectives
After completing this lesson, you will be able to:

Describe common capacity management challenges.

Describe the features available within FSRM.

Describe FSRM configuration options.

Install and configure the FSRM role service.


Capacity Management Challenges

Key Points
Capacity management is a proactive process of determining the current and future capacity needs for
your enterprise's storage environment. As the size and complexity of the data increase, the need for
capacity management also increases. To effectively meet the storage needs of your organization, you
need to track how much storage capacity is available, how much storage space you need for future
expansion, and how you are using the environment's storage.

Key Capacity Management Challenges


Capacity management brings with it the following key challenges:

Determining existing storage use. To manage your storage environment and ensure that you can
perform the simplest capacity management task, you need to understand your environment's current
storage requirements. Knowing how much data is being stored on your servers, what types of data are
being stored, and how that data is currently being used is the benchmark for measuring the various
aspects of capacity management in your environment.

Establishing and enforcing storage use policies. Capacity management includes ensuring that your
storage environment is being used to its full potential. Managing growth is important to ensure that
your storage environment is not overwhelmed by unplanned or unauthorized data storage on your
servers. Modern media data such as audio, video, and graphic files consume a large amount of
storage space and, if left unchecked, the unauthorized storage of these types of files can consume the
storage space required for legitimate business use.

Anticipating future requirements. Storage requirements are constantly changing. New projects and
new organizational initiatives require increased storage. New applications and imported data require
additional storage. If you are not able to anticipate or prepare for events like these, your storage
environment may not be able to meet the storage requirements.


Addressing Capacity Management Challenges


To address these key challenges, you need to implement basic capacity management measures to
proactively manage the storage environment and prevent challenges from becoming problems.

Analyze how storage is being used. The first step in capacity management is analyzing the current
storage environment. Accurate analysis begins with proper tools that provide usable and organized
information regarding the current state of your storage environment.

Define storage resource management policies. A robust set of policies is necessary to maintain
the current storage environment and ensure that storage growth happens in a manageable and
predictable way. Preventing unauthorized files from being saved to your servers, ensuring that data is
stored in the right location, and ensuring that users have the required storage are a few of the key
areas your capacity management policies may address.

Implement policies to manage storage growth. After implementing capacity management policies,
you need to have an effective tool to ensure that the policies established are technically enforced.
Quotas placed on a user's data storage must be maintained, restricted files must be prevented from
being saved, and business files must be stored in the proper locations.

Implement a system for reporting and monitoring. A reporting and notification system must also
be established to inform you how policies are enforced, as well as the general state of your capacity
management system and data storage situation.


What Is File Server Resource Manager?

Key Points
FSRM is a role service of the File Services role in Windows Server 2008. You can install it as part of the File
Services role by using Server Manager. Then, you can use the FSRM console to manage FSRM on your
server.
FSRM is intended to act as a capacity management solution for your Windows Server 2008 server. It
provides a robust set of tools and capabilities that allow you to effectively manage and monitor your
server's storage capacity.
FSRM contains five components that work together to provide a capacity management solution.

Quota Management
Quota management allows you to create, manage, and obtain information about quotas that are used to
set a storage limit on a volume or folder (and its contents). By defining notification thresholds, you can
send email notifications, log an event, run a command or script, or generate reports when users approach
or exceed a quota.
Quota management also allows you to create and manage quota templates to simplify the quota
management process.

File Screening Management


File screening management allows you to create, manage, and obtain information about file screens. This
information can be used to prevent specific file types from being stored on a volume or folder or notify
you when those files are being stored. When users attempt to save unauthorized files, file screening can
block the process and notify the administrators to allow for proactive management.
Like quota management, file screening management allows you to create and manage file screen
templates to simplify file screening management. You can also create file groups that allow you to
manage which file types may be blocked or allowed.


Storage Reports Management


Storage reports management allows you to schedule and configure storage reports. These reports provide
information regarding the components and aspects of FSRM including:

Quota usage

File screening activity

Files that may negatively affect capacity management, such as large files, duplicate files, or unused
files

List and filter files according to owner, file group, or a specific file property.
Note: Storage reports can be run based on a schedule or generated on demand.

Classification Management (Windows Server 2008 R2 Only)


Classification Management allows you to create and manage classification properties that you can assign
to files. You can assign property values to files by using classification rules, which can be applied on
demand or based on a schedule. Classification allows you to categorize and manage files by using a wide
array of properties to identify and group your files.

File Management Tasks (Windows Server 2008 R2 Only)


With file management tasks, you can schedule and configure specific tasks, which can automate the
application or expiration of custom commands, allowing for automated file management procedures.
File management tasks leverage the capabilities of Classification Management to allow you to delete old
files or move files to a specific location based on a file property (file name or file type).
Note: Volumes that FSRM manages must be formatted by using the New Technology File System
(NTFS). FSRM is included with Windows Server 2003 SP1 and later.
Question: Do you currently implement any capacity management functionality in your server
environment? If so, which of the FSRM features does it provide?


FSRM Configuration Options

Key Points
FSRM has several configuration options that apply globally to all FSRM components.
You can access these options by using the following steps:
1. Open the File Server Resource Manager console.
2. Right-click the root File Server Resource Manager node in the left pane, and then click Configure
   Options.

FSRM Options
In the File Server Resource Manager Options properties sheet, several tabs allow you to configure various
aspects of FSRM.

Email Notifications
This tab allows you to provide the name or address of an SMTP server, along with other details that
FSRM will use to send email notifications.

Notification Limits
Notification limits allow you to specify a time period that FSRM will wait between sending notifications to
avoid excessive notifications from a repeatedly exceeded quota or unauthorized file detection. It allows
you to set separate values for email notifications, entries recorded to the event log, and commands being
run or reports being generated. The default value for each is 60 minutes.

Storage Reports
The Storage Reports tab allows you to configure and view the default parameters for any existing storage
reports.


Report Locations
This tab allows you to view and modify the location in which the following three different types of storage
reports are stored: incident reports, scheduled reports, and on-demand reports. By default, each category
is stored in its own subfolder under %systemdrive%\Storage Reports.
Note: If FSRM generates a large number of storage reports, you may want to relocate the storage
report folders to another physical volume to decrease disk I/O load on your system volume. You may
also want to change the location if the size of your storage reports causes a capacity issue on your
system volume.

File Screen Audit


On the File Screen Audit tab, a single check box allows you to enable or disable the recording of file screening
activity to the auditing database. You can view the resulting file screening activity when you run the File
Screening Audit report from Storage Reports Management.

Automatic Classification
This tab allows you to provide a schedule that governs the automatic classification of files. Within the tab,
you can specify which logs to generate and if and how to generate a report of the classification process.

Managing FSRM Remotely


You can connect remotely to another server running FSRM by using the FSRM console. From here, you
manage FSRM in the same way that you manage resources on your local computer.
To remotely manage FSRM:

Both servers must be running Windows Server 2008 R2 with FSRM installed.

The Remote File Server Resource Manager Management exception must be enabled from within
Windows Firewall manually through the Control Panel applet or by using Group Policy.

You must be logged on to the local computer with an account that is a member of the local
Administrators group on the remote computer.

FSRM Command-Line Tools


If you prefer to work from the command line, you can use the following tools:

Dirquota.exe: Create and manage quotas, auto-apply quotas, and quota templates.

Filescrn.exe: Create and manage file screens, file screen exceptions, file screen templates, and file
groups.

Storrept.exe: Configure report parameters and generate storage reports on demand. You can also
create report tasks and then use Schtasks.exe to schedule the tasks.
Note: The command-line tools are added to the system path when you install File Server Resource
Manager, and they must be run from an Administrator Command Prompt window.
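An added example, not from the course, of the remote-management prerequisite and two of the command-line tools described above, in PowerShell. The server name, share path and management subnet are constructed for the example; the firewall rule group name is the one the text names, and the filescrn and storrept switches are assumed to match the Windows Server 2008 R2 help text of those tools (verify with filescrn /? and storrept /? before use).

```powershell
# Added example (not from the course): enabling remote FSRM management on a file server with the
# exposure kept narrow, then using filescrn.exe and storrept.exe on that server.
# NYC-SVR1, D:\Shares\Projects and 10.0.5.0/24 are constructed values; the tool switches are
# assumed to match the Windows Server 2008 R2 help text. Run from an elevated PowerShell session.

$SharePath  = 'D:\Shares\Projects'
$MgmtSubnet = '10.0.5.0/24'   # the subnet the FSRM admin consoles live on (assumption)

# 1. Remote management prerequisite. The rule group is disabled by default; enabling it opens the
#    FSRM RPC interface, so restrict the remote address to the management subnet instead of
#    leaving the exception reachable from every host on the network. Both steps can also be
#    delivered through Group Policy, which is preferable when more than one file server is involved.
netsh advfirewall firewall set rule group="Remote File Server Resource Manager Management" new enable=yes
netsh advfirewall firewall set rule group="Remote File Server Resource Manager Management" new remoteip=$MgmtSubnet

# 2. File screening from the command line: an active screen on the share that blocks the built-in
#    "Audio and Video Files" file group, and an exception for the one subfolder that may hold
#    training recordings. A passive screen (/Type:Passive) would only log and notify, which is the
#    usual first step before switching to Active so that legitimate users are not surprised.
filescrn screen add /Path:$SharePath /Type:Active /Add-Filegroup:"Audio and Video Files"
filescrn exception add /Path:"$SharePath\Training" /Add-Filegroup:"Audio and Video Files"
filescrn screen list

# 3. An on-demand storage report. Report types include LargeFiles, FilesByOwner, FilesByType,
#    DuplicateFiles, QuotaUsage and FileScreenAudit; the screen audit report is what shows who
#    tried to save what, provided File Screen Audit is enabled in the FSRM options.
storrept reports generate /Report:LargeFiles /Scope:$SharePath /Format:HTML
storrept reports generate /Report:FileScreenAudit /Scope:$SharePath /Format:HTML
```

Dirquota.exe and Filescrn.exe also accept a /Remote:<server> switch, which is what the firewall exception in step 1 is for; run the tools locally on the file server when you do not need that path open at all.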


Demonstration: Installing and Configuring FSRM

Key Points
In this demonstration, you will see how to:

Use Server Manager to install the FSRM role service.

View FSRM configuration options.

Demonstration Steps:
1. Open Server Manager.
2. Add the File Server Resource Manager role service.
3. Open File Server Resource Manager.
4. View the FSRM configuration options.
5. View the FSRM Quota Management, File Screening Management, Storage Report Management,
   Classification Management, and File Management Tasks components.


Lesson 2: Configuring Quota Management

Data is the core component of your server infrastructure. Under most circumstances, the server
infrastructure provides the data contained in the files on the server to your users or applications.
The requirement for data storage continues to grow. Whether files are added to your servers by users or
applications, quota management can help you to ensure that users and applications use only the
amount of space allotted to them.

Objectives
After completing this lesson, you will be able to:

Describe quota management by using FSRM.

Compare FSRM quotas with NTFS Disk quotas.

Define quota templates.

Create and configure a quota.

Describe methods used to monitor quota usage.


What Is Quota Management?

Key Points
In FSRM, quota management allows you to limit the disk space that is allocated to a volume or folder. The
quota limit applies to the entire folder subtree.
Using quotas, you can manage capacity restrictions in a variety of ways. For example, you can use a quota
to ensure that individual users do not consume excessive amounts of storage with their home drives, or
limit the amount of space consumed by multimedia files in a particular folder.

Quota Types
Two different types of quotas can be created within quota management.

A hard quota prevents users from saving files after the space limit is reached, and it generates
notifications when the volume of data reaches each configured threshold.

A soft quota does not enforce the quota limit, but it generates all the configured notifications.

Quota Notifications
To determine what happens as the quota limit is approached, you configure notification thresholds. For
each threshold you define, you can send email notifications, log an event, run a command or script, or
generate storage reports. For example, you might notify the administrator and the user who saved the file
when a folder reaches 85 percent of its quota limit, and then send another notification when the quota
limit is reached. In some cases, you might run a script that raises the quota limit automatically when a
threshold is reached.
A command or script configured on a threshold runs on the server under the account you select for it
(Local Service, Network Service, or Local System), not as the user who saved the file. Treat such scripts
as privileged code: store them where users cannot modify them, and consider whether an automatic
extension defeats the purpose of the quota before you configure one.

Creating Quotas
When you create a quota on a volume or a folder, you can base the quota on a quota template or use
custom properties. Whenever possible, base a quota on a quota template. You can reuse a quota template
to create additional quotas, and it simplifies ongoing quota maintenance.

FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota
template to a parent volume or folder. A quota based on the template is then created for each existing
subfolder, and a quota is automatically generated for each new subfolder that is created.

Question: In which scenario would you want to use a soft quota?

FSRM Quotas vs. NTFS Disk Quotas

Key Points
In earlier versions of Windows, the only option for managing storage consumption was the native NTFS
quota system.
NTFS quotas allow an administrator to declare a general storage limit on a per-user basis for an NTFS-
formatted volume. This method governs a user's storage consumption across the whole volume, regardless of
which folder the files are in. NTFS quotas do not account for NTFS compression: even though a compressed
file takes up less physical space than it would uncompressed, the quota is charged based on the file's
uncompressed (logical) size.
NTFS disk quotas are charged by file ownership, so operating system accounts are not immune to them.
System accounts such as Local System can also run out of disk space because a disk quota has been set.
FSRM quota management introduces some key advantages over NTFS quotas. The following table outlines the
key differences between FSRM-based quota management and NTFS disk quotas.
Quota feature             NTFS quotas                        FSRM quotas
Quota tracking            Per user on a volume               By folder or by volume
Disk usage calculation    Logical file size reported by      Actual physical disk space
                          NTFS
Notification mechanisms   Event logs only                    Email, custom reports, running commands
                                                             or scripts, event logs

What Are Quota Templates?

Key Points
FSRM gives you flexibility in creating, using, and managing templates for quotas.
A quota template defines a space limit, the quota type (hard or soft), and a set of notifications to be
generated when the quota limit is approached or exceeded.
Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply
a standard storage limit and a standard set of notification thresholds to many volumes and folders on
servers throughout your organization.

Template-Based Quota Updating

If you base your quotas on a template, you can update all quotas that are based on that template by
editing the template. This simplifies updating quota properties by providing a central point where IT
administrators make all changes.
For example, you can create a User Quota template that places a 200 MB limit on the personal folder of
each user. For each user, you then create a quota based on the User Quota template and assign it to the
user's folder. If you later decide to allow each user additional space on the server, you change the space
limit in the User Quota template once and choose to update each quota that is based on that template.

Quota Template Examples

File Server Resource Manager provides several quota templates. For example:

You can use the 200 MB Limit Reports to User template to place a hard 200 MB limit on the personal
folder of each user and send storage reports to users who exceed the quota.

For some folders, you might want to use the 200 MB Limit with 50 MB Extension template to grant a
one-time 50 MB quota extension to users who exceed the 200 MB quota limit. The built-in template grants
the extension by running a command at the 100 percent threshold that reapplies the 250 MB Extended Limit
template to the folder, which is also an example of the command notification type.

Other default templates are designed for monitoring disk usage through soft quotas such as the
Monitor 200 GB Volume Usage template and the Monitor 500 MB Share template. When you use
these templates, users can exceed the quota limit, but email and event log notifications are generated
when they do so.

Question: What advantage does creating 50 quotas from a template have over creating each quota
individually?

Demonstration: Creating and Configuring a Quota

Key Points
In this demonstration, you will see how to:

Create a new quota template.

Create a new quota based on a quota template.

Generate a quota notification.

Monitoring Quota Usage

Key Points
In addition to the information in the notifications that quotas send, you can find out about quota usage
by viewing the quotas in Quota Management within the FSRM console, by generating a Quota Usage report, or
by creating soft quotas that monitor overall disk usage.

Quota Usage Report

Use the Quota Usage report to identify quotas that may soon be exceeded so that you can take the
appropriate action. Generating a Quota Usage report is covered in greater detail in the Managing Storage
Reports lesson.

Templates for Monitoring Disk Usage

To monitor overall disk usage, you can create soft quotas for volumes or shares. FSRM provides the
following default templates that you can use (or adapt) for this purpose:

Monitor 200 GB Volume Usage

Monitor 500 MB Share

Lab A: Installing FSRM and Implementing Quota Management

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You need to begin implementing and configuring FSRM on NYC-SVR1. The first step in this process is
installing the FSRM role service.
You have also been asked to establish an initial quota governing user data directories. You must configure
a quota template that allows users a maximum of 100 MB of data in their user folders. When a user's folder
exceeds 85 percent of the quota, or when a user attempts to save a file that would take the folder past
the 100 MB limit, an event should be logged to the Event Viewer on the server.

Exercise 1: Installing the FSRM Role Service

You need to install the FSRM role service on NYC-SVR1.
The main task is as follows:
1. Install the FSRM role service.

Task 1: Install the FSRM role service.
1. On NYC-SVR1, open Server Manager.
2. Add the File Server Resource Manager role service.
3. On the Configure Storage Usage Monitoring page, select Allfiles (E:).
4. After the installation is complete, close the Add Role Services Wizard.
5. Close Server Manager.

Exercise 2: Configuring Storage Quotas

You must configure a quota template that allows users a maximum of 100 MB of data in their user folders.
When a user's folder exceeds 85 percent of the quota, or when a user attempts to save a file that would
take the folder past the 100 MB limit, an event should be logged to the Event Viewer on the server.
The main tasks are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is functional.

Task 1: Create a quota template.
1. In the File Server Resource Manager console, use the Quota Templates node to configure a template
   that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also logs an
   event to the Event Viewer when the folder reaches 85 percent and 100 percent of capacity.

Task 2: Configure a quota based on the quota template.
1. In the File Server Resource Manager console, use the Quotas node to create a quota on the
   E:\Labfiles\Mod05\Users folder by using the quota template that you created in Task 1. Configure
   the quota to auto apply to existing and new subfolders.
2. Create an additional folder named Max in the E:\Labfiles\Mod05\Users folder, and verify that the
   new folder is listed in the Quotas list in FSRM.

Task 3: Test that the quota is functional.
1. Open a command prompt, change to the E:\Labfiles\Mod05\Users\Max folder, and run the command
   fsutil file createnew file1.txt 89400000 to create an 89,400,000-byte file there. This takes the
   folder past 85 percent of the 100 MB limit.
2. Check the Event Viewer for an event with Event ID 12325.
3. Test that the quota works by attempting to create a second file of 16,400,000 bytes, and then press
   Enter. The command should fail, because the folder would then hold more than the 100 MB hard limit
   and a hard quota denies the write.
   Hint: fsutil file createnew file2.txt 16400000
4. Close the command prompt.
5. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured a storage quota.
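The following Python model is an added example, not FSRM code. It simulates the quota behaviour described in Lesson 2 (a hard quota denies the write that would cross the limit, a soft quota allows it but still notifies, each threshold fires once as it is crossed, an auto-apply template gives every subfolder its own quota, and usage is charged as allocated disk space rather than logical size) and replays Task 3 above with the lab's file sizes. It assumes that 1 MB is 1,048,576 bytes and that the NTFS cluster size is 4 KB; the event list stands in for the event log, email, command, and report actions a real threshold can trigger.

```python
"""Simulation of FSRM directory quotas (added example, not FSRM code)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

MB = 1024 * 1024   # assumption: FSRM "100 MB" means 100 * 1,048,576 bytes
CLUSTER = 4096     # assumption: default NTFS cluster size; FSRM charges allocated clusters,
                   # whereas NTFS quotas charge the logical (uncompressed) file size


def allocated(size: int) -> int:
    """Physical space a file occupies: its size rounded up to whole clusters."""
    return -(-size // CLUSTER) * CLUSTER


@dataclass(frozen=True)
class QuotaTemplate:
    name: str
    limit: int                     # bytes
    hard: bool = True              # hard: deny writes at the limit; soft: notify only
    thresholds: tuple = (85, 100)  # percentages at which a notification is generated


@dataclass
class Quota:
    path: PureWindowsPath
    template: QuotaTemplate
    used: int = 0
    fired: set = field(default_factory=set)   # thresholds already reported

    def percent(self) -> float:
        return 100.0 * self.used / self.template.limit


class QuotaManager:
    def __init__(self) -> None:
        self.quotas: dict = {}     # folder -> Quota
        self.auto: dict = {}       # parent folder -> template applied to each subfolder
        self.folders: set = set()
        self.events: list = []     # (kind, message): stand-in for event log / email / command / report

    def add_quota(self, path: str, template: QuotaTemplate) -> Quota:
        p = PureWindowsPath(path)
        self.quotas[p] = Quota(p, template)
        return self.quotas[p]

    def add_autoapply(self, parent: str, template: QuotaTemplate) -> None:
        """Auto-apply quota: existing subfolders get a quota now, new ones in create_folder()."""
        parent_p = PureWindowsPath(parent)
        self.auto[parent_p] = template
        for f in self.folders:
            if f.parent == parent_p:
                self.add_quota(str(f), template)

    def create_folder(self, path: str) -> Optional[Quota]:
        p = PureWindowsPath(path)
        self.folders.add(p)
        template = self.auto.get(p.parent)
        return self.add_quota(path, template) if template else None

    def _applicable(self, folder: PureWindowsPath) -> list:
        """A quota covers its folder and the whole subtree beneath it."""
        return [q for p, q in self.quotas.items() if p == folder or p in folder.parents]

    def create_file(self, path: str, size: int) -> bool:
        """Attempt a write; returns False when a hard quota would be exceeded."""
        p = PureWindowsPath(path)
        need = allocated(size)
        quotas = self._applicable(p.parent)
        for q in quotas:
            if q.template.hard and q.used + need > q.template.limit:
                self.events.append(("denied", f"{p}: hard limit on {q.path} would be exceeded"))
                return False          # the user sees an out-of-disk-space error
        for q in quotas:
            q.used += need
            for t in q.template.thresholds:
                if t not in q.fired and q.percent() >= t:
                    q.fired.add(t)    # each threshold is reported once as it is crossed
                    self.events.append(("threshold", f"{q.path} reached {t}% of {q.template.name}"))
        return True


def run_lab(hard: bool = True):
    """Replay Lab A, Exercise 2, Task 3; returns (file1_ok, file2_ok, events)."""
    fsrm = QuotaManager()
    users = r"E:\Labfiles\Mod05\Users"
    template = QuotaTemplate("100 MB Limit", 100 * MB, hard=hard, thresholds=(85, 100))
    fsrm.create_folder(users)
    fsrm.add_autoapply(users, template)           # Task 2, step 1
    fsrm.create_folder(users + r"\Max")           # Task 2, step 2: the quota appears automatically
    ok1 = fsrm.create_file(users + r"\Max\file1.txt", 89_400_000)  # crosses 85% (Event ID 12325 in the lab)
    ok2 = fsrm.create_file(users + r"\Max\file2.txt", 16_400_000)  # would push the folder past 100 MB
    return ok1, ok2, fsrm.events


if __name__ == "__main__":
    for hard in (True, False):
        ok1, ok2, events = run_lab(hard)
        print(f"{'hard' if hard else 'soft'} quota: file1={ok1} file2={ok2}")
        for kind, msg in events:
            print(f"  [{kind}] {msg}")
```

Running the model with the hard template reproduces the lab: the first file is accepted and raises the 85 percent notification (89,400,000 bytes is just over 85 percent of 104,857,600), and the second is refused. With hard=False the same second write succeeds and the 100 percent notification fires instead, which is the soft-quota monitoring pattern the lesson describes.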

Lesson 3

Implementing File Screening

Both the integrity of the data stored on your servers and the availability of free storage space for creating
new data are extremely important in your storage environment. If non-business files are allowed to be
stored on servers, both integrity and availability can be compromised.
File screening by using FSRM allows you to prevent files of unauthorized types, identified by file name
pattern, from being stored on your servers.

Objectives
After completing this lesson, you will be able to:

Describe File Screening Management.

Describe File Groups.

Configure File Screen Templates.

Implement File screening.

Describe File Screen Exceptions.

What Is File Screening Management?

Key Points
File Screening Management allows you to create file screens to block files from being saved on a volume
or in a folder tree. A file screen affects all folders in the designated path. You use file groups to control the
types of files that file screens manage. For example, you might create a file screen to prevent users from
storing audio and video files in their personal folders on the server.
As with the other components of FSRM, you can choose to generate email or other notifications when a file
screening event occurs.

File Screen Types

A file screen can be active or passive:

Active screening prevents users from saving unauthorized file types on the server and generates the
configured notifications when they attempt to do so.

Passive screening sends the configured notifications when users save the specified file types, but it does
not prevent users from saving those files.

File Screening Management Considerations

To simplify managing file screens, base your file screens on file screen templates, which are covered
later in this lesson.
For additional flexibility, you can configure a file screen exception in a subfolder of a path where you have
created a file screen. When you place a file screen exception on a subfolder, you allow users to save file
types there that the file screen applied to the parent folder would otherwise block.
Note: A file screen does not prevent users and applications from accessing files that were saved to the
path before the file screen was created, regardless of whether the files are members of blocked file
groups. A file screen also matches only the file name pattern, never the file content, so it is a capacity
and policy control rather than a security boundary: a blocked file that is renamed to an allowed
extension is saved without objection.

What Are File Groups?

Key Points
Before you begin working with file screens, you must understand the role of file groups in determining
which files are screened. A file group is used to define a namespace for a file screen or a file screen
exception, or to generate a Files by File Group storage report.

File Group Characteristics

A file group consists of a set of file name patterns, which are grouped as files to include and files to
exclude:

Files to include: Files to which the file group applies.

Files to exclude: Files to which the file group does not apply. An exclude pattern takes precedence over an
include pattern that matches the same file name.

For example, an Audio Files file group might include the following file name patterns:

Files to include: *.mp*: Includes all audio files created in the current and future MPEG formats (MP2,
MP3, and so forth).

Files to exclude: *.mpp: Excludes files created in Microsoft Project (.mpp files), which would otherwise
be included by the *.mp* inclusion rule.

FSRM provides several default file groups, which you can view in File Screening Management by clicking
the File Groups node. You can define additional file groups or change the files to include and exclude.
Any change that you make to a file group affects all existing file screens, templates, and reports to which
the file group has been added.
Note: For convenience, you can modify file groups when you edit the properties of a file screen, file
screen exception, file screen template, or the Files by File Group report. Note that any changes that you
make to a file group from these property sheets affect all items that use that file group.

What Is a File Screen Template?

Key Points
To simplify file screen management, you can create your file screens based on file screen templates. A file
screen template defines the following:

File groups to block.

Screening types to perform.

Notifications to be generated.

You can configure two screening types in a file screen template. Active screening does not allow users to
save files that belong to the file groups selected in the template. Passive screening allows users to save
those files, but generates notifications for monitoring.
FSRM provides several default file screen templates, which you can use to block audio and video files,
executable files, image files, and email files, to meet common administrative needs. To view the default
templates, select the File Screen Templates node in the File Server Resource Manager console tree.
By creating file screens exclusively from templates, you can manage your file screens centrally by updating
the templates instead of individual file screens.
Note: File Screens are created from File Screen Templates just like Quotas are created from Quota
Templates, as discussed in Lesson 2.

Demonstration: How to Implement File Screening

Key Points
In this demonstration, you will see how to:

Create a File Group.

Create a File Screen Template.

Create a File Screen by using a File Screen Template.

Demonstration Steps:
1. Open the File Server Resource Manager console.
2. Expand the File Screening Management node.
3. Create a new File Group called MPx Media Files that includes all files with a file extension beginning
   with .mp. Exclude .mpp files from this File Group.
4. Create a new File Screen Template called Block MPx Media Files by using the MPx Media Files File
   Group, and configure it to send a warning to the event log.
5. Create a new File Screen for E:\Labfiles\Mod05 by using the Block MPx Media Files File Screen
   Template.

What Is a File Screen Exception?

Key Points
Occasionally, you need to allow exceptions to file screening. For example, you might want to block video
files from a file server, but you need to allow your training group to save video files for their
computer-based training. To allow files that other file screens are blocking, create a file screen exception.
A file screen exception is a special type of file screen that overrides any file screening that would
otherwise apply to a folder and all its subfolders in the designated exception path. That is, it creates an
exception to any rules derived from a parent folder. The file groups assigned to the exception determine
which file types it allows.
File screen exceptions are created by choosing Create File Screen Exception from the File Screens node
under File Screening Management in FSRM.
Note: File screen exceptions always override file screens with conflicting settings, so an exception on a
widely used path silently re-opens whatever the parent screen was meant to block. Plan and implement
file screen exceptions carefully, and review them whenever you change a parent screen.

Lesson 4

Managing Storage Reports

Knowing and using the tools to enforce capacity management measures is only part of a capacity
management solution. To effectively manage your storage environment, you need to stay informed
regarding the status of your servers and how your enforcement policies are working.
This lesson will introduce storage reports in FSRM. Storage reports allow you to view information about
how FSRM components are operating on your server.

Objectives
After completing this lesson, you will be able to:

Describe the storage reports feature of FSRM.

Configure and schedule a Report Task.

Generate On-Demand Reports.

What Are Storage Reports?

Key Points
FSRM can generate reports that help you understand file usage on the storage server. You can use the
storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant
files, track quota usage, and audit file screening.
From the Storage Reports Management node, you can create report tasks, which are used to schedule one
or more periodic reports, or you can generate reports on demand. For on-demand and scheduled reports,
current data is gathered before the report is generated. Reports can also be generated automatically to
notify you when a user exceeds a quota threshold or saves an unauthorized file.

Storage Report Types

The following table describes each storage report that is available.

Report                          Description
Duplicate Files                 Lists files that appear to be duplicates (files with the same size and
                                last-modified time). Use this report to identify and reclaim disk space
                                that is wasted due to duplicate files.
File Screening Audit            Lists file screening events that have occurred on the server for a
                                specific number of days. Use this report to identify users or
                                applications that violate screening policies.
Files by File Group             Lists files that belong to specific file groups. Use this report to
                                identify file group usage patterns and file groups that occupy large
                                amounts of disk space. This can help you determine which file screens
                                to configure on the server.
Files by Owner                  Lists files, grouped by file owner. Use this report to analyze usage
                                patterns on the server and find users who use large amounts of disk
                                space.

Files by Property               Lists files by the values of a particular classification property. Use
                                this report to observe file classification usage patterns.
Large Files                     Lists files that are of a specific size or larger. Use this report to
                                identify files that are consuming the most disk space on the server.
                                This can help you quickly reclaim large quantities of disk space.
Least Recently Accessed Files   Lists files that have not been accessed for a specific number of days.
                                This can help you identify seldom-used data that might be archived and
                                removed from the server.
Most Recently Accessed Files    Lists files that have been accessed within a specified number of days.
                                Use this report to identify frequently used data that must be highly
                                available.
Quota Usage                     Lists quotas for which the quota usage is higher than a specified
                                percentage. Use this report to identify quotas with high usage levels
                                so that you can take appropriate action.

Configuring Report Parameters

Except for the Duplicate Files report, all reports have configurable report parameters that determine the
content of the report. The parameters vary with the type of report. For some reports, report parameters
can be used to select the volumes and folders on which to report, set a minimum file size to include, or
restrict a report to files owned by specific users.

Saving Reports
Regardless of how you generate a report, or whether you choose to view the report immediately, the
report is saved on disk. Incident reports are saved in Dynamic HTML (DHTML) format. You can save
scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats.
Scheduled reports, on-demand reports, and incident reports are saved in separate folders within a
designated report repository. By default, the reports are stored in subdirectories of the
%Systemdrive%\StorageReports\ folder. To change the default report locations, in the File Server
Resource Manager Options dialog box, on the Report Locations tab, specify where to save each type of
storage report. Because the reports list file paths, owners, and quota and screening activity for the whole
server, restrict NTFS permissions on the report repository (and on any location you redirect it to) to the
administrators who need to read them.
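The following Python script is an added example, not FSRM code. Over a constructed sample tree it reproduces the logic behind three of the reports in the table above: the Duplicate Files heuristic (same size and last-modified time), a Large Files threshold, and Least Recently Accessed Files by last-access time. It also adds the check the duplicate heuristic needs before you reclaim anything: a content hash, because two files can share size and timestamp and still differ. The sample files, timestamps, and thresholds are constructed for the example and are not data from the lab server.

```python
"""Storage report logic over a constructed sample tree (added example, not FSRM code)."""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Optional

STAMP = 1_600_000_000   # fixed timestamp so the constructed sample is deterministic
DAY = 86_400


def files_under(root: Path):
    return (p for p in root.rglob("*") if p.is_file())


def duplicate_candidates(root: Path) -> list:
    """Duplicate Files report heuristic: group files by (size, last-modified time)."""
    groups = defaultdict(list)
    for p in files_under(root):
        st = p.stat()
        groups[(st.st_size, int(st.st_mtime))].append(p)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def confirm_duplicates(candidates: list) -> list:
    """Size and mtime are a hint, not proof: hash the content before reclaiming space."""
    confirmed = []
    for group in candidates:
        by_hash = defaultdict(list)
        for p in group:
            by_hash[hashlib.sha256(p.read_bytes()).hexdigest()].append(p)
        confirmed.extend(sorted(v) for v in by_hash.values() if len(v) > 1)
    return confirmed


def large_files(root: Path, min_size: int) -> list:
    """Large Files report: files at or above min_size, largest first."""
    return sorted((p for p in files_under(root) if p.stat().st_size >= min_size),
                  key=lambda p: p.stat().st_size, reverse=True)


def least_recently_accessed(root: Path, days: int, now: float) -> list:
    """Least Recently Accessed Files report: last access older than `days` before `now`."""
    cutoff = now - days * DAY
    return sorted(p for p in files_under(root) if p.stat().st_atime < cutoff)


def build_sample(root: Path) -> None:
    """Constructed sample data, not real files from the lab server."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "a.bin").write_bytes(b"A" * 1000)
    (root / "b.bin").write_bytes(b"A" * 1000)      # genuine duplicate of a.bin
    (root / "c.bin").write_bytes(b"C" * 1000)      # same size and mtime, different content
    (root / "big.bin").write_bytes(b"B" * 50_000)
    (root / "old.txt").write_bytes(b"stale")
    for name in ("a.bin", "b.bin", "c.bin", "big.bin"):
        os.utime(root / name, (STAMP, STAMP))        # (atime, mtime)
    os.utime(root / "old.txt", (STAMP - 400 * DAY, STAMP - 400 * DAY))


def names(groups: list) -> list:
    return [[p.name for p in g] for g in groups]


def run_reports(root: Optional[Path] = None) -> dict:
    """Generate the three report views over the sample and return file names for inspection."""
    root = root or Path(tempfile.mkdtemp()) / "share"
    build_sample(root)
    candidates = duplicate_candidates(root)
    return {
        "duplicate_candidates": names(candidates),
        "duplicates_confirmed": names(confirm_duplicates(candidates)),
        "large_files": [p.name for p in large_files(root, 10_000)],
        "least_recently_accessed": [p.name for p in least_recently_accessed(root, 365, now=STAMP)],
    }


if __name__ == "__main__":
    for report, rows in run_reports().items():
        print(f"{report}: {rows}")
```

The heuristic groups a.bin, b.bin, and c.bin together, but only a.bin and b.bin survive the hash check; deleting c.bin on the strength of the report alone would lose data. The same caution applies to the real Duplicate Files report, which the page describes as matching on size and timestamp.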

What Is a Report Task?

Key Points
A report task is a set of storage management reports that run based on a schedule.
The report task specifies which reports to generate and what parameters to use, which volumes and
folders to report on, how often to generate the reports, and which file formats to save them in.
When you schedule a set of reports, the reports are saved in the report repository. You also have the
option of sending the reports to a group of administrators by email.
Report tasks can be scheduled by using the following steps from within FSRM:
1. Click the Storage Reports Management node.
2. Right-click Storage Reports Management and click Schedule a New Report Task (or click Schedule a
   New Report Task in the Actions pane). The Storage Reports Task Properties dialog box appears.

Note: To minimize the impact of report processing on server performance, generate multiple reports on
the same schedule so that the data is only gathered once.

Generating On-Demand Reports

Key Points
During daily operations, you may want to generate reports on demand to analyze the different aspects of
the current disk usage on the server. Before the reports are generated, current data is gathered.
When you generate reports on demand, the reports are saved in the report repository, but no report task
is created for later use. You can optionally view the reports immediately after they are generated or send
the reports to a group of administrators by email. To generate reports on demand from within FSRM:
1. Click the Storage Reports Management node.
2. Right-click Storage Reports Management, and then click Generate Reports Now (or click Generate
   Reports Now in the Actions pane). The Storage Reports Task Properties dialog box appears.

Note: When generating an on-demand report, you can wait for the reports to be generated and then
immediately display them. If you choose to open the reports immediately, you must wait while the
reports are generated. Processing time varies, depending on the types of reports and the data scope.


Lab B: Configuring File Screening and Storage Reports

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Microsoft Project files (.mpp) is
not affected by your file screening setup.
You have also been asked to provide a report to your manager about the attempts to save these media
files on NYC-SVR1.


Exercise 1: Configuring File Screening


You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Project files (.mpp) is not affected
by your file screening setup.

Task 1: Create a file group.
1. Open the File Server Resource Manager console.
2. Open the File Server Resource Manager Configuration Options dialog box and enable the Record
file screening activity in auditing database option on the File Screen Audit tab.

Note: This step allows recording of the File Screen events that supply the data for the File Screen Audit
report that you will run in Exercise 2.
3. Create a new File Group with the following properties.
   File group name: MPx Media Files
   Files to include: *.mp*
   Files to exclude: *.mpp

Task 2: Create a file screen template.
1. Create a File Screen Template with the following properties.
   Template name: Block MPx Media Files
   Screening type: Active
   File groups: MPx Media Files
   Event Log: Send a warning to the event log

Task 3: Create a file screen.
1. Create a File Screen based on the Block MPx Media Files File Screen Template for the
E:\Labfiles\Mod05\Users directory.
2. Close the File Server Resource Manager.

Task 4: Test the file screen.
1. Click Start, and then click Computer.
2. Create a new text document in E:\Labfiles\Mod05 and rename it as musicfile.mp3.
3. Copy musicfile.mp3 into E:\Labfiles\Mod05\Users. You will be notified that the system was unable
to copy the file to E:\Labfiles\Mod05\Users.

Results: After this exercise, you should have configured file screening by creating a file group, a file
screen template, and a file screen.

Exercise 2: Generating Storage Reports


You need to provide a report that documents attempts to save these media files on NYC-SVR1.

Task 1: Generate an On-Demand Storage Report.
1. Open the File Server Resource Manager console.
2. Right-click Storage Reports Management, select Generate Reports Now, and then provide the
following parameters:
   Report on E:\Labfiles\Mod05\Users.
   Generate only the File Screening Audit report.
3. Close all open windows on NYC-SVR1.

Results: In this exercise, you generated a storage report.

Lesson 5
Implementing Classification Management and File Management Tasks

Most applications manage files based on the directory they are contained in. This leads to complicated file
layouts that require a lot of attention from administrators. Such layouts can also lead to frustration among
the users.
In Windows Server 2008 R2, Classification Management and File Management tasks enable administrators
to manage groups of files based on various file and folder attributes. With Classification Management and
File Management tasks, you can automate file and folder maintenance tasks such as cleaning up stale data
or protecting sensitive information.
In this lesson, you will learn how Classification Management and File Management tasks work together
to make it easier for you to manage and organize the files and folders on your servers.
Note: The capabilities and components described in this lesson are available only in Windows Server
2008 R2.

Objectives
After completing this lesson, you will be able to:

Describe the Classification Management feature of FSRM.

Describe how to create Classification Properties.

Describe how Classification Rules are used to automatically assign Classification Properties.

Configure Classification Management.

Describe considerations for using Classification Management.

Describe File Management Tasks.

Configure File Management Tasks.

What Is Classification Management?

Key Points
Most applications manage files based on their location or the folder they are contained in. This leads to
complicated folder structures that often negatively affect the usability of the files and folders and
increase administrative requirements.
To reduce the cost and risk associated with this type of data management, the File Classification
infrastructure provides a platform that allows administrators to classify files and apply policies based on that
classification. The storage layout is unaffected by data management requirements, and the organization
can adapt more easily to a changing business and regulatory environment.
Classification Management is designed to ease the burden of managing data that is spread out across
your organization. Files can be classified in a variety of ways. In most scenarios, classification is performed
manually. The File Classification infrastructure in Windows Server 2008 R2 allows organizations to convert
these manual processes into automated policies. Administrators can specify file management policies
based on a file's classification and apply corporate requirements for managing data based on business
value. They can easily modify the policies and use tools that support classification to manage their files.
You can use file classification to perform the following actions:
1. Define classification properties and values, which can be assigned to files by running classification
rules.
2. Create, update, and run classification rules. Each rule assigns a single predefined property and value
to files within a specified directory based on installed classification plug-ins.
3. When running a classification rule, reevaluate files that are already classified. You can choose to
overwrite existing classification values or add the value to properties that support multiple values.

What Are Classification Properties?

Key Points
Classification properties are used to assign values to files. There are many property types that you can
choose from, as listed in the table below. You can define these properties based on the needs of your
organization. Classification properties are assigned to files by classification rules, which are
discussed in the next topic.
The following table defines the available property types and the policy that is applied when a file is
reclassified:

Property type         Description
--------------------  -------------------------------------------------------------------------
Yes/No                A Boolean property that can be Yes or No. When multiple values are
                      combined, a No value overwrites a Yes value.
Date-Time             A simple date and time property. When multiple values are combined,
                      conflicting values prevent reclassification.
Number                A simple number property. When multiple values are combined,
                      conflicting values prevent reclassification.
Multiple Choice List  A list of values that can be assigned to a property. More than one value
                      can be assigned to a property at a time. When multiple values are
                      combined, each value in the list is used.
Ordered List          A list of fixed values. Only one value can be assigned to a property at a
                      time. When multiple values are combined, the value highest in the list
                      is used.
String                A simple string property. When multiple values are combined,
                      conflicting values prevent reclassification.
Multi-string          A list of strings that can be assigned to a property. More than one value
                      can be assigned to a property at a time. When multiple values are
                      combined, each value in the list is used.

What Is a Classification Rule?

Key Points
A classification rule assigns a Classification Property to a file system object. A classification rule includes
information detailing when to assign a classification property to a file.

Key Classification Rule Properties

To define the behavior of a classification rule, ask yourself the following questions:

Is the rule enabled? On the Rule Settings tab, the Enabled check box allows you to specifically
disable or enable the classification rule.

What is the scope of the rule? On the Rule Settings tab, the scope parameter allows you to select a
folder or folders that the classification rule will apply to. When the rule is run, it processes and
attempts to classify all file system objects within this location.

What classification mechanism will the rule use? On the rule's Classification tab, you must choose
a classification method that the rule will use to assign the classification property. By default, there are
two methods that you can choose from:

Folder Classifier: The folder classifier mechanism assigns properties to a file based on the file's
folder path.

Content Classifier: The content classifier searches for strings or regular expressions in files. This
means that the content classifier classifies a file based on the textual contents of the file, such as
whether it contains a specific word, phrase, or numeric value or type.

What property will the rule assign? The main function of the classification rule is to assign a
property to a file object based on how the rule applies to that file object. You must specify a property
and the specific value of that property to be assigned by the rule on the Classification tab.

What additional classification parameters will be used? The core of the rule's logic lies in the
additional classification parameters. Clicking the Advanced button on the Classification tab takes you
to the Additional Classification Parameters window. Here, you can specify additional parameters like
strings or regular expressions that, if found in the file system object, will cause the rule to apply itself.

This could be something like looking for the phrase Social Security Number or any number with the
format 000-000-000 to apply a Yes value for a Confidential classification property to the file. This
classification could then be leveraged to perform some tasks on the file system object like moving it
to a secure location.
A classification parameter can be one of the following three types:

RegularExpression. Match a regular expression by using the .NET syntax. For example, \d\d\d
will match any three-digit number.

StringCaseSensitive: Match a case-sensitive string. For example, Confidential will only match
Confidential and not confidential or CONFIDENTIAL.

String: Match a string, regardless of case. Confidential will match both Confidential and
CONFIDENTIAL.

Classification Scheduling
You can run classification rules in two ways: on demand or based on a schedule. Either way you choose,
each time you run classification, it uses all rules that you have left in the Enabled state.
Configuring a schedule for classification allows you to specify a regular interval at which file classification
rules will run, ensuring that your server's files are regularly classified and up to date with the latest
classification properties.

Demonstration: How to Configure Classification Management

Key Points
In this demonstration you will see how to:

Create a Classification Property.

Create a Classification Rule.

Modify the Classification Schedule.

Demonstration Steps:
1. Open File Server Resource Manager and expand the Classification Management node.
2. Using the Classification Properties node, create a new Classification Property named Confidential
with the Yes/No property type.
3. Using the Classification Rules node, create a new Classification Rule named Confidential
Documents.
4. Configure the rule to classify documents with a value of Yes for the Confidential classification
property if the file contains the string value payroll.
5. Create a classification schedule that runs daily at 8:30 A.M.
6. Using the Classification Rules node, manually run Classification With All Rules Now and view the
report.

Considerations for Using File Classification

Key Points
Although Classification Management provides a powerful mechanism to catalog, categorize, and classify
your file system objects, you should consider certain factors when dealing with Classification
Management.

How Classification Properties Are Stored


The properties are stored in an alternate data stream, which is a feature of NTFS. Alternate data streams
move with a file if the file moves within NTFS file systems, but they do not appear in the file's contents.
The properties are also stored within file formats in Office products as custom document properties or
server document properties.

Movement Can Affect a File's Classification Properties


A file retains its classification properties if the file is moved to another NTFS file system by using a
standard mechanism such as Copy or Move. If a file is moved to a non-NTFS volume, file classification
properties are not retained. However, the classification properties for files in Microsoft Office products
remain attached, regardless of how the file is moved.

The Classification Management Process Exists Only in Windows Server 2008 R2


Classification properties are available only to servers running Windows Server 2008 R2. However,
Microsoft Office documents will retain classification property information in Document Properties, which
is viewable regardless of the operating system being used.

Classification Rules Can Conflict

The File Classification infrastructure attempts to combine properties where a potential conflict exists. The
following behaviors occur for the corresponding property types.

For Yes or No properties, a Yes value takes priority over a No value.

For ordered list properties, the highest property value takes priority.

For multiple choice properties, the property sets are combined into one set.

For multiple string properties, a multistring value is set that contains all the unique strings of the
individual property values.

For other property types, an error occurs.
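The following Python model is an added example, not FSRM's own code or part of the course: it shows how the three classification parameter types (RegularExpression, StringCaseSensitive, String) decide whether a content-classifier rule fires, and how the per-property conflict rules listed above combine the results when several rules assign the same property. The rules other than the lab's payroll rule are hypothetical, Python's re module stands in for the .NET regex syntax FSRM uses, and reading "highest in the list" as the value defined nearest the top of an ordered list is an assumption.

```python
import re


def parameter_matches(text, param_type, pattern):
    """Return True if one classification parameter matches the file text.

    param_type is one of the three types the lesson lists:
    RegularExpression, StringCaseSensitive, or String.
    """
    if param_type == "RegularExpression":
        # FSRM uses .NET regex syntax; Python's re is used here as a stand-in.
        return re.search(pattern, text) is not None
    if param_type == "StringCaseSensitive":
        return pattern in text
    if param_type == "String":
        return pattern.casefold() in text.casefold()
    raise ValueError("unknown classification parameter type: %s" % param_type)


def run_rules(text, rules):
    """Apply every enabled rule to one file's text.

    Each rule is a dict with keys name, enabled, property, value and
    parameters (a list of (type, pattern) pairs); a rule fires when any of
    its parameters is found. Returns the (property, value) pairs assigned.
    """
    assigned = []
    for rule in rules:
        if not rule["enabled"]:
            continue  # rules left disabled on the Rule Settings tab are skipped
        if any(parameter_matches(text, t, p) for t, p in rule["parameters"]):
            assigned.append((rule["property"], rule["value"]))
    return assigned


class ClassificationConflict(Exception):
    """Raised where the lesson says an error occurs for conflicting values."""


def combine(prop_type, values, ordered_list=None):
    """Merge the values that several rules assigned to one property.

    prop_type is YesNo, OrderedList, MultipleChoice, MultiString, or any
    other simple type (Number, DateTime, String), which must not conflict.
    """
    if prop_type == "YesNo":
        return "Yes" if "Yes" in values else "No"  # Yes takes priority over No
    if prop_type == "OrderedList":
        # Assumption: "highest in the list" is the value defined nearest the top.
        return min(values, key=ordered_list.index)
    if prop_type == "MultipleChoice":
        return sorted(set(v for vs in values for v in vs))  # sets are combined
    if prop_type == "MultiString":
        unique = []  # all unique strings, in first-seen order
        for vs in values:
            for v in vs:
                if v not in unique:
                    unique.append(v)
        return unique
    if len(set(values)) > 1:
        raise ClassificationConflict("%s: conflicting values %r" % (prop_type, values))
    return values[0]


def classify(text, rules, prop_types, ordered_lists=None):
    """Run all rules on one file's text and return the final property values."""
    ordered_lists = ordered_lists or {}
    per_property = {}
    for prop, value in run_rules(text, rules):
        per_property.setdefault(prop, []).append(value)
    return {prop: combine(prop_types[prop], vals, ordered_lists.get(prop))
            for prop, vals in per_property.items()}


# Constructed sample: the lab's payroll rule plus three hypothetical rules.
RULES = [
    {"name": "Confidential Payroll Documents", "enabled": True,
     "property": "Confidential", "value": "Yes",
     "parameters": [("String", "payroll")]},
    {"name": "Identifier Pattern", "enabled": True,   # hypothetical rule
     "property": "Confidential", "value": "Yes",
     "parameters": [("RegularExpression", r"\d\d\d-\d\d\d-\d\d\d")]},
    {"name": "Public Notice", "enabled": True,        # hypothetical rule
     "property": "Confidential", "value": "No",
     "parameters": [("StringCaseSensitive", "PUBLIC")]},
    {"name": "Retention", "enabled": False,           # hypothetical, disabled
     "property": "Retention", "value": "Long",
     "parameters": [("String", "payroll")]},
]
PROP_TYPES = {"Confidential": "YesNo", "Retention": "OrderedList"}

if __name__ == "__main__":
    sample = "PUBLIC notice: Payroll run for March, record 123-456-789."
    print(classify(sample, RULES, PROP_TYPES))  # {'Confidential': 'Yes'}
```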


Classification Management Cannot Classify Certain Files


The File Classification Infrastructure will not identify individual files within a container file such as a .zip or
.vhd file. Also, FCI will not allow content classification for the contents of encrypted files.

What Are File Management Tasks?

Key Points
File management tasks automate the process of finding subsets of files on a server and applying simple
commands to them on a scheduled basis. Files are identified by classification properties that have been
assigned to the file by a classification rule.
File management tasks include a file expiration command, and you can also create custom tasks. You can
define files that will be processed by a file management task through the following properties:

Location

Classification properties

Creation time

Modification time

Last accessed time

File name

You can also configure file management tasks to notify file owners of any impending policy that will be
applied to their files.

File Expiration Tasks


File expiration tasks are used to automatically move all files that match certain criteria to a specified
expiration directory, where an administrator can back up those files and delete them.
When a file expiration task is run, a new directory is created within the expiration directory. The new
directory is grouped by the server name on which the task was run, and it is named according to the
name of the file management task and the time it was run. When an expired file is found, it is moved into
the new directory, while preserving its original directory structure.

Custom File Management Tasks


Expiration is not always the desired action to perform on files. File management tasks also allow you to run
custom commands. Using the custom commands dialog box, you can run an executable file, script, or other
custom command to perform an operation on the files within the scope of the file management task.
Note: Custom tasks are configured by selecting the Custom type on the Action tab of the Create File
Management Task window.

Demonstration: How to Configure File Management Tasks

Key Points
In this demonstration, you will see how to:

Create a File Management Task.

Configure a File Management Task to Expire Documents.

Demonstration Steps:
1. Open FSRM and expand the File Management Tasks node.
2. Create a file management task named Expire Confidential Documents with a scope of
E:\Labfiles\Mod05\Data.
3. On the Action tab, configure the task for file expiration to E:\Labfiles\Mod05\Expired.
4. Add a condition that Confidential equals Yes.
5. Run the File Management Task and view the report.

Lab C: Configuring Classification and File Management Tasks

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
The Finance department of Contoso, Ltd has discovered that several payroll documents are being stored
in locations that are not secure.
You have been asked to use the Classification Management and File Management Tasks components of
FSRM to ensure that all payroll-related files are located in a secure location.

Exercise 1: Configuring Classification Management


The Finance department wants all documents related to the company payroll to be classified as
confidential. You must create a Classification Property and a Classification Rule that classifies any files
containing the word payroll as confidential.

Task 1: Create a classification property.
1. Create a Classification Property with the following attributes.
   Property name: Confidential
   Description: Assigns a confidentiality value of Yes or No
   Property Type: Yes/No

Task 2: Apply classification properties by using classification rules.
1. Create a new Classification Rule.
2. Configure the Rule Settings tab with the following attributes.
   Rule name: Confidential Payroll Documents
   Description: Classify documents containing the word payroll as confidential
   Scope: E:\Labfiles\Mod05\Data
3. Configure the Classification tab with the following attributes.
   Classification Mechanism: Content Classifier
   Property name: Confidential
   Property value: Yes
4. On the Classification tab, click Advanced.
5. Click the Additional Classification Parameters tab and add the following parameters.
   Name: String
   Value: payroll
6. Right-click the Classification Rules node, click Run Classification With All Rules Now, and select
the Wait for classification to complete execution option.
7. View the generated report and ensure that January.txt is displayed in the report.
8. View the contents of E:\Labfiles\Mod05\Data\January.txt.
9. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured Classification Management.

Exercise 2: Implementing File Management Tasks


You have been notified that the Finance department wants all payroll-related documents that you have
classified to be relocated to a more secure location. Your task is to create a File Management task that will
move any documents classified as confidential to the E:\Labfiles\Mod05\Confidential folder.

Task 1: Configure file management tasks based on classification properties.
1. Open the File Server Resource Manager, create a File Management task, and configure its
properties according to the following steps.
2. On the General tab, configure the following attributes:
   Task name: Move Confidential Files
   Description: Move confidential documents to another folder
   Scope: E:\Labfiles\Mod05\Data
3. On the Action tab, configure the following attributes.
   Type: File expiration
   Expiration directory: E:\Labfiles\Mod05\Confidential
4. On the Condition tab, configure the following attributes.
   Property conditions:
   Property: Confidential
   Operator: Equals
   Value: Yes
5. On the Schedule tab, create a schedule to run at 9:00 A.M. every day, starting today.
6. Right-click the newly created task, and then click Run File Management Task Now. Select the
option to wait for the task to complete execution, and then review the report. Ensure that January.txt is
listed in the report.
7. In Windows Explorer, browse to the E:\Labfiles\Mod05\Confidential folder. January.txt should be
located in this folder and no longer in E:\Labfiles\Mod05\Data.

Results: In this exercise, you implemented File Management Tasks.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.

Module Review and Takeaways

Review Questions
1. What criteria need to be met to use FSRM for managing a server's file structure?
2. In what ways can Classification Management and File Management Tasks decrease administrative
overhead when dealing with a complex file and folder structure?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature     Description
---------------------------------  ---------------------------------------------------------------
Classification Management (FSRM)   Create and assign user-defined properties to files that use an
                                   automated file classification infrastructure
File Management Tasks (FSRM)       Perform automated file management tasks leveraging the file
                                   classification infrastructure

Tools

Tool                           Use for                                   Where to find it
-----------------------------  ----------------------------------------  --------------------------------------------
File Server Resource Manager   Managing your file server infrastructure  Install the FSRM role service as part of the
                                                                         File Services server role


Module 6
Configuring and Securing Remote Access
Contents:
Lesson 1: Configuring a Virtual Private Network Connection    6-3
Lesson 2: Overview of Network Policies    6-16
Lab A: Implementing a Virtual Private Network    6-26
Lesson 3: Integrating Network Access Protection with VPNs    6-31
Lesson 4: Configuring VPN Enforcement Using NAP    6-39
Lab B: Implementing NAP into a VPN Remote Access Solution    6-48
Lesson 5: Overview of DirectAccess    6-56


Module Overview

For an organization to support its distributed workforce, it must implement technologies that enable
remote users to connect to the organization's network infrastructure. These technologies include virtual
private networks (VPNs) and DirectAccess. You need to understand how to configure and secure your
remote access clients by using network policies and, where appropriate, Network Access Protection (NAP).
This module explores these remote access technologies.

Objectives
After completing this module, you will be able to:
• Configure a VPN connection.
• Explain network policies.
• Describe VPN enforcement with NAP.
• Configure NAP.
• Describe and deploy DirectAccess.


Lesson 1

Configuring a Virtual Private Network Connection

A VPN provides a point-to-point connection between the components of a private network through a
public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to a VPN server's listening virtual port.
To properly implement and support a VPN environment within your organization, you must understand
how to select a suitable tunneling protocol, configure VPN authentication, and configure the Network
Policy and Access Services server role to support your chosen configuration.

Objectives
After completing this lesson, you will be able to:
• Describe virtual private networking.
• Describe methods used to authenticate remote systems.
• Identify the tunneling protocols used for a VPN connection.
• Describe considerations for installing a VPN server.
• Configure a VPN server.
• Describe additional tasks related to managing and configuring a VPN server.
• Describe VPN Reconnect.


What Is Virtual Private Networking?

Key Points
To emulate a point-to-point link, the data is encapsulated or wrapped and prefixed with a header. This
header provides routing information that enables the data to traverse the shared or public network to
reach its endpoint.
To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the shared or public network are indecipherable without encryption keys. The link in which the private
data is encapsulated and encrypted is known as a VPN connection.
There are two types of VPN connections:
• Remote access
• Site-to-site

Remote Access VPN
Remote access VPN connections enable your users working at home, at a customer site, or through a public
wireless access point to access resources on your organization's private network by using the
infrastructure that a public network provides, such as the Internet.
From the user's perspective, the VPN is a point-to-point connection between their computer (the VPN
client) and your organization's resources. The exact infrastructure between the client and the resource is
irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices or with other organizations over a
public network while helping to maintain secure communications.
A VPN connection routed across the Internet logically operates as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets to another router across a VPN
connection.


A site-to-site VPN connection connects two portions of a private network. For example, a branch office
router, acting as a VPN server, can create a VPN connection between itself and a corporate hub router
across the Internet. As the calling router, the branch office router authenticates itself to the answering
router on the corporate hub, and, for mutual authentication, the answering router authenticates itself to
the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN
connection typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with
Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following
properties:
Note: These tunneling protocols are discussed in the next few topics.

• Encapsulation. With VPN technology, private data is encapsulated with a header that contains
routing information that allows the data to traverse the transit network.

• Authentication. Authentication for VPN connections takes the following three forms:

  • User-level authentication by using PPP authentication. To establish the VPN connection, the VPN
  server authenticates the VPN client that is attempting the connection by using a PPP user-level
  authentication method and verifies that the VPN client has the appropriate authorization. If you use
  mutual authentication, the VPN client also authenticates the VPN server, which provides protection
  against computers that are masquerading as VPN servers.

  • Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security
  association, the VPN client and the VPN server use the IKE protocol to exchange either computer
  certificates or a preshared key. In either case, the VPN client and server authenticate each other at
  the computer level. It is recommended that you use computer-certificate authentication because it is
  a much stronger authentication method. Computer-level authentication is only performed for
  L2TP/IPsec connections.

  • Data origin authentication and data integrity. To verify that the data sent on the VPN connection
  originated at the connection's other end and was not modified in transit, the data contains a
  cryptographic checksum based on an encryption key known only to the sender and the receiver. Data
  origin authentication and data integrity are only available for L2TP/IPsec connections.

• Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit
network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption
processes depend on both the sender and the receiver using a common encryption key.

Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone
who does not have the common encryption key. The encryption key's length is an important security
parameter. Computational techniques can be used to determine an encryption key; however, such
techniques require more computing power and computational time as the encryption keys get larger.
Therefore, it is important to use the largest possible key size to ensure data confidentiality.


Types of VPN Authentication Methods

Key Points
Authentication of access clients is an important security concern. Authentication methods typically use an
authentication protocol that is negotiated during the connection establishment process.

PAP
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication
protocol. It is negotiated if the remote access client and remote access server cannot negotiate a more
secure form of validation.

CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication
protocol that uses the Message Digest 5 (MD5) one-way encryption scheme to hash the response to a
challenge issued by the remote access server. CHAP is an improvement over PAP because the password is
never sent over the link. Instead, the password is used to create a one-way hash from a challenge string.
The server, knowing the client's password, can duplicate the operation and compare the result with that
sent in the client's response.
A server running Routing and Remote Access supports CHAP so that remote access clients that require
CHAP can be authenticated. Because CHAP requires the server to store a reversibly encrypted password, you
should consider using another authentication protocol, such as MS-CHAP version 2.
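The following Python is an added illustration of the PAP and CHAP exchanges described above; it is not part of the course material or of Routing and Remote Access. The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge), both peers and the PPP link are simulated in-process, and the user name, password and challenge values are constructed for the demonstration.

```python
"""PAP versus CHAP (RFC 1994) on a simulated PPP link.

Added example for this lesson; not part of the course material or of
Routing and Remote Access. Both peers and the link are simulated
in-process. The account name, password and challenge bytes are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Server-side account store. CHAP verification needs the secret itself
# (the "reversibly encrypted password" the lesson refers to): a one-way
# hash of the password would not let the server recompute the response.
ACCOUNTS = {"adam": b"constructed-demo-secret"}


@dataclass
class Wire:
    """Everything either peer transmits, i.e. what a passive observer sees."""
    frames: list = field(default_factory=list)

    def send(self, direction: str, payload: bytes) -> None:
        self.frames.append((direction, payload))


def password_visible_on_wire(wire: Wire, password: bytes) -> bool:
    """True if the password appears verbatim in any transmitted frame."""
    return any(password in payload for _, payload in wire.frames)


def pap_authenticate(wire: Wire, username: str, password: bytes) -> bool:
    """PAP: the client sends the user name and password in the clear."""
    wire.send("client->server",
              b"PAP Authenticate-Request " + username.encode() + b":" + password)
    ok = hmac.compare_digest(ACCOUNTS.get(username, b""), password)
    wire.send("server->client",
              b"PAP Authenticate-Ack" if ok else b"PAP Authenticate-Nak")
    return ok


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the expected response from the stored secret."""
    secret = ACCOUNTS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_authenticate(wire: Wire, username: str, password: bytes,
                      identifier: int = 1,
                      challenge: Optional[bytes] = None) -> bool:
    """CHAP: the server challenges, the client answers with a hash.

    The password itself never leaves the client; only the hash crosses the link.
    """
    if challenge is None:
        challenge = os.urandom(16)  # fresh per attempt; see replayed_response_accepted
    wire.send("server->client", b"CHAP Challenge " + bytes([identifier]) + challenge)
    response = chap_response(identifier, password, challenge)
    wire.send("client->server",
              b"CHAP Response " + bytes([identifier]) + response + username.encode())
    ok = chap_verify(username, identifier, challenge, response)
    wire.send("server->client", b"CHAP Success" if ok else b"CHAP Failure")
    return ok


def replayed_response_accepted() -> bool:
    """Check a response recorded against one challenge against the server's next one.

    Returns False: because the server issues a new challenge each time, an
    observed response is of no use later, which is why challenges must be fresh.
    """
    identifier = 9
    old_challenge = b"\x01" * 16   # constructed
    recorded = chap_response(identifier, ACCOUNTS["adam"], old_challenge)
    new_challenge = b"\x02" * 16   # constructed; differs from the old one
    return chap_verify("adam", identifier, new_challenge, recorded)


if __name__ == "__main__":
    pap_wire, chap_wire = Wire(), Wire()
    print("PAP authenticated:", pap_authenticate(pap_wire, "adam", ACCOUNTS["adam"]),
          "| password visible on wire:", password_visible_on_wire(pap_wire, ACCOUNTS["adam"]))
    print("CHAP authenticated:", chap_authenticate(chap_wire, "adam", ACCOUNTS["adam"]),
          "| password visible on wire:", password_visible_on_wire(chap_wire, ACCOUNTS["adam"]))
    print("Replayed CHAP response accepted:", replayed_response_accepted())
```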

MS-CHAP v2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is an encrypted-password,
mutual-authentication process that works as follows:
1. The authenticator (the remote access server or the computer running Network Policy Server) sends a
challenge to the remote access client that consists of a session identifier and an arbitrary challenge
string.
2. The remote access client sends a response that contains a one-way encryption of the received
challenge string, the peer challenge string, the session identifier, and the user password.
3. The authenticator checks the response from the client and sends back a response containing an
indication of the success or failure of the connection attempt and an authenticated response based
on the sent challenge string, the peer challenge string, the client's encrypted response, and the user
password.
4. The remote access client verifies the authentication response and, if correct, uses the connection. If
the authentication response is not correct, the remote access client terminates the connection.

Extensible Authentication Protocol (EAP)

With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a
remote access connection. The remote access client and the authenticator (either the remote access server
or the Remote Authentication Dial-In User Service (RADIUS) server) negotiate the exact authentication
scheme to be used. Routing and Remote Access includes support for EAP-Transport Level Security (EAP-TLS)
by default. You can plug other EAP modules in to the server running Routing and Remote Access to
provide other EAP methods.

Using Smart Cards for Remote Access

Using smart cards for user authentication is the strongest form of authentication in the Windows Server
2008 family. For remote access connections, you must use EAP with the Smart card or other certificate
(TLS) EAP type, also known as EAP-TLS.
To use smart cards for remote access authentication, you must:
• Configure remote access on the remote access server.
• Install a computer certificate on the remote access server computer.
• Configure the Smart card or other certificate (TLS) EAP type in network policies.
• Enable smart card authentication on the dial-up or VPN connection on the remote access client.


Tunneling Protocols for a VPN Connection

Key Points
PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to
send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets
within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was
defined originally as the protocol to use between a dial-up client and a network access server.

PPTP
PPTP enables you to encrypt multi-protocol traffic and encapsulate it in an IP header, which is then sent
across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and
site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a
PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.

• Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a
Transmission Control Protocol (TCP) connection for tunnel management and a modified version of
Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the
encapsulated PPP frames can be encrypted, compressed, or both.

• Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using
encryption keys generated from the MS-CHAP v2 or EAP-TLS authentication process. VPN clients must
use the MS-CHAP v2 or EAP-TLS authentication protocol so that the payloads of PPP frames can be
encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously
encrypted PPP frame.

L2TP
L2TP enables you to encrypt multi-protocol traffic to send over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and
Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.


Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP
relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as
L2TP/IPsec.
Both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built in to the
Windows XP, Windows Vista, and Windows 7 remote access clients, and VPN server support for L2TP
is built in to members of the Windows Server 2008 and Windows Server 2003 family.
Note: L2TP is installed with the TCP/IP protocol.

• Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers:

  • First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and
  a User Datagram Protocol (UDP) header.

  • Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec
  Encapsulating Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides
  message integrity and authentication, and a final IP header. The IP header contains the source and
  destination IP addresses that correspond to the VPN client and server.

• Encryption: The L2TP message is encrypted with one of the following algorithms by using encryption
keys generated from the IKE negotiation process: Advanced Encryption Standard (AES) 256, AES 192,
AES 128, or 3DES.

SSTP
SSTP is a tunneling protocol that uses the Secure Hypertext Transfer Protocol (HTTPS) over TCP
port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic.
SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the
HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL
provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS
layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.

• Encapsulation: SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP
uses a TCP connection (over port 443) both for tunnel management and for carrying the PPP data frames.

• Encryption: The SSTP message is encrypted within the SSL channel of the HTTPS protocol.

IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because
of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity,
making it a good choice for mobile users who move between access points and even switch between
wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves
from one wireless hotspot to another or when it switches from a wireless to a wired connection; this ability
is a requirement of VPN Reconnect.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods.

• Encapsulation: IKEv2 encapsulates datagrams by using IPsec ESP or AH headers for transmission over
the network.

• Encryption: The message is encrypted with one of the following algorithms by using encryption keys
generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192,
AES 128, or 3DES.

IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2.
Note: IKEv2 is the default VPN tunneling protocol in Windows 7.


Considerations for Installing a VPN Server

Key Points
Before you deploy your organization's VPN solution, consider the following factors:

• To accept incoming connections, your VPN server requires two network interfaces: determine which
network interface connects to the Internet and which network interface connects to your private
network. During configuration, you must choose which network interface connects to the Internet. If
you specify the incorrect interface, your remote access VPN server will not operate correctly.

• Determine whether remote clients receive IPv4 addresses from a Dynamic Host Configuration
Protocol (DHCP) server on your private network or from the remote access VPN server that you are
configuring. If you have a DHCP server on your private network, the remote access VPN server can
lease ten addresses at a time from the DHCP server and assign those addresses to remote clients. If
you do not have a DHCP server on your private network, the remote access VPN server can generate
and assign IP addresses automatically to remote clients. If you want the remote access VPN server to
assign IP addresses from a range that you specify, you must determine what that range should be.

• Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS
server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful
if you plan to add multiple remote access VPN servers, wireless access points, or other RADIUS
clients to your private network.

• Determine whether IPv4 VPN clients can send DHCP messages to the DHCP server on your private
network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages
from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a
DHCP server is on a different subnet from your remote access VPN server, ensure that the router
between subnets can relay DHCP messages between the clients and the server. If your router is
running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent
service on the router to forward DHCP messages between subnets.

• Ensure that the individual responsible for the deployment of your VPN solution has the necessary
administrative group memberships to install the server roles and configure the necessary services;
membership of the local Administrators group is required to perform these tasks.


Demonstration: Configuring a VPN Server

Key Points
In this demonstration, you will see how to:
• Configure user dial-in settings.
• Configure Routing and Remote Access as a VPN server.
• Configure a VPN client.

Demonstration Steps:
1. Verify the dial-in permission of Adam Carter.
2. Determine group memberships of Adam Carter.
3. Add the Network Policy Server role to NYC-EDGE1.
4. Configure and enable a VPN server on NYC-EDGE1.
5. Disable existing NPS policies on NYC-EDGE1.
6. Create a VPN connection on NYC-CL1.
7. Attempt to connect to NYC-EDGE1 by using the VPN.


Additional Configuration Tasks for VPN Servers

Key Points
After you complete the steps in the Add Roles Wizard and complete the configuration in Routing and
Remote Access, your server is ready for use as a remote access VPN server.
The following are additional tasks that you can perform on your remote access/VPN server:

• Configure static packet filters. Add static packet filters to better protect your network.

• Configure services and ports. Choose which services on the private network you want to make
available to remote access users.

• Adjust logging levels for routing protocols. Configure the level of event detail that you want to log.
You can decide which information you want to track in log files.

• Configure the number of VPN ports. Add or remove VPN ports.

• Create a Connection Manager profile for users. Manage the client connection experience for users
and simplify troubleshooting of client connections.

• Add Active Directory Certificate Services (AD CS). Configure and manage a certification authority (CA)
on a server for use in a PKI.

• Increase remote access security. Protect remote users and the private network by enforcing the use of
secure authentication methods, requiring higher levels of data encryption, and more.

• Increase VPN security. Protect remote users and the private network by requiring the use of secure
routing and tunneling protocols, configuring account lockout, and more.

• Consider implementing VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide a seamless
and consistent VPN connection, automatically re-establishing the VPN when users temporarily lose their
Internet connections.


What Is VPN Reconnect?

Key Points
In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and
access it continuously, without interruption. For example, users might want to securely access data on the
company's server in the head office, from a branch office, or while on the road.
To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows
Server 2008 R2 and Windows 7. This enables users to securely access the company's data by using a VPN
connection, which will automatically reconnect if connectivity is interrupted. It also enables roaming
between different networks.
VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and
consistent VPN connectivity. VPN Reconnect automatically re-establishes a VPN connection when Internet
connectivity is available again. Users who connect by using wireless mobile broadband benefit most
from this capability.
Consider a user with a laptop running Windows 7. When the user travels to work by train, the user
connects to the Internet by using a wireless mobile broadband card and then establishes a VPN
connection to the company's network. When the train passes through a tunnel, the Internet connection is
lost. After the train comes out of the tunnel, the wireless mobile broadband card automatically reconnects
to the Internet. With earlier versions of Windows client and server operating systems, the VPN did not
reconnect automatically. Therefore, the user needed to manually repeat the multistep process of
connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically re-establish active VPN
connections when Internet connectivity is re-established. Even though the reconnection might take
several seconds, users stay connected and have uninterrupted access to internal network resources.
The system requirements for using the VPN Reconnect feature are as follows:
• Windows Server 2008 R2 as a VPN server
• Windows 7 or Windows Server 2008 R2 client
• PKI infrastructure, because a computer certificate is required for a remote connection with VPN
Reconnect. Certificates issued by either an internal or a public CA can be used.


Lesson 2

Overview of Network Policies

Network policies determine whether a connection attempt is successful, and if such an attempt is
successful, the network policy defines connection characteristics, such as day and time restrictions, session
idle-disconnect times, and other settings.
Understanding how to configure network policies is essential if you are to successfully implement VPNs
based on the Network Policy and Access Services server role within your organization.

Objectives
After completing this lesson, you will be able to:
• Describe the Network Policy and Access Services role.
• Describe how network policies are used to control and secure a VPN connection.
• Describe the process for creating and configuring a network policy.
• Create a network policy to be used for VPN connections.
• Describe how network policies are processed.


What Is the Network Policy and Access Services Role?

Key Points
The Network Policy and Access Services role in Windows Server 2008 R2 provides the following network
connectivity solutions:

NAP. NAP is a client health policy creation, enforcement, and remediation technology that is
included in the Windows XP with SP3, Windows Vista, and Windows 7 client operating systems and in
the Windows Server 2008 and Windows Server 2008 R2 operating systems. With NAP,
you can establish and automatically enforce health policies, which can include software requirements,
security update requirements, required computer configurations, and other settings. If client
computers do not comply with a health policy, you can restrict their network access until their
configuration is updated and brought into compliance. Depending on how you choose to deploy
NAP, noncompliant clients can be updated automatically so that users can regain full network access
quickly without manually updating or reconfiguring their computers.

Secure wireless and wired access. When you deploy 802.1X wireless access points, it provides
wireless users with a secure password-based authentication method, which is easy to deploy. When
you deploy 802.1X authenticating switches, wired access allows you to secure your network by
ensuring that intranet users are authenticated before they can connect to the network or obtain an IP
address by using DHCP.

Remote access solutions. With remote access solutions, you can provide users with VPN and
traditional dial-up access to your organization's network. You also can connect branch offices to your
network with VPN solutions, deploy full-featured software routers on your network, and share
Internet connections across the intranet.

Central network policy management with RADIUS server and proxy. Rather than configuring
network access policy at each network access server, such as wireless access points, 802.1X
authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location
that specify all aspects of network connection requests, including who is allowed to connect, when
they can connect, and the level of security they must use to connect to your network.


What Is a Network Policy?

Key Points
Network policies are sets of conditions, constraints, and settings that enable you to designate who is
authorized to connect to the network and the circumstances under which they can, or cannot, connect.
Additionally, when you deploy NAP, health policy is added to the network policy configuration so that
NPS performs client health checks during the authorization process.
You can view network policies as rules; each rule has a set of conditions and settings. NPS compares the
rule's conditions with the properties of connection requests. If a match occurs between the rule and the
connection request, the settings that you define in the rule are applied to the connection.
When you configure multiple network policies in NPS, they form an ordered set of rules. NPS checks each
connection request against the list's first rule, then the second, and so on, until a match is found.
Note: After a matching rule is determined, further rules are disregarded. It is important to order your
network policies appropriately.
Each network policy has a Policy State setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate the policy when authorizing connection requests.

Network Policy Properties


Each network policy has four categories of properties:

Overview. These properties allow you to specify whether the policy is enabled; whether the policy
grants or denies access; and whether a specific network connection method, or type of network
access server, is required for connection requests. Overview properties also enable you to specify
whether to ignore the dial-in properties of user accounts in AD DS. If you select this option, NPS uses
only the network policy's settings to determine whether to authorize the connection.


Conditions. These properties allow you to specify the conditions that the connection request must
have to match the network policy. If the conditions configured in the policy match the connection
request, NPS applies the network-policy settings to the connection. For example, if you specify the
network access server IPv4 address (NAS IPv4 Address) as a condition of the network policy and NPS
receives a connection request from a NAS that has the specified IP address, the condition in the policy
matches the connection request.

Constraints. Constraints are additional parameters of the network policy that are required to match
the connection request. If the connection request does not match a constraint, NPS automatically
rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a
constraint is not matched, NPS does not evaluate additional network policies. The connection request
is denied.

Settings. These properties allow you to specify the settings that NPS applies to the connection
request if all of the policy's conditions are matched.

When you add a new network policy by using the NPS MMC snap-in, you must use the New Network
Policy Wizard. After you have created a network policy by using the wizard, you can customize the policy
by double-clicking it in NPS to obtain the policy properties.


Process for Creating and Configuring a Network Policy

Key Points
NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a
connection request to your network. You can configure a new network policy in either the NPS MMC
snap-in or the Routing and Remote Access Service MMC snap-in.

Creating Your Policy


When you use the New Network Policy Wizard to create a network policy:

The value that you specify as the network connection method is used to configure the Policy Type
condition automatically. If you keep the default value, NPS evaluates the network policy that you
create for all network connection types through any type of network access server. If you specify a
network connection method, NPS evaluates the network policy only if the connection request
originates from the type of network access server that you specify. For example, if you specify Remote
Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from
Remote Desktop Gateway servers.

On the Specify Access Permission page, you must select Access granted if you want the policy to
allow users to connect to your network. If you want the policy to prevent users from connecting to
your network, select Access denied. If you want user account dial-in properties in AD DS to determine
access permission, you can select the Access is determined by User Dial-in properties (which override
NPS policy) check box.

Note: To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.

Adding a Network Policy by Using the Windows Interface


To add a network policy by using the Windows interface:
1. Open the NPS console, and expand Policies.


2. In the console tree, right-click Network Policies, and then click New. The New Network Policy
   Wizard opens.
3. Use the New Network Policy Wizard to create a policy.
4. Configure the Network Policy properties (described in the remainder of this topic).

Configuring Your Policy


After you have created your policy, you can use the properties dialog box for the policy to view or
reconfigure its settings.

Network Policy Properties: Overview Tab


From the Overview tab of the Properties sheet for a network policy, or while running the New Network
Policy wizard, you can configure the following:

Policy Name. Type a friendly and meaningful name for the network policy.

Policy State. Designate whether to enable the policy.

Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS
should ignore the dial-in properties of user accounts in AD DS when using the policy to authorize the
connection attempt.

The network connection method to use for the connection request:

Unspecified. If you select Unspecified, NPS evaluates the network policy for all connection
requests that originate from any type of network access server and for any connection method.

Remote Desktop Gateway. If you specify Remote Desktop Gateway, NPS evaluates the network
policy for connection requests that originate from servers that are running Remote Desktop
Gateway.

Remote Access Server (VPN-Dial-up). If you specify Remote Access Server (VPN-Dial-up), NPS
evaluates the network policy for connection requests that originate from a computer running
Routing and Remote Access service configured as a dial-up or VPN server. If another dial-up or
VPN server is used, the server must support the RADIUS protocol and the authentication
protocols that NPS provides for dial-up and VPN connections.

DHCP Server. If you specify DHCP Server, NPS evaluates the network policy for connection
requests that originate from servers that are running DHCP.

Health Registration Authority. If you specify Health Registration Authority, NPS evaluates the
network policy for connection requests that originate from servers that are running Health
Registration Authority.

HCAP Server. If you specify HCAP server, NPS evaluates the network policy for connection
requests that originate from servers that are running HCAP.

Network Policy Properties: Conditions Tab


You must configure at least one condition for every network policy. NPS provides many condition groups
that allow you to define clearly the properties that a connection request must have in order to match
the policy.
The available condition groups are:

Groups. These specify user or computer groups that you configure in AD DS and to which you want
the other rules of the network policy to apply when group members attempt to connect to the
network.

HCAP. These conditions are used only when you want to integrate your NPS NAP solution with Cisco
Network Admission Control. To use these conditions, you must deploy Cisco Network Admission
Control and NAP. You also must deploy an HCAP server running both Internet Information Services
(IIS) and NPS.

Day and Time Restrictions. The Day and Time Restrictions condition allows you to specify, at a
weekly interval, whether to allow connections on a specific set of days and times.
For example, you can configure this condition to allow access to your network only between the
hours of 8 A.M. and 5 P.M., Monday through Thursday. With this condition value, users whose
connection requests match all conditions of the network policy cannot connect to the network on
Fridays, Saturdays, Sundays, and during other weekdays between the hours of 5 P.M. and 8 A.M., but
they can connect between Monday and Thursday between 8 A.M. and 5 P.M.
Conversely, you can specify the days and times during which you want to deny network connections.
If you specify days and times during which to deny connections, users can access your network on the
unspecified days and times. For example, if you configure this condition to deny connections all day
on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through
Saturday at any time.

NAP. Settings include Identity Type, MS-Service Class, NAP-Capable Computers, Operating System,
and Policy Expiration.
Note: The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health
checks when NPS does not receive an Access-Request message that contains a value for the User-Name
attribute. In these circumstances, client health checks are performed, but authentication and
authorization are not.

Connection Properties. Settings include Access Client IPv4 Address, Access Client IPv6 Address,
Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.

RADIUS Client Properties. Settings include Calling Station ID, Client Friendly Name, Client IPv4
Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.
Important: Client computers, such as wireless laptop computers and other computers running client
operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless
access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up
servers, because they use the RADIUS protocol to communicate with RADIUS servers such as NPS
servers.

Gateway. Settings include Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6 Address, and
NAS Port Type.
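The allow-schedule and deny-schedule semantics of the Day and Time Restrictions condition, as an added Python model. This is example code written for this topic, not NPS code or a Microsoft API: the DayTimeRestriction class, the three schedule builders and the sample timestamps are constructed for illustration. The first two schedules are the ones described in the condition text above; the third is the "11 P.M. to 6 A.M., Monday through Friday, denied" constraint required in Lab A, Exercise 2, which shows how a window that crosses midnight is selected in the weekly grid.

```python
from datetime import datetime

# Weekday names in datetime.weekday() order (Monday == 0).
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


class DayTimeRestriction:
    """A 7-day x 24-hour permit grid, modelled on the NPS Day and Time
    Restrictions condition (hypothetical class, not an NPS API)."""

    def __init__(self, default_permit: bool):
        # default_permit=False builds an "allow only these hours" schedule;
        # default_permit=True builds a "deny only these hours" schedule.
        self.grid = {day: [default_permit] * 24 for day in DAYS}

    def set_window(self, days, start_hour: int, end_hour: int, permit: bool):
        """Mark the hours [start_hour, end_hour) on each listed day.

        If start_hour >= end_hour the window is the late-evening hours
        [start_hour, 24) plus the early-morning hours [0, end_hour) of the
        same weekday rows, which is how "11 P.M. to 6 A.M. Monday through
        Friday" is selected in the weekly grid."""
        if start_hour < end_hour:
            hours = list(range(start_hour, end_hour))
        else:
            hours = list(range(start_hour, 24)) + list(range(0, end_hour))
        for day in days:
            for hour in hours:
                self.grid[day][hour] = permit
        return self

    def permits(self, when: datetime) -> bool:
        """True if a connection request made at `when` matches this condition."""
        return self.grid[DAYS[when.weekday()]][when.hour]


def business_hours() -> DayTimeRestriction:
    """Lesson example: allow only 8 A.M. to 5 P.M., Monday through Thursday."""
    return DayTimeRestriction(default_permit=False).set_window(
        ("Mon", "Tue", "Wed", "Thu"), 8, 17, True)


def no_sundays() -> DayTimeRestriction:
    """Lesson example: deny all day Sunday, allow every other day and time."""
    return DayTimeRestriction(default_permit=True).set_window(("Sun",), 0, 24, False)


def contoso_lab() -> DayTimeRestriction:
    """Lab requirement: deny 11 P.M. to 6 A.M., Monday through Friday."""
    return DayTimeRestriction(default_permit=True).set_window(
        ("Mon", "Tue", "Wed", "Thu", "Fri"), 23, 6, False)


if __name__ == "__main__":
    # Constructed sample timestamps: Wed 7 Sep 2011 10:00 and 23:30, Sun 11 Sep 2011 12:00.
    samples = (datetime(2011, 9, 7, 10, 0), datetime(2011, 9, 7, 23, 30),
               datetime(2011, 9, 11, 12, 0))
    for label, rule in (("business hours", business_hours()),
                        ("no Sundays", no_sundays()),
                        ("Contoso lab", contoso_lab())):
        for t in samples:
            print(f"{label:15} {t.strftime('%a %H:%M')} ->",
                  "permit" if rule.permits(t) else "deny")
```

The grid is evaluated on the hour in which the request arrives, which is the granularity of the NPS condition; a request at 4:59 P.M. on a Monday matches the business-hours schedule, a request at 5:00 P.M. does not.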

Network Policy Properties: Constraints Tab


Constraints are optional additional network policy parameters that differ from network policy conditions
in one substantial way; that is, when a condition does not match a connection request, NPS continues to
evaluate other configured network policies to find a match for the connection request. When a constraint
does not match a connection request, NPS does not evaluate additional network policies, but rejects the
connection request, and the user or computer is denied network access.
The following list describes the constraints that you can configure in network policy:

Authentication Methods. Allows you to specify the authentication methods that are required for the
connection request to match the network policy.

Idle Timeout. Allows you to specify the maximum time, in minutes, that the network access server
can remain idle before the connection disconnects.

Session Timeout. Allows you to specify the maximum amount of time, in minutes, that a user can be
connected to the network.

Called Station ID. Allows you to specify the telephone number of the dial-up server that clients use
to access the network.

Day and time restrictions. Allows you to specify when users can connect to the network.

NAS Port Type. Allows you to specify the access media types that are allowed for users to connect to
the network.

Network Policy Properties: Settings Tab


NPS applies the settings that you configure in the network policy to the connection if all of the
conditions and constraints that you configure in the policy match the connection request's properties.
The available groups of settings that you can configure are:

RADIUS Attributes
Important: If you plan to return to RADIUS clients any additional RADIUS attributes or vendor-specific
attributes (VSAs) with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs
to the appropriate network policy.

RADIUS attributes are described in Request for Comments (RFC) 2865, RFC 2866, RFC 2867, RFC 2868, RFC
2869, and RFC 3162. RFCs and Internet drafts for VSAs define additional RADIUS attributes.

NAP. With NAP Enforcement, you can specify how you want to enforce NAP, remediation server
groups, troubleshooting URL, and auto-remediation.

Routing and Remote Access. Includes Multilink and Bandwidth Allocation Protocol (BAP), IP filters,
encryption, and IP settings.

Demonstration: How to Create a Network Policy

Key Points
In this demonstration, you will see how to create a VPN policy and test it.

Demonstration Steps:
1. Create a VPN policy based on the Windows Groups condition.
2. Test the VPN policy that you previously created.

How Network Policies Are Processed

Key Points
When NPS performs authorization of a connection request, it compares the request with each network
policy in the ordered list of policies, starting with the policy with the highest processing order and moving
down the list.
If NPS finds a network policy in which the conditions match the connection request, NPS uses the
matching network policy and the dial-in properties of the user account to perform the authorization.
If you configure the dial-in properties of the user account to grant or control access through network
policy, and the connection request is authorized, NPS applies the settings that you configure in the
network policy to the connection.

If NPS does not find a network policy that matches the connection request, NPS rejects the
connection unless the dial-in properties on the user account are set to grant access.

If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.
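The ordered evaluation described in this topic, together with the conditions-versus-constraints distinction from the Conditions and Constraints tabs earlier in the lesson, as an added Python model. This is example code written for this lesson, not NPS code or a Microsoft API: the NetworkPolicy and Decision classes, the authorize function and the request attributes are constructed. The "Secure VPN" policy mirrors the one built in Lab A, Exercise 2, and the catch-all policy borrows the name of the default NPS policy "Connections to other access servers" only as a label; the sample requests and group names are constructed as well. The model follows the rules as this lesson states them: an unmatched condition moves on to the next policy, an unmatched constraint rejects immediately, a user account whose dial-in property denies access is rejected, and a request that matches no policy is rejected unless the dial-in property grants access.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A connection request is modelled as a dict of RADIUS-style attributes;
# every value used below is constructed for this example.
Request = Dict[str, object]
Check = Callable[[Request], bool]

# Dial-in property of the user account in AD DS.
DIALIN_ALLOW = "allow"
DIALIN_DENY = "deny"
DIALIN_NPS = "control-through-nps"


@dataclass
class NetworkPolicy:
    """Hypothetical model of one NPS network policy (not an NPS API)."""
    name: str
    enabled: bool = True                   # Policy State
    grant: bool = True                     # Access Permission: granted / denied
    ignore_dialin: bool = False            # "Ignore user account dial-in properties"
    conditions: Dict[str, Check] = field(default_factory=dict)
    constraints: Dict[str, Check] = field(default_factory=dict)
    settings: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    access: bool
    policy: Optional[str]                  # name of the policy that decided, if any
    reason: str
    settings: Dict[str, object] = field(default_factory=dict)


def authorize(request: Request, policies: List[NetworkPolicy], dialin: str) -> Decision:
    """Walk the ordered policy list the way the lesson describes NPS doing it."""
    for p in policies:
        if not p.enabled:
            continue                       # disabled policies are never evaluated
        if not all(check(request) for check in p.conditions.values()):
            continue                       # unmatched condition: try the next policy
        failed = [name for name, check in p.constraints.items() if not check(request)]
        if failed:
            # Unmatched constraint: reject now; later policies are not evaluated.
            return Decision(False, p.name, "constraint not met: " + ", ".join(failed))
        if not p.ignore_dialin and dialin == DIALIN_DENY:
            return Decision(False, p.name, "user dial-in property denies access")
        if p.grant or (not p.ignore_dialin and dialin == DIALIN_ALLOW):
            return Decision(True, p.name, "access granted", dict(p.settings))
        return Decision(False, p.name, "policy denies access")
    # No policy matched: rejected unless the user account itself grants access.
    if dialin == DIALIN_ALLOW:
        return Decision(True, None, "no matching policy; dial-in property allows access")
    return Decision(False, None, "no matching policy")


def contoso_policies() -> List[NetworkPolicy]:
    """Constructed policy list: the lab's 'Secure VPN' policy first, then a
    catch-all deny policy (label borrowed from the NPS default policy name)."""
    secure_vpn = NetworkPolicy(
        name="Secure VPN",
        conditions={
            "Tunnel Type": lambda r: r.get("tunnel") in {"L2TP", "PPTP", "SSTP"},
            "Windows Groups": lambda r: "CONTOSO\\VPN Users" in r.get("groups", ()),
        },
        constraints={"Authentication Methods": lambda r: r.get("auth") == "MS-CHAP-v2"},
        settings={"Encryption": "MPPE 128-bit"},
    )
    catch_all = NetworkPolicy(name="Connections to other access servers", grant=False)
    return [secure_vpn, catch_all]


# Constructed sample requests.
GOOD_REQUEST: Request = {"tunnel": "PPTP", "groups": ["CONTOSO\\VPN Users"], "auth": "MS-CHAP-v2"}
WEAK_AUTH_REQUEST: Request = {"tunnel": "PPTP", "groups": ["CONTOSO\\VPN Users"], "auth": "PAP"}
NOT_IN_GROUP_REQUEST: Request = {"tunnel": "PPTP", "groups": ["CONTOSO\\Domain Users"],
                                 "auth": "MS-CHAP-v2"}

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("weak auth", WEAK_AUTH_REQUEST),
                       ("not in group", NOT_IN_GROUP_REQUEST)):
        d = authorize(req, contoso_policies(), DIALIN_NPS)
        print(f"{label:13} access={d.access} policy={d.policy!r} reason={d.reason}")
    # Ordering matters: with the catch-all policy first, even the good request is denied.
    print("reversed order:", authorize(GOOD_REQUEST, contoso_policies()[::-1], DIALIN_NPS).access)
```

Two behaviours are worth noticing when running this. The weak-authentication request is denied by the "Secure VPN" policy itself and never reaches the catch-all policy, because a failed constraint stops evaluation, whereas the request from a user outside the group falls through to the catch-all policy because a failed condition does not. Reversing the list denies every request, which is why Exercise 2 has you make sure the "Secure VPN" policy is first.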

Lab A: Implementing a Virtual Private Network

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
   Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lab Scenario
Contoso, Ltd. would like to implement a remote access solution for its employees, so they can connect to
the corporate network while away from the office. Contoso, Ltd. requires a network policy that mandates
that VPN connections are encrypted for security reasons. You are required to enable and configure the
necessary server services to facilitate this remote access.
For this project, you must complete the following tasks:

Configure Routing and Remote Access as a VPN remote access solution.

Configure a custom Network Policy.

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Scenario
In this exercise, you will install and configure the Network Policy and Access Services role to support the
requirements of the Contoso, Ltd. workforce.
The main tasks for this exercise are as follows:
1. Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
2. Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.
3. Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP
   connections.

Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
1. Switch to the NYC-EDGE1 virtual server.
2. Open Server Manager.
3. Add the Network Policy and Access Services role with the following role services:
   a. Network Policy Server
   b. Routing and Remote Access Services

Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for
Remote Access clients.
1. On NYC-EDGE1, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable
   Routing and Remote Access.
3. Use the following settings to configure the service:
   a. On the Configuration page, accept the defaults.
   b. On the Remote Access page, select the VPN check box.
   c. On the VPN Connection page, select the Public interface.
   d. On the IP Address Assignment page, select the From a specified range of addresses option.
   e. On the Address Range Assignment page, create an address pool with 75 entries with a start
      address of 10.10.0.60.
   f. On the Managing Multiple Remote Access Servers page, accept the defaults.
   g. Accept any messages by clicking OK.

Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25
L2TP connections.
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then
   right-click Ports, and then click Properties.
2. Use the following information to complete the configuration process:
   a. Number of WAN Miniport (SSTP) ports: 25
   b. Number of WAN Miniport (PPTP) ports: 25
   c. Number of WAN Miniport (L2TP) ports: 25
3. Click OK to confirm any prompts.
4. Close the Routing and Remote Access tool.

Results: At the end of this exercise, you enabled routing and remote access on the NYC-EDGE1 server.

Exercise 2: Configuring a Custom Network Policy


Scenario
In this exercise, you will create and verify a custom network policy in accordance with the requirements of
Contoso, Ltd. The requirements for this policy are:

Supported tunnel types: L2TP, PPTP

Supported authentication methods: MS-CHAP-v2 with strongest authentication

Constraints: Connections disallowed between 11 P.M. and 6 A.M. Monday through Friday

The main tasks for this exercise are as follows:
1. Open the Network Policy Server management tool on 6419B-NYC-EDGE1.
2. Create a new network policy for RRAS clients.
3. Create and test a VPN connection.

Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1.
1. Switch to the NYC-EDGE1 virtual computer.
2. Open the Network Policy Server tool.

Task 2: Create a new network policy for RRAS clients.
1. In the Network Policy Server console, create a new policy with the following settings:
   a. Name: Secure VPN.
   b. Type of network access server: Remote Access Server (VPN-Dial up).
   c. Conditions: Tunnel Type = L2TP, PPTP, SSTP.
   d. Access permission: Access granted.
   e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2).
   f. Constraints: Day and time restrictions = 11PM to 6AM Monday thru Friday Denied.
   g. Settings: Encryption = Strongest encryption (MPPE 128-bit).
2. Ensure that the Secure VPN policy is the first in the list of policies.
3. Close the Network Policy Server tool.

Task 3: Create and test a VPN connection.
1. Switch to the NYC-CL1 computer.
2. Open Network and Sharing Center.
3. Change the network adapter settings as follows:
   a. IP Address: 131.107.0.20
   b. Subnet mask: 255.255.255.0
   c. Default gateway: 131.107.0.1
4. Create a VPN with the following settings:
   a. Internet address to connect to: 131.107.0.2.
   b. Name: Contoso VPN.
5. Connect with the new VPN properties as follows:
   a. User name: Administrator
   b. Password: Pa$$w0rd
   c. Domain: Contoso
   Note: The VPN connects successfully.
6. Disconnect the VPN and close all open windows.

Results: In this exercise, you created and tested a VPN connection.

To prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lesson 3

Integrating Network Access Protection with VPNs

NAP enables you to create customized health-requirement policies to validate computer health before
allowing access or communication, as well as automatically update compliant computers to ensure
ongoing compliance and limit the access of noncompliant computers to a restricted network until they
become compliant.
NAP with VPN protection enables you to control access to your organization's private network based
upon the health status of the VPN client. It is important that you are able to configure NAP
appropriately if you wish to implement this protection.

Objectives
After completing this lesson, you will be able to:

Describe NAP.

Describe the advantages of using Network Access Protection with a VPN solution.

Describe the NAP client and server components.

Describe how NAP enforcement works for VPN connections.


What Is Network Access Protection?

Key Points
NAP for Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista provides
components and an application programming interface (API) that help you enforce compliance with your
organization's health-requirement policies for network access or communication.
NAP enables you to create solutions for validating computers that connect to your networks, as well as
provide needed updates or access to needed health update resources and limit the access or
communication of noncompliant computers.
You can integrate NAP's enforcement features with software from other vendors or with custom
programs. You can customize the health-maintenance solution that developers within your organization
may develop and deploy, whether for monitoring the computers accessing the network for health policy
compliance, automatically updating computers with software updates to meet health policy requirements,
or limiting the access of computers that do not meet health policy requirements to a restricted network.
Remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the
health of your organization's networked computers automatically, which in turn helps maintain your
network's overall integrity. For example, if a computer has all the software and configuration settings that
the health policy requires, the computer is compliant and will have unlimited network access; however,
NAP does not prevent an authorized user with a compliant computer from uploading a malicious
program to the network or engaging in other inappropriate behavior.

Aspects of NAP
NAP has three important and distinct aspects:

Health state validation. When a computer attempts to connect to the network, the computer's
health state is validated against the health-requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated, and the compliance state of each computer is logged for
analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies may
find their access limited to a restricted network.

Health policy compliance. You can help ensure compliance with health-requirement policies by
choosing to update noncompliant computers automatically with missing software updates or
configuration changes through management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers will have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically and you can define exceptions for computers that are not NAP compatible.

Limited access. You can protect your networks by limiting the access of noncompliant computers.
You can base limited network access on a specific amount of time or on what the noncompliant
computer can access. In the latter case, you define a restricted network containing health update
resources, and the limited access will last until the noncompliant computer comes into compliance.
You also can configure exceptions so that computers that are not compatible with NAP do not have
their network access limited.


Advantages of Implementing VPN Enforcement

Key Points
With NAP VPN enforcement, a computer must be compliant to obtain unlimited network access
through a remote access VPN connection. For noncompliant computers, network access is limited through
a set of IP packet filters that the VPN server applies to the VPN connection.
VPN enforcement enforces health policy requirements every time a computer attempts to obtain a
remote access VPN connection to the network. VPN enforcement also actively monitors the health status
of the NAP client and applies the restricted network's IP packet filters to the VPN connection if the client
becomes noncompliant.
The components of VPN enforcement are NPS in Windows Server 2008 R2 and a VPN enforcement client
(EC) that is part of the remote access client in Windows 7, Windows Vista, Windows XP Service Pack 3, and
Windows Server 2008 R2. VPN enforcement provides strong limited network access for all computers
accessing the network through a remote access VPN connection, because the VPN server, not the client,
applies the filters.


Components of a VPN Enforcement Solution

Key Points
The components of a VPN enforcement solution consist of the following:

NAP clients. Computers that support the NAP platform for system health-validated network access
or communication.

NAP enforcement points. Computers or network-access devices that use NAP, or that you can use
with NAP, to require evaluation of a NAP client's health state and to provide restricted network access or
communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to
evaluate the health state of NAP clients, to determine whether network access or communication is
allowed, and to determine the set of remediation actions that a noncompliant NAP client must perform.
NAP enforcement points include the following:

VPN server. This is a computer that runs Windows Server 2008 R2 and Routing and Remote
Access, and that enables VPN intranet connections via remote access.

DHCP server. This is a computer that runs Windows Server 2008 R2 and the DHCP Server service,
and that provides automatic IPv4 address configuration to intranet DHCP clients.

NAP health policy servers. These are computers that run Windows Server 2008 R2 and the NPS
service, and that store health-requirement policies and provide health-state validation for NAP. NPS is
the replacement for the Internet Authentication Service (IAS), the RADIUS server and proxy that
Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting
(AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS
typically runs on a separate server for centralized configuration of network access and health-requirement
policies. The NPS service also runs on Windows Server 2008 R2-based NAP enforcement points that do
not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the
NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Health requirement servers. These are computers that provide the current system health state for NAP
health policy servers. An example would be a health-requirement server for an antivirus program that
tracks the latest version of the antivirus signature file.


AD DS. This Windows directory service stores account credentials and properties and Group Policy
settings. Although not required for health-state validation, Active Directory is required for IPsec-protected
communications, 802.1X-authenticated connections, and remote access VPN connections.

Restricted network. This is a separate logical or physical network that contains:

Remediation servers. These are computers that contain health update resources that NAP
clients can access to remediate their noncompliant state. Examples include antivirus signature
distribution servers and software update servers.

NAP clients with limited access. These are computers placed on the restricted network when
they do not comply with health-requirement policies.


How VPN Enforcement Determines Remote Access

Key Points
VPN enforcement uses a set of remote-access IP packet filters to limit VPN client traffic so that it can
reach only the resources on the restricted network. The VPN server applies the IP packet filters to the IP
traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a
configured packet filter.
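As an added example (not code from the course or from Microsoft), the following Python models how the VPN server applies the remote-access IP packet filters described above: permit-only matching, with every non-matching packet silently discarded. The two filters are the ones the lab in this module later configures for its Noncompliant-Restricted policy, with 10.10.0.10 as the remediation server; the client address 10.10.0.200 and the 10.10.0.50 file server are constructed for the demonstration.

```python
import ipaddress

# Constructed for this example: the IP filters the lab's Noncompliant-Restricted
# network policy hands to the VPN server in the RADIUS Access-Accept, with
# 10.10.0.10 as the only remediation server on the restricted network.
RESTRICTED_FILTERS = [
    # input  = packets the VPN server receives from the VPN client
    {"direction": "input",  "match": "destination", "network": "10.10.0.10/255.255.255.255"},
    # output = packets the VPN server sends toward the VPN client
    {"direction": "output", "match": "source",      "network": "10.10.0.10/255.255.255.255"},
]


def address_in_network(addr, network):
    """network is written the way the NPS UI shows it: address/mask
    (a dotted mask or a prefix length both work)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


def vpn_server_forwards(direction, src, dst, filters):
    """Decide whether the VPN server forwards one packet on a VPN connection.

    No filters in the packet's direction: the connection is unlimited.
    Filters present: the packet must match at least one of them (permit-only
    semantics); anything else is silently discarded, so the client gets no
    ICMP error, the packet simply never arrives.
    """
    applicable = [f for f in filters if f["direction"] == direction]
    if not applicable:
        return True
    for f in applicable:
        candidate = dst if f["match"] == "destination" else src
        if address_in_network(candidate, f["network"]):
            return True
    return False


def classify_traffic(client_ip, filters, attempts):
    """Run a list of (direction, peer_ip) attempts for one VPN client and return
    a dict mapping each attempt to 'forwarded' or 'discarded'."""
    outcome = {}
    for direction, peer in attempts:
        if direction == "input":
            src, dst = client_ip, peer        # client -> intranet
        else:
            src, dst = peer, client_ip        # intranet -> client
        ok = vpn_server_forwards(direction, src, dst, filters)
        outcome[(direction, peer)] = "forwarded" if ok else "discarded"
    return outcome


if __name__ == "__main__":
    # Constructed sample: a noncompliant client holding VPN address 10.10.0.200
    attempts = [("input", "10.10.0.10"),    # fetch updates from the remediation server
                ("output", "10.10.0.10"),   # the remediation server's reply
                ("input", "10.10.0.50"),    # file server outside the restricted network
                ("output", "10.10.0.50")]
    for key, verdict in classify_traffic("10.10.0.200", RESTRICTED_FILTERS, attempts).items():
        print(key, verdict)
    # The same attempts on an unlimited (compliant) connection all go through
    print(classify_traffic("10.10.0.200", [], attempts))
```

Because the filters are permit-only, a restricted client can reach nothing that is not listed; a practical check when you build the filter set is to include every server remediation depends on (DNS, update and signature servers), or the client will never be able to come back into compliance.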

VPN Enforcement Process


The following process occurs when a NAP-capable VPN client connects to a NAP-capable VPN server:

1. VPN initiation. The VPN client initiates a connection to the VPN server. The VPN server requests that
the VPN client identify itself. The NAP enforcement client (EC) on the VPN client responds, providing
the VPN client's user name.

2. Request SSoH. The VPN server forwards this response to the NAP health policy server. The NAP health
policy server contacts the VPN client, and the two exchange a series of messages to negotiate a
secure session. The NAP health policy server then sends a System Statement of Health (SSoH) request to
the VPN client.

3. Generate SSoH. The VPN NAP EC on the client queries the local NAP Agent for the SSoH and passes
it to the NAP health policy server.

4. Authentication. The NAP health policy server requests that the VPN client authenticate itself, and the
VPN client authenticates itself to the NAP health policy server.

5. Generate SoHRs. The NPS service on the NAP health policy server passes the SSoH to the NAP
Administration Server component, which in turn passes each SoH to the appropriate System Health
Validator (SHV). Each SHV analyzes its SoH and returns a Statement of Health Response (SoHR) to the
NAP Administration Server, which passes the SoHRs to NPS.

6. Compare SoHRs with health policies. The NPS service compares the SoHRs with the configured
health policies, creates the System Statement of Health Response (SSoHR), and sends the SSoHR to the
VPN client.

7. Determine access. The NPS service sends a RADIUS Access-Accept message to the VPN server:

If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP
packet filters that limit the VPN client to the restricted network.

If the VPN connection is unlimited, the RADIUS Access-Accept message does not contain IP
packet filters to limit network access. After the VPN connection completes, the NAP client has
unlimited network access.

8. Complete connection. The VPN client and VPN server complete the VPN connection.

If the VPN client is noncompliant, the VPN connection has the packet filters applied, and the VPN client
can reach only the resources on the restricted network.

Lesson 4

Configuring VPN Enforcement Using NAP

To ensure the correct configuration of VPN enforcement with NAP, you must understand which
components you must deploy and how to configure the required settings.

Objectives
After completing this lesson, you will be able to:

Configure a VPN server to support NAP.

Describe how System Health Validators are used to define requirements.

Describe how Health Policies are used to designate configuration requirements.

Describe the concept of Remediation servers.

Describe general configuration settings for the NAP components.

Configure NAP policies for VPN enforcement.

Configure client settings to support NAP for VPN access.

What Is a System Health Validator?

Key Points
SHAs and SHVs, which are NAP infrastructure components, provide health-state tracking and validation.
Windows 7 includes a Windows Security Health Agent (SHA) that monitors the Windows Security Center
settings. Windows Server 2008 R2 includes the corresponding Windows Security Health Validator (SHV).
NAP is designed to be flexible and extensible, and interoperates with any vendor's software that provides
SHAs and SHVs that use the NAP API.
An SHV receives a SoH from the NAP Administration Server and compares the system health status
information in the SoH with the required system health state. For example, if the SoH is from an antivirus
SHA and contains the last virus-signature file version number, the corresponding antivirus SHV can check
with the antivirus health requirement server for the latest version number to validate the NAP client's SoH.
The SHV returns a SoHR to the NAP Administration Server. The SoHR can contain information about how
the corresponding SHA on the NAP client can meet current system-health requirements. For example, the
SoHR that the antivirus SHV sends could instruct the NAP client's antivirus SHA to request the latest
version of the antivirus signature file from a specific antivirus signature server, identified by name or
IP address.


What Is a Health Policy?

Key Points
Health policies consist of one or more SHVs and other settings that allow you to define client-computer
configuration requirements for the NAP-capable computers that attempt to connect to your network.
When NAP-capable clients attempt to connect to the network, the client computer sends a SoH to the
NPS. The SoH is a report of the client configuration state, and NPS compares the SoH with the
requirements that the health policy defines. If the client configuration state does not match the
requirements that the health policy defines, NPS takes one of the following actions, depending on the
NAP configuration:

It rejects the connection request.

It places the NAP client on a restricted network where it can receive updates from remediation servers
that bring the client into compliance with health policy. After the NAP client achieves compliance,
NPS enables it to connect.

It allows the NAP client to connect to the network despite its noncompliance with health policy.

You can define NPS client-health policies by adding one or more SHVs to the health policy.
After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition
of a network policy that you want to use to enforce NAP when client computers attempt connection to
your network.
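The health-policy evaluation just described, together with the VPN enforcement process from the previous topic (SSoH in, SoHRs out, then a RADIUS Access-Accept with or without IP filters), as an added Python illustration. This is example code, not NPS code and not part of the course. The SHV, health policy and network policy names and the 10.10.0.10 remediation server follow this module's lab; the antivirus SHA/SHV pair and its signature version numbers, the Non-NAP-Capable policy, and the SoH attribute names are assumptions made for the example.

```python
# Model of the decision NPS makes on a NAP health policy server for one VPN
# connection. Added illustration; names follow the lab in this module, the
# antivirus SHA/SHV, its version numbers and the SoH attribute names are assumed.

# --- System Health Validators (server side). Each receives the SoH that its SHA
# produced on the client and returns a Statement of Health Response (SoHR).

def windows_security_shv(soh):
    """Lab configuration of the Windows Security Health Validator: only the
    'A firewall is enabled for all network connections' check is turned on."""
    ok = bool(soh.get("firewall_enabled_all_connections"))
    return {"shv": "Windows Security Health Validator", "compliant": ok,
            "remediation": None if ok else "enable Windows Firewall on all connections"}

LATEST_SIGNATURE = 1200   # assumed value a health requirement server would report

def antivirus_shv(soh):
    """Hypothetical third-party SHV: compares the signature version in the SoH
    with the current one obtained from its health requirement server."""
    ok = soh.get("signature_version", 0) >= LATEST_SIGNATURE
    return {"shv": "Antivirus SHV", "compliant": ok,
            "remediation": None if ok else
            "download signature file %d from 10.10.0.10" % LATEST_SIGNATURE}

# SHA name, as carried in the SSoH  ->  the SHV that validates that SoH
SHVS = {"Windows Security Health Agent": windows_security_shv,
        "Antivirus SHA": antivirus_shv}

# --- Health policies: which SHVs count, and whether the client must pass all of
# them or fail at least one. Only the Windows SHV is listed, as in the lab.
HEALTH_POLICIES = {
    "Compliant":    ("pass_all", ["Windows Security Health Validator"]),
    "Noncompliant": ("fail_any", ["Windows Security Health Validator"]),
}

# --- Network policies in processing order; the first match wins.
RESTRICTED_FILTERS = [
    {"direction": "input",  "match": "destination", "network": "10.10.0.10/255.255.255.255"},
    {"direction": "output", "match": "source",      "network": "10.10.0.10/255.255.255.255"},
]
NETWORK_POLICIES = [
    {"name": "Compliant-Full-Access",   "condition": ("health_policy", "Compliant"),
     "enforcement": "full",    "filters": []},
    {"name": "Noncompliant-Restricted", "condition": ("health_policy", "Noncompliant"),
     "enforcement": "limited", "filters": RESTRICTED_FILTERS},
    # Assumed: the lab defines no such policy; restricting non-NAP-capable
    # clients is one of the two options the module describes.
    {"name": "Non-NAP-Capable",         "condition": ("nap_capable", False),
     "enforcement": "limited", "filters": RESTRICTED_FILTERS},
]


def validate_ssoh(ssoh):
    """Step 5: the NAP Administration Server hands each SoH to its SHV and
    collects the SoHRs. SoHs from SHAs with no matching SHV are ignored."""
    return [SHVS[sha](soh) for sha, soh in ssoh.items() if sha in SHVS]


def health_policy_matches(name, sohrs):
    """Step 6: evaluate one health policy over the SoHRs of the SHVs it lists."""
    mode, shvs = HEALTH_POLICIES[name]
    verdicts = [r["compliant"] for r in sohrs if r["shv"] in shvs]
    if mode == "pass_all":
        return bool(verdicts) and all(verdicts)
    return any(not v for v in verdicts)


def decide_access(ssoh):
    """Steps 5-7: return the RADIUS result NPS would send to the VPN server.

    ssoh is a dict {sha_name: soh_attributes}. None means the client sent no
    SSoH at all (no NAP enforcement client), i.e. it is not NAP-capable.
    """
    nap_capable = ssoh is not None
    sohrs = validate_ssoh(ssoh) if nap_capable else []
    for policy in NETWORK_POLICIES:
        kind, value = policy["condition"]
        if kind == "health_policy":
            hit = nap_capable and health_policy_matches(value, sohrs)
        else:
            hit = (nap_capable == value)
        if hit:
            # 'Access granted' on every policy: even the noncompliant client gets
            # an Access-Accept; the restriction lives in the attached IP filters.
            return {"result": "Access-Accept", "policy": policy["name"],
                    "nap_enforcement": policy["enforcement"],
                    "ip_filters": policy["filters"], "ssohr": sohrs}
    return {"result": "Access-Reject", "policy": None, "ssohr": sohrs}


if __name__ == "__main__":
    # Constructed SSoHs for three clients
    compliant = {"Windows Security Health Agent": {"firewall_enabled_all_connections": True}}
    noncompliant = {"Windows Security Health Agent": {"firewall_enabled_all_connections": False},
                    "Antivirus SHA": {"signature_version": 900}}
    for label, ssoh in [("compliant", compliant), ("noncompliant", noncompliant),
                        ("non-NAP-capable", None)]:
        print(label, decide_access(ssoh))
```

Two things the run shows that the text only states: the noncompliant client still receives an Access-Accept, with the restriction carried entirely in the attached filters, and the antivirus SoHR is computed but changes nothing because the health policies list only the Windows SHV. Real NPS additionally handles an SHV that receives no SoH through its configurable error-code settings; this model simply treats such a client as matching neither health policy, which ends in Access-Reject.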


What Is a Remediation Server Group?

Key Points
A remediation server group is a list of restricted network servers that provide resources that bring
noncompliant NAP-capable clients into compliance with your defined client health policy.
A remediation server hosts the updates that the NAP Agent can use to bring noncompliant client computers
into compliance with the health policy defined on NPS. For example, a remediation server can host antivirus
signatures. If health policy requires that client computers have the latest antivirus definitions, the
following work together to update noncompliant computers: an antivirus SHA, an antivirus SHV, an
antivirus policy server, and the remediation server.


Overview of VPN NAP Enforcement Configuration

Key Points
To correctly establish VPN NAP enforcement, you must complete the following high-level configuration
tasks.

NAP Health Policy Server


You must define the following on the NAP health policy server:

RADIUS clients. If you deployed Routing and Remote Access on a separate server computer, you
must configure the NAP VPN server as a RADIUS client in NPS.

Connection request policy. Configure the following settings:

Source is set to remote access server.

Policy is configured to authenticate requests on this server.

Override network policy authentication settings is selected

Protected Extensible Authentication Protocol (PEAP) is configured to enable health checks and
allow secure password or certificate-based authentication.

Network policies. Configure the following settings:

Source is set to remote access server.

Compliant, noncompliant, and non-NAP-capable policies are set to grant access.

Compliant network policy conditions are set to require the client to match compliant health
policy.

Noncompliant network policy conditions are set to require the client to match noncompliant
health policy.

Non-NAP-capable network policy conditions are set to require the client is not NAP-capable.


Access settings: Full access is granted for compliant computers. In full enforcement mode, limited
access is granted for noncompliant computers. Either full or limited access is granted for
non-NAP-capable computers. If remediation server groups are not used, IP filters are configured in
noncompliant policy settings and, optionally, in non-NAP-capable policy settings to provide
restricted access.

Health policies. Configure the following settings:

Compliant health policy is set to pass selected SHVs.

Noncompliant policy is set to fail selected SHVs.

System health validators. Error codes are configured, and depending on the SHV, health checks are
configured on the NAP health policy server or the health requirement server.

Remediation server groups. Remediation server groups are required if IP filters are not used to
configure restricted access settings.

NAP VPN Server


You must define the following on the NAP VPN server:

Authentication provider. If the NAP VPN server and the NAP health policy server are on different
computers, you must configure the NAP VPN server for RADIUS authentication by using the NAP
health policy server.

Authentication methods. Configure the NAP VPN server to allow the PEAP authentication method.

Client address assignment. Choose whether to assign VPN clients an IPv4 address by using DHCP or
a static address pool.

VPN NAP-Enabled Client Computer


You must define the following settings on a VPN NAP-enabled client computer:

NAP Agent service. You can start the NAP Agent service by using either Group Policy or local policy
settings.

VPN connection. You must configure a VPN connection on each client computer. You must
configure logon security settings to use Protected Extensible Authentication Protocol (PEAP) with
either MSCHAP v2 or certificate-based authentication.

Quarantine checks. When configuring client PEAP properties in the advanced security settings of the
VPN connection, you must select the Enable Quarantine checks check box.

Remote access enforcement client. You can enable the remote access enforcement client with
either Group Policy or local policy settings.


Demonstration: How to Configure NAP for VPN Enforcement

Key Points
In this demonstration, you will see how to:

Configure the NPS role for NAP.

Create VPN NAP policies.

Configure VPN enforcement on the NPS server.

Demonstration Steps:
1. Install the required certificate on the VPN server.
2. Configure the NPS server as a health policy server.
3. Configure System Health Validators.
4. Configure Health Policies.
5. Configure Network Policies.


Client Settings to Support NAP

Key Points
You should remember these basic guidelines when you configure NAP clients:

Some NAP deployments that use the Windows Security Health Validator require that you enable Security
Center. For example, both Windows Vista and Windows XP with SP3 require Security Center to be
enabled.

The Network Access Protection Agent service is required when you deploy NAP to NAP-capable client
computers. By default, this service is not started.

You also must configure the NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy


You can use this procedure to enable Security Center on NAP-capable clients by using Group Policy. Some
NAP deployments that use the Windows Security Health Validator require Security Center.
Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise
Admins group, or the Administrators group on the local computer.
To enable Security Center in Group Policy:
1. Click Start, click Run, type mmc, and then press ENTER. On the File menu, click Add/Remove Snap-in,
click Group Policy Object Editor, and then click Add.
2. In the Select Group Policy Object dialog box, click Finish, and then click OK.
3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration,
double-click Administrative Templates, double-click Windows Components, and then double-click
Security Center.
4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
This procedure edits local policy on one computer. To apply the setting to all NAP clients, configure the
same setting in a domain Group Policy object linked to the organizational unit that contains them.


Enable the Network Access Protection Service on Clients


You can use this procedure to enable and configure the Network Access Protection Agent service on
NAP-capable client computers. When you deploy NAP, enabling this service is required.
Note: To complete this procedure, you must be a member of the Domain Admins group, the
Enterprise Admins group, or the Administrators group on the local computer.
To enable the Network Access Protection Agent service on client computers:
1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then
double-click Services.
2. In the services list, scroll down, and double-click Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup type to
Automatic, and then click Apply.
4. Click Start to start the service, and then click OK.

Enable and Disable NAP Enforcement Clients


You can use this procedure to enable or disable one or more NAP enforcement clients on NAP-capable
computers, including the DHCP Enforcement Client, the Remote Access Enforcement Client, the
EAP Enforcement Client, the IPsec Enforcement Client, and the TS Gateway Enforcement Client. For VPN
enforcement, the Remote Access Enforcement Client must be enabled.
To enable and disable NAP Enforcement Clients:
1. Open the NAP client configuration console. To do this, click Start, click All Programs, click
Accessories, click Run, type NAPCLCFG.MSC, and then click OK.
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to
enable or disable, and then click Enable or Disable.

Note: To perform this procedure, you must be a member of the Administrators group on the local
computer, or you must have been delegated the appropriate authority. If the computer is joined to a
domain, members of the Domain Admins group might be able to perform this procedure. As a security
best practice, consider performing this procedure by using the Run as command.


Lab B: Implementing NAP into a VPN Remote Access Solution

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lab Scenario
Contoso, Ltd. is required to extend its virtual private network solution to include Network Access
Protection.
There have been a number of problems with users connecting to the Contoso network with a VPN from
their unmanaged home computers. It is important to ensure that these computers are in compliance with
Contoso health policies.
As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers
automatically into compliance. You will do this by using Network Policy Server, creating client compliance
policies, and configuring a NAP server to check the current health of computers.


For this project, you must complete the following tasks:

Configure NAP Server Components

Configure NAP for VPN clients


Exercise 1: Configuring NAP Components


Scenario
In this exercise, you will configure the required server-side components to support the Contoso, Ltd.
requirement.
The main tasks for this exercise are as follows:
1. Configure a computer certificate.
2. Configure NYC-EDGE1 with NPS functioning as a health policy server.
3. Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN
server.
4. Allow ping on NYC-EDGE1.

Task 1: Configure a computer certificate
1. Switch to the NYC-DC1 virtual server.
2. Open the Certification Authority tool.
3. From the Certificate Templates console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Close the Certification Authority tool.
Note: Granting Enroll to Authenticated Users is a lab shortcut. In production, scope the Enroll (and
Autoenroll) permission on the template to the group of computers that actually needs the certificate,
such as Domain Computers or a dedicated group for the VPN servers.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server


1. Switch to the NYC-EDGE1 computer. Create a management console by running mmc.exe.
2. Add the Certificates snap-in with the focus on the local computer account.
3. Navigate to the Personal certificate store and select Request New Certificate.
4. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.
5. Enroll the Computer certificate listed.
6. Close the console and do not save the console settings.
7. Using Server Manager, install the NPS server role with the following role services: Network Policy Server and Remote Access Service.
8. Open the Network Policy Server tool.
9. Under Network Access Protection, open Default Configuration for the Windows Security Health Validator.
10. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
11. Create a health policy with the following settings:
   a. Name: Compliant
   b. Client SHV checks: Client passes all SHV checks
   c. SHVs used in this health policy: Windows Security Health Validator
12. Create a health policy with the following settings:
   a. Name: Noncompliant
   b. Client SHV checks: Client fails one or more SHV checks
   c. SHVs used in this health policy: Windows Security Health Validator
13. Disable all existing network policies.
14. Configure a new network policy with the following settings:
   a. Name: Compliant-Full-Access
   b. Conditions: Health Policies = Compliant
   c. Access permissions: Access granted
   d. Settings: NAP Enforcement = Allow full network access
15. Configure a new network policy with the following settings:
   a. Name: Noncompliant-Restricted
   b. Conditions: Health Policies = Noncompliant
   c. Access permissions: Access granted

   Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.

   d. Settings:
      i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected.
      ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
16. Disable existing connection request policies.
17. Create a new Connection Request Policy with the following settings:
   a. Policy name: VPN connections
   b. Type of network access server: Remote Access Server (VPN-Dial up)
   c. Conditions: Tunnel type = L2TP, SSTP, and PPTP
   d. Authenticate requests on this server = True
   e. Authentication methods:
      i. Select Override network policy authentication settings.
      ii. Add Microsoft: Protected EAP (PEAP).
      iii. Add Microsoft: Secured password (EAP-MSCHAP v2).
   f. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
18. Close the Network Policy Server console.
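The following is an added illustration, not part of the course lab: a small Python model of how the health policies and network policies created in steps 11 to 15 decide what a VPN client gets. It shows why both network policies can say Access granted and still differ in effect (the NAP Enforcement setting and the IP filters do the work). The check names, the ClientHealth type and the sample packets are constructed here; this code does not read NPS configuration.

```python
"""Added example, not part of the course lab: a model of how the NPS health
policies and network policies configured in Task 2 decide what a VPN client
gets. The check names, the ClientHealth type and the sample packets are
constructed here; NPS keeps these settings in its own configuration and this
code does not read it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Step 10: after clearing the other check boxes, the Windows Security Health
# Validator only requires that a firewall is enabled. Exercise 2 step 6 later
# adds the antivirus requirement; pass {"firewall", "antivirus"} to model that.
DEFAULT_SHV_CHECKS = frozenset({"firewall"})

# Step 15d.ii: a restricted client may only exchange traffic with this host
# (input filter on destination, output filter on source). 10.10.0.10 is the
# lab's internal server address from the exercise.
RESTRICTED_HOST = ip_network("10.10.0.10/255.255.255.255")


@dataclass(frozen=True)
class ClientHealth:
    name: str
    firewall: bool
    antivirus: bool

    def failed_checks(self, required=DEFAULT_SHV_CHECKS):
        """Return the enabled SHV checks this client does not satisfy."""
        state = {"firewall": self.firewall, "antivirus": self.antivirus}
        return frozenset(c for c in required if not state[c])


def health_policy(client, required=DEFAULT_SHV_CHECKS):
    """Steps 11 and 12: 'Compliant' matches when the client passes all SHV
    checks, 'Noncompliant' when it fails one or more."""
    return "Compliant" if not client.failed_checks(required) else "Noncompliant"


# Steps 14 and 15. Both policies say Access granted; only the NAP Enforcement
# setting and the IP filters differ, which is why "Access granted" alone does
# not give a noncompliant client full access.
NETWORK_POLICIES = {
    "Compliant": {"name": "Compliant-Full-Access", "access": "granted",
                  "enforcement": "full", "filters": None},
    "Noncompliant": {"name": "Noncompliant-Restricted", "access": "granted",
                     "enforcement": "limited", "filters": RESTRICTED_HOST,
                     "auto_remediation": False},
}


def match_network_policy(client, required=DEFAULT_SHV_CHECKS):
    """The condition 'Health Policies = <name>' selects the network policy."""
    return NETWORK_POLICIES[health_policy(client, required)]


def packet_permitted(policy, direction, src, dst):
    """Apply the policy's IPv4 filters to one packet as seen by the VPN server.

    direction 'input'  = packet arriving from the VPN client, checked against
                         the input filter (Destination network = 10.10.0.10/32)
    direction 'output' = packet going to the VPN client, checked against the
                         output filter (Source network = 10.10.0.10/32)
    A policy without filters (full access) permits everything.
    """
    if policy["filters"] is None:
        return True
    if direction == "input":
        return ip_address(dst) in policy["filters"]
    if direction == "output":
        return ip_address(src) in policy["filters"]
    raise ValueError(f"unknown direction {direction!r}")


def quarantine_state(policy):
    """What IPCONFIG /all reports on the client in Exercise 2: 'Not Restricted'
    for full access, 'Restricted' for limited access."""
    return "Not Restricted" if policy["enforcement"] == "full" else "Restricted"


if __name__ == "__main__":
    client = ClientHealth("NYC-CL1", firewall=True, antivirus=False)
    for required in (DEFAULT_SHV_CHECKS, frozenset({"firewall", "antivirus"})):
        pol = match_network_policy(client, required)
        print(sorted(required), "->", pol["name"], quarantine_state(pol))
```

Running the module shows the same firewall-only client moving from Compliant-Full-Access to Noncompliant-Restricted once the antivirus check is added, which is exactly the transition Exercise 2 tests.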

Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server

1. On NYC-EDGE1, open Routing and Remote Access.
2. Select Configure and Enable Routing and Remote Access.
3. Use the following settings to complete configuration:
   a. Select Remote access (dial-up or VPN).
   b. Select the VPN check box.
   c. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.
   d. IP Address Assignment: From a specified range of addresses:
      i. 10.10.0.100 to 10.10.0.110
   e. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.
4. In the Network Policy Server, click the Connection Request Policies node and disable Microsoft Routing and Remote Access Service Policy. This policy was created automatically when Routing and Remote Access was enabled.
5. Close the Network Policy Server management console and the Routing and Remote Access console.

Task 4: Allow ping on NYC-EDGE1

1. Open Windows Firewall with Advanced Security.
2. Create an Inbound Rule with the following properties:
   a. Type: Custom
   b. All programs
   c. Protocol type: Select ICMPv4 and then click Customize
      i. Specific ICMP types: Echo Request
   d. Default scope
   e. Action: Allow the connection
   f. Default profile
   g. Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.

Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.


Exercise 2: Configuring Client Settings to support NAP


Scenario
In this exercise, you will implement a VPN on NYC-CL1 and test the computer's health against the NAP configuration you previously created.
The main tasks for this exercise are as follows:
1. Configure Security Center
2. Enable client NAP enforcement
3. Move the client to the Internet
4. Create a VPN on NYC-CL1

Task 1: Configure Security Center.


1. Switch to the NYC-CL1 computer.
2. Open the Local Group Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.
3. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement.


1. Run the NAP Client Configuration tool (napclcfg.msc).
2. Under Enforcement Clients, enable EAP Quarantine Enforcement Client.
3. Close the NAP Client Configuration tool.
4. Run services.msc and configure the Network Access Protection Agent service for automatic startup.
5. Start the service.
6. Close the Services console.

Task 3: Move the client to the Internet.


1. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection Internet Protocol Version 4 (TCP/IPv4) settings:
   a. IP address: 131.107.0.20
   b. Subnet mask: 255.255.255.0
   c. Default gateway: blank
   d. Preferred DNS server: blank
2. Verify that you can successfully ping 131.107.0.2.

Task 4: Create a VPN on NYC-CL1.


1. Create a new VPN connection with the following properties:
   a. Internet address to connect to: 131.107.0.2
   b. Destination name: Contoso VPN
   c. Allow other people to use this connection: True
   d. User name: Administrator
   e. Password: Pa$$word
   f. Domain: CONTOSO
2. After you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN:
   a. Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).
   b. Properties of this authentication type:
      i. Validate server certificate: true
      ii. Connect to these servers: false
      iii. Authentication method: Secured password (EAP-MSCHAP v2)
      iv. Enable Fast Reconnect: false
      v. Enforce Network Access Protection: true
3. Test the VPN connection:
   a. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect.
   b. In the Connect Contoso VPN window, click Connect.
   c. View the details of the Windows Security Alert. Ensure that the correct certificate information is displayed and then click Connect.
4. Verify that your computer meets the health requirements of the NAP policy:
   a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
   b. Ping 10.10.0.10.
5. Disconnect the Contoso VPN.
6. Configure Windows Security Health Validator to require an antivirus application:
   a. Switch to NYC-EDGE1 and open Network Policy Server.
   b. Modify the Default Configuration of the Windows Security Health Validator so that the An antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.
7. Switch back to NYC-CL1 and reconnect the VPN.
8. Verify that your computer does not meet the health requirements of the NAP policy:
   a. Verify that a message is displayed in the Action Center that states that the computer doesn't meet security standards.
   b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
9. Disconnect the VPN.


Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement
policy for Contoso.

To prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.


Lesson 5

Overview of DirectAccess

Organizations often rely on VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections are easy to configure and are supported by different clients. However, a VPN connection must first be established, and it may require additional configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire corporate network. Moreover, organizations cannot effectively manage remote computers over VPN connections. To overcome such limitations of VPN connections, organizations can implement DirectAccess, available in Windows Server 2008 R2 and Windows 7, to provide a seamless connection between the internal network and the remote computer whenever there is Internet connectivity. Using DirectAccess, organizations can easily manage remote computers.

Objectives
After completing this lesson, you will be able to:

• Discuss challenges of typical VPN connections.
• Describe the features and benefits of DirectAccess.
• Describe the components required to implement DirectAccess.
• Describe the use of the Name Resolution Policy Table.
• Describe how DirectAccess works for internally connected clients.
• Describe how DirectAccess works for externally connected clients.
• Describe how a DirectAccess client determines its location.
• Describe how to configure DirectAccess.


Discussion: Challenges of VPN Connections

Key Points
What are some of the challenges you face when implementing VPNs?


What Is DirectAccess?

Key Points
Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless remote access to intranet resources without first establishing a VPN connection. DirectAccess also gives internal users and remote users the same seamless connectivity to the application infrastructure.
Unlike VPNs, which require user intervention to initiate a connection to an intranet, DirectAccess enables any application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.
Organizations benefit from DirectAccess because remote computers can be managed as if they were local computers, using the same management and update servers, to ensure they are always up to date and in compliance with security and system health policies. You can also define more detailed access control policies for remote access than you can in VPN solutions.
DirectAccess is designed with the following benefits:

• Always-on connectivity. Whenever the user connects the client computer to the Internet, the client computer is also connected to the intranet. This connectivity enables remote client computers to access and update applications easily. It also makes intranet resources always available and enables users to connect to the corporate intranet from anywhere and at any time, thereby improving their productivity and performance.

• Seamless connectivity. DirectAccess provides a consistent connectivity experience regardless of whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and process. This consistency can reduce training costs for users and result in fewer support incidents.

• Bidirectional access. DirectAccess can be configured so that DirectAccess clients not only have access to intranet resources, but the intranet also has access to those DirectAccess clients. Therefore, DirectAccess can be bidirectional so that DirectAccess users have access to intranet resources, and you can have access to DirectAccess clients when they are connecting over a public network. This ensures that the client computers are always updated with recent security patches, the domain Group Policy is enforced, and there is no difference whether users are on the corporate intranet or on the public network.
  This bidirectional access also results in:
  • Decreased update time.
  • Increased security.
  • Decreased update miss rate.
  • Improved compliance monitoring.

• Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control which remote users can access specified resources. IPsec encryption is used to protect DirectAccess traffic so that users can be sure that their communication is safe. You can use a granular policy to define who can use DirectAccess and from where.

• Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.


DirectAccess Infrastructure Components

Key Points
To deploy and configure DirectAccess, your organization must support the following infrastructure
components.

DirectAccess Server
• The server must be joined to an Active Directory domain.
• The server must be running Windows Server 2008 R2.
• The server must have at least two physical network adapters installed, one connected to the Internet and the other to the intranet.
• The server must have at least two consecutive static, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
• The server should not be placed behind a NAT.

On the DirectAccess server, you can install the DirectAccess Management Console feature by using Server Manager. You can use the DirectAccess Management Console to configure DirectAccess settings for the DirectAccess server and clients and to monitor the status of the DirectAccess server. You may need more than one DirectAccess server, depending on the deployment and scalability requirements.

DirectAccess Clients
To deploy DirectAccess, you also need to ensure that the client meets certain requirements:
• The client should be joined to an Active Directory domain.
• The client should be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2.
• The client must have a relevant computer certificate with which to identify itself.


Note: You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or
other earlier versions of Windows operating systems.

DirectAccess Servers
Generally installed in the perimeter network, these servers provide intranet connectivity for DirectAccess
clients on the Internet.

Network Location Server

DirectAccess clients use the network location server (NLS) to determine their location. If the client can connect to the NLS with HTTPS, the client assumes it is on the intranet and disables the DirectAccess components. If the NLS cannot be contacted, the client assumes it is on the Internet. The NLS is installed with the Web Server role.

Active Directory Domain

You must deploy at least one Active Directory domain with at least one Windows Server 2008 R2-based or Windows Server 2008-based domain controller, though it is not necessary to raise the domain or forest functional levels to Windows Server 2008 R2.

PKI
You must implement a PKI to issue computer certificates for authentication, and where desirable, health
certificates when using NAP. You need not implement public certificates.

Group Policy
Although not required, it is easier to use Group Policy to provide for centralized administration and
deployment of DirectAccess settings instead of relying on the Netsh command-line tool. The DirectAccess
Setup Wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

DNS Server
At least one running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix
(http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a third-party DNS
server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP).


What Is the Name Resolution Policy Table?

Key Points
To separate Internet traffic from intranet traffic for DirectAccess, Windows Server 2008 R2 and Windows 7 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS namespace, rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client's behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared with the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule.
If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS
servers configured in the TCP/IP settings for the specified network interface. For a remote client, the DNS
servers will typically be the Internet DNS servers configured through the Internet service provider (ISP).
For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers
configured through Dynamic Host Configuration Protocol (DHCP).
Single-label names, such as http://internal, will typically have the configured DNS search suffixes appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured and the single-label name does not match any other single-label name entry in the NRPT, the request will be sent to the DNS servers specified in the client's TCP/IP settings.
Namespaces, for example, internal.contoso.com, are entered into the NRPT, followed by the DNS servers
to which requests matching that namespace should be directed. If an IP address is entered for the DNS
server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need
not specify any additional security for such configurations. However, if a name is specified for the DNS
server, such as dns.contoso.com in the NRPT, the name must be publicly resolvable when the client
queries the DNS servers specified in its TCP/IP settings.


The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS servers for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.
Some names need to be treated differently with regard to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client's TCP/IP settings, you must add them as NRPT exemptions.
The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name resolution mechanism first tries the local name cache, second the hosts file, then the NRPT, and finally sends the query to the DNS servers specified in the TCP/IP settings.
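The following is an added illustration, not part of the course: a Python model of the resolution order just described (local cache, hosts file, NRPT, then the interface's DNS servers), including search-suffix handling for single-label names, NRPT exemptions, and the removal of DirectAccess rules that an intranet-connected client performs. The namespaces, server addresses and suffixes are constructed sample values, not Contoso's real configuration.

```python
"""Added example, not part of the course: a model of the DirectAccess client's
name resolution order (local cache, hosts file, NRPT, then the DNS servers from
the interface's TCP/IP settings), including DNS search suffixes for
single-label names and NRPT exemptions. Namespaces, server addresses and
suffixes below are constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NrptRule:
    namespace: str        # ".corp.contoso.com" covers the suffix; a bare FQDN is exact
    dns_servers: tuple    # empty tuple = exemption: resolve with the interface DNS servers

    def matches(self, fqdn):
        ns, name = self.namespace.lower(), fqdn.lower().rstrip(".")
        if ns.startswith("."):
            return name.endswith(ns) or name == ns[1:]
        return name == ns


@dataclass
class DnsClient:
    nrpt: list
    interface_dns: tuple                  # from TCP/IP settings (ISP or DHCP)
    search_suffixes: tuple = ()
    cache: dict = field(default_factory=dict)
    hosts: dict = field(default_factory=dict)

    def candidate_names(self, name):
        """Single-label names get each configured search suffix appended before
        the NRPT check; an FQDN (or a single label with no suffixes) is used as-is."""
        if "." in name or not self.search_suffixes:
            return [name]
        return [f"{name}.{suffix}" for suffix in self.search_suffixes]

    def nrpt_lookup(self, fqdn):
        """Return the most specific (longest namespace) matching rule, or None."""
        hits = [r for r in self.nrpt if r.matches(fqdn)]
        return max(hits, key=lambda r: len(r.namespace), default=None)

    def resolve(self, name):
        """Return (source, value): 'cache' and 'hosts' carry the stored address;
        'nrpt', 'nrpt-exemption' and 'interface' carry the DNS servers that
        receive the query."""
        key = name.lower()
        if key in self.cache:
            return ("cache", self.cache[key])
        if key in self.hosts:
            return ("hosts", self.hosts[key])
        for fqdn in self.candidate_names(name):
            rule = self.nrpt_lookup(fqdn)
            if rule is None:
                continue
            if not rule.dns_servers:
                return ("nrpt-exemption", self.interface_dns)
            return ("nrpt", rule.dns_servers)
        return ("interface", self.interface_dns)

    def remove_directaccess_rules(self):
        """What an intranet-connected client does after reaching the network
        location server: with no DirectAccess rules left, every query goes to
        the interface DNS servers."""
        self.nrpt = []


# Constructed sample configuration: the intranet namespace is sent to an
# intranet DNS server (IPv6 address, reached over the DirectAccess connection),
# the network location server is exempted, and the ISP resolver is on the
# interface. Both addresses come from documentation ranges.
INTRANET_DNS = ("2001:db8:10::53",)
ISP_DNS = ("203.0.113.53",)
SAMPLE_RULES = [
    NrptRule(".corp.contoso.com", INTRANET_DNS),
    NrptRule("nls.corp.contoso.com", ()),          # exemption for the NLS
]


def sample_client(suffixes=("corp.contoso.com",)):
    return DnsClient(list(SAMPLE_RULES), ISP_DNS, suffixes,
                     hosts={"printer.corp.contoso.com": "2001:db8:10::9"})
```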


How DirectAccess Works for Internal Clients

Key Points
The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name.
2. The DirectAccess client accesses the HTTPS-based URL of the network location server, during which it obtains the certificate of the network location server.
3. Based on the Certificate Revocation List (CRL) Distribution Points field of the network location server's certificate, the DirectAccess client checks the CRL files at the CRL distribution point to determine whether the network location server's certificate has been revoked.
4. Based on an HTTP 200 Success response from the network location server URL (successful access, certificate authentication, and revocation check), the DirectAccess client removes the DirectAccess rules from the NRPT.
5. The DirectAccess client computer attempts to locate and log on to the AD DS domain using its computer account. Because there are no longer any DirectAccess rules in the NRPT, all DNS queries are sent to the interface-configured DNS servers (intranet DNS servers).
6. Based on the successful computer logon to the domain, the DirectAccess client assigns the Domain profile to the attached network. Because the DirectAccess connection security tunnel rules are scoped to the Public and Private profiles, they are removed from the list of active Connection Security rules.

The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). It can access intranet resources normally. It can also access Internet resources through normal means, such as a proxy server (not shown).


How DirectAccess Works for External Clients

Key Points
When a DirectAccess client starts, it assumes that it is not connected to the intranet. The NRPT has DirectAccess-based rules, and Connection Security rules for DirectAccess tunnels are active. Internet-connected DirectAccess clients use the following process to connect to intranet resources:

DirectAccess Client Attempts to Access the Network Location Server

1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally configured DNS server (an Internet-based DNS server). The Internet DNS server cannot resolve the name.
2. The DirectAccess client keeps the DirectAccess rules in the NRPT.
3. Because the network location server was not found, the DirectAccess client applies the Public or Private profile to the attached network.
4. The Connection Security tunnel rules for DirectAccess, scoped to the Public and Private profiles, remain.

The DirectAccess client has the NRPT rules and Connection Security rules to access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts to Locate a Domain Controller

After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the infrastructure tunnel to the DirectAccess server.
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS Client service constructs the DNS name query addressed to the IPv6 address of the intranet DNS server and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a Connection Security rule corresponding to the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its NTLM credentials.
4. The DirectAccess client sends the DNS name query through the infrastructure tunnel to the DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server, which responds. The DNS name query response is sent back to the DirectAccess server and back through the infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the infrastructure tunnel.

DirectAccess Client Attempts to Access Intranet Resources


The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of destinations for the infrastructure tunnel (such as an email server), the following occurs:
1. The application or process attempting to communicate constructs a message or payload and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address matches the Connection Security rule corresponding to the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resource, which responds. The response is sent back to the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Subsequent intranet access traffic, which does not match an intranet destination in the infrastructure tunnel Connection Security rule, goes through the intranet tunnel.

DirectAccess Client Attempts to Access Internet Resources

When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an
Internet Web server), the following occurs:

1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are
no matches. The DNS Client service constructs the DNS name query addressed to the IP address of an
interface-configured Internet DNS server and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall
outgoing rules or Connection Security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the Connection Security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.

4. The Internet DNS server responds with the IP address of the Internet resource.

5. The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules
or Connection Security rules for the packet.

6. Because the destination IP address of the packet does not match the Connection Security rules for
the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Subsequent Internet resource traffic, which does not match a destination in either the infrastructure
tunnel or intranet tunnel Connection Security rules, is sent and received normally.

How a DirectAccess Client Determines Its Location

Key Points
The following information describes how a DirectAccess client determines its network location.

Network Location Server

A network location server is an internal network server that hosts an HTTPS-based URL. DirectAccess
clients try to access a network location server URL to determine whether they are located on the intranet
or on the public network. The DirectAccess server can also be the network location server. The network
location server should be highly available, and the Web server on the network location server does not
have to be dedicated just to supporting DirectAccess clients.
It is critical that the network location server is available from each company location, because the
behavior of the DirectAccess client depends on the response from the network location server. Branch
locations may need a separate network location server at each branch location to ensure that the network
location server remains accessible even when there is a link failure between branches.

Intranet Detection
When a DirectAccess client experiences a significant network change event, such as a change in link status
or a new IP address, the DirectAccess client assumes that it is not on the intranet and uses DirectAccess
rules in the NRPT to determine the location to send DNS name queries. Then, the DirectAccess client
attempts to resolve the fully qualified domain name (FQDN) in the URL for the network location server.
Because the NRPT has active rules for DirectAccess, the FQDN should either match an exemption rule or
no rule in the NRPT, so that the DirectAccess client uses interface-configured DNS servers. If a DirectAccess
client is not on the intranet, it will not be able to successfully resolve the FQDN of the network location
server, and the name resolution will fail.
If the FQDN resolution is successful, the DirectAccess client attempts to connect to the network location
server. When the DirectAccess client successfully accesses the HTTPS-based URL of the network location
server, it determines that it is on the intranet. The DirectAccess client then removes the DirectAccess NRPT
rules from the active table and uses interface-configured DNS servers to resolve all names. If the
DirectAccess client cannot access the network location server or its FQDN resolution is not successful, the
DirectAccess client assumes that it is on the Internet and establishes a DirectAccess connection.
To reduce the traffic on the corporate network, DirectAccess separates intranet traffic from Internet traffic.
Most VPNs send all traffic, including traffic that is destined for the Internet, through the VPN, which
reduces both intranet and Internet access speed. DirectAccess does not reduce the Internet access speed,
because communications to the Internet do not have to travel to the corporate network and back to the
Internet.
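The following added example (not code from the course) models the client decisions described in this lesson: the NRPT lookup that decides which DNS servers a name query goes to, the Connection Security rule match that selects the infrastructure or intranet tunnel, and the network location check against the network location server. The NRPT rules, tunnel rules, names and addresses are constructed, the DNS and HTTPS steps are stand-in callables, and the location check rejects a policy in which the network location server's FQDN is not exempt, since the text requires that it match an exemption rule or no rule.

```python
"""Model of the DirectAccess client decisions described in this lesson.
Added example, not code from the course; all rules, names and addresses are
constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class NrptRule:
    namespace: str                      # ".corp.contoso.com" = suffix rule; no leading dot = exact FQDN
    exempt: bool = False                # exemption rule: use interface-configured DNS servers
    dns_servers: Tuple[str, ...] = ()   # DirectAccess DNS servers for a non-exempt rule


@dataclass(frozen=True)
class ConnectionSecurityRule:
    tunnel: str                     # "infrastructure" or "intranet"
    destinations: Tuple[str, ...]   # IPv6 prefixes the rule covers
    credentials: str                # what the client authenticates the tunnel with


# Constructed sample policy (not from the course).
DA_DNS = ("2001:db8:1::1",)         # DirectAccess server's intranet DNS address
NRPT = (
    NrptRule(".corp.contoso.com", dns_servers=DA_DNS),
    NrptRule("nls.corp.contoso.com", exempt=True),   # network location server exemption
)
TUNNELS = (
    ConnectionSecurityRule("infrastructure", ("2001:db8:1::1/128", "2001:db8:1::10/128"),
                           "computer certificate + NTLM"),
    ConnectionSecurityRule("intranet", ("2001:db8:1::/48",),
                           "computer certificate + user Kerberos"),
)


def nrpt_lookup(fqdn: str, rules=NRPT) -> Optional[Tuple[str, ...]]:
    """DNS servers a query for fqdn goes to, or None for the interface-configured
    servers (no rule, or an exemption). The longest matching namespace wins, so
    the NLS exemption beats the broader suffix rule that also contains it."""
    name = fqdn.lower().rstrip(".")
    best = None
    for rule in rules:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    if best is None or best.exempt:
        return None
    return best.dns_servers


def select_tunnel(destination: str, rules=TUNNELS) -> Optional[ConnectionSecurityRule]:
    """Match a destination against the tunnel rules. The most specific prefix
    wins, so a domain controller listed in the infrastructure rule uses that
    tunnel even though the intranet rule covers the whole intranet prefix."""
    addr = ip_address(destination)
    best, best_len = None, -1
    for rule in rules:
        for prefix in rule.destinations:
            net = ip_network(prefix)
            # An IPv4 Internet destination is never inside an IPv6 prefix, so
            # it matches no rule and the packet is sent normally.
            if addr in net and net.prefixlen > best_len:
                best, best_len = rule, net.prefixlen
    return best


def classify_traffic(fqdn: str, resolved_address: str) -> dict:
    """Both checks for one connection attempt: where the name query goes and
    which tunnel (if any) carries the packets to the resolved address."""
    tunnel = select_tunnel(resolved_address)
    return {"dns": "DirectAccess" if nrpt_lookup(fqdn) else "interface",
            "tunnel": tunnel.tunnel if tunnel else None,
            "credentials": tunnel.credentials if tunnel else None}


def determine_location(nls_fqdn: str, resolve: Callable[[str], bool],
                       https_ok: Callable[[str], bool], rules=NRPT) -> str:
    """Network location detection after a network change event. resolve() and
    https_ok() stand in for the DNS Client and the HTTPS request to the NLS."""
    if nrpt_lookup(nls_fqdn, rules) is not None:
        # The NLS name would be sent to DirectAccess DNS servers, so the client
        # could never conclude that it is on the intranet: reject the policy.
        raise ValueError("NLS FQDN must match an exemption rule or no NRPT rule")
    if not resolve(nls_fqdn):
        return "internet"    # resolution fails off the intranet: start DirectAccess
    return "intranet" if https_ok(nls_fqdn) else "internet"


if __name__ == "__main__":
    for fqdn, addr in (("dc1.corp.contoso.com", "2001:db8:1::10"),
                       ("mail.corp.contoso.com", "2001:db8:1::25"),
                       ("www.example.com", "203.0.113.80")):
        print(fqdn, classify_traffic(fqdn, addr))
    print(determine_location("nls.corp.contoso.com", lambda n: True, lambda n: True))
```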

Configuring DirectAccess

Key Points
To configure DirectAccess, you need to complete the following tasks.

Configure the AD DS domain controller and DNS

To prepare the AD DS and DNS environment, complete the following tasks:

1. Create a security group to hold computers that will be DirectAccess clients.

2. Create a DNS host record for the Network Location Server for intranet DirectAccess clients.

3. Create a DNS host record for the server that hosts the certificate revocation list in the intranet.

4. On your public DNS server, create a DNS host record for the host that will provide access to the
certificate revocation list for Internet-based DirectAccess clients.

Configure the PKI environment

To prepare the PKI environment, complete the following tasks:

1. Add and configure the Certificate Authority server role.

2. Configure the certificate revocation list distribution settings.

3. Publish the CRL to the designated intranet location.

4. Create the certificate template and configure security settings on the template so that Authenticated
Users can enroll for the certificate.

5. Distribute the computer certificates. You can use Group Policy to do this by enabling autoenrollment.

Configure the DirectAccess clients and test Intranet Access

To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:

1. Verify that DirectAccess clients have the computer certificate required for DirectAccess authentication;
this should have been distributed with Group Policy.

2. Verify that the client can connect to intranet resources.

Configure the DirectAccess server

To configure the DirectAccess server, complete the following tasks:

1. Install two network interface cards in the DirectAccess server.

2. Install the Web server role on the DirectAccess server.

3. Create a virtual directory to host the CRL.

4. Publish the CRL to the virtual directory.

5. Install the DirectAccess Management Console feature.

6. Run the DirectAccess Management wizard to configure DirectAccess.

Verify DirectAccess functionality


To verify the DirectAccess functionality, move DirectAccess clients to the Internet and verify connectivity
to intranet resources.

Module Review and Takeaways

Review Questions
1. Your organization wishes to implement a cost-effective solution that interconnects two branch offices
with your head office. How can you use VPNs in this scenario?

2. The IT manager in your organization is concerned about opening too many firewall ports to facilitate
remote access from users working from home via a VPN. How could you meet the expectations of
your remote users while allaying your manager's concerns?

3. You have a VPN server with two configured network policies. The first has a condition that grants
access to members of the Contoso group, to which everyone in your organization belongs, but has a
constraint of day and time restrictions for office hours only. The second policy has a condition of
membership of the Domain Admins group and no constraints. Why are administrators being refused
connections out of office hours and what can you do about it?

4. On a client computer, what steps must you perform to ensure that it can be assessed for health?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature | Description
DirectAccess | DirectAccess is a feature in the Windows 7 and Windows Server 2008 R2 operating systems that provides users with a seamless connection to their organization's private network from a computer with an Internet connection.
VPN Reconnect | Although DirectAccess can replace VPN connections as a preferred remote access solution for many organizations, smaller organizations may not meet the infrastructure requirements for DirectAccess. Consequently, Microsoft is improving VPN usability in Windows 7 with VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connectivity, automatically re-establishing a VPN when users temporarily lose their Internet connections. This is particularly useful for users who implement wireless broadband solutions.

Tools

Tool | Use for | Where to find it
Services.msc | Managing Windows services | Administrative Tools. Otherwise, launch from Run.
Gpedit.msc | Editing the Local Group Policy | Launch from Run.
Mmc.exe | Management Console creation and management | Launch from Run.
Gpupdate.exe | Managing group policy application | Run from command-line.
Napclcfg.msc | Manage client computer NAP enforcement settings | Launch from Run.

Module 7
Managing Active Directory Domain Services
Contents:
Lesson 1: Overview of the Active Directory Infrastructure 7-3
Lesson 2: Working with Active Directory Administration Tools 7-17
Lesson 3: Managing User Accounts 7-26
Lesson 4: Managing Computer Accounts 7-36
Lab A: Creating and Managing User and Computer Accounts 7-45
Lesson 5: Managing Groups 7-50
Lesson 6: Using Queries to Locate Objects in AD DS 7-63
Lab B: Managing Groups and Locating Objects in AD DS 7-68

Module Overview

Active Directory Domain Services (AD DS) and its related services form the foundation for enterprise
networks running Windows because they store information about the identities of users, computers, and
services; authenticate a user or computer; and provide a mechanism to access resources.
This module presents an overview of AD DS. You will review key concepts and directory services structure.
You will take a high-level look at the major components of AD DS and how they fit together. You will also
receive hands-on experience working with these components and their associated tools.

Objectives
After completing this module, you will be able to:

Understand the Active Directory infrastructure.

Work with Active Directory administration tools.

Manage user accounts.

Manage computer accounts.

Manage groups.

Use queries to locate objects in AD DS.

Lesson 1

Overview of the Active Directory Infrastructure

Your Active Directory infrastructure is what ties your entire Windows computing environment together. At
the core of this infrastructure is AD DS. It manages communication and authentication between users and
computers, stores information about who can access information stored on servers, and manages
information about network resources and application-specific data from directory-enabled applications.

Objectives
After completing this lesson, you will be able to:

Describe the components of AD DS.

Describe Active Directory partitions.

Describe Active Directory replication.

Describe Active Directory sites.

Describe domain and forest functional levels.

Describe operations master roles.

Manage operations master roles.

Components of Active Directory Domain Services

Key Points
Administrators can use AD DS to organize elements of a network, such as users, computers, and other
devices, into a hierarchical containment structure.
AD DS is not a physical entity in itself. It consists of several key components that work together to provide
Active Directory functionality to a Windows environment. The hierarchical containment structure includes
the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. All this
information is stored in the Active Directory database. A server that maintains a copy of this database for
the domain is called a domain controller.

Domain
Domains are the key building blocks of AD DS. They define boundaries within the Active Directory
infrastructure. A domain is a logical grouping of objects that share a common directory database and
domain namespace. This database contains information about users, groups, and computers that are part
of the domain, and information about shared resources such as printers and shared folders.
A domain namespace is typically defined by a domain name, such as Contoso.com. Any domain objects,
such as users, groups, or computers, created within the Contoso domain reside in the Contoso.com
namespace. For example, the Fully Qualified Domain Name (FQDN) for a server named NYC-SVR1 in the
Contoso domain would be NYC-SVR1.Contoso.com.

Domain Controller
A domain controller is a designated server that holds a copy of the Active Directory database. A computer
running the Windows Server 2008 operating system can be made a domain controller by executing
dcpromo.exe. Dcpromo.exe begins the AD DS installation Wizard and collects the information necessary
to promote the Windows Server 2008 server to a domain controller. After a computer is configured as a
domain controller, it maintains a copy of the Active Directory database and replicates the information in
the database back and forth to the other domain controllers in the domain.

Note: A domain should have at least two domain controllers. When a domain has at least two
domain controllers, redundant copies of AD DS are available in case one of the domain controllers
becomes unavailable.

Organizational Unit
OUs are used within AD DS to organize collections of Active Directory objects such as users, groups,
computers, and even other OUs. OUs act like containers within AD DS, allowing you to organize your
Active Directory objects in a logical way that makes it easier to administer and manage those objects.
For example, you may choose to create an OU for each department of your organization and place the
computers, users, groups, and printers belonging to those departments into their respective OUs.

Tree
Although domains are important building blocks for implementing Active Directory structures, only
domain trees bind those blocks together. Domain trees are logical groupings of domains.
Within the directory, the tree structure represents a hierarchy of domain objects, showing parent-child
relationships between the objects. The first domain created in the tree structure, or the root domain,
resides at the top of a logical domain tree diagram, and it is the parent of all other domains for that
particular domain tree. Other domains that you create in the domain tree are child domains.
Domain trees are typically created to reflect your organization's structure. Domains in a tree share a
contiguous namespace. The domain name of a child domain is related to the name of the parent domain.
For example, the Marketing.Contoso.com domain is a child of the Contoso.com domain. They share the
common domain namespace of Contoso.com.

Forest
Domain forests are logical groups of one or more domains or domain trees that are separate and
independent. Forests are used to create boundaries in and between organizations to control security,
replication and configuration of the Active Directory environment. As such, domain trees that are
members of a forest do not share a contiguous namespace. For example, the domain tree with a parent
domain of Contoso.com can be joined in a domain forest with another domain or domain tree,
Adatum.com. In this forest, both domains retain their preexisting domain namespace.

Global Catalog
Information regarding an Active Directory forest is stored in a distributed data repository called the global
catalog. The global catalog is stored on designated domain controllers in the forest and contains a
searchable partial representation of every object in the forest. The global catalog servers distribute the
global catalog data by using multi-master replication, where all global catalog servers are equal partners
in the replication process.

What Are Active Directory Partitions?

Key Points
AD DS information is stored within the directory database. This database is divided into a number of
directory partitions that contain AD DS information. Each directory partition, also called a naming context,
contains objects of a particular scope and purpose. There are four AD DS partitions, as follows:

Domain. The Domain partition contains all the objects stored in a domain, including users, groups,
computers, and Group Policy containers (GPCs).

Configuration. The Configuration partition contains objects that represent the logical structure of
the forest, including domains, as well as the physical topology, including sites, subnets, and services.

Schema. The Schema partition defines the object classes and their attributes for the entire directory.

Application. The Application partition is an optional partition that stores information about
applications in Active Directory.

Each domain controller maintains a copy, or replica, of several partitions. The Configuration is replicated
to every domain controller in the forest, as is the Schema. The Domain partition for a domain is replicated
to all domain controllers within a domain but not to domain controllers in other domains, so each domain
controller has at least three replicas: the Domain partition for its domain, Configuration, and Schema.

What Is Active Directory Replication?

Key Points
Replication is the transfer of changes between domain controllers. When you add a user or change a
user's password, for example, the change you make is committed to the directory by one domain
controller. That change must be communicated to all other domain controllers in the domain.
Replication is designed so that, in the end, each replica of a partition on a domain controller is consistent
with the replicas of that partition hosted on other domain controllers. Not all domain controllers will have
exactly the same information in their replicas at any one moment in time because changes are constantly
being made to the directory. However, Active Directory replication ensures that all changes to a partition
are transferred to all replicas of the partition. Active Directory replication balances accuracy (or integrity)
and consistency (called convergence) with performance (keeping replication traffic to a reasonable level).
This balancing act is described as loose coupling.
The following are the key characteristics of Active Directory replication:

Multimaster replication. Any domain controller can initiate and commit a change to Active
Directory.

Pull replication. A domain controller requests, or "pulls," changes from other domain controllers. As
you learn more about replication, it may become easy to forget this, because a DC notifies its
replication partners that it has changes to the directory, or a DC can poll its partners to see if they
have changes to the directory. But the changes themselves are, in the end, requested or "pulled" by
the target DC.

Store-and-forward replication. A domain controller can pull changes from one partner, and then
make those changes available to another partner. For example, domain controller B can pull changes
initiated by domain controller A. Then, domain controller C can pull the changes from domain
controller B.

Partitioning of the data store. Domain controllers in a domain host only the domain naming
context for their domain, which helps keep replication to a minimum, particularly in multidomain
forests. Other data, including application directory partitions and the partial attribute set (global
catalog), are not replicated to every domain controller in the forest, by default.

Automatic generation of an efficient and robust replication topology. By default, Active
Directory will configure an effective, two-way replication topology so that the loss of any one domain
controller does not impede replication. This topology is automatically updated as domain controllers
are added, removed, or moved between sites.

Attribute-level replication. When an attribute of an object is modified, only that attribute, and
minimal metadata that describes that attribute, is replicated. The entire object is not replicated,
except when the object is created.

Distinct control of intrasite replication (within a single site) and intersite replication (between
sites). Replication can be distinctly controlled in both these situations.

Collision detection and management. It is possible, although rare, that an attribute will have been
modified on two different domain controllers during a single replication window. In such an event,
the two changes will have to be reconciled. Active Directory has resolution algorithms that satisfy
almost every such situation.
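The following added example (not the course's own code) models several of the characteristics listed above at once: attribute-level stamps, pull and store-and-forward replication between three constructed domain controllers, and collision handling. It goes beyond the text in one respect: it assumes the stamp ordering AD DS uses to resolve an attribute collision (higher version wins, then the later originating time, then the higher originating DSA GUID); the DC names, GUIDs, integer clock and attribute values are constructed.

```python
"""Model of attribute-level, pull, store-and-forward replication and collision
handling between domain controllers. Added example, not code from the course;
DC names, GUIDs, the integer clock and all attribute values are constructed."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True, order=True)
class Stamp:
    # Field order is the comparison order assumed for AD DS conflict
    # resolution: version first, then originating time, then originating DSA GUID.
    version: int        # incremented by every originating write of the attribute
    origin_time: int    # time of the originating write
    origin_dsa: str     # GUID of the DC on which the write originated


@dataclass(frozen=True)
class AttributeValue:
    value: str
    stamp: Stamp


class DomainController:
    def __init__(self, name: str, guid: str) -> None:
        self.name, self.guid = name, guid
        # dn -> attribute -> value with stamp: this DC's replica of the partition
        self.objects: Dict[str, Dict[str, AttributeValue]] = {}
        self.attributes_received = 0    # attribute values that arrived by replication

    def originating_write(self, dn: str, attr: str, value: str, when: int) -> None:
        """A change committed on this DC (multimaster: any DC may do this)."""
        obj = self.objects.setdefault(dn, {})
        previous = obj.get(attr)
        version = previous.stamp.version + 1 if previous else 1
        obj[attr] = AttributeValue(value, Stamp(version, when, self.guid))

    def pull_from(self, partner: "DomainController") -> int:
        """Pull replication: take the partner's attribute values and keep, per
        attribute, whichever stamp wins. Unchanged attributes are not re-sent,
        and the originating stamp travels unchanged, so a change can be
        forwarded through an intermediate DC (store-and-forward)."""
        changed = 0
        for dn, attrs in partner.objects.items():
            mine = self.objects.setdefault(dn, {})
            for attr, theirs in attrs.items():
                current = mine.get(attr)
                if current is None or theirs.stamp > current.stamp:
                    mine[attr] = theirs
                    changed += 1
        self.attributes_received += changed
        return changed

    def get(self, dn: str, attr: str) -> AttributeValue:
        return self.objects[dn][attr]


def run_scenario() -> dict:
    """A user created on DC-A reaches DC-C via DC-B; then one attribute is
    changed on DC-A and DC-C inside a single replication window."""
    a, b, c = (DomainController(n, g) for n, g in
               (("DC-A", "guid-a"), ("DC-B", "guid-b"), ("DC-C", "guid-c")))
    user = "CN=Dan Park,OU=Sales,DC=contoso,DC=com"
    a.originating_write(user, "displayName", "Dan Park", when=100)
    a.originating_write(user, "telephoneNumber", "555-0100", when=100)
    b.pull_from(a)      # B receives both attributes from A
    c.pull_from(b)      # store-and-forward: C receives A's change from B
    # Collision: both replicas hold version 1, so both writes become version 2
    # at the same time; only the DSA GUID can break the tie, and "guid-c" wins.
    a.originating_write(user, "telephoneNumber", "555-0111", when=200)
    c.originating_write(user, "telephoneNumber", "555-0122", when=200)
    for target, source in ((b, a), (b, c), (a, b), (c, b)):
        target.pull_from(source)
    collision = a.get(user, "telephoneNumber")
    # Version beats time: a later write on B becomes version 3 and wins even
    # though B's clock (150) is behind the colliding writes (200).
    b.originating_write(user, "telephoneNumber", "555-0133", when=150)
    a.pull_from(b)
    c.pull_from(b)
    final = [dc.get(user, "telephoneNumber") for dc in (a, b, c)]
    return {
        "collision_value": collision.value,
        "collision_winner": collision.stamp.origin_dsa,
        "final_value": final[0].value,
        "final_version": final[0].stamp.version,
        "converged": len({v.stamp for v in final}) == 1,
        # displayName crossed the wire twice (A->B, B->C) and never again:
        # only the modified attribute replicates, not the whole object.
        "attributes_received_by_b": b.attributes_received,
        "attributes_received_by_c": c.attributes_received,
    }
```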

What Are Active Directory Sites?

Key Points
Active Directory sites are used to represent the physical structure of your network. AD DS uses information
about your network's physical structure, or topology, when performing certain processes.
When administrators describe their network infrastructure, they often mention how many sites comprise
their enterprise. To most administrators, a site is a physical location, such as an office or a city. Sites are
connected by links, or network links, that might be as basic as dial-up connections or as sophisticated as
fiber links. Together, the physical locations and links make up the network infrastructure.
AD DS represents the network infrastructure with objects called sites and site links, and although the
words are similar, these objects are not identical to the sites and links described by administrators.
You need to understand the properties and roles of sites in Active Directory to understand the subtle
distinction between Active Directory sites and network sites. Active Directory sites are objects stored in the
directory created by an administrator. An Active Directory site consists of one or more network subnets.
These sites are used to achieve two service management tasks:

Manage replication traffic

Facilitate service localization

Replication Traffic
AD DS assumes there are two types of networks within your enterprise, highly connected and less highly
connected. Conceptually, a change made to AD DS should replicate immediately to other domain
controllers within the highly connected network in which the change was made. However, you might not
want the change to replicate immediately over a slower, more expensive, or less reliable link to another
site. Instead, you might want to manage replication over less highly connected segments of your
enterprise to optimize performance, reduce costs, or manage bandwidth.

An Active Directory site represents a highly connected portion of your enterprise. When you define a site,
Active Directory replication within the site happens almost instantly. Replication between sites can be
scheduled and managed.

Service Localization
In a typical Active Directory environment, you have at least two domain controllers. In this configuration,
there are multiple domain controllers providing the same services of authentication and directory access.
If you have more than one network site, and if you place a domain controller in each, you want to
encourage clients to authenticate against the domain controller in their site. This is an example of service
localization.
Active Directory sites help localize services, including those provided by domain controllers. During logon,
Windows clients are automatically directed to a domain controller in their site. If a domain controller is
not available in their site, they are directed to a domain controller in another site, which will be able to
authenticate the client efficiently.
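The following added example (not code from the course) models the two service management tasks described above with a constructed topology: a client address is mapped to a site through that site's subnet objects by longest prefix match, domain controllers in the client's own site are preferred, and replication between two domain controllers is classified as intrasite or intersite. The sites, subnets and domain controller names are constructed.

```python
"""Model of how Active Directory sites localize services and separate intrasite
from intersite replication. Added example, not code from the course; the site
topology below is constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology: subnet object -> site, and domain controller -> site.
SUBNETS: Dict[str, str] = {
    "10.0.0.0/8": "NYC",            # head office claims the whole 10/8 range...
    "10.20.0.0/16": "Paris",        # ...except the more specific branch prefixes
    "10.20.50.0/24": "Paris-Lab",
    "2001:db8:30::/48": "Tokyo",
}
DOMAIN_CONTROLLERS: Dict[str, str] = {
    "NYC-DC1": "NYC", "NYC-DC2": "NYC", "PAR-DC1": "Paris", "TOK-DC1": "Tokyo",
}   # Paris-Lab has a subnet object but no domain controller of its own


def site_for_address(address: str, subnets=SUBNETS) -> Optional[str]:
    """Longest-prefix match over the subnet objects: 10.20.50.7 belongs to
    Paris-Lab although 10.20.0.0/16 and 10.0.0.0/8 also contain it. An address
    covered by no subnet object maps to no site."""
    ip = ip_address(address)
    best: Optional[Tuple[int, str]] = None
    for prefix, site in subnets.items():
        net = ip_network(prefix)
        # An IPv4 address is never inside an IPv6 prefix (and vice versa).
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def locate_domain_controllers(address: str, dcs=DOMAIN_CONTROLLERS,
                              subnets=SUBNETS) -> Tuple[Optional[str], List[str]]:
    """Service localization: domain controllers in the client's own site come
    first; if that site has none, or the client maps to no site at all, the
    client is directed to a domain controller in another site."""
    site = site_for_address(address, subnets)
    local = sorted(dc for dc, dc_site in dcs.items() if dc_site == site)
    return site, (local if local else sorted(dcs))


def replication_mode(dc1: str, dc2: str, dcs=DOMAIN_CONTROLLERS) -> str:
    """Intrasite replication happens almost immediately; intersite replication
    crosses a site link and can be scheduled and managed."""
    return "intrasite" if dcs[dc1] == dcs[dc2] else "intersite"


if __name__ == "__main__":
    for client in ("10.5.0.1", "10.20.1.9", "10.20.50.7", "2001:db8:30::a", "192.168.1.1"):
        print(client, locate_domain_controllers(client))
    print(replication_mode("NYC-DC1", "NYC-DC2"), replication_mode("NYC-DC1", "PAR-DC1"))
```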

Domain and Forest Functional Levels

Key Points
Within an Active Directory infrastructure, it is possible to have different versions of the Windows Server
operating system acting as domain controllers. Previous versions of Windows Server do not support some
of the new Active Directory components or data storage methods available in Windows Server 2008 and
Windows Server 2008 R2.
A domain functional level and forest functional level are two separate settings that determine the specific
functional aspects of AD DS that are enabled on domain controllers within the domain or forest.
For example, Windows Server 2008 R2 provides a new feature, the Active Directory Recycle Bin, which
allows for nondestructive deletions of Active Directory objects. However, if any of the domain controllers
in your forest are not running Windows Server 2008 R2, the Active Directory Recycle Bin functionality is
not recognized by any domain controller running a previous version of Windows Server. In this case, the
domain functional level is set to a level compatible with your existing domain controllers, and the Active
Directory Recycle Bin functionality is not available anywhere in the domain.

Domain Functional Levels


There are four domain functional levels available in Windows Server 2008 R2. The following levels govern the
functionality set on all domain controllers in the domain:

• Windows 2000 native
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2

Forest Functional Levels


The following are the four forest functional levels that define the functionality set for all domain
controllers and global catalog servers in the forest:

• Windows 2000 native
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2


Note: Domain and forest functional levels are only available on Windows Server versions that are at
least as recent as the functional level. For example, the Windows Server 2008 R2 domain functional
level is not available to a domain containing only Windows Server 2008 domain controllers.

Operations Master Roles

Key Points
In an Active Directory domain, all domain controllers are equivalent. They are all capable of writing to the
Active Directory database and replicating changes to other domain controllers. However, in the AD DS
multimaster replication topology, certain operations must be performed by only one system. In an Active
Directory domain, operations masters are domain controllers that perform a specific function within the
domain.

Forest-Wide Operations Master Roles


The schema master and the domain-naming master must be unique in the forest. Each role is performed
by only one domain controller in the entire forest.

Domain Naming Master Role


The domain naming master role is used when adding or removing domains in the forest. When you add or
remove a domain, the domain naming master must be accessible, or the operation will fail.

Schema Master Role


The domain controller holding the schema master role is responsible for making any changes to the
forest's schema. All other domain controllers hold read-only replicas of the schema. You should modify
the schema, or install applications that modify the schema, on the domain controller holding the schema
master role. Otherwise, the changes you request must be sent to the schema master to be written into the
schema.

Domain-Wide Operations Master Roles


Each domain maintains three single master operations: relative identifier (RID), infrastructure, and primary
domain controller (PDC) Emulator. Each role is performed by only one domain controller in the domain.

RID Master Role


The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals
such as users, groups, and computers. The SID of a security principal must be unique. Because any domain
controller can create accounts, and therefore, SIDs, a mechanism is necessary to ensure that the SIDs
generated by a DC are unique. Active Directory domain controllers generate SIDs by assigning a unique
RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain
controller in the domain. Therefore, each domain controller can be confident that the SIDs it generates
are unique.

Infrastructure Master Role


In a multi-domain environment, it is common for an object to reference objects in other domains. For
example, a group can include members from another domain. Its multivalued member attribute contains
the distinguished names of each member. If the member in the other domain is moved or renamed, the
infrastructure master of the group's domain updates the group's member attribute accordingly.

PDC Emulator Role


The PDC Emulator role performs multiple, crucial functions for a domain:

• Participates in special password update handling for the domain
  When a user's password is reset or changed, the domain controller that makes the change replicates
  the change immediately to the PDC emulator. This special replication ensures that the domain
  controllers know about the new password as quickly as possible.

• Manages Group Policy updates within a domain
  If a group policy object (GPO) is modified on two domain controllers at approximately the same time,
  there could be conflicts between the two versions that could not be reconciled as the GPO replicates.
  To avoid this situation, the PDC emulator acts as the focal point for all Group Policy changes.

• Provides a master time source for the domain
  Many Windows components and technologies rely on time stamps, so synchronizing time across all
  systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the
  entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root
  PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain's
  PDC emulator. All other domain members synchronize their time with their preferred domain
  controller.

• Acts as the domain master browser
  When you open Network in Windows, you see a list of workgroups and domains, and when you open
  a workgroup or domain, you see a list of computers. These two lists, called browse lists, are created by
  the Browser service. In each network segment, a master browser creates the browse list: the lists of
  workgroups, domains, and servers in that segment. The domain master browser serves to merge the
  lists of each master browser so that browse clients can retrieve a comprehensive browse list.

Guidelines for Placing Operations Master Roles

• Place the domain-level roles on a high-performance domain controller.
• Do not place the Infrastructure Master domain-level role on a global catalog server.
• Leave the two forest-level roles on a domain controller in the forest root domain.
• In the forest root domain, transfer the three domain-level roles from the first domain controller that
  you installed in the forest root domain to an additional domain controller that has a high-performance level.
• Adjust the workload of the PDC emulator, if necessary, by offloading non-AD DS roles to other servers.
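The following script is an added example, not part of the course: it reports every operations master role holder and checks the two guidelines above that can be verified automatically (forest-level roles in the forest root domain, infrastructure master not on a global catalog). It uses the Active Directory module for Windows PowerShell covered in Lesson 2 and assumes RSAT is installed and the account has read access to the forest.

```powershell
# Added example, not from the course: audit operations master placement
# against the guidelines above. Requires the Active Directory module
# (Windows Server 2008 R2 / RSAT) and read access to the forest. Reports only.
Import-Module ActiveDirectory

function Test-OperationsMasterPlacement {
    $findings = @()
    $forest = Get-ADForest

    # Guideline: leave the two forest-level roles in the forest root domain.
    # Each holder is asked to describe itself (-Server) so the lookup works
    # even when the holder sits in a different domain of the forest.
    $forestRoles = @(
        @{ Name = 'Schema master';        Holder = $forest.SchemaMaster },
        @{ Name = 'Domain naming master'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($role in $forestRoles) {
        $dc = Get-ADDomainController -Identity $role.Holder -Server $role.Holder
        if ($dc.Domain -ne $forest.RootDomain) {
            $findings += "$($role.Name) on $($role.Holder) is outside the forest root domain ($($forest.RootDomain))."
        }
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        Write-Host "Domain $domainName"
        Write-Host "  PDC emulator:          $($domain.PDCEmulator)"
        Write-Host "  RID master:            $($domain.RIDMaster)"
        Write-Host "  Infrastructure master: $($domain.InfrastructureMaster)"

        # Guideline: do not place the infrastructure master on a global catalog.
        # (Not stated in the course text, but a known fact: the rule only matters
        # while at least one DC in the domain is not a global catalog.)
        $nonGc = @(Get-ADDomainController -Filter * -Server $domainName |
                   Where-Object { -not $_.IsGlobalCatalog })
        $im = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
        if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
            $candidates = ($nonGc | ForEach-Object { $_.HostName }) -join ', '
            $findings += "Infrastructure master $($im.HostName) in $domainName is a global catalog server; transfer the role to one of: $candidates."
        }
    }

    if ($findings.Count -eq 0) { $findings += 'No placement issues found.' }
    return $findings
}

Test-OperationsMasterPlacement
```

The remaining guidelines (high-performance hardware, workload of the PDC emulator) need a judgement call, so the script only lists the holders for you to review.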

Demonstration: How to Manage Operations Master Roles

Key Points
In this demonstration, you will see how to:

• Transfer an operations master role to a different domain controller.
• Seize an operations master role.

Demonstration Steps
1. Open Active Directory Users and Computers.
2. Transfer the PDC Emulator role to NYC-DC2.
3. Seize the PDC Emulator role from NYC-DC2.
4. Close Active Directory Users and Computers.
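Steps 2 and 3 of the demonstration done from the Active Directory module for Windows PowerShell instead of the snap-in, as an added example that is not part of the course. NYC-DC2 is the domain controller named in the steps; the seizure target NYC-DC1 is an assumed name, and the account used is assumed to be a member of Domain Admins.

```powershell
# Added example, not from the course: transfer, then seize, the PDC Emulator
# role with the Active Directory module. Assumes NYC-DC2 is a domain controller
# in the current domain; NYC-DC1 as the seizure target is an assumed name.
Import-Module ActiveDirectory

function Get-PdcEmulator {
    # The role holder as the directory currently records it; used to verify each step.
    return (Get-ADDomain).PDCEmulator
}

Write-Host "PDC emulator before:         $(Get-PdcEmulator)"

# Step 2, transfer: the current holder and NYC-DC2 cooperate, so the role
# changes hands cleanly and the old holder knows it no longer owns the role.
Move-ADDirectoryServerOperationMasterRole -Identity 'NYC-DC2' `
    -OperationMasterRole PDCEmulator -Confirm:$false
Write-Host "PDC emulator after transfer: $(Get-PdcEmulator)"

# Step 3, seize: -Force lets AD DS assign the role to NYC-DC1 without the
# cooperation of NYC-DC2. The cmdlet still tries a normal transfer first and
# only seizes when that fails, so against a healthy NYC-DC2 this is a clean
# transfer. Seize only when the current holder is permanently unavailable.
Move-ADDirectoryServerOperationMasterRole -Identity 'NYC-DC1' `
    -OperationMasterRole PDCEmulator -Force -Confirm:$false
Write-Host "PDC emulator after seizure:  $(Get-PdcEmulator)"
```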

Lesson 2

Working with Active Directory Administration Tools

Most administrators first experience AD DS by opening Active Directory Users and Computers and
creating user, computer, or group objects within the OUs of a domain. While Active Directory Users and
Computers is a comprehensive tool, Windows Server 2008 contains several new tools that can make
administering a Windows Server a simpler and more efficient task. This lesson will introduce you to the tools
available to administer AD DS.

Objectives
After completing this lesson, you will be able to:

• Describe Active Directory Administration snap-ins.
• Describe the Active Directory Administrative Center.
• Manage Active Directory using management tools.
• Describe the Active Directory module for Windows PowerShell.

Overview of Active Directory Administration Snap-ins

Key Points
Most Active Directory administration is performed by using the following snap-ins and consoles:

• Active Directory Users and Computers. This snap-in manages most common day-to-day resources,
  including users, groups, computers, printers, and shared folders. This is likely to be the most heavily
  used snap-in for an Active Directory administrator.
• Active Directory Sites and Services. This snap-in manages replication, network topology, and related
  services.
• Active Directory Domains and Trusts. This snap-in configures and maintains trust relationships and the
  domain and forest functional level.
• Active Directory Schema. This snap-in examines and modifies the definition of Active Directory
  attributes and object classes. The schema is the "blueprint" for Active Directory. It is rarely viewed and
  even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.

Active Directory Administrative Center

Key Points
Note: The content in this topic applies only to Windows Server 2008 R2.
Windows Server 2008 R2 provides another option for managing AD DS objects. The Active Directory
Administrative Center provides a graphical user interface (GUI) built on Windows PowerShell. This
enhanced interface allows you to perform Active Directory object management by using task-oriented
navigation. Tasks that can be performed by using the Active Directory Administrative Center include:

• Creating and managing user, computer, and group accounts.
• Creating and managing organizational units.
• Connecting to and managing multiple domains within a single instance of the Active Directory
  Administrative Center.
• Searching and filtering Active Directory data by building queries.

Installation Requirements
The Active Directory Administrative Center can only be installed on computers running Windows Server
2008 R2 or Windows 7. You can install the Active Directory Administrative Center by any one of the
following methods:

• Install the AD DS server role through Server Manager.
• Promote a server to a domain controller by using Dcpromo.exe.
• Install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or a
  Windows 7 computer.

Note: The Active Directory Administrative Center relies on the Active Directory Web Services (ADWS)
service which must be installed on at least one domain controller in the domain. The service also
requires port 9389 to be open on the domain controller where ADWS is running.

Demonstration: How to Manage Active Directory Using Management Tools

Key Points
Active Directory Users and Computers and the Active Directory Administrative Center can both be used to
perform administrative tasks.
In this demonstration, you will see how to:

• Manage Active Directory by using standard administration snap-ins.
• Manage Active Directory by using the Active Directory Administrative Center.

Demonstration Steps:

Active Directory Users and Computers

Viewing Objects
The Active Directory Users and Computers snap-in displays the objects in the container (domain,
organizational unit, or container) selected in the console tree.

Refreshing the View
The view is not refreshed automatically. If you want to see the latest changes to the view of objects, select
the container in the console tree, and then click the Refresh button on the snap-in toolbar or press F5.
You must select the container in the console tree before clicking Refresh (or pressing F5); clicking in an
empty area of the details pane is not sufficient. This is a quirk of the Active Directory Users and Computers
snap-in.

Creating Objects
To create an object in Active Directory Users and Computers, right-click a domain, or a container (such
as Users or Computers), or an organizational unit, point to New, and then click the type of object you
want to create.
When you create an object, you are prompted to configure a few of the most basic properties of the
object, including the properties that are required for that type of object.

Configuring Object Attributes


After an object has been created, you can access its properties by right-clicking the object and then
clicking Properties.
The Properties dialog box that appears displays many of the most common properties of the object.
Properties are grouped on tabs to make it easier to locate a specific property.
You can configure as many properties as you want on as many tabs as you want, and then click Apply or
OK once to save all changes. The difference between Apply and OK is that the OK button saves the
changes and closes the Properties dialog box, whereas Apply saves the changes and keeps the dialog
box open so that you can make additional changes.

Viewing All Object Attributes


A user object has even more properties than are visible in its Properties dialog box. Some of the so-called
hidden properties can be quite useful to your enterprise. To view these hidden user attributes, you must
turn on the Attribute Editor, which is a new feature in Windows Server 2008.
To turn on the Attribute Editor in the Active Directory Users and Computers snap-in, click the View
menu, and then click the Advanced Features option.
To open the Attribute Editor for a specific Active Directory object, you need to perform the following
steps:
1. Right-click the object and then click Properties.
2. Click the Attribute Editor tab.
To change the value of an attribute, double-click the value.
The attributes can also be accessed programmatically with Windows PowerShell, Windows Visual Basic
Scripting Edition, or the Microsoft .NET Framework.
Note: Modifying hidden attributes can have adverse effects on your AD DS environment. Do so with
caution and only where specifically required.

Active Directory Administrative Center

Navigation
The Active Directory Administrative Center provides a navigation pane that can be set as a List View and a
Tree View. The List View displays three main nodes: an Overview node, a domain node, and a Global
Search node. The Tree View changes the domain node to provide a view of the entire domain structure.

Performing Administrative Tasks


When the Overview node is selected, you can perform specific tasks such as Reset Password and Global
Search. Reset Password provides the ability to enter a known user name and reset the password, unlock

Sep 7 2011 9:58PM


Warning: This is Nova 4, LLC's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed Content is
licensed as-is. Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties,
guarantees or conditions. Please report any unauthorized use of this content to piracy@microsoft.com or by calling +1

Nova 4, LLC
Managing Active Directory Domain Services

7-23

the account, and configure the user to change the password at the next logon. Global Search provides
the ability to search for objects based upon a domain scope or a Global Catalog scope.
Depending on the object selected, you can perform many related tasks. For example, if a user object is
selected, you can perform tasks such as Reset the password, Add to a group, Disable the account, Move
the account, Delete the account, locate the account, or open the Properties of the account.

Active Directory Module for Windows PowerShell

Key Points
In previous versions of Windows Server, administrators used a variety of command-line tools and
Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains to monitor
and manage them. The Active Directory module in Windows Server 2008 R2 now provides a
centralized experience for administering your directory service.
The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows
PowerShell module (named ActiveDirectory) that consolidates a group of cmdlets used to manage your
Active Directory domains in a self-contained package.
The following table lists the various tasks that can be performed by using the Active Directory module for
Windows PowerShell:

Management Category                   Task
User Management                       Creating a user
                                      Modifying an attribute for multiple users
                                      Setting profile attributes
                                      Renaming a user
                                      Finding and unlocking user accounts
                                      Enabling or disabling user accounts
Computer Management                   Joining a computer to a domain
                                      Adding or removing a computer account
                                      Resetting a computer account
                                      Modifying attributes of computer accounts
Group Management                      Creating a group
                                      Adding and removing members of a group
                                      Viewing the members of a group
                                      Changing the group scope or type
Organizational Unit Management        Creating or deleting an OU
                                      Listing objects in an OU
                                      Assigning or removing a manager of an OU
                                      Moving the objects in an OU
Password Policy Management            Creating and managing Fine-Grained Password policies
                                      Modifying the default domain password policy
                                      Get resultant password policy for a user
Searching and modifying objects       Searching the Global Catalog
                                      Importing objects by using a CSV file
                                      Exporting objects to a CSV file
                                      Searching for and restoring deleted objects
Forest and Domain Management          Finding the domains in a Forest
                                      Raising the functional level of the domain or Forest
                                      Viewing the trusts for a domain
Domain Controller and Operations      Finding the domain controllers for a domain
Master Management                     Moving the domain controller to a different site
                                      Enabling and disabling the Global Catalog
                                      Managing operations master roles
Managed Service Account Management    Create or remove a managed service account
                                      Associate a managed service account with a computer
                                      Reset the password of a managed service account

Cmdlet Examples

• New-ADComputer creates a new computer object in AD DS.
• Remove-ADGroup removes an Active Directory group.
• Set-ADDomainMode sets the domain functional level for an Active Directory domain.
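An added example, not from the course, that ties Set-ADDomainMode to the note in Lesson 1 about functional levels: before raising the domain functional level it checks that every domain controller runs a Windows Server version at least as recent as the target level. The target level Windows2008R2Domain and the version table are assumptions made for the example; the account is assumed to be a member of Domain Admins.

```powershell
# Added example, not from the course: check domain controller operating
# system versions before raising the domain functional level. The target
# level below is an assumption; change it to the level you intend to set.
Import-Module ActiveDirectory

$targetMode = 'Windows2008R2Domain'

# Minimum Windows NT version (major.minor) each domain functional level needs.
# 5.0 = Windows 2000, 5.2 = Windows Server 2003, 6.0 = 2008, 6.1 = 2008 R2.
$minVersion = @{
    'Windows2000Domain'   = [Version]'5.0'
    'Windows2003Domain'   = [Version]'5.2'
    'Windows2008Domain'   = [Version]'6.0'
    'Windows2008R2Domain' = [Version]'6.1'
}

function Get-DomainControllersBelow {
    param([Version]$Required)
    # Returns every DC whose OS is older than $Required, or whose version is
    # unknown; an unknown version is treated as a blocker, not ignored.
    @(Get-ADDomainController -Filter * | Where-Object {
        if (-not $_.OperatingSystemVersion) { return $true }
        # OperatingSystemVersion looks like '6.1 (7601)'; keep only '6.1'.
        $ver = [Version](($_.OperatingSystemVersion -split ' ')[0])
        $ver -lt $Required
    })
}

$domain = Get-ADDomain
Write-Host "Current domain functional level: $($domain.DomainMode)"

$tooOld = Get-DomainControllersBelow -Required $minVersion[$targetMode]

if ($tooOld.Count -gt 0) {
    Write-Warning "Cannot raise $($domain.DNSRoot) to $targetMode; these domain controllers are too old:"
    $tooOld | Format-Table HostName, OperatingSystem, OperatingSystemVersion -AutoSize
} else {
    # Raising the level is effectively one-way, so review the -WhatIf output
    # first; remove -WhatIf to apply the change.
    Set-ADDomainMode -Identity $domain -DomainMode $targetMode -WhatIf
}
```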

Installation
You can install the Active Directory module by using any of the following methods:

• By default, on a Windows Server 2008 R2 server, when you install the AD DS or Active Directory
  Lightweight Directory Services (AD LDS) server roles
• By default, when you make a Windows Server 2008 R2 server a domain controller by running
  Dcpromo.exe
• As part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2
  server
• As part of the RSAT feature on a Windows 7 computer

Note: While the Active Directory module for Windows PowerShell must run from a Windows Server
2008 R2 or Windows 7 computer, the actual PowerShell cmdlets can be run against servers that run
Windows Server 2003 or Windows Server 2008, provided you have installed the Active Directory
Gateway Service on those servers. Active Directory Gateway Service can be downloaded from the
following web page:

Lesson 3

Managing User Accounts

In AD DS for Windows Server 2008 and Windows Server 2008 R2, all users who require access to network
resources must be configured with a user account. With this user account, users can be authenticated to
the AD DS domain and granted access to network resources. As the AD DS administrator, you will need to
know how to create and configure user accounts.

Objectives
After completing this lesson, you will be able to:

• Describe a user account object.
• Describe user account password options.
• Describe user account attributes.
• Create and configure user accounts.
• Describe a user account template.

What Is a User Account?

Key Points
A user account is an object that contains all of the information that defines a user on a local Windows
Server 2008 machine or in an Active Directory domain. A user account includes the user name and
password as well as group memberships. A user account also contains many other settings, which can be
configured based on your organizational requirements.

Usage
With a user account, you can perform the following tasks:

• Allow or deny users to log on to a computer based on user account identity.
• Grant users access to processes and services for a specific security context.
• Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
  directories, and printer queues.

User Accounts and SIDs


From the information provided at the time a security principal (such as a user account) is created,
Windows Server 2008 generates an SID and a globally unique identifier (GUID) for the security principal.
The internal processes in Windows Server 2008 refer to the SID when a user tries to authenticate in AD DS
and when the user tries to access network resources.

Local and Domain User Accounts


As a systems administrator, you must create user accounts to manage your network environment. Domain
user accounts enable users to log on to a domain and access resources anywhere on the network. Local
user accounts enable users to log on and access resources only on the computer on which you create the
local user account.
The following table describes some differences between a local account and an AD DS account:

Local User Accounts:
• Can be used to log on only to the computer where the account is created
• Provide access to files only on the local computer
• Stored locally in the local computer's SAM database

AD DS User Accounts:
• Can be used to log on to AD DS from any client computer in the forest
• Provide access to shared network resources
• Stored on domain controllers in the AD DS database

Question: List at least one advantage of creating local accounts. List at least one advantage of creating
domain accounts.

User Account Password Options

Key Points
User accounts are typically protected and authorized by a password. User accounts have options that
dictate how passwords are managed. You can help protect your server environment by customizing
password policy settings, including requiring users to change their password regularly, specifying a
minimum length for passwords, and requiring passwords to meet certain complexity requirements.
The following table describes domain password policy settings, which are controlled by a number of GPO
settings related to accounts and passwords.
Policy: Password must meet complexity requirements
What it does: Requires passwords to:
  • Contain a combination of at least three of the following characters: uppercase letters, lowercase
    letters, numbers, symbols (punctuation marks).
  • Not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements can help ensure a strong password.
  Strong passwords are more difficult to crack than those containing simple letters or numbers.

Policy: Enforce password history
What it does: Prevents users from creating a new password that is the same as their current password or a
  recently used password. To specify how many passwords are remembered, provide a value. For example, a
  value of 1 means that only the last password will be remembered, and a value of 5 means that the previous
  five passwords will be remembered.
Best practice: Use a number that is greater than 1. Enforcing password history ensures that passwords
  that have been compromised are not used repeatedly.

Policy: Maximum password age
What it does: Sets the maximum number of days that a password is valid. After this number of days, the
  user will have to change the password.
Best practice: Set a maximum password age of 30–70 days. Setting the number of days too high provides
  hackers with an extended window of opportunity to crack the password. Setting the number of days too
  low might be frustrating for users who have to change their passwords too frequently.

Policy: Minimum password age
What it does: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least 1 day. By doing so, you require that the user can
  only change their password once a day. This will help enforce other settings. For example, if the past five
  passwords are remembered, this will ensure that at least five days must pass before the user can reuse
  the original password. If the minimum password age is set to 0, the user can change their password six
  times on the same day and begin reusing the original password on the same day.

Policy: Minimum password length
What it does: Specifies the fewest number of characters a password can have.
Best practice: Set the length between 8 and 12 characters (provided that they also meet complexity
  requirements). A longer password is more difficult to crack than a shorter password, assuming the
  password is not a word or a common phrase.

Policy: Store passwords by using reversible encryption
Stores the password by using encryption Do not use this setting unless you
that can be reversed in order for certain use a program that requires it,
applications to verify the password.
enabling this setting decreases the
security of stored passwords.

In addition, another group of GPO settings, known as Account Lockout Policy settings, controls what
actions the operating system takes if a user repeatedly fails to enter a valid password when logging on
to the system. The following table describes the Account Lockout policies:

Policy: Account lockout threshold
What it does: Specifies the number of failed login attempts allowed before the account is locked out.
For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect
login information three times.
Best practice: A setting between 3 and 5 allows for reasonable user error as well as limits repeated
login attempts for malicious purposes.

Policy: Account lockout duration
What it does: Allows you to specify a time frame, in minutes, after which the account will automatically
unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until
an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should
remain locked long enough to block or deter any potential attacks, but short enough not to interfere
with the productivity of legitimate users. A duration of 30 to 90 minutes should work well in most
situations.

Policy: Reset account lockout counter after
What it does: Determines the number of minutes that must elapse after a failed logon attempt before
the bad logon attempt counter is reset to 0 bad logons. This policy only has an effect when the Account
lockout threshold setting is defined.
Best practice: Using a time frame between 30 and 60 minutes is sufficient to deter automated attacks
as well as manual attempts by an attacker to guess a password.

Note: To access Account Policy settings, click Start, click Run, and type secpol.msc in the Open
dialog box. This must be performed on a domain controller to access domain Account Policy settings.
Following these steps on a computer that is not configured as a domain controller will open the local
security policy for that computer.
Question: What would be the effect on a user's account if the user enters the password incorrectly five
times between 10:00 A.M. and 10:25 A.M. with the following settings applied to the account?

Account lockout threshold: 4

Account lockout duration: 60 minutes

Reset account lockout after: 30 minutes
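The following script is an added example (not part of the course text) that reads a domain's Account Policy and reports every setting outside the best-practice ranges given in the two tables above. It assumes the Active Directory module for Windows PowerShell and the contoso.com domain used in this module; the constructed sample object uses the lockout values from the question above plus a deliberately weak password policy.

```powershell
# Added example, not the course's own code. Audits a domain password and
# account lockout policy against the best-practice ranges in the tables above.
# Assumes the Active Directory module (Windows Server 2008 R2 / Windows 7 RSAT).
Import-Module ActiveDirectory

function Test-AccountPolicy {
    param(
        # A policy object as returned by Get-ADDefaultDomainPasswordPolicy
        # (or any object exposing the same property names).
        [Parameter(Mandatory = $true)] $Policy
    )
    $findings = @()

    # Password Policy
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Password must meet complexity requirements: disabled (enable it).'
    }
    if ($Policy.PasswordHistoryCount -le 1) {
        $findings += "Enforce password history: $($Policy.PasswordHistoryCount) (use a value greater than 1)."
    }
    # MaxPasswordAge is a TimeSpan; 0 (or an enormous value) means passwords never expire.
    $maxDays = [math]::Round($Policy.MaxPasswordAge.TotalDays)
    if ($maxDays -lt 30 -or $maxDays -gt 70) {
        $findings += "Maximum password age: $maxDays days (recommended 30 to 70)."
    }
    if ($Policy.MinPasswordAge.TotalDays -lt 1) {
        $findings += 'Minimum password age: below 1 day (history can be cycled through in one day).'
    }
    # The table recommends 8 to 12; only a shorter minimum weakens the policy.
    if ($Policy.MinPasswordLength -lt 8) {
        $findings += "Minimum password length: $($Policy.MinPasswordLength) (recommended 8 to 12)."
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Store passwords using reversible encryption: enabled (disable unless an application requires it).'
    }

    # Account Lockout Policy
    $threshold = $Policy.LockoutThreshold
    if ($threshold -eq 0) {
        $findings += 'Account lockout threshold: 0 (lockout disabled; recommended 3 to 5).'
    } elseif ($threshold -lt 3 -or $threshold -gt 5) {
        $findings += "Account lockout threshold: $threshold (recommended 3 to 5)."
    }
    $duration = $Policy.LockoutDuration.TotalMinutes
    if ($duration -eq 0) {
        $findings += 'Account lockout duration: 0 (locked until an administrator unlocks; recommended 30 to 90 minutes).'
    } elseif ($duration -lt 30 -or $duration -gt 90) {
        $findings += "Account lockout duration: $duration minutes (recommended 30 to 90)."
    }
    $window = $Policy.LockoutObservationWindow.TotalMinutes
    if ($window -lt 30 -or $window -gt 60) {
        $findings += "Reset account lockout counter after: $window minutes (recommended 30 to 60)."
    }
    # Windows requires the reset window to be no longer than a non-zero lockout duration.
    if ($duration -gt 0 -and $window -gt $duration) {
        $findings += 'Reset window exceeds lockout duration; Windows will not accept this combination.'
    }

    New-Object PSObject -Property @{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample (not from a real domain): lockout settings from the question
# above, combined with a weak password policy so that several checks fire.
$sample = New-Object PSObject -Property @{
    ComplexityEnabled           = $false
    PasswordHistoryCount        = 1
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = New-TimeSpan -Days 0
    MinPasswordLength           = 7
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 4
    LockoutDuration             = New-TimeSpan -Minutes 60
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}
(Test-AccountPolicy -Policy $sample).Findings

# Against the live domain (run where the AD module is installed):
# $live = Get-ADDefaultDomainPasswordPolicy -Identity contoso.com
# Test-AccountPolicy -Policy $live | Format-List
```

For the constructed sample, only the four password-policy findings are reported; the lockout values of 4, 60 and 30 fall inside the recommended ranges.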


User Account Attributes

Key Points
User account attributes contain the functional details of a user account, and they control how the user
interacts with the environment. User account attributes include organizational information about the user
such as job title, department, or company; environment-related information like account profile and
logon script location; and access and privilege-related information like group membership, remote
control and dial-in access information. User account attributes can be accessed within Active Directory
Users and Computers by double-clicking a user account object or right-clicking the object and clicking
Properties.
The following list describes the most commonly used user account sections:

General. The General tab contains personal information about the user, such as the name,
description, office location, and other contact information.

Account. The Account tab contains the user account information such as logon name, logon hours,
password, and account expiration information.

Profile. The Profile tab contains information regarding the user account's profile location, logon
script, and home folder.

Organization. The Organization tab contains a user's organizational information, such as job title,
department, and company. You can also set the user's manager by linking to the manager's user
account. This page also contains a list of other user accounts that have selected the current user
account as their manager.

Member Of. The Member Of tab contains a list of the groups to which the user account belongs.

Dial-in. The Dial-in tab allows you to set information related to dial-in network access.


Demonstration: Configuring User Accounts

Key Points
In this demonstration, you will see how to:

Create and configure an AD DS user account by using Active Directory Users and Computers.

Configure an AD DS user account by using Active Directory Administrative Center.

Create and configure an AD DS user account by using Windows PowerShell.

Demonstration Steps:

Create and configure an AD DS user account by using Active Directory Users and Computers
1. Open Active Directory Users and Computers.
2. Create a new user account for David Jones and move the account to the Marketing OU.
3. Make David Jones a member of the Contoso\Marketing group.

Configure an AD DS user account by using Active Directory Administrative Center
1. Open Active Directory Administrative Center.
2. Navigate to the Marketing OU.
3. Make David Jones a member of the Contoso\Research group.

Create and configure an AD DS user account by using Windows PowerShell
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module
for Windows PowerShell.
2. To create a new user, type the following (Note: By default, the user will be created in the Users
container if no other option is specified):

New-ADUser -Name TestUser1 -Department IT -City "New York" -Organization "Contoso"

3. To move the user to another organizational unit, type the following:

Get-ADUser -Filter 'Name -eq "TestUser1"' | Move-ADObject -TargetPath "OU=IT,DC=contoso,DC=com"

4. To set the password and enable TestUser1, type the following (the password is single-quoted
because "$$" inside double quotes would be expanded by PowerShell):

Set-ADAccountPassword TestUser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
Get-ADUser -Filter 'Name -eq "TestUser1"' | Enable-ADAccount


What Is a User Account Template?

Key Points
A user account template is a user account that has commonly used settings and properties already
configured. You can use user account templates to simplify the process of creating domain user accounts,
as in the following bullets:

To perform this procedure, you must be a member of the Account Operators group, Domain Admins
group, or the Enterprise Admins group in Active Directory, or you must have been delegated the
appropriate authority.

To prevent a particular user from logging on for security reasons, you can disable user accounts
rather than deleting user accounts.

By creating disabled user accounts with common group memberships, you can use disabled user
accounts as account templates to simplify and secure user account creation.

Information such as logon hours and group memberships is retained when a new user is created from a
template, but the Description and Office attributes are not replicated.

Additional attributes can be viewed and modified in the Active Directory Schema MMC snap-in.
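The following script, added here as an example (not the course's own code), creates a user from a disabled template account the way this topic describes, copying the template's attributes and group memberships but not Description or Office, and leaves the new account disabled. It assumes the Active Directory module for Windows PowerShell; the template name FinanceTemplate and the Finance OU path are assumptions.

```powershell
# Added example, not the course's own code. Creates a domain user from a disabled
# template account. Assumes the Active Directory module for Windows PowerShell.
Import-Module ActiveDirectory

function New-ADUserFromTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateSamAccountName,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$AccountPassword
    )

    # Only these attributes are requested, so only they are copied. Description and
    # Office are deliberately absent, matching the behaviour described in the topic.
    $copied = 'Department', 'Company', 'Title', 'LogonHours',
              'ScriptPath', 'HomeDirectory', 'HomeDrive', 'ProfilePath'
    $template = Get-ADUser -Identity $TemplateSamAccountName -Properties $copied

    # -Instance takes the template's populated attributes as defaults; the identity
    # values (Name, SamAccountName, UPN) are supplied explicitly and win over the
    # template. The account is created disabled, to be enabled when the user starts.
    $domain = (Get-ADDomain).DNSRoot
    New-ADUser -Instance $template `
        -Name $Name -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$domain" `
        -Path $Path -AccountPassword $AccountPassword `
        -ChangePasswordAtLogon $false -Enabled $false

    # Group memberships are back-links, not attributes of the user object, so they
    # are copied separately. The primary group (Domain Users, RID 513) is already
    # set on the new account and is skipped.
    Get-ADPrincipalGroupMembership -Identity $template |
        Where-Object { $_.SID.Value -notlike '*-513' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $SamAccountName }

    Get-ADUser -Identity $SamAccountName -Properties MemberOf, Department, LogonHours
}

# Usage with assumed names: create Eva from the FinanceTemplate account, in the
# Finance OU, left disabled. The password is prompted for rather than hard-coded.
$pw = Read-Host -AsSecureString 'Initial password'
New-ADUserFromTemplate -TemplateSamAccountName FinanceTemplate -Name 'Eva Corets' `
    -SamAccountName Eva -Path 'OU=Finance,DC=contoso,DC=com' -AccountPassword $pw
```

If the template has GivenName or Surname set, -Instance copies those too; pass -GivenName and -Surname explicitly to New-ADUser in that case.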


Lesson 4

Managing Computer Accounts

In AD DS, computers are security principals just like users and groups. This means that computers must
have accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account,
and the user must also log on to the domain from a computer that has a valid computer account. All
computers must have computer accounts created in AD DS to be an active, fully functional member of the
domain.

Objectives
After completing this lesson, you will be able to:

Describe requirements for joining a computer to the domain.

Perform an offline domain join.

Describe the tools used to automate computer account creation.

Perform computer account management tasks.


Considerations for Joining a Computer to a Domain

Key Points
There are three key points to consider when joining a computer to an Active Directory domain:

A computer object is created in AD DS. This object can be created ahead of time, or if no matching
account has been created in AD DS, the account will be created automatically by the domain join
process.

You must have appropriate permissions in the domain to create computer objects in AD DS.

Only members of the local Administrators group can change a computer's domain or workgroup
membership.

A Computer Object Must Be Created in the Directory Service


When a computer is joined to the domain, a computer object is created in the Active Directory database
and assigned a unique SID. It is extremely important to consider where you will store this computer within
your domain, including the following locations:

The Default Computers Container


When you create a domain, the Computers container is created by default (CN=Computers). This
container is not an OU; it is an object belonging to the container class. There are subtle but important
differences between a container and an OU. You cannot create an OU within a container, so you
cannot subdivide the Computers container. Moreover, you cannot link a Group Policy object to a
container. Therefore, it is recommended that you create custom OUs to host computer objects instead
of using the Computers container.

OUs for Computers


Most organizations create at least two OUs for computer objects: one to host computer accounts for
client computers (desktops, laptops, and other user systems) and another for servers. These two
OUs are in addition to the Domain Controllers OU created by default during the installation of Active
Directory. In each of these OUs, computer objects would be created prior to a computer joining the
domain. When the computer joins the domain, the computer is associated with the pre-created
account. There is no technical difference between a computer object in a clients OU and a computer
object in a servers or domain controllers OU. But separate OUs are typically created to provide
unique scopes of management so that you can delegate management of client objects to one team
and management of server objects to another.

You Must Have Appropriate Permissions in the Domain to Create Computer Objects
in AD DS
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have
permission to create computer objects in any new OU. However, tightly restrict membership in the first
three groups.
You should delegate the permission to create computer objects to appropriate administrators or support
personnel. The permission required to create a computer object is Create Computer Objects. This
permission, assigned to a group for an OU, allows members of the group to create computer objects in
that OU. For example, you might allow your desktop support team to create computer objects in the
clients OU and allow your file server administrators to create computer objects in the file servers OU.

Only Members of the Local Administrators Group Can Change a Computer's Domain
or Workgroup Membership
When the domain join process is initiated, the user initiating the join must be a member of the
Administrators group on the computer that is being joined to the domain to modify the computer's
domain or workgroup membership.


What Is Offline Domain Join?

Key Points
Offline domain join is a new process that can be used by computers running Windows 7 or Windows
Server 2008 R2 to join a domain without contacting a domain controller. This makes it possible to join
computers to a domain in locations where there is no connectivity to a domain controller.
A domain join establishes a trust relationship between a Windows computer and Active Directory domain.
This operation requires state changes to both AD DS and the computer that is joining the domain. In the
past, a computer had to be able to establish network connectivity with a domain controller for the
domain before initiating the join process. Offline domain join provides the following advantages over the
previous requirements:

The Active Directory state changes are completed without any network traffic to the computer or
domain controller.

Each set of changes (computer and domain controller) can be completed at a different time.

Requirements for Offline Domain Join


You perform an offline domain join by using a new tool named Djoin.exe. You use Djoin.exe to provision
computer account data into AD DS. You also use it to insert the computer account data into the Windows
directory of the destination computer, which is the computer that you want to join to the domain. The
following sections explain operating system requirements and credential requirements for performing an
offline domain join.
The offline domain join does not have to be completed within a specific time period. The computer
account that is provisioned remains in AD DS unless an administrator intervenes. However, many
organizations run scripts every 30 to 60 days to clean up stale or unused computer accounts.

Operating System Requirements


You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer
on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7
or Windows Server 2008 R2. The computer that you want to join to the domain must also be running
Windows 7 or Windows Server 2008 R2.
Note: It is important to note that the computer being provisioned and the computer from where
Djoin.exe is being executed do not have to be the same computer. In most cases, offline domain join
is done from a server or an administrative workstation prior to computers being ready to join the
domain.
By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2.
However, you can specify an optional /downlevel parameter if you want to target a domain controller that
is running a version of Windows Server that is earlier than Windows Server 2008 R2.
To perform an offline domain join, you must have the rights that are necessary to join workstations to the
domain. Members of the Domain Admins group have these rights by default. If you are not a member of
the Domain Admins group, a member of the Domain Admins group must complete one of the following
actions to enable you to join workstations to the domain.

Using Djoin.exe to Perform an Offline Domain Join


To perform an offline domain join for a computer named NYC-CL1 to the Contoso domain, perform the
following steps:
1. On a Windows Server 2008 R2 or Windows 7 machine that is connected to the Contoso domain,
execute the following command from an administrative command prompt:

Djoin /provision /domain Contoso /machine NYC-CL1 /savefile blob.txt

2. Copy the blob.txt file to the NYC-CL1 client computer.
3. On the NYC-CL1 client computer, execute the following command from an administrative command
prompt in the same folder where blob.txt is stored:

Djoin /requestODJ /loadfile blob.txt /windowspath %systemroot% /localos

After this command, the offline part of the domain join is complete. The computer name configuration
for NYC-CL1 will show that it is a member of the Contoso domain. The next time NYC-CL1 contacts a
domain controller for the Contoso domain, the domain join process will be completed, and NYC-CL1 will
become a fully functioning member of the domain.


Tools Used to Automate Computer Account Creation

Key Points
While the Active Directory administrative snap-ins and the Active Directory Administrative Center provide
convenient, easy-to-use tools for managing Active Directory infrastructure, there are certain tasks for
which a point-and-click GUI is too cumbersome or tedious.
Windows Server 2008 provides a number of tools that you can use to create or modify multiple computer
accounts automatically in AD DS. Some of these tools require that you use a text file containing
information about the computer accounts that you want to create. You also can create Windows
PowerShell scripts to add objects or make changes to Active Directory objects.

DSAdd.exe
The DSAdd command is used to create objects in AD DS. To create computer objects, simply type:
dsadd computer ComputerDN

where ComputerDN is the distinguished name (DN) of the computer, such as CN=NYC-CL2, OU=NYC,
OU=Client Computers, DC=contoso, DC=com.
The DSAdd Computer command can take the following optional parameters after the DN:

-samid ComputerName

-desc Description

-loc Location

NetDom.exe
The NetDom command can also perform a variety of domain account and security tasks from the
command prompt, including creating a computer account by typing the following command:

netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]

This command creates the computer account for ComputerName in the domain indicated by the
/domain option, using the credentials specified by /UserD and /PasswordD. The /ou option causes the
object to be created in the OU whose distinguished name (OUDN) follows the option. If no OUDN is
supplied, the computer account is created in the default Computers container.

CSVDE and LDIFDE


Both CSVDE and LDIFDE allow you to import data from flat files into your Active Directory domain. CSVDE
imports data contained in Comma Separated Value format, and LDIFDE uses the Lightweight Directory
Access Protocol Data Interchange Format (LDIF).
The basic syntax of the CSVDE command is:
csvde [-i] [-f "Filename"] [-k]

The basic syntax of the LDIFDE command is similar to that of the CSVDE command:
ldifde [-i] [-f "Filename"] [-k]

Windows PowerShell
As previously discussed in this lesson, the new Active Directory module for Windows PowerShell provides
a large number of cmdlets used for administering Active Directory.
The Add-Computer cmdlet and the New-ADComputer cmdlet are the two most commonly used
cmdlets for adding new computers to the domain.

Add-Computer
The Add-Computer cmdlet is used to join a computer to a domain. The following command will join the
local computer to the Contoso.com domain and place the computer in the Production OU.
Add-Computer -DomainName Contoso -OUPath "OU=Production,DC=Contoso,DC=COM"

New-ADComputer
The New-ADComputer cmdlet simply creates a computer account in the domain, just as you would if
you were prestaging computer accounts. The following command will add the computer account named
NYC-CL1 to the Marketing OU in the Contoso.com domain (a computer's SAM account name ends in $).
New-ADComputer -Name NYC-CL1 -SamAccountName 'NYC-CL1$' -Path "OU=Marketing,DC=Contoso,DC=COM"

Note: Remember, the Active Directory module for Windows PowerShell is available on Windows
Server 2008 R2 and Windows 7 computers.

Windows System Image Manager (SIM)


Windows SIM allows you to facilitate the automation process when deploying computers on your domain.
One of the functions of Windows SIM is to generate unattend.xml automated installation files, which can
be used to include information relevant to the domain join process, thereby including the domain-join
process in your automated deployment.


Managing Computer Accounts

Key Points
After a computer account is created in AD DS, there are several management tasks that may need to be
performed on the computer account during its membership in the domain.

Adding Computer Accounts


You have already learned about several ways to add or create computer accounts within a domain.
Creating a computer account object in a domain allows you to administer the computer attached to that
account within AD DS. Tasks like assigning domain-based group policy settings, controlling access to
computers, and delegating other administrative tasks require the computer to have an account registered
in the domain.

Modifying Computer Account Attributes


The most commonly used properties for computer accounts in AD DS are the Location and Managed by
properties. To maintain computers, you must find the physical location of the computers. The following is
a description of the Location and Managed by properties:

The Location property can be used to document the computer's physical location in your network.

The Managed By property lists the individual responsible for the computer. This information can be
useful when you have a data center with servers for different departments, and you need to perform
maintenance on the server. You can call or send an email message to the person who is responsible
for the server before you perform maintenance on the server.

Deleting Computer Accounts


As your computing environments change, old computers are replaced by new computers and are no
longer used in the domain environment. Even though these computers may be decommissioned and
disconnected from the network, their computer accounts still remain in the Active Directory database and
will remain there until deleted. Although deleting a computer account as soon as the decommissioned
computer is disconnected from AD DS is a best practice, it is sometimes forgotten or not done properly.
As a result, deletion of computer accounts is typically a regular or scheduled maintenance task performed
within a domain.

Disabling Computer Accounts


After an account has been created for a computer and that computer has joined the domain and
registered with AD DS, the physical computer and the account are connected. The computer account will
be assigned permissions and privileges and placed in an appropriate OU.
Disabling a computer account prevents that computer from authenticating to the domain. If you have
computers in your environment that are disconnected from the network for an extended amount of time,
disabling their computer accounts prevents the accounts from being misused for unauthorized access, and
it preserves any modifications to the computer account within AD DS, such as permissions, location, and
other properties. When the computer is reconnected to the network, the account can be enabled, and the
computer will operate exactly as it did prior to disconnecting from the domain.

Resetting Computer Accounts


When a computer is joined to a domain, the computer and domain establish a shared, secret password
used to authenticate the computer to the domain. This password is stored by both the computer and the
domain controllers for the domain. Each time the computer attempts to connect to the domain, the
password is exchanged between the computer and the domain. Under certain circumstances, the
passwords stored in the two locations may conflict, resulting in the computer being unable to
authenticate to the domain.
Resetting a computer account resets this password and forces the computer to rejoin the domain,
resynchronizing the password between the computer and the domain in the process.
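The following script, added here as an example (not the course's own code), implements the periodic stale computer account clean-up mentioned under offline domain join together with the disable-rather-than-delete practice described in this topic. It assumes the Active Directory module for Windows PowerShell; the 60-day threshold and the OU path are assumptions.

```powershell
# Added example, not the course's own code. Finds enabled computer accounts whose
# machine password has not changed for a given number of days and disables them,
# leaving deletion to a later, reviewed maintenance pass.
# Assumes the Active Directory module for Windows PowerShell.
Import-Module ActiveDirectory

function Get-StaleComputerAccount {
    param(
        [int]$Days = 60,
        # Restrict the search to the client or server OUs so that the
        # Domain Controllers OU is never touched.
        [Parameter(Mandatory = $true)][string]$SearchBase
    )
    # A domain member changes its machine password every 30 days by default, so a
    # password older than 60 days means the computer has not contacted the domain.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -SearchBase $SearchBase `
        -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Select-Object Name, DistinguishedName, PasswordLastSet, LastLogonDate, OperatingSystem
}

function Disable-StaleComputerAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Objects as returned by Get-StaleComputerAccount.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Computer
    )
    process {
        $stamp = "Disabled as stale on $(Get-Date -Format 'yyyy-MM-dd'); " +
                 "password last set $($Computer.PasswordLastSet)"
        # ShouldProcess gives the function -WhatIf and -Confirm for free.
        if ($PSCmdlet.ShouldProcess($Computer.Name, 'Disable stale computer account')) {
            Disable-ADAccount -Identity $Computer.DistinguishedName
            # Record why and when, so whoever deletes the account later has context.
            Set-ADComputer -Identity $Computer.DistinguishedName -Description $stamp
        }
    }
}

# Review the candidates first (-WhatIf makes no changes), then run without -WhatIf.
Get-StaleComputerAccount -Days 60 -SearchBase 'OU=Client Computers,DC=contoso,DC=com' |
    Disable-StaleComputerAccount -WhatIf
```

A computer that comes back after its account was disabled can be re-enabled with Enable-ADAccount; if its secure channel password no longer matches, reset the account as described above.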


Lab A: Creating and Managing User and Computer Accounts

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario
Contoso, Ltd. is expanding its operations and creating a new Finance department. You have been asked to
create the appropriate objects in AD DS, so the Finance department can begin operation as scheduled
next month.


Exercise 1: Creating and Configuring User Accounts


The Finance department has two new users, Eva Corets and Mark Steele. You have been asked to create
an OU for the Finance department in the root of the Contoso.com domain where the user accounts will
be stored and create user account objects for Eva and Mark configured as follows:

User account name: User's first name

Password: Pa$$w0rd

Do not prompt for password change at next logon

Department: Finance

After the accounts are properly set up, you have been asked to test them to ensure that the users can log
on and then disable the accounts until Eva and Mark begin their jobs next month.
The main tasks are as follows:
1. Create the Finance OU.
2. Create a user account template for the Finance users.
3. Create new accounts for Eva and Mark.
4. Confirm the functionality of user accounts.
5. Disable the new user accounts.

Task 1: Create the Finance OU

1. On NYC-DC1, from Administrative Tools, open Active Directory Module for Windows PowerShell.
2. Create a new Finance OU in the root of the Contoso domain by using the New-ADOrganizationalUnit cmdlet:

New-ADOrganizationalUnit -Name Finance -Path "DC=CONTOSO,DC=COM"

3. Close the command prompt.

Task 2: Create a user template account for the Finance users

1. On NYC-DC1, open Active Directory Users and Computers.
2. Create a user account in the Finance OU with the following properties:

Property                                    Value
First name                                  Finance
Last name                                   Template
Full name                                   Finance Template
User logon name                             Finance Template
Password                                    Pa$$w0rd
User must change password at next logon     Not Selected
Account is disabled                         Selected
Department                                  Finance

Task 3: Create new accounts for Eva and Mark

1. Create an account for Eva Corets by copying the Finance template and using the following account
properties.

Property               Value
First name             Eva
Last name              Corets
Full name              Eva Corets
User logon name        Eva
Password               Pa$$w0rd
Account is disabled    Not Selected

2. Create an account for Mark Steele by copying the Finance template and using the following account
properties.

Property               Value
First name             Mark
Last name              Steele
Full name              Mark Steele
User logon name        Mark
Password               Pa$$w0rd
Account is disabled    Not Selected

3. Close the Active Directory Users and Computers window.

Task 4: Confirm the functionality of user accounts

1. Switch to the 6419B-NYC-CL1 virtual machine.
2. On NYC-CL1, log on as Contoso\Eva with a password of Pa$$w0rd.
3. Log off of NYC-CL1.
4. On NYC-CL1, log on as Contoso\Mark with a password of Pa$$w0rd.
5. Log off of NYC-CL1.


Task 5: Disable the new user accounts

1. Switch to the 6419B-NYC-DC1 virtual machine.
2. On NYC-DC1, open Active Directory Administrative Center.
3. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and
then double-click Finance OU in the middle pane.
4. Disable the accounts for Eva Corets and Mark Steele.


Results: At the end of the exercise, you created and configured user accounts.
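The same five tasks carried out entirely from the Active Directory Module for Windows PowerShell, as an added example that is not part of the course lab. It assumes the Contoso.com domain and NYC-DC1 from the lab setup; the UPN suffix contoso.com and the function name Get-FinanceAccountState are assumptions. The interactive logon test of Task 4 is replaced by reading the account state back from AD DS.

```powershell
# Added example; not the course's own lab steps.
Import-Module ActiveDirectory

$domainDn = 'DC=CONTOSO,DC=COM'
$ouPath   = "OU=Finance,$domainDn"
$password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Task 1: the Finance OU in the root of the domain
New-ADOrganizationalUnit -Name Finance -Path $domainDn

# Task 2: a disabled template account that carries the settings shared by Finance users.
# Keeping the template disabled means it can never be used for an interactive logon.
New-ADUser -Name 'Finance Template' -GivenName Finance -Surname Template `
    -SamAccountName 'Finance Template' -Path $ouPath -Department Finance `
    -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $false

# Task 3: copy the template for each new user. -Instance copies the template's
# attributes (Department here); the identity attributes are set explicitly per user.
$template = Get-ADUser -Identity 'Finance Template' -Properties Department
$newUsers = @(
    @{ First = 'Eva';  Last = 'Corets' },
    @{ First = 'Mark'; Last = 'Steele' }
)
foreach ($u in $newUsers) {
    New-ADUser -Instance $template -Name "$($u.First) $($u.Last)" `
        -GivenName $u.First -Surname $u.Last -SamAccountName $u.First `
        -UserPrincipalName "$($u.First)@contoso.com" -Path $ouPath `
        -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $true
}

# Task 4: confirm the accounts are enabled, carry the department and have a password set
# (the lab confirms this by logging on at NYC-CL1 instead).
function Get-FinanceAccountState {
    Get-ADUser -Filter * -SearchBase $ouPath -Properties Department, PasswordLastSet |
        Select-Object SamAccountName, Enabled, Department, PasswordLastSet
}
Get-FinanceAccountState

# Task 5: disable the new accounts until Eva and Mark start next month
Disable-ADAccount -Identity Eva
Disable-ADAccount -Identity Mark
Get-FinanceAccountState
```

Running Get-FinanceAccountState before and after Task 5 shows the Enabled column flip from True to False for Eva and Mark while the template stays disabled throughout.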


Exercise 2: Creating and Configuring Computer Accounts


The Finance department will also be using the two computers, NYC-CL5 and NYC-CL6. Both computers
will be arriving with Eva and Mark in New York when they begin their jobs. You need to prestage the
computer accounts into the Finance OU, so the desktop support team can join the computers to the
domain after they are configured.
The main tasks are as follows:
1. Create computer accounts by using Active Directory management tools.
2. Configure computer account attributes.

Task 1: Create computer accounts by using Active Directory management tools

1. On NYC-DC1, open Active Directory Users and Computers.
2. In the Computers container, create a new computer object named NYC-CL5.
3. Close the Active Directory Users and Computers window.
4. On NYC-DC1, open Active Directory Module for Windows PowerShell.
5. At the command prompt, type the following command:

New-ADComputer -Name NYC-CL6 -SamAccountName NYC-CL6 -Path 'CN=Computers,DC=CONTOSO,DC=COM'

6. Close the command prompt window.

Task 2: Configure computer account attributes

1. Open Active Directory Administrative Center.
2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and
then double-click the Computers container in the middle pane.
3. Move NYC-CL5 and NYC-CL6 to the Finance OU.
4. Close the Active Directory Administrative Center window.


Results: In this exercise, you configured computer account attributes.
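Both tasks of this exercise done from Windows PowerShell, as an added example that is not part of the course lab. It assumes the Contoso.com domain, the Finance OU from Exercise 1 and the computer names NYC-CL5 and NYC-CL6; the function name Get-UnjoinedComputers is an assumption. The final check lists prestaged accounts that no machine has authenticated with yet, which is how an administrator later spots prestaged accounts for machines that never arrived.

```powershell
# Added example; not the course's own lab steps.
Import-Module ActiveDirectory

$computersCn = 'CN=Computers,DC=CONTOSO,DC=COM'
$financeOu   = 'OU=Finance,DC=CONTOSO,DC=COM'
$names       = 'NYC-CL5', 'NYC-CL6'

# Task 1: prestage both computer accounts in the Computers container.
# New-ADComputer derives the sAMAccountName (name plus '$') from -Name.
foreach ($name in $names) {
    New-ADComputer -Name $name -Path $computersCn
}

# Task 2: move the accounts into the Finance OU, so the OU's delegation and
# Group Policy apply as soon as the desktop team joins the machines.
foreach ($name in $names) {
    $dn = (Get-ADComputer -Identity $name).DistinguishedName
    Move-ADObject -Identity $dn -TargetPath $financeOu
}

# Verification: computer accounts in the OU that have never logged on. A prestaged
# account stays in this list until the physical computer is joined to the domain.
function Get-UnjoinedComputers {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate, Created |
        Where-Object { -not $_.LastLogonDate } |
        Select-Object Name, Enabled, Created, DistinguishedName
}
Get-UnjoinedComputers -SearchBase $financeOu
```

Immediately after the exercise both NYC-CL5 and NYC-CL6 appear in the Get-UnjoinedComputers output; each drops out of the list once the desktop support team joins that computer to the domain.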


Lesson 5

Managing Groups

Groups allow you to collect items and manage them as a single entity. The implementation of group
management in Active Directory is designed to support large, distributed environments, so it includes
different types of groups to allow for grouping Active Directory objects. In this lesson, you will learn the
purpose that each of these groups plays, and you will learn to leverage the capabilities of these groups in
structuring your Active Directory objects.

Objectives
After completing this lesson, you will be able to:

Describe the importance of using groups for managing object access.

Describe how role groups and rule groups can solve manageability and scalability issues.

Describe Active Directory group types and scope.

Describe Global Groups.

Describe Universal Groups.

Describe Domain Local Groups.

Identify appropriate group usage.

Describe group nesting.


Importance of Groups

Key Points
Groups play an important role in the organization of objects within your Active Directory environment
and the assignment of permissions and privileges to those objects.

Access Management without Groups


To better understand groups, their purpose, and their benefits, let us first look at an example of access
management without using groups. Imagine that all of the 100 users in the Production department
require Read-level access to a shared folder called Production on a file server. It is very time-consuming to
assign permissions to each user individually. When new Production people are hired, you must add the
new accounts to the access control list (ACL) of the folder. When the accounts are deleted, you must
remove the permissions from the ACL to avoid leaving orphaned SIDs in the ACL.
Note: An orphaned SID occurs when an account is deleted, but references to the account still exist
within the Active Directory database, such as when an account's SID is listed on an ACL and the account is
deleted. The SID remains in the ACL but no longer points to a valid Active Directory object.
Imagine now that all of the 100 users in the Production department require Read access to three shared
folders, each on a different server. This can cause significant management issues. You would need to
apply permissions 300 times to grant appropriate access to the shared folders.

Benefits of Using Groups


The example of the Production department may seem extreme, because you have no doubt learned that
although assigning permissions to a resource for an individual identity (a user or a computer) is possible,
the best practice is to assign a single permission to a group and manage access to the resource by
changing the membership of the group.


In our example, a group named ProductionDept could be created and assigned Allow Read permission on
the Production folder. All of the users from the Production department are placed in this group. Then, you
will have a single point of management for the users. You can add new users to the group, and they will
gain access to the shared folder. When you delete an account, it is automatically removed from the group.
This method also avoids orphaned SIDs on the folder's ACL, because deleted users are automatically
removed from groups.

Groups Add Scalability


If the Production department users require Read access to three folders on three separate servers, you
could assign the ProductionDept group Allow Read permission on each of the three folders. After you
assign the three permissions, the ProductionDept group still provides a single point of management for
access to all three shared folders. You can add new Production users to the group, and they will gain
access to the three shared folders on the three servers. As previously mentioned, when you delete an
account, it is automatically deleted from the group, so you will not have orphaned SIDs on your ACLs.


Understanding Role-Based Management Using Groups

Key Points
Role-based management is an important concept to understand if you want to effectively and efficiently
manage your groups.

One Type of Group Is Not Enough


Continuing our example, imagine next that it is not only the Production department who require Read
access to the folders. The Executive and Marketing department employees and the production consultant
hired by your organization also require Read permission to the same folders.
You could add those groups to the ACL of the folders, granting each of them Allow Read permission. But,
you will soon end up with an ACL with multiple permissions; this time assigning the Allow Read
permission to multiple groups instead of multiple users. To give the three groups and one user permission
to the three folders on the three servers, you will have to add twelve permissions. The next group that
requires access will require three more changes to grant permissions to the ACLs of the three shared
folders.
What if eight users who are not production employees, marketing employees, or executives have a
business need for Read access to the three folders? Do you add their individual user accounts to the ACLs?
If so, that is 24 more permissions to add and manage.
You can see that using only one type of group, a group that defines the business roles of users, quickly
becomes an ineffective way of enabling management of access to the three folders. If the management
rule suggests that three roles and nine additional users require access to the resource, you are assigning a
total of 36 permissions on ACLs. It becomes very difficult to maintain compliance and audit. Even simple
questions such as, "Can you list the users who can read the Production folders?" become difficult to
answer.


Role-Based Management: Role Groups and Rule Groups


The solution is to recognize that there are two types of management that must take place to effectively
manage this scenario. You must manage the users as collections based on their business roles. And,
separately, you must manage access to the three folders.
The three folders are also a collection of items; they are a single resource, a collection of Production
folders, that just happens to be distributed across three folders on three servers. And, you are
trying to manage Read access to that resource. You need a single point of management with which to
manage access to the resource.
This requires another group, a group that represents Read access to the three folders on the three
servers. Imagine that you create a group called ACL_ProductionFolders_Read. This group will be assigned
the Allow Read permission on the three folders. The Production, Marketing, and Executives groups, along
with individual users, will all be members of the ACL_ProductionFolders_Read group. You assign only
three permissions, one on each folder, granting Read access to the ACL_ProductionFolders_Read group.
The ACL_ProductionFolders_Read group becomes the focus of access management. As additional groups
or users require access to the folders, they will be added to that group. It also becomes much easier to
report who has access to the folders. Instead of having to examine the ACLs on each of the ten folders,
you simply examine the membership of the ACL_ProductionFolders_Read group.
To effectively manage even a slightly complex enterprise, you need two "types" of groups that perform
two distinct purposes:

Groups that define roles. These groups, referred to as role groups, contain users, computers, and other
role groups based on common business characteristics, such as location, job type, etc.

Groups that define management rules. These groups, referred to as rule groups, define how an
enterprise resource is being managed.

This approach to managing the enterprise with groups is called role-based management. You define roles
of users based on business characteristics (for example, department or division affiliation such as
Production, Marketing, and Executives), and you define management rules (for example, the rule that
manages which roles and individuals can access the three folders.
You can achieve both management tasks by using groups in a directory. Roles are represented by groups
that contain users, computers, and other roles. Roles can include other roles, such as a Managers role
might include the Production Managers, Finance Managers, and Research Managers roles. Management
rules, such as the rule that defines and manages Read access to the three folders, are represented by
groups as well. Rule groups contain roles and, occasionally, individual users or computers such as the
Production consultant and eight other users in the example.
The key takeaway is that there are two types of groups: one that defines the role and the other that
defines how a resource is managed.


Group Type and Scope

Key Points
Groups in Windows Server 2008 have two unique properties. Group type defines what a group can be
used for and group scope defines how the group interacts with other objects in the domain.

Group Type
A Windows Server 2008 group's type setting defines what the group can be used for within the domain.

Security groups are used to assign permissions on resources within the domain. Security groups can
be attached to the DACL of an object in the domain such as a shared folder and given specific access
permissions for the resource.

Distribution groups are used exclusively with email applications like Microsoft Exchange to send
email messages to collections of users. Distribution groups cannot be attached to a DACL. Therefore,
they cannot be used to control access to resources.
Note: Security groups can also be used with email applications to group users in the same way that
distribution groups can.

Group Scope
Group scope impacts each of these characteristics of a group: what it can contain, what it can belong to,
and where it can be used.
There are three group scopes available:

Domain Local

Global

Universal

The characteristics that define each scope fall into these categories:


Replication. Where is the group defined and to what systems is the group replicated?

Membership. What types of security principals can the group contain as members? Can the group
include security principals from trusted domains?

Availability. Where can the group be used? Is the group available to add to another group? Is the
group available to add to an ACL?


What Are Global Groups?

Key Points
A global group is a security or distribution group that can contain users, groups, and computers that are
from the same domain as the global group. You can use global security groups to assign user rights,
delegate authority to AD DS objects or assign permissions to resources in any domain in the forest or any
other trusting domain in another forest.
Use groups with global scope to manage directory objects that require daily maintenance, such as user
and computer accounts. Because groups with global scope are not replicated outside their own domain,
you can change accounts in a group having global scope frequently without generating replication traffic
to the global catalog.
The domain functional level must be Windows 2000 native, Windows Server 2003, or Windows Server
2008 to create global groups.


What Are Universal Groups?

Key Points
A universal group is a security or distribution group that can contain users, groups, and computers from
any domain in its forest. You can use universal security groups to assign user rights and permissions to
resources in any domain in the forest.
Changes to the universal groups are registered in the Global Catalog. Therefore, you should not change
the membership of a group with universal scope frequently. Any changes to the membership of this type
of group are replicated to every global catalog server in the forest.
At the Windows 2000 native domain functional level and later, universal groups are available for both
distribution and security groups.


What Are Domain Local Groups?

Key Points
A domain local group is a security or distribution group that can contain user accounts from the local
domain, any domain in the forest, or any trusted domain. Domain local groups also can contain universal
or global groups from any domain in the forest or any trusted domain and domain local groups from the
local domain.

The domain functional level must be Windows 2000 native or later to create domain local groups.

Use a domain local group to assign permissions to resources that are located in the same domain as
the domain local group. You can put all global groups that have to share the same resources into the
appropriate domain local group.
Note: Domain local groups have no link to the local group on Windows computers. Local groups are
groups that are created on the local computer and are stored in the local SAM database and have no
direct connection to AD DS.

Question: How could you provide members of a Sales department who travel frequently between
domains in a multi-city company with access to printers on various domains that are managed by domain
local groups?


Discussion: Identifying Group Usage

Key Points
Discuss these scenarios with the classroom, led by your instructor.
Scenario 1: A. Datum Corporation has human resources users spread throughout the domain in several
different geographic locations, but they require access to the same resources.
Scenario 2: Tailspin Toys has two domains, one for the United States and one for Europe. You want to
create a group that enables the centralized help desk to manage resources in both domains.
Scenario 3: A. Datum has users in Sales that are geographically dispersed. They have requested a single
unified group that will allow for all Sales users to access resources. Membership of the Sales group
frequently changes.
Scenario 4: Trey Research has a single domain. They want to create groups for the users in Sales, IT, and
Research departments, so they can easily send email messages to these groups instead of individual users.


What Is Group Nesting?

Key Points
When you use nesting, you add a group as a member of another group. You can use nesting to combine
group management. Nesting increases the member accounts that are affected by a single action and
reduces replication traffic caused by the replication of changes in group membership.

AGDLP and AGUDLP Best Practices


Best practices for group nesting can be defined by using the AGDLP acronym:

Accounts

Global

Domain Local

Permissions

In this method, accounts are placed inside of global groups for grouping based on organization roles,
such as job function, department, or location (role groups).
These global groups are then placed inside of domain local groups, defined by the type of access being
given and the object that permission is being configured for (rule groups). These domain local groups are
then assigned the appropriate permissions on the appropriate resources.
The AGUDLP method follows the same guidelines, but is used when universal groups are used to contain
AD DS objects from multiple domains or assign permissions to objects across multiple domains. When
using AGUDLP, global groups are nested within universal groups to provide for cross-domain usage.
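The role-group and rule-group design from the "Role-Based Management: Role Groups and Rule Groups" topic and the AGDLP nesting just described, built with the Active Directory module and NTFS permissions, as an added example that is not part of the course text. It assumes an OU named Groups in the Contoso.com domain, a consultant account named ProdConsultant, a folder path D:\Shares\Production on the file server the script runs on, and the function names Grant-FolderRead and Get-EffectiveReaders; all of these are assumptions. In a multi-domain forest (AGUDLP) the global role groups would first be nested in a universal group, and that universal group would be the member of the domain local rule group.

```powershell
# Added example; not from the course text. OU, folder path and account names are assumed.
Import-Module ActiveDirectory

$groupOu = 'OU=Groups,DC=CONTOSO,DC=COM'
$share   = 'D:\Shares\Production'   # one of the three Production folders

# A -> G: role groups are global security groups describing who people are.
foreach ($role in 'ProductionDept', 'MarketingDept', 'Executives') {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $groupOu
}

# DL: the rule group is a domain local security group describing one access rule on one resource.
New-ADGroup -Name 'ACL_ProductionFolders_Read' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu

# Nest the roles (and the single consultant account) into the rule group.
# Adding a new department later is one membership change, not three ACL edits.
Add-ADGroupMember -Identity 'ACL_ProductionFolders_Read' `
    -Members 'ProductionDept', 'MarketingDept', 'Executives', 'ProdConsultant'

# P: the permission is assigned once per folder, to the rule group only.
function Grant-FolderRead {
    param([string]$Path, [string]$GroupName, [string]$Domain = 'CONTOSO')
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$Domain\$GroupName",
        'ReadAndExecute',                     # FileSystemRights
        'ContainerInherit, ObjectInherit',    # inherit to subfolders and files
        'None',                               # PropagationFlags
        'Allow'                               # AccessControlType
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
# Repeat once on each of the three servers; the ACE is identical everywhere.
Grant-FolderRead -Path $share -GroupName 'ACL_ProductionFolders_Read'

# "Who can read the Production folders?" is answered by expanding one group,
# rather than reading the ACL of every folder on every server. -Recursive
# walks the nested role groups down to the individual accounts.
function Get-EffectiveReaders {
    param([string]$RuleGroup)
    Get-ADGroupMember -Identity $RuleGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object Name, SamAccountName, DistinguishedName
}
Get-EffectiveReaders -RuleGroup 'ACL_ProductionFolders_Read'
```

Because the folder ACL names only the rule group, the Get-EffectiveReaders output is the complete answer to the audit question; the ACL itself never has to change when roles or individuals are added.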

Domain Functional Levels


Group nesting is available when the domain functional level is Windows 2000 native, Windows Server
2003, or Windows Server 2008.


Question: A. Datum has HR users spread throughout the domain in several different geographic
locations, but requires access to the same resources. How can nested groups be used to simplify
management?
Question: Tailspin Toys has two domains, the United States and Europe. You want to create a group for
the centralized Help Desk to manage resources in both domains and reduce the replication traffic
between the domains.
Question: At A. Datum, you have to assign permissions to a folder on a member server for a project
between Sales, Marketing, and Finance. All users are geographically dispersed. How would you use
nesting groups in this scenario?
Question: Trey Research wants to give the HR department permissions to a file share. The user GSmith
needs to be added to the HR group. How would you use AGDLP in the scenario?


Lesson 6

Using Queries to Locate Objects in AD DS

Some large organizations have thousands of user accounts in an AD DS domain. Even if these accounts
are grouped into different OUs, it can still take some time to find a specific user in the domain. Windows
Server 2008 provides several features that allow you to quickly and effectively locate domain objects.

Objectives
After completing this lesson, you will be able to:

Describe options for locating objects in AD DS.

Describe how to run and save a query.

Describe how to use DSQuery and PowerShell to find objects in Active Directory.


Options for Locating Objects in AD DS

Key Points
There are several options available in the Windows Server 2008 administration tools that can increase the
efficiency of looking for user accounts in domains with many users.

Sorting
To sort the order of objects in Active Directory Users and Computers, perform the following steps:
1. View the user accounts in their container in Active Directory Users and Computers.
2. Click any of the column headings to sort the order of the objects (either ascending or descending).

You can also add more columns to the display and then sort the display based on the additional column.

Searching
The Active Directory Users and Computers console has a Saved Queries folder in which you can create, edit, save, and organize queries. Saved queries use predefined Lightweight Directory Access Protocol (LDAP) search strings and search only the domain partition; you can restrict a query to a single container and its subtree. You can also create a custom saved query that contains your own LDAP search filter. Saved queries are stored in the console file (.msc) on the computer where they were created, not in AD DS, so they are not replicated. After you build a set of queries, you can copy the .msc file to other Windows Server 2008 domain controllers or administrative workstations in the same domain, or export individual queries to XML files and import them into another console.

Command-line
If you need to include AD DS searching in a script, or need to locate an AD DS object on a Server Core installation of Windows Server 2008, use dsquery, a command-line tool that locates AD DS objects by type. For example, dsquery user searches for user accounts, whereas dsquery computer, dsquery group, and dsquery ou search for their respective object types.
The following command searches for users whose names begin with Dan, but only in the Marketing OU:
dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "Dan*"

The output is a list of distinguished names, which you can pipe to dsget to display attributes of the objects found, or to dsmod to modify them.

Locating Objects in Windows Server 2008 R2

Windows Server 2008 R2 provides two more tools that can be used to locate AD DS objects.

Active Directory Administrative Center


The Active Directory Administrative Center provides a user-friendly and powerful search interface called
Global Search. You can choose the search term, the scope of the search, and add common criteria from a
drop-down list of common search scenarios and commonly searched fields.

Windows PowerShell
The Active Directory module for Windows PowerShell includes cmdlets for locating AD DS objects. Get-ADObject is the most general search cmdlet: it can return any object class, accepts either a PowerShell-style -Filter or a raw -LDAPFilter, and can be scoped with -SearchBase and -SearchScope. Get-ADUser, Get-ADComputer, and Get-ADGroup offer the same search options for a single object class.
The following example searches for all computer objects in the Contoso.com domain:
Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName | FT Name,sAMAccountName

Get-ADDomainController can also be used to locate one specific kind of AD DS object: it returns the domain controllers that match the criteria you provide, such as site, domain, or whether the server is a global catalog.
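The following script is an added illustration, not part of the course text. It shows the PowerShell equivalents of the dsquery and saved-query searches described above, plus a few searches an administrator reviewing account security would run with the same cmdlets. It assumes the Contoso.com lab domain with a Marketing OU and the Active Directory module; the site name in the last search is an assumption.

```powershell
# Added example: locating AD DS objects with the Active Directory module.
# Assumes the Contoso.com lab domain and a Marketing OU; run on a domain
# controller or an RSAT workstation that has the Active Directory module.
Import-Module ActiveDirectory

$domainDN = 'DC=Contoso,DC=com'
$ouDN     = "OU=Marketing,$domainDN"

# 1. PowerShell equivalent of:  dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "Dan*"
#    -SearchScope Subtree (the default) includes child OUs; use OneLevel to match
#    only the direct contents of the OU.
Get-ADUser -Filter 'Name -like "Dan*"' -SearchBase $ouDN -SearchScope Subtree |
    Select-Object Name, SamAccountName, Enabled, DistinguishedName

# 2. The same search written as an LDAP filter. This is the form a saved query in
#    Active Directory Users and Computers stores, so a filter tested here can be
#    pasted into a custom saved query unchanged.
$ldap = '(&(objectCategory=person)(objectClass=user)(name=Dan*))'
Get-ADObject -LDAPFilter $ldap -SearchBase $ouDN -Properties sAMAccountName |
    Format-Table Name, sAMAccountName, DistinguishedName

# 3. Disabled user accounts anywhere in the domain
#    (equivalent of:  dsquery user -disabled).
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $domainDN |
    Select-Object Name, SamAccountName, DistinguishedName

# 4. Accounts flagged so that no password is required. Worth finding, because
#    they bypass the domain password policy.
Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Properties PasswordNotRequired |
    Select-Object Name, SamAccountName

# 5. Who is actually a Domain Admin, including members reached through nested groups.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# 6. Domain controllers in one site, with their global catalog status.
#    The site name is an assumption; substitute your own.
Get-ADDomainController -Filter 'Site -eq "Default-First-Site-Name"' |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperatingSystem
```

Searches 3 to 5 are the ones to keep in a scheduled script: each returns objects rather than text, so the results can be compared against an expected list and any unexpected disabled, password-less, or privileged account can be reported.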

Demonstration: Searching AD DS Using GUI-Based Tools

Key Points
In this demonstration, you will see how to:

Use sorting in Active Directory Users and Computers to locate AD DS objects.

Use saved queries in Active Directory Users and Computers to locate AD DS objects.

Demonstration Steps:
Use sorting in Active Directory Users and Computers to locate AD DS objects
1. Open Active Directory Users and Computers.
2. View the contents of the IT OU.
3. Add the First Name column to the view and place it second in the list.
4. Sort the IT OU contents by First Name, both ascending and descending.

Use saved queries in Active Directory Users and Computers to locate AD DS objects
1. Create a new saved query named Starts with C.
2. Define the query to include users whose Name field starts with the letter c.
3. View the results of the query.

Demonstration: Searching AD DS Using Command-Line Tools

Key Points
In this demonstration, you will see how to:

Use dsquery to locate AD DS objects.

Use Windows PowerShell to locate AD DS objects.

Demonstration Steps:
1. Open a command prompt.
2. Run the following command:
dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "M*"
3. Open the Active Directory Module for Windows PowerShell.
4. Run the following command:
Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName | FT Name,sAMAccountName

Lab B: Managing Groups and Locating Objects in AD DS

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario
The Finance department requires access to several folders containing financial documents on several
different servers within the Contoso.com domain.
You have been asked to create a group structure that will do the following:
1. Group the Finance department users together in one AD DS group.
2. Allow the Finance group to obtain Change access to several folders on company servers. It should be easy to add other users or groups from the organization to this group later. You do not have to configure the actual access; just create the group that will be assigned access.

Also, you have been asked to confirm the following properties of the new AD DS objects created for the Finance department:
1. The Finance OU should contain:
   Eva Corets (user)
   Mark Steele (user)
   Finance Template (user)
   NYC-CL5 (computer)
   NYC-CL6 (computer)
   Finance (group)
2. Eva Corets's and Mark Steele's user accounts should be disabled.
3. Eva Corets and Mark Steele should be members of the Finance group.

Exercise 1: Implement Role-Based Management Using Groups

You must create a group structure that groups the Finance department users together and allows them to be assigned Change permissions on a number of shared folders located on different servers in the domain. It should also be easy to give other users and groups the same Change permissions later, without editing the permissions on each folder again.
The main tasks are as follows:
1. Determine group requirements
2. Use management tools to create AD DS groups
3. Modify group attributes

Task 1: Determine group requirements
1. Answer the questions below to determine how the group structure should be created.
Question: What type of group would you create to group the Finance users together?
Question: How can you create a group structure that gives the Finance department members Change permissions and also allows other users and groups from the organization to be assigned these permissions easily?

Task 2: Use management tools to create AD DS groups
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following and press ENTER.
New-ADGroup -Name Finance -SamAccountName Finance -GroupCategory Security -GroupScope Global -DisplayName "Finance Department" -Path "OU=Finance,DC=CONTOSO,DC=COM"
3. At the command prompt, type the following and press ENTER.
New-ADGroup -Name Finance_Folders_Change -SamAccountName FinanceFoldersChange -GroupCategory Security -GroupScope DomainLocal -DisplayName "Change Access to Finance Folders" -Path "OU=Finance,DC=CONTOSO,DC=COM"
4. Close the Active Directory Module for Windows PowerShell window.

Task 3: Modify group attributes
1. Click Start, click Administrative Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Finance OU in the middle pane.
3. Click Eva Corets, press and hold the Ctrl key, and then click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Add to group.
4. In the Enter the object name to select field, type Finance, and then click Check Names.
5. In the Multiple Names Found window, click Finance, and then click OK.
6. In the Select Groups window, click OK.
7. Close the Active Directory Administrative Center window.
8. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
9. In the Active Directory Users and Computers window, click the Finance OU in the left pane, right-click the Finance_Folders_Change group in the right pane, and then click Properties.

10. In the Finance_Folders_Change Properties window, click the Members tab, and then click the Add
button.
11. In the Enter the object name to select field, type Finance, and then click Check Names.
12. In the Multiple Names Found window, click Finance, and then click OK.
13. In the Select Users, Contacts, Computers, Service Accounts or Groups window, click OK.
14. In the Finance_Folders_Change Properties window, click OK.
15. Close the Active Directory Users and Computers window.
Results: In this exercise, you implemented role-based management using groups.
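The script below is an added example, not part of the lab, that performs the whole of Exercise 1 from PowerShell and then goes one step beyond the lab by assigning the resulting resource group Modify rights on a folder, so that the full Accounts, Global group, Domain Local group, Permission (AGDLP) chain is visible. It assumes the lab's Finance OU and the users Eva Corets and Mark Steele; the folder E:\FinanceDocs on a file server is an assumption, and that part must be run on the server that holds the folder.

```powershell
# Added example: role-based management with AGDLP, end to end.
# Assumes the lab Finance OU and users; E:\FinanceDocs is an assumed folder
# on a file server (run step 4 on that server).
Import-Module ActiveDirectory

$ouPath = 'OU=Finance,DC=Contoso,DC=com'

# 1. Role group (global): who the Finance people are. Global scope lets the
#    group be granted rights in any domain of the forest.
$role = New-ADGroup -Name Finance -SamAccountName Finance -GroupCategory Security `
    -GroupScope Global -DisplayName 'Finance Department' -Path $ouPath -PassThru

# 2. Resource group (domain local): what may be done to the Finance folders.
#    Domain local scope can contain users and global groups from trusted domains,
#    so other departments can be added without touching the folder ACLs.
$resource = New-ADGroup -Name Finance_Folders_Change -SamAccountName FinanceFoldersChange `
    -GroupCategory Security -GroupScope DomainLocal `
    -DisplayName 'Change Access to Finance Folders' -Path $ouPath -PassThru

# 3. Users go into the role group; the role group goes into the resource group.
#    The users are looked up by display name, as the lab gives no logon names.
$users = Get-ADUser -Filter 'Name -eq "Eva Corets" -or Name -eq "Mark Steele"' -SearchBase $ouPath
Add-ADGroupMember -Identity $role     -Members $users
Add-ADGroupMember -Identity $resource -Members $role

# 4. Grant the resource group Modify (the NTFS counterpart of the Change share
#    permission) on the folder. The lab stops before this step; it is shown so
#    the chain from account to permission is complete. Run on the file server.
$folder = 'E:\FinanceDocs'   # assumed folder
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CONTOSO\$($resource.SamAccountName)",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    'ContainerInherit, ObjectInherit',   # apply to subfolders and files
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 5. Verify the chain: the effective membership of the resource group, resolved
#    through the nested global group.
Get-ADGroupMember -Identity $resource -Recursive | Select-Object Name, SamAccountName
```

Only the domain local group ever appears in a folder ACL. Granting a new team the same access is one Add-ADGroupMember call on Finance_Folders_Change, and auditing who can change the documents is the single recursive membership query in step 5 rather than a review of every server.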

Exercise 2: Finding Objects in Active Directory


You must confirm the following by examining the Contoso.com AD DS domain.

The only Finance-related groups are:
   Finance
   Finance_Folders_Change

Eva Corets's and Mark Steele's user accounts should be disabled.

Eva Corets and Mark Steele should be members of the Finance group.

The main tasks are as follows:
1. Create and save an AD DS query
2. Use dsquery to locate AD DS objects
3. Use Windows PowerShell to locate AD DS objects

Task 1: Create and save an AD DS query
1. On NYC-DC1, open Active Directory Users and Computers.
2. Right-click Saved Queries and create a new query named Finance Groups.
3. Configure the query to find all groups whose name starts with Finance.
4. Expand Saved Queries, and then click the Finance Groups query to confirm the result.

Task 2: Use dsquery to locate AD DS objects
1. Open a command prompt.
2. At the command prompt, type the following command, and then press ENTER.
dsquery user "ou=Finance,dc=Contoso,dc=com" -disabled
3. View the results and confirm that Eva Corets and Mark Steele are listed.

Task 3: Use Windows PowerShell to locate AD DS objects
1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. At the command prompt, type the following command and then press ENTER.
Get-ADGroupMember Finance
3. View the results and confirm that Eva Corets and Mark Steele are listed.
Results: In this exercise, you located objects in Active Directory.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-CL1.

Module Review and Takeaways

Review Questions
1. You have two locations connected to each other by a very limited bandwidth network connection. You have domain controllers in both locations, and you're finding that the traffic generated between the two domain controllers is causing performance issues on your network connection. What AD DS component that we discussed in this module could be used to alleviate the problem?
2. What tool does Active Directory Administrative Center use in the background to carry out its commands?
3. What are the advantages of using role-based groups and rule-based groups in the same domain environment?

Windows Server 2008 R2 Features Introduced in this Module

Feature: New domain and forest functional levels
   Description: There are new domain and forest functional levels for Windows Server 2008 R2 that introduce new features to the AD DS infrastructure.

Feature: Active Directory Administrative Center
   Description: A task-oriented GUI console that carries out its commands by running Windows PowerShell cmdlets in the background.

Feature: Active Directory Module for Windows PowerShell
   Description: A new set of Active Directory-related cmdlets that allow robust interaction with AD DS.

Feature: Offline domain join (Djoin.exe)
   Description: Allows a Windows 7 or Windows Server 2008 R2 computer to join a domain without contacting a domain controller at join time.

Tools

Tool: Active Directory Users and Computers
   Use for: Managing AD DS objects
   Where to find it: On the Start button under Administrative Tools

Tool: Active Directory Administrative Center
   Use for: Managing AD DS objects
   Where to find it: On the Start button under Administrative Tools

Tool: Active Directory Module for Windows PowerShell
   Use for: Managing AD DS objects using Windows PowerShell cmdlets
   Where to find it: On the Start button under Administrative Tools

Tool: Djoin.exe
   Use for: Performing an offline domain join for Windows 7 or Windows Server 2008 R2 computers
   Where to find it: Run from the command prompt

Tool: DSAdd.exe
   Use for: Adding AD DS objects
   Where to find it: Run from the command prompt

Tool: DSQuery.exe
   Use for: Locating AD DS objects
   Where to find it: Run from the command prompt

Tool: Netdom.exe
   Use for: Performing a variety of tasks on AD DS objects
   Where to find it: Run from the command prompt

Tool: CSVDE and LDIFDE
   Use for: Performing bulk imports and exports of AD DS data using flat files
   Where to find it: Run from the command prompt

Module 8
Configuring Active Directory Object Administration and
Domain Trust
Contents:
Lesson 1: Configuring Active Directory Object Administration   8-3
Lab A: Configuring Active Directory Delegation   8-15
Lesson 2: Configuring Active Directory Trusts   8-20
Lab B: Administering Trust Relationships   8-29

Module Overview

Many organizations have a number of administrators that manage various levels of the Active Directory
Domain Services (AD DS) infrastructure. For example, in addition to typical Enterprise and Domain
administrators, your organization may have organizational unit (OU) administrators, security group
administrators, or users that have rights to perform specific tasks, such as resetting passwords. To ensure a
secure and efficient administrative model, it is important to understand how to effectively delegate
permissions and rights within the AD DS structure.
A single Active Directory domain may be adequate for many organizations. However, larger organizations
typically incorporate multiple domains, or collaborate between multiple Active Directory forests.
This module describes how to configure permissions and delegate administration for Active Directory
objects. This module also describes how to configure and manage Active Directory trusts.

Objectives
After completing this module, you will be able to:

Configure Active Directory object administration.

Configure Active Directory trusts.

Lesson 1

Configuring Active Directory Object Administration

To effectively manage AD DS, you may need to delegate administrative tasks to specific individuals. By
delegating control, you enable these users to perform specific Active Directory management tasks,
without granting them more permissions than they need.
This lesson describes how permissions are applied to AD DS objects. This lesson also describes how to
delegate permissions to users responsible for managing specific objects within the AD DS structure.

Objectives
After completing this lesson, you will be able to:

Describe Active Directory object permissions.

Describe how to determine effective permissions.

Modify permissions inheritance.

Delegate AD DS permissions.

Describe managed service accounts.

Configure managed service accounts.

Active Directory Object Permissions

Key Points
In Module 3: Configuring Access to File Services, you were introduced to how NTFS file system and shared
folder permissions provide access control to secure network resources.
Every container and object within AD DS also has a set of access control information used to control
which administrators or users can manage the object. For example, you use permissions to assign
privileges for managing an organizational unit or a hierarchy of organizational units, and the objects
contained within those organizational units.
To modify permissions for AD DS objects, you use either the Active Directory Users and Computers
console, or ADSI Edit. To use the Active Directory Users and Computers console, ensure that you have
enabled the Advanced Features option found on the View menu.
Note: ADSI Edit should only be used for specific and unique permission modification requirements.
Most permission settings should be performed by using Active Directory Users and Computers.

Standard and Advanced Permissions


You can use standard permissions to configure most Active Directory object permissions tasks. Standard
permissions are the most commonly used and include permissions such as:

Full control.

Read.

Write.

Create all child objects.

Delete all child objects.

Generate resultant set of policy (logging).

Generate resultant set of policy (planning).

However, if you need to grant a finer level of permissions, use advanced permissions or special
permissions. Use special permissions to set permissions on a particular class of object or individual
attributes of an object class. For example, you could grant a user Full Control over the group object class
in a container, just grant the user the ability to modify group memberships in a container, or just grant
the user the permissions needed to change a single attribute, such as the phone number, on all user
accounts.
When you configure permissions on an AD DS object, consider the following.

Configure Allow or Deny permissions.
   Selecting the Allow permission enables the security principal to perform the specific action. Selecting the Deny permission prohibits the security principal from performing a specific action.
   A Deny permission takes precedence over an Allow permission assigned at the same level (explicit over explicit, inherited over inherited) to user accounts and groups. Use Deny permissions only when it is necessary to remove a permission that a user is granted by being a member of a particular group. For example, it might be necessary to prevent a user named Don from viewing the properties of a user object. However, Don is a member of the Marketing group, which has permission to view the properties of the user object. You can prevent Don from viewing the properties of the user object by explicitly denying him Read permission.

When permission to perform an operation is not allowed, it is implicitly denied.
   For example, if the Marketing group is granted Read permission for an OU, and no other security principal is listed in the discretionary access control list (DACL) for that object, users who are not members of the Marketing group are implicitly denied access. The operating system does not allow users who are not members of the Marketing group to read the properties of the OU object.

By default, permission inheritance is enabled for AD DS objects.
   Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container. For example, if you assign permissions at an OU level, by default all of those permissions are inherited by objects inside the OU.
   You can add explicit permissions to a child object at any time; they are evaluated alongside the inherited ones. To modify or remove an inherited permission on a specific object, you must first block inheritance for that object in the Advanced Security Settings dialog box (choosing whether to copy or remove the previously inherited entries) and then adjust the permissions that remain. Objects beneath that child continue to inherit from it, so the change propagates to them automatically.
   If the Allow and Deny check boxes in the access control user interface are shaded when you view the permissions of an object, the object has inherited those permissions from a parent object. The only exception to this is the Special permissions entry. If this entry is shaded and checked, a special permission has been configured.

Moving an AD DS object may change permissions.
   An object inherits permissions from the organizational unit to which it is moved, and no longer inherits permissions from the organizational unit from which it was moved. When you move an object between organizational units, permissions that are set explicitly on the object remain the same.

Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit
Allow permission entry. Explicit permissions take precedence over inherited permissions, even
inherited Deny permissions.
Question: What are the risks with using special permissions to assign AD DS permissions?
Question: What permissions would a user have on an object if you granted them full control permission,
and denied the user write access?

Determining Effective Permissions

Key Points
Accessible from an object's advanced properties settings, the Effective Permissions tool helps you to
determine the permissions applied to an Active Directory object. This tool calculates the permissions that
are applied to the specified user or group, and takes into account the permissions that are in effect from
group memberships and any permission inherited from parent objects.
Effective permissions for Active Directory objects have the following characteristics:

Cumulative permissions are the combination of the Active Directory permissions granted to the user account and to every group the user belongs to.

Explicitly assigned permissions take priority over inherited permissions. Within the same level, a Deny entry overrides an Allow entry: explicit Deny beats explicit Allow, and inherited Deny beats inherited Allow.

An explicit Allow permission set on an object class or attribute overrides an inherited Deny permission.

Object owners can always change permissions. The owner controls how permissions are set on the object, and to whom permissions are granted. The person who creates an Active Directory object is its owner. The Administrators group owns objects that are created during Active Directory installation or by any member of the built-in Administrators group. The owner can always change permissions for an object, even when the owner is denied all access to the object.
Note: The current owner can grant Take Ownership permission to another user, which enables that user to take ownership of that object at any time. The user must actually take ownership to complete the ownership transfer.

To retrieve information about effective permissions in AD DS, use the Effective Permissions tool. If the specified user or group is a domain object, you must have permission to read the object's group membership information on the domain.

Special identities are not used when calculating the effective permissions. This means that if you assign
permissions to any special identities, they will not be included in the effective permissions list.
More Information: Special identities are used to assign permissions for specific situations for both
Active Directory permissions and for network resources. For example, the Everyone identity includes
all authenticated, dial-up, network, and interactive users and is used to provide permissions to
resources. Other common special identities include Authenticated Users, Interactive, and the
Creator Owner identity. For more information on special identities refer to
http://technet.microsoft.com/en-us/magazine/dd637754.aspx.
Question: When retrieving effective permissions, accurate retrieval of information requires permission to
read the membership information. If the specified user or group is a domain object, what type of
permissions does a Domain Administrator need to have to read the object's group information on the
domain? What about a Local administrator?

Demonstration: AD DS Object Permission Inheritance

Key Points
In this demonstration, you will see how to:
• Verify permission inheritance for AD DS objects.
• Modify permission inheritance.
• View effective permissions on an AD DS object.

Demonstration Steps:
1. Open Active Directory Users and Computers.
2. Enable the Advanced Features option from the View menu.
3. Open the Properties dialog box for an AD DS object and then click the Security tab.
4. To modify standard permissions, click Add or Remove.
5. To modify advanced permissions, click the Advanced button.
6. To modify permission inheritance, modify the check box next to Include inheritable permissions
   from this object's parent.
7. To determine effective permissions for a user or group, click the Effective Permissions tab and then
   select the user or group name.
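The inheritance flag and the ACEs that the Security tab shows can also be read from the Active Directory module, which makes the check repeatable across many OUs and makes visible the special-identity ACEs that the Effective Permissions tab leaves out. The following PowerShell is an added example written for this page, not course material; it assumes the Active Directory module from Windows Server 2008 R2, and the OU distinguished name and the function name Get-ADObjectAclReport are placeholders of my own.

```powershell
# Added example, not course material: read an AD DS object's ACL through the AD: drive
# that the Active Directory module provides (Windows Server 2008 R2).
# The OU distinguished name below is a placeholder; replace it with one from your domain.
Import-Module ActiveDirectory

function Get-ADObjectAclReport {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    $entries = foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            # Schema GUID of the attribute or extended right the ACE is scoped to;
            # an all-zero GUID means the ACE applies to the whole object.
            ObjectType = $ace.ObjectType
        }
    }
    New-Object PSObject -Property @{
        Object             = $DistinguishedName
        # AreAccessRulesProtected is $true when "Include inheritable permissions
        # from this object's parent" has been cleared on this object.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Entries            = $entries
    }
}

$report = Get-ADObjectAclReport -DistinguishedName 'OU=Marketing,DC=contoso,DC=com'
"Inheritance blocked on {0}: {1}" -f $report.Object, $report.InheritanceBlocked

# Special identities (Authenticated Users, SELF, Everyone, CREATOR OWNER) appear here as
# ordinary ACEs even though the Effective Permissions tab does not count them.
$report.Entries |
    Where-Object { $_.Identity -match '^(NT AUTHORITY\\|Everyone$|CREATOR OWNER$)' } |
    Format-Table Identity, Type, Rights, Inherited -AutoSize

# Explicit (non-inherited) ACEs are where delegation and manual edits show up.
$report.Entries |
    Where-Object { -not $_.Inherited } |
    Format-Table Identity, Type, Rights, ObjectType -AutoSize
```

Run it on the domain controller in the Active Directory Module for Windows PowerShell console. An OU whose InheritanceBlocked value is $true will not pick up permission changes made higher in the tree, which is the situation the demonstration's step 6 creates.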

What Is Delegation of Control?

Key Points
Delegation of control is the ability to assign the management responsibility of Active Directory objects to
another user or group without the need to add the user or group to the Domain Admins group.
Delegated administration helps to ease the administrative burden of managing your network by
distributing routine administrative tasks. With delegated administration, you can assign basic
administrative tasks to regular users or groups. For example, you could give OU administrators the right to
add or remove user or computer objects, or an administrative assistant the right to reset passwords.
By delegating administration, you give groups in your organization more control of their local network
resources. You also help secure your network from accidental or malicious damage by limiting the
membership of the standard administrator groups.

Options for Delegating Control

You can define the delegation of administrative control in the following four ways:
• Grant permissions to create or modify all objects in a specific organizational unit or in the domain.
• Grant permissions to create or modify some types of objects in a specific organizational unit or at the
  domain level.
• Grant permissions to create or modify a specific object in a specific organizational unit or at the
  domain level.
• Grant permissions to modify specific attributes of an object (such as granting the permission to reset
  passwords on a user account) in a specific organizational unit or at the domain level.

The Delegation of Control Wizard allows you to delegate administrative tasks to users or groups within a
specific administrative scope. This tool is driven by a customizable text file and ships with a base set of
common administrative tasks. You can modify the tasks available for delegation by editing Delegwiz.inf,
a file stored in the C:\Windows\System32 folder on the domain controller. The Delegation of Control
Wizard also allows you to delegate a custom task.
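The fourth option above (one attribute or extended right on one object class within an OU) is the narrowest form of delegation and the one the wizard's "Reset user passwords" task produces. The PowerShell below is an added example, not course code or the wizard's own implementation; it writes the equivalent ACE directly and then checks for it. It assumes the Active Directory module from Windows Server 2008 R2; the OU and the Marketing_Managers group are placeholders taken from the lab scenario, the function names are my own, and the two GUIDs are the fixed schema identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example, not course material: delegate "Reset Password" on user objects in one
# OU to a group by writing an explicit ACE, then verify that the ACE exists.
# OU and group names are placeholders from the lab scenario.
Import-Module ActiveDirectory

# Fixed schema GUIDs, identical in every AD forest.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class: user

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory=$true)][string]$OuDistinguishedName,
        [Parameter(Mandatory=$true)][string]$GroupSamAccountName
    )
    $sid  = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $path = "AD:\" + $OuDistinguishedName
    $acl  = Get-Acl -Path $path

    # Allow only the Reset Password extended right, and only on descendant user
    # objects: nothing is granted on the OU itself or on other object classes.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory=$true)][string]$OuDistinguishedName,
        [Parameter(Mandatory=$true)][string]$GroupSamAccountName
    )
    $sid = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    # True only if a non-inherited Allow ACE carrying exactly this right exists for the group.
    $match = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return [bool]$match
}

$ou = 'OU=Marketing,DC=contoso,DC=com'
Grant-ResetPasswordDelegation -OuDistinguishedName $ou -GroupSamAccountName 'Marketing_Managers'
Test-ResetPasswordDelegation  -OuDistinguishedName $ou -GroupSamAccountName 'Marketing_Managers'
```

Scoping the ACE with an inherited object type (the user class) is what keeps the grant from applying to computer, group or OU objects created later under the same OU; the wizard's broader "Create, delete, and manage user accounts" task writes several such ACEs at once.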

Demonstration: Configuring Delegation of Control

Key Points
In this demonstration, you will see how to:
• Delegate administration to manage user accounts.
• Review custom delegation permissions.
• Review permissions on a child OU.

Demonstration Steps:
1. Open Active Directory Users and Computers.
2. Right-click the domain or an organizational unit, and then click Delegate Control.
3. Complete the Delegation of Control Wizard steps.

What Are Managed Service Accounts?

Key Points
Microsoft Windows Server 2008 R2 introduces a new type of account called the managed service
account. The following section describes this new type of account.
Note: The content in this section only applies to Windows Server 2008 R2.

Managed Service Accounts

Many network-based applications use an account to run services or provide authentication. For example,
an application on a local computer might use the Local Service, Network Service, or Local System
accounts. These service accounts may work fine; however, they are typically shared among multiple
applications and services, which makes them difficult to manage for a specific application. These local
service accounts also cannot be managed at the domain level.
Alternatively, an application might use a standard domain account that is configured specifically for the
application. This is quite common; however, the main drawback is that you need to manage the
passwords manually, which increases administration effort.
A managed service account can provide an application with its own unique account, while eliminating the
need for an administrator to manually administer the credentials for this account.
Managed service accounts provide the following benefits to simplify administration:
• Automatic password management. A managed service account automatically maintains its own
  password, including password changes.
• Simplified Service Principal Name (SPN) management. SPNs can be managed automatically if your
  domain is configured at the Windows Server 2008 R2 domain functional level.

Requirements for Using Managed Service Accounts

To use a managed service account, the server that runs the service or application must be running
Windows Server 2008 R2. You also must ensure that .NET Framework 3.5.x and the Active Directory
module for Windows PowerShell are both installed on the server.
Note: A managed service account cannot be shared between multiple computers or be used in server
clusters where the service is replicated between nodes.
To simplify and provide full automatic password and SPN management, we strongly recommend that the
AD DS domain be at the Windows Server 2008 R2 functional level. However, if you have a domain
controller running Windows Server 2008 or Windows Server 2003, you can update the Active Directory
schema to Windows Server 2008 R2 to support this feature. The only disadvantage is that the domain
administrator must still configure SPN data for the managed service accounts manually.
To update the schema in Windows Server 2008, Windows Server 2003, or native-mode environments, you
must perform the following tasks:
1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.
2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with the Active
   Directory Management Gateway Service, or Windows Server 2003 with the Active Directory
   Management Gateway Service.
   Note: The Active Directory Management Gateway Service allows administrators with domain
   controllers running Windows Server 2003 or Windows Server 2008 to use Windows PowerShell
   cmdlets to manage managed service accounts.

After the domain and server prerequisites have been addressed, you can use the following process to
create a managed service account:
1. On the domain controller, use the Active Directory module for Windows PowerShell to create a new
   managed service account in Active Directory. The following command can be used as an example of
   the base command.

   New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]

2. Install the managed service account on the server that contains the service or application. The
   following command is run on the local server.

   Install-ADServiceAccount -Identity <ADServiceAccount>

3. Configure the service or application to use the managed service account.

Windows PowerShell provides a number of cmdlets that can be used to administer managed service
accounts. Management tasks include:
• Finding managed service accounts.
• Associating or removing managed service accounts on a computer.
• Installing a managed service account on a computer.
• Deleting a managed service account.
• Resetting the password of a managed service account.
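The three-step process above, carried through end to end with a verification step between the domain controller side and the server side, as an added example that is not part of the course material. It assumes the Windows Server 2008 R2 Active Directory module on both hosts; the account, server and service names are placeholders taken from the lab scenario, the two function names are my own, and configuring the service through Win32_Service.Change (rather than the Services console the course uses) is my choice.

```powershell
# Added example, not course material: create / associate / install / verify a managed
# service account with the Windows Server 2008 R2 cmdlets, then bind a service to it.
# Account, server and service names are placeholders taken from the lab scenario.
Import-Module ActiveDirectory

# ---- Part 1: run on the domain controller (or any host with the AD module) ----
function New-AssociatedServiceAccount {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$ComputerName
    )
    # AD generates the password and rotates it; no administrator ever handles it.
    New-ADServiceAccount -Name $Name
    # Bind the account to exactly one computer (an MSA cannot be shared between hosts).
    Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $Name
    # Return the hosts the account is associated with so the caller can check the binding.
    (Get-ADServiceAccount -Identity $Name -Properties HostComputers).HostComputers
}

# ---- Part 2: run locally on the server that will use the account ----
function Install-AndVerifyServiceAccount {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$ServiceName
    )
    # Retrieve the password from AD and cache it in this host's LSA only.
    Install-ADServiceAccount -Identity $Name
    # Test-ADServiceAccount returns $true only when this host can actually use the account.
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "Managed service account $Name is not usable on this host."
    }
    # Point the service at the MSA. The logon name is DOMAIN\name$ and, as in the
    # Services console, the password is left empty because AD supplies it.
    # (Assumption: Win32_Service.Change is used here instead of the Services console.)
    $domain = (Get-ADDomain).NetBIOSName
    $svc    = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    $result = $svc.Change($null, $null, $null, $null, $null, $null, "$domain\$Name`$", "")
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
    }
    Restart-Service -Name $ServiceName
}

# On NYC-DC1:
New-AssociatedServiceAccount -Name 'App1_SVR1' -ComputerName 'NYC-SVR1'
# On NYC-SVR1, once the association above has replicated to its domain controller:
Install-AndVerifyServiceAccount -Name 'App1_SVR1' -ServiceName 'defragsvc'
```

One caveat when bypassing the Services console: the console grants the account the "Log on as a service" user right automatically, whereas setting the logon account through WMI or sc.exe does not, so grant that right to the MSA (locally or by Group Policy) before the service is restarted. Test-ADServiceAccount is also the quickest check when a service later fails to start after the host was rebuilt or renamed.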

Demonstration: Configuring a Managed Service Account

Key Points
In this demonstration, you will see how to:
• Create and associate a managed service account.
• Install a managed service account.

Demonstration Steps:
1. Open Active Directory Module for Windows PowerShell.
2. Use Windows PowerShell to create the managed service account.
3. Use Windows PowerShell to associate the managed service account to a specific server.
4. Use Windows PowerShell to install the managed service account on a specific server.

Lab A: Configuring Active Directory Delegation

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
   Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-SVR1. Do not log on to this virtual machine until instructed to
   do so.

Lab Scenario
You are a network administrator for Contoso, Ltd. Each department in Contoso, Ltd. has its own
Organizational Unit in the AD DS infrastructure. You need to delegate Organizational Unit administrative
tasks to the managers of each department.
You have also been asked to implement a managed service account for an application that will be
installed on NYC-SVR1. For this project, you must complete the following tasks:
• Delegate the Marketing Managers security group the right to manage user accounts in the Marketing
  Organizational Unit.
• Create a managed service account called App1_SVR1, and assign it to NYC-SVR1.
• Install the App1_SVR1 service account on NYC-SVR1.

Exercise 1: Delegating Control of AD DS Objects

Scenario
In this exercise, you will delegate control of the Marketing Organizational Unit to the Marketing Managers
security group. All Marketing Managers should be able to fully manage user accounts in the OU.
The main tasks for this exercise are as follows:
1. Delegate management tasks for the Marketing OU.
2. Verify effective permissions assigned for the Marketing OU.
3. Test delegated permissions.

Task 1: Delegate management tasks for the Marketing OU.
1. On NYC-DC1, open Active Directory Users and Computers.
2. Use the Delegation of Control Wizard to configure the following:
   • Organizational Unit: Marketing
   • Users or Groups: Marketing_Managers
   • Tasks to Delegate: Create, delete, and manage user accounts

Task 2: Verify effective permissions assigned for the Marketing OU.
1. On NYC-DC1, open the properties of the Marketing Organizational Unit.
2. Verify the effective permissions for Don Roessler on the Marketing OU.

Task 3: Test delegated permissions.
1. Log on to NYC-SVR1 as Contoso\Don, with the password Pa$$w0rd.
2. Open Active Directory Users and Computers and verify that Don can create new user accounts.
3. Log off from NYC-SVR1.

Results: After completing this exercise, you will have delegated the right to manage user accounts to
the Marketing Managers.

Exercise 2: Creating Managed Service Accounts in AD DS

Scenario
You have been asked to create a managed service account called App1_SVR1, to be used by an
application located on NYC-SVR1.
The main tasks for this exercise are as follows:
1. Use Windows PowerShell to create and associate a managed service account.
2. Install a managed service account on a server.

Note: Because of the complexity of the PowerShell commands, these steps are the same as the Lab
Answer Key.

Task 1: Use Windows PowerShell to create and associate a managed service account.
1. On NYC-DC1, open the Active Directory Module for Windows PowerShell console.
2. At the prompt, type the following command, and then press ENTER:

   New-ADServiceAccount -Name App1_SVR1

3. At the prompt, type the following command, and then press ENTER:

   Add-ADComputerServiceAccount -Identity NYC-SVR1 -ServiceAccount App1_SVR1

4. At the prompt, type the following command, and then press ENTER:

   Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers -A

5. Verify that the App1_SVR1 service account is associated with NYC-SVR1.
6. Close all open windows on NYC-DC1.

Task 2: Install a managed service account on a server.
1. Switch to the NYC-SVR1 virtual machine.
2. Log on to NYC-SVR1 as Contoso\Administrator, with the password Pa$$w0rd.
3. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows
   PowerShell. The Administrator: Active Directory Module for Windows PowerShell console
   opens.
4. At the prompt, type the following command, and then press ENTER:

   Install-ADServiceAccount -Identity App1_SVR1

5. Click Start, point to Administrative Tools, and then click Services.
6. In the Services console, right-click Disk Defragmenter, and then click Properties.
   Note: The Disk Defragmenter service is just used as an example for this lab. In a production
   environment, you would use the actual service that should be assigned the managed service account.
7. In the Disk Defragmenter Properties dialog box, click the Log On tab.
8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.
9. Clear the password in both the Password and Confirm password boxes. Click OK.
10. Click OK at all prompts.
11. Close the Services console.
12. Close all open windows on NYC-SVR1.

Results: After completing this exercise, you will have created and installed a managed service
account.

To prepare for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.

Lesson 2

Configuring Active Directory Trusts

Many organizations might only deploy a single AD DS domain. However, larger organizations, or
organizations that need to enable access to resources in other organizations or business units, may deploy
several domains in the same Active Directory forest or a separate forest. For users to access resources
between the domains in the same forest, two-way transitive trusts are automatically established. To access
resources in a different forest, you need to configure explicit trusts between the forests. This lesson
describes how to configure and manage trusts in an Active Directory environment.

Objectives
After completing this lesson, you will be able to:
• Describe trust options.
• Describe how trusts work within a forest.
• Describe how trusts work between forests.
• Configure a forest trust.
• Configure resource access for users from a trusted domain.

Overview of AD DS Trust Options

Key Points
Trusts allow the credentials of security principals to be accepted across domain or forest boundaries, and
are necessary to allow resource access between domains. Within a forest, two-way transitive trusts are
created automatically between domains. Between forests, you have to create an explicit trust relationship
to share resources. When you configure a trust, a user can be authenticated in their own domain, and
their security credentials can then be used to access resources in a different domain.
All trusts have the following characteristics:
• Trusts can be defined as transitive or non-transitive. A transitive trust is one in which the trust
  relationship that is extended to one domain is automatically extended to all domains in the domain
  tree that trusts that domain. For example, as illustrated above, if the Forest (root) domain and Domain
  A have a transitive trust with each other, as do the Forest (root) and Domain B, then Domain A and
  Domain B will also trust each other. If the trusts are non-transitive, then the trust is established only
  between the two domains.
• The trust direction defines where the user accounts and resources are located. The user accounts are
  located in the trusted domain, while the resources are located in the trusting domain. The trust
  direction flows from the trusted domain to the trusting domain. In Windows Server 2008, there are
  three trust options: one-way incoming, one-way outgoing, and two-way trusts.
• Trusts can also have different protocols that you use to establish the trust. The two protocol options
  for configuring trusts are the Kerberos protocol version 5, and Microsoft Windows NT Local Area
  Network (LAN) Manager (NTLM). In most cases, Windows Server 2008 will use Kerberos to establish
  and maintain a trust.

All trusts in Microsoft Windows 2000 Server, Microsoft Windows Server 2003, and Microsoft Windows
Server 2008 forests are transitive, two-way trusts. Therefore, both domains in a trust relationship are
trusted; however, one-way trusts can be configured. The diagram above illustrates a two-way trust
between Forests 1 and 2, and one-way trusts between domains E and A (also called a shortcut trust) and
between domains B and Q (called an external trust).

The following table outlines the types of trusts that can exist in an AD DS environment.

Trust Type     Description
-------------  -----------------------------------------------------------------------------------
Parent-child   Exists between parent and child domains in the same domain tree. This two-way
               transitive trust allows security principals to be authenticated in any domain in the
               forest. These trusts are created by default, and cannot be removed. Parent-child
               trusts always use the Kerberos protocol.
Tree-root      Exists between all domain trees in the forest. This two-way transitive trust allows
               security principals to be authenticated in any domain in the forest. These trusts are
               created automatically, and cannot be removed. Tree-root trusts always use the
               Kerberos protocol.
External       Can be created between domains that are not part of the same forest. These trusts
               can be one-way or two-way, and are non-transitive. External trusts always use the
               NTLM protocol.
Realm          Can be created between a non-Windows operating system domain (referred to as a
               Kerberos realm) and a Windows Server 2008 domain. These trusts can be one-way
               or two-way, and can be transitive or non-transitive. Realm trusts always use the
               Kerberos protocol.
Forest         Can be created between forests that are at the Windows Server 2003 forest
               functional level, or higher. These trusts can be one-way or two-way, and can be
               transitive or non-transitive. Forest trusts always use the Kerberos protocol.

Question: If you need to share resources between domains, but do not want to configure a trust, how will
you provide access to the shared resources?

How Trusts Work Within a Forest

Key Points
When you set up trusts between domains, either within the same forest, across forests, or with an external
realm, information about these trusts is stored in the System container in the originating AD DS domain. A
trusted domain object (TDO) stores information about the trust, including the direction of trust,
transitivity of trust, and type of trust.

How Trusts Enable Users to Access Resources in a Forest

When a user attempts to access a resource in another domain, the Kerberos authentication protocol must
determine whether the trusting domain has a trust relationship with the trusted domain.
To determine this relationship, the authentication process travels the trust path, using the TDO to
obtain a referral to the target domain's domain controller. The target domain controller issues a service
ticket for the requested service. The trust path is the shortest path in the trust hierarchy.
When the user in the trusted domain attempts to access the resource in the other domain, the user's
computer first contacts the domain controller in its own domain to obtain authentication to the resource. If
the resource is not in the user's domain, the domain controller uses the trust relationship with its parent,
and refers the user's computer to a domain controller in its parent domain.
This attempt to locate a resource continues up the trust hierarchy, possibly to the forest root domain, and
down the trust hierarchy, until contact occurs with a domain controller in the domain where the resource
is located.
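Because direction, transitivity and type are stored on the TDO, the trust table from the previous topic can be reconstructed from your own domain rather than from a diagram. The PowerShell below is an added example, not course material; it assumes the Windows Server 2008 R2 Active Directory module (which has no trust-specific cmdlet, so it reads the trustedDomain objects with Get-ADObject), and the function name and the short attribute labels are my own. The bit values decoded are the documented trustAttributes flags.

```powershell
# Added example, not course material: list the trusted domain objects (TDOs) in the
# System container and decode the direction, type and attribute bits they carry.
# Uses only Get-ADObject and Get-ADDomain from the Windows Server 2008 R2 module.
Import-Module ActiveDirectory

# Documented trustAttributes bit values; the variable names are my own labels.
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering enforced on this trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication enabled
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20

function Get-TrustReport {
    param([string]$Server)   # optional domain controller to query
    $query = @{
        LDAPFilter = '(objectClass=trustedDomain)'
        SearchBase = (Get-ADDomain).SystemsContainer
        Properties = 'trustPartner', 'trustDirection', 'trustType', 'trustAttributes'
    }
    if ($Server) { $query['Server'] = $Server }

    foreach ($tdo in Get-ADObject @query) {
        $attr = [int]$tdo.trustAttributes
        # trustDirection is stored from this domain's point of view.
        $direction = switch ([int]$tdo.trustDirection) {
            1       { 'Inbound (partner trusts this domain)' }
            2       { 'Outbound (this domain trusts partner)' }
            3       { 'Bidirectional' }
            default { 'Disabled' }
        }
        $type = switch ([int]$tdo.trustType) {
            1       { 'Downlevel (Windows NT)' }
            2       { 'Uplevel (Active Directory)' }
            3       { 'Kerberos realm' }
            default { "Unknown ($($tdo.trustType))" }
        }
        New-Object PSObject -Property @{
            Partner       = $tdo.trustPartner
            Direction     = $direction
            Type          = $type
            WithinForest  = [bool]($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST)
            ForestTrust   = [bool]($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
            NonTransitive = [bool]($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            SidFiltering  = [bool]($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
            SelectiveAuth = [bool]($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)
        }
    }
}

Get-TrustReport |
    Format-Table Partner, Direction, Type, WithinForest, ForestTrust, NonTransitive, SidFiltering, SelectiveAuth -AutoSize
```

The two last columns are the ones to review on external and forest trusts: SidFiltering shows whether SIDs from the partner's SID history are discarded at the boundary, and SelectiveAuth shows whether the trust was created in the selective authentication mode described later in this lesson. Within-forest trusts report the WithinForest flag and are always bidirectional and transitive.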
Question: In this slide, what type of trust do Domain B and Domain C have, in this forest? What are the
limitations?

How Trusts Work Between Forests

Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in
another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the
resource. After the resource is located, the user can be authenticated and allowed to access the resource.
How a Resource Is Accessed
The following is a description of how a client computer locates and accesses a resource in another forest
that has Windows Server 2008 servers:
1. A user who is logged on to the domain EMEA.WoodgroveBank.com attempts to access a shared
   folder in the Contoso.com forest. The user's computer contacts the domain controller in
   EMEA.WoodgroveBank.com and requests a service ticket by using the SPN of the computer on which
   the resource resides. An SPN can be the Domain Name System (DNS) name of a host or domain, or it
   can be the distinguished name of a service connection point object.
2. The resource is not located in EMEA.WoodgroveBank.com, so the domain controller for
   EMEA.WoodgroveBank.com queries the global catalog to see if the resource is located in another
   domain in the forest. Because a global catalog only contains information about its own forest, it does
   not find the SPN. The global catalog then checks its database for information about any forest trusts
   that are established with its forest. If the global catalog finds one, it compares the name suffixes that
   are listed in the forest trust TDO to the suffix of the target SPN. After it finds a match, the global
   catalog provides routing information about how to locate the resource to the domain controller in
   EMEA.WoodgroveBank.com.
3. The domain controller in EMEA.WoodgroveBank.com sends a referral for its parent domain,
   WoodgroveBank.com, to the user's computer.
4. The user's computer contacts a domain controller in WoodgroveBank.com for a referral to a domain
   controller in the forest root domain of the Contoso.com forest.

5. Using the referral that the domain controller in the WoodgroveBank.com domain returns, the user's
   computer contacts a domain controller in the Contoso.com forest for a service ticket to the requested
   service.
6. The resource is not located in the forest root domain of the Contoso.com forest, so the domain
   controller contacts its global catalog to find the SPN. The global catalog finds a match for the SPN,
   and then sends it to the domain controller.
7. The domain controller sends the user's computer a referral to NA.contoso.com.
8. The user's computer contacts the Key Distribution Center (KDC) on the domain controller in
   NA.contoso.com, and negotiates a ticket for the user to gain access to the resource in the
   NA.contoso.com domain.
9. The user's computer sends the server service ticket to the computer on which the shared resource is
   located, which reads the user's security credentials, and then constructs an access token, which gives
   the user access to the resource.

Question: Why would clients not be able to access resources in a domain outside the forest?

Demonstration: Configuring a Forest Trust

Key Points
In this demonstration, you will see how to configure a forest trust.

Demonstration Steps:
1. Open Active Directory Domains and Trusts.
2. From the Properties dialog box of the domain, click the Trusts tab.
3. Click New Trust to start the New Trust Wizard. Complete the required steps.
4. Use the New Trust Wizard or Windows PowerShell to verify the trust relationship.

Resource Access for Users from Trusted Domains

Key Points
When you configure a trust relationship that enables your domain to trust another domain, you open up
the possibility for users in the trusted domain to gain access to resources in your domain. The following
sections examine components related to the security of a trusting domain's resources.

Authenticated Users
A trust relationship itself does not grant access to any resources; however, it is likely that by creating a
trust relationship, users in the trusted domain will have immediate access to a number of your domain's
resources. This is because many resources are secured with access control lists (ACLs) that give permissions
to the Authenticated Users group.

Membership in Domain Local Groups
The best practice for managing access to a resource is to assign permissions to a domain local group. You
can then nest users and groups from your domain into the domain local group, and thereby, grant them
access to the resource. Domain local security groups can also include users and global groups from
trusted domains as members. Therefore, the most manageable way to assign permissions to users in a
trusted domain is to make them, or their global groups, members of a domain local group in your
domain.

Add Trusted Identities to ACLs
You can also add users and global groups from a trusted domain directly to the ACLs of resources in a
trusting domain. This approach is not as manageable as the previous method of using a domain local
group, but it is possible.

Selective Authentication
When you create an external trust or a forest trust, you can control the scope of authentication of trusted
security principals. There are two modes of authentication for an external or forest trust:


Selective authentication

Domain-wide authentication (for an external trust) or forest-wide authentication (for a forest trust)

If you choose domain-wide or forest-wide authentication, all trusted users can be authenticated for access
to services on all computers in the trusting domain. Trusted users can, therefore, be given permission to
access resources anywhere in the trusting domain. With this authentication mode, you must have
confidence in the security procedures of your enterprise and in the administrators who implement those
procedures, so that inappropriate access is not assigned to trusted users. Remember, for example, that
users from a trusted domain or forest are considered Authenticated Users in the trusting domain, so any
resource with permissions granted to Authenticated Users will be immediately accessible to trusted
domain users, if you choose domain-wide or forest-wide authentication.
If, however, you choose selective authentication, all users in the trusted domain are trusted identities;
however, they are allowed to authenticate only for services on computers that you have specified. For
example, imagine that you have an external trust with a partner organization's domain. You want to
ensure that only users from the marketing group in the partner organization can access shared folders on
only one of your many file servers. You can configure selective authentication for the trust relationship,
and then give the trusted users the right to authenticate only for that one file server.
To configure the authentication mode for a new outgoing trust, use the Outgoing Trust Authentication
Level page of the New Trust Wizard. To configure the authentication level for an existing trust, open the
properties of the trusting domain in Active Directory Domains and Trusts, select the trust relationship,
click Properties, and then click the Authentication tab.
After you have selected Selective Authentication for the trust, by default, no trusted users will be able to
access resources in the trusting domain, even if those users have been given permissions.
To gain access, the users must also be assigned the Allowed to authenticate permission on the
computer object in the domain.
To assign this permission:
1. Open the Active Directory Users and Computers snap-in and make sure that Advanced Features
is selected in the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate, that
is, the computer that trusted users will log on to or that contains resources to which trusted users
have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them, and select the Allow check
box for the Allowed to authenticate permission.


Lab B: Administer Trust Relationships

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-VAN-DC1. Log on to VAN-DC1 as Adatum\Administrator, with the
password Pa$$w0rd.

Lab Scenario
Contoso, Ltd. has initiated a strategic partnership with A. Datum Corporation. Users from the Contoso.com
domain will need to have access to file shares located at Adatum.com. You need to perform the following
tasks:

Configure name resolution between the two forests.

Configure a forest trust relationship between Contoso.com and Adatum.com.

Configure Selective Authentication to only allow Adatum.com domain users to access NYC-SVR1.


Exercise 1: Configuring Name Resolution between Contoso.com and Adatum.com

Scenario
In this exercise, you will configure conditional forwarding to provide name resolution between the
Contoso.com domain and the Adatum.com domain.
The main tasks for this exercise are as follows:
1. Configure DNS conditional forwarding on NYC-DC1.
2. Configure DNS conditional forwarding on VAN-DC1.

Note: Conditional Forwarding is covered in detail in Module 2: Managing Windows Server 2008
Infrastructure Roles.

Task 1: Configure DNS conditional forwarding on NYC-DC1.
1. On NYC-DC1, open DNS Manager.
2. Configure a Conditional Forwarder with the following settings:
   DNS Domain: Adatum.com
   IP address of master servers: 10.10.0.100

Task 2: Configure DNS conditional forwarding on VAN-DC1.
1. On VAN-DC1, open DNS Manager.
2. Configure a Conditional Forwarder with the following settings:
   DNS Domain: Contoso.com
   IP address of master servers: 10.10.0.10

Results: After completing this exercise, you will have configured name resolution between the
Contoso.com domain and the Adatum.com domain.
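The same two conditional forwarders can be created and checked from Windows PowerShell. The script below is an added example, not part of the lab, and wraps dnscmd.exe, which ships with the DNS Server role on Windows Server 2008. Zone names and master addresses are the lab values; the host names resolved at the end (VAN-DC1.Adatum.com, NYC-DC1.Contoso.com) are assumed to exist in the partner zones.

```powershell
# Added example (not course code): configure and check the Lab B Exercise 1
# conditional forwarders with dnscmd.exe.

function Add-ConditionalForwarder {
    param(
        [string]$ZoneName,                      # domain whose queries are forwarded
        [string[]]$MasterIP,                    # DNS servers authoritative for that domain
        [string]$DnsServer = $env:COMPUTERNAME  # DNS server to configure
    )
    # A second /ZoneAdd for an existing zone fails, so probe with /ZoneInfo first
    & dnscmd $DnsServer /ZoneInfo $ZoneName 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Verbose "Zone $ZoneName already exists on $DnsServer"
        return
    }
    # dnscmd /ZoneAdd <zone> /Forwarder <master IPs> creates a conditional forwarder
    & dnscmd $DnsServer /ZoneAdd $ZoneName /Forwarder $MasterIP | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd /ZoneAdd $ZoneName failed (exit code $LASTEXITCODE)"
    }
}

function Test-NameResolution {
    # Resolve a name through the local resolver and report the outcome as an object
    param([string]$HostName)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{
            Host = $HostName; Resolved = $true; Addresses = ($addresses -join ', ')
        }
    } catch {
        New-Object PSObject -Property @{
            Host = $HostName; Resolved = $false; Addresses = $_.Exception.Message
        }
    }
}

# On NYC-DC1 (Contoso.com): send Adatum.com queries to VAN-DC1 at 10.10.0.100
Add-ConditionalForwarder -ZoneName 'Adatum.com' -MasterIP '10.10.0.100'
Test-NameResolution -HostName 'VAN-DC1.Adatum.com'

# On VAN-DC1 (Adatum.com), the mirror image:
# Add-ConditionalForwarder -ZoneName 'Contoso.com' -MasterIP '10.10.0.10'
# Test-NameResolution -HostName 'NYC-DC1.Contoso.com'
```

Until both forwarders are in place, the trust wizard in Exercise 2 cannot locate a domain controller of the partner forest, so running Test-NameResolution on each DC before starting the wizard saves a confusing failure later. On Windows Server 2012 and later, the DnsServer module's Add-DnsServerConditionalForwarderZone cmdlet replaces the dnscmd call.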


Exercise 2: Configuring a Forest Trust


Scenario
You need to configure a forest trust between Contoso.com and Adatum.com.
The main tasks for this exercise are as follows:
1. Use the New Trust Wizard to create a Forest Trust.
2. Configure Selective Authentication.

Task 1: Use the New Trust Wizard to create a Forest Trust.
1. On NYC-DC1, open the Active Directory Domains and Trusts console.
2. Start the New Trust Wizard and configure the following:
   Trust Name: Adatum.com
   Trust Type: Forest Trust
   Direction of Trust: Two-way
   Sides of Trust: Both this domain and the specified domain
   User Name: Administrator
   Password: Pa$$w0rd
   Outgoing Trust Authentication Level, Local Forest: Forest-wide authentication
   Outgoing Trust Authentication Level, Specified Forest: Forest-wide authentication
   Confirm both the outgoing and incoming trust
3. On NYC-DC1, configure Selective Authentication to only allow Adatum.com domain users to
authenticate to NYC-SVR1.

Task 2: Configure Selective Authentication
1. On NYC-DC1, open the Active Directory Domains and Trusts console.
2. Open the Properties pane for the Contoso.com domain and enable Selective Authentication for
the Adatum.com domain.
3. Close Active Directory Domains and Trusts.
4. Open the Active Directory Users and Computers console.
5. Using the Advanced Features, configure NYC-SVR1 to allow the ADATUM\Domain Users group to
authenticate.
6. Close Active Directory Users and Computers.


Results: After completing this exercise, you will have created a Forest Trust and configured Selective
Authentication.
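Step 5 of Task 2 is the same "Allowed to authenticate" assignment described on page 8-28. As an added example that is not part of the lab, the script below performs that assignment from Windows PowerShell and then audits which computers in the trusting domain carry the permission and for whom, which is the check to run after enabling selective authentication to confirm that trusted users can reach only the servers you intended. It assumes the Active Directory module and its AD: drive on a Windows Server 2008 R2 domain controller of the trusting domain (Contoso.com); NYC-SVR1 and ADATUM\Domain Users are the lab values.

```powershell
# Added example (not course code): grant and audit the Allowed to authenticate
# permission that selective authentication requires on each computer object.
Import-Module ActiveDirectory

# Resolve the GUID of the Allowed-To-Authenticate control access right from the
# Extended-Rights container rather than hard-coding it.
function Get-AllowedToAuthenticateGuid {
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                 -LDAPFilter '(cn=Allowed-To-Authenticate)' -Properties rightsGuid
    [guid]$right.rightsGuid
}

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName,   # computer that trusted users may authenticate to
        [string]$TrustedGroup,   # group in the trusted forest (sAMAccountName)
        [string]$TrustedDomain   # DNS name of the trusted forest, used to look up the SID
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # Ask a DC of the trusted forest for the group's SID; the ACE stores the SID,
    # so the grant survives a rename of the group.
    $group = Get-ADGroup -Identity $TrustedGroup -Server $TrustedDomain

    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $group.SID,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                (Get-AllowedToAuthenticateGuid))
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit: every computer whose ACL grants Allowed to authenticate, and to whom
function Get-AllowedToAuthenticateGrants {
    $guid = Get-AllowedToAuthenticateGuid
    foreach ($c in (Get-ADComputer -Filter *)) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.ObjectType -eq $guid -and
                ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
                New-Object PSObject -Property @{
                    Computer  = $c.Name
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                } | Select-Object Computer, Principal, Inherited
            }
        }
    }
}

Grant-AllowedToAuthenticate -ComputerName 'NYC-SVR1' -TrustedGroup 'Domain Users' -TrustedDomain 'Adatum.com'
Get-AllowedToAuthenticateGrants | Format-Table -AutoSize
```

The audit output is worth keeping as a baseline: with selective authentication in force, an unexpected entry in this list is the only way a trusted-forest user could have gained a foothold on an additional server, so the list should contain exactly the servers you meant to expose.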


To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-VAN-DC1.


Module Review and Takeaways

Review Questions
1. If there is a trust within a forest, and the resource is not in the user's domain, how will the domain
controller use the trust relationship to access the resource?
2. The BranchOffice_Admins group has been granted full control of all user accounts in the
BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was
moved from the BranchOffice_OU to the HeadOffice_OU?
3. Your organization has a Windows Server 2008 forest environment, but it has just acquired another
organization with a Windows 2000 forest environment that contains a single domain. Users in both
organizations must be able to access resources in each other's forest. What type of trust will you create
between the forest root domains of each forest?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 Feature   Description
Managed service accounts         Used to automate password and SPN management for service
                                 accounts used by applications and services

Module 9
Creating and Managing Group Policy Objects
Contents:
Lesson 1: Overview of Group Policy                                  9-3
Lesson 2: Configuring the Scope of Group Policy Objects             9-14
Lab A: Creating and Configuring GPOs                                9-22
Lesson 3: Managing Group Policy Objects                             9-26
Lab B: Creating and Configuring GPOs                                9-35
Lesson 4: Evaluating and Troubleshooting Group Policy Processing    9-39
Lab C: Troubleshooting Group Policy                                 9-53


Module Overview

Administrators face increasingly complex challenges in managing the information technology (IT)
infrastructure of their organizations. They must deliver and maintain customized desktop configurations,
ensure the security of a geographically and logistically dispersed collection of computers, and provide
administration and management for an increasingly complex and growing computing environment.
Group Policy and the Active Directory Domain Services (AD DS) infrastructure in Microsoft Windows
Server 2008 enable IT administrators to automate user and computer management in many areas,
simplifying administrative tasks, and reducing IT costs. With Group Policy and AD DS, administrators can
efficiently distribute software, implement security settings, and enforce IT policies consistently across a
given site, domain, or range of organizational units (OUs).

Objectives
After completing this module, you will be able to:

Explain Group Policy.

Configure the scope of Group Policy objects (GPOs).

Manage GPOs.

Evaluate and troubleshoot Group Policy processing.


Lesson 1

Overview of Group Policy

This lesson shows you how to use Group Policy to simplify managing your Active Directory
environment. You will learn how GPOs are structured and applied, and how to control the scope and
application of GPOs. In addition, you will gain experience with tools that aid in implementing Group
Policy in your environment.
This lesson also discusses Group Policy features that are included with Windows Server 2008 and Windows
Server 2008 R2, and which help simplify computer and user management.

Objectives
After completing this lesson, you will be able to:

Describe configuration management and how Group Policy helps to automate the management of
users and computers.

Describe the concept of GPOs and Group Policy settings.

Describe how Group Policy is applied to computers and users.

Describe exceptions to Group Policy processing.

Describe the Group Policy components.

Create a GPO.


What Is Configuration Management?

Key Points
If you have only one computer in your environment (at home, for example) and you need to make a
change (modify the desktop background, for example), there are several ways to do that. Most people
would probably access Personalization in Control Panel and make the change by using the Windows
interface. That works well for one user, but becomes tedious if you want to make the change across
multiple users, for example, if you want the same background for yourself and your family. You have to
make the change multiple times, and then, if you ever change your mind and want to change the
background yet again, you have to return to each user's profile and make the change. Implementing the
change and maintaining a consistent environment becomes even more difficult across multiple
computers.
In the end, configuration management is a centralized approach to applying one or more changes to one
or more users, computers or both. The key elements of configuration management are:

A centralized definition of a change, which we will also call a setting. The setting brings a user or a
computer to a desired state of configuration.

A definition of the user(s) or computer(s) to whom the change applies, which we will call the scope of
the change.

A mechanism that ensures that the setting is applied to users and computers within the scope. We
will call this process the application.

Group Policy is a framework within Windows, with components that reside in Active Directory, on
domain controllers, and on each Windows server and client, that enables you to manage configuration in
an AD DS domain.


What Are Group Policy Objects and Settings?

Key Points
Group Policy management in an AD DS domain is implemented on the server side by two primary
components, Group Policy settings and GPOs.

Group Policy Settings


A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration
change to apply to an object within AD DS, either a computer or a user or both. Group Policy has
thousands of configurable settings. These settings can affect nearly every area of the computing
environment. You cannot apply all the settings to all versions of Microsoft Windows operating systems.
For example, many of the new settings that came with the Microsoft Windows XP Professional operating
system, Service Pack (SP) 2, such as software restriction policies, only applied to that operating system.
Equally, many of the hundreds of new settings only apply to Microsoft Windows 7 and Microsoft
Windows Server 2008 R2. If a computer has a setting applied that it cannot process, it simply ignores it.
Most policy settings can have three states:

Not Configured

Enabled

Disabled.

By default, GPO policy settings are set to Not Configured. This means that the GPO will not modify the
existing configuration of that particular setting for a user, computer, or both. If you enable a policy
setting, it makes that policy setting active. Likewise, if you disable a policy setting, the policy setting is
made inactive.
Note: Multi-valued Group Policy settings contain more configuration options than the typical Not
Configured, Enabled, and Disabled options. They are typically used to provide specific configuration
details to applications or operating system components.


The effect of the change depends on the policy setting. For example, if you enable the Prevent Access to
Registry Editing Tools policy setting, users will be unable to start the Regedit.exe Registry Editor. If you
disable the policy setting, you ensure that users can start the Registry Editor. Notice the double negative
in this policy setting: You disable a policy that prevents an action, so you allow the action.
Note: Many policy settings are complex, and the effect of enabling or disabling them might not be
immediately clear. Always test the effects of a policy setting and its interactions with other policy
settings before deploying a change in the production environment.

Group Policy Settings Structure
The structure of Group Policy settings is split into two distinct areas.

Group Policy Area        What It Does
Computer configuration   Affects the HKEY_Local_Machine registry hive
User configuration       Affects the HKEY_Current_User registry hive

Configuring Group Policy Settings
Each area has three sections.

Section                   Description
Software settings         Software can be deployed to either the user or the computer. Software
                          deployed to a user is specific to that user. Software deployed to the computer
                          is available to all users of that computer.
Windows settings          Contain script settings and security settings for both user and computer, and
                          Internet Explorer maintenance for the user configuration.
Administrative templates  Contain hundreds of settings that modify the registry to control various
                          aspects of the user and computer environment.

Group Policy Preferences


In addition to the Group Policy structure above, an additional component has been added to the Group
Policy structure for Windows Server 2008 R2 and Windows 7. A Preferences node is present under the
Computer Configuration and User Configuration nodes in the Group Policy Editor for these operating
systems. Group Policy Preferences and their impact on your organization will be discussed in further detail
later in this course.

Group Policy Objects


Group Policy settings are defined and exist within a GPO. A GPO is an object that contains one or more
policy settings and thereby applies one or more configuration settings for a user, computer, or both.
GPOs can be managed in Active Directory by using the Group Policy Management Console (GPMC).
Within the GPMC, a GPO is opened and edited by using the Group Policy Object Editor (GPO Editor).


The GPO Editor displays the individual Group Policy settings available in a GPO in an organized hierarchy
that begins with the division between computer settings and user settings, the Computer Configuration
node and the User Configuration node. Computer configuration settings are applied to computer objects
in AD DS and User configuration settings are applied to user objects within AD DS.
The GPO must be applied to a domain, site, or OU in the AD DS hierarchy for the settings within the
object to take effect.
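The GPMC work described in this topic (create a GPO, set a policy in it, link it so that it takes effect) can also be scripted. The following is an added example, not course code: it uses the GroupPolicy module of Windows Server 2008 R2 to create a GPO, enable the "Prevent access to registry editing tools" policy discussed above, and link the GPO to an OU. The GPO name and the Research OU path in the Contoso.com lab domain are assumptions.

```powershell
# Added example (not course code): create, populate and link a GPO with the
# GroupPolicy module. GPO name and OU path are assumptions.
Import-Module GroupPolicy

function New-RegeditLockdownGpo {
    param(
        [string]$GpoName  = 'Research - Prevent Registry Editing',
        [string]$TargetOU = 'OU=Research,DC=contoso,DC=com'
    )
    # Reuse the GPO if it exists; otherwise New-GPO creates both halves of it,
    # the container in AD DS and the template folder in SYSVOL.
    try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $GpoName -Comment 'User Configuration: Prevent access to registry editing tools' }

    # Administrative template settings are registry-backed. This policy writes
    # DisableRegistryTools under the HKCU Policies key: 1 = Enabled (regedit.exe
    # blocked; 2 would also block its /s silent mode), 0 = Disabled (explicitly
    # allowed). Removing the value returns the policy to Not Configured.
    $key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'DisableRegistryTools' `
        -Type DWord -Value 1 | Out-Null

    # Linking defines the scope: only users in the Research OU receive the setting
    $links = (Get-GPInheritance -Target $TargetOU).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
        New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    }

    # Read the value back from the GPO so the result can be verified
    Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'DisableRegistryTools'
}

function Remove-RegeditLockdown {
    # Return the policy to Not Configured by deleting the value from the GPO
    param([string]$GpoName = 'Research - Prevent Registry Editing')
    $key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    Remove-GPRegistryValue -Name $GpoName -Key $key -ValueName 'DisableRegistryTools' | Out-Null
}

New-RegeditLockdownGpo | Format-List Hive, KeyPath, ValueName, Value
```

Because the setting lives under User Configuration, it applies at the next user logon (or `gpupdate /force`) for users whose accounts are in the Research OU, regardless of which computer they log on to; test the GPO on a pilot OU before linking it more broadly, as the note on page 9-6 advises.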


How Group Policy Is Applied

Key Points
In the previous topic, we established that a group policy setting cannot be applied to a user or computer
unless that Group Policy setting is contained in a Group Policy object. In the same manner, a Group Policy
object (and the Group Policy settings contained within) has no effect on user and computer objects until it
is applied to a domain, site, or OU within AD DS.

Group Policy Application Scope


The first step of Group Policy application is the attaching or linking of a GPO to an AD DS domain, site, or
OU. After a GPO is linked, the domain, site, or OU that it is linked to defines the GPO scope. The scope of a
GPO is the collection of users and computers that will apply the Group Policy settings contained in the
GPO. Where a GPO is linked determines its top-level scope. For example, the settings in a GPO applied at
the domain level of the Contoso domain will affect all users and computers within the domain. However, if
that same GPO is applied to the Research OU, the settings in that GPO will affect only the users and
computers contained in the Research OU.

Group Policy Application Processing


Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to
a user, computer, or both, the client components that interpret the policy and make the appropriate
environment changes are known as Group Policy client-side extensions. As GPOs are processed, the
Group Policy Client service passes the list of GPOs that must be processed to each Group Policy
client-side extension. The extension then uses the list to process the appropriate policy, when
applicable. The Group Policy Client service runs on Windows Vista and later only.
Computer Configuration and User Configuration settings are processed and applied separately by the
client-side extensions.

Applying Computer Configuration
The Group Policy settings in a GPO that are contained in the Computer Configuration portion are applied
when the physical computer starts.


Applying User Configuration


The Group Policy settings in a GPO that are contained in the User Configuration portion are applied when
the user logs on to Windows.
Note: Many Group Policy settings can be applied without having to restart the computer or log off by
running gpupdate /force from the command prompt.


Exceptions to Group Policy Processing

Key Points
Different factors can change the normal Group Policy processing behavior, such as the way that client
computers handle domain authentication, logging on by using a slow connection, accessing a domain
environment remotely, and the movement of user and computer objects within the AD DS structure. Also,
different types of operating systems handle Group Policy processing differently.

Cached Credentials
By default, Windows client operating systems will maintain a cache for the credentials of the last ten
domain accounts that were used to log on to the system. These cached credentials can cause the client
computer not to request an immediate refresh of Group Policy settings during the logon process. As a
result, some changes made to Group Policy settings may take two logons to be properly applied.

Slow Link Detection


When a Windows computer connects to the network, part of the connection process is detecting the
robustness of the link from the client to the closest domain controller. By default, if the measured
bandwidth of this link is less than 500 Kbps, Windows flags it as a slow link. This value is configurable within
Group Policy to best suit your organization's network environment.
When a slow link is detected, Group Policy processing operates differently. Certain client-side extensions
(the components responsible for enacting Group Policy changes on client computers) are not processed
over a slow link by default. This results in a different set of policy settings being applied to clients that
connect over a slow link.
The following table lists the Group Policy client-side extensions that are disabled by default when a slow
link is detected.
Setting                        Default Slow Link Behavior
Software Installation          OFF
Scripts                        OFF
Folder Redirection             OFF
Deployed Printer Connections   OFF
Disk Quota                     OFF
Registry Security Settings     OFF

Certain remote access connections detected over dial-up or ISDN connections also present themselves as
slow connections and apply Group Policy settings accordingly.

Moving Objects in AD DS
When a user or computer object is moved to a new location within the AD DS structure, such as a different
OU, the client computer does not become aware of the change until the computer and user
authentication process is completed after the move. As a result, Group Policy settings applied to the new
OU do not take effect until a restart or logon has taken place.


Group Policy Components

Key Points
You can use Group Policy templates to create and configure Group Policy settings, which are stored by
the GPOs. The GPOs in turn are stored in the System Volume (SYSVOL) container in AD DS. The SYSVOL
container acts as a central repository for the GPOs. In this way, one policy may be associated with multiple
Active Directory containers through linking. Conversely, multiple policies may link to one container.
Along with the GPO, Group Policy has two more major components:
• Group Policy templates
• Group Policy container

Group Policy Templates
A Group Policy Template (GPT) is the collection of settings contained within a GPO. Group Policy
Templates are stored as folders in the SYSVOL folder of AD DS domain controllers. The GPT contains
most of the configurable policy settings specified within a GPO.

Group Policy Container
The Group Policy container (GPC) is the logical representation of a GPO stored in AD DS, which resides on
each of a domain's domain controllers. The GPC is responsible for keeping references to client-side
extensions, version information, path information to the Group Policy templates, paths to software
installation packages, and GPO properties.

Demonstration: Configuring Group Policy Objects

Key Points
In this demonstration, you will see how to:
• Use the GPMC to create a new GPO.
• Configure Group Policy settings.

Demonstration Steps:
1. Open the Group Policy Management console.
2. Create a new Group Policy Object named Desktop in the Group Policy Objects container.
3. In the computer configuration, prevent the last logon name from displaying, and prevent Windows
   Installer from running.
4. In the user configuration, remove the Search link from the Start menu, and hide the display settings
   tab.

Lesson 2

Configuring the Scope of Group Policy Objects

There are several techniques in Group Policy that allow administrators to manipulate how Group Policy is
applied. You can control the default processing order of policy through enforcement, blocking
inheritance, security filtering, Windows Management Instrumentation (WMI) filters, or by using the
loopback processing feature. In this lesson, you will learn about these techniques.

Objectives
After completing this lesson, you will be able to:
• Describe the Group Policy processing order (Local, Site, Domain, and OU).
• Create and manage processing order by using GPO links.
• Describe the options for modifying Group Policy processing.
• Describe how to modify the scope of Group Policy by using Security and WMI filtering.
• Describe Loopback processing.

Group Policy Processing Order

Key Points
The GPOs that apply to a user, computer, or both do not all apply at once. GPOs are applied in a
particular order. This order means that settings that are processed first may be overwritten by conflicting
settings that are processed later.
Group Policy follows this hierarchical processing order:
1. Local group policies. Each computer running Windows 2000 or later has at least one local group
   policy. The local policies are applied first.
2. Site group policies. Policies linked to sites are processed second. If there are multiple site policies,
   they are processed synchronously in the listed preference order.
3. Domain group policies. Policies linked to domains are processed third. If there are multiple domain
   policies, they are processed synchronously in the listed preference order.
4. OU group policies. Policies linked to top-level OUs are processed fourth. If there are multiple
   top-level OU policies, they are processed synchronously in the listed preference order.
5. Child OU group policies. Policies linked to child OUs are processed fifth. If there are multiple child
   OU policies, they are processed synchronously in the listed preference order. When there are multiple
   levels of child OUs, policies for higher-level OUs are applied first and policies for the lower-level OUs
   are applied next.

In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that
restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the
OU level for the objects contained in that particular OU.
If you link several GPOs to an organizational unit, their processing occurs in the order that the
administrator specifies on the Linked Group Policy Objects tab for the organizational unit in the Group
Policy Management Console (GPMC).

Disabling GPOs
By default, processing is enabled for all GPO links. You can completely block the application of a GPO for
a given site, domain, or organizational unit by disabling that container's GPO link. Note that if the GPO is
linked to other containers, they will continue to process the GPO if their links are enabled.
You can also disable either the user configuration or the computer configuration of a particular GPO
independently of the other. If one section of a policy is known to be empty, disabling that side speeds up
policy processing. For example, if you have a policy that only delivers user desktop configuration, you
could disable the computer side of the policy.
Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group
Policy to all users in two different domains. What is the best way to accomplish this?

Demonstration: How to Manage Processing Order by Using GPO Links

Key Points
In this demonstration, you will see how to:
• Create and link GPOs to different locations.
• Disable a GPO link.
• Delete a GPO link.

Demonstration Steps
1. Open the Group Policy Management console.
2. Create two new GPOs.
3. Link the first GPO to the domain.
4. Link the second GPO to the IT OU.
5. Disable the first GPO's link.
6. Delete the second GPO.
7. Re-enable the first GPO's link.

Options for Modifying Group Policy Processing

Key Points
There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain
users or groups may need to be exempt from restrictive Group Policy settings, or a GPO should be applied
only to computers with certain hardware or software characteristics. By default, all Group Policy settings
apply to the Authenticated Users group in a given container. However, you can modify that behavior
through various methods.

Block Inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents the
child level from automatically inheriting GPOs linked to higher sites, domains, or organizational units. By
default, children inherit all GPOs from the parent. You cannot block individual high-level policies. In other
words, you must block inheritance of all higher level policies, or none of them.

Enforcement of GPO Links


You can specify that the settings in a GPO link should take precedence over the settings of any child
object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent
container. Without enforcement from above, if GPOs contain conflicting settings, then the settings of GPO
links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units.
This prevents OU administrators from blocking inheritance on higher level policies. Security group filtering
will override enforcement.
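The processing order from the previous topic and the Block Inheritance and Enforced rules above can be checked against a small model. The following PowerShell is an added example, not course material; Resolve-GpoPrecedence is a hypothetical helper (not a Group Policy module cmdlet), and the scopes, GPO names and settings are constructed to mirror the lab scenario, in which Block Inheritance at the IT OU discards the non-enforced Restrict Run Command link while the Enforced Baseline Security link still wins over the OU's own conflicting setting.

```powershell
# Added example (not from the course): a model of how conflicting Group Policy
# settings resolve across Site, Domain and OU links, including Enforced links and
# Block Inheritance. The local GPO is applied first and is never blocked.
function Resolve-GpoPrecedence {
    param(
        # Settings from the local GPO (applied first, lowest precedence).
        [hashtable] $LocalPolicy = @{},
        # Scopes ordered from Site down to the target OU. Each scope is a hashtable
        # with Name, BlockInheritance (bool) and Links (array of hashtables with
        # Gpo, Enforced (bool) and Settings (hashtable)), listed in link order.
        [Parameter(Mandatory = $true)] [object[]] $Scopes
    )

    $normal   = @()   # non-enforced links, collected top-down
    $enforced = @()   # enforced links, collected top-down
    foreach ($scope in $Scopes) {
        if ($scope.BlockInheritance) {
            # Block Inheritance drops every non-enforced link inherited from above;
            # it cannot block individual links, and enforced links are unaffected.
            $normal = @()
        }
        foreach ($link in @($scope.Links)) {
            if ($link.Enforced) { $enforced += $link } else { $normal += $link }
        }
    }

    # Normal links apply top-down, so the deepest container wins a conflict.
    # Enforced links apply after all normal links, so they win; among enforced
    # links the higher container wins, so they are applied bottom-up.
    [array]::Reverse($enforced)
    $order = $normal + $enforced

    $effective = $LocalPolicy.Clone()
    $trace = @()
    foreach ($link in $order) {
        foreach ($key in $link.Settings.Keys) {
            $effective[$key] = $link.Settings[$key]      # last writer wins
            $trace += ('{0} = {1}  (set by {2})' -f $key, $link.Settings[$key], $link.Gpo)
        }
    }
    New-Object -TypeName PSObject -Property @{
        Order     = @($order | ForEach-Object { $_.Gpo })
        Effective = $effective
        Trace     = $trace
    }
}

# Constructed scenario: two domain-level GPOs (one Enforced) and an IT OU that
# blocks inheritance and links its own GPO.
$scopes = @(
    @{ Name = 'Site:Default-First-Site-Name'; BlockInheritance = $false; Links = @() },
    @{ Name = 'Domain:contoso.com'; BlockInheritance = $false; Links = @(
        @{ Gpo = 'Restrict Run Command'; Enforced = $false; Settings = @{ RunMenu = 'Removed' } },
        @{ Gpo = 'Baseline Security';    Enforced = $true;  Settings = @{ LastUserName = 'Hidden' } }
    ) },
    @{ Name = 'OU:IT'; BlockInheritance = $true; Links = @(
        @{ Gpo = 'IT Favorites'; Enforced = $false;
           Settings = @{ Favorites = 'http://support.microsoft.com'; LastUserName = 'Shown' } }
    ) }
)

$result = Resolve-GpoPrecedence -LocalPolicy @{ RunMenu = 'Available' } -Scopes $scopes
'Application order: ' + ($result.Order -join ' -> ')
$result.Trace
$result.Effective.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```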

Filtering Using Security Groups
Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them.
These ACLs contain access entries for different security principals. For a GPO to be applied to a security
principal in an OU, the security principal requires, at a minimum, the following permissions set to Allow:
• Read
• Apply Group Policy

By default, the Authenticated Users group has these permissions. By denying or granting the Apply Group
Policy permission, you can control which users, groups, or computers actually receive the GPO settings.
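A practical check of the rule above is to list, for every GPO in the domain, which principals actually hold Apply Group Policy and where the default Authenticated Users scope has been narrowed or explicitly denied. This is an added example built on the Group Policy module cmdlets covered in Lesson 3 (Get-GPO, Get-GPPermissions, Set-GPPermissions); Get-GpoApplyScope and Set-GpoApplyGroup are hypothetical helper names.

```powershell
# Added example (not from the course): audit and adjust security filtering.
# Requires the GroupPolicy module (Windows Server 2008 R2 or RSAT) and domain access.
Import-Module GroupPolicy

function Get-GpoApplyScope {
    param([string] $Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All returns every entry on the GPO's ACL, deny entries included (Denied = $true).
        $acl    = @(Get-GPPermissions -Name $gpo.DisplayName -All -Domain $Domain)
        $apply  = @($acl | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
        $denied = @($acl | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied })
        New-Object -TypeName PSObject -Property @{
            Gpo          = $gpo.DisplayName
            AppliesTo    = ($apply  | ForEach-Object { $_.Trustee.Name }) -join ', '
            DeniedFor    = ($denied | ForEach-Object { $_.Trustee.Name }) -join ', '
            # $true while the GPO keeps its default scope (Authenticated Users = Apply)
            DefaultScope = [bool]($apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })
        }
    }
}

# Narrow a GPO to one group: grant Apply to that group and reduce Authenticated
# Users to Read. Read is kept so that computer accounts can still read the GPO
# (required for user-side settings once the 2016 MS16-072 update is installed).
function Set-GpoApplyGroup {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $GroupName,
        [string] $Domain = $env:USERDNSDOMAIN
    )
    Set-GPPermissions -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply -Domain $Domain | Out-Null
    # -Replace is needed because Set-GPPermissions will not lower an existing level otherwise.
    Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace -Domain $Domain | Out-Null
}

# Report every GPO whose scope has been narrowed or that carries an explicit deny.
Get-GpoApplyScope |
    Where-Object { -not $_.DefaultScope -or $_.DeniedFor } |
    Format-Table Gpo, AppliesTo, DeniedFor -AutoSize
```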

Filtering by using WMI Filters


WMI is a set of technologies for managing Windows-based environments. WMI provides access to
properties of almost every hardware and software object in the computing environment. Through WMI
scripts, these properties can be evaluated, and decisions about the application of Group Policy are made
based on the results. For example, a WMI query could check for a minimum amount of random access
memory (RAM), or a specific service pack, to determine if a Group Policy should be applied. You must be a
member of Domain Administrators, Enterprise Administrators, or Group Policy Creator Owners groups to
create WMI filters in the domain.

Loopback Processing
In some cases, users may need policies applied to them based on the computer's location in AD DS, and
not on the user's identity. You can use the Group Policy loopback feature in any situation where you want to
apply GPOs based solely on the computer object in AD DS. Loopback is discussed in more detail later in
this lesson.
Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU
has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would
you ensure that all users in the Finance department receive your desktop policy?

Demonstration: Filtering Group Policy Processing

Key Points
In this demonstration, you will see how to:
• Filter Group Policy application by using security group filtering.
• Filter Group Policy application by using WMI filtering.

Demonstration Steps
Use Security Group Filtering
1. Create a GPO that removes the Help menu link from the Start menu and link it to the IT OU.
2. Use security filtering to exempt a user from the GPO.
3. Test Group Policy application.

Use WMI Filtering
1. Use the GPMC to create a new WMI filter that targets only Windows XP Professional clients. (See the
   following syntax.)

   Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

2. Use the GPMC to create a new GPO named Software.
3. Assign the WMI filter to the Software GPO.
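Before attaching a WMI filter to a GPO it is worth running its WQL query against a representative client, because a filter that matches nothing silently withholds the whole GPO. The following PowerShell is an added example, not part of the course: Test-WmiFilterQuery is a hypothetical helper wrapped around Get-WmiObject, and the third query (matching the Version prefix rather than an exact Caption) is an assumption-free but more robust alternative to the course's exact-match filters.

```powershell
# Added example (not from the course): evaluate a WMI filter query locally or on a
# remote computer and report whether the filter would let the GPO apply.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace    = 'root\CIMv2',   # the namespace given before ';' in GPMC
        [string] $ComputerName = '.'             # '.' = this computer
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query `
                     -ComputerName $ComputerName -ErrorAction Stop)
        $err = $null
    } catch {
        # Invalid WQL, missing namespace or unreachable host: the filter cannot pass.
        $hits = @()
        $err  = $_.Exception.Message
    }
    New-Object -TypeName PSObject -Property @{
        Computer      = $ComputerName
        Namespace     = $Namespace
        Query         = $Query
        Matches       = $hits.Count
        FilterApplies = ($hits.Count -gt 0)   # GPO applies only when >= 1 instance is returned
        Error         = $err
    }
}

$queries = @(
    # The demonstration's filter and the lab hint, as written in the course.
    'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"',
    'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows 7 Enterprise" OR Caption = "Microsoft Windows Vista Enterprise"',
    # Exact Caption matches are brittle (other editions, and some builds carry a
    # trailing space in Caption). Version 6.1 = Windows 7, 6.0 = Windows Vista;
    # ProductType = 1 restricts the match to client operating systems.
    'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "6.1%" OR Version LIKE "6.0%") AND ProductType = 1'
)

foreach ($q in $queries) {
    Test-WmiFilterQuery -Query $q | Format-List Query, Matches, FilterApplies, Error
}
```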

How Does Loopback Processing Work?

Key Points
User policy settings are normally derived entirely from the GPOs associated with the user account, based
on its AD DS location. However, loopback processing directs the system to apply an alternate set of user
settings for the computer to any user who logs on to a computer affected by this policy. Loopback
processing is intended for special-use computers where you must modify the user policy based on the
computer being used, such as the computers in public areas or classrooms. When you apply loopback, it
will affect all users, except local ones.
Both the user objects and the computer objects can potentially have different group policy settings
applied (depending upon where each object resides in AD). Loopback processing ensures that the
computer object's policy takes precedence over the user object's group policy settings.
Loopback processing operates by using the following two modes:
• Merge mode applies the user's normal Group Policy settings and then applies the settings based on
  the computer's location in AD DS. This results in both sets of policy settings being processed, but any
  conflicting settings are determined by the list of GPOs for the computer, which was applied last.
• Replace mode ignores the user's normal Group Policy settings, and instead applies the user settings
  associated with the policy that delivered the loopback settings.

For example, a public access computer in the lobby may have a user policy that locks down the desktop
completely, and allows access only to certain software. Loopback processing in replace mode would
ensure that whoever logged on to the computer would be subject to those restrictions.
Note: You can find the loopback setting by pointing to Computer Configuration, pointing to
Administrative Templates, pointing to System, and then pointing to Group Policy.
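Because loopback changes which user settings every logon on an affected computer receives, it is useful to know exactly which GPOs turn it on and in which mode. The following PowerShell is an added example, not course material: it reads the registry-based policy value that the Administrative Template setting above writes (UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System, where 1 is Merge and 2 is Replace) with the Get-GPRegistryValue cmdlet from Lesson 3; Get-GpoLoopbackMode is a hypothetical helper name.

```powershell
# Added example (not from the course): list every GPO that enables loopback
# processing, with its mode and whether its computer side is actually enabled.
Import-Module GroupPolicy

function Get-GpoLoopbackMode {
    param([string] $Domain = $env:USERDNSDOMAIN)
    # Registry-based policy behind "Configure user Group Policy loopback processing mode".
    $key = 'HKLM\Software\Policies\Microsoft\Windows\System'
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPRegistryValue errors when the value is not configured in the GPO;
        # that is treated here as "loopback not set".
        $setting = Get-GPRegistryValue -Name $gpo.DisplayName -Key $key `
                       -ValueName 'UserPolicyMode' -Domain $Domain -ErrorAction SilentlyContinue
        if ($setting -and $setting.PolicyState -eq 'Set') {
            $mode = switch ([int]$setting.Value) {
                1       { 'Merge' }
                2       { 'Replace' }
                default { "Unknown ($($setting.Value))" }
            }
            New-Object -TypeName PSObject -Property @{
                Gpo       = $gpo.DisplayName
                Mode      = $mode
                # Loopback is a computer-side setting: a GPO whose computer settings are
                # disabled (ComputerSettingsDisabled / AllSettingsDisabled) never applies it.
                GpoStatus = $gpo.GpoStatus
            }
        }
    }
}

Get-GpoLoopbackMode | Format-Table Gpo, Mode, GpoStatus -AutoSize
```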

Lab A: Creating and Configuring GPOs

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Scenario
Contoso, Ltd. has decided to implement Group Policy to manage user desktops and to configure
computer security. The organization has already implemented an OU configuration that includes top-level
OUs for the different departments. User accounts are in the same container as their workstation computer
accounts. Server computer accounts are spread throughout various OUs.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings
and may not always follow best practices.

Group Policy Requirements
• Domain users will not have access to the Run menu. The policy will apply to all users, except users in
  the IT OU.
• All domain computers will have a mandatory baseline security policy applied that does not display
  the name of the last logged on user.
• Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the
  network at startup.
• Users in the IT OU will have the URL for Microsoft support added to their Favorites.

Exercise 1: Creating and Configuring Group Policy Objects


You will create and link the GPOs that the enterprise administrator's design specifies. Tasks include
modifying the default domain policy and creating policy settings linked to specific OUs and sites.
The main tasks are as follows:
1. Create the GPOs.
2. Configure the GPO settings.
3. Link the GPOs to the appropriate containers.

Task 1: Create the GPOs.
On NYC-DC1, open the Group Policy Management console, browse to the Group Policy Objects
container, and then perform the following:
• Create a GPO named Restrict Run Command.
• Create a GPO named Baseline Security.
• Create a GPO named Windows 7 and Windows Vista Security.
• Create a GPO named IT Favorites.

Task 2: Configure the GPO settings.
1. Edit the Restrict Run Command GPO (User Configuration\Policies\Administrative Templates\Start
   Menu and Taskbar\Remove Run Menu from the Start Menu) to prevent access to the Run menu.
2. Edit the Baseline Security GPO (Computer Configuration\Policies\Windows Settings\Security
   Settings\Local Policies\Security Options\Interactive logon: Do not display last user name) so that the
   name of the last logged on user is not displayed.
3. Edit the Windows 7 and Windows Vista Security GPO (Computer Configuration\Policies
   \Administrative Templates\System\Logon\Always wait for the network at computer startup and
   logon) to ensure that computers wait for the network at startup.
4. Edit the IT Favorites GPO (User Configuration\Policies\Windows Settings\Internet Explorer
   Maintenance\URLs\Favorites and Links) to include the URL for Microsoft tech support
   (http://support.microsoft.com) in the Internet Favorites.

Task 3: Link the GPOs to the appropriate containers.
Use the GPMC to perform the following:
• Link the Restrict Run Command GPO to the domain container.
• Link the Baseline Security GPO to the domain container.
• Link the Windows 7 and Windows Vista Security GPO to the domain container.
• Link the IT Favorites GPO to the IT OU.

Exercise 2: Managing the Scope of GPO Application


In this exercise, you will configure the scope of GPO settings based on the enterprise administrator's
design. Tasks include blocking and enforcing inheritance, and applying filtering based on security groups
and WMI filters.
The main tasks are as follows:
1. Configure Group Policy management for the domain container.
2. Configure Group Policy management for the IT Admin OU.
3. Create and apply a WMI filter for the Windows 7 and Windows Vista Security GPO.

Task 1: Configure Group Policy management for the domain container.
1. Configure the Baseline Security link to be Enforced.
2. Configure the Windows 7 and Windows Vista Security link to be Enforced.

Task 2: Configure Group Policy management for the IT OU.
• Block inheritance at the IT OU, to exempt the IT OU users from the Restrict Run Command GPO.

Task 3: Create and apply a WMI filter for the Windows Vista and Windows 7 Security
GPO.
1. Create a new WMI filter called Windows 7 or Windows Vista Operating Systems configured to find
   only Windows 7 and Windows Vista operating systems.
   Hint:
   Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise" OR
   Caption = "Microsoft Windows Vista Enterprise"
2. Assign the WMI filter to the Windows 7 and Windows Vista Security GPO.
Result: At the end of this exercise, you will have configured the scope of GPO settings.

Lesson 3:

Managing Group Policy Objects

GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very
important for maintaining your Group Policy deployments in the event of error or disaster. It helps avoid
manually re-creating lost or damaged GPOs, and having to again go through the planning, testing, and
deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of
all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain and across domains.

Objectives
After completing this lesson, you will be able to:
• Describe various GPO management tasks.
• Describe the use of Starter GPOs.
• Use Windows PowerShell to manage GPOs.
• Describe how to delegate GPO administration.

GPO Management Tasks

Key Points
Like critical data and Active Directory-related resources, you must back up GPOs to protect the integrity
of AD DS and GPOs. GPMC not only provides the basic backup and restore options, but also provides
additional control over GPOs for administrative purposes. Options for managing GPOs include the
following:

Backing Up GPOs
You can back up GPOs individually or as a whole with GPMC. You must provide only a backup location,
which can be any valid local or shared folder. You must have Read permission on the GPO to back it up.
Every time you perform a backup, a new backup version of the GPO is created, which provides a historical
record.

Scripting Backups
GPMC includes a number of built-in scripts to assist in automating many routine administration tasks. You
can find them in the Program Files\GPMC\Scripts folder, and can use the BackupAllGPOs.wsf script to
automate GPO backups.

Restoring Backed Up GPOs
You can restore any version of a GPO. If one has become corrupt or has been deleted, you can restore any
of the historical versions of that GPO. The restore interface provides the ability for you to view the settings
stored in the backed-up version before restoring it.

Importing GPO Settings from a Backed Up GPO
You can import policy settings from one GPO into another. Importing a GPO allows you to transfer
settings from a backed up GPO to an existing GPO. Importing a GPO transfers only the GPO settings. The
import process does not import GPO links. Security principals defined in the source may need to be
migrated to the target.

Note: It is not possible to merge imported settings with the current target GPO settings; the imported
settings will overwrite all existing settings.

Copying GPOs
You can copy GPOs by using GPMC, both in the same domain and across domains. A copy operation
copies an existing, live GPO to the desired destination domain. A new GPO always gets created during this
process. The new GPO is named "Copy of OldGPOName". For example, if you copied a GPO named
Desktop, the new version would be named "Copy of Desktop". After the GPO is copied and pasted into
the Group Policy Objects container, you can rename the policy. The destination domain can be any
trusted domain in which you have the rights to create new GPOs. When copying between domains,
security principals defined in the source may need to be migrated to the target.
Note: It is not possible to copy settings from multiple GPOs into a single GPO.

Migration Tables
When importing GPOs or copying them between domains, you can use migration tables to modify
references in the GPO that need to be adjusted for the new location. For example, you may need to
replace the UNC path for folder redirection with a UNC path that is appropriate for the new user group to
which the GPO will be applied. You can create migration tables ahead of time, or during the import or
cross-domain copy operation.

What Is a Starter GPO?

Key Points
A Starter GPO is used as a template from which to create other GPOs within GPMC. Starter GPOs only
contain Administrative Template settings. You may use a Starter GPO to provide a starting point for new
GPOs created in your domain. The Starter GPO may already contain specific settings that are
recommended best practices for your environment. Starter GPOs can be exported to and imported from
cabinet (.cab) files to make distribution to other environments simple and efficient.
GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.
Preconfigured Starter GPOs from Microsoft are available for Windows client operating systems. These
Starter GPOs contain Administrative Template settings that reflect Microsoft recommended best practices
for the configuration of the client environment.
Note: Windows Server 2008 R2 comes pre-loaded with client operating system GPOs for Windows XP
and Windows Vista. If you are using the initial release of Windows Server 2008, you will have to
download the Starter GPOs from the Microsoft website.

Using Windows PowerShell to Manage GPOs

Key Points
Group Policy in Windows Server 2008 R2 provides support for Windows PowerShell. You can use the
Windows PowerShell Group Policy cmdlets to automate many of the same tasks for domain-based GPOs
that you perform in the user interface by using GPMC.
To help you complete these tasks, 25 Group Policy cmdlets are provided in Windows Server 2008 R2. Each
cmdlet is a simple, single-function command-line tool. By using combinations of cmdlets, you can
automate more complex tasks. You can also combine actions with scheduled tasks to ensure that specific
Group Policy management tasks occur when you want them to. For example, you can back up a GPO,
output the result to a file, and then append the file every time you perform a backup. This creates a report
for every scheduled backup.
Note: To use the Windows PowerShell Group Policy cmdlets, you must be running Windows Server
2008 R2 either on a domain controller or on a member server that has the GPMC installed, or Windows
7 with Remote Server Administration Tools (RSAT) installed. RSAT includes GPMC. You must also import
the Group Policy module before you use the cmdlets, at the beginning of every script that uses them,
and at the beginning of every Windows PowerShell session.
To import the Group Policy Module for Windows PowerShell, run the following cmdlet from the Windows
PowerShell prompt.
Import-Module GroupPolicy -Verbose
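The scheduled "back up, write the result to a file, append on every run" pattern described above, and the scripted backups mentioned under GPO Management Tasks, look like this with the Group Policy cmdlets. This is an added example, not the course's own script: Backup-AllGposWithReport is a hypothetical helper name, and the backup and report paths are placeholders for a dedicated, access-restricted location.

```powershell
# Added example (not from the course): back up every GPO in the domain and append
# one line per GPO to a running report, suitable for a scheduled task on a
# Windows Server 2008 R2 domain controller or a computer with GPMC/RSAT installed.
Import-Module GroupPolicy

function Backup-AllGposWithReport {
    param(
        [Parameter(Mandatory = $true)] [string] $BackupPath,   # folder or share that holds the backups
        [Parameter(Mandatory = $true)] [string] $ReportPath,   # tab-separated log, appended on each run
        [string] $Domain = $env:USERDNSDOMAIN
    )
    if (-not (Test-Path -Path $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath | Out-Null
    }
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    # Each run creates a new, separately restorable backup version of every GPO.
    $backups = @(Backup-GPO -All -Path $BackupPath -Domain $Domain -Comment "Scheduled backup $stamp")

    # One report line per GPO: time, display name, GPO GUID, backup GUID (needed by Restore-GPO/Import-GPO).
    $lines = foreach ($b in $backups) {
        "{0}`t{1}`t{2}`t{3}" -f $stamp, $b.DisplayName, $b.GpoId, $b.Id
    }
    if ($lines) { Add-Content -Path $ReportPath -Value $lines }
    Add-Content -Path $ReportPath -Value ("{0}`tTOTAL`t{1} GPO(s) backed up to {2}" -f $stamp, $backups.Count, $BackupPath)

    # A GPO backup holds the GPO's settings and permissions, not its links to sites,
    # domains or OUs and not WMI filter definitions; record the link state alongside it.
    Get-GPInheritance -Target $Domain -Domain $Domain | Select-Object -ExpandProperty GpoLinks |
        ForEach-Object { "{0}`tLINK`t{1}`tEnabled={2}`tEnforced={3}" -f $stamp, $_.DisplayName, $_.Enabled, $_.Enforced } |
        Add-Content -Path $ReportPath

    $backups
}

Backup-AllGposWithReport -BackupPath 'D:\GPOBackups' -ReportPath 'D:\GPOBackups\backup-log.txt'
```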

The Group Policy Module for Windows PowerShell includes the following cmdlets.

Cmdlet Name                  Description
Backup-GPO                   Backs up one GPO or all the GPOs in a domain
Copy-GPO                     Copies a GPO
Get-GPInheritance            Retrieves Group Policy inheritance information for a specified domain or OU
Get-GPO                      Gets one GPO or all the GPOs in a domain
Get-GPOReport                Generates a report in either XML or HTML format for a specified GPO or for all GPOs in a domain
Get-GPPermissions            Gets the permission level for one or more security principals on a specified GPO
Get-GPPrefRegistryValue      Retrieves one or more registry preference items under either Computer Configuration or User Configuration in a GPO
Get-GPRegistryValue          Retrieves one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO
Get-GPResultantSetOfPolicy   Outputs the Resultant Set of Policy (RSoP) information to a file, for a user, a computer, or both
Get-GPStarterGPO             Gets one Starter GPO or all Starter GPOs in a domain
Import-GPO                   Imports the Group Policy settings from a backed up GPO into a specified GPO
New-GPLink                   Links a GPO to a site, domain, or OU
New-GPO                      Creates a new GPO
New-GPStarterGPO             Creates a new Starter GPO
Remove-GPLink                Removes a GPO link from a site, domain, or OU
Remove-GPO                   Deletes a GPO
Remove-GPPrefRegistryValue   Removes one or more registry preference items from either Computer Configuration or User Configuration in a GPO
Remove-GPRegistryValue       Removes one or more registry-based policy settings from either Computer Configuration or User Configuration in a GPO
Rename-GPO                   Assigns a new display name to a GPO
Restore-GPO                  Restores one GPO or all GPOs in a domain from one or more GPO backup files
Set-GPInheritance            Blocks or unblocks inheritance for a specified domain or OU
Set-GPLink                   Sets the properties of the specified GPO link
Set-GPPermissions            Grants a level of permissions to a security principal for one GPO or for all the GPOs in a domain
Set-GPPrefRegistryValue      Configures a registry preference item under either Computer Configuration or User Configuration in a GPO
Set-GPRegistryValue          Configures one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO
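The scheduled backup-with-report workflow described above, as an added example that is not part of the course: every run backs up all domain GPOs into a new dated folder with Backup-GPO and appends one line per GPO to a CSV report, so the report grows with each scheduled backup. The paths C:\GPOBackup and C:\GPOBackup\BackupReport.csv and the script path in the schtasks comment are assumptions.

```powershell
# Added example (not course code). Assumed paths: C:\GPOBackup, BackupReport.csv.
Import-Module GroupPolicy

function Backup-AllGposWithReport {
    param(
        [string]$BackupRoot = 'C:\GPOBackup',
        [string]$ReportPath = 'C:\GPOBackup\BackupReport.csv',
        [string]$Comment    = 'Scheduled backup'
    )

    # One sub-folder per run keeps backup sets apart and makes
    # "restore the newest backup" unambiguous later.
    $runFolder = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $runFolder -Force | Out-Null

    # Backup-GPO -All returns one GpoBackup object per GPO it wrote.
    $backups = Backup-GPO -All -Path $runFolder -Comment $Comment -Domain $env:USERDNSDOMAIN

    $rows = foreach ($b in $backups) {
        # Record the AD version numbers at backup time, so a later restore can
        # be checked against what was live when this backup was taken.
        $gpo = Get-GPO -Guid $b.GpoId
        New-Object PSObject -Property @{
            Timestamp       = $b.CreationTime.ToString('s')
            DisplayName     = $b.DisplayName
            GpoId           = $b.GpoId
            BackupId        = $b.Id
            ComputerVersion = $gpo.Computer.DSVersion
            UserVersion     = $gpo.User.DSVersion
            Folder          = $runFolder
        }
    }
    # Fix the column order (hashtable order is not guaranteed in PowerShell 2.0).
    $rows = $rows | Select-Object Timestamp, DisplayName, GpoId, BackupId, ComputerVersion, UserVersion, Folder

    # Append rather than overwrite. Export-Csv -Append needs PowerShell 3.0, so the
    # CSV lines are written by hand to stay compatible with the PowerShell 2.0
    # that ships with Windows Server 2008 R2 and Windows 7.
    $csv = $rows | ConvertTo-Csv -NoTypeInformation
    if (Test-Path $ReportPath) { $csv = $csv | Select-Object -Skip 1 }   # drop the header line
    $csv | Out-File -FilePath $ReportPath -Append -Encoding UTF8

    return $rows
}

# Interactive run. For scheduled use, register the script as a task, for example
# (assumed script path):
#   schtasks /Create /SC DAILY /ST 02:00 /TN "GPO Backup" /TR "powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup-Gpos.ps1"
Backup-AllGposWithReport | Format-Table DisplayName, ComputerVersion, UserVersion, BackupId -AutoSize
```

The report lets you match any backup folder to the GPO versions that were current at the time, which is what you need when deciding which backup to restore.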


Options for Delegating Control of GPOs

Key Points
Delegation of GPO-related tasks allows the administrative workload to be distributed across the
enterprise. One group can be tasked with creating and editing GPOs, while another group performs
reporting and analysis duties. A third group might be in charge of creating WMI filters.
The following Group Policy tasks can be independently delegated:
• Creating GPOs
• Editing GPOs
• Managing Group Policy links for a site, domain, or OU
• Performing Group Policy Modeling analyses on a given domain or OU
• Reading Group Policy Results data for objects in a given domain or OU
• Creating WMI filters in a domain

The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that
they have created.

Group Policy default permissions


By default, the following users and groups have Full Control over GPO management:
• Domain Admins
• Enterprise Admins
• Creator Owner
• Local System

The Authenticated Users group has Read and Apply Group Policy permissions.


Creating GPOs
By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new
GPOs. You can use two methods to grant a group or user this right:
• Add the user or group to the Group Policy Creator Owners group.
• Explicitly grant the group or user permission to create GPOs by using GPMC.

Editing GPOs
To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission
by using the GPMC.

Managing GPO Links


The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can
manage this permission by using the Delegation tab on the container. You can also delegate it through
the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results


You can delegate the ability to use the reporting tools in the same fashion, through GPMC or the
Delegation of Control Wizard in Active Directory Users and Computers.

Create WMI Filters


You can delegate the ability to create and manage WMI filters in the same fashion, through GPMC or the
Delegation of Control Wizard in Active Directory Users and Computers.
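An added example, not from the course, of doing the two sides of GPO delegation with the cmdlets listed earlier: Get-GPPermissions audits which trustees can edit each GPO and flags any that are not among the default Full Control holders, and Set-GPPermissions delegates edit rights to a group at the GpoEdit level (Read plus Write), which is what "Editing GPOs" requires and less than Full Control. The group name GPO-Editors and the GPO name "Restrict Run Command" are assumptions.

```powershell
# Added example (not course code). Assumed names: group GPO-Editors, GPO "Restrict Run Command".
Import-Module GroupPolicy

# Permission levels that allow changing a GPO (Read + Write or more).
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

# Trustees that hold Full Control by default; any other trustee with edit
# rights should be explainable by a deliberate delegation.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')

function Get-GpoEditors {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermissions -Guid $gpo.Id -All -Domain $Domain
        foreach ($p in $perms) {
            if ($editLevels -contains $p.Permission.ToString()) {
                New-Object PSObject -Property @{
                    Gpo         = $gpo.DisplayName
                    Trustee     = $p.Trustee.Name
                    TrusteeType = $p.Trustee.SidType
                    Permission  = $p.Permission
                    Unexpected  = ($expectedEditors -notcontains $p.Trustee.Name)
                }
            }
        }
    }
}

function Grant-GpoEdit {
    param(
        [string]$GpoName,
        [string]$GroupName,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    # GpoEdit = Read + Write (edit settings) without delete or ACL changes.
    Set-GPPermissions -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoEdit -Domain $Domain | Out-Null
    # Re-read the ACL so the caller sees what was actually applied.
    Get-GPPermissions -Name $GpoName -TargetName $GroupName -TargetType Group -Domain $Domain
}

# Audit first: every editor that is not one of the default Full Control holders.
Get-GpoEditors | Where-Object { $_.Unexpected } |
    Format-Table Gpo, Trustee, TrusteeType, Permission -AutoSize

# Then delegate editing of one GPO to a group, at the lowest level that allows it.
Grant-GpoEdit -GpoName 'Restrict Run Command' -GroupName 'GPO-Editors'
```

Running the audit periodically gives you the same view as the Delegation tab in GPMC, but across every GPO in the domain at once.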


Lab B: Managing Group Policy Objects

Lab Scenario
The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so
that certain policies can be applied to all domain objects. Some policies are considered mandatory.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings
and may not always follow best practices.

Group Policy Requirements
• Domain users will not have access to the Run menu. The policy will apply to all users, except users in
the IT OU.
• All domain computers will have a mandatory baseline security policy applied that does not display
the name of the last logged on user.
• Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the
network at startup.
• Users in the IT OU will have the URL for Microsoft support added to their Favorites.


Exercise 1: Verifying GPO Application


In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as the
design specifies. Students will log on as specific users, to verify that GPOs are being applied correctly.
The main tasks are as follows:
1. Verify that a user in the domain has the Run command removed from the Start menu.
2. Verify that a user in the IT Admin OU is receiving the correct policy.
3. Verify that the user name does not appear.

Task 1: Verify that a user in the domain has the Run command removed from the Start menu.
1. Log on to NYC-CL1 as CONTOSO\Max, with the password, Pa$$w0rd.
2. Ensure that a link to the Run menu does not appear in the Accessories folder on the Start menu.
3. Log off of NYC-CL1.

Task 2: Verify that a user in the IT OU is receiving the correct policy.
1. Log on to NYC-CL1 as CONTOSO\Ed, with the password, Pa$$w0rd.
2. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.
3. Start Internet Explorer, open the Favorites pane, and then ensure that the link to Tech Support
appears. If the Set Up Windows Internet Explorer 8 dialog box opens, click Ask me later.
4. Restart NYC-CL1.

Task 3: Verify that the last logged on user name does not appear.

After NYC-CL1 is restarted, verify that the last logged on user name does not appear.
Note: To see this information, press CTRL-ALT-DEL to see the logon screen.
Result: After completing this exercise, you will have tested and verified a GPO application.


Exercise 2: Managing GPOs


In this exercise, you will use GPMC to back up, restore, and import GPOs.
The main tasks are as follows:
1. Back up an individual policy.
2. Back up all GPOs.
3. Delete and restore an individual GPO.
4. Import a GPO.

Task 1: Back up an individual policy.
1. On NYC-DC1, open Windows Explorer and create a folder named, C:\GPO Backup.
2. In GPMC, browse to the Group Policy Objects folder.
3. Right-click the Restrict Run Command policy, and then click Backup.
4. Browse to C:\GPO Backup.
5. Click Backup, and then click OK after the backup succeeds.

Task 2: Back up all GPOs.
1. Right-click the Group Policy Objects folder, and then click Back Up All.
2. Ensure that C:\GPOBackup is the backup location. Click OK.
3. Click OK after the backup succeeds.

Task 3: Delete and restore an individual GPO.
1. Right-click the IT Favorites policy, and then click Delete. Click Yes, and then click OK when the
deletion succeeds.
2. Right-click the Group Policy Objects folder, and then click Manage Backups.
3. Restore the IT Favorites GPO.
4. Confirm that the IT Favorites policy appears in the Group Policy Objects folder.

Task 4: Import a GPO.
1. Create a new GPO named, Import, in the Group Policy Objects folder.
2. Right-click the Import GPO, and then click Import Settings.
3. In the Import Settings Wizard, click Next.
4. On the Backup GPO window, click Next.
5. Ensure the Backup folder location is C:\GPOBackup.
6. On the Source GPO screen, click Restrict Run Command, and then click Next.
Note: If more than one copy of the Restrict Run Command GPO appears, choose the newer one.
7. Finish the Import Settings wizard.
8. Click Import GPO, click the Settings tab, and then ensure that the Remove Run menu from Start
Menu setting is Enabled.

Result: After completing this exercise, you will have backed up, restored, and imported GPOs.
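The restore and import tasks of Exercise 2 done with the Group Policy cmdlets instead of GPMC, as an added example that is not part of the lab: Restore-GPO brings back the deleted GPO, Import-GPO copies settings from a backup into the new GPO, and Get-GPRegistryValue checks that the imported GPO really carries the "Remove Run menu from Start Menu" setting. The backup folder C:\GPOBackup and the lab's GPO names "IT Favorites", "Restrict Run Command" and "Import" are taken from the lab; the NoRun registry value is the policy's storage location.

```powershell
# Added example (not lab code). Assumes the lab's backup folder and GPO names.
Import-Module GroupPolicy
$backupPath = 'C:\GPOBackup'

# Task 3 equivalent: bring back the deleted GPO. Without -BackupId the most
# recent backup of that GPO in the folder is used (the lab's "choose the
# newer one"), and the GPO is re-created with its original GUID.
Restore-GPO -Name 'IT Favorites' -Path $backupPath | Out-Null

# Task 4 equivalent: create the empty target GPO (reuse it if it already
# exists) and import the settings backed up from another GPO into it.
$target = Get-GPO -Name 'Import' -ErrorAction SilentlyContinue
if ($target -eq $null) { $target = New-GPO -Name 'Import' }
Import-GPO -BackupGpoName 'Restrict Run Command' -Path $backupPath -TargetName $target.DisplayName | Out-Null

function Test-RunMenuRemoved {
    param([string]$GpoName)
    # "Remove Run menu from Start Menu" (User Configuration) is stored as the
    # registry policy value NoRun = 1 under the Explorer policies key.
    $setting = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoRun' -ErrorAction SilentlyContinue
    return ($setting -ne $null -and $setting.Value -eq 1)
}

# Same check as step 8 of Task 4, without opening the Settings tab.
if (Test-RunMenuRemoved -GpoName 'Import') {
    'Import GPO: "Remove Run menu from Start Menu" is Enabled'
} else {
    'Import GPO does not contain the Run menu setting; check the backup folder and source GPO'
}
```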


Lesson 4
Evaluating and Troubleshooting Group Policy Processing

System administrators need to know how Group Policy settings affect computers and users in a managed
environment. This information is essential when planning Group Policy for a domain, and when
debugging existing GPOs. Obtaining the information can be a complex task when you consider the many
combinations of sites, domains, and organizational units that are possible, and the many types of Group
Policy settings that can exist. Further complicating the task are security-group filtering, and GPO
inheritance, blocking, and enforcement. The Group Policy Results (GPResult.exe) command-line tool and
GPMC provide reporting features to simplify these tasks.
Troubleshooting the unexpected or undesired application of GPOs can be an equally difficult task.
Windows Server 2008 provides several tools to assist in the troubleshooting of GPO application.

Objectives
After completing this lesson, you will be able to:
• Describe Group Policy reporting.
• Determine GPO processing by using Group Policy modeling.
• Evaluate Group Policy processing.
• Describe common scenarios for troubleshooting Group Policy processing.
• Describe a general process for troubleshooting Group Policy.
• List the tools used for troubleshooting Group Policy.
• Troubleshoot Group Policy by using diagnostic tools.


What Is Group Policy Reporting?

Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting
easier. Two main reporting tools are the GPResult.exe command-line tool, and the Group Policy Results
Wizard in GPMC. The Group Policy Results feature allows administrators to determine the resultant policy
set that was applied to a given computer or user or to the computer and user who logged on to that
computer. Although these tools are similar, each provides different information.

GPResult.exe
Intended for administrators, the GPResult.exe command-line tool verifies all policy settings in effect for a
specific user, computer or user and computer combination. Administrators can run GPResult on any
remote computer within their management scope.

Syntax
gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]

Parameters
/s Computer: Specifies the name or IP address of a remote computer. (Do not use backslashes.) The
default is the local computer.
/u Domain\User: Runs the command with the account permissions of the user that is specified by User
or Domain\User. The default is the permissions of the currently logged-on user on the computer that
issues the command.
/p Password: Specifies the password of the user account that is specified in the /u parameter.
/user TargetUserName: Specifies the user name of the user whose Resultant Set of Policy (RSoP) data is
to be displayed.
/scope {user|computer}: Displays either user or computer results. Valid values for the /scope parameter
are user or computer. If you omit the /scope parameter, gpresult displays both user and computer
settings.
/v: Specifies that the output display verbose policy information.
/z: Specifies that the output displays all available information about Group Policy. Because this
parameter produces more information than the /v parameter, you should redirect the output to a text file
when you use this parameter (for example, gpresult /z >policy.txt).
/?: Displays help at the command prompt.

GPResult Output
When you run the GPResult /r command from the command prompt, Windows displays three different
categories of information: operating system information, computer settings, and user settings.
By default, GPResult returns settings in effect on the computer on which GPResult is run. In the operating
system section, GPResult provides:
• Version information.
• Domain and site information.
• User profile information.
• Slow link status.

In the computer and user sections, GPResult provides:
• Information about the last time policies were applied.
• Group Policy source.
• Slow link thresholds.
• GPOs that are applied, and their application order.
• GPOs that were not applied.
• Security group membership of users and computers.

GPResult has various switches available to refine the command for specific information. For example, it
can be run for a specific user, computer, or both. It can also be run in verbose mode to provide more
information.

Group Policy Results


The Group Policy Results tool is useful for troubleshooting Group Policy or verifying that all of the
expected settings were applied. You can use the Group Policy Results Wizard in GPMC to get detailed
reports of which policies are applied to users and computers, and you can then print these reports or save
them as HTML files to provide documentation. The results are gathered by querying the WMI-instrumented
Group Policy logging facility on a computer that processed Group Policy. The wizard returns
the settings that were actually applied, including local Group Policy settings.

Requirements for Group Policy Results

You must meet the following requirements to use the Group Policy Results Wizard:
If testing a particular user's settings on a particular computer, that user must have logged on to that
computer at least once. If the user has not logged on to the computer since Group Policy settings have
changed, you will see only the settings that were in effect the last time the user logged on.


If connecting to a remote computer, the remote procedure call (RPC) port (135) must be open on the
remote computer. You can accomplish this with a Group Policy setting that allows remote administration.
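An added example, not from the course, of reading GPResult output programmatically: gpresult's /x switch (available on Windows Vista, Windows Server 2008 and later, alongside the /v and /z switches listed above) writes the same RSoP data as an XML file, and the function below turns its GPO list into objects that state why each GPO was or was not applied, the same reasons the Group Policy Results Wizard lists under denied GPOs. The element names used (Name, Enabled, IsValid, AccessDenied, FilterAllowed, Link/SOMPath) follow the RSoP XML schema that gpresult /x and Get-GPResultantSetOfPolicy emit; NYC-CL1 and CONTOSO\Max are the lab's sample targets.

```powershell
# Added example (not course code). Assumes the RSoP XML element names named above.
function Get-GpResultStatus {
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string]$User,
        [string]$XmlPath = (Join-Path $env:TEMP 'gpresult.xml')
    )
    # /f overwrites an existing report file. A remote /s target needs RPC
    # (TCP 135) reachable and administrative rights on that computer, exactly
    # as the Group Policy Results Wizard does.
    $gpArgs = @('/s', $Computer, '/x', $XmlPath, '/f')
    if ($User) { $gpArgs += @('/user', $User) }
    & gpresult.exe @gpArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

    [xml]$rsop = Get-Content -Path $XmlPath
    $sections = @{ Computer = $rsop.Rsop.ComputerResults; User = $rsop.Rsop.UserResults }

    foreach ($scope in @('Computer', 'User')) {
        $section = $sections[$scope]
        if ($section -eq $null) { continue }      # e.g. the user never logged on to this computer
        foreach ($gpo in @($section.GPO)) {
            if ($gpo -eq $null) { continue }
            # Checked from the broadest reason to the most specific; the first
            # one that holds is reported. Values in the XML are the strings 'true'/'false'.
            if     ($gpo.Enabled -eq 'false')       { $status = 'Denied: GPO disabled' }
            elseif ($gpo.Link.Enabled -eq 'false')  { $status = 'Denied: link disabled' }
            elseif ($gpo.IsValid -eq 'false')       { $status = 'Denied: inaccessible (SYSVOL or replication)' }
            elseif ($gpo.AccessDenied -eq 'true')   { $status = 'Denied: security filtering' }
            elseif ($gpo.FilterAllowed -eq 'false') { $status = 'Denied: WMI filter' }
            else                                    { $status = 'Applied' }
            New-Object PSObject -Property @{
                Scope    = $scope
                Gpo      = $gpo.Name
                LinkedAt = $gpo.Link.SOMPath
                Status   = $status
            }
        }
    }
}

# Sample run against the lab's client and user (constructed names).
Get-GpResultStatus -Computer 'NYC-CL1' -User 'CONTOSO\Max' |
    Sort-Object Scope, Status | Format-Table Scope, Gpo, LinkedAt, Status -AutoSize
```

Because the output is objects rather than text, the same function can feed a scheduled check that alerts when a mandatory GPO stops appearing with Status 'Applied' on a computer.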


What Is Group Policy Modeling?

Key Points
Another method for testing Group Policy is to use the Group Policy Modeling Wizard in GPMC to model
environment changes before you actually make them. The Group Policy Modeling Wizard calculates the
simulated net effect of GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer objects to a different OU
or site. You can also specify slow-link detection, loopback processing, or both when using the Group
Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your Active Directory domain.
Because the wizard never queries the client computer, it cannot take local policies into account.


Demonstration: How to Evaluate Group Policy Processing

Key Points
In this demonstration, you will see how to:
• Use GPResult.exe and the Group Policy Reporting Wizard.
• Use the Group Policy Modeling Wizard.

Demonstration Steps:
1. Run GPResult.exe from the command prompt.
2. Run GPResult.exe from the command prompt and output the results to an HTML file.
3. Open GPMC.
4. Run the Group Policy Reporting Wizard and view the results.
5. Run the Group Policy Modeling Wizard and view the results.


Scenarios for Group Policy Troubleshooting

Key Points
The two main issues with Group Policy processing are:
• Policies are not applied to the client.
• Policies are applied, but the results are inconsistent or incorrect.

There may be many reasons why policies are not applied or are applied incorrectly, including the
following:
• AD DS replication issues may be preventing all domain controllers from receiving policies or policy
updates.
• GPOs may be linked incorrectly to containers.
• Slow network conditions may exist.
• Policy filtering may be set.
• Inheritance or enforcement settings may be applied.
• The loopback setting may be turned on.
• Local computer policies may be affecting the results.

Group Policy Phases


Group Policy has two distinct phases:

Core Group Policy Processing


When a client begins to process Group Policy, it must determine whether it can reach a domain controller,
whether any GPOs changed, and what policy settings (based on client side extension) to process. The core
Group Policy engine performs this processing during the initial phase.


Client Side Extension (CSE) Processing


The core Group Policy engine calls the required CSEs to process the settings that apply to the client. The
exception is security policies, which are refreshed every 16 hours, regardless of whether they have
changed.
Note: It is important to understand that Group Policy is normally a client-side event. The client pulls
policies; the server does not push them. However, there are methods by which you can force the client
to pull the policies.


Troubleshooting Group Policy

Key Points
Group Policy issues may be symptoms of unrelated issues, such as network connectivity, authentication
problems, domain controller availability, or Domain Name Service (DNS) configuration errors.

Preparing for Troubleshooting


You should begin the troubleshooting process by determining the scope of the issue. For example, is the
issue widespread, or affecting a single client only? If the issue affects a single client, you should check for
physical issues, such as incorrect configurations, or hardware or operating system failures. These issues are
usually easy to diagnose.
After you eliminate these causes, your first real troubleshooting step is to check Event Viewer entries,
Windows logs, and application and service logs, which can provide valuable information about the root
cause of issues. Log entries often direct you to the area in which to begin your investigation. After you
narrow down your problem area, you can use other diagnostic tools to pursue the issue.

Troubleshooting Inheritance
The following four settings can be used to alter the default inheritance of GPO processing:
• Block policy inheritance
• GPO enforcement
• GPO filtering of the ACL
• Windows WMI filters

If none of the users or computers in an OU or entire subtree of OUs are receiving policies that were linked
at higher levels, it may be because of inheritance blocking.
The GPMC interface shows a blue exclamation mark on a container whose inheritance is blocked.


Group Policy results reporting (RSoP) lists the GPOs that are being applied, and the GPOs that are being
blocked.
You can run the Gpresult command from the target computer to assess whether any of these settings are
prohibiting the policies from applying.
If inheritance is blocked incorrectly, removing the setting returns Group Policy processing to normal.

Troubleshooting Filtering
Group Policy filtering determines which users and computers will receive the GPO settings. Group Policy
object (GPO) filtering is based on two factors:
• Security filtering on the GPO
• WMI filters on the GPO

Group Policy filtering may look like inconsistent application of policies in an OU. If some users,
groups, or computers have filtering applied, they will not receive policies that other users in the same OU
receive.
The following steps can be taken to troubleshoot potential filtering-related issues.
• To check filtering on a GPO, in GPMC, open the Group Policy Objects node, select the GPO you are
troubleshooting, and then, in the right pane, select the Scope tab. The Security Filtering and WMI
Filtering panels show the current filtering configuration.
• To see the exact set of permissions for users, groups, and computers, select the Delegation tab, and
then click Advanced. Select the security group, user, or computer you want to review.

If the policy object should be applied to the security group, user, or computer, the minimum permissions
should be set to allow Read and Apply Group Policy.
Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If there is a link
to a non-existent WMI filter, the GPO with that link will not be processed until the link is removed or the
filter is restored.
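The filtering check described above, as an added example that is not part of the course: Get-GpoFilterSummary reads a GPO's filtering from the GPO itself (the trustees holding Apply Group Policy, and the WMI filter), and Test-AccountInSecurityFilter tells you whether one account falls inside that security filter, with nested group membership resolved through the LDAP_MATCHING_RULE_IN_CHAIN filter. This is the static view from the GPO side; whether the WMI filter passed is only known from the client's RSoP report. It assumes the ActiveDirectory module is available; "Restrict Run Command" and Max are the lab's sample names.

```powershell
# Added example (not course code). Assumes the ActiveDirectory module; sample names from the lab.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoFilterSummary {
    param([string]$GpoName)
    $gpo = Get-GPO -Name $GpoName
    # Security filtering = trustees holding Apply Group Policy (which includes
    # Read). Editors and Full Control holders can change the GPO but do not
    # receive it. Deny entries made in the Advanced dialog carry Denied = True.
    $applyTo = @(Get-GPPermissions -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name })
    $wmi = '(none)'
    if ($gpo.WmiFilter -ne $null) { $wmi = $gpo.WmiFilter.Name }
    New-Object PSObject -Property @{
        Gpo = $gpo.DisplayName; GpoStatus = $gpo.GpoStatus; AppliesTo = $applyTo; WmiFilter = $wmi
    }
}

function Test-AccountInSecurityFilter {
    param([string]$GpoName, [string]$SamAccountName)
    $summary = Get-GpoFilterSummary -GpoName $GpoName
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties sAMAccountName, primaryGroupID
    if ($acct -eq $null) { throw "Account $SamAccountName not found" }

    # Groups the account belongs to, nested groups included. The primary group
    # (Domain Users / Domain Computers) is not in memberOf, so add it by RID.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))" |
        ForEach-Object { $_.Name })
    $domainSid = (Get-ADDomain).DomainSID.Value
    $groups += (Get-ADGroup -Identity "$domainSid-$($acct.primaryGroupID)").Name

    # Every domain account is also an Authenticated User and part of Everyone.
    $identities = @('Authenticated Users', 'Everyone', $acct.sAMAccountName) + $groups
    $matched = @($summary.AppliesTo | Where-Object { $identities -contains $_ })

    New-Object PSObject -Property @{
        Gpo              = $GpoName
        Account          = $acct.sAMAccountName
        GpoStatus        = $summary.GpoStatus
        InSecurityFilter = ($matched.Count -gt 0)
        MatchedVia       = $matched
        WmiFilter        = $summary.WmiFilter   # evaluated on the client; see the RSoP report
    }
}

# Why does Max get (or not get) the Restrict Run Command GPO? (sample names)
Test-AccountInSecurityFilter -GpoName 'Restrict Run Command' -SamAccountName 'Max'
```

An account with InSecurityFilter False but a GPO linked to its OU is the "inconsistent application" case described above; an empty AppliesTo list means the GPO is filtered to nobody.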

Troubleshooting Replication
In a domain that contains more than one domain controller, Group Policy information takes time to
propagate or replicate from one domain controller to another.
• Replication issues are most noticeable in remote sites with slow connections where there is long
replication latency.
• GPOTool can check the consistency of policies across all domain controllers. Another tool is
Repadmin, which can provide information about Group Policy synchronization status and general
replication.
• After you determine that replication is the issue, you must determine whether the problem is with FRS or
AD DS replication.
• A simple test for SYSVOL replication is to put a small test file into the SYSVOL directory, and see if it
replicates to other domain controllers.
• Similarly, a simple way to test AD DS replication is to create a test object, such as an OU, and see if it
replicates to other domain controllers.
• In many cases, just waiting for normal replication cycles to complete resolves the problem.
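The two replication checks described above, as an added example that is not part of the course: Test-GpoReplication is a GPOTool-style check that compares every GPO's AD (DS) and SYSVOL version numbers on every domain controller against the first DC's view, separating SYSVOL (FRS/DFSR) lag from AD DS lag; Test-SysvolReplication drops a uniquely named test file into SYSVOL on one DC and waits for it to appear on the others. It assumes the GroupPolicy and ActiveDirectory modules; the domain name comes from the session.

```powershell
# Added example (not course code). Assumes the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoReplication {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.HostName })
    # The first DC's copy is the reference; every DC is compared with it.
    $reference = Get-GPO -All -Domain $Domain -Server $dcs[0]
    foreach ($gpo in $reference) {
        foreach ($dc in $dcs) {
            $copy = Get-GPO -Guid $gpo.Id -Domain $Domain -Server $dc -ErrorAction SilentlyContinue
            $problem = $null
            if ($copy -eq $null) {
                $problem = 'GPO missing on this DC (AD DS replication)'
            } elseif ($copy.Computer.DSVersion -ne $copy.Computer.SysvolVersion -or
                      $copy.User.DSVersion -ne $copy.User.SysvolVersion) {
                # AD and SYSVOL halves of the same GPO are out of step on one DC:
                # that points at SYSVOL (FRS/DFSR) replication, not AD DS.
                $problem = 'DS and SYSVOL versions differ on this DC (SYSVOL replication)'
            } elseif ($copy.Computer.DSVersion -ne $gpo.Computer.DSVersion -or
                      $copy.User.DSVersion -ne $gpo.User.DSVersion) {
                $problem = 'Version differs from reference DC (AD DS replication latency)'
            }
            if ($problem) {
                New-Object PSObject -Property @{ Gpo = $gpo.DisplayName; DC = $dc; Problem = $problem }
            }
        }
    }
}

function Test-SysvolReplication {
    param([string]$Domain = $env:USERDNSDOMAIN, [int]$TimeoutSeconds = 300)
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.HostName })
    $name   = "repltest-$([guid]::NewGuid().ToString()).txt"
    $source = "\\$($dcs[0])\SYSVOL\$Domain\scripts\$name"
    Get-Date | Out-File -FilePath $source
    try {
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        $pending  = @($dcs | Select-Object -Skip 1)
        while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 15
            $pending = @($pending | Where-Object { -not (Test-Path "\\$_\SYSVOL\$Domain\scripts\$name") })
        }
        return $pending    # DCs that still had not received the file at the timeout
    } finally {
        Remove-Item -Path $source -ErrorAction SilentlyContinue   # the deletion replicates too
    }
}

Test-GpoReplication | Format-Table Gpo, DC, Problem -AutoSize
$late = Test-SysvolReplication
if ($late.Count -eq 0) { 'SYSVOL test file reached every DC' } else { "Still missing on: $($late -join ', ')" }
```

An empty result from Test-GpoReplication after a wait usually confirms the last point above: normal replication cycles have caught up.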


Troubleshooting Policy Refresh


Group Policy refresh refers to a client's periodic retrieval of GPOs.
• During Group Policy refresh, the client contacts an available domain controller. If any GPOs changed,
the domain controller provides a list of all the appropriate GPOs.
• By default, GPOs are processed at the computer only if the version number of at least one GPO has
changed on the domain controller that the computer is accessing.
• Group Policy reporting provides information about when the last Group Policy refresh occurred, on
the summary page. The report also tells you if the loopback setting is enabled.


Tools Used for Troubleshooting Group Policy

Key Points
There are a number of diagnostic tools and logs that you can use to verify whether you can trace a
problem to core Group Policy.

Group Policy Troubleshooting Tools


RSoP
RSoP is a query engine that polls existing policies and then reports the query's results. RSoP polls existing
policies based on site, domain, domain controller, and OU. This is one of the main troubleshooting tools,
and you can use it to reveal common problems without having to resort to any other tool.

GPResult
Similar to Group Policy reporting, the GPResult tool is a command-line utility that displays slightly
different RSoP information about the user, computer, and Group Policy affecting them. GPResult lists
information that GPMC does not provide, including the domain controller that supplied the Group Policy
and the slow-link threshold.

Gpupdate
This tool refreshes local and AD DS-based Group Policy settings, including security settings. You can also
use it to force the client to pull policy settings from the domain controller.

Dcgpofix
This tool restores the default Group Policy objects to their original state after initial installation. You can
restore the Default Domain Policy, the Default Domain Controller, or both.

GPLogView
This utility is for use with Windows Vista and later versions, and is primarily used to export Group Policy-related
events from the System and operational logs into text, HTML, or XML files. You can also run the
tool with the -m switch to monitor real-time activities. You can download this utility from the Microsoft
download site.

Group Policy Management Scripts


GPMC sample scripts perform a number of different troubleshooting tasks, such as providing a list of all
disabled or unlinked GPOs. If you can't find a sample script that fits your needs, you can easily modify a
sample script, or create your own script. When you install GPMC, the sample scripts are automatically
added.

Group Policy Logging


If other tools do not provide the information you need to identify the problems affecting Group Policy
application, you can enable verbose logging, and then examine the resulting log files. Log files can be
generated on both the client and the server to provide detailed information.
Prior to Windows Vista, the Userenv log file performed debug logging of the user profile and the system
policy processes. Userenv logging contains information about the following:

Group Policy settings that are not processed or not applied as expected

Folder redirection that does not occur

Logon scripts or scripts not applied as expected

Default behavior occurring because a slow link was detected

Slow logon issues

Whether a given GPO is accessible, and if not, why access was denied

The name of the domain controller that is accessing Sysvol

Roaming profile issues

In addition to Userenv.log, the following CSEs provide their own verbose logs that you can enable by
modifying the registry:

Security CSE provides WinLogon.log.

Folder Redirection CSE provides FDeploy.log.

Software Installation CSE provides AppMgmt.log.

Windows Vista introduces a change to the way that the Group Policy engine provides information. Group
Policy logging information is no longer kept in the Userenv.log file. Detailed logging now is kept in the
System event log, and the Group Policy operational log. The System event log can be accessed through
Event Viewer's Applications and Services Logs section. You can use GPLogView to aggregate events from
the Group Policy operational logs into a single-view file that you can review later, or you can enable it to
run in monitor mode to see real-time event processing.
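The following PowerShell is an added example, not part of the course text or of any Microsoft tool. It combines the Gpupdate tool described in the tools list with a GPLogView-style single view of one Group Policy processing pass read from the Group Policy operational log. It assumes a Windows Vista or later client, an elevated PowerShell 2.0 or later session, and the event IDs the Group Policy engine writes (4000-4007 start of processing, 5312/5313 applied and not-applied GPO lists, 6000-6007/7000-7007 end with warning or error, 8000-8007 successful end).

```powershell
# Added example (not course code): one Group Policy processing pass as a single view.
# Assumptions: elevated session on Windows Vista or later; event IDs as listed above.

$GpoLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GPProcessingInstance {
    param([switch]$ForceRefresh)

    if ($ForceRefresh) {
        # Gpupdate /force re-applies every GPO even when no version number changed,
        # which is what a normal refresh requires before it processes anything.
        gpupdate /force | Out-Null
    }

    # The newest start-of-processing event (4000-4007) marks the most recent pass.
    $start = Get-WinEvent -FilterHashtable @{ LogName = $GpoLog; Id = (4000..4007) } -MaxEvents 1 -ErrorAction Stop

    # Every event of one pass shares the start event's ActivityId; that is the correlation
    # GPLogView relies on, so filter on it rather than on a time window alone.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $GpoLog; StartTime = $start.TimeCreated.AddSeconds(-1) } |
        Where-Object { $_.ActivityId -eq $start.ActivityId } |
        Sort-Object TimeCreated

    # End events: 6000-6007 warning, 7000-7007 error, 8000-8007 success.
    $end = $events | Where-Object {
        ($_.Id -ge 6000 -and $_.Id -le 6007) -or
        ($_.Id -ge 7000 -and $_.Id -le 7007) -or
        ($_.Id -ge 8000 -and $_.Id -le 8007) } | Select-Object -Last 1

    New-Object PSObject -Property @{
        ActivityId  = $start.ActivityId
        Started     = $start.TimeCreated
        Trigger     = ($start.Message -split "`n")[0].Trim()
        Succeeded   = [bool]($end -and $end.Id -ge 8000)
        # 5312 lists the GPOs that were applied, 5313 those filtered out and why.
        AppliedGPOs = @($events | Where-Object { $_.Id -eq 5312 } | ForEach-Object { $_.Message })
        SkippedGPOs = @($events | Where-Object { $_.Id -eq 5313 } | ForEach-Object { $_.Message })
        Errors      = @($events | Where-Object { $_.Level -eq 1 -or $_.Level -eq 2 } | ForEach-Object { $_.Message })
        Events      = $events
    }
}

function Export-GPProcessingInstance {
    # Like GPLogView's export: save the pass to a file (XML or CSV) for later review.
    param([Parameter(Mandatory=$true)]$Instance, [Parameter(Mandatory=$true)][string]$Path)
    $rows = $Instance.Events | Select-Object TimeCreated, Id, LevelDisplayName, Message
    if ($Path -like '*.xml') { $rows | Export-Clixml -Path $Path }
    else { $rows | Export-Csv -Path $Path -NoTypeInformation }
}

# Usage, e.g. on a client that is not applying a GPO as expected:
$pass = Get-GPProcessingInstance -ForceRefresh
"Trigger: $($pass.Trigger)  succeeded: $($pass.Succeeded)  errors: $($pass.Errors.Count)"
$pass.SkippedGPOs
Export-GPProcessingInstance -Instance $pass -Path "$env:TEMP\gp-pass.csv"
```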


Demonstration: Using Group Policy Diagnostic Tools

Key Points
In this demonstration, you will see how to:

Use various Group Policy Diagnostic Tools.

Lab C: Troubleshooting Group Policy


Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1


Scenario
Users in the IT OU should not have access to the Run command on the Start menu. You will restore and
link the TestA GPO to apply this setting.
The local desktop technician has escalated the following issue to the server team:

Description of problem: No users should be able to access the Run command on the Start menu, but
all users in the IT OU currently have access to the Run command.

The main tasks in this exercise are:

1. Restore the TestA GPO.
2. Link the TestA GPO to the IT OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the TestA GPO.

On NYC-DC1, in the Group Policy Management window, restore the TestA GPO from backup. The
TestA GPO is located at C:\Tools\GPOBackup.

Task 2: Link the TestA GPO to the IT OU.

In the Group Policy Management window, link the TestA GPO to the IT OU.

Task 3: Test the GPO.

1. On NYC-CL1, log on as CONTOSO\Ed with the password Pa$$w0rd.
2. Click Start, and then notice the presence of the Run command. It should not be present.
3. Log off from NYC-CL1.

Task 4: Troubleshoot the GPO.

1. On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.
2. In the report summary, under User Configuration Summary, notice that the TestA GPO is being
applied.
3. On the Settings tab, under User Configuration, notice that the Add the Run command to the
Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution.

1. Edit the TestA GPO.
2. In the Group Policy Management Editor window, under User Configuration, Policies,
Administrative Templates, Start Menu and Taskbar, change Add the Run command to the Start
Menu to Disabled, and then click OK.
3. On NYC-CL1, log on as CONTOSO\Ed with the password Pa$$w0rd.
4. Click Start, and notice that the Run command is no longer present.
5. Do not log off from NYC-CL1.

Result: After completing this exercise, you will have resolved a Group Policy object issue.

Exercise 2: Troubleshooting Incorrect Policy Settings: Scenario 2


Scenario
You have been asked to restore the TestB GPO and link it to the Loopback OU. This GPO is designed to
enhance security.
The local desktop technician has escalated the following issue to the server team:

Description of problem: Since the application of the GPO, Ed has access to the Run command on his
Start menu.

The main tasks in this exercise are:

1. Create a new OU named Loopback.
2. Restore the TestB GPO.
3. Link the TestB GPO to the Loopback OU.
4. Move NYC-CL1 to the Loopback OU.
5. Test the GPO.
6. Troubleshoot the GPO.
7. Resolve the issue and test the resolution.

Task 1: Create a new OU named Loopback.

1. On NYC-DC1, open Active Directory Users and Computers.
2. Create a new Organizational Unit under Contoso.com named Loopback.

Task 2: Restore the TestB GPO.

On NYC-DC1, in the Group Policy Management window, restore the TestB GPO from backup. The
TestB GPO is located at C:\Tools\GPOBackup.

Task 3: Link the TestB GPO to the Loopback OU.

In the Group Policy Management window, link the TestB GPO to the Loopback OU. You may need
to refresh the Group Policy Management console to view the new OU.

Task 4: Move NYC-CL1 to the Loopback OU.

In Active Directory Users and Computers, move the NYC-CL1 computer from the Computers
container to the Loopback OU.

Task 5: Test the GPO.

1. Restart NYC-CL1.
2. When the computer restarts, log on as Contoso\Ed, with the password, Pa$$w0rd.
3. Click Start and notice that the Run command is present once again.

Task 6: Troubleshoot the GPO.

1. On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.
2. In the summary report, under Computer Configuration, review the applied GPOs and notice that
the TestB GPO has been applied.
3. On the Settings tab, under Computer Configuration, notice that loopback processing mode is
enabled.

Note: Group Policy applies to the user, computer, or both in a manner that depends on where both the
user and the computer objects are located in Active Directory. However, in some cases, users may need
policy applied to them based on the location of the computer object alone. You can use the Group
Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution.

1. In the Group Policy Management window, disable the link for the TestB GPO.

Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there
were other settings in the GPO that you did wish to have applied.

2. Restart NYC-CL1.
3. When the computer restarts, log on as CONTOSO\Ed, with the password, Pa$$w0rd.
4. Click Start and notice that the Run command is no longer present.

Result: After completing this exercise, you will have resolved a Group Policy object issue.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-CL1.

Module Review and Takeaways

Review Questions

1. What methods exist that allow you to modify the application of Group Policy settings within AD DS?

Answer: You control policy processing through link order/precedence, by overriding inheritance, blocking
inheritance, enforcing link inheritance, security/WMI filtering, disabling/enabling user/computer
configuration processing, and/or modifying loopback processing.

2. A user in one of your organization's branch locations is not receiving a software deployment
package that has been assigned to his computer in a GPO. Upon consulting GPMC, you discover that
the GPO is linked to the proper OU containing the user's computer and that no filtering or
inheritance settings are affecting the GPO. What could be the problem?

Answer: Since the user is connecting from a branch location, the bandwidth available between the user's
computer and the nearest domain controller may be detected as a slow link.
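The following PowerShell is an added example, not part of the course or of the Group Policy module's documentation. It uses the Windows Server 2008 R2 Group Policy module to list, for one container, each factor the first answer names: link order and precedence, blocked inheritance, enforced and disabled links, security filtering, WMI filters, and disabled user or computer configuration halves. It assumes GPMC (which ships the module) is installed, that the current user's domain is the one being audited, and that "OU=IT,DC=contoso,DC=com" is an example target.

```powershell
# Added example (not course code): why a GPO does or does not reach a given OU.
# Assumptions: GPMC installed, single domain (the cmdlets default to the current domain),
# target DN is an example taken from the lab's Contoso domain.

Import-Module GroupPolicy

function Get-GPOApplicationReport {
    param([Parameter(Mandatory=$true)][string]$Target)   # DN of an OU, or a domain/site

    $inh = Get-GPInheritance -Target $Target
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$Target blocks inheritance: only Enforced links from parents still apply"
    }

    # InheritedGpoLinks is the resolved precedence list, highest precedence first
    # (Enforced parent links ahead of the container's own links, ordered by link order).
    $precedence = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $precedence++
        $gpo = Get-GPO -Guid $link.GpoId

        # Security filtering: only trustees holding the GpoApply permission receive the GPO.
        $appliesTo = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        $wmi = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }

        New-Object PSObject -Property @{
            Precedence      = $precedence
            GPO             = $gpo.DisplayName
            LinkedAt        = $link.Target
            LinkEnabled     = $link.Enabled
            Enforced        = $link.Enforced
            GpoStatus       = $gpo.GpoStatus        # AllSettingsEnabled, UserSettingsDisabled, ...
            WmiFilter       = $wmi
            AppliesTo       = ($appliesTo -join ', ')
            # A client only reprocesses a GPO whose version number changed on its DC,
            # so the AD version is worth seeing next to the link when a change "did not apply".
            UserVersion     = $gpo.User.DSVersion
            ComputerVersion = $gpo.Computer.DSVersion
        }
    }
}

# Usage: the winning order of GPOs for the IT OU, and why one might be skipped on a client.
Get-GPOApplicationReport -Target 'OU=IT,DC=contoso,DC=com' |
    Format-Table Precedence, GPO, LinkedAt, LinkEnabled, Enforced, GpoStatus, WmiFilter, AppliesTo -AutoSize
```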

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: Group Policy module for Windows PowerShell
Description: Automate many of the same tasks for domain-based GPOs that you perform in the user interface by using GPMC.

Tools

Tool: Group Policy Management Console
Use for: Managing Group Policy application in an AD DS domain.
Where to find it: On the Administrative Tools menu.

Tool: Group Policy module for Windows PowerShell
Use for: Automating many of the same tasks for domain-based GPOs that you perform in the user interface by using GPMC.
Where to find it: On the Administrative Tools menu.

Tool: GPResult.exe
Use for: Displaying RSoP information about the user, computer, and Group Policy affecting them.
Where to find it: Run from the command line.

Tool: Gpupdate.exe
Use for: Refreshing local and AD DS-based Group Policy settings.
Where to find it: Run from the command line.

Tool: Dcgpofix.exe
Use for: Restoring the default Group Policy objects to their original state after initial installation.
Where to find it: Run from the command line on a domain controller.

Tool: GPLogView
Use for: Monitoring and exporting Group Policy-related events from the System and operational logs.

Module 10
Using Group Policy to Configure User and Computer Settings

Contents:

Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts   10-3
Lab A: Using Group Policy to Configure Scripts and Folder Redirection   10-14
Lesson 2: Using Administrative Templates to Manage Users and Computers   10-17
Lab B: Configuring Administrative Templates   10-24
Lesson 3: Deploying Software Using Group Policy   10-27
Lab C: Deploying Software Using Group Policy   10-37
Lesson 4: Deploying Group Policy Preferences   10-39
Lab D: Deploying Group Policy Preferences   10-46

Module Overview

In this module, you will learn how to configure a user environment by using Group Policy. Specifically, this
module provides the skills and knowledge that you need to use Group Policy to configure Folder
Redirection and to use scripts. You also will learn how Administrative Templates affect Microsoft Windows
7 and Windows Server 2008, and how to deploy software by using Group Policy. This module also
describes how to use Group Policy preferences to enhance Group Policy settings.
After completing this module, you will be able to:

Use Group Policy to configure folder redirection and scripts.

Use Administrative Templates to manage users and computers.

Deploy software by using Group Policy.

Deploy Group Policy Preferences.

Lesson 1

Using Group Policy to Configure Folder Redirection and Scripts

Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You can
also redirect folders that the user's profile includes, from the user's local hard disk to a central server.
After completing this lesson, you will be able to:

Describe folder redirection.

Select the appropriate folder redirection configuration options.

Describe security settings for redirected folders.

Configure folder redirection.

Describe Group Policy scripts.

Configure scripts by using Group Policy.

What Is Folder Redirection?

Key Points
With Folder Redirection, you can easily manage and back up data. By redirecting folders, you can ensure
user access to data regardless of the computers to which the users log on. Folder redirection has the
following characteristics:

When you redirect folders, you change the folder's storage location from the local hard disk of the user's
computer to a shared folder on a network file server.

After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard
disk.

Offline Files technology can be used in conjunction with redirection to synchronize the data in the
redirected folder to the user's local hard drive. This ensures that users have access to their data if a
network outage occurs or if the user is working offline.

Advantages of Folder Redirection


There are many advantages of folder redirection such as the following:

Users that log on to multiple computers can access their data as long as they can access the network
share.

Offline folders allow users to access their data even if they are disconnected from the local area
network (LAN).

Data that is stored on servers in network shares is backed up.

Roaming profile size can be greatly reduced by redirecting data from the profile.

Question: Can you list some disadvantages of folder redirection?

Folder Redirection Configuration Options

Key Points
In a Group Policy object (GPO), the following settings are available for folder redirection: None, Basic,
Advanced, and Follow the Documents folder:

None. None is the default setting. Folder redirection is not enabled.

Basic. Basic folder redirection is for users who must redirect their folders to a common area or users
who need their data to be private.

Advanced. Advanced redirection allows you to specify different network locations for different Active
Directory security groups.

Follow the Documents. Follow the Documents folder redirection is available only for the Pictures,
Music, and Videos folders. It makes the affected folder a subfolder of the Documents folder.

If you choose Basic or Advanced, you can choose from the following target folder locations:

Create a folder for each user under the root path. This option creates a folder in the form
\\server\share\User Account Name\Folder Name. Each user has a unique path for the redirected
folder to keep data private. By default, that user is granted exclusive rights to the folder, and in the
case of the Documents folder, the current contents of the folder are moved to the new location.

Redirect to the following location. This option uses an explicit path for the redirection location. It
causes multiple users to share the same path for the redirected folder. By default, that user is granted
exclusive rights to the folder, and in the case of the Documents folder, the current contents of the
folder are moved to the new location.

Redirect to the local user profile location. This option moves the location of the folder to the local
user profile under the Users folder.

Redirect to the user's home directory. This option is available only for the Documents folder.

Note: After the initial creation and application of a GPO that delivers folder redirection settings, users
require two logons before redirection takes effect. This is because users will log on with cached
credentials.
Question: Users in the same department often log on to different computers. They need access to their
Documents folder. They also need the data to be private. Which folder redirection setting should you
choose?

Security Settings for Redirected Folders

Key Points
You need to manually create and permission a shared network folder to store the redirected folders.
However, folder redirection can also create the user's redirected folders. Folder permissions are handled as
follows:

When you use this option, the correct subfolder permissions are set automatically.

If you manually create folders, you must know the correct permissions. These permissions are
illustrated on the slide.

Question: What steps should you take to protect the data while it is in transit between the client and the
server?
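The following PowerShell is an added example, not part of the course or of any Microsoft tool. It checks a redirection root of the "Create a folder for each user under the root path" form (\\server\share\User Account Name\Folder Name) for the two permission mistakes that undo the "exclusive rights" the page describes: a broad group whose rights on the root inherit into the per-user folders, and a per-user folder whose owner or ACL no longer matches that one user. It assumes it runs with administrative rights on the file server, that folder names equal user account names, and that $Domain is the NetBIOS domain of those accounts.

```powershell
# Added example (not course code): audit a folder redirection root and its per-user folders.
# Assumptions: run as an administrator on the file server; subfolder name == user account name;
# the only principals expected on a user's folder besides the user are those in -AllowedOnUserFolders.

function Test-RedirectionRoot {
    param(
        [Parameter(Mandatory=$true)][string]$RootPath,
        [string]$Domain = $env:USERDOMAIN,                          # assumed NetBIOS domain name
        [string[]]$AllowedOnUserFolders = @('NT AUTHORITY\SYSTEM')   # besides the folder's owner
    )
    # Groups that may only get the minimum at the root: list it and create their own subfolder.
    $broad = '^(Everyone|NT AUTHORITY\\Authenticated Users|.+\\Domain Users)$'
    $rootRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, ReadAttributes, Synchronize'
    $findings = @()

    foreach ($ace in (Get-Acl -Path $RootPath).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -notmatch $broad) { continue }
        # Anything inheriting from the root into user folders breaks "exclusive rights" for every user.
        if ($ace.InheritanceFlags -ne 'None') {
            $findings += "Root: $($ace.IdentityReference) inherits into user folders (flags: $($ace.InheritanceFlags))"
        }
        # More than list/create on the root (e.g. Modify or Full Control) is also too much.
        $extra = [int]$ace.FileSystemRights -band -bnot [int]$rootRights
        if ($extra -ne 0) {
            $findings += "Root: $($ace.IdentityReference) holds rights beyond list/create ($($ace.FileSystemRights))"
        }
    }

    foreach ($dir in Get-ChildItem -Path $RootPath | Where-Object { $_.PSIsContainer }) {
        $acl = Get-Acl -Path $dir.FullName
        $expectedOwner = "$Domain\$($dir.Name)"
        # Ownership taken by someone else (e.g. an admin) is the usual sign of manual tampering.
        if ($acl.Owner -ne $expectedOwner) {
            $findings += "$($dir.Name): owner is $($acl.Owner), expected $expectedOwner"
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($who -ne $expectedOwner -and $AllowedOnUserFolders -notcontains $who) {
                $findings += "$($dir.Name): $who has $($ace.FileSystemRights) (inherited: $($ace.IsInherited))"
            }
        }
    }
    return $findings
}

# Usage against the lab's demonstration share (path is the one used in this module's demo):
$issues = Test-RedirectionRoot -RootPath 'C:\Redirect' -Domain 'CONTOSO'
if ($issues.Count -eq 0) { 'No redirection permission issues found' } else { $issues }
```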

Demonstration: Configuring Folder Redirection

Key Points
In this demonstration, you will see how to:

Create a shared folder.

Test folder redirection.

Demonstration Steps:
Create a shared folder
1. On NYC-DC1, click Start, click Computer, double-click the C: drive, and then create a folder named
C:\Redirect.
2. Share the folder with Everyone with Full Control permission.
Create a GPO to redirect the Documents folder
1. Open the Group Policy Management console and create and link a GPO named Folder Redirection
to the Contoso domain.
2. Edit the Folder Redirection GPO.
3. Configure the Documents folder properties to use the Basic-Redirect everyone's folder to the
same location setting.
4. Ensure that the Target folder location is set to Create a folder for each user under the root path.
5. Make the Root Path \\NYC-DC1\Redirect.
6. Close all open windows on NYC-DC1.
Test the Folder Redirection
1. Log on to NYC-CL1 as Contoso\Administrator.

2. Check the properties of the Documents folder.


The path will be \\NYC-DC1\Redirect.
3. Log off of NYC-CL1.
Note: Due to cached credentials, you will need two logons to see the redirection.

What Are Group Policy Scripts?

Key Points
You can use Group Policy scripts to perform any number of tasks. There may be actions that you need to
perform every time a computer starts or shuts down, or when users log off or on. For example, you can
use scripts to:

Clean up desktops when users log off and shut down computers.

Delete the contents of temporary directories.

Map drives or printers.

Set environment variables.

Scripts that are assigned to the computer run in the security context of the Local System account. Scripts
that are assigned to the user logging on run in the security context of that user.
Aspects of how scripts run are controlled by other Group Policy settings. For example, if multiple scripts
are assigned, you can control whether they run synchronously or asynchronously.
Scripts can be written in any scripting language that the Windows client can interpret, such as VBScript,
JScript, or simple command or batch files.
Note: In Windows Server 2008 R2, the user interface (UI) in Group Policy Editor for Logon, Logoff,
Startup, and Shutdown scripts now has an extra tab for PowerShell scripts. You can simply add your
PowerShell script to this tab to deploy it. Windows Server 2008 R2 or Windows 7 can run PowerShell
scripts via Group Policy.
Scripts are stored in shared folders on the network. You need to ensure that the client has access to that
network location or scripts fail to run. Although any network location can store scripts, as a best practice, use
the Netlogon share because all users and computers that are authenticated to Active Directory Domain
Services (AD DS) have access to this location.

For many of these settings, using Group Policy preferences is a better alternative to configuring them in
Microsoft Windows images or using logon scripts. Group Policy preferences are covered in more detail
later in this module.
Question: Which permissions are required on network shares so that clients can connect and run a script?

Demonstration: Configuring Scripts Using Group Policy

Key Points
In this demonstration, you will see how to:

Create a logon script to map a network drive.

Create and link a GPO to use the script and store the script in the Netlogon share.

Log on to client computer and test results.

Demonstration Steps:
Create a logon script to map a network drive.
1. On NYC-DC1, launch Notepad and enter the following command:

Net use t: \\nyc-dc1\marketingtemplates

2. Save the file as Map.bat. In the Save As dialog box, click the Save as type: drop-down arrow and
select All Files (*.*) as the type. Save the file to the default location of Documents.
3. Copy the file to the clipboard.

Create and link a GPO to use the script and store the script in the Netlogon share.
1. Use the Group Policy Management console to create and link a new GPO named Drivemap to the
Contoso domain.
2. Edit the GPO to configure a user logon script.
3. Paste the Map.bat script into the Netlogon share.
4. Add the Map.bat script to the logon scripts.

Log on to the client to test the results.
1. On NYC-CL1, log on as Contoso\Administrator.
2. Click Start, click Computer, and then verify that the drive is mapped.

3. Log off of NYC-CL1.

Question: What other method could you use to assign logon scripts to users?

Lab A: Using Group Policy to Configure Scripts and


Folder Redirection

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Lab Scenario
Contoso, Ltd. has decided to implement Group Policy to manage user desktops. The organization has
already implemented an organizational unit (OU) configuration that includes top-level OUs of different
departments. Contoso, Ltd. wants to use Group Policy to map network locations for users and redirect the
documents of specific users to ensure their data is secured and backed up.

Exercise 1: Using a Group Policy Logon Script to Map a Network Drive

Scenario
You need to create a logon script that maps a network drive to the shared folder named Data on NYC-DC1. Then, you need to use Group Policy to assign the script to all users in the Contoso domain. The script needs to be stored in a highly available location.
The main tasks for this exercise are as follows:
1. Create a script to map a drive.
2. Create and link a GPO.
3. Edit the GPO and store the script in Sysvol.
4. Test the script.

Task 1: Create a script to map a drive to the data share
1. On NYC-DC1, use Notepad to create a batch file named Map.bat that maps drive T to the \\nyc-dc1\data share.
2. Save the file to the default location. In the Save As dialog box, click the Save as type: drop-down arrow and select All Files (*.*) as the type. Save the file to the default location of Documents.
3. Browse to the saved location and copy the file to the clipboard.

Task 2: Create and link a GPO
Create a GPO named Drivemap and link it to the Contoso.com domain.

Task 3: Edit the GPO and store the script in Sysvol
1. Edit the Drivemap GPO to assign the Map.bat logon script to users.
2. Copy the Map.bat script to the Netlogon share. Netlogon is a subfolder of Sysvol, so the script is replicated to every domain controller and remains available if NYC-DC1 is offline. Because a logon script runs in the security context of every user who logs on, only administrators should be able to write to this share.

Task 4: Test the results
1. On NYC-CL1, log on as Contoso\Administrator with a password of Pa$$w0rd.
2. Verify that drive T has been mapped.
3. Log off NYC-CL1.

Results: In this exercise, you created a script and a GPO to assign the script, and stored the script in a highly available location.
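The following Windows PowerShell script is an added example, not part of the course; it performs Tasks 1 to 3 of this exercise from NYC-DC1 with the GroupPolicy module that ships with Windows Server 2008 R2 and the Remote Server Administration Tools, and then gives you two checks: one that reads the GPO's scripts.ini in Sysvol to confirm the logon script is registered, and one to run on NYC-CL1 that confirms the mapping through WMI rather than by looking at Explorer. It assumes the lab names (domain contoso.com, GPO Drivemap, script Map.bat, share \\nyc-dc1\data); the function names are my own. Registering the script in the GPO itself has no cmdlet, so that step still happens in the GPMC editor.

```powershell
# Added example (not course material): automate Lab A, Exercise 1 on NYC-DC1 and
# verify the result. Assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT)
# and the lab's names: domain contoso.com, GPO "Drivemap", script Map.bat.
Import-Module GroupPolicy

$Domain     = 'contoso.com'
$GpoName    = 'Drivemap'
$ScriptName = 'Map.bat'
$Netlogon   = "\\$Domain\NETLOGON"      # part of SYSVOL, replicated to every DC

# 1. Create the logon script in Documents. /persistent:no keeps the mapping out of
#    the profile so the next logon does not fail with "already in use" (error 85).
$ScriptPath = Join-Path ([Environment]::GetFolderPath('MyDocuments')) $ScriptName
Set-Content -Path $ScriptPath -Value 'net use t: \\nyc-dc1\data /persistent:no' -Encoding Ascii

# 2. Create the GPO and link it to the domain, unless it already exists.
try   { $Gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $Gpo = $null }
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment 'Maps drive T: to \\nyc-dc1\data'
    New-GPLink -Name $GpoName -Target 'DC=contoso,DC=com' -LinkEnabled Yes | Out-Null
}

# 3. Stage the script in NETLOGON. Whoever can modify this file runs code as every
#    user who logs on, so write access here must stay with administrators only.
Copy-Item -Path $ScriptPath -Destination $Netlogon -Force

# 4. Check whether the GPMC editor step (Task 3) has registered the script. The
#    editor records user logon scripts in scripts.ini under the GPO's User\Scripts folder.
function Test-LogonScriptRegistered {
    param([string]$GpoId, [string]$Script)
    $Ini = "\\$Domain\SYSVOL\$Domain\Policies\{$GpoId}\User\Scripts\scripts.ini"
    if (-not (Test-Path $Ini)) { return $false }
    $Text = Get-Content -Path $Ini | Out-String
    return ($Text -match '\[Logon\]') -and ($Text -match [regex]::Escape("CmdLine=$Script"))
}
if (Test-LogonScriptRegistered -GpoId $Gpo.Id -Script $ScriptName) {
    "Logon script $ScriptName is registered in GPO $GpoName."
} else {
    "Open GPMC, edit $GpoName and add $ScriptName under User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)."
}

# 5. On NYC-CL1, after logging on: confirm the drive and that it points where expected.
function Test-DriveMapped {
    param([string]$Letter = 'T:', [string]$Expected = '\\nyc-dc1\data')
    $Conn = Get-WmiObject -Class Win32_NetworkConnection | Where-Object { $_.LocalName -eq $Letter }
    return ($Conn -ne $null) -and ($Conn.RemoteName -eq $Expected)
}
```

Run the first part on NYC-DC1 as a Domain Admin, add the script in the GPMC editor when prompted, then call Test-DriveMapped on NYC-CL1 after a fresh logon (gpupdate /force is not enough, because logon scripts only run at logon).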

Exercise 2: Using Group Policy to Redirect Folders

Scenario
You need to create a network folder on NYC-DC1 and set permissions to share and secure the folder. You will create and test a GPO to redirect the Documents folder for all members of the Research OU.
The main tasks for this exercise are as follows:
1. Create a shared folder.
2. Create a GPO to redirect the Documents folder.
3. Test folder redirection.

Task 1: Create a shared folder
1. On NYC-DC1, create a new folder, C:\Redirect.
2. Share the Redirect folder to the Research group and grant them Read/Write permission.

Task 2: Create a GPO to redirect the Documents folder
1. Create and link a new GPO named Redirect to the Research OU.
2. Edit the Redirect GPO to redirect the Documents folder with the following settings:
   Setting: Basic - Redirect everyone's folder to the same location.
   Target folder location: Create a folder for each user under the root path.
   Root Path: \\NYC-DC1\Redirect

Task 3: Test folder redirection
1. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd.
2. Examine the properties of the Documents folder. Note that the location of the folder is now the Redirect network share, in a subfolder named for the user.
3. Close all open windows and log off.

Note: Folder Redirection is applied only during a foreground (synchronous) logon. Because Windows 7 uses Fast Logon Optimization and processes Group Policy asynchronously, the first logon may only download the new policy, and a second logon may be required before you see the redirection, unless the user has never logged on to this computer before (a first logon is always processed synchronously).

Results: In this exercise, you created and set permissions on a shared folder. You created and linked a GPO to redirect the Research users' documents to the shared folder.
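The following Windows PowerShell script is an added example, not part of the course. It builds the share from Task 1 on NYC-DC1 with the NTFS permission model Microsoft recommends for redirected folders (each user can create and own only his or her own subfolder, and cannot browse anyone else's), which the lab's simple Read/Write share permission does not give you, and then provides a check to run as Dylan on NYC-CL1 that reads where Windows really thinks the Documents folder is. It assumes the lab names (C:\Redirect, share Redirect, group CONTOSO\Research, server NYC-DC1); the function names are my own.

```powershell
# Added example (not course material): Lab A, Exercise 2. Run the first part on
# NYC-DC1 as a Domain Admin; run the functions at the end on NYC-CL1 as the user.
$Root  = 'C:\Redirect'
$Share = 'Redirect'
$Group = 'CONTOSO\Research'

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# NTFS permissions for a folder-redirection root:
#  - remove inheritance from C:\ so no broad "Users" entry leaks through;
#  - SYSTEM and Administrators: full control for backup and support;
#  - the Research group: list the root and create a subfolder, this folder only
#    (RD = read data/list, AD = append data/create folder, RC = read control, S = synchronize);
#  - CREATOR OWNER: full control on the subfolders and files it creates, inherit-only,
#    so each user owns only his or her own folder and cannot read a colleague's.
icacls $Root /inheritance:r | Out-Null
icacls $Root /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $Root /grant "${Group}:(RD,AD,RC,S)" | Out-Null
icacls $Root /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null

# Share permission as in the lab (Read/Write = CHANGE). The NTFS ACL above is what
# actually separates the users from each other; the share permission only caps it.
net share "$Share=$Root" "/GRANT:$Group,CHANGE" | Out-Null

# On NYC-CL1, logged on as Dylan: where does the shell think Documents is?
# Folder Redirection is applied only during a synchronous logon, so with Fast Logon
# Optimization this may still show the local path after the first logon.
function Get-DocumentsLocation {
    $Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $Raw = (Get-ItemProperty -Path $Key -Name Personal).Personal
    return [Environment]::ExpandEnvironmentVariables($Raw)
}

# With "Create a folder for each user under the root path", the expected location
# is <root>\<username>\Documents.
function Test-DocumentsRedirected {
    param([string]$ExpectedRoot = '\\NYC-DC1\Redirect', [string]$User = $env:USERNAME)
    return (Get-DocumentsLocation) -eq (Join-Path $ExpectedRoot "$User\Documents")
}
```

If Test-DocumentsRedirected returns False right after the first logon, log off and on again before assuming the GPO is wrong; if it still returns False, gpresult /r /scope:user shows whether the Redirect GPO was applied to the user at all.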

To prepare for the next lab


When you finish the lab, leave the virtual machines running.

Lesson 2

Using Administrative Templates to Manage Users and


Computers

The Administrative Template files provide the majority of available policy settings, which are designed to
modify specific registry keys. This is known as registry-based policy. For many applications, the use of
registry-based policy that the Administrative Template files deliver is the simplest and the best way to
support centralized management of policy settings. In this lesson, you will learn how to configure
Administrative Templates.
After completing this lesson, you will be able to:

Describe Group Policy administrative templates.

Describe ADM and ADMX files.

Describe the Central Store.

Describe example scenarios for using administrative templates.

Overview of Group Policy Administrative Template Settings

Key Points
Administrative Templates allow you to control the environment of the operating system and the user experience. There are two sets of Administrative Templates: one for users and one for computers. Using the Administrative Templates sections of the GPO, you can deploy hundreds of modifications to the registry. Administrative Templates have the following characteristics:

They are organized into subfolders that deal with specific areas of the environment, such as Network, System, and Windows Components.

The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and settings in the user section edit the HKEY_CURRENT_USER hive. True policy settings are written under the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys, which standard users cannot modify and which are cleaned up when the GPO no longer applies.

Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.

Some settings are available only on certain versions of the Windows operating system; for example, a number of newer settings apply only to the Windows 7 family of operating systems. Double-clicking a setting displays the versions that support it.

Question: Which settings are you currently configuring manually or through scripts that you could
configure by using Group Policy?

What Are ADM and ADMX Files?

Key Points
ADM Files
Traditionally, ADM files have been used to define the settings that the administrator can configure
through Group Policy. Each successive Windows operating system and service pack has included a newer
version of these files. ADM files use their own markup language. Therefore, it is difficult to customize ADM
files. The ADM templates are located in the %SystemRoot%\Inf folder.
A major drawback of ADM files is that they are copied into every GPO that is created, and consume about
3 megabytes (MB) of space. This can cause the Sysvol folder to become very large and increase replication
traffic.

ADMX Files
Windows Vista and Windows Server 2008 introduced a new format for displaying registry-based policy settings. These settings are defined by using a standards-based XML file format known as ADMX files. These new files replace ADM files. Group Policy tools on Windows Vista, Windows Server 2008 and later continue to recognize any custom ADM files in your existing environment, but ignore the ADM files that ADMX files have superseded. Unlike ADM files, ADMX files are not stored in individual GPOs. The Group Policy Object Editor automatically reads and displays settings from the local ADMX file store. By default, ADMX files are stored in the Windows\PolicyDefinitions folder, but they can also be stored in a central location in Sysvol.
ADMX files are language neutral. The plain-language descriptions of the settings are not part of the ADMX files; they are stored in language-specific ADML files. This means that administrators who speak different languages, such as English and Spanish, can look at the same GPO and see the policy descriptions in their own language, because each uses their own language-specific ADML files. ADML files are stored in a language subfolder of the PolicyDefinitions folder (for example, en-US). By default, only the ADML files for the language of the installed operating system are added.

Question: How could you tell if a GPO was created or edited by using ADM or ADMX files?

Question: Can you list one benefit of the ADMX format with Group Policy object?

What Is the Central Store?

Key Points
For domain-based enterprises, administrators can create a central store of ADMX files that is accessible to anyone with permission to create or edit GPOs. The Group Policy Object Editor on Windows Vista, Windows Server 2008 and later automatically reads and displays Administrative Template policy settings from the ADMX files in the central store and ignores the ones stored locally. If the domain controller is not available, the local store is used.
You must create the central store and then update it manually on a domain controller. Because the ADMX files are read by the computer on which you create or edit the GPO, not by the domain controller, the domain controller can run Windows 2000 Server or later; the central store is simply a folder in Sysvol. Sysvol, and therefore the central store, is replicated to the domain's other domain controllers by either the File Replication Service (FRS) or DFS Replication (DFS-R), depending on the server operating system and configuration.
To create a central store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:

\\FQDN\SYSVOL\FQDN\Policies

For example, to create a central store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location:

\\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies

You must copy all files and subfolders of the PolicyDefinitions folder. The PolicyDefinitions folder on a Windows 7-based computer resides in the Windows folder. The PolicyDefinitions folder stores all .admx files and the .adml files for all languages that are enabled on the client computer.

Note: You must log on to the domain controller with an account that is a member of the Domain Admins group. To ensure that the appropriate languages are available, the Windows 7 desktop whose PolicyDefinitions folder you copy must have the appropriate language packs installed.
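The following Windows PowerShell script is an added example, not part of the course. It creates the central store for the lab domain from the PolicyDefinitions folder of the computer you edit GPOs on, and adds the check that the text above implies but does not show: once a central store exists the editor silently ignores the local ADMX files, so after a service pack, a new Windows version or a product such as Office adds templates, new settings appear only if the store is refreshed. The script assumes the contoso.com domain and that it runs as a Domain Admin; the function names are my own.

```powershell
# Added example (not course material): create and audit the ADMX central store.
# Assumes domain contoso.com and a Domain Admin session on the editing workstation.
$Domain = 'contoso.com'
$Local  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$Store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

function New-CentralStore {
    # Copies every .admx file and every language subfolder (the .adml files).
    # Nothing is stored per GPO, so the store costs SYSVOL a few MB once, not per GPO.
    if (-not (Test-Path $Store)) { New-Item -Path $Store -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $Local '*') -Destination $Store -Recurse -Force
}

# Lists template files that exist locally but are missing from the store or are
# newer locally (Copy-Item preserves the last-write time, so a fresh copy is never stale).
function Get-StaleCentralStoreFiles {
    Get-ChildItem -Path $Local -Recurse -Include *.admx, *.adml | ForEach-Object {
        $Relative = $_.FullName.Substring($Local.Length + 1)
        $Target   = Join-Path $Store $Relative
        if (-not (Test-Path $Target)) {
            New-Object PSObject -Property @{ File = $Relative; State = 'Missing from store' }
        } elseif ($_.LastWriteTimeUtc -gt (Get-Item $Target).LastWriteTimeUtc) {
            New-Object PSObject -Property @{ File = $Relative; State = 'Newer locally' }
        }
    }
}

New-CentralStore
Get-StaleCentralStoreFiles | Format-Table State, File -AutoSize
```

Run Get-StaleCentralStoreFiles alone on later occasions; an empty result means the store matches the workstation, and any "Newer locally" line is a template the editor is currently not showing you.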
Question: Can the central store exist on a Windows 2003 domain controller?

Discussion: Practical Uses of Administrative Templates

Key Points
Spend a few minutes examining the administrative templates and consider how some of them could be
employed in your organization.
Be prepared to share information about your organizations current use of GPOs and logon scripts, such
as:

How do you currently provide desktop security?

How much administrative access do users have to their systems?

Which Group Policy settings will you find useful in your organization?

Lab B: Configuring Administrative Templates

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. Log on to 6419B-NYC-DC1 by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
2. Do not log on to NYC-CL1 until directed to do so.

Lab Scenario
The organization has already implemented an OU configuration that includes top-level OUs for different
departments. User accounts are in the same container as their workstation computer accounts. All users
are running the Windows 7 operating system. You need to configure several Group Policy settings to
control the user environment and make the desktop more secure.

Exercise 1: Configuring Administrative Templates


Scenario
You need to control the following areas of desktop systems in the Research OU:

Users should not have access to registry editing tools.

Users should not have access to the Run menu.

Users should be denied write access to removable storage.

Users should not be able to change their desktop background images.

You will also modify the Default Domain Policy to allow remote administration through the firewall, allowing you to run Group Policy Results queries against target computers in the domain.
The main tasks for this exercise are as follows:
1. Create and link a GPO to the Research OU.
2. Deny access to the registry editing tools.
3. Deny access to the Run menu.
4. Deny write access to removable storage.
5. Deny access to the desktop background settings.
6. Allow remote administration through the firewall.
7. Test the settings.

Task 1: Create and link a GPO to the Research OU
On NYC-DC1, open Group Policy Management and create and link a new GPO named ResearchDesktop to the Research OU.

Task 2: Deny access to the registry editing tools
Edit the ResearchDesktop GPO to enable the Prevent access to registry editing tools setting. This setting blocks Regedit.exe only; it does not stop Reg.exe, scripts, or the Windows PowerShell registry provider, so treat it as a usability restriction rather than a security boundary.

Task 3: Deny access to the Run menu
Edit the ResearchDesktop GPO to enable the Remove Run menu from Start Menu setting.

Task 4: Deny write access to removable storage
Edit the ResearchDesktop GPO to enable the Removable Disks: Deny write access setting.

Task 5: Deny access to the desktop background settings
Edit the ResearchDesktop GPO to enable the Prevent changing desktop background setting.

Task 6: Allow remote administration through the Windows Firewall
Edit the Default Domain Policy to enable the Windows Firewall: Allow inbound remote administration exception setting for the LocalSubnet. This opens the RPC and SMB ports that Group Policy Results queries and remote MMC consoles need, but only to computers on the same subnet.

Task 7: Test the settings
1. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd.
2. Ensure that the Run command does not appear on the Accessories menu.
3. Ensure that the Change desktop background feature is disabled.
4. Ensure that Regedit.exe does not launch.
5. Close all open windows and log off.

Results: In this exercise, you created and linked a GPO to control the desktop environment.
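The following Windows PowerShell script is an added example, not part of the course. It ties this lab back to the earlier key point that Administrative Template settings are registry-based policy: the four ResearchDesktop settings are written with Set-GPRegistryValue from the GroupPolicy module (Windows Server 2008 R2 / RSAT), which puts the same values into the GPO's registry.pol that the editor would, and GPMC therefore shows them as Enabled under Administrative Templates. It then reads the GPO back and, on the client, checks that the values actually reached HKCU for the logged-on user. The script assumes the ResearchDesktop GPO already exists and is linked (Task 1). The registry paths are the ones the inbox ADMX files define for these settings (System.admx, StartMenu.admx, ControlPanelDisplay.admx, RemovableStorage.admx); confirm them against your central store before relying on them, and the function names are my own.

```powershell
# Added example (not course material): Lab B, Exercise 1 as registry-based policy.
# Run the first part on NYC-DC1 as a Domain Admin; run Test-AppliedOnClient on
# NYC-CL1 as Dylan after logon.
Import-Module GroupPolicy
$GpoName  = 'ResearchDesktop'
$Policies = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'

# GPMC setting name, the registry value it writes, and the data for "Enabled".
# Paths taken from the ADMX files; the removable-storage GUID is the Removable Disks
# device class used by RemovableStorage.admx (verify against your central store).
$Settings = @(
    @{ Name = 'Prevent access to registry editing tools'; Key = "$Policies\System";        Value = 'DisableRegistryTools'; Data = 1 },
    @{ Name = 'Remove Run menu from Start Menu';          Key = "$Policies\Explorer";      Value = 'NoRun';                Data = 1 },
    @{ Name = 'Prevent changing desktop background';      Key = "$Policies\ActiveDesktop"; Value = 'NoChangingWallPaper';  Data = 1 },
    @{ Name = 'Removable Disks: Deny write access';
       Key  = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}';
       Value = 'Deny_Write'; Data = 1 }
)

# Write each value into the GPO's registry.pol (User Configuration side, because the
# keys are under HKCU).
foreach ($S in $Settings) {
    Set-GPRegistryValue -Name $GpoName -Key $S.Key -ValueName $S.Value -Type DWord -Value $S.Data | Out-Null
}

# Read the GPO back and return the names of any settings that are not Enabled.
function Get-MissingPolicySettings {
    param([string]$Gpo = $GpoName)
    $Missing = @()
    foreach ($S in $Settings) {
        try   { $Current = Get-GPRegistryValue -Name $Gpo -Key $S.Key -ValueName $S.Value -ErrorAction Stop }
        catch { $Current = $null }
        if (-not $Current -or $Current.Value -ne $S.Data) { $Missing += $S.Name }
    }
    return $Missing
}

# On NYC-CL1, as Dylan: did the values reach the user's hive? The Policies keys are
# ACL-protected, so a standard user cannot simply delete them afterwards.
function Test-AppliedOnClient {
    $Ok = $true
    foreach ($S in $Settings) {
        $Path = $S.Key -replace '^HKCU\\', 'HKCU:\'
        $Data = (Get-ItemProperty -Path $Path -Name $S.Value -ErrorAction SilentlyContinue).($S.Value)
        if ($Data -ne $S.Data) {
            Write-Warning "$($S.Name): expected $($S.Data), found '$Data'"
            $Ok = $false
        }
        elseif ($S.Value -eq 'DisableRegistryTools') {
            # Value 1 blocks Regedit.exe; it does not block Reg.exe, scripts or this
            # very provider. Value 2 additionally blocks "regedit /s". Not a boundary.
            Write-Verbose 'DisableRegistryTools only hides Regedit.exe from the user.'
        }
    }
    return $Ok
}
```

Get-MissingPolicySettings should return nothing once all four values are in place; Test-AppliedOnClient returning True after Dylan's logon is the registry-level equivalent of Task 7, and it is a useful habit because the Start menu test can pass while a setting was actually applied by a different GPO than the one you are editing.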

To prepare for the next lab


When you finish the lab, leave the virtual machines running.

Lesson 3

Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and Maintenance that AD DS, Group Policy, and the Windows Installer service use to install, maintain, and remove software from your organization's computers.
After completing this lesson, you will be able to:

Describe how Group Policy Software Distribution addresses the Software Life Cycle.

Describe how Windows Installer enhances software distribution.

Describe the characteristics of assigned and published software.

Assign and publish software applications.

Manage software upgrades by using Group Policy.

Compare Group Policy software distribution with System Center Configuration Manager 2007 R3.

How Group Policy Software Distribution Addresses the Software Life Cycle

Key Points
The software life cycle consists of four phases: preparation, deployment, maintenance, and removal.
Group Policy can be used to manage all phases except the preparation. You can apply Group Policy
settings to users or computers in a site, domain, or organizational unit to automatically install, upgrade, or
remove software.
By applying Group Policy settings to software, you can manage the phases of software deployment
without deploying software on each computer individually.
Question: How do you currently deploy software in your organization?

How Windows Installer Enhances Software Distribution

Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process. The Windows Installer service installs Windows Installer package (.msi) files. An .msi file contains a database that stores all the instructions required to install the application. Small applications may be contained entirely in the .msi file, whereas larger applications will have many associated source files that the .msi file references. Many ISVs provide .msi files for their applications.
The Windows Installer service has the following characteristics:

The service runs with elevated privileges (as the local system account), so software can be installed by the Windows Installer service no matter which user is logged on to the system. Users only require read access to the software distribution point. Because a package deployed through Group Policy runs with those privileges on every targeted computer, restrict write access to the distribution point to administrators and deploy only packages whose origin you can verify.

Applications are resilient. If an application becomes corrupted, the installer detects this and reinstalls or repairs the application.

Windows Installer cannot install .exe files. To distribute a software package that installs with an .exe file, the .exe file must be converted to an .msi file by using a third-party utility. (An .exe setup can alternatively be published to users by using a .zap text file, but it then runs with the user's own privileges and gets none of the resilience or management features described here.)

Question: Do users need administrative rights to manually install applications that have MSI files?

Question: What are some disadvantages of deploying software through Group Policy?

Assigning and Publishing Software Applications

Key Points
There are two deployment types available for delivering software to clients. Administrators can either install software for users or computers in advance by assigning the software, or give users the option to install the software when they require it by publishing the software in Active Directory Domain Services.
Both the user and computer configuration sections of a GPO have a Software Settings section. Software is added to a GPO by adding a new package to the Software Installation node and specifying whether to assign or publish it.
You can also choose advanced deployment of a package. This option applies a customization file to a package for custom deployment; for example, you might use the Office Customization Tool to create a setup customization file for deploying Microsoft Office 2010.

Assigning Software
Assigned software has the following characteristics:

When you assign software to a user, the users Start menu advertises the software when the user logs
on. Installation does not begin until the user double-clicks the application's icon or a file that is
associated with the application.

Users do not share deployed applicationsan application you install for one user through Group
Policy will not be available to other users.

When you assign an application to a computer, the application is installed the next time the
computer starts. The application will be available to all users of the computer.

Publishing Software
Published software has the following characteristics:

The Control Panel's Programs applet advertises a published program to the user. Users can install the application by using the Programs applet, or you can set it up so that the application is installed by document activation (opening a file whose extension is associated with the application).

Applications that users do not have permission to install are not advertised to them.

Applications cannot be published to computers.

Note: When configuring Group Policy to deploy applications, packages must be referenced by UNC paths (for example, \\server\share\package.msi). If you use local paths, the deployment will fail, because the client computer resolves the path on its own disk.
Question: What is the advantage of publishing an application over assigning it?

Demonstration: Assigning and Publishing Software Using Group Policy

Key Points
In this demonstration, the instructor will show how to:

Create and populate an application distribution point.

Assign an application using Group Policy.

Publish an application via Group Policy.

Test the deployment.

Note: You require the 6419B-NYC-DC1 and 6419B-NYC-SVR1 virtual machines to complete this demonstration. Log on to NYC-DC1 as Contoso\Administrator with the password Pa$$w0rd. Do not log on to NYC-SVR1.

Demonstration Steps:
Create and populate an application distribution folder.
1. On NYC-DC1, click Start, click Computer, and then create a folder named C:\AppDeploy.
2. Share the folder to Everyone with Read permission.
3. Copy XMLNotepad.msi from \\NYC-SVR1\E$\labfiles\Mod10 to the AppDeploy folder.

Assign an application to a computer via Group Policy.
1. Use the GPMC and expand the Contoso.com node.
2. Edit the Default Domain Policy to assign \\NYC-DC1\AppDeploy\XMLNotepad.msi in the computer configuration.

Publish an application via Group Policy.
1. Use the GPMC and expand the Contoso.com node.
2. Edit the Default Domain Policy to publish \\NYC-DC1\AppDeploy\XMLNotepad.msi in the user configuration.

Test the deployment.
1. Start 6419B-NYC-CL1.
2. Log on to NYC-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
3. Restart NYC-CL1 and log on as the administrator. A restart is required, because software assigned to the computer is installed during startup.
4. Ensure that the XML Notepad 2007 application is installed.
5. Open Control Panel. From the Programs and Features page, click Install a program from the network and ensure that the XML Notepad 2007 application is advertised.
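The following Windows PowerShell script is an added example, not part of the course. It creates the distribution point from step 1 of this demonstration and then adds the two checks that the Windows Installer key points call for but the demonstration does not perform: an audit of who can write to the locations whose contents run with high privilege on every client (the NETLOGON share that holds the Lab A logon script, which runs as each user, and the AppDeploy share, whose packages the Windows Installer service runs as the local system account), and an Authenticode check of each .msi before it is deployed. It assumes the lab names (NYC-DC1, C:\AppDeploy, \\NYC-SVR1\E$\labfiles\Mod10, domain contoso.com); the trusted-writer list and the function names are my own assumptions for this environment.

```powershell
# Added example (not course material): build and audit the software distribution
# point from the demonstration, plus the NETLOGON share from Lab A. Run on NYC-DC1
# as Contoso\Administrator.
$Root  = 'C:\AppDeploy'
$Share = 'AppDeploy'

New-Item -Path $Root -ItemType Directory -Force | Out-Null
Copy-Item -Path '\\NYC-SVR1\E$\labfiles\Mod10\XMLNotepad.msi' -Destination $Root -Force
# Read-only share for Everyone; on a default Windows Server 2008 install the NTFS
# permissions inherited from C:\ already deny write to non-administrators.
net share "$Share=$Root" '/GRANT:Everyone,READ' | Out-Null

# Principals that may legitimately hold write access on a distribution point
# (assumption for the lab domain; adjust to your own change-control model).
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\Domain Admins', 'CREATOR OWNER')
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Returns the Allow ACEs that give anyone outside $TrustedWriters a way to modify content.
function Get-UntrustedWriteAccess {
    param([string]$Path)
    $Acl = Get-Acl -Path $Path
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $WriteMask) -ne 0) -and
        ($TrustedWriters -notcontains $_.IdentityReference.Value)
    }
}

# Windows Installer will run the package as SYSTEM on every targeted computer, so
# only deploy a package whose signature is valid and whose signer you recognise.
function Test-PackageSigned {
    param([string]$MsiPath)
    $Sig = Get-AuthenticodeSignature -FilePath $MsiPath
    return $Sig.Status -eq 'Valid'
}

foreach ($Location in '\\contoso.com\NETLOGON', $Root) {
    $Bad = @(Get-UntrustedWriteAccess -Path $Location)
    if ($Bad.Count -eq 0) { "$Location : no untrusted write access" }
    else {
        $Bad | ForEach-Object { Write-Warning "$Location : $($_.IdentityReference) has $($_.FileSystemRights)" }
    }
}

Get-ChildItem -Path $Root -Filter *.msi | ForEach-Object {
    if (Test-PackageSigned -MsiPath $_.FullName) { "$($_.Name): signature valid, signed by $((Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject)" }
    else { Write-Warning "$($_.Name) is unsigned or has been modified; do not deploy it" }
}
```

Run the audit again whenever a helpdesk group is granted rights on a server that hosts these shares; an unexpected writer on either location is equivalent to that principal being able to run code as every user (NETLOGON) or as SYSTEM on every computer (AppDeploy) in the scope of the GPO.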

Managing Software Upgrades Using Group Policy

Key Points
Software vendors occasionally release software patches. These usually address minor issues, such as a bug fix or feature enhancements that do not warrant a complete reinstallation of the application. Microsoft releases such patches as Windows Installer patch (.msp) files.
Major upgrades that provide new functionality require upgrading a software package to a newer version. The Upgrades tab of the package properties allows you to upgrade a package by using the GPO. Upgrades using Group Policy have the following characteristics:

You may redeploy a package if the original Windows Installer file has been modified (for example, after a patch has been applied to it).

Upgrades will often remove the old version of an application and install a newer version, usually maintaining application settings.

You can remove software packages if they were delivered originally by using Group Policy. This is useful if a line-of-business (LOB) application is being replaced with a different application. Removal can be mandatory (the software is uninstalled at the next policy refresh) or optional (existing installations remain, but no new installations are allowed).

Question: Your organization is upgrading to a newer version of a software package. Some users in the
organization require the old version. How would you deploy the upgrade?

Comparing Group Policy Software Distribution with System Center Configuration Manager 2007 R3

Key Points
One of the most time-consuming tasks in an information technology (IT) environment is software
deployment and maintenance. Automating software deployment is an important step towards lowering
the costs and making your IT department more efficient.
Group Policy is not the only way that software can be deployed. The following table compares Group Policy software deployment with System Center Configuration Manager 2007 R3 software deployment features.

Group Policy Software Deployment | System Center Configuration Manager 2007 R3 Software Deployment
Is available at no extra cost as part of the operating system | Must be purchased and licensed
Is a user-driven event that cannot be scheduled | Can be scheduled to occur at a convenient time
Has no reporting ability | Provides several reports regarding package status or software usage and license requirements
Is designed to use .MSI files | Can create and distribute packages that can run any executable
Is relatively simple to implement | Requires more administrative effort and a working knowledge of System Center Configuration Manager 2007 R3
Does not scale well to distribute large applications | Can be used to distribute any applications

Question: Are students using SCCM or any other third-party software distribution application?

Lab C: Deploying Software Using Group Policy

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-SVR1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on to 6419B-NYC-DC1 by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso
5. Do not log on to NYC-CL1 or NYC-SVR1 until directed to do so.

Lab Scenario
Users in the IT department need to have the XML Notepad 2007 application available on the network so that they can install it on their computers when they need it. It has been decided to use Group Policy Software Installation to publish the application so that it is available to install on any computer that an IT user logs on to. You will create and populate a software distribution share. Then, you will create and configure a GPO to publish the software.

Exercise 1: Deploying a Software Package Using Group Policy


Scenario
Users in the IT department need to have the XML Notepad 2007 application available on the network so that they can install it on their computers when they need it. It has been decided to use Group Policy Software Installation to publish the application so that it is available to install on any computer that an IT user logs on to. You will create and populate a software distribution share. Then, you will create and configure a GPO to publish the software.
The main tasks for this exercise are as follows:
1. Create and populate a shared folder to act as a software distribution point.
2. Create and link a GPO to deploy the software to the IT OU.
3. Configure the GPO to publish the XML Notepad 2007 application.
4. Test the deployment.

Task 1: Create and populate a shared folder to act as a software distribution point
1. On NYC-DC1, create a folder named C:\AppDeploy.
2. Share the folder to Everyone with Read permission.
3. Copy XMLNotepad.msi from \\NYC-SVR1\E$\labfiles\Mod10 to the AppDeploy folder.

Task 2: Create and link a GPO to deploy the software to the IT OU
- Create and link a GPO named Software Deploy to the IT OU.

Task 3: Configure the GPO to publish the XML Notepad 2007 application
- Edit the Software Deploy GPO to publish a new package located at \\NYC-DC1\AppDeploy\XMLNotepad.msi.

Task 4: Test the deployment
1. Log on to NYC-CL1 as Ed with a password of Pa$$w0rd.
2. Access the Programs applet in Control Panel and install XML Notepad 2007 from the network.
3. Close all open windows and log off.

Results: In this exercise, you created and populated a software distribution share and created and configured a GPO to publish an application.
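The following PowerShell script is an added example, not code from the course or from Microsoft. It performs Task 1 and Task 2 of this exercise on NYC-DC1 and then checks the permissions left on the distribution folder. It uses the lab's own names (C:\AppDeploy, the AppDeploy share, XMLNotepad.msi, the Software Deploy GPO, the IT OU); the OU's distinguished name and the location of the hash record are assumptions. Task 3 has no Group Policy cmdlet and stays in the Group Policy Management Editor, as the lab describes.

```powershell
# Added example, not part of the 6419B lab text: scripts Task 1 and Task 2 of
# Lab C on NYC-DC1, then checks that only administrators can write to the
# distribution folder. Folder, share, package and GPO names are the lab's own;
# the distinguished name of the IT OU is an assumption for your domain.
# Written for Windows Server 2008 R2 (PowerShell 2.0, GroupPolicy module).
Import-Module GroupPolicy

$folder  = 'C:\AppDeploy'
$share   = 'AppDeploy'
$msi     = 'XMLNotepad.msi'
$source  = '\\NYC-SVR1\E$\labfiles\Mod10'
$gpoName = 'Software Deploy'
$itOuDn  = 'OU=IT,DC=contoso,DC=com'   # assumption: adjust to your domain

# Task 1: create the folder and share it read-only.
# Clients (and the Windows Installer service running as SYSTEM on them) only
# need to read the package; whoever can write here decides what every IT
# computer installs, so write access stays with administrators.
if (-not (Test-Path $folder)) { New-Item -Path $folder -ItemType Directory | Out-Null }
& icacls $folder /inheritance:r | Out-Null
& icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F' `
                        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                        'Everyone:(OI)(CI)RX' | Out-Null
& net share "$share=$folder" '/GRANT:Everyone,READ' | Out-Null
Copy-Item -Path (Join-Path $source $msi) -Destination $folder

# Record a SHA-256 of the package as approved, so the file served from the
# share can be compared with it later (Get-FileHash does not exist on 2008 R2).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}
$hashFile = Join-Path $env:USERPROFILE 'AppDeploy-approved-hashes.txt'   # assumption
"{0}  {1}" -f (Get-Sha256Hex (Join-Path $folder $msi)), $msi |
    Out-File -FilePath $hashFile -Encoding ASCII -Append

# Task 2: create the GPO (if it does not exist yet) and link it to the IT OU.
# Task 3, adding the package under Software Settings, has no cmdlet; do it in
# the Group Policy Management Editor, using the UNC path
# \\NYC-DC1\AppDeploy\XMLNotepad.msi rather than the local C:\AppDeploy path.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Publishes XML Notepad 2007 to IT users' }
try   { New-GPLink -Name $gpoName -Target $itOuDn -LinkEnabled Yes | Out-Null }
catch { Write-Verbose "Link already exists: $_" }

# Check: no broad principal may write to the distribution folder.
function Test-DistributionFolderAcl([string]$Path) {
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership'
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
               'CONTOSO\Domain Users', 'CONTOSO\Domain Computers')
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
    foreach ($ace in $bad) {
        Write-Warning ("{0} can write to {1} ({2})" -f $ace.IdentityReference, $Path, $ace.FileSystemRights)
    }
    return (@($bad).Count -eq 0)
}
Test-DistributionFolderAcl $folder
```

The ACL check is the part worth keeping after the lab: a package published by Group Policy is installed by Windows Installer with system privileges on every computer that pulls it, so the distribution share must be readable by the computers and users that need it and writable by nobody else. The recorded hash gives you a way to confirm later that the file on the share is still the one that was approved.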

To prepare for the next lab
When you finish the lab, leave the virtual machines running.

Lesson 4

Deploying Group Policy Preferences

Some common settings that affect the user and computer environment, such as mapped drives, could not previously be delivered through Group Policy. These settings were usually delivered through logon scripts or imaging solutions. Windows Server 2008 includes the new Group Policy preferences, built in to the Group Policy Management Console (GPMC). Additionally, administrators can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows 7. This allows many common settings to be delivered through Group Policy.
Note: Client-side support for Group Policy preferences is available as a download for Windows Vista RTM or later, Windows XP with Service Pack 2 or later, and Windows Server 2003 with Service Pack 1 or later.
After completing this lesson, you will be able to:
- Describe Group Policy preferences.
- Identify the differences between Group Policy settings and preferences.
- Apply Windows settings by using preferences.
- Apply Control Panel settings by using preferences.
- Describe Group Policy preference features.

What Are Group Policy Preferences?

Key Points
Group Policy preference extensions are more than twenty Group Policy extensions that expand the range of configurable settings within a GPO. A number of settings that had to be applied by scripts in the past, such as drive mappings, can now be applied via preferences.
Group Policy preferences are natively supported on Windows Server 2008 and later and on Windows Vista SP2 and later. Group Policy preferences client-side extensions for Windows Server 2003 and for Windows Vista SP1 and earlier can be downloaded and installed to provide support for preferences on those systems.
Configuring Group Policy preferences does not require any special tools or software installation. They are natively part of GPOs in Windows Server 2008 and are applied in the same manner as Group Policy settings by default. Preferences have two distinct sections, Windows Settings and Control Panel Settings.
When you configure a new preference item, you select one of the following four basic actions:
- Create. Create a new preference setting for the user or computer.
- Delete. Remove an existing preference setting for the user or computer.
- Replace. Delete and re-create a preference setting for the user or computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.
- Update. Modify an existing preference setting for the user or computer.

Question: Your organization currently has a number of Windows 2000 workstations. You wish to use Group Policy preferences to map printers for all users. What steps must you take to support the Windows 2000 clients?

Comparing Group Policy Settings to Preferences

Key Points
Preferences are similar to policies in that they apply configurations to the user or computer, but there are several differences in the way they are configured and applied. One of these differences is that preferences are not enforced; however, preferences can be reapplied automatically. The following is a list of differences between Group Policy settings and preferences:
- Preference settings are not enforced.
- Group Policy settings disable the user interface for settings managed by the policy; preferences do not.
- Group Policy settings are applied at regular intervals. Preferences may be applied once only or at intervals.
- Like Group Policy settings, preferences can be applied to computers or to users.
- The end user can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them.
- In some cases, the same setting can be configured through a policy setting as well as a preference item. If conflicting preference and Group Policy settings are configured and applied to the same object, the value of the policy setting always applies.
- Group Policy preferences overwrite original settings; Group Policy settings do not.

Applying Windows Settings Using Preferences

Key Points
Windows settings allow you to control operating system-based settings. This is a valuable tool for performing common tasks, such as mapping network drives and placing shortcuts on desktops, without having to resort to scripts.
Windows Settings control the following user and computer settings:
- Create, update, replace, and delete environment variables, just as with other preferences.
- Copy, update, replace, or delete attributes of files.
- Create, update, replace, and delete folders.
- Create, update, replace, and delete a property in an .ini file.
- Create, update, replace, and delete registry keys and values.
- Create, update, replace, and delete network shares (computer only).
- Create, update, replace, and delete a shortcut to a file system object, such as a folder or a URL.
- Configure settings for an application. An application plug-in is required (user only).
- Create, update, replace, and delete mapped network drives (user only).

Question: How can you configure Group Policy preferences from a Windows 7 system?

Applying Control Panel Settings Using Preferences

Key Points
Control Panel settings allow you to configure many of the Control Panel applets without a technician. This is especially useful for performing tasks that are often difficult for users, such as configuring data source names and creating VPN connections.
Control Panel settings control the following user and computer settings:
- Create, replace, update, or delete Open Database Connectivity (ODBC) data source names.
- Enable or disable hardware devices or classes of devices.
- Create, replace, update, or delete Open With associations for file types.
- Modify user-configurable Internet settings (user only).
- Create, replace, update, or delete local users and groups.
- Create, modify, or delete virtual private network (VPN) or dial-up network connections.
- Modify power options and create, replace, update, or delete power schemes.
- Create, replace, update, or delete TCP/IP, shared, or local printer connections.
- Modify regional options (user only).
- Create, replace, update, or delete scheduled tasks.
- Modify service configuration (computer only).
- Modify Start menu options (user only).

Question: You need to configure a service to automatically start at computer startup. You do not want local users to be able to change this behavior. How should you proceed?

Group Policy Preferences Features

Key Points
After you create a Group Policy preference item, you must configure its properties. Different preferences require different input. For example, shortcut preferences require target paths, whereas environment variables require variable types and values. Preferences also provide a number of features in the common properties to assist in deployment.

General Properties Tab
The General Properties tab is where basic information is provided. The first step is to specify the action for the preference: Create, Delete, Replace, or Update. Different settings will be available depending on the action selected. For example, when creating a drive mapping, you must provide a Universal Naming Convention (UNC) path and an option for the drive letter to assign.

Common Properties Tab
The common properties are consistent for all preferences. They allow you to control the behavior of the preference as follows:
- Stop processing items in this extension if an error occurs. If an error occurs while processing a preference, no other preferences in this extension of the GPO will process.
- Run in logged-on user's security context. Preferences can run as the System account or as the logged-on user. This setting forces the logged-on user's context.
- Remove this item when it is no longer applied. Unlike policy settings, preferences are not removed when the GPO that delivered them is removed. This setting changes that behavior.
- Apply once and do not reapply. Normally, preferences are refreshed at the same interval as Group Policy settings. This setting changes that behavior to apply the setting only once, at logon or startup.
- Item-level targeting. One of the most powerful features of preferences is item-level targeting. It allows you to easily specify criteria to determine exactly which users or computers will receive a preference. Criteria include:
  - Computer name
  - IP address range
  - Operating system
  - Security group
  - User
  - WMI queries and many other criteria

Question: You have mapped a drive by using preferences, but the user reports that though the drive appears, the user cannot access the drive. What might be the issue?

Lab D: Deploying Group Policy Preferences

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. Log on to 6419B-NYC-DC1 by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso
2. Do not log on to NYC-CL1 until directed to do so.

Exercise 1: Deploying Group Policy Preferences


Scenario
To simplify Group Policy management, including eliminating the need for logon scripts, you need to deploy Group Policy preferences that allow more flexibility for corporate users.
The IT department needs a network location to house its knowledge base documentation. All members of the IT department need access to that location no matter where they log on. All corporate users need an application shortcut placed on their desktop.
The main tasks for this exercise are as follows:
1. Create a shared folder to contain the IT knowledge base documents.
2. Use preferences to map a drive for the IT group to the IT documents folder.
3. Create a desktop shortcut for all users.
4. Verify the settings.

Task 1: Create and share a folder to contain the IT documents
1. On NYC-DC1, create C:\ITDocs and share the folder to Everyone.

Task 2: Use preferences to map a drive for the IT group
1. Edit the Default Domain Policy to configure the following user preferences:
   - Create a new mapped drive to \\NYC-DC1\ITDocs.
   - Reconnect at logon.
   - Use the drive letter R.
   - Run the preference in the logged-on user's security context.
   - Configure item-level targeting for the Contoso\IT security group.

Task 3: Use preferences to create a desktop shortcut to the Notepad application
1. Edit the Default Domain Policy to configure the following user preferences:
   - Create a new shortcut item.
   - Name the shortcut Notepad.
   - Ensure that the target is a File System Object.
   - Set the location to All Users Desktop.
   - Set the target path to C:\Windows\System32\notepad.exe.
   - On the Common tab, clear the Run in logged-on user's security context check box.

Task 4: Test the preference settings
1. Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop.
2. Ensure that drive R is mapped to the ITDocs shared folder.
3. Log on as Dylan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop.
4. Ensure that there is no drive mapped to the ITDocs shared folder.

Results: In this exercise, you used Group Policy preferences to map a drive to selected users and
create a desktop shortcut for all users.
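Preference items are stored in the GPO as XML files under SYSVOL, which makes the common-tab settings described in the "Group Policy Preferences Features" topic (action, "Run in logged-on user's security context", "Remove this item when it is no longer applied", item-level targeting) easy to review without opening every item in the editor. The script below is an added example, not from the course or from Microsoft; it serves both that topic and this lab. The two XML strings are constructed samples shaped like the Drives.xml and Shortcuts.xml that the Task 2 and Task 3 edits to the Default Domain Policy produce (the real files carry more attributes); the attribute names used (action, userContext, removePolicy, FilterGroup) follow that layout and should be checked against your own files. The SYSVOL path in the comment is a placeholder.

```powershell
# Added example, not from the course: lists the drive-map and shortcut preference
# items a GPO stores in SYSVOL and flags the common-tab settings this lesson calls
# out. The two XML strings are constructed samples; attribute names (action,
# userContext, removePolicy, FilterGroup) follow the preference XML layout and
# should be verified against your own files. To audit a live GPO, replace them with
# Get-Content on
# \\contoso.com\SYSVOL\contoso.com\Policies\<GPO GUID>\User\Preferences\Drives\Drives.xml
# (<GPO GUID> is a placeholder). Written for PowerShell 2.0.

$drivesXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="R:" status="R:" changed="2011-09-07 21:58:00" userContext="1" removePolicy="0">
    <Properties action="C" path="\\NYC-DC1\ITDocs" persistent="1" useLetter="1" letter="R"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\IT" sid="S-1-5-21-0-0-0-1105" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="S:" status="S:" changed="2011-09-07 21:59:00" userContext="0" removePolicy="0">
    <Properties action="U" path="\\NYC-DC1\Scratch" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
'@

$shortcutsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Shortcuts>
  <Shortcut name="Notepad" status="Notepad" changed="2011-09-07 22:00:00" userContext="0" removePolicy="0">
    <Properties action="C" targetType="FILESYSTEM" shortcutPath="%CommonDesktopDir%\Notepad"
                targetPath="C:\Windows\System32\notepad.exe"/>
  </Shortcut>
</Shortcuts>
'@

# Action codes as written in the XML, mapped to the names shown in the editor.
$actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

# Turn each <Drive> or <Shortcut> element into a flat record.
# GetAttribute is used instead of $item.name because XmlElement also has a .Name property.
function Get-PreferenceItems([xml]$Doc, [string]$ElementName) {
    foreach ($item in $Doc.DocumentElement.SelectNodes($ElementName)) {
        $props  = $item.SelectSingleNode('Properties')
        $groups = @()
        foreach ($f in $item.SelectNodes('Filters/FilterGroup')) { $groups += $f.GetAttribute('name') }
        if ($ElementName -eq 'Drive') { $target = $props.GetAttribute('path') }
        else                          { $target = $props.GetAttribute('targetPath') }
        New-Object PSObject -Property @{
            Kind           = $ElementName
            Name           = $item.GetAttribute('name')
            Action         = $actionNames[$props.GetAttribute('action')]
            Target         = $target
            UserContext    = ($item.GetAttribute('userContext') -eq '1')
            RemoveWhenGone = ($item.GetAttribute('removePolicy') -eq '1')
            TargetedTo     = ($groups -join ', ')
        }
    }
}

# Findings a reviewer of the GPO would want to see, based on the lesson's rules.
function Find-PreferenceFindings($Items) {
    foreach ($i in $Items) {
        if ($i.Kind -eq 'Drive' -and -not $i.UserContext) {
            "$($i.Name) maps $($i.Target) without 'Run in logged-on user''s security context'; Lab D sets it for drive maps."
        }
        if ($i.Kind -eq 'Drive' -and -not $i.TargetedTo) {
            "$($i.Name) has no item-level targeting and is mapped for every user the GPO reaches."
        }
        if (-not $i.RemoveWhenGone) {
            "$($i.Name) is not removed when the GPO no longer applies; the item stays behind after unlinking."
        }
    }
}

$items = @(Get-PreferenceItems ([xml]$drivesXml) 'Drive') + @(Get-PreferenceItems ([xml]$shortcutsXml) 'Shortcut')
$items | Format-Table Kind, Name, Action, Target, UserContext, RemoveWhenGone, TargetedTo -AutoSize
Find-PreferenceFindings $items
```

With the samples above, the R: mapping matches Task 2 (user context on, targeted to CONTOSO\IT) and is reported only for not being removed when the GPO stops applying; the constructed S: mapping is reported for running outside the user's context and for reaching every user. The second finding is the one to check first when a user reports that a mapped drive appears but cannot be opened, together with the share and NTFS permissions on the target folder.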

To prepare for the next lab
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-CL1.

Module Review and Takeaways

Review Questions
1. Can PowerShell scripts be used as startup scripts?
2. Why do some Group Policy settings take two logons before going into effect?
3. How can you support Group Policy preferences on Windows XP SP2?

Common Issues Related to Group Policy Settings
Identify the causes for the following common issues related to Group Policy settings and fill out the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: You have configured folder redirection for an OU, but none of the users' folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty. What is the problem?
Troubleshooting Tip: The problem is most likely permission-related. The user-named subdirectories are being created by Group Policy, but the users don't have enough permission to create their redirected folders inside them.

Issue: You have assigned an application to an OU. After multiple logons, users report that no one has installed the application.
Troubleshooting Tip: The problem may be permission-related. Users need read access to the software distribution share. Another possibility is that the software package was mapped by using a local path instead of a UNC path.

Issue: You have a mixture of Windows XP and Windows 7. After configuring several settings in the Administrative Templates of a GPO, Windows XP users report that some settings are being applied while others are not.
Troubleshooting Tip: Not all new settings apply to legacy systems such as Windows XP. Check the setting itself to see which operating systems the setting applies to.

Real-World Issues and Scenarios
1. The IT support technicians regularly visit user desktops to troubleshoot issues. They require that their documents and troubleshooting tools always be available to install. Folder redirection can make their documents and troubleshooting installation files available from any location.
2. All users in the organization are having Microsoft Office 2010 installed. There are approximately 1000 users who will receive the application at the same time. What would be the best way to deploy this application? This application should be deployed by using SCCM or a third-party tool. It is too large to deploy by using Group Policy to many users at the same time.

Best Practices Related to Group Policy
Supplement or modify the following best practices for your own work situations:
- Use folder redirection to decrease the size of user profiles and store user data on the network.
- Use folder redirection to ensure that critical data will be backed up.
- Only use Group Policy software installation to deploy small applications.
- Use Group Policy preferences to perform configurations instead of using scripts.

Module 11
Implementing Security Settings Using Group Policy
Contents:
Lesson 1: Overview of Security Settings    11-3
Lesson 2: Implementing Fine-Grained Password Policies    11-14
Lab A: Implementing Security by Using Group Policy    11-21
Lesson 3: Restricting Group Membership and Access to Software    11-26
Lab B: Configuring Restricted Groups and Application Control Policies    11-36

Module Overview

Failure to have adequate security policies can lead to many risks for an organization. A well-designed security policy helps to protect an organization's investment in business information and internal resources such as hardware and software. Having a security policy in itself is not enough, however. You must implement the policy for it to be effective. Group Policy has a number of security-related components that can assist you in implementing security policies in your environment.

Objectives
After completing this module, you will be able to:
- Understand security settings.
- Implement fine-grained password policies.
- Restrict group membership and access to software.

Lesson 1

Overview of Group Policy Security Settings

Group Policy provides settings you can use to implement and manage security in your organization. Group Policy contains settings that control a large part of the Windows environment, including security. Aspects such as password and account requirements and auditing behavior are configurable by using Group Policy settings. In addition, there are several built-in components of Group Policy that can help you to establish a consistent and secure environment.

Objectives
After completing this lesson, you will be able to:
- Describe the security settings that can be configured by using Group Policy.
- Describe the account policies that can be configured by using Group Policy.
- Describe local policies.
- Describe Advanced Audit Policy Configuration settings.
- Describe Windows Firewall with Advanced Security.

Overview of Security Settings

Key Points
Security policies are rules that protect resources on computers and networks. Group Policy allows you to
configure many of these rules as Group Policy settings. For example, you can configure password policies
as part of Group Policy.
Group Policy has a large security section to configure security for both users and computers. This way, you
can apply security consistently across the organization in Active Directory Domain Services (AD DS) by
defining security settings in a Group Policy object that is associated with a site, domain, or OU.
Computer security areas that Windows XP, Windows Vista, Windows 7, Windows Server 2003 R2,
Windows Server 2008, and Windows Server 2008 R2 support are:
Security Area

Description

Account Policies

Password Policies, Account Lockout Policies, and Kerberos Policies

Local Policies

Audit Policy, User Rights Assignment, Security Options

Event Log

Application, System, and Security Event Log Settings

Restricted Groups

Membership of security groups

System Services

Startup and permission for system services

Registry

Permissions for registry keys

File System

Permissions for folders and files

Wired Network (IEEE802.3) Policies

IEEE802.3 policies for wireless connections

Public Key Policies

Management and distribution of public keys

Implementing Security Settings Using Group Policy

Software Restriction Policies            Control access to software
Internet Protocol security (IPsec) Policies   Assign IPsec policies to computers

New computer security areas that Windows Vista, Windows 7, Windows Server 2008 and Windows
Server 2008 R2 support are:
Security Area                            Description

Windows Firewall with Advanced Security  Configure Windows Firewall settings
Network List Manager Policies            Control client network locations
Wireless Network (IEEE 802.11) Policies  IEEE 802.11 policies for wireless local area network (LAN) interfaces
Network Access Protection                Control Network Access Protection settings for computers

New computer security areas that Windows 7 and Windows Server 2008 R2 support are:
Security Area                            Description

Application Control Policies             Configure application control settings for AppLocker

Default Security Policies


After installing AD DS, there are two default Group Policy objects (GPOs) that provide security settings:

Default Domain Policy

Default Domain Controllers Policy

What Are Account Policies?

Key Points
Account policies protect your organization's accounts and data by mitigating the threat of brute-force
guessing of account passwords. In Windows operating systems, as in many other operating systems, the
most common method of authenticating a user's identity is a secret password. Securing your network
environment requires that all users use strong passwords. Password policy settings control the
complexity and lifetime of passwords, and you configure them through Group Policy.

Where Are Account Policies Implemented?


The policy settings under Account policies are implemented at the domain level. A Windows Server 2008
domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication
protocol policy. Configuring these policy settings at any other Active Directory level only affects local
accounts on member computers at those levels.
Note: Fine-grained passwords allow different users and groups to have different password policies.
Fine-grained policies are discussed later in this module.

Components of Account Policies


Password Policy
The password policy settings that you can configure are:

Policy: Password must meet complexity requirements
  Function: Requires passwords to be at least six characters long; to contain characters from at least
  three of the following four categories: uppercase letters, lowercase letters, numbers, and symbols
  (punctuation marks); and not to contain the user's user name or screen name.
  Best practice: Enable this setting. These complexity requirements help ensure a strong password.
  Strong passwords are more difficult to crack than those containing only simple letters or numbers.

Policy: Enforce password history
  Function: Prevents users from creating a new password that is the same as their current password or a
  recently used password. To specify how many passwords are remembered, provide a value. For example, a
  value of 1 means that only the last password will be remembered, and a value of 5 means that the
  previous five passwords will be remembered.
  Best practice: Use a number that is greater than 1. Enforcing password history ensures that passwords
  that have been compromised are not reused repeatedly.

Policy: Maximum password age
  Function: Sets the maximum number of days that a password is valid. After this number of days, the
  user will have to change the password.
  Best practice: Set a maximum password age of 30 to 70 days. Setting the number of days too high gives
  an attacker an extended window of opportunity to crack the password. Setting the number of days too
  low might be frustrating for users who have to change their passwords too frequently.

Policy: Minimum password age
  Function: Sets the minimum number of days that must pass before a password can be changed.
  Best practice: Set the minimum password age to at least 1 day. By doing so, you allow the user to
  change their password only once a day. This helps enforce other settings. For example, if the past
  five passwords are remembered, this ensures that at least five days must pass before the user can
  reuse the original password. If the minimum password age is set to 0, the user can change their
  password six times on the same day and begin reusing the original password that same day.

Policy: Minimum password length
  Function: Specifies the fewest number of characters a password can have.
  Best practice: Set the length between 8 and 12 characters (provided that passwords also meet
  complexity requirements). A longer password is more difficult to crack than a shorter password,
  assuming the password is not a word or a common phrase.

Policy: Store passwords by using reversible encryption
  Function: Provides support for applications that require knowledge of a user's password for
  authentication purposes.
  Best practice: Do not enable this setting unless you use a program that requires it. Enabling this
  setting decreases the security of stored passwords: anyone who can read the directory database can
  recover the password itself, which is effectively the same as storing it in clear text.
Account Lockout Policy


The account lockout policy settings that you can configure are:

Policy: Account lockout threshold
  Function: Specifies the number of failed logon attempts allowed before the account is locked out. For
  example, if the threshold is set to 3, the account will be locked out after a user enters incorrect
  logon information three times. A value of 0 means that accounts are never locked out.
  Best practice: A setting between 3 and 5 allows for reasonable user error while limiting repeated
  logon attempts for malicious purposes. Keep in mind that any lockout threshold also lets an attacker
  who knows account names lock those accounts out deliberately by submitting wrong passwords, so monitor
  lockout events rather than treating the threshold alone as a complete defense.

Policy: Account lockout duration
  Function: Specifies a time frame, in minutes, after which the account automatically unlocks and
  resumes normal operation. If you specify 0, the account is locked out indefinitely until an
  administrator manually unlocks it.
  Best practice: After the threshold has been reached and the account is locked out, the account should
  remain locked long enough to block or deter any potential attacks, but short enough not to interfere
  with the productivity of legitimate users. A duration of 30 to 90 minutes should work well in most
  situations.

Policy: Reset account lockout counter after
  Function: Defines a time frame for counting incorrect logon attempts. If the policy is set to one hour
  and the account lockout threshold is set to three attempts, a user can enter incorrect logon
  information three times within one hour. If they enter incorrect information twice but get it correct
  the third time, the counter resets after one hour has elapsed (from the first incorrect entry), so
  that future failed attempts again start counting at one.
  Best practice: A time frame between 30 and 60 minutes is sufficient to deter automated attacks as well
  as manual attempts by an attacker to guess a password.

Kerberos Policy
This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes
and enforcement. Kerberos policies do not exist in Local Computer Policy.

How Clients Receive Account Policies


Although you can configure Account policies only at the domain level, clients do not receive their
Account policies directly from the domain-level policy. Account policies are unique in that domain
controllers receive Account policies from the domain-level policy. The domain controller, in turn, passes
domain Account Policy to the client at logon. Therefore, blocking inheritance of domain-level policies will
not prevent users from receiving Account policies. However, blocking inheritance at the Domain
Controllers OU would prevent users from receiving any changes to Account policies, because the domain
controllers would not receive the new settings.
Note: Account policies on local computers apply to local users only.
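The following script is an added example and is not part of the course text. It reads the effective domain account policy (the one the domain controllers hand out to clients, as described above) with the Active Directory module that ships with Windows Server 2008 R2, and reports each setting against the best-practice ranges in the two tables. The module, read access to the domain, and the exact ranges are assumptions; adjust the thresholds to your own standard.

```powershell
# Added example (not from the course): compare the domain account policy with the
# recommended ranges above. Assumes the ActiveDirectory module (Server 2008 R2 / RSAT)
# and a caller with read access to the domain; the ranges are this script's assumptions.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # Each check records a name, a pass/fail result and the observed value, so the
    # output can go straight into a change request or a compliance report. Values
    # meaning "never expires" or "locked until an administrator unlocks" fall outside
    # the ranges and are reported as FAIL so that a human reviews them.
    $checks = @(
        @{ Name = 'Complexity enabled';         Pass = [bool]$p.ComplexityEnabled;                              Value = $p.ComplexityEnabled }
        @{ Name = 'Password history > 1';       Pass = $p.PasswordHistoryCount -gt 1;                           Value = $p.PasswordHistoryCount }
        @{ Name = 'Max age 30-70 days';         Pass = ($p.MaxPasswordAge.Days -ge 30 -and $p.MaxPasswordAge.Days -le 70); Value = $p.MaxPasswordAge }
        @{ Name = 'Min age >= 1 day';           Pass = $p.MinPasswordAge.Days -ge 1;                            Value = $p.MinPasswordAge }
        @{ Name = 'Min length >= 8';            Pass = $p.MinPasswordLength -ge 8;                              Value = $p.MinPasswordLength }
        @{ Name = 'Reversible encryption off';  Pass = -not $p.ReversibleEncryptionEnabled;                     Value = $p.ReversibleEncryptionEnabled }
        @{ Name = 'Lockout threshold 3-5';      Pass = ($p.LockoutThreshold -ge 3 -and $p.LockoutThreshold -le 5); Value = $p.LockoutThreshold }
        @{ Name = 'Lockout duration 30-90 min'; Pass = ($p.LockoutDuration.TotalMinutes -ge 30 -and $p.LockoutDuration.TotalMinutes -le 90); Value = $p.LockoutDuration }
        @{ Name = 'Reset counter 30-60 min';    Pass = ($p.LockoutObservationWindow.TotalMinutes -ge 30 -and $p.LockoutObservationWindow.TotalMinutes -le 60); Value = $p.LockoutObservationWindow }
    )

    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Check  = $c.Name
            Result = $(if ($c.Pass) { 'PASS' } else { 'FAIL' })
            Value  = $c.Value
        }
    }
}

Test-DomainAccountPolicy | Format-Table Check, Result, Value -AutoSize
```

Run it on a domain controller or a management workstation with RSAT. Because account policies are read from the domain object rather than from a GPO, the result reflects what is actually enforced, including any change that a GPO linked elsewhere would not have delivered.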

What Are Local Policies?

Key Points
Every Windows 2000 Server or later computer has local policies. In these objects, Group Policy settings
are stored on the individual computer, regardless of whether it is part of an Active Directory
environment. The Local Group Policy Objects (LGPOs) are stored in a hidden folder named
%windir%\System32\GroupPolicy. This folder does not exist until you configure an LGPO.

Local Group Policy Precedence


In an Active Directory environment, LGPOs have the lowest precedence, and always are processed first if
you have them configured.

Local Computer Security Policies


LGPOs contain fewer settings than domain Group Policy objects, particularly under Security Settings.
For example, LGPOs do not support domain-based GPO features like Folder Redirection or Software
Installation. The LGPO does support some security policy settings. However, LGPO security policy settings
supported by Windows Server 2008 can only contain security settings for the following areas:

Account Policies

Local Policies

Windows Firewall with Advanced Security

Network List Manager Policies

Public Key policies

Software Restriction policies

Application Control Policies (Windows Server 2008 R2 only)

IP Security policies

Advanced Audit Policy Configuration (Windows Server 2008 R2 only)

When there are conflicts, security settings that you define in AD DS always override any that you define
on the local computer.

What Are User Rights?


User rights refer to the ability to perform actions on the system. Each computer has its own set of user
rights, such as the right to change the system time. Most rights are granted either to the Local System or
Administrator. You can configure rights through LGPOs, or through domain policies. The default domain
policy has no rights defined by default.

Advanced Audit Policy Configuration

Key Points
The nine basic audit policies under Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Audit Policy allow you to configure security audit policy settings for broad sets of
behaviors, some of which generate many more audit events than others. An administrator has to review
all events that are generated, whether they are of interest or not.
In Windows Server 2008 R2 and Microsoft Windows 7, administrators can audit more specific aspects of
client behavior on the computer or network, thus making it easier to identify the behaviors that are of
greatest interest. For example, in Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Audit Policy, there is only one policy setting for logon events, Audit logon events.
In Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\System Audit Policies, you can instead choose from eight different policy settings in the
Logon/Logoff category. This provides you with more detailed control of what aspects of logon and logoff
you can track.
These security auditing enhancements can help your organization audit compliance with important
business-related and security-related rules by tracking precisely defined activities, such as:

A group administrator has modified settings or data on servers that contain finance information.

An employee within a defined group has accessed an important file.

The correct system access control list (SACL) is applied to every file and folder or registry key on a
computer or file share as a verifiable safeguard against undetected access.
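As an added example (not from the course text), the script below uses auditpol.exe, which ships with Windows Vista / Windows Server 2008 and later, to list the Logon/Logoff subcategories, enable success and failure auditing for a chosen subset, and set the registry value behind the "Audit: Force audit policy subcategory settings to override audit policy category settings" security option. That last step matters in practice: when a legacy nine-category audit policy is also applied (from a domain GPO, for instance), it can overwrite the subcategory settings unless that option is on. The list of subcategories chosen is an assumption; run the script elevated.

```powershell
# Added example (not from the course): inspect and set Logon/Logoff audit subcategories.
# Requires an elevated prompt on Windows 7 / Windows Server 2008 R2 (or Vista / 2008).

function Get-LogonAuditSettings {
    # /r makes auditpol emit CSV, which is far easier to parse than the default layout.
    $csv = auditpol /get /category:"Logon/Logoff" /r | ConvertFrom-Csv
    $csv | Select-Object Subcategory, 'Inclusion Setting'
}

function Enable-LogonAudit {
    # Subcategory names as auditpol expects them; this subset is an assumption.
    param([string[]]$Subcategory = @('Logon', 'Logoff', 'Account Lockout', 'Special Logon'))
    foreach ($s in $Subcategory) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$s'" }
    }
}

function Set-SubcategoryOverride {
    # SCENoApplyLegacyAuditPolicy = 1 is the registry form of the "Force audit policy
    # subcategory settings ..." Security Option; without it a basic audit policy applied
    # through Group Policy can silently undo the subcategory settings above.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $key -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
}

'Before:'; Get-LogonAuditSettings | Format-Table -AutoSize
Enable-LogonAudit
Set-SubcategoryOverride
'After:';  Get-LogonAuditSettings | Format-Table -AutoSize
```

Setting the override locally is enough for a test machine; in a domain you would enable the same option in the GPO that carries the Advanced Audit Policy Configuration so every computer in scope behaves the same way.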

Windows Firewall with Advanced Security

Key Points
Windows Server 2008 includes a new and enhanced version of Windows Firewall. The new Windows
Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration.

Windows Firewall Enhancements


Windows Firewall with Advanced Security is a new MMC snap-in that allows you to perform advanced
configuration of Windows Firewall.
Windows Firewall in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 has
the following enhancements:

Supports filtering for both incoming and outgoing traffic.

Provides a new Microsoft Management Consoles (MMC) snap-in that you can use to configure
advanced settings.

Integrates firewall filtering and Internet Protocol security (IPsec) protection settings.

Enables you to configure rules to control network traffic.

Provides network location-aware profiles.

Enables you to import or export policies.

Firewall Rules
Windows Firewall with Advanced Security allows you to create the following rules.
Rule: Program rule
  This type of rule allows traffic for a particular program. You identify the program by its path and
  executable name.

Rule: Port rule
  This type of rule allows traffic on a particular TCP or User Datagram Protocol (UDP) port number or
  range of port numbers.

Rule: Predefined rule
  Windows includes a number of Windows functions that you can enable, such as File and Printer Sharing,
  Remote Assistance, and Windows Collaboration. Creating a predefined rule actually creates a group of
  rules that allows the specified Windows functionality to access the network.

Rule: Custom rule
  A custom rule allows you to create a rule that you may not be able to create by using the other types
  of rules.

Firewall rules can filter connections by user, computer, or groups in AD DS. For rules with these conditions,
you must secure the connection with IPsec by using a credential that carries the Active Directory account
information, such as Kerberos version 5 (v5).
Many pre-defined rules exist that allow normal network traffic to pass, such as Dynamic Host
Configuration Protocol (DHCP), Domain Name System (DNS) queries, and authentication requests. You
can modify or disable these rules as necessary.
The default behavior of the new Windows Firewall is to:

Block all incoming traffic unless it is solicited or it matches a configured rule.

Allow all outgoing traffic unless it matches a configured rule.

Windows Firewall comes preconfigured with a number of rules enabled to allow typical network traffic in
and out of a Windows Server computer.

Firewall Profiles
Windows Firewall with Advanced Security is a network-aware application. Network awareness enables
applications to sense changes to the network to which the computer is connected. The administrator can
create a profile for each network category, with each profile containing different firewall policies.
Windows Firewall supports three profiles by default.

Profile: Public, for when you are connected to an untrusted public network
  Other than domain networks, all networks are categorized as public by default. In Windows Vista and
  Windows 7 the Public profile, which is the most restrictive, is the default.

Profile: Private, for when you are connected behind a firewall
  A network is categorized as private only if an administrator or an application identifies it as
  private. In Windows Vista and Windows 7, the Home and Work network locations both map to the Private
  profile.

Profile: Domain, for when your computer is part of a Windows domain
  Windows automatically places a network in this category when it can authenticate access to a domain
  controller for the domain to which the computer is joined. No other networks can be placed in this
  category.

In Windows Vista and Windows Server 2008 only one profile is active at a time; if the computer is
connected to several networks, the most restrictive applicable profile is used for all of them. Windows 7
and Windows Server 2008 R2 can apply a different profile to each network connection.
When a user connects to a network that is not part of the domain category, Windows asks the user to
identify the network as either Public or Private. The user must be a local administrator of the computer to
identify the network as Private. Each profile has its own state, Off or On, its own settings, and its own
logging.
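The commands below are an added example, not part of the course text. They use netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security on Windows Vista / Windows Server 2008 and later (the NetSecurity PowerShell cmdlets arrived with Windows Server 2012 and are not available on 2008 R2). They set the default behaviour described above, add one inbound rule scoped to a single profile and remote subnet, add one outbound block rule, turn on per-profile drop logging, and export the policy. Rule names, the management subnet and the export path are assumptions.

```powershell
# Added example (not from the course): Windows Firewall with Advanced Security via netsh.
# Run from an elevated PowerShell prompt. Addresses, ports and names are assumptions.

# Default behaviour on all three profiles: firewall on, inbound blocked, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# An inbound rule scoped to one profile and one remote subnet. Limiting Remote Desktop
# to the domain profile and the management network is much tighter than the predefined
# "Remote Desktop" rule group, which admits any remote address.
netsh advfirewall firewall add rule name="RDP from management subnet (domain only)" `
    dir=in action=allow protocol=TCP localport=3389 `
    profile=domain remoteip=10.10.50.0/24 enable=yes

# An explicit block rule takes precedence over allow rules and over the default
# outbound-allow behaviour, so this stops SMB leaving the host on untrusted networks.
netsh advfirewall firewall add rule name="Block outbound SMB on untrusted networks" `
    dir=out action=block protocol=TCP remoteport=445 `
    profile=public,private remoteip=any enable=yes

# Each profile has its own log; record dropped packets so blocked connections can be investigated.
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename $log

# Verify per-profile state and the rule that was just added.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="RDP from management subnet (domain only)" verbose

# Export the whole policy for import on another server or to attach to a change record.
netsh advfirewall export "C:\Temp\wfas-policy.wfw"
```

The same rules can be created in the Group Policy editor under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security; the command-line form is useful for scripting a baseline on a member server before it is joined to the domain, and the exported .wfw file can be imported into a GPO.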

Lesson 2

Implementing Fine-Grained Password Policies

Prior to Windows Server 2008, a single set of account policies, contained in the Default Domain GPO, was
used to control password and account settings for every user in the domain. In Windows Server 2008,
using fine-grained password policies, you can apply different password requirements and account lockout
policies to different Active Directory users or groups.

Objectives
After completing this lesson, you will be able to:

Describe fine-grained password policies.

Describe how fine-grained password policies are implemented.

Describe considerations for implementing fine-grained password policies.

Implement fine-grained password policies.

What Are Fine-Grained Password Policies?

Key Points
In previous versions of AD DS, you could apply only one password and account lockout policy to all users
in the domain. Fine-grained password policies allow you to have different password requirements and
account lockout policies for different Active Directory users or groups. This is desirable when you want
different sets of users to have different password requirements, but do not want separate domains. For
example, the Domain Admins group may need strict password requirements to which you do not want to
subject ordinary users. If you do not implement fine-grained passwords, then the normal default domain
account policies apply to all users.
Fine-grained password policies can be used to enhance the security of your domain environment and
typically act to complement the account policies in your Default Domain Policy GPO. Generally, the
Default Domain Policy GPO is used to control the majority of your accounts, and then fine-grained
password policies are applied to user accounts or groups that require or warrant a different account policy
than the rest of the domain.
Fine-grained password policies are not actual Group Policy settings. Rather, a fine-grained password
policy is contained in an object in Active Directory called a Password Settings Object (PSO). The PSO
contains all of the individual settings used to control AD DS user account behavior. A PSO is then linked to
one or more Active Directory users or groups, to whom the settings then apply, overriding the account
policy settings in the Default Domain Policy GPO.

How Fine-Grained Password Policies Are Implemented

Key Points
There are three major steps involved in implementing fine-grained passwords:

Create necessary groups, and then add the appropriate users.

Create PSOs for all defined password policies.

Apply PSOs to the appropriate users or global security groups.

What Are Shadow Groups?


A shadow group is simply a way to group together users who do not otherwise share global group
memberships. For example, if you want to apply a fine-grained password policy to all the members of a
particular OU, but there is no security group that contains all users in that OU, you could create a shadow
global group and place all the appropriate users into it. That global group would exist only to support the
application of a fine-grained password policy.

Creating a PSO
There are two tools you can use to create PSOs.

Tool: ADSI Edit
  A graphical user interface (GUI) tool that acts as a low-level editor for AD DS. ADSI Edit provides a
  wizard to assist you in creating and assigning a PSO.

Tool: LDIFDE
  A command-line utility that uses an LDF input file to perform batch operations such as add, create,
  and modify against AD DS. You need to create an LDF input file that specifies the settings for the PSO.

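The script below is an added example, not part of the course text, and not the tool the course's own demonstration uses (that uses ADSI Edit). It carries out the three steps above, shadow group, PSO, link, with the Active Directory module that ships with Windows Server 2008 R2, and then checks which policy actually wins for each user, which is the precedence question raised under "Considerations for Implementing Fine-Grained Password Policies". It assumes a domain functional level of Windows Server 2008 or higher, a caller who is a Domain Admin, and an OU named Finance; the OU, group and PSO names and the settings chosen are all assumptions.

```powershell
# Added example (not from the course): fine-grained password policy with the AD module.
# Assumes Windows Server 2008 domain functional level, Domain Admins membership, and an
# OU named Finance under the domain root. Names and values below are assumptions.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$financeOU = "OU=Finance,$domainDN"

# Step 1: a shadow global security group that mirrors the OU's user membership.
# A PSO cannot be linked to an OU, so the group stands in for it.
$shadow = Get-ADGroup -Filter { Name -eq 'FGPP-Finance' }
if (-not $shadow) {
    $shadow = New-ADGroup -Name 'FGPP-Finance' -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDN" -Description 'Shadow group for the Finance PSO' -PassThru
}
$ouUsers = Get-ADUser -SearchBase $financeOU -Filter * |
    Select-Object -ExpandProperty DistinguishedName
if ($ouUsers) { Add-ADGroupMember -Identity $shadow -Members $ouUsers }

# Step 2: the PSO. Time values are given as TimeSpans; the cmdlet stores them in the
# negative Integer8 form the directory uses. All nine settings must be supplied.
$pso = New-ADFineGrainedPasswordPolicy -Name 'Finance-PSO' -Precedence 20 `
    -Description 'Stricter policy for finance staff' `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -PassThru

# Step 3: link the PSO to the shadow group (this writes the group DN to msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $shadow

# Check: which policy is in force for a user? A PSO linked directly to the user wins over
# any group-linked PSO; among several group-linked PSOs the lowest precedence value wins;
# with no PSO at all the Default Domain Policy account settings apply. The cmdlet below
# applies exactly those rules and returns $null when no PSO applies.
function Get-EffectivePolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($rsop) {
        $rsop | Select-Object @{ n = 'User'; e = { $SamAccountName } },
            Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    } else {
        "$SamAccountName has no PSO; Default Domain Policy account settings apply."
    }
}

Get-ADUser -SearchBase $financeOU -Filter * |
    ForEach-Object { Get-EffectivePolicy -SamAccountName $_.SamAccountName }
```

Shadow groups drift as users move between OUs, so the Step 1 part of this script is worth scheduling so that the group keeps tracking the OU; otherwise a user moved into the OU silently keeps the weaker domain policy.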
Applying or Modifying a PSO


You can use both the ADSIedit and LDIFDE tools to apply a PSO to a user or group during the PSO
creation, or anytime afterwards. You can use both tools to modify existing PSOs.
You can also use Active Directory Users and Computers, with Advanced Features turned on, to open the
Password Settings Container under the System container and then apply or modify an existing PSO.

Storing Fine-Grained Password Policies


To store Fine-grained password policies, Windows Server 2008 includes two new object classes in the
AD DS schema:

Password Settings container

Password Settings object

A Password Settings Container (PSC) is created by default under the System container in the domain. You
can view it by using the Active Directory Users and Computers snap-in with advanced features enabled. It
stores the Password Settings objects (PSOs) for that domain.
A PSO has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos
settings). These settings include attributes for the following password settings:

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Passwords must meet complexity requirements

Store passwords using reversible encryption

These settings also include attributes for the following account lockout settings:

Account lockout duration

Account lockout threshold

Reset account lockout after

In addition, a PSO has the following two new attributes:

PSO link. This is a multivalued attribute that is linked to users and/or group objects.

Precedence. This is an integer value that is used to resolve conflicts if multiple PSOs are applied to a
user or group object.

These nine attributes are required attributes. This means that you must define a value for each one.
Settings from multiple PSOs cannot be merged.

Defining the Scope of Fine-Grained Password Policies


A PSO can be linked to a user (or inetOrgPerson) or group object that is in the same domain as the PSO.
A PSO has an attribute named msDS-PSOAppliesTo that contains a forward link to only user or group
objects. The msDS-PSOAppliesTo attribute is multivalued, which means that you can apply a PSO to
multiple users or groups. You can create one password policy and apply it to different sets of users or
groups.

A new attribute, msDS-PSOApplied, has been added to the user and group objects in Windows Server
2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied
attribute has a back-link, a user or group can have multiple PSOs applied to it.
You can link a PSO to other types of groups in addition to global security groups. However, only PSOs
that are linked to global security groups or user objects are considered. PSOs that are linked to
distribution groups or other types of security groups are ignored.

Integer8
Time-related values in a PSO are stored as an Integer8 data type: a negative count of 100-nanosecond
intervals.
While time-related values in PSO objects can be entered in a DD:HH:MM:SS format within the PSO
creation wizard, understanding the Integer8 format helps you convert Integer8 values you see in PSOs
to a more meaningful number.
You can use the following conversion guide table to obtain the corresponding I8 values:

Time unit     Multiplication factor
m minutes     -60*(10^7) = -600000000
h hours       -60*60*(10^7) = -36000000000
d days        -24*60*60*(10^7) = -864000000000

The following are examples of how to obtain appropriate I8 values for the time attributes.
To obtain the msDS-MaximumPasswordAge time attribute I8 value for two days, multiply 2 by
-864000000000:
2*(-864000000000) = -1728000000000
To obtain the msDS-MinimumPasswordAge time attribute I8 value for 1 day, multiply 1 by -864000000000:
1*(-864000000000) = -864000000000
To obtain the msDS-LockoutObservationWindow time attribute I8 value for 30 minutes, multiply 30 by
-600000000:
30*(-600000000) = -18000000000
To obtain the msDS-LockoutDuration time attribute I8 value for 30 minutes, multiply 30 by -600000000:
30*(-600000000) = -18000000000
Note: Although PSO values are stored in Integer8 format, you can use the easier and more logical
DD:HH:MM:SS format for entering time values. For example, 30 minutes would be represented as
00:00:30:00, while 4 days would be represented as 04:00:00:00.

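As an added example (not from the course text), the script below converts between the DD:HH:MM:SS notation and the Integer8 values in the table above in both directions, then uses the conversion to write an LDF file in the form LDIFDE expects and imports it. The worked values reproduce the four examples above. The PSO name, the domain DN, the target group and the settings are assumptions; LDIFDE must be run by a member of Domain Admins.

```powershell
# Added example (not from the course): Integer8 conversion and a PSO created with LDIFDE.
# Domain DN, PSO name, target group and settings are assumptions.

function ConvertTo-Integer8 {
    # "DD:HH:MM:SS" -> negative number of 100-nanosecond intervals.
    param([Parameter(Mandatory = $true)][string]$Duration)
    $d, $h, $m, $s = $Duration.Split(':') | ForEach-Object { [int]$_ }
    $span = New-TimeSpan -Days $d -Hours $h -Minutes $m -Seconds $s
    # .NET ticks are already 100-ns intervals, so the stored value is simply -Ticks.
    return -1 * $span.Ticks
}

function ConvertFrom-Integer8 {
    # Reverse direction, for reading raw PSO attributes shown in ADSI Edit.
    param([Parameter(Mandatory = $true)][long]$Value)
    $span = New-Object TimeSpan -ArgumentList (-1 * $Value)
    return '{0:00}:{1:00}:{2:00}:{3:00}' -f $span.Days, $span.Hours, $span.Minutes, $span.Seconds
}

# Worked values, matching the examples above.
ConvertTo-Integer8 '02:00:00:00'            # -1728000000000 (two days)
ConvertTo-Integer8 '01:00:00:00'            # -864000000000  (one day)
ConvertTo-Integer8 '00:00:30:00'            # -18000000000   (30 minutes)
ConvertFrom-Integer8 -Value -18000000000    # 00:00:30:00

# Build the LDF. "changetype: add" creates the object; msDS-PSOAppliesTo links it to a
# global security group, which must already exist. All nine settings are mandatory.
$domainDN = 'DC=contoso,DC=com'   # assumption: replace with your domain's DN
$ldf = @"
dn: CN=ServiceAccounts-PSO,CN=Password Settings Container,CN=System,$domainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge: $(ConvertTo-Integer8 '60:00:00:00')
msDS-MinimumPasswordAge: $(ConvertTo-Integer8 '01:00:00:00')
msDS-MinimumPasswordLength: 20
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: $(ConvertTo-Integer8 '00:00:30:00')
msDS-LockoutDuration: $(ConvertTo-Integer8 '00:00:30:00')
msDS-LockoutThreshold: 10
msDS-PasswordSettingsPrecedence: 30
msDS-PSOAppliesTo: CN=FGPP-ServiceAccounts,CN=Users,$domainDN
"@

$path = Join-Path $env:TEMP 'pso.ldf'
Set-Content -Path $path -Value $ldf -Encoding ASCII
ldifde -i -f $path
if ($LASTEXITCODE -ne 0) {
    throw "ldifde import failed; see ldif.err in the current directory for the rejected entry"
}
```

The same file, with "changetype: modify" and a "replace:" stanza, updates an existing PSO, which is how LDIFDE serves both the creation and the modification tasks mentioned above.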
Considerations for Implementing Fine-Grained Password Policies

Key Points
Several considerations need to be made when implementing a fine-grained password policy:

Fine-grained password policies cannot be applied to OUs; they can only be applied to user objects
and global security groups.

Users or groups can have multiple PSOs applied to them. The PSO that determines the user's account
settings is the PSO with the lowest PSO precedence integer value.

If you apply a Password Settings Object (PSO) directly to the user, it takes precedence over all group
assignments.

If no PSOs are linked to a user account, account policy settings contained in the Default Domain
Policy GPO apply.

By default, only members of the Domain Admins group can create a PSO or apply a PSO to a group
or user.

To implement fine-grained password policies, the domain functional level must be Windows Server
2008 or higher.

Demonstration: Implementing Fine-Grained Password Policies

Key Points
In this demonstration, you will see how to:

Create and apply PSOs.

Demonstration Steps:
1. Open ADSI Edit.
2. Connect to NYC-DC1.
3. Navigate to the Password Settings Container.
4. Create a new msDS-PasswordSettings object.
5. Configure the policy settings.
6. Apply the PSO to the Domain Admins global group.

Lab A: Implementing Security Using Group Policy

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Lab Scenario
Contoso, Ltd. has decided to implement Group Policy to configure security for users and computers in the
organization. The company recently upgraded all the workstations to Windows 7, and all the servers to
Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for
the workstations, servers, and users.


Exercise 1: Configuring Account and Security Policy Settings


You have been tasked to implement a domain account policy with the following criteria:

Domain passwords will be eight characters.

Strong passwords will be enforced.

Passwords will be changed exactly every 20 days.

Accounts will be locked out for 30 minutes after five invalid logon attempts.

You will also configure a local policy on the Windows 7 client that enables the local Administrator
account and prohibits access to the Run menu for Non-Administrators.
Then, you will create a wireless network policy for Windows 7 that creates a profile for the Corp wireless
network. This profile will define 802.1X as the authentication method. This policy will also deny access to a
wireless network named Research.
Finally, you will configure a policy to prevent the Windows Installer service from running on any domain
controller.
The main tasks in this exercise are:
1. Create an account policy for the domain.
2. Configure local policy settings for a Windows 7 client.
3. Create a wireless network GPO for Windows 7 clients.
4. Configure a GPO that prohibits the Windows Installer service on all domain controllers.

Task 1: Create an account policy for the domain.
1. On NYC-DC1, start the Group Policy Management Console.
2. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains,
   expand Contoso.com, and then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
   Windows Settings, expand Security Settings, and then expand Account Policies.
5. Edit the Account Policy in the Default Domain Policy with the following values:

   Password Policy:
   Domain passwords: 8 characters in length
   Strong passwords: enforced
   Minimum password age: 19 days
   Maximum password age: 20 days

   Account Lockout Policy:
   Account lockout threshold: 5 invalid logon attempts
   Account lockout duration: 30 minutes
   Lockout counter: reset after 30 minutes

Task 2: Configure local policy settings for a Windows 7 client.
1. Start NYC-CL1 and log on as Contoso\Administrator with the password Pa$$w0rd.
2. Create a new MMC, and then add the Group Policy Object Editor snap-in for the Local Computer.
3. Open Computer Configuration\Windows Settings, open Security Settings, open Local Policies,
   open Security Options, and then enable the Accounts: Administrator Account Status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again, and then click Browse.
5. Click the Users tab, select the Non-Administrators group, click OK, and then click Finish.
6. In the console pane, expand Local Computer\Non-Administrators Policy, expand User
   Configuration, expand Administrative Templates, click Start Menu and Taskbar, and then enable
   the Remove Run from Start Menu setting.
7. Close the MMC without saving the changes.
8. Restart NYC-CL1.

Task 3: Create a wireless network GPO for Windows 7 clients.
1. On NYC-DC1, in the GPMC, create a new GPO named Windows 7 Wireless.
2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless Network (IEEE
   802.11) Policies, and then clicking Create a New Wireless Network Policy for Windows Vista and
   Later Releases.
3. In the New Wireless Network Policy dialog box, click Add, and then click Infrastructure.
4. Create a new profile named Corporate, and then, in the Network Name (SSID) field, type Corp.
5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.
6. Click the Network Permissions tab, and then click Add.
7. Type Research in the Network Name (SSID) field, set the Permission to Deny, and then click OK
   twice.
8. Close the Group Policy Management Editor, and then leave the GPMC open.

Task 4: Configure a policy that prohibits a service on all domain controllers.
1. On NYC-DC1, in the GPMC, edit the Default Domain Controllers Policy to disable the Windows
   Installer service: under Computer Configuration, expand Policies, expand Windows Settings, expand
   Security Settings, and then click System Services.
2. Close the Group Policy Management Editor and leave the GPMC open.
Result: After completing this exercise, you will have configured account and security policy settings.


Exercise 2: Implementing Fine-Grained Password Policies


Your corporate security policy dictates that members of the Domain Admins group will have strict
password policies. The passwords must meet the following criteria:

30 passwords will be remembered in password history.

Domain passwords will be 10 characters.

Strong passwords will be enforced.

Passwords will not be stored with reversible encryption.

Passwords will be changed every seven days exactly.

Accounts will be locked out for 30 minutes after three invalid logon attempts.

You will create a fine-grained password policy to enforce these policies for the Domain Admins global
group.
The main tasks are as follows:
1. Create a PSO by using ADSI Edit.
2. Assign the PSO to the Domain Admins global group.

Task 1: Create a PSO by using ADSI Edit.
1. On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.
3. Navigate to DC=Contoso, DC=com, CN=System, CN=Password Settings Container, right-click
   CN=Password Settings Container, and then create a new object.
4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next. Provide the
   following values:

   In the Value box, type ITAdmin.
   In the msDS-PasswordSettingsPrecedence value, type 10.
   In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.
   In the msDS-PasswordHistoryLength value, type 30.
   In the msDS-PasswordComplexityEnabled value, type TRUE.
   In the msDS-MinimumPasswordLength value, type 10.
   In the msDS-MinimumPasswordAge value, type 06:00:00:00.
   In the msDS-MaximumPasswordAge value, type 07:00:00:00.
   In the msDS-LockoutThreshold value, type 3.
   In the msDS-LockoutObservationWindow value, type 00:00:30:00.
   In the msDS-LockoutDuration value, type 00:00:30:00.

Task 2: Assign the PSO to the Domain Admins global group.
1. In ADSI Edit, select CN=Password Settings Container, and then in the details pane, double-click
   CN=ITAdmin.
2. In the CN=ITAdmin Properties window, scroll down, and then double-click msDS-PSOAppliesTo.
3. Link the Domain Admins group to the object.
4. Close the ADSI Edit window.

Results: After completing this exercise, you will have implemented a fine-grained password policy.
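The following script is an added example and is not part of the course or its lab files. It does with the ActiveDirectory PowerShell module (Windows Server 2008 R2) what the Considerations topic describes and what Lab A, Exercise 1 and Exercise 2 do in the GPMC and ADSI Edit: it reads the Default Domain Policy baseline, creates the ITAdmin PSO with the exercise values, links it to Domain Admins, and then shows which policy the precedence rules actually select for an account. It assumes it is run by a Domain Admin against a Windows Server 2008 R2 domain controller at a Windows Server 2008 or higher functional level, and that Ed is a lab account that is not a member of Domain Admins (an assumption).

```powershell
# Added example, not part of the course: builds the Lab A password policies with
# the ActiveDirectory module instead of ADSI Edit, then shows which policy governs
# a given account. Assumes a Windows Server 2008 R2 DC, domain functional level
# Windows Server 2008 or higher, run as Domain Admin; 'Ed' is assumed to be a lab
# account outside Domain Admins.
Import-Module ActiveDirectory

function Show-PasswordPolicy($label, $policy) {
    # The same attribute set the lab types into ADSI Edit, one line per policy.
    '{0}: MinLength={1} Complexity={2} History={3} MinAge={4} MaxAge={5} Lockout={6} for {7}' -f $label,
        $policy.MinPasswordLength, $policy.ComplexityEnabled, $policy.PasswordHistoryCount,
        $policy.MinPasswordAge, $policy.MaxPasswordAge, $policy.LockoutThreshold, $policy.LockoutDuration
}

# 1. The baseline that applies whenever no PSO is linked to an account
#    (the settings Lab A, Exercise 1 edits in the Default Domain Policy).
Show-PasswordPolicy 'Default Domain Policy' (Get-ADDefaultDomainPasswordPolicy)

# 2. Create the ITAdmin PSO with the Lab A, Exercise 2 values.
#    Durations are TimeSpans here; ADSI Edit wants the d:h:m:s text form instead.
$psoName = 'ITAdmin'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 30 `
        -ComplexityEnabled $true `
        -MinPasswordLength 10 `
        -MinPasswordAge (New-TimeSpan -Days 6) `
        -MaxPasswordAge (New-TimeSpan -Days 7) `
        -LockoutThreshold 3 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}

# 3. PSOs link to users and global security groups only, never to OUs.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | ForEach-Object { $_.Name })
if ($subjects -notcontains 'Domain Admins') {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'
}

# 4. Verify the precedence rules: among all PSOs linked to an account (directly or
#    through groups) the lowest Precedence wins, a PSO linked directly to the user
#    beats any group-linked PSO, and an account with no PSO falls back to the
#    Default Domain Policy. Administrator is in Domain Admins, Ed is assumed not to be.
foreach ($sam in 'Administrator', 'Ed') {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($effective) {
        Show-PasswordPolicy "$sam -> PSO '$($effective.Name)' (precedence $($effective.Precedence))" $effective
    } else {
        "$sam -> no PSO linked, Default Domain Policy applies"
    }
}
```

Get-ADUserResultantPasswordPolicy is the check to run after any PSO change: it resolves the precedence rules for you, so a second PSO with a lower precedence value, or one linked directly to a user, is visible immediately rather than after the next password change or lockout.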


Lesson 3
Restricting Group Membership and Access to Software

In a large network environment, one of the challenges of network security is controlling the membership
of built-in groups in the directory and on workstations. Another concern is preventing access to
unauthorized software on workstations.

Objectives
After completing this lesson, you will be able to:

Describe Restricted Groups.

Configure Restricted Groups.

Describe Software Restriction Policy.

Describe AppLocker.

Describe the difference between AppLocker and SRPs.

Configure AppLocker.


What Are Restricted Groups?

Key Points
In some cases, you may want to control the membership of certain groups in a domain to prevent the
addition of other user accounts to those groups, such as the local Administrators group.
You can use the Restricted Groups policy to control group membership. Use the policy to specify which
members are placed in a group. If you define a Restricted Groups policy and refresh Group Policy, any
current member of the group that is not on the Restricted Groups policy members list is removed. This can
include default members such as domain administrators.
Although you can control domain groups by assigning Restricted Groups policies to domain controllers,
you should use this setting primarily to configure membership of critical groups such as Enterprise Admins
and Schema Admins. You can also use this setting to control the membership of built-in local groups on
workstations and member servers. For example, you can place the Helpdesk group into the local
Administrators group on all workstations.
You cannot specify local users in a domain GPO. Local users who currently are in the local group that the
policy controls will be removed. The only exception is that the local Administrator account will always be
in the local Administrators group.


Demonstration: Configuring Restricted Groups

Key Points
In this demonstration, you will see how to:

Configure restricted groups for the local Administrators group.

Demonstration Steps
1. Open the Group Policy Management console.
2. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security Settings,
   and then click Restricted Groups.
3. Add the IT and Domain Admins groups to the Administrators group.
4. Close the Group Policy Management console.


What Is a Software Restriction Policy?

Key Points
A primary security concern for client computers is the current applications available on each computer. To
do their jobs, users need access to the applications that meet their specific needs. There is the possibility,
however, that unneeded or unwanted applications get installed on the client computers, whether
unintentionally or for malicious or non-business purposes.
Introduced in the Windows XP operating system and the Windows Server 2003 operating system, SRPs
allow an administrator to identify and specify which applications are permitted to run on client
computers. SRP settings are configured and deployed to clients by using Group Policy. An SRP set
comprises the following key components.

Rules
Rules govern how SRP responds to an application being run or installed. Rules are the key constructs
within an SRP, and a group of rules together determine how an SRP will respond to applications being
run. Rules can be based on one of the following criteria that apply to the primary executable file for the
application in question.

Hash. A cryptographic fingerprint of the file.

Certificate. A software publisher certificate used to digitally sign the file.

Path. The local or Universal Naming Convention (UNC) path where the file is stored.

Zone. The Internet Explorer security zone from which the file was downloaded.

Security Levels
Each applied SRP is assigned a security level that governs the way the operating system reacts when the
application that is defined in the rule is run. The three available security levels are as follows.

Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.

Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.

Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.

Default Security Level
The way a system behaves in general is determined by the Default Security Level, which governs how the
operating system reacts to applications without any SRP rules defined. The following three points outline
a system's default behavior, based on the Default Security Level applied in the SRP:

Disallowed. No applications will be allowed to run unless an SRP rule is created that allows each
specific application or set of applications to run.

Basic User. All applications will run under the context of a basic user, regardless of the permissions of
the user who is logged on, unless an SRP rule is created to modify this behavior for a specific
application or set of applications.

Unrestricted. All applications will run as if SRP was not enabled, unless specifically defined by an SRP
rule.

Based on these three components, there are two primary ways to use SRPs:

If an administrator knows all the software that should be allowed to run on clients, the Default
Security Level can be set to Disallowed. All applications that should be allowed to run can be
identified in SRP rules that would apply either the Basic User or Unrestricted security level to each
individual application, depending on the security requirements.

If an administrator does not have a comprehensive list of the software that should be allowed to run
on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security
requirements. Any applications that should not be allowed to run can then be identified by using SRP
rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following location: Computer
Configuration\Windows Settings\Security Settings\Software Restriction Policies.
Note: Software Restriction Policies are not enabled by default in Windows Server 2008 R2.
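The following script is an added example, not course material. It reads the SRP configuration that Group Policy writes to a computer's registry and decodes it into the terms used above: the Default Security Level, whether DLLs are checked, whether local administrators are exempt, and each path and hash rule with its security level. It assumes the Safer\CodeIdentifiers registry layout used from Windows XP through Windows Server 2008 R2 (the key does not exist until an SRP has been applied, which is the "not enabled by default" case), and the SaferKey parameter is an addition so the script can be pointed at a test hive. Certificate and zone rules are not decoded.

```powershell
# Added example, not part of the course: decodes the Software Restriction Policy
# in a computer's registry so an administrator can confirm the Default Security
# Level and list every path/hash rule in force without opening the GPMC.
# Assumes the Safer\CodeIdentifiers layout (Windows XP .. Windows Server 2008 R2).
param(
    # Parameter added here (assumption) so the script can be pointed at a test hive.
    [string]$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Security level identifiers that SRP stores; the GPMC exposes exactly these three.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    if (-not (Test-Path $SaferKey)) {
        # SRP is not enabled by default: no key means no policy has ever applied.
        return "No Software Restriction Policy present under $SaferKey"
    }
    $root  = Get-ItemProperty -Path $SaferKey
    $lines = @()
    $lines += 'Default Security Level : ' +
        $(if ($root.DefaultLevel -eq $null) { 'not set' } else { $levelNames[[int]$root.DefaultLevel] })
    # TransparentEnabled: 2 = all software files including DLLs, 1 = all except DLLs
    $lines += 'DLLs checked           : ' + $(if ($root.TransparentEnabled -eq 2) { 'yes' } else { 'no' })
    # PolicyScope: 1 = all users except local administrators, 0 = all users
    $lines += 'Local admins exempt    : ' + $(if ($root.PolicyScope -eq 1) { 'yes' } else { 'no' })

    # Rules are stored per security level, then per rule type, then per rule GUID.
    foreach ($levelKey in Get-ChildItem -Path $SaferKey) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $levelNames[[int]$levelKey.PSChildName]
        if (-not $level) { continue }
        foreach ($rule in Get-ChildItem -Path "$($levelKey.PSPath)\Paths" -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $lines += "[$level] Path rule: $($p.ItemData)  ($($p.Description))"
        }
        foreach ($rule in Get-ChildItem -Path "$($levelKey.PSPath)\Hashes" -ErrorAction SilentlyContinue) {
            $h   = Get-ItemProperty -Path $rule.PSPath
            # ItemData is the raw hash bytes; render as hex for comparison with the GPMC
            $hex = ($h.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            $lines += "[$level] Hash rule: $hex size=$($h.ItemSize)  ($($h.FriendlyName))"
        }
    }
    $lines
}

Get-SrpSummary
```

Run it on a client after gpupdate to confirm that the Default Security Level and rules the GPO was meant to deliver are what the machine actually holds; a Disallowed default with only the expected path rules, or an Unrestricted default with the intended Disallowed rules, maps directly onto the two usage patterns described above.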


Overview of AppLocker

Key Points
Application Control Policies represent the next evolution of control over the operations of applications
within your domain environment. Application Control Policies are controlled by AppLocker.
AppLocker (introduced in the Windows 7 operating system and Windows Server 2008 R2) provides a
number of enhancements, which improve upon the functionality previously provided by SRP. AppLocker
provides administrators with a variety of methods for quickly and concisely determining the identity of
applications that they may want to restrict or permit access to.
AppLocker is applied through Group Policy to computer objects within an organizational unit. In addition,
individual AppLocker rules can be applied to individual AD DS users or groups.
AppLocker also contains options for monitoring or auditing the application of rules, both as rules are
being enforced and in an audit-only scenario.
AppLocker can help organizations prevent unlicensed or malicious software from executing, and can
selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by
ensuring that workstations are standardized across the enterprise and that users are running only the
software and applications that are approved by the enterprise.
Specifically, the following scenarios provide examples of where AppLocker can be used to provide some
level of application management:

Your organization implements a policy to standardize the applications used within each business
group, so you need to determine the expected usage compared to the actual usage.

The security policy for application usage has changed, and you need to evaluate where and when
those deployed applications are being accessed.

Your organization's security policy dictates the use of only licensed software, so you need to
determine which applications are not licensed or prevent unauthorized users from running licensed
software.


An application is no longer supported by your organization, so you need to prevent it from being
used by everyone.

A new application or a new version of an application is deployed, and you need to allow certain
groups to use it.

Specific software tools are not allowed within the organization, or only specific users have access to
those tools.

A single user or small group of users needs to use a specific application that is denied for all others.

Some computers in your organization are shared by people who have different software usage needs.

AppLocker is available in the following editions of Windows:

Windows Server 2008 R2 Standard operating system

Windows Server 2008 R2 Enterprise operating system

Windows Server 2008 R2 Datacenter operating system

Windows Server 2008 R2 for Itanium-based Systems operating system

Windows 7 Ultimate operating system

Windows 7 Enterprise operating system


Note: AppLocker is not enabled by default in Windows Server 2008 R2.


AppLocker vs. SRPs

Key Points
When implementing SRPs in previous Windows versions, it was particularly difficult to create policies that
were secure and remained functional after software updates were applied. This was due to the lack of
granularity of certificate rules and the fragility of hash rules that became invalid when an application
binary was updated. To resolve this issue, AppLocker enables you to create a rule that combines a
certificate and a product name, file name, and file version. This simplifies your ability to specify that
anything signed by a particular vendor for a specific product name can run.
Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker
gives you greater flexibility. When creating publisher rules, you can trust the publisher, and also drill down
to the product level, the executable level, and even the version.
For example, with SRP, you can create a rule that effectively reads: Trust all content signed by Microsoft.
With AppLocker, you can further refine the rule to specify: Trust the Microsoft Office 2007 Suite if it is
signed by Microsoft and the version is greater than 12.0.0.0.
The AppLocker enhancements over the SRP feature can be summarized as follows:

The ability to define rules based on attributes derived from a file's digital signature, including the
publisher, product name, file name, and file version. SRP supports certificate rules, but they are less
granular and more difficult to define.

A more intuitive enforcement model; only a file that is specified in an AppLocker rule is allowed to run.

A new, more accessible user interface that is accessed through a new Microsoft Management Console
(MMC) snap-in extension to the Group Policy Management Console snap-in.

An audit-only enforcement mode that allows administrators to determine which files would be prevented
from running if the policy were in effect.

The following table outlines other key differences between AppLocker and SRPs.


Feature                                  SRP                                         AppLocker
---------------------------------------  ------------------------------------------  -----------------------------------
Rule scope                               Specific user or group (per Group Policy    Specific users or groups (per rule)
                                         object [GPO])
Rule conditions provided                 File hash, path, certificate, registry      File hash, path, publisher
                                         path, Internet zone
Rule types provided                      Allow and Deny                              Allow and Deny
Default rule action                      Allow and Deny                              Implicit Deny
Audit-only mode                          No                                          Yes
Wizard to create multiple rules at once  No                                          Yes
Policy import or export                  No                                          Yes
Rule collection                          No                                          Yes
Windows PowerShell support               No                                          Yes
Custom error messages                    No                                          Yes

Implementing AppLocker and SRPs


Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems were only able to use SRP
rules. In Windows Server 2008 R2 and Windows 7, you can apply SRP or AppLocker rules, but not both.
This allows you to upgrade an existing implementation to Windows 7 and still take advantage of the SRP
rules defined in group policies.
However, if Windows Server 2008 R2 or Windows 7 have both AppLocker and SRP rules applied in a
group policy, then only the AppLocker rules are enforced and the SRP rules are ignored.
When you add a single AppLocker rule in Windows Server 2008 R2 or Windows 7, all processing of SRP
rules stops. Therefore, if you are replacing SRP rules with AppLocker rules, you must implement all
AppLocker rules that you require at one time. If you implement the AppLocker rules incrementally, you
will lose the functionality provided by SRP rules that have not yet been replaced with corresponding
AppLocker rules.
Note: SRP is still the standard method to restrict software usage in versions of Windows prior to
Windows Server 2008 and Windows 7.
Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?


Demonstration: How to Configure Application Control Policies

Key Points
In this demonstration, you will see how to:

Create a GPO to enforce the default AppLocker Executable rules.

Apply the GPO to the domain.

Test the AppLocker rule.

Demonstration Steps:
1. Open the Group Policy Management Console.
2. Create a new GPO.
3. Configure the AppLocker default rules in the GPO.
4. Link the GPO to the Contoso.com domain.
5. Switch to NYC-CL1.
6. Attempt to open WordPad.


Lab B: Configuring Restricted Groups and Application Control Policies

Lab Scenario
The enterprise administrator created a design that includes modifications to further security areas.
Ensuring that IT staff members have access to the proper administrative rights on client computers is
critical and you have been asked to configure the domain environment to allow this.
In addition, you have been asked to ensure that a widely used application in the environment that has
been recently replaced by a new software suite is no longer used at Contoso, Ltd.


Exercise 1: Configuring Restricted Groups


You need to ensure that the IT global group is included in the local Administrators group on all of the
organization's computers.
The main tasks for this exercise are as follows:
1. Configure restricted groups for the local Administrators group.
2. Test restricted groups for the local Administrators group.

Task 1: Configure restricted groups for the local Administrators group.
1. On NYC-DC1, open the GPMC, browse to the Group Policy Objects folder, and then edit the
   Default Domain Policy.
2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand
   Security Settings, right-click Restricted Groups, and then click Add Group.
3. Add the Administrators group, and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
   Contoso\IT
   Contoso\Domain Admins
5. Close the Group Policy Management Editor.

Task 2: Test restricted groups for the local Administrators group.
1. Start the 6419B-NYC-CL1 VM. If the VM is already started, shut down and restart NYC-CL1.
2. Log on to NYC-CL1 as Contoso\Ed with a password of Pa$$w0rd.
3. Open the Edit local users and groups window by using the Start Menu Search box.
4. Confirm that the Administrators group contains both CONTOSO\Domain Admins and
   CONTOSO\IT as members.
5. Close the local users and groups window and log off NYC-CL1.
Results: After completing this exercise, you configured and tested restricted groups by using Group
Policy.
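The following script is an added example and is not part of the course. It performs the check in Task 2 above from PowerShell and also illustrates the behaviour described in "What Are Restricted Groups?": it lists the local Administrators group on a workstation and reports members the policy should have removed (anything not on the policy's list) as well as expected members that are still missing, without changing anything itself. It uses the WinNT ADSI provider because Windows 7 has no Get-LocalGroupMember cmdlet. The expected member list matches this lab; the parameter names and the ComputerName default are assumptions of this example.

```powershell
# Added example, not part of the course: audits the local Administrators group
# after a Restricted Groups policy has applied and reports drift. It only reports;
# the policy itself re-enforces membership at the next Group Policy refresh.
# Uses the WinNT ADSI provider (no Get-LocalGroupMember on Windows 7).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Lab B, Exercise 1 values; replace with the groups your policy lists.
    [string[]]$ExpectedDomainMembers = @('CONTOSO\IT', 'CONTOSO\Domain Admins')
)

function Get-LocalAdministrators([string]$Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Each member is a COM object; its ADsPath looks like
    #   WinNT://CONTOSO/Domain Admins          (domain principal)
    #   WinNT://CONTOSO/NYC-CL1/Administrator  (local account)
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # The last two elements are always <authority>\<name>
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Test-RestrictedAdministrators([string]$Computer, [string[]]$ExpectedDomain) {
    # Restricted Groups never removes the built-in local Administrator account.
    $expected   = $ExpectedDomain + "$Computer\Administrator"
    $actual     = @(Get-LocalAdministrators $Computer)
    $unexpected = @($actual   | Where-Object { $expected -notcontains $_ })  # should have been removed
    $missing    = @($expected | Where-Object { $actual   -notcontains $_ })  # policy not applied yet?
    New-Object PSObject -Property @{
        Computer   = $Computer
        Members    = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

Test-RestrictedAdministrators $ComputerName $ExpectedDomainMembers |
    Format-List Computer, Compliant, Unexpected, Missing, Members
```

A non-empty Unexpected list right after gpupdate usually means the GPO has not applied to that computer yet (check gpresult), while a persistent local user in the list confirms the point made earlier: local users cannot be kept in the group by a domain GPO and are removed on refresh.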


Exercise 2: Configuring Application Control Policies


Scenario
Microsoft Office 2007 has recently been installed in the Research Department at Contoso, Ltd on all client
computers. Previously, WordPad was used for word processing tasks in the Research Department. To
encourage users to use the new word processing capabilities of Office Word 2007, you have been asked
to restrict users in the Research Department from running WordPad on their computers.
The main tasks for this exercise are as follows:

1. Create a GPO to enforce the default AppLocker Executable rules.

2. Apply the GPO to the Contoso.com domain.

3. Test the AppLocker rule.

Task 1: Create a GPO to enforce the default AppLocker Executable rules.

1. On NYC-DC1, in the Group Policy Management console, create a new GPO entitled Wordpad Restriction Policy.

2. Edit the new GPO with the following settings:
   - Application Control Policy: Under Executable Rules, create a new executable publisher rule for C:\Program Files\Windows NT\Accessories\wordpad.exe that denies Everyone access to run any version of wordpad.exe.
   - Configure Executable rules to be enforced.
   - Configure the Application Identity service to run and set it to Automatic.

Task 2: Apply the GPO to the Contoso.com domain.

Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.

Task 3: Test the AppLocker rule.

1. Restart and then log on to NYC-CL1 as Contoso\Alan with the password Pa$$w0rd.

2. Refresh Group Policy by running gpupdate /force from the command prompt.

3. Try to run WordPad from Start, All Programs, Accessories.

Note: The AppLocker policy should restrict you from running this application. If the application runs, log off from NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to NYC-CL1. After the policy setting is applied, the application will be restricted.

Results: After completing this exercise, you will have restricted an application by using AppLocker.
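The same test done from Windows PowerShell on NYC-CL1, as an added example that is not part of the course lab: it checks the Application Identity service, evaluates the effective AppLocker policy against wordpad.exe for Contoso\Alan, shows the publisher data the rule was built from, and lists block events. The AppLocker module cmdlets and the Win32_Service WMI class are Windows 7 / Windows Server 2008 R2 built-ins; the path and user name are the lab's own.

```powershell
# Added example (not part of the course lab): verify the Wordpad Restriction Policy on
# NYC-CL1 after "gpupdate /force". Requires the AppLocker module (Windows 7 / 2008 R2).
Import-Module AppLocker

$wordpad = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
$user    = 'CONTOSO\Alan'

# 1. AppLocker rules are enforced only while the Application Identity service runs.
#    Windows PowerShell 2.0 service objects have no StartType, so read it through WMI.
$appId = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
"Application Identity: State={0}, StartMode={1}" -f $appId.State, $appId.StartMode
if ($appId.State -ne 'Running') {
    Write-Warning 'AppIDSvc is not running; the publisher deny rule will not be enforced.'
}

# 2. Evaluate the effective policy (local policy merged with all applied GPOs) against
#    wordpad.exe for Alan. Expected PolicyDecision once the GPO has applied: Denied,
#    because an explicit deny rule always wins over the default allow rule for Program Files.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $wordpad -User $user |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Show the publisher information the rule was built from. A publisher rule matches the
#    signed file wherever it is, which is why the lab uses it instead of a path rule.
Get-AppLockerFileInformation -Path $wordpad | Select-Object Path, Publisher

# 4. Enforcement leaves a trail: event 8004 in the AppLocker operational log records each
#    start that was prevented, so blocked attempts can be reviewed or forwarded to a collector.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8004 } |
    Select-Object TimeCreated, Id, Message
```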

To prepare for the next module.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-CL1.


Module Review and Takeaways

Review Questions

1. You want to place an application control policy on a new type of executable file. What must you do before you can create a rule for this executable code?

2. What setting must you configure to ensure that users are only allowed 3 invalid logon attempts?

3. You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 Feature | Description
Advanced Audit Policy Configuration | Expands available audit policy settings from 9 to 53 in Windows Server 2008 R2 and Windows 7
Application Control Policies | Controls applications by using AppLocker


Module 12
Providing Efficient Network Access for Remote Offices
Contents:

Lesson 1: Overview of Remote Office Requirements    12-3
Lesson 2: Implementing Read-Only Domain Controllers    12-6
Lab A: Deploying a Read-Only Domain Controller    12-16
Lesson 3: Implementing BranchCache    12-21
Lab B: Deploying BranchCache    12-34


Module Overview

Remote offices have a unique set of challenges for network infrastructure. Many remote offices connect to the head office over wide area network (WAN) links that are slow and subject to high latency. Slow connectivity between the remote office and the enterprise network affects network logons and access to files. To provide fast and secure logons at remote offices, you can place a read-only domain controller (RODC) at the remote office. You can use BranchCache to speed up access to data across the WAN and reduce WAN utilization.

After this module, you will be able to:

- Explain remote office requirements.
- Implement read-only domain controllers.
- Implement BranchCache.


Lesson 1

Overview of Remote Office Requirements

Remote offices have unique management challenges. A remote office typically has slow connectivity to
the enterprise network and limited infrastructure for securing servers. Therefore, the challenge lies in
being able to provide efficient access to network resources for users in remote offices.
After this lesson, you will be able to:

- Discuss the common challenges in providing efficient remote office access to network resources.
- Describe options for providing efficient access to network resources.


Discussion: Challenges to Managing Remote Office Connectivity

Key Points
Usually, a head office is the central communication hub for its remote offices. Most remote offices have fewer users than the head office, and each remote office has slow connectivity to the head office.
For example, a chain of retail stores has a head office with many employees and fast internal network connectivity. The branch offices are remotely located, with very few employees in each location and slow connectivity to the data in the head office.
Question: Why are network connections between remote offices and the head office slow and unreliable?
Question: How does slow and unreliable network connectivity affect the users in remote offices?
Question: How does management of computer systems in remote offices compare with the management of computer systems in the head office?
Question: How does system security in remote offices compare with system security in the head office?


Options for Providing Efficient Access to Network Resources

Key Points
You can meet the challenge of slow and less reliable connectivity at remote offices by using the following two features of Windows Server 2008:

- Read-only domain controllers
- BranchCache

Read-Only Domain Controllers

To increase logon speed and reliability, you can install a domain controller at a remote office. However, a standard domain controller holds a copy of all user accounts and their passwords for the domain. Given sufficient time, anyone who steals a server with a copy of Active Directory can access the passwords.
A read-only domain controller (RODC) in a remote office limits the passwords it can store. This helps you to address some of the security concerns associated with remote offices. Typically, you limit the passwords on the read-only domain controller in the remote office to only users who work in that office.

BranchCache
Accessing the files in the head office can be very slow for users in the remote offices. BranchCache helps speed up access to files by caching them on a local computer or on a server in the remote office. If a file has not been modified in the head office and is accessed from the remote office, the cached copy of the file in the remote office is opened rather than the copy of the file from the head office.
In addition to providing faster file access, BranchCache decreases the overall WAN utilization because only new and modified files are copied over the WAN. This keeps the WAN free for other activities.


Lesson 2

Implementing Read-Only Domain Controllers

An RODC helps meet the security and management challenges of remote offices. Therefore, you need to
understand the features of RODCs, how to deploy them, and how to configure them. Configuring an
RODC includes configuring password replication policies and performing local administration tasks on the
RODC.
After completing this lesson, you will be able to:

- Discuss the features of RODCs.
- Describe how to deploy RODCs.
- Describe a Password Replication Policy.
- Configure a Password Replication Policy.
- Administer RODC credential caching.
- Configure administrator role separation for RODCs.


Read-Only Domain Controller Features

Key Points
An RODC has a read-only copy of an Active Directory domain, which contains all of the objects in the domain, but not all of their attributes. System-critical attributes, such as authentication-related data, are not replicated to an RODC because an RODC is not considered secure. You can prevent additional attributes from being replicated to RODCs by marking the attribute as confidential.
You cannot make changes to the domain database on an RODC because the Active Directory database on the RODC is read-only. All requests for changes are forwarded to a writable domain controller. Because no changes are performed on the RODC, replication of Active Directory changes is one way, from writable domain controllers to the RODC.

Credential Caching
User and computer credentials are not replicated to an RODC by default. To use an RODC to enhance user logon, you need to configure a Password Replication Policy (PRP) that defines which user credentials can be cached. Limiting the credentials cached on the RODC reduces the security risks. If the RODC is stolen, only passwords for the cached user and computer accounts need to be reset.
If user and computer credentials are not replicated to an RODC, then a writable domain controller must be contacted during the authentication process. Typically, the credentials for local users and computers are cached on an RODC.

Administrator Role Separation


To manage a writable domain controller, you must be a member of the domain local Administrators
group. Any user placed in the domain local Administrators group is given permissions to manage all
domain controllers in the domain. This causes problems for administration of remote offices with a
writable domain controller because the administrator in a remote office should not be given access to the
domain controllers in the rest of the organization.


Permissions to administer an RODC are granted by placing a user account in the local Administrators group on the RODC. This gives the administrator of a remote office permission to manage only that RODC, which may also be configured to provide other services such as file shares and printing.

Read-Only DNS
Domain Name System (DNS) is a critical resource for a Windows network. If an RODC is configured as a
DNS server, DNS zones can be replicated through Active Directory Domain Services to the RODC. DNS on
the RODC is read-only. DNS update requests are referred to a writable copy of DNS.


How to Deploy an RODC

Key Points
To deploy an RODC, ensure that the following activities are performed:

- Ensure that the forest functional level is Windows Server 2003 or later: all domain controllers must be Windows Server 2003 or later, and each domain in the forest must be at the domain functional level of Windows Server 2003 or later.
- Run ADPrep /RODCPrep. This configures permissions on DNS application directory partitions to allow them to be replicated to RODCs. This is required only if the Active Directory forest has been upgraded.
- Ensure that there is a writable Windows Server 2008 domain controller. An RODC replicates the domain partition only from Windows Server 2008 domain controllers. Therefore, each domain with RODCs must have at least one Windows Server 2008 domain controller. The Schema and Configuration partitions can be replicated from Windows Server 2003.
- Consider replication patterns. Each remote office with an RODC should have direct connectivity to a site with a Windows Server 2008 domain controller. This minimizes the replication traffic over the WAN.

RODC Installation
Like a writable domain controller, an RODC can be installed by using an attended or an unattended
installation. If you perform an attended installation by using the graphical interface, you select the RODC
as one of the additional domain controller options.
You can also delegate the RODC installation to the administrator in the remote office by using a staged installation. In a staged installation, you need to perform the following steps:

1. Ensure that the server to be configured as the RODC is not a member of the domain.

2. A domain administrator uses Active Directory Users and Computers to precreate the RODC account in the Domain Controllers organizational unit. The wizard for performing this process prompts for the necessary information, including the users or groups that are allowed to join the RODC to the domain.

3. The administrator in the remote office runs dcpromo /UseExistingAccount:Attach and follows the wizard to join the domain as the precreated RODC account.

Note: You can also perform a staged installation by using dcpromo with command-line options or an unattended installation file.
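The prerequisite checks above, scripted from the Active Directory module on the hub domain controller, as an added example that is not part of the course: it verifies the functional levels, looks for a writable Windows Server 2008 replication source, and inspects the computer account of the server about to be staged (NYC-SVR1, taken from Lab A; the managedBy attribute is where the precreated RODC account records its delegated administrator).

```powershell
# Added example (not from the course): check the RODC deployment prerequisites listed in
# this topic from NYC-DC1 with the Active Directory module of Windows Server 2008 R2.
# NYC-SVR1 is the lab's server to be staged; change $rodcName for another server.
Import-Module ActiveDirectory

$rodcName = 'NYC-SVR1'
$forest   = Get-ADForest
$domain   = Get-ADDomain

# 1. Forest and domain functional levels must be Windows Server 2003 or later. The module
#    reports them as enum names (Windows2003Forest, Windows2008R2Domain, and so on).
$forestOk = @('Windows2003Forest', 'Windows2008Forest', 'Windows2008R2Forest') -contains "$($forest.ForestMode)"
$domainOk = @('Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain') -contains "$($domain.DomainMode)"
"Forest functional level {0}: {1}" -f $forest.ForestMode, $(if ($forestOk) { 'OK' } else { 'too low for RODCs' })
"Domain functional level {0}: {1}" -f $domain.DomainMode, $(if ($domainOk) { 'OK' } else { 'too low for RODCs' })

# 2. The domain partition is replicated to an RODC only from a writable Windows Server 2008
#    (or later) domain controller, so at least one must exist in this domain.
$hubDCs = Get-ADDomainController -Filter * |
    Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -like 'Windows Server 2008*' }
if ($hubDCs) {
    'Writable Windows Server 2008 DCs (replication sources): ' +
        (($hubDCs | ForEach-Object { '{0} ({1})' -f $_.HostName, $_.Site }) -join ', ')
} else {
    Write-Warning 'No writable Windows Server 2008 domain controller found in this domain.'
}

# 3. The server to be staged must not be a domain member. A leftover computer account
#    outside the Domain Controllers OU (for example in CN=Computers) conflicts with the
#    precreated RODC account of the same name and must be deleted first (Lab A, Task 2).
$account = Get-ADComputer -Filter { Name -eq $rodcName } -Properties managedBy -ErrorAction SilentlyContinue
$dcOu    = $domain.DomainControllersContainer
if (-not $account) {
    "{0}: no computer account yet; the RODC account can be precreated." -f $rodcName
} elseif ($account.DistinguishedName -like "*,$dcOu") {
    # A precreated RODC account lives in the Domain Controllers OU; its managedBy attribute
    # names the user or group delegated to attach the server and administer the RODC.
    "{0}: staged RODC account found, delegated to {1}" -f $rodcName, $account.managedBy
} else {
    Write-Warning ("{0} already has a computer account at {1}; remove it before staging." -f $rodcName, $account.DistinguishedName)
}
```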


What Is Password Replication Policy?

Key Points
A Password Replication Policy (PRP) determines which user and computer credentials can be cached on a specific RODC. If the PRP allows an RODC to cache an account's credentials, authentication and service ticket activities of that account can be processed by the RODC. If an account's credentials cannot be cached on the RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.
The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific accounts or groups. An account must be on the Allowed List for credentials to be cached. If a group is on the Allowed List and a member of that group is on the Denied List, caching is not allowed for that member.
There are two domain local groups that can be used to globally allow or deny caching to all RODCs in a domain:

- Allowed RODC Password Replication Group is added to the Allowed List of all RODCs. This group has no members by default.
- Denied RODC Password Replication Group is added to the Denied List of all RODCs. By default, Domain Admins, Enterprise Admins, and Group Policy Creator Owners are the members of this group.

You can configure the Allowed List and Denied List for each RODC. By default, the Allowed List contains only the Allowed RODC Password Replication Group. The default membership of the Denied List includes Administrators, Server Operators, and Account Operators.
In most cases, you want to add accounts separately to each RODC rather than globally allowing password caching. This allows you to limit the number of credentials cached to only those accounts commonly at that location. Domain administrative accounts should not be cached on RODCs in remote offices. Computer accounts should be cached to speed up authentication of computer accounts during system startup.


Demonstration: How to Configure a Password Replication Policy

Key Points
The PRP for an RODC is configured in the properties of the RODC computer account. In this
demonstration, you will see how to configure the PRP for an RODC.

Demonstration Steps

1. Open Active Directory Users and Computers.

2. Precreate an RODC account in the Domain Controllers OU.

3. View the Password Replication Policy tab in the Properties of the RODC computer account.

4. Add Adam Carter and allow credentials to be cached.

5. Close the Properties of the RODC computer account.

6. View the Membership tab of the Allowed RODC Password Replication Group.

7. Close the Properties of the Allowed RODC Password Replication Group.

8. View the Membership tab of the Denied RODC Password Replication Group.

9. Close the Properties of the Denied RODC Password Replication Group.

10. Close Active Directory Users and Computers.


Demonstration: Administering RODC Credentials Caching

Key Points
After a PRP has been configured for an RODC, it is useful to see what activity the RODC has been
performing for accounts. You can view a list of accounts with passwords stored on the RODC. If the RODC
security is compromised, you can use this list of accounts to determine which passwords should be reset.
You can also display a list of accounts that have been authenticated by using the RODC. This list has
accounts that do not have a password stored on the RODC, but authentication was initiated on the RODC.
You can use this list to determine which accounts are authenticating locally and identify which accounts
should have credentials cached.
Finally, you can prepopulate passwords for accounts in the cached credentials. This ensures that
authentication is performed locally the next time the account is used rather than being referred to a
writable domain controller and then cached.
In this demonstration, you will see how to:

- View passwords stored on an RODC.
- Prepopulate passwords on an RODC.

Demonstration Steps

1. Open Active Directory Users and Computers.

2. View the Password Replication Policy tab in the Properties of the RODC computer account.

3. Click the Advanced button and view the Policy Usage tab.

4. Use the list box to display Accounts whose passwords are stored on this Read-only Domain Controller.

5. Use the list box to display Accounts that have been authenticated to this Read-only Domain Controller.

6. Click Prepopulate Password and add Adam Carter. This will fail because the RODC is not active.

7. Close all open windows.

Note: You require the 6419B-NYC-DC1 virtual machine to complete this demonstration. Log on to the virtual machine as Contoso\Administrator, with the password Pa$$w0rd.
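The two demonstrations above (configuring a PRP and administering credential caching), and the same work in Lab A Exercise 2, done from Windows PowerShell with the Active Directory module on NYC-DC1, as an added example that is not part of the course: it reads the domain-wide and per-RODC lists, allows a site-specific group, evaluates the resultant policy for one user, lists revealed and authenticated accounts, and prepopulates credentials with repadmin /rodcpwdrepl. NYC-SVR1 (the RODC), NYC-DC1 (the hub), Alexander, NYC-CL1 and the Remote Office Users group are the lab's names; the cmdlets are the Windows Server 2008 R2 module's own.

```powershell
# Added example (not from the course): PRP and credential-caching administration from the
# Active Directory module on NYC-DC1. NYC-SVR1 is the RODC, NYC-DC1 the hub DC, and
# Alexander, NYC-CL1 and Remote Office Users come from the lab.
Import-Module ActiveDirectory

$rodc = 'NYC-SVR1'
$hub  = 'NYC-DC1'

# 1. Domain-wide lists: these two groups sit on the Allowed and Denied list of every RODC.
'--- Allowed RODC Password Replication Group (no members by default) ---'
Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group' | Select-Object -ExpandProperty Name
'--- Denied RODC Password Replication Group (Domain Admins, Enterprise Admins, ...) ---'
Get-ADGroupMember -Identity 'Denied RODC Password Replication Group'  | Select-Object -ExpandProperty Name

# 2. Per-RODC policy: the Allowed and Denied lists stored on the RODC's computer account.
'--- Allowed list on {0} ---' -f $rodc
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
'--- Denied list on {0} ---' -f $rodc
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# 3. Allow caching for the site-specific group instead of the domain-wide group, so only
#    accounts that work in this office can ever be stored on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Remote Office Users'

# 4. Resultant policy for one account. Deny wins over Allow: a member of Remote Office Users
#    who is also in a denied group (for example DNSAdmins, after lab Task 1) resolves to Deny.
$resultant = Get-ADAccountResultantPasswordReplicationPolicy -Identity 'Alexander' -DomainController $rodc
"Resultant PRP for Alexander on {0}: {1}" -f $rodc, $resultant

# 5. What has actually happened on the RODC. Revealed accounts have their secrets stored
#    there; if the RODC is stolen or compromised, these are the passwords to reset.
'--- Accounts whose passwords are stored on the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts | Select-Object -ExpandProperty Name
#    Authenticated accounts were validated through the RODC without being cached; they are
#    candidates for the Allowed list if they really belong to this office.
'--- Accounts that have authenticated to the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object -ExpandProperty Name

# 6. Prepopulate: push the secrets of Alexander and the NYC-CL1 computer account from the
#    hub DC to the RODC now, so the first logon at the office is served locally. This is a
#    repadmin operation and fails if the RODC is not reachable (as in the demonstration).
$dns = (Get-ADUser -Identity 'Alexander').DistinguishedName,
       (Get-ADComputer -Identity 'NYC-CL1').DistinguishedName
repadmin /rodcpwdrepl $rodc $hub $dns
```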


Overview of Administrator Role Separation

Key Points
The management of RODCs is separated from other domain controllers. Therefore, you can delegate
administration of RODCs to local administrators in remote offices without giving those administrators
access to writable domain controllers.
You can delegate administration of an RODC in the properties of the RODC computer account on the
Managed By tab. You should follow this method to delegate the administration of an RODC because it
can easily be centrally managed.
Only a single security principal can be specified on the Managed By tab of an RODC computer account.
Specify a group so that you can delegate management permissions to multiple users by making them
members of the group.
You can also delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles option.
C:\>dsmgmt
Dsmgmt: local roles
local roles: add adam administrators

You should cache the password for delegated administrators to ensure that system maintenance can be
performed when a writable domain controller is unavailable.


Lab A: Deploying a Read-Only Domain Controller

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the actions pane, click Start.

3. In the actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1 and 6419B-NYC-CL1.


Exercise 1: Installing an RODC


Scenario
You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote
offices. The remote offices are small and have low speed connectivity to the head office. You want to
speed up authentication at the remote offices containing a file server by configuring the file server as an
RODC.
NYC-DC1 is the head office domain controller. NYC-SVR1 is the file server in the remote office being
configured as an RODC. NYC-CL1 is a client computer located in the remote office.
The main tasks for this exercise are as follows:

1. Verify the prerequisites for a staged installation of an RODC.

2. Stage a delegated installation of an RODC.

3. Complete a staged installation of an RODC.

Task 1: Verify the prerequisites for a staged installation of an RODC

1. On NYC-DC1, open Active Directory Users and Computers.

2. In the properties of Contoso.com, verify that the forest functional level is at least Windows Server 2003.

3. On NYC-SVR1, open Server Manager and verify whether the computer is a member of a domain.

4. Use the Change System Properties option to place NYC-SVR1 in a workgroup named TEMPORARY.

5. Restart NYC-SVR1.

Task 2: Stage a delegated installation of an RODC

1. On NYC-DC1, open Active Directory Users and Computers.

2. Delete the NYC-SVR1 computer account from the Computers container.

3. At the Domain Controllers OU, precreate a read-only domain controller account by using default settings, except for the following:
   - Computer name: NYC-SVR1
   - Delegate to: CONTOSO\IT

4. View the DC Type for the NYC-SVR1 computer account in the Domain Controllers OU.

Task 3: Complete a staged installation of an RODC

1. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd.

2. On NYC-SVR1, run dcpromo.exe.

3. Complete the Active Directory Domain Services Installation Wizard by using default options except those listed below:
   - Create the domain controller in an Existing forest.
   - Add the domain controller to an existing domain.
   - Network credentials: Andrea (a member of the IT group)
   - Password for Andrea: Pa$$w0rd
   - Directory Services restore mode password: Pa$$w0rd

4. When installation is complete, reboot NYC-SVR1.

Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.


Exercise 2: Configuring Password Replication Policy and Credential Caching

Scenario
After installing an RODC for a remote office, you need to configure password replication and credential
caching for the remote office. A specific group of research users who work in the remote office need to
have their passwords cached in this office. You need to verify that password caching is functioning
correctly.
The main tasks for this exercise are as follows:
1.

Configure domain-wide password replication.

2.

Create a group to manage password replication to the remote office RODC.

3.

Configure password replication policy for the remote office RODC.

4.

Evaluate resultant password replication policy.

5.

Monitor credential caching.

6.

Prepopulate credential caching.

7.

Test cached passwords on NYC-SVR1.

Task 1: Configure domain-wide password replication policy.


1.

On NYC-DC1, open Active Directory Users and Computers.

2.

In the Users container, view the membership of the Allowed RODC Password Replication Group
and verify that there are no current members.

3.

Add the DNSAdmins group to the Denied RODC Password Replication Group.

4.

In the Domain Controllers OU, open the properties of NYC-SVR1.

5.

On the Password Replication Policy tab, verify that the Allowed RODC Password Replication
Group and Denied RODC Password Replication Group are listed.

Task 2: Create a group to manage password replication to the remote office RODC.
1. On NYC-DC1, in Active Directory Users and Computers, in the Research OU, create a new group
   named Remote Office Users.
2. Add Alan, Alexander, Dylan, Max, and NYC-CL1 to the membership of Remote Office Users.

Task 3: Configure password replication policy for the remote office RODC.
1. On NYC-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then
   open the properties of NYC-SVR1.
2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate
   passwords to NYC-SVR1.

Task 4: Evaluate resultant password replication policy.
1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
   properties of NYC-SVR1.
2. On the Password Replication Policy tab, open the Advanced configuration.
3. On the Resultant Policy tab, add Alexander and confirm that Alexander's password can be cached.


Task 5: Monitor credential caching.
1. Attempt to log on to NYC-SVR1 as Alexander. This logon will fail because Alexander does not have
   permission to log on to the RODC, but authentication is performed.
2. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the
   properties of NYC-SVR1.
3. On the Password Replication Policy tab, open the Advanced configuration.
4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only
   Domain Controller option. Notice that Alexander's password has been cached.

Task 6: Prepopulate credential caching.
1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click
   NYC-SVR1 and click Properties.
2. On the Password Replication Policy tab, open the Advanced configuration.
3. On the Policy Usage tab, prepopulate the passwords for Alan and NYC-CL1.
4. Read the list of cached passwords and confirm that Alan and NYC-CL1 have been added.

Task 7: Test cached passwords on NYC-SVR1.
1. Shut down NYC-DC1.
2. On NYC-CL1, open Network and Sharing Center.
3. In Network and Sharing Center, open the properties of Local Area Connection 3, and add an
   Alternate DNS server of 10.10.0.11 in the properties of TCP/IPv4.
4. Log off and log on as Alexander with a password of Pa$$w0rd.
5. Log off and log on as Alan with a password of Pa$$w0rd.

Results: In this exercise, you configured and tested password replication for an RODC.
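The same seven tasks carried out from the Active Directory module for Windows PowerShell and repadmin.exe instead of the Active Directory Users and Computers console, as an added example that is not part of the course. The Research OU distinguished name, the Contoso.com DNS suffix, the sAMAccountNames Alan, Alexander, Dylan and Max, and the Test-RodcPasswordCacheable helper are assumptions of this example.

```powershell
# Added example (not part of the course): Exercise 2 with the Active Directory module
# (Windows Server 2008 R2) and repadmin.exe. Run on the writable DC NYC-DC1.
Import-Module ActiveDirectory

$Rodc    = 'NYC-SVR1'                        # the branch RODC
$Group   = 'Remote Office Users'             # lab group name; assumed to be its sAMAccountName too
$GroupOU = 'OU=Research,DC=Contoso,DC=com'   # assumed DN of the lab's Research OU
$Members = 'Alan', 'Alexander', 'Dylan', 'Max', 'NYC-CL1$'   # assumed sAMAccountNames; computers end in $

# Task 1: domain-wide defaults that every RODC honours. Keep the Allowed group empty (cache
# nothing by default) and put privileged accounts in the Denied group: a stolen or compromised
# RODC exposes only the secrets it has cached, and Denied always overrides Allowed.
if (Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group') {
    Write-Warning 'Allowed RODC Password Replication Group is not empty'
}
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'DnsAdmins'

# Task 2: a group that scopes exactly which branch accounts NYC-SVR1 may cache.
New-ADGroup -Name $Group -SamAccountName $Group -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $Group -Members $Members

# Task 3: allow that group in this RODC's own Password Replication Policy.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group

# Task 4: resultant policy for one account. An account is cacheable only if it, or a group it is
# nested in, is on the Allowed list and none of them is on the Denied list.
function Test-RodcPasswordCacheable {
    param([string] $RodcName, [string] $SamAccountName)
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    # Nested group membership via LDAP_MATCHING_RULE_IN_CHAIN (the primary group is not included).
    $chain = @($obj.DistinguishedName) +
             @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($obj.DistinguishedName))" |
               ForEach-Object { $_.DistinguishedName })
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied  |
               ForEach-Object { $_.DistinguishedName }
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
               ForEach-Object { $_.DistinguishedName }
    if ($chain | Where-Object { $denied  -contains $_ }) { return 'Deny (explicit)' }
    if ($chain | Where-Object { $allowed -contains $_ }) { return 'Allow' }
    return 'Deny (implicit)'   # listed nowhere: the RODC never caches this account
}
Test-RodcPasswordCacheable -RodcName $Rodc -SamAccountName 'Alexander'
Test-RodcPasswordCacheable -RodcName $Rodc -SamAccountName 'Administrator'  # Administrators is denied by default

# Task 5: accounts that authenticated through the RODC, and accounts whose secrets it now holds.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts      | Select-Object Name

# Task 6: prepopulate Alan and NYC-CL1 from the writable DC (repadmin takes distinguished names).
$toPrepopulate = (Get-ADUser -Identity 'Alan').DistinguishedName,
                 (Get-ADComputer -Identity 'NYC-CL1').DistinguishedName
repadmin /rodcpwdrepl $Rodc NYC-DC1 $toPrepopulate

# Task 7 check: the revealed list should now contain Alexander, Alan and NYC-CL1$.
repadmin /prp view $Rodc reveal
```

Re-run the two repadmin /prp view and Get-ADDomainControllerPasswordReplicationPolicyUsage calls periodically; an unexpected account in the revealed list is the signal that the Allowed list is wider than the branch needs.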

To prepare for the next lab
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.


Lesson 3

Implementing BranchCache

BranchCache is a new feature in Windows Server 2008 R2 and Windows 7 that reduces WAN link
utilization for remote offices. In some cases, it can also improve application performance for remote office
users that access data in the head office. Remote office client computers use a data cache in the remote
office to reduce traffic over a WAN link. If you configure client computers to use the Distributed Cache
mode, the cached content is distributed across client computers. If you configure client computers to use
the Hosted Cache mode, the cached content is maintained on a server computer on the remote office
network. You can customize BranchCache settings and perform additional configuration tasks after
configuring BranchCache. You can also monitor BranchCache events, work, and performance and query
BranchCache infrastructure to verify the configuration of servers and usage of cache.
After completing this lesson, you will be able to:
• Describe BranchCache.
• Compare Hosted Cache mode with Distributed Cache mode.
• Describe BranchCache requirements.
• Describe how to configure servers for BranchCache.
• Describe how to configure clients for BranchCache.
• Configure BranchCache.
• Verify and monitor BranchCache status.


Overview of BranchCache

Key Points
One of the challenges that remote offices face is improving the performance of intranet resources that are
accessed from head offices or regional data centers. Typically, branch offices are connected by WANs,
which usually have slower data rates than the intranet. Reducing the network utilization on the WAN
connection provides more bandwidth for other applications and services.
The BranchCache feature in Windows Server 2008 R2 and Windows 7 reduces the network utilization on
WAN connections between branch offices and headquarters by locally caching frequently used files on
computers in the branch office. BranchCache improves the performance of applications that use one of
the following protocols:
• HTTP or HTTPS. The protocols used by web browsers and other applications.
• SMB, including signed SMB traffic. The protocol used for accessing shared folders.
• BITS. Background Intelligent Transfer Service (BITS) is a Windows component that distributes content
  from a server to clients by using only idle network bandwidth.

Note: BranchCache can only be utilized for SMB 2.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a
passive cache, it will not increase the WAN utilization. BranchCache only caches the read requests and will
not interfere when a user saves a file.
BranchCache improves the responsiveness of common network applications that access intranet servers
across slow WAN links. Because BranchCache does not require any additional infrastructure, you can
improve the performance of remote networks by deploying Windows 7 to client computers and Windows
Server 2008 R2 to server computers, and by enabling the BranchCache feature.


BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL),
SMB Signing, and end-to-end IP Security (IPSec). You can use BranchCache to reduce the network
bandwidth utilization and improve application performance even if the content is encrypted.


Compare Hosted Cache Mode with Distributed Cache Mode

Key Points
You can configure BranchCache to use the Hosted Cache mode or the Distributed Cache mode.
• Hosted Cache. The Hosted Cache mode operates by deploying a computer that is running Windows
  Server 2008 R2 as a host in the branch office. Client computers are configured with the fully qualified
  domain name (FQDN) of the host computer so that they can retrieve content from the Hosted Cache
  when available. If the content is not available in the Hosted Cache, the content is retrieved from the
  content server by using a WAN link and then provided to the Hosted Cache so that the subsequent
  client requests can get it from there.
• Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote
  offices. In this mode, local Windows 7 clients keep a copy of the content and make it available to
  other authorized clients that request the same data. This eliminates the need to have a server in the
  branch office. However, unlike the Hosted Cache mode, this configuration works across a single
  subnet only. In addition, clients that hibernate or disconnect from the network will not be able to
  provide content to other requesting clients.

When BranchCache is enabled on the client computer and the server computer, the client computer
performs the following process to retrieve data by using the HTTP, HTTPS, or SMB protocol:
1. The client computer running Windows 7 connects to a content server computer running Windows
   Server 2008 R2 in the head office and requests content similar to the way it would retrieve content
   without using BranchCache.
2. The content server computer in the head office authenticates the user and verifies that the user is
   authorized to access the data.
3. The content server computer in the head office returns identifiers or hashes of the requested content
   to the client computer instead of sending the content itself. The content server computer sends that
   data over the same connection over which the content would normally have been sent.
4. Using the retrieved identifiers, the client computer does the following:
   • If configured to use Distributed Cache, the client computer multicasts on the local network to
     find other client computers that have already downloaded the content.
   • If configured to use Hosted Cache, the client computer searches for content availability on the
     Hosted Cache.
5. If the content is available in the remote office, either on one or more clients or on the Hosted Cache,
   the client computer retrieves the data from within the remote office and ensures that the data is
   updated and has not been tampered with or corrupted.
6. If the content is not available in the remote office, the client computer retrieves the content directly
   from the server computer at the data center. The client computer then either makes it available on
   the local network to other requesting client computers or sends it to the Hosted Cache, where it is
   made available to other client computers.

Question: Can you use BranchCache if both servers in the remote office are running Windows Server
2008 when you have deployed Windows 7 to all remote office client computers?


BranchCache Requirements

Key Points
BranchCache optimizes traffic flow between head office and remote offices, and only Windows Server
2008 R2 servers and Windows 7 clients can benefit from it. The earlier versions of Windows operating
systems will not benefit from this feature. You can cache only the content stored on Windows Server 2008
R2 file servers or web servers by using BranchCache.

Requirements for Using BranchCache
To use BranchCache:
• You must install the BranchCache feature or the BranchCache for Network Files role service on the
  Windows Server 2008 R2 server that is hosting the data.
• You must configure clients either by using Group Policy or the netsh command.

If you want to use BranchCache for caching content from the web server, you must install the
BranchCache feature on the web server. Additional configuration is not needed. If you want to use
BranchCache to cache content from the file server, you must install the BranchCache for Network Files
role service on the file server, configure hash publication for BranchCache, and create BranchCache-enabled
file shares.
BranchCache is supported on a Full Installation of Windows Server 2008 R2 and on Server Core.

Requirements for Distributed Cache and Hosted Cache Modes
In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are
configured to use the Distributed Cache mode, any client computer can search locally for the computer
that has already downloaded and cached the content by using a multicast protocol called WS-Discovery.
In the Distributed Cache mode, content servers in the head office must run Windows Server 2008 R2, and
the clients in the branch must run Windows 7 or Windows Server 2008 R2. You should configure the client
firewall to allow incoming HTTP and WS-Discovery traffic.


In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to
retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital
certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode,
content servers in the head office must run Windows Server 2008 R2. Hosted Cache in the branch must
run Windows Server 2008 R2 and the client in the branch must run Windows 7. You must configure a
firewall to allow incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache
uses the HTTP protocol for data transfer between client computers.
Question: You have a mixed computer environment that includes Windows Vista SP2 and Windows 7
client computers and Windows Server 2003 SP2, Windows Server 2008 SP2, and Windows Server 2008 R2
servers. Your computers are also located in multiple sites. Can you use the BranchCache feature in this
scenario?


Server Configuration for BranchCache

Key Points
You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS, and to cache
shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on
Windows Server 2008 R2.
The following table lists the servers that you can configure for BranchCache.

Server: Web server or BITS server
Description: To configure a Windows Server 2008 R2 web server or an application server that uses the
Background Intelligent Transfer Service (BITS) protocol, you install the BranchCache feature. You must
ensure that the BranchCache service has started. Then, you need to configure clients who will use the
BranchCache feature; no additional configuration of the web server is needed.

Server: File server
Description: The BranchCache for Network Files role service of the File Services server role needs to be
installed before you can enable BranchCache for any file shares. After you install the BranchCache for
Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you need to
configure each individual file share to enable BranchCache. You also need to configure clients who will
use the BranchCache feature.

Server: Hosted Cache server
Description: For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server
2008 R2 server that you are configuring as a Hosted Cache server. To secure communication, client
computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To
support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by
clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk
space on the active partition for hosting cache data. However, you can change this value by using Group
Policy or the netsh command.
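The three server roles in the table set up from PowerShell and the command line on Windows Server 2008 R2, as an added example that is not part of the course. The feature names BranchCache and FS-BranchCache, the registry value behind the Hash Publication for BranchCache policy, the share name Share, the certificate selection and the Hosted Cache application ID are assumptions of this example.

```powershell
# Added example (not part of the course): server-side BranchCache setup on Windows Server 2008 R2.
# Run elevated on the server being configured.
Import-Module ServerManager

# --- Web/BITS content server (and Hosted Cache server): the BranchCache feature ---
Add-WindowsFeature BranchCache                   # assumed feature name as listed by Get-WindowsFeature
Set-Service PeerDistSvc -StartupType Automatic   # the BranchCache service; content hashes need it running
Start-Service PeerDistSvc

# --- File server: the BranchCache for Network Files role service ---
Add-WindowsFeature FS-BranchCache                # assumed feature name of the role service

# Hash publication is a Lanman Server policy. The page sets it through Group Policy; this writes the
# same policy value directly (assumption: HashPublicationForPeerCaching, 2 = only shares on which
# BranchCache is enabled). Limiting publication to flagged shares keeps hash exposure to what you chose.
$lanman = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
if (-not (Test-Path $lanman)) { New-Item -Path $lanman -Force | Out-Null }
Set-ItemProperty -Path $lanman -Name HashPublicationForPeerCaching -Value 2 -Type DWord

# Enable BranchCache on an existing share named Share (assumed). NTFS permissions still decide who may
# read it; BranchCache only changes how authorized clients fetch it.
net share Share /CACHE:BranchCache

# --- Hosted Cache server: clients speak TLS to it, so bind a server-authentication certificate ---
# Assumption: a certificate for this host's FQDN, trusted by the branch clients, is already enrolled.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" } | Select-Object -First 1
if ($cert) {
    # appid is the BranchCache Hosted Cache application ID from Microsoft's deployment guidance (assumption).
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}"
    netsh branchcache set service mode=hostedserver
}

# --- Verify ---
Get-WindowsFeature -Name BranchCache, FS-BranchCache | Where-Object { $_.Installed } | Select-Object Name
netsh branchcache show status all
```

A client that rejects the Hosted Cache certificate (untrusted issuer or name mismatch) falls back to the WAN without any user-visible error, so test the binding from a branch client before rolling the FQDN out by Group Policy.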

Question: How can you enable BranchCache support on a Windows Server 2008 R2 content server?


Client Configuration for BranchCache

Key Points
You do not need to install the BranchCache feature in Windows 7 because BranchCache is already
included in Windows 7. However, BranchCache is disabled by default on client computers. To enable and
configure BranchCache, you need to perform the following steps:
1. Enable BranchCache.
2. Enable the Distributed Cache mode or Hosted Cache mode.
3. Configure the client firewall to allow BranchCache protocols.

Enabling BranchCache
If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache
feature, the BranchCache feature will still be disabled on the client computers. However, you can enable
the BranchCache feature on a client computer without enabling the Distributed Cache mode or the
Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not
attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server.
Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching
mode.

Enabling the Distributed Cache mode or Hosted Cache mode
You can enable the BranchCache feature on client computers either by using group policy or the netsh
command.
To configure BranchCache settings by using group policy, perform the following steps:
1. Open the Group Policy Management console.
2. Browse to Computer Configuration/Policies/Administrative Templates/Network, and then click
   BranchCache.
3. Turn on BranchCache and set either the Distributed Cache or Hosted Cache mode.

To configure BranchCache settings by using the netsh command, perform the following steps:
1. Use the following netsh syntax for the distributed mode.

   netsh branchcache set service mode=distributed

2. Use the following netsh syntax for the hosted mode.

   netsh branchcache set service mode=hostedclient location=<Hosted Cache server>

Configuring the Client Firewall to Allow BranchCache Protocols
In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between
client computers and the WS-Discovery protocol for cached content discovery. You should configure the
client firewall to allow the following incoming rules:
• BranchCache - Content Retrieval (Uses HTTP)
• BranchCache - Peer Discovery (Uses WSD)

In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client
computers, but do not use the WS-Discovery protocol. In the Hosted Cache mode, you should
configure the client firewall to allow the incoming rule BranchCache - Content Retrieval (Uses HTTP).

Additional configuration tasks for BranchCache
After you configure BranchCache, clients can access the cached data from BranchCache-enabled content
servers locally in the branch office, instead of across a slow WAN link. You can modify
BranchCache settings and perform additional configuration tasks, such as:
• Setting the cache size.
• Setting the location of the Hosted Cache server.
• Clearing the cache.
• Creating and replicating a shared key for use in a server cluster.
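The client-side steps above (cache mode, firewall rule groups, cache size, Hosted Cache location and clearing the cache) wrapped in one function that issues the same netsh commands, as an added example that is not part of the course. The firewall rule group names are the page's two rules, the cache-size syntax and the Hosted Cache FQDN NYC-SVR1.contoso.com are assumptions of this example.

```powershell
# Added example (not part of the course): configure a Windows 7 BranchCache client with netsh.
# Run elevated. Values delivered by Group Policy override anything set here, so domain-joined
# clients should normally receive these settings from a GPO; netsh is for standalone or test machines.
function Set-BranchCacheClient {
    param(
        [ValidateSet('distributed', 'hostedclient', 'local')] [string] $Mode = 'distributed',
        [string] $HostedCacheFqdn,     # hostedclient only; must match the name in the server's certificate
        [int]    $CachePercent = 5,    # share of the disk used for the local cache (5 is the default)
        [switch] $ClearCache           # drop cached content, e.g. after a content server was rebuilt
    )
    if ($Mode -eq 'hostedclient') {
        if (-not $HostedCacheFqdn) { throw 'hostedclient mode requires -HostedCacheFqdn' }
        netsh branchcache set service mode=hostedclient location=$HostedCacheFqdn
    } else {
        # 'local' keeps only the on-disk cache: no peer lookups, no Hosted Cache, still shared by
        # all users of this one computer.
        netsh branchcache set service mode=$Mode
    }

    # Cache size as a percentage of the disk (assumed netsh syntax: size=<n> percent=TRUE).
    netsh branchcache set cachesize size=$CachePercent percent=TRUE
    if ($ClearCache) { netsh branchcache flush }

    # Inbound rules: content retrieval (HTTP) is needed in every mode that talks to peers or a
    # Hosted Cache; WS-Discovery multicast is only needed for Distributed Cache, so keep it closed
    # otherwise to avoid listening for peers that should not exist on that network.
    $wsd = if ($Mode -eq 'distributed') { 'yes' } else { 'no' }
    netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=yes
    netsh advfirewall firewall set rule group="BranchCache - Peer Discovery (Uses WSD)" new enable=$wsd
}

# Small office without a server: Distributed Cache mode, defaults otherwise.
Set-BranchCacheClient -Mode distributed

# Office with a Hosted Cache server (FQDN assumed), a larger cache, starting from an empty cache:
# Set-BranchCacheClient -Mode hostedclient -HostedCacheFqdn 'NYC-SVR1.contoso.com' -CachePercent 10 -ClearCache

# Confirm mode, cache location/size and firewall rule state.
netsh branchcache show status all
```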

Question: How can you configure a Windows 7 client computer to benefit from BranchCache?


Demonstration: Configuring BranchCache

Key Points
In this demonstration, you will see how to:
• Enable BranchCache for a file server
• Configure client settings in a GPO

Demonstration Steps:
To configure a file share for BranchCache:
1. Use Server Manager to install the BranchCache for network files role service.
2. Use the Local Group Policy Editor to browse to Computer Configuration\Administrative
   Templates\Network\Lanman Server and enable Hash Publication for BranchCache.
3. In the Properties of a file share, in the Offline Settings, select the Enable BranchCache check box.
4. Use the Local Group Policy Editor to browse to Computer Configuration\Administrative
   Templates\Network\BranchCache and enable the appropriate client settings for your scenario.

Note: If you use Group Policy Management to edit a GPO, the settings for BranchCache will be
prefaced with Policies.

Question: Clients in the remote office and file servers in the head office are configured for BranchCache.
Will the branch office client benefit from BranchCache when accessing a file in the head office for the first
time?


BranchCache Monitoring

Key Points
After the initial configuration, you may want to verify that BranchCache is configured correctly and
functioning properly. You can use the netsh branchcache show status all command to display the
BranchCache service status. On client and Hosted Cache servers, additional information such as the
location of the local cache, the size of the local cache, and the status of the firewall rules for HTTP and
WS-Discovery protocols that BranchCache uses is shown.
You can also use the following tools to monitor BranchCache:
• Event Viewer. You can monitor BranchCache events in Event Viewer. BranchCache has two types of
  event logs, operational and audit. The operational log appears in the Event Viewer at Applications
  and Services Logs\Microsoft\Windows\PeerDist\Operational, and you can view the audit log events in
  the Security log.
• Performance counters. You can monitor BranchCache work and performance by using the
  BranchCache performance monitor counters. BranchCache performance monitor counters are useful
  debugging tools for monitoring BranchCache effectiveness and health. You can also use BranchCache
  performance monitor for determining the bandwidth savings in the Distributed Cache mode or in the
  Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 implemented in the
  environment, you can use BranchCache Management Pack for System Center Operations Manager
  2007.
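The three monitoring sources above (netsh status, the PeerDist operational log, and the performance counters) read from PowerShell on a Windows 7 client or Hosted Cache server, with the bandwidth saving computed from the retrieval counters, as an added example that is not part of the course. The event log channel name, the counter names and the Get-BranchCacheSavings helper are assumptions of this example.

```powershell
# Added example (not part of the course): verify BranchCache and measure what it saves.
# PowerShell 2.0 compatible so it runs on an unmodified Windows 7 client.

# 1. Service state, mode, local cache location/size and firewall rule status in one report.
netsh branchcache show status all
netsh branchcache show localcache

# 2. Recent operational events. Warnings and errors here (for example a Hosted Cache whose
#    certificate the client does not trust) explain a client that quietly fetches everything
#    over the WAN. Channel name assumed from the Event Viewer path on this page.
Get-WinEvent -LogName 'Microsoft-Windows-PeerDist/Operational' -MaxEvents 25 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 3. Bandwidth saving: bytes served from the local cache or peers versus bytes that crossed
#    the WAN. Kept as a pure function so the arithmetic can be applied to any two samples.
function Get-BranchCacheSavings {
    param([double] $BytesFromCache, [double] $BytesFromServer)
    $total = $BytesFromCache + $BytesFromServer
    $pct   = if ($total -gt 0) { [math]::Round(100 * $BytesFromCache / $total, 1) } else { 0 }
    New-Object PSObject -Property @{
        BytesFromCache  = [int64] $BytesFromCache
        BytesFromServer = [int64] $BytesFromServer
        SavedPercent    = $pct     # 0 on a freshly configured client: the first fetch always hits the WAN
    }
}

# Counter names assumed from the 'BranchCache' counter set; list them with:
#   Get-Counter -ListSet BranchCache | Select-Object -ExpandProperty Paths
$samples = (Get-Counter -Counter '\BranchCache\Retrieval: Bytes from cache',
                                 '\BranchCache\Retrieval: Bytes from server').CounterSamples
$fromCache  = ($samples | Where-Object { $_.Path -like '*from cache'  }).CookedValue
$fromServer = ($samples | Where-Object { $_.Path -like '*from server' }).CookedValue
Get-BranchCacheSavings -BytesFromCache $fromCache -BytesFromServer $fromServer
```

The counters are cumulative since the service started, so compare two samples taken before and after a test copy (such as the mspaint.exe copy in Lab B) to attribute a saving to one transfer.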

Question: Which tool should you use for monitoring BranchCache performance and bandwidth savings?


Lab B: Deploying BranchCache

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso


Exercise 1: Configuring BranchCache in Distributed Cache Mode

Scenario
You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote
offices. Many of the remote offices are small and have low speed connectivity to the head office. For the
smallest offices without a server, you are configuring BranchCache in Distributed Cache mode.
NYC-DC1 is the head office file server. NYC-CL1 and NYC-CL2 are the client computers located in a
remote office.
Note: Due to lab constraints, some additional configuration is required to simulate the slow connection
between the clients and the head office server.
The main tasks for this exercise are as follows:
1. Configure NYC-DC1 to use BranchCache.
2. Simulate a slow link to the remote office.
3. Enable a file share for BranchCache.
4. Configure clients to use BranchCache in distributed mode.
5. Configure client firewall rules for BranchCache.
6. Apply BranchCache settings to the clients.
7. Test BranchCache in Distributed Caching mode.

Task 1: Configure NYC-DC1 to use BranchCache.
1. On NYC-DC1, use Server Manager to add the BranchCache for network files role service.
2. Run gpedit.msc to open the Local Group Policy Editor console.
3. In the Local Group Policy Editor console, in Computer Configuration\Administrative
   Templates\Network\Lanman Server, enable Hash Publication for BranchCache only for shared
   folders on which BranchCache is enabled.
4. Leave the Local Group Policy Editor console open for the next task.

Task 2: Simulate a slow link to the remote office.
1. On NYC-DC1, in the Local Group Policy Editor console, in Computer Configuration\Windows
   Settings\Policy-based QoS, create a new policy with the following settings:
   • Policy name: Limit to 100 KBps
   • Outbound Throttle Rate: 100 KBps
   • All other settings as default

Task 3: Enable a file share for BranchCache.
1. On NYC-DC1, use Windows Explorer to browse to C:\.
2. Open the properties of the Share folder.
3. On the Sharing tab, open Advanced Sharing.
4. Click Caching and enable BranchCache.


Task 4: Configure clients to use BranchCache in distributed cache mode.
1. Open the Group Policy Management console in Administrative Tools.
2. In the Group Policy Management console, create a new GPO named BranchCache that is linked to
   Contoso.com.
3. Edit the BranchCache GPO and browse to Computer Configuration\Policies\Administrative
   Templates\Network\BranchCache.
4. To enable BranchCache on all clients, enable the Turn on BranchCache setting.
5. To configure the clients to use BranchCache in distributed mode, enable the Set BranchCache
   Distributed Cache mode setting.
6. To force the client to use BranchCache for all file transfers, enable the Configure BranchCache for
   network files setting and set it to 0 milliseconds. This setting is required to simulate access from a
   remote office and is not typically required.
7. Leave the Group Policy Management Editor open for the next task.

Task 5: Configure client firewall rules for BranchCache.
1. On NYC-DC1, in the Group Policy Management Editor, browse to Computer
   Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced
   Security\Windows Firewall with Advanced Security, and then click Inbound Rules.
2. Create a new predefined inbound rule for BranchCache - Content Retrieval (Uses HTTP).
3. Create a new predefined inbound rule for BranchCache - Peer Discovery (Uses WSD).

Task 6: Apply BranchCache settings to the clients.
1. Start 6419B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the
   password of Pa$$w0rd.
2. On NYC-CL1, open a command prompt.
3. To force updating of Group Policy objects, type the following code and then press ENTER.

   gpupdate /force

4. To verify that BranchCache is enabled and properly configured, type the following code and then
   press ENTER.

   netsh branchcache show status all

5. Restart NYC-CL1. After the computer restarts, log on as Contoso\Administrator with the password
   of Pa$$w0rd.
6. Open the Performance administrative tool and remove all existing counters from Performance
   Monitor.
7. Add all of the BranchCache counters to Performance Monitor.
8. Change Performance Monitor to Report view.
9. Start 6419B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the
   password of Pa$$w0rd.
10. On NYC-CL2, open a command prompt.
11. To force updating of Group Policy objects, type the following code and then press ENTER.

   gpupdate /force

12. To verify that BranchCache is enabled and properly configured, type the following code and then
    press ENTER.

   netsh branchcache show status all

13. Restart NYC-CL2. After the computer restarts, log on as Contoso\Administrator with the password
    of Pa$$w0rd.
14. Open the Performance administrative tool and remove all existing counters from Performance
    Monitor.
15. Add all of the BranchCache counters to Performance Monitor.
16. Change Performance Monitor to Report view.

Task 7: Test BranchCache in distributed caching mode.

1. On NYC-CL1, browse to \\NYC-DC1.contoso.com\Share.
2. Copy mspaint.exe from the share on NYC-DC1 to the desktop of NYC-CL1.
3. Review the performance statistics in Performance Monitor. Notice that the file is downloaded from
the server.
4. To verify that there is now content in the cache, type the following code and press ENTER.

netsh branchcache show status all

5. On NYC-CL2, browse to \\NYC-DC1.contoso.com\Share.
6. Copy mspaint.exe from the share on NYC-DC1 to the desktop of NYC-CL2.
7. Review the performance statistics in Performance Monitor. Notice that the file is downloaded from
the cache.
8. To view the BranchCache statistics, type the following code and then press ENTER.

netsh branchcache show status all

Results: In this exercise, you configured BranchCache in the Distributed Cache mode and verified that it
is functional.


Exercise 2: Configuring BranchCache in Hosted Cache Mode (Optional)

Scenario
You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote
offices. Many of the remote offices are small and have low speed connectivity to the head office. For the
remote offices with a server, you are configuring BranchCache in Hosted Cache mode.
NYC-DC1 is the head office file server. NYC-CL1 and NYC-CL2 are the client computers located in the
branch office. NYC-SVR1 is the BranchCache hosted cache server in the remote office.
The main tasks for this exercise are as follows:
1. Configure clients to use BranchCache in hosted cache mode.
2. Install the BranchCache feature on NYC-SVR1.
3. Request a certificate and link it to BranchCache.
4. Start the BranchCache host server.
5. Configure Performance Monitor on NYC-SVR1.
6. Clear BranchCache data and performance statistics on NYC-CL1.
7. Clear BranchCache data and performance statistics on NYC-CL2.
8. Test BranchCache in Hosted Caching mode.

Task 1: Configure clients to use BranchCache in hosted cache mode.

1. On NYC-DC1, open the Group Policy Management administrative tool.
2. Edit the BranchCache GPO that is linked to Contoso.com.
3. Browse to Computer Configuration\Policies\Administrative Templates\Network\BranchCache.
4. Set the Set BranchCache Distributed Cache mode setting to Not Configured.
5. Enable the Set BranchCache Hosted Cache mode setting and configure NYC-SVR1.contoso.com as
the hosted cache.
6. On NYC-CL1, open a command prompt, type the following code, and then press ENTER.

gpupdate /force

7. To verify the configuration, type the following code, and then press ENTER.

netsh branchcache show status all

8. On NYC-CL2, open a command prompt, type the following code, and then press ENTER.

gpupdate /force

9. To verify the configuration, type the following code, and then press ENTER.

netsh branchcache show status all

Task 2: Install the BranchCache feature on NYC-SVR1.

1. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the
password of Pa$$w0rd.
2. On NYC-SVR1, use Server Manager to add the BranchCache feature.

Task 3: Request a certificate and link it to BranchCache.

1. On NYC-SVR1, open a blank Microsoft Management Console and add the Certificates snap-in for
the Computer Account.
2. At the Personal node in the Certificates snap-in, request a new Computer certificate.
3. In the Personal node of the Certificates snap-in, open the new certificate.
4. On the Details tab, identify the Thumbprint and copy the value to the clipboard.
5. Open a command prompt.
6. Type the following code and then press ENTER. Replace certificatehashvalue with the thumbprint you
copied from the certificate; you can paste it, but you must remove the spaces.

netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

7. To verify the configuration, type the following code, and then press ENTER.

netsh branchcache show status all
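The certificate binding in steps 4 to 7 can be scripted so that the thumbprint is taken from the certificate store instead of the clipboard, and so that the certificate is checked for the properties clients will validate before it is bound. The following PowerShell is an added example and is not part of the 6419B lab. It assumes an elevated session on the hosted cache server (NYC-SVR1 in this lab), that the certificate was requested into the computer's Personal store (Cert:\LocalMachine\My) with the server's FQDN in its subject, and that the appid is the BranchCache value shown in step 6; the parameter names are the example's own.

```powershell
# Added example, not part of the 6419B lab: bind the hosted cache server's computer
# certificate to port 443 for BranchCache and verify the binding.
# Assumptions: elevated PowerShell on the hosted cache server (NYC-SVR1 in this lab);
# the certificate is in Cert:\LocalMachine\My with the FQDN in its subject; the appid
# is the BranchCache value used in the lab step above.
param(
    [string]$HostedCacheFqdn = 'NYC-SVR1.contoso.com',
    [string]$IpPort          = '0.0.0.0:443'
)
$appId            = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
$serverAuthEkuOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Select the newest unexpired certificate that names the hosted cache server, has a
# private key, and carries the Server Authentication EKU. Clients validate this
# certificate when they contact the hosted cache over HTTPS, so an expired or
# wrong-purpose certificate silently breaks hosted cache mode.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -match [regex]::Escape($HostedCacheFqdn) -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthEkuOid })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable Server Authentication certificate for $HostedCacheFqdn in Cert:\LocalMachine\My."
}

# The Thumbprint property is already the hash without spaces; the Details tab in the
# Certificates snap-in displays it with spaces, which is why the lab says to remove them.
$certHash = $cert.Thumbprint -replace '\s', ''

# Replace any stale binding on the port, then bind the certificate.
$existing = netsh http show sslcert ipport=$IpPort
if ($existing -match 'Certificate Hash') {
    netsh http delete sslcert ipport=$IpPort | Out-Null
}
netsh http add sslcert ipport=$IpPort certhash=$certHash appid=$appId

# Verify: the binding listed for the port must carry our hash (netsh returns text).
$binding = netsh http show sslcert ipport=$IpPort
if (-not ($binding -match $certHash)) {
    throw "SSL binding for $IpPort was not created."
}
"Bound certificate $certHash (expires $($cert.NotAfter)) to $IpPort for BranchCache."
netsh branchcache show status all
```

The EKU and expiry checks matter because the clients, not the server, decide whether the hosted cache is trustworthy: the issuing CA must be trusted by the branch office clients (the enterprise CA in this lab is, through Active Directory), and a certificate that lacks Server Authentication or has expired causes clients to fall back to fetching content from the head office with no error on the server side.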

Task 4: Start the BranchCache Host Server.

1. On NYC-DC1, open Active Directory Users and Computers.
2. In Contoso.com, create a new OU named BranchCacheHost.
3. Move the computer account for NYC-SVR1 into the BranchCacheHost OU.
4. Open the Group Policy Management administrative tool.
5. Block inheritance to the BranchCacheHost OU.
6. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd.
7. To enable NYC-SVR1 as a BranchCache Hosted Cache server, open a command prompt, type the
following code, and then press ENTER.

netsh branchcache set service hostedserver

Task 5: Configure Performance Monitor on NYC-SVR1.

1. On NYC-SVR1, open the Performance administrative tool and remove all existing counters from
Performance Monitor.
2. Add all of the BranchCache counters to Performance Monitor.
3. Change Performance Monitor to Report view.

Task 6: Clear BranchCache data and performance statistics on NYC-CL1.

1. On NYC-CL1, open a command prompt.
2. To clear the BranchCache data, at the command prompt, type the following code, and then press
ENTER.

netsh branchcache flush

3. To clear the BranchCache performance statistics, stop and start the BranchCache service.
4. From the Start menu, open Manage offline files.
5. Delete temporary files from the Disk Usage tab.
6. Open the Performance administrative tool and remove all existing counters from Performance
Monitor.
7. Add all of the BranchCache counters to Performance Monitor.
8. Change Performance Monitor to Report view.

Task 7: Clear BranchCache data and performance statistics on NYC-CL2.

1. On NYC-CL2, open a command prompt.
2. To clear the BranchCache data, at the command prompt, type the following code, and then press
ENTER.

netsh branchcache flush

3. To clear the BranchCache performance statistics, stop and start the BranchCache service.
4. From the Start menu, open Manage offline files.
5. Delete temporary files from the Disk Usage tab.
6. Open the Performance administrative tool and remove all existing counters from Performance
Monitor.
7. Add all of the BranchCache counters to Performance Monitor.
8. Change Performance Monitor to Report view.

Task 8: Test BranchCache in hosted caching mode.

1. On NYC-CL1, browse to \\NYC-DC1.contoso.com\Share.
2. Copy mspaint.exe to the desktop.
3. Read the performance statistics on NYC-CL1. The file was retrieved from NYC-DC1 (Retrieval:
Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval:
Bytes Served).
4. On NYC-CL2, browse to \\NYC-DC1.contoso.com\Share.
5. Copy mspaint.exe to the desktop.
6. Read the performance statistics on NYC-CL2. The file was obtained from the hosted cache (Retrieval:
Bytes from Cache).
7. Read the performance statistics on NYC-SVR1. The server has offered cached data to clients (Hosted
Cache: Client file segment offers made).
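Both the distributed cache test (Exercise 1, Task 7) and the hosted cache test above rely on reading the same BranchCache counters before and after a copy. The following PowerShell does that reading for you, so the answer to "did this copy come from the server or from the cache?" is a number rather than a glance at Report view. It is an added example and not part of the 6419B lab. It assumes the performance counter set is named BranchCache and that its counters carry the names the lab refers to (Retrieval: Bytes from Server, Retrieval: Bytes from Cache, Retrieval: Bytes Served, Hosted Cache: Client file segment offers made); the share path and file are the lab's, and the parameter and function names are the example's own.

```powershell
# Added example, not part of the 6419B lab: copy a file from the head office share and
# report, from the BranchCache performance counters, where its bytes came from.
# Assumptions: counter set "BranchCache" with the counter names the lab uses; the
# lab's share path; run on a client (NYC-CL1/NYC-CL2) after Group Policy has applied,
# or with -HostedCacheServer on NYC-SVR1 to read the server-side counter.
param(
    [string]$Source      = '\\NYC-DC1.contoso.com\Share\mspaint.exe',
    [string]$Destination = "$env:USERPROFILE\Desktop",
    [switch]$HostedCacheServer
)

$clientCounters = @(
    '\BranchCache\Retrieval: Bytes from Server',
    '\BranchCache\Retrieval: Bytes from Cache',
    '\BranchCache\Retrieval: Bytes Served'
)
$serverCounters = @('\BranchCache\Hosted Cache: Client file segment offers made')

function Get-BranchCacheSnapshot {
    param([string[]]$Counters)
    $snapshot = @{}
    (Get-Counter -Counter $Counters -ErrorAction Stop).CounterSamples | ForEach-Object {
        # Path is \\host\branchcache\<counter name>; key on the counter name only.
        $name = ($_.Path -split '\\')[-1]
        $snapshot[$name] = [double]$_.CookedValue
    }
    return $snapshot
}

function Show-CounterDelta {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($name in ($After.Keys | Sort-Object)) {
        $delta = $After[$name] - $Before[$name]
        '{0,-45} {1,14:N0}' -f $name, $delta
    }
}

if ($HostedCacheServer) {
    # On the hosted cache server there is nothing to copy; just show offers made so far.
    Get-Counter -Counter $serverCounters | Select-Object -ExpandProperty CounterSamples |
        Format-Table Path, CookedValue -AutoSize
    return
}

$before = Get-BranchCacheSnapshot -Counters $clientCounters
Copy-Item -Path $Source -Destination $Destination -Force
Start-Sleep -Seconds 5                  # give the client time to hash and offer segments
$after  = Get-BranchCacheSnapshot -Counters $clientCounters

Show-CounterDelta -Before $before -After $after

# Hashtable keys are case-insensitive, so the lowercase counter names returned by
# Get-Counter match the names used here.
$fromServer = $after['retrieval: bytes from server'] - $before['retrieval: bytes from server']
$fromCache  = $after['retrieval: bytes from cache']  - $before['retrieval: bytes from cache']
if ($fromCache -gt $fromServer) {
    'Most of the content was retrieved from the BranchCache cache (peer or hosted cache).'
} else {
    'Most of the content came from the head office server; a second client in the office should now get it from cache.'
}
```

Run it first on NYC-CL1 and expect the growth in Retrieval: Bytes from Server, then on NYC-CL2 and expect Retrieval: Bytes from Cache to grow instead; the -HostedCacheServer switch on NYC-SVR1 shows the offers counter from step 7. Counting bytes rather than eyeballing Report view also gives you something to record as evidence when the remote office reports that "BranchCache is not working".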

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-CL1 and 6419B-NYC-CL2.


Module Review and Takeaways

Review Questions
1. What is the benefit of implementing an RODC at a branch office?
2. How does BranchCache differ from Distributed File System (DFS)?
3. Why would you want to implement BranchCache in hosted cache mode rather than distributed cache
mode?

Real-World Issues and Scenarios

1. Your organization has just created a remote office with four users and no server. Users are
complaining that access to files in the head office is very slow. How can you speed up access to files
for users in the remote office?
2. Your organization has just created a remote office with 15 users. This office has a local file server. The
users are complaining that their logon process is very slow. How can you speed up the authentication
process for users in the remote office?
3. Your organization has just created a remote office with 15 users. This office has a local domain
controller that does not have a secure storage location. An application run in the remote office
modifies Active Directory Domain Services data. How can you ensure that the Active Directory
Domain Services data is secure?

Best Practices Related to RODC Password Caching

Supplement or modify the following best practices for your own work situations:

Do not cache passwords for Domain Admins and other sensitive accounts on an RODC.

Use the option to display accounts that have been authenticated to an RODC to identify potential
accounts that should be cached on the RODC.

Review the list of accounts whose passwords are stored on an RODC and verify that sensitive
accounts are not being cached.

Remember to cache the passwords of computer accounts in remote offices.

Use the Resultant Policy tab to verify whether the password for a particular user can be cached on an RODC.
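The review of accounts whose passwords are stored on an RODC is worth automating, because the list changes every time a new user authenticates at the branch. The following PowerShell is an added example, not part of the course text: it reads the "revealed" list with repadmin and flags any account that is a direct member of a sensitive group. It assumes the AD DS tools (repadmin.exe) are installed, that the session can read group membership over LDAP, that RODC-NAME is a placeholder for the RODC's host name, and that the group list is a starting point to be extended for your environment; the parameter names are the example's own.

```powershell
# Added example, not part of the course text: list the accounts whose passwords an RODC
# currently stores and flag any that belong to sensitive groups.
# Assumptions: repadmin.exe is available; LDAP read access to the accounts; $Rodc is a
# placeholder to replace; $SensitiveGroups is a starting list to extend.
param(
    [string]$Rodc = 'RODC-NAME',   # placeholder, replace with your RODC's host name
    [string[]]$SensitiveGroups = @(
        'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
        'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
    )
)

# "repadmin /prp view <RODC> reveal" prints the distinguished names of the accounts whose
# secrets have been replicated to the RODC (the list the best practice above asks you to review).
$revealed = repadmin /prp view $Rodc reveal |
    Where-Object { $_ -match '^\s*CN=' } |
    ForEach-Object { $_.Trim() }

$report = foreach ($dn in $revealed) {
    $obj = [ADSI]"LDAP://$dn"
    # memberOf lists direct group memberships only; nested membership is not expanded here.
    $groups = @($obj.memberOf) | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' }
    $hits   = @($groups | Where-Object { $SensitiveGroups -contains $_ })
    New-Object PSObject -Property @{
        Account         = $dn
        ObjectClass     = (@($obj.objectClass))[-1]   # most specific class: 'user' or 'computer'
        SensitiveGroups = ($hits -join '; ')
        Flag            = ($hits.Count -gt 0)
    }
}

# Computer accounts from the branch are expected here (the best practices say to cache them);
# flagged user accounts are not.
$report | Sort-Object Flag -Descending |
    Format-Table Flag, ObjectClass, SensitiveGroups, Account -AutoSize

$flagged = @($report | Where-Object { $_.Flag })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} sensitive account(s) have passwords cached on {1}; review the Password Replication Policy for this RODC." -f $flagged.Count, $Rodc)
}
```

Because the check looks at direct membership only, an account that reaches Domain Admins through a nested group will not be flagged; for a thorough audit, expand nested membership (for example from the account's tokenGroups attribute) before comparing against the sensitive list.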

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: BranchCache
Description: A new feature in Windows Server 2008 R2 and Windows 7 that reduces WAN link utilization
for remote offices. In some cases, it can also improve application performance for remote office users that
access data in the head office. It can be configured in Distributed Cache Mode or Hosted Cache Mode.

Monitoring and Maintaining Windows Server 2008

Module 13
Monitoring and Maintaining Windows Server 2008
Contents:

Lesson 1: Planning Monitoring Tasks 13-3
Lesson 2: Calculating a Server Baseline 13-9
Lesson 3: Interpreting Performance Counters 13-18
Lesson 4: Selecting Appropriate Monitoring Tools 13-26
Lab: Creating a Baseline of Performance Metrics 13-33


Module Overview

When a system failure or an event that affects system performance occurs, you need to be able to repair
the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the
modern network environment, the ability to determine the root cause quickly often depends on having an
effective performance monitoring methodology and toolset.
Performance-monitoring tools are used to identify components that require additional tuning and
troubleshooting. By identifying components that require additional tuning, you can improve the efficiency
of your servers.

Objectives
After completing this module, you will be able to:

Plan monitoring tasks.

Calculate server baselines.

Interpret performance counters.

Select appropriate monitoring tools.


Lesson 1

Planning Monitoring Tasks

Monitoring your server environment provides many benefits. You will be able to identify potential issues
before they escalate and affect the users in your organization. You will be able to provide performance
and reliability reports by using historical statistics from your environment when requested. You will also be
able to assess the performance status of your environment at any given time, whether or not a specific
issue is occurring. These benefits come from a well-planned and tested monitoring environment. If your
monitoring environment is not properly planned and tested, the act of monitoring performance itself can
cause potential issues in your environment.
This lesson will introduce you to the details involved with planning monitoring tasks and how you can
ensure that your monitoring environment is accurate, stable, and effective.

Objectives
After completing this lesson, you will be able to:

Describe the reasons for monitoring.

Identify the types of monitoring.

Describe the considerations for planning for event monitoring.


Reasons for Monitoring Windows Servers

Key Points
Monitoring servers provides a number of benefits, and there are a number of different reasons you might
monitor a Windows server.

Information Technology (IT) Infrastructure Health


The effective operation of your server infrastructure is often critical to your organization's business goals.
Properly functioning and configured hardware, and adequate use and assignment of resources play an
important part in maintaining the consistency of server operation.
By using performance-monitoring tools, you can record performance statistics that allow you to
determine when a server is really slower at responding to user requests, rather than relying on user
perception of "slow" and "fast" response times. You can use these statistics to determine which
component or components of your server infrastructure may be the source of performance-related issues.

Service Level Agreement Monitoring


Many organizations maintain service level agreements (SLAs) that dictate the required availability for
servers and server-hosted applications. These SLAs may contain stipulations regarding server availability
(NYC-DC1 must be available 99.995% of business hours) or they may specify performance-related
requirements (the average query time for this database server must be less than five seconds for any given
day).
In many cases, violation of a service level agreement results in a reduction of payment for services or
similar penalties. As a result, you want to ensure that the SLAs imposed upon your environment are met
on a continuing basis.
Performance monitoring tools can be used to monitor the specific areas related to your SLAs and help
you identify issues that could affect your SLA before they become a problem.


Planning for Future Requirements


The business and technical needs of your organization are subject to change. New initiatives may require
new servers to host new applications or increased storage within your environment.
Monitoring these areas over a period of time allows you to effectively assess how your server resources
are currently being utilized. Then, you can make an informed decision on how your server environment
needs to grow or otherwise change to meet future requirements.

Identifying Issues
Troubleshooting problems that arise in your server environment can be a tedious and potentially
frustrating task. Issues that affect your users need to be resolved as quickly as possible and with minimal
impact on the business needs of your organization.
Troubleshooting an issue based solely on symptoms provided by users or anecdotal evidence often leads
to misdiagnosed causes and wasted time and resources. Monitoring your server environment allows you
to take a more informed and proactive approach to troubleshooting. When you have an effective
monitoring solution implemented, you can identify issues within your infrastructure before they cause a
problem for your end users. You can also have more concrete evidence of reported issues and narrow
down the cause of problems, saving you investigative time.
Question: Can you list four troubleshooting procedures that would benefit from server monitoring?


Types of Monitoring

Key Points
You should select the most appropriate tool to suit the type of monitoring that is required.
There are different methods that you can use to collect performance data from servers in your
organization. You should use each of these methods to suit your requirements.

Historical Data
Reviewing collected or historical data can be useful for tracking trends over time, determining when to
relocate resources, and deciding when to invest in new hardware to meet the changing requirements of
your business.
Historical data may be in the form of Windows event logs or performance data collected over a period of
time and retained for reference.
You should use historical performance data to assist you when you plan future server requirements.
Historical data is also useful for establishing a baseline for your server's performance, which allows you to
make accurate assessments of server performance when performing real-time monitoring.

Real Time Data


Real-time or interactive monitoring of systems is useful when you want to determine the effect of
performing a specific action on a server or if you need to troubleshoot specific events.
Real-time monitoring allows you to assess your infrastructure and gain insight into what is happening on
your servers currently. Real-time monitoring can be used to identify an issue with a malfunctioning
application or failing hardware component. This type of monitoring can also help you to ensure that you
are meeting SLAs at any given point in time.
Several tools are available to assist you in monitoring your server environment, both historical and real
time. The following is a list of tools to assist you in monitoring your server environment.


Tool: Event Viewer
Description: Event Viewer collects information that relates to server operations. This data can help to
identify performance issues on a server. You should search for specific events in the event log file to
locate and identify problems.

Tool: Task Manager
Description: Task Manager allows you to monitor the real-time aspects of your server. You can view
information related to hardware performance, and the applications and processes that are currently
running on your server.

Tool: Resource Monitor
Description: Resource Monitor allows you to look deeper into the real-time performance of your server. It
provides performance information related to the CPU, memory, hard disk, and network components of
your server.

Tool: Performance Monitor
Description: Performance Monitor is the most robust monitoring tool in Windows Server 2008. It allows for
both real-time and historical monitoring of your server's performance and configuration data.

Tool: Reliability Monitor
Description: Reliability Monitor provides a historical view of your server's reliability-related information,
such as event log errors and warnings.


Planning for Event Monitoring

Key Points
Planning for event monitoring means ensuring that your monitoring activities meet your technical needs
and do not interfere with your organization's business requirements.
You should ensure that your systems are cost-effective for your organization. Your business may achieve
staff reductions through improved management that is realized by efficient event monitoring. You can
prevent service and system outages by ensuring that resources retain enough capacity to meet SLAs.
You should consider the cost that monitoring events incurs. The cost that is incurred to monitor systems is
an investment in ensuring that your systems continue to run effectively and efficiently. You can measure
costs by using several metrics, including:

Time allocated to personnel to perform monitoring tasks.

Money invested in monitoring systems.

By using automated systems, you can monitor servers proactively and possibly reduce the overall number
of staff required to perform monitoring.
By providing a monitoring environment for your server infrastructure to respond automatically to events,
you create an environment that allows you to be flexible and dynamic in your response to issues related
to your servers. Windows Server 2008 enables dynamic system responses through many of the included
tools to automatically respond to events with actions like sending e-mail messages, recording an event in
the event log, or running a custom command or management task.


Lesson 2

Calculating a Server Baseline

Calculating performance baselines for your server environment allows you to more accurately interpret
real-time monitoring information. A baseline for your server's performance tells you what the
performance monitoring statistics look like under normal use. A baseline is established by monitoring
performance statistics over a period of time. When an issue or symptom occurs in real time, you can
compare your real-time statistics to your baseline statistics and identify any anomalies.
This lesson discusses some of the key server components to measure. You will learn how to use analysis
and planning techniques from collected performance metrics to improve your server infrastructure.

Objectives
After completing this lesson, you will be able to:

Describe strategies for tuning and testing performance.

Identify performance bottlenecks.

Describe common performance metrics to monitor.

Describe the reasons for analyzing performance trends.

Describe the reasons to plan for future capacity requirements.
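The baseline idea described in this lesson's introduction (record what "normal" looks like, then compare a live sample to it) can be put into practice with the Get-Counter cmdlet. The following PowerShell is an added example and not part of the course: it samples a small set of standard Windows counters, keeps the mean and standard deviation per counter, and scores a later live sample in sigma units so that anomalies stand out. It assumes the listed counter paths exist on the server (they are the standard Processor, Memory, PhysicalDisk and Network Interface counters); the sampling interval and count are illustrative, and the function names are the example's own.

```powershell
# Added example, not part of the course text: collect a performance baseline with
# Get-Counter, summarise it, and score a later live sample against it.
# Assumptions: the counter paths below exist on the server; the interval and sample
# count are illustrative (a real baseline spans normal business hours over several days).
$baselineCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

function Get-ServerBaseline {
    param([int]$IntervalSeconds = 15, [int]$Samples = 240)   # 240 x 15 s = one hour
    $data = Get-Counter -Counter $baselineCounters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $data.CounterSamples | Group-Object Path | ForEach-Object {
        $values = @($_.Group | ForEach-Object { [double]$_.CookedValue })
        $mean   = ($values | Measure-Object -Average).Average
        # Population standard deviation, so a later sample can be scored in sigma units.
        $var    = ($values | ForEach-Object { [math]::Pow($_ - $mean, 2) } | Measure-Object -Sum).Sum / $values.Count
        New-Object PSObject -Property @{
            Path   = $_.Name
            Mean   = $mean
            StdDev = [math]::Sqrt($var)
            Min    = ($values | Measure-Object -Minimum).Minimum
            Max    = ($values | Measure-Object -Maximum).Maximum
        }
    }
}

function Compare-ToBaseline {
    param([object[]]$Baseline, [double]$Sigma = 2.0)
    $live = (Get-Counter -Counter $baselineCounters).CounterSamples
    foreach ($sample in $live) {
        $b = $Baseline | Where-Object { $_.Path -eq $sample.Path }
        if (-not $b) { continue }
        # Values round-trip through CSV as strings, so cast before doing arithmetic.
        $mean = [double]$b.Mean
        $sd   = [double]$b.StdDev
        $z = if ($sd -gt 0) { ([double]$sample.CookedValue - $mean) / $sd } else { 0.0 }
        New-Object PSObject -Property @{
            Path    = $sample.Path
            Live    = [math]::Round($sample.CookedValue, 2)
            Mean    = [math]::Round($mean, 2)
            Sigma   = [math]::Round($z, 2)
            Anomaly = ([math]::Abs($z) -gt $Sigma)
        }
    }
}

# Usage: build the baseline once and keep it; compare against it when a problem is reported.
# $baseline = Get-ServerBaseline -IntervalSeconds 5 -Samples 12
# $baseline | Export-Csv -Path C:\Perf\baseline.csv -NoTypeInformation
# Compare-ToBaseline -Baseline (Import-Csv C:\Perf\baseline.csv) |
#     Format-Table Anomaly, Sigma, Live, Mean, Path -AutoSize
```

Keep the baseline file with the server's change records: a baseline taken before a configuration change is what lets you say whether the change, rather than the workload, moved a counter. A counter with very little variance in the baseline will flag on small movements, so treat the Sigma column as a prompt to look, not as a verdict.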


Strategies for Tuning and Testing Performance

Key Points
Tuning and testing server performance is critical to the effective operation of your server environment.
Done correctly, tuning and testing performance can identify and remove potential hardware-related
issues, ensure your server is using its resources effectively, and provide you with information you can use
to prevent performance-related issues from affecting your server's performance.
Insufficient memory is a common cause of serious performance problems in computer systems. If you
suspect other problems, check memory counters to rule out a memory shortage. Poor response time on a
workstation is most likely to result from memory and processor problems; servers are more susceptible to
disk and network problems.
Before you start tuning, consider the following recommendations:

Make one change at a time. In some cases, a problem that appears to relate to a single component
might be the result of bottlenecks involving multiple components. For this reason, it is important to
resolve problems individually.
Making multiple changes simultaneously may make it impossible to assess the impact of each
individual change.

Repeat monitoring after every change. This is important for understanding the effect of the change
and to determine whether additional changes are required. Proceed methodically, making one
change to the identified resource at a time and then testing the effects of the changes on
performance. Because tuning changes can affect other resources, it is important to keep records of
the changes you make and to review after you make a change.

In addition to monitoring, review event logs, because some performance problems generate output
that you can display in Event Viewer.

To see whether network components are playing a part in performance problems, compare the
performance of programs that run over the network with locally run programs.

Monitoring and Maintaining Windows Server 2008


Identifying Performance Bottlenecks

Key Points
Analysis of your monitoring data can reveal problems such as excessive demand on certain hardware
resources resulting in bottlenecks.

Causes of Bottlenecks
Demand may become extreme enough to cause resource bottlenecks for the following reasons:

Resources are insufficient, and additional or upgraded components are required.

Resources are not sharing workloads evenly and need to be balanced.

A resource is malfunctioning and needs to be replaced.

A program is monopolizing a particular resource; this might require substituting another program,
having a developer rewrite the program, adding or upgrading resources, or running the program
during periods of low demand.

A resource is incorrectly configured and configuration settings need to be changed.

By monitoring the basic hardware components of your servers, you can determine the most likely
bottleneck that is affecting the performance of your servers. By adding additional capacity to
components, you can tune servers to overcome initial limitations. The following table lists suggestions for
improving performance on various types of hardware.
Hardware: Processors
Suggestions: You may be able to overcome performance bottlenecks that occur with processors by:
o Adding processors.
o Increasing the speed of processors.
o Reducing or controlling processor affinity, or the number of processor cores an application uses.
Limiting an application to only some of the processor cores frees the remaining cores for other
applications to use.

Hardware: Disks
Suggestions: You may be able to increase disk performance by:
o Adding faster disks.
o Performing routine maintenance tasks such as defragmenting.
o Moving data, applications, and the page files onto separate disks.

Hardware: Memory
Suggestions: You can improve memory bottlenecks by adding additional physical memory. If the amount
of memory requested exceeds the physical memory, information will be written to virtual memory, which
is slower than physical memory.
However, increasing a computer's virtual memory can allow applications that consume a large amount of
memory to run on a computer with limited physical memory.
Alternatively, you can reduce the load on the server by reducing the number of users on the server or
through application tuning.

Hardware: Networks
Suggestions: You can reduce network bottlenecks by:
o Upgrading network infrastructure, including network adapters, to support higher network bandwidth
(100 Mbps to 1 Gbps, for example).
o Installing multiple network adapters in a server to distribute network load.
o Reducing the amount of traffic.
You should consider the limitations of network bandwidth and segment networks where appropriate. You
can increase network throughput by tuning your network adapter and other network devices such as
switches, firewalls, and routers.
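The processor row above suggests limiting an application to some of the processor cores. The following PowerShell is an added example, not part of the course material: it builds the affinity mask for a list of cores, applies it to a process, and decodes the mask the operating system reports back so the change can be verified. It assumes an elevated session, PowerShell 2.0 or later, and a process name ("notepad" in the usage line) that is only a placeholder.

```powershell
# Added example, not from the course: limit a process to a subset of the
# processor cores (the "processor affinity" suggestion in the table) and decode
# the resulting mask so the change can be verified. Assumptions: an elevated
# session, PowerShell 2.0 or later, and a placeholder process name ("notepad").

function ConvertTo-AffinityMask {
    # Bit n of the mask set means the process may be scheduled on logical processor n.
    param([Parameter(Mandatory=$true)] [int[]] $Cores)   # zero-based indexes
    $count = [Environment]::ProcessorCount
    [int64] $mask = 0
    foreach ($c in $Cores) {
        if ($c -lt 0 -or $c -ge $count) {
            throw "Core $c is out of range; this computer has $count logical processors."
        }
        # Build the bit from a binary string so that bit 63 works without overflow.
        $mask = $mask -bor [Convert]::ToInt64('1' + ('0' * $c), 2)
    }
    return $mask
}

function ConvertFrom-AffinityMask {
    # Inverse of the above: list the cores a mask allows.
    param([Parameter(Mandatory=$true)] [int64] $Mask)
    $cores = @()
    for ($c = 0; $c -lt 64; $c++) {
        if (($Mask -band [Convert]::ToInt64('1' + ('0' * $c), 2)) -ne 0) { $cores += $c }
    }
    return $cores
}

function Set-ProcessCoreLimit {
    param(
        [Parameter(Mandatory=$true)] [string] $ProcessName,
        [Parameter(Mandatory=$true)] [int[]]  $Cores
    )
    $mask = ConvertTo-AffinityMask -Cores $Cores
    foreach ($p in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
        $p.ProcessorAffinity = [IntPtr] $mask
        $p.Refresh()   # re-read the process so the reported value is what the OS applied
        New-Object PSObject -Property @{
            Process = $p.Name
            Id      = $p.Id
            Mask    = ('0x{0:X}' -f $mask)
            Cores   = (ConvertFrom-AffinityMask -Mask $p.ProcessorAffinity.ToInt64()) -join ','
        }
    }
}

# Usage (placeholder process): keep notepad on cores 0 and 1, leaving the rest free.
Set-ProcessCoreLimit -ProcessName notepad -Cores 0, 1 |
    Format-Table Process, Id, Mask, Cores -AutoSize
```

The mask is a plain bit field, so a limit of cores 0 and 1 is 0x3; reading the affinity back after setting it is the check that the operating system accepted the value. The setting applies only to the running process and is not inherited by a later start of the same program, which is why the table pairs it with the other, permanent options.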


Common Performance Metrics

Key Points
You should familiarize yourself with basic performance measurement objects and counters used to
monitor the main hardware components.
There are a large number of measurement objects available within Performance Monitor that relate to all
aspects of the hardware, operating system, and installed applications on a server.
The following table lists some common performance metrics to measure:
Object: Cache
Description: File system cache. The cache is an area of physical memory that is used to store recently
used data to permit access to the data without having to read from the disk.

Object: Memory
Description: Physical, random access memory (RAM) counters. Virtual memory, RAM, and disk counters.
Includes paging, which is the movement of pages of code and data between the disk and physical
memory.

Object: Objects
Description: Logical objects in the system, including threads and processes.

Object: Paging File
Description: Reserved space on the disk that complements committed physical memory.

Object: Physical Disk
Description: Hard disk or fixed drives as the computer sees them (hardware RAID may not be visible to
these counters).

Object: Process
Description: Running applications and system processes. All the threads in a process share the same
address space and have access to the same data.

Object: Processor
Description: Aspects of processor activity. Each processor is represented as an instance of the object.

Object: Server
Description: Communication between the local computer and network.

Object: System
Description: Counters that apply to more than one instance of component processes on the computer.

Object: Thread
Description: Counters that measure aspects of thread behavior. A thread is the basic object that runs
instructions on a processor. All running processes have at least one thread.


What Is a Performance Trend?

Key Points
You should give careful consideration to the value of performance data to ensure that it reflects the real
server environment.
You should consider performance analysis alongside business or technology growth and upgrade plans. It
may be possible to reduce the number of servers in operation after you have measured performance and
assessed the required environment.
By analyzing performance trends, you can predict when existing capacity is likely to be exhausted. You
should review historical analysis with consideration to your business and use this to determine when
additional capacity is required. Some peaks are associated with one-time activities such as very large
orders. Other peaks occur on a regular basis, such as a monthly payroll, and these peaks may require
increased capacity to meet increasing numbers of employees.
Planning for future server capacity is a requirement for all organizations. Business planning often requires
additional server capacity to meet targets. By aligning your IT strategy with the strategy of the business,
you can support the business objectives.
You should plan the server capacity to maximize the use of available space, power, and cooling. In many
situations, the applications on a single physical server may not be consuming a significant amount of
server resources. The underutilization of these resources means that your server environment is not
operating as efficiently as it could. In this case, you should consider virtualizing your environment to
reduce the number of physical servers that are required. You can consolidate servers by implementing
64-bit computing and utilizing Hyper-V in the Microsoft Windows Server 2008 environment.
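The text says that analyzing performance trends lets you predict when existing capacity will be exhausted. The following PowerShell is an added example, not part of the course material, showing one way to do that: it fits a straight line through historical samples of a capacity measure and projects the date on which the line crosses a threshold. The monthly free-space figures are constructed for illustration; in practice they would come from logged counter data, and a regular peak such as a monthly payroll should be examined separately rather than averaged into the trend.

```powershell
# Added example, not from the course: least-squares trend on historical
# capacity samples, projected forward to the date a threshold is crossed.
# The sample data below is constructed for illustration.

function Get-CapacityForecast {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Samples,    # objects with Date and Value
        [Parameter(Mandatory=$true)] [double]   $Threshold   # the level that means "exhausted"
    )
    if ($Samples.Count -lt 2) { throw 'At least two samples are required.' }
    $t0 = $Samples[0].Date
    # Ordinary least squares on x = days since the first sample, y = value.
    $n = $Samples.Count; $sx = 0.0; $sy = 0.0; $sxx = 0.0; $sxy = 0.0
    foreach ($s in $Samples) {
        $x = ($s.Date - $t0).TotalDays; $y = [double] $s.Value
        $sx += $x; $sy += $y; $sxx += $x * $x; $sxy += $x * $y
    }
    $denom = $n * $sxx - $sx * $sx
    if ($denom -eq 0) { throw 'Samples must span more than one point in time.' }
    $slope     = ($n * $sxy - $sx * $sy) / $denom
    $intercept = ($sy - $slope * $sx) / $n
    $lastX     = ($Samples[-1].Date - $t0).TotalDays

    $status = 'stable: the fitted trend never reaches the threshold'
    $crossDate = $null
    if ($slope -ne 0) {
        $daysToCross = ($Threshold - $intercept) / $slope
        if ($daysToCross -gt $lastX) {
            # Crossing lies after the newest sample: that is the forecast.
            $crossDate = $t0.AddDays($daysToCross).ToString('yyyy-MM-dd')
            $status = "threshold reached on $crossDate"
        } else {
            $status = 'already beyond the threshold according to the fitted line'
        }
    }
    New-Object PSObject -Property @{
        SlopePerDay   = [math]::Round($slope, 3)
        FittedLatest  = [math]::Round($intercept + $slope * $lastX, 1)
        Threshold     = $Threshold
        ProjectedDate = $crossDate
        Status        = $status
    }
}

# Constructed data: free space in GB on a file server volume, sampled monthly.
$history = @(
    @{ Date = [datetime] '2011-01-01'; Value = 820 },
    @{ Date = [datetime] '2011-02-01'; Value = 790 },
    @{ Date = [datetime] '2011-03-01'; Value = 765 },
    @{ Date = [datetime] '2011-04-01'; Value = 730 },
    @{ Date = [datetime] '2011-05-01'; Value = 700 },
    @{ Date = [datetime] '2011-06-01'; Value = 670 },
    @{ Date = [datetime] '2011-07-01'; Value = 640 }
) | ForEach-Object { New-Object PSObject -Property $_ }

# Forecast the date on which less than 100 GB will remain on the volume.
Get-CapacityForecast -Samples $history -Threshold 100 | Format-List
```

The same function works for a measure that grows toward a ceiling (committed bytes against physical memory, for example) because the crossing test only depends on the sign of the slope and the position of the threshold relative to the fitted line.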


Planning for Future Capacity Requirements

Key Points
Capacity planning focuses on assessing server workload, the number of users that a server can support,
and how to scale systems to support additional workload and users in the future.
New server applications and services affect the performance of your IT infrastructure. These services may
receive dedicated hardware although they often use the same local area network (LAN) and wide area
network (WAN) infrastructure. Planning for future capacity should include all hardware components and
how new servers, services, and applications affect the existing infrastructure. Factors such as power,
cooling, and rack space are often overlooked during initial exercises to plan capacity expansion. You
should consider how your servers can scale up and out to support an increased workload.
Tasks such as upgrading to Windows Server 2008 and updating operating systems may affect your servers
and network. It is not unknown for an update to cause a problem with an application. Careful
performance monitoring before and after updates are applied can identify problems.
An expanding business requires you to provide support for more users. You should consider business
requirements when you purchase hardware. This consideration will ensure that you can meet future
business requirements through increasing the number of servers or by adding capacity to existing
hardware.
Capacity requirements include:

More servers.

Additional hardware.

Reducing application loads.

Reducing users.


Lesson 3

Interpreting Performance Counters

Implementing performance monitoring is the first step to having an accurate assessment of your server
environment.
The second step is analyzing and interpreting performance monitoring information to derive useful
information that allows you to better manage and maintain the servers you are responsible for.
This lesson takes a closer look at the performance counters used in performance monitoring to give you a
better understanding of what they measure and what the statistics related to these counters can tell you
about your environment.

Objectives
After completing this lesson, you will be able to:

Describe object counters related to the central processing unit (CPU).

Describe object counters related to memory.

Describe object counters related to disk performance.

Describe object counters related to network performance.

Identify performance objects by server role.


Primary CPU Performance Counters

Key Points
CPU counters measure the server's CPU-related performance information and hardware-related events.

CPU Performance Counters

Processor\% Processor Time. Processor\% Processor Time shows the percentage of elapsed time
that this thread used the processor to run instructions. An instruction is the basic unit of execution in
a processor, and a thread is the object that runs instructions. Code run to handle some hardware
interrupts and trap conditions is included in this count.

Processor\Interrupts/sec. Processor\Interrupts/sec shows the rate, in incidents per second, at which
the processor received and serviced hardware interrupts.

System\Processor Queue Length. The System\Processor Queue Length counter is a rough indicator of
the number of threads each processor is servicing. The processor queue length, sometimes called
processor queue depth, reported by this counter is an instantaneous value that is representative only of
a current snapshot of the processor, so it is necessary to observe this counter over a long period of
time. Also, the System\Processor Queue Length counter reports the total queue length for all
processors, and not the length per processor.


Primary Memory Performance Counters

Key Points
The memory performance object consists of counters that describe the behavior of physical and virtual
memory on the computer. Physical memory is the amount of RAM on the computer. Virtual memory
consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is
the movement of pages of code and data between disk and physical memory. Excessive paging is a
symptom of a memory shortage and can cause delays that interfere with all system processes.

Memory Performance Counters

Pages/sec. Pages/sec shows the rate, in incidents per second, at which pages were read from or
written to disk to resolve hard page faults. This counter is a primary indicator for the kinds of faults
that cause system-wide delays. It is the sum of Pages Input/sec and Pages Output/sec. It is counted in
numbers of pages, so it can be directly compared to other counts of pages such as Page Faults/sec. It
includes pages retrieved to satisfy faults in the file system cache (usually requested by applications)
and noncached mapped memory files.

Available Bytes. Available Bytes shows the amount of physical memory, in bytes, immediately
available for allocation to a process or for system use. It is equal to the sum of memory assigned to
the standby (cached), free, and zero page lists.

Committed Bytes. Committed Bytes shows the amount of committed virtual memory, in bytes.

Pool Nonpaged Bytes. Pool Nonpaged Bytes shows the size, in bytes, of the nonpaged pool. Pool
Nonpaged Bytes is calculated differently than Process\Pool Nonpaged Bytes, so it might not equal
Process(_Total)\Pool Nonpaged Bytes.


Primary Disk Performance Counters

Key Points
The LogicalDisk performance object consists of counters that monitor logical partitions of hard or fixed
disk drives. System Monitor identifies logical disks by their drive letter, such as "C:".
The PhysicalDisk performance object consists of counters that monitor hard or fixed disk drives. Disks are
used to store file, program, and paging data. They are read to retrieve these items, and are written to
record changes to them. The values of physical disk counters are sums of the values of the logical disks (or
partitions) into which they are divided.

Disk Performance Counters

% Disk Read Time, % Disk Time, % Disk Write Time, % Idle Time. These counters are of little
value when multiple physical drives are behind logical disks. Imagine a subsystem of 100 physical
drives presented to the operating system as five disks, each backed by a 20-disk RAID 0+1 array. Now
imagine that the administrator spans those five disks into one logical disk, volume X. One can
assume that any serious system that needs that many physical disks has at least one outstanding
request to volume X at any given time. That alone makes the volume appear to be 100% busy and 0%
idle, when in fact the 100-disk array could be up to 99% idle.

Average Disk Bytes / { Read | Write | Transfer }. This counter collects average, minimum, and
maximum request sizes. If possible, individual or sub-workloads should be observed separately.
Multimodal distributions cannot be differentiated by using average values if the request types are
consistently interspersed.

Average Disk Queue Length, Average Disk { Read | Write } Queue Length. These counters collect
concurrency data, including burstiness and peak loads. Guidelines for queue lengths are given later in
this module. These counters represent the number of requests in flight below the driver that takes the
statistics. This means that the requests are not necessarily queued, but could actually be in service or
completed, and on the way back up the path.


Primary Network Performance Counters

Key Points
Most workloads require access to production networks to ensure communication with other applications
and services, and to communicate with users. Network requirements include elements such as
throughput, that is, the total amount of traffic that passes a given point on a network connection per
unit of time.
Other network requirements include the presence of multiple network connections. Workloads might
require access to several different networks that must remain secure. Examples include connections for:

Public network access.

Networks for performing backups and other maintenance tasks.

Dedicated remote-management connections.

Network adapter teaming for performance and failover.

Connections to the physical host server.

Connections to network-based storage arrays.

By monitoring the network performance counters, you can evaluate your network performance.

Network Performance Counters


The following are the Network performance counters related to Network Interface > [adapter name]:

Bytes received per second.

Bytes sent per second.

Packets received per second.

Packets sent per second.


Output queue length. This counter is the length of the output packet queue (in packets). If this is
longer than 2, delays occur. You should find the bottleneck and eliminate it if you can. Because NDIS
queues the requests, this length should always be 0.

Packets received errors. This counter is the number of incoming packets that contain errors that
prevent them from being deliverable to a higher-layer protocol. A zero value does not guarantee that
there are no receive errors. The value is polled from the network driver, and it can be inaccurate.
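The four counter topics in this lesson (CPU, memory, disk and network) each describe what a counter measures, and the tuning recommendations earlier in the module ask you to monitor after every change and keep a record. The following PowerShell is an added example, not part of the course material, that puts both together: it samples the counters named in this lesson, averages them over a short window, flags the component that looks like the bottleneck, and appends one labelled row to a CSV so each sample can be tied to the change made before it. It assumes PowerShell 2.0 or later on Windows Server 2008 or 2008 R2; the thresholds marked "assumed" in the code are illustrative starting points and not course guidance, whereas the Output Queue Length limit of 2 is the one the network topic states.

```powershell
# Added example, not from the course: sample the Lesson 3 counters, flag a
# likely bottleneck, and log one labelled row per run. Assumptions: PowerShell
# 2.0 or later; thresholds marked "assumed" are illustrative only.

$counterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\Interrupts/sec',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\Memory\Available Bytes',
    '\Memory\Committed Bytes',
    '\Memory\Pool Nonpaged Bytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk Bytes/Transfer',
    '\Network Interface(*)\Output Queue Length',
    '\Network Interface(*)\Packets Received Errors'
)

function Get-AveragedCounters {
    # Returns a hashtable: counter path (without the \\computer prefix) -> mean value.
    param([int] $Seconds = 60, [int] $Interval = 5)
    $samples = [math]::Max(1, [int]($Seconds / $Interval))
    $sums = @{}; $counts = @{}
    foreach ($set in (Get-Counter -Counter $counterPaths -SampleInterval $Interval -MaxSamples $samples)) {
        foreach ($s in $set.CounterSamples) {
            $key = $s.Path -replace '^\\\\[^\\]+', ''
            $sums[$key]   = [double] $sums[$key] + $s.CookedValue
            $counts[$key] = [int] $counts[$key] + 1
        }
    }
    $avg = @{}
    foreach ($k in $sums.Keys) { $avg[$k] = $sums[$k] / $counts[$k] }
    return $avg
}

function Get-AvgValues {
    # All averaged values whose path matches a wildcard (handles (*) instances).
    param($Avg, [string] $Pattern)
    @($Avg.Keys | Where-Object { $_ -like $Pattern } | ForEach-Object { $Avg[$_] })
}

function Test-Bottleneck {
    param([string] $Label = 'baseline', [string] $LogPath = 'C:\PerfLogs\triage.csv')
    $avg   = Get-AveragedCounters
    $cpus  = [Environment]::ProcessorCount
    $ramGB = (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1GB

    $cpuPct  = (Get-AvgValues $avg '\processor(_total)\% processor time')[0]
    $queue   = (Get-AvgValues $avg '\system\processor queue length')[0]
    $pages   = (Get-AvgValues $avg '\memory\pages/sec')[0]
    $availGB = (Get-AvgValues $avg '\memory\available bytes')[0] / 1GB
    $diskQ   = (Get-AvgValues $avg '\physicaldisk(_total)\avg. disk queue length')[0]
    $netQ = 0; $rxErr = 0   # worst adapter for queue length, total for receive errors
    foreach ($v in Get-AvgValues $avg '\network interface(*)\output queue length') { if ($v -gt $netQ) { $netQ = $v } }
    foreach ($v in Get-AvgValues $avg '\network interface(*)\packets received errors') { $rxErr += $v }

    $findings = @()
    # The course notes that Processor Queue Length is the total for all processors,
    # so it is divided by the processor count before comparison.
    if ($cpuPct -gt 85 -or ($queue / $cpus) -gt 2)        { $findings += 'Processor' }   # assumed
    if ($pages -gt 1000 -or $availGB -lt ($ramGB * 0.05)) { $findings += 'Memory' }      # assumed
    if ($diskQ -gt 2)                                     { $findings += 'Disk' }        # assumed; see the RAID caveat in the disk topic
    if ($netQ -gt 2)                                      { $findings += 'Network' }     # course: longer than 2 means delays
    if ($rxErr -gt 0)                                     { $findings += 'Network (receive errors)' }
    $verdict = 'none flagged'
    if ($findings.Count -gt 0) { $verdict = $findings -join '; ' }

    $row = New-Object PSObject -Property @{
        Time = (Get-Date).ToString('s'); Label = $Label
        CpuPct = [math]::Round($cpuPct, 1); QueuePerCpu = [math]::Round($queue / $cpus, 2)
        PagesPerSec = [math]::Round($pages, 1); AvailableGB = [math]::Round($availGB, 2)
        DiskQueue = [math]::Round($diskQ, 2); NetOutputQueue = [math]::Round($netQ, 2)
        RxErrors = $rxErr; LikelyBottleneck = $verdict
    } | Select-Object Time, Label, CpuPct, QueuePerCpu, PagesPerSec, AvailableGB,
                      DiskQueue, NetOutputQueue, RxErrors, LikelyBottleneck

    # Append by hand (Export-Csv -Append does not exist in PowerShell 2.0).
    if (Test-Path $LogPath) {
        $row | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 | Add-Content -Path $LogPath
    } else {
        New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
        $row | Export-Csv -Path $LogPath -NoTypeInformation
    }
    return $row
}

# Usage: one labelled sample per change, for example before and after moving the page file.
Test-Bottleneck -Label 'after-pagefile-move' | Format-List
```

Run it once with the label "baseline" before changing anything, then once after each single change; the CSV then holds the record the tuning recommendations ask for, and a row whose LikelyBottleneck column changes after a given label shows which change moved the constraint.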


Identifying Performance Objects by Server Role

Key Points
Specific server roles install a range of performance objects and associated counters.
Windows Server 2008 uses server roles to improve server efficiency and security. By identifying the role
that a server performs, you can ensure that you measure the necessary counters to monitor performance.
By using server roles, you ensure that you install and activate only the required components on your
servers. Only the performance objects and counters that are relevant to the installed server role are
available to monitor.
You should note that you enable missing performance objects and counters by installing additional server
roles or adding features.
Additional performance objects that are installed with each server role can assist with server monitoring.
The following table identifies common server roles and the performance objects that can be monitored to
assess performance.
Server role: Active Directory Domain Services (domain controller)
Performance counters to monitor: If you notice slow write or read operations, check the following disk
I/O counters under the Physical Disk category to see whether many queued disk operations exist:
o Avg. Disk Queue Length
o Avg. Disk Read Queue Length
o Avg. Disk Write Queue Length
If lsass.exe (Local Security Authority Subsystem) uses lots of physical memory, check the following
Database counters under the Database category to see how much memory is used to cache the database
for Active Directory Domain Services:
o Database Cache % Hit
o Database Cache Size (MB)

Server role: File Server
Performance counters to monitor: File servers are typically heavily dependent on their physical disk
systems for file read and write operations. The following counters should be measured to ensure that
the PhysicalDisk subsystem is keeping up with server demand:
o % Disk Time
o Avg. Disk Queue Length
o Avg. Disk Bytes/Transfer
Network performance is also a primary component of file server performance. These counters can be
monitored to ensure that proper network bandwidth is available to the file server:
o Bytes Received Per Second
o Bytes Sent Per Second
o Output Queue Length

Server role: Hyper-V (virtualization)
Performance counters to monitor: Performance troubleshooting and tuning can be difficult on
virtualized servers. Virtual hardware provides a less consistent monitoring environment than physical
hardware.
Two layers of performance monitoring are usually recommended in a virtualized scenario: one at the
physical or host server level to monitor key physical hardware components, and one at the virtualized
server level to monitor the virtual hardware and its impact on the operating system and applications
of the virtual server.

Server role: Web Server (IIS)
Performance counters to monitor: Network-related performance counters are an important tool in
measuring web server performance.
Additionally, processor-related counters can be helpful in identifying issues where web server
applications are running processor-intensive processes.
The Web Service performance counters provide valuable information regarding requests to the web
server, bandwidth consumed, and web server-specific statistics such as page not found errors.
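The text explains that only the performance objects belonging to installed roles are available, so a monitoring script has to adapt to what the server actually runs. The following PowerShell is an added example, not part of the course material: it maps the roles in the table to counter paths, keeps only the paths whose performance object is present on this computer, and takes a few samples. It assumes the ServerManager module (Windows Server 2008 R2 or later) for Get-WindowsFeature; the Hyper-V and Web Service counter paths are choices made for this example, since the table names those objects without listing individual counters.

```powershell
# Added example, not from the course: choose counters by installed role and
# drop any whose performance object is not present on this server.
# Assumptions: ServerManager module available; the Hyper-V and Web Service
# paths are example choices, not counters listed in the course table.

Import-Module ServerManager

# Feature name (as Get-WindowsFeature reports it) -> counter paths.
$roleCounters = @{
    'AD-Domain-Services' = @(
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk Read Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk Write Queue Length',
        '\Database(*)\Database Cache % Hit',
        '\Database(*)\Database Cache Size (MB)'
    )
    'File-Services' = @(
        '\PhysicalDisk(_Total)\% Disk Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk Bytes/Transfer',
        '\Network Interface(*)\Bytes Received/sec',
        '\Network Interface(*)\Bytes Sent/sec',
        '\Network Interface(*)\Output Queue Length'
    )
    'Hyper-V' = @(
        '\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time'   # host-level view (assumed path)
    )
    'Web-Server' = @(
        '\Processor(_Total)\% Processor Time',
        '\Web Service(_Total)\Current Connections',                         # assumed paths
        '\Web Service(_Total)\Bytes Total/sec',
        '\Web Service(_Total)\Not Found Errors/sec'
    )
}

function Get-RoleCounterPaths {
    # Objects that exist here; a role that is not installed usually means its
    # object (for example "Database" or "Web Service") is absent.
    $available = Get-Counter -ListSet * | ForEach-Object { $_.CounterSetName }
    $selected  = @()
    foreach ($feature in $roleCounters.Keys) {
        $f = Get-WindowsFeature -Name $feature
        if (-not $f -or -not $f.Installed) { continue }
        foreach ($path in $roleCounters[$feature]) {
            # Object name = text between the leading backslash and the next "(" or "\".
            $object = $path -replace '^\\([^\\(]+).*$', '$1'
            if ($available -contains $object) { $selected += $path }
            else { Write-Warning "$feature is installed but the '$object' object is missing; skipping $path" }
        }
    }
    $selected | Select-Object -Unique
}

$paths = @(Get-RoleCounterPaths)
if ($paths.Count -eq 0) {
    Write-Warning 'None of the roles in the table are installed on this server.'
} else {
    Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 3 |
        ForEach-Object { $_.CounterSamples } |
        Select-Object Timestamp, Path, @{ Name = 'Value'; Expression = { [math]::Round($_.CookedValue, 2) } } |
        Format-Table -AutoSize
}
```

The availability check matters on a Hyper-V guest or a server where a role was removed: a counter path that no longer resolves makes Get-Counter fail for the whole request, so filtering by Get-Counter -ListSet first keeps the rest of the collection working.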


Lesson 4

Selecting Appropriate Monitoring Tools

Windows Server 2008 provides a range of tools to monitor the operating system and applications. You
can use these tools to tune your system for efficiency and troubleshoot problems. You should use these
tools and complement them where necessary with your own tools.

Objectives
After completing this lesson, you will be able to:

Describe Performance Monitor.

Describe the Reliability Monitor.

Describe Resource Monitor.

Describe Event Subscriptions.


Performance Monitor

Key Points
Performance Monitor is a Microsoft Management Console (MMC) snap-in used to obtain system
performance information. You can use this tool to analyze the performance effect of applications and
services. You can use Performance Monitor for an overview of system performance or collect detailed
information for troubleshooting.
The Performance Monitor includes the following features:

Monitoring Tools

Data Collector Sets

Reports

Monitoring Tools
The Monitoring Tools node contains the Performance Monitor graph view. It provides a visual display of
built-in Windows performance counters, either in real time or as a way to review historical data.
The Performance Monitor graph view includes the following features:

Multiple graph views

Custom views that you can export as data collector sets

Performance Monitor uses performance counters to measure the system state or activity.
Performance Counters can be included in the operating system or can be present as part of installed
applications. Performance Monitor requests the current value of performance counters at specified time
intervals.
You can add performance counters to the Performance Monitor by dragging and dropping the counters
or by creating a custom data collector set.


Performance Monitor features multiple graph views that enable you to visually review performance log
data. You can create custom views in Performance Monitor that can be exported as Data Collector Sets for
use with performance and logging features.

Data Collector Sets


The data collector set is a custom set of performance counters, event traces, and system configuration
data.
After you have created a combination of data collectors that describe useful system information, you can
save them as a data collector set, and then run the set and view the results.
A data collector set organizes multiple data-collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in the Performance Monitor. You can configure a data collector set to generate alerts when it
reaches thresholds.
You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until
it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour
during your working hours to create a performance baseline. You can also set the data collector to restart
when set limits are reached, so that a separate file is created for each interval.
The Data Collector Sets and Performance Monitor tools enable you to organize multiple data-collection
points into a single component that you can use to review or log performance.
Performance Monitor also includes default Data Collector Set templates to help system administrators
collect performance data that is specific to a server role or monitoring scenario.
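The paragraph above describes running a data collector set for ten minutes every hour during working hours and starting a new file each interval. The following PowerShell is an added example, not part of the course material, that builds exactly that with logman.exe and starts it from a scheduled task. It assumes an elevated session; the set name, the log folder and the 08:00 to 18:00 window are placeholders.

```powershell
# Added example, not from the course: a counter data collector set that runs
# ten minutes every hour during working hours, one file per run.
# Assumptions: elevated session; name, folder and time window are placeholders.

$setName = 'HourlyBaseline'
$logDir  = 'C:\PerfLogs\Baseline'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Counters from Lesson 3, sampled every 15 seconds.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\Memory\Available Bytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Output Queue Length'
)

# -rf  : stop the collector after ten minutes
# -cnf : start a new file when that time elapses, so each run is its own .blg
# -v   : version the file name with the start time (mmddhhmm)
$logmanArgs = @('create', 'counter', $setName, '-c') + $counters + @(
    '-si',  '00:00:15',
    '-rf',  '00:10:00',
    '-cnf', '00:10:00',
    '-f',   'bin',
    '-o',   (Join-Path $logDir $setName),
    '-v',   'mmddhhmm'
)
& logman.exe $logmanArgs
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

# Hourly trigger inside working hours; -rf above makes each run stop on its own.
& schtasks.exe /Create /F /SC HOURLY /ST 08:00 /ET 18:00 /RU SYSTEM `
    /TN "PerfLogs\$setName" /TR "logman.exe start $setName"
if ($LASTEXITCODE -ne 0) { throw "schtasks create failed with exit code $LASTEXITCODE" }
```

The set appears under Data Collector Sets, User Defined in Performance Monitor once created, and the resulting .blg files can be opened from the Reports node or converted with relog.exe (for example, relog.exe input.blg -f CSV -o output.csv) when the baseline is to be kept in a spreadsheet.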

Reports
Use the Reports node to view and create reports from a set of counters that you create by using Data
Collector Sets.


Reliability Monitor

Key Points
The Reliability Monitor reviews the computer's reliability and problem history. The Reliability Monitor can
be used to obtain several kinds of reports and charts that can help you identify the source of reliability
issues. Access the Reliability Monitor by clicking View System History on the Maintenance tab in the
Action Center.
The following topics explain the main features of the Reliability Monitor.

System Stability Chart


The System Stability Chart summarizes system stability, for the past year, in daily increments. This chart
indicates any information, error, or warning messages, and simplifies the task of identifying issues and the
date on which they occurred.

Installation and Failure Reports


The System Stability Report also provides information about each event in the chart. These reports include
the following events:

Software Installs

Software Uninstalls

Application Failures

Hardware Failures

Windows Failures

Miscellaneous Failures


Records Key Events in a Timeline


The Reliability Monitor tracks key events about the system configuration, such as the installation of new
applications, operating-system patches, and drivers. It also tracks the following events to help you identify
the reasons for reliability issues.

Memory problems

Hard disk problems

Driver problems

Application failures

Operating system failures

The Reliability Monitor is a useful tool that provides a timeline of system changes and reports the system's
reliability. You can use this timeline to determine whether a particular system change correlates with the
start of system instability.

Problem Reports and Solutions Tool


The Problem Reports and Solutions feature in Reliability Monitor helps users track problem reports and
any solution information that they have received.
The Problem Reports and Solutions tool only stores this information locally. All Internet communication
related to problem reports and solutions is handled by Windows Error Reporting.
The Problem Reports and Solutions tool provides a list of the attempts made to diagnose your computer's
problems.
If an error occurs while an application is running, the Windows Error Reporting service prompts the user to
choose whether to send error information to Microsoft over the Internet. If information is available that can
help the user resolve the problem, Windows displays a message with a link to the resolving information.
You can use the Problem Reports and Solutions tool to track resolving information and recheck for new
solutions.
You can start the Problem Reports and Solutions tool from the Reliability Monitor. The following options
are available:

Save reliability history.

View problems and responses.

Check for solutions to all problems.

Clear the solution and problem history.


Resource Monitor

Key Points
The Resource Monitor interface in Windows Server 2008 R2 provides an in-depth look at the real-time
performance of your server.
You can use Resource Monitor to monitor the use and performance of CPU, disk, network, and memory
resources in real time, which allows you to identify and resolve resource conflicts and bottlenecks.
By expanding the monitored elements, system administrators can identify which processes are using
which resources. In addition, Resource Monitor allows you to select one or more processes to track by
selecting their check boxes. When a process is selected, it remains selected in every pane of Resource
Monitor, so the information you require about that process stays at the top of the screen no matter
where you are in the interface.


What Are Event Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue
might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer
provides the ability to collect copies of events from multiple remote computers, and store them locally. To
specify which events to collect, you create an event subscription. After a subscription is active and events
are being collected, you can view and manipulate these forwarded events as you would any other locally
stored events.
Using the event-collecting feature requires that you configure both the forwarding and the collecting
computers. The functionality depends on the Windows Remote Management (WinRM) and the Windows
Event Collector services (Wecsvc). Both of these services must be running on computers participating in
the forwarding and collecting process.

Creating a Subscription
Before you can create a subscription to collect events on a computer, you must configure the collecting
computer (collector), and each computer from which events will be collected (source).
After you configure the computers, you can create a subscription to specify which events to collect, by
selecting the Subscriptions folder, and then clicking the link on the Action menu.
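The two-sided configuration described above, as an added example that is not part of the course: the commands run on the source and on the collector, and a collector-initiated subscription definition loaded with wecutil. The host names NYC-DC1 (collector) and NYC-SVR1 (source) come from the lab; the contoso.com DNS suffix and the chosen event filters are assumptions.

```powershell
# Added example (not part of the course): forward events from NYC-SVR1 (source)
# to NYC-DC1 (collector) with a collector-initiated subscription.
# Assumptions: DNS suffix contoso.com; each block runs in an elevated prompt
# on the computer named in its comment.

# --- On the source computer (NYC-SVR1) ---
# Start the WinRM service, create its listener and open the firewall exception,
# then let the collector's machine account read this computer's event logs.
winrm quickconfig -q
net localgroup "Event Log Readers" 'CONTOSO\NYC-DC1$' /add

# --- On the collector computer (NYC-DC1) ---
# Configure the Windows Event Collector service (Wecsvc) to start automatically.
# WinRM must also be running here, as the text notes for both roles.
wecutil qc /q

# Subscription definition: pull System-log critical/error events and failed
# logons (Security Event ID 4625) from NYC-SVR1 into the local ForwardedEvents log.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>NYC-SVR1-Errors-and-FailedLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System errors and failed logons from NYC-SVR1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-SVR1.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "nyc-svr1-subscription.xml"
$subscription | Out-File -FilePath $xmlPath -Encoding ASCII

# Create the subscription, then check the per-source runtime status: an
# "Inactive" source usually means WinRM or the Event Log Readers step above failed.
wecutil cs $xmlPath
wecutil gr "NYC-SVR1-Errors-and-FailedLogons"

# Forwarded events are read exactly like locally stored events.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message
```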


Lab: Creating a Baseline of Performance Metrics

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and then, in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2-4 for 6419B-NYC-SVR1.

Lab Scenario
NYC-SVR1 has just been deployed at the New York office of Contoso, Ltd. You have been asked to
establish a performance baseline for this server, for comparison with real-time performance statistics, and
to ensure that the server is currently operating properly and efficiently.


Exercise 1: Determining Performance Metrics


You have been asked to assess NYC-SVR1 and establish a performance baseline for this server by using
Performance Monitor. Before establishing the baseline, you must identify what performance counters you
will use to record performance information. You have been asked by your manager to ensure the four
primary hardware components of the server are measured.
The main task is as follows:
1. Determine the performance counter objects to use.

Task 1: Determine the performance counter objects to use.


Question: What are the main hardware components that you should be measuring on NYC-SVR1?
Question: Which Performance Monitor objects correspond to these components?
Note: After completing this exercise, you will have determined performance metrics.


Exercise 2: Configuring a Performance Baseline


You have been asked to establish a performance baseline for NYC-SVR1 based on the Processor, Memory,
Physical Disk, and Network objects within Performance Monitor. The baseline should be as thorough as
possible, so you have been asked to include all counters from these objects.
The main tasks are as follows:
1. Create a Data Collector Set to log the counters for the Processor, Memory, PhysicalDisk, and Network
   Interface objects.
2. Review the Data Collector Set report to ensure that performance data has been captured.

Task 1: Create a Data Collector Set to log the counters for the Processor, Memory,
PhysicalDisk, and Network Interface objects.
1. On NYC-SVR1, open Performance Monitor.
2. Expand the Data Collector Sets node and create a new User Defined Data Collector Set named
   NYC-SVR1 Baseline.
3. Add all counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.
4. Run the Data Collector Set when the wizard is complete.

Note: The Data Collector Set will take a few moments to collect data. Complete Exercise 3 and then
come back to finish Task 2 of this exercise.
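The same "NYC-SVR1 Baseline" data collector set built from the command line with logman.exe instead of the wizard, as an added example that is not part of the course. It also applies the scheduling and per-interval file splitting described in the Data Collector Sets topic and reduces the collected .blg files to baseline figures; the C:\PerfLogs\Baseline directory and the 08:00-18:00 window are chosen here, not taken from the lab.

```powershell
# Added example (not part of the course): create, schedule and summarise the
# "NYC-SVR1 Baseline" data collector set with logman.exe.
# Assumptions: elevated PowerShell prompt on NYC-SVR1; log directory and working
# hours are values chosen for this example.

$name   = "NYC-SVR1 Baseline"
$logDir = "C:\PerfLogs\Baseline"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Every counter of the four objects named in the lab. "(*)" selects every instance
# (each processor, disk and adapter); "\*" selects every counter of that object.
$counters = @(
    "\Processor(*)\*",
    "\Memory\*",
    "\PhysicalDisk(*)\*",
    "\Network Interface(*)\*"
)

# Counter collector, 15-second sample interval, binary .blg output.
# -cnf 00:10:00 closes the current file and starts a new one every ten minutes
# (a separate file per interval); -v mmddhhmm stamps each file name so successive
# runs never overwrite each other; -max 200 caps any single file at 200 MB.
logman create counter $name -c $counters -si 00:00:15 -f bin `
    -o "$logDir\baseline" -v mmddhhmm -cnf 00:10:00 -max 200 -ow

# Collect during working hours and repeat daily (-r). logman expects a full
# timestamp for -b and -e, so today's date is prepended to the times.
$today = Get-Date -Format "M/d/yyyy"
logman update counter $name -b "$today 08:00:00" -e "$today 18:00:00" -r

# Start it now for the lab run and confirm the configuration took effect.
logman start $name
logman query $name

# After the set has been stopped (logman stop $name), reduce one counter across
# every collected file to minimum, average and peak: the figures later real-time
# readings are compared against.
function Get-BaselineSummary {
    param(
        [string]$LogDirectory,
        [string]$CounterSuffix = "\Processor(_Total)\% Processor Time"
    )
    $files = Get-ChildItem -Path $LogDirectory -Filter *.blg |
        Select-Object -ExpandProperty FullName
    if (-not $files) { throw "No .blg files found in $LogDirectory" }

    # Counter paths inside a .blg are machine-qualified
    # (\\NYC-SVR1\Processor(_Total)\...), so match on the suffix only.
    Import-Counter -Path $files |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*$CounterSuffix" } |
        Measure-Object -Property CookedValue -Minimum -Average -Maximum
}

# Example call once the collector has been stopped:
# Get-BaselineSummary -LogDirectory $logDir
```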

Task 2: Review the Data Collector Set report to ensure that performance data has been
captured.
1. Stop the NYC-SVR1 Baseline data collector set.
2. Expand the Reports node and view the most recent report run for the user-defined NYC-SVR1
   Baseline object.
3. Ensure that the report has collected the performance data.


Note: After completing this exercise, you will have configured a performance baseline.


Exercise 3: Viewing Performance Using Monitoring Tools


You have been asked to ensure that there are no significant performance-related issues on NYC-SVR1.
The main tasks are as follows:
1. Use Resource Monitor to view system performance statistics.
2. Use Reliability Monitor to view server reliability history.

Task 1: Use Resource Monitor to view system performance statistics.
1. On NYC-SVR1, open Resource Monitor.
2. View the graphs on the right of the screen to ensure none of them are near the top of the graph
   window.
3. Click each tab in the Resource Monitor window to view the real-time performance data for the
   associated component.
4. Close the Resource Monitor.

Task 2: Use Reliability Monitor to view server reliability history.
1. On NYC-SVR1, open Reliability Monitor.
2. Check the Reliability Monitor for any Error events, represented by a red X icon.
3. Close the Reliability Monitor.


Note: After completing this exercise, you will have viewed performance by using monitoring tools.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.


Module Review and Takeaways

Review Questions
1. Why would establishing baseline performance be important in a larger environment?
2. Where would centralized event collection be valuable in obtaining event information from multiple
   computers?

Windows Server 2008 R2 Features Introduced in this Module


Windows Server 2008 R2 feature: Resource Monitor
Description: Resource Monitor offers in-depth real-time performance monitoring and a comprehensive view
of your server's performance-related configuration.

Tools

Tool: Event Viewer
Use for: Viewing server event logs and collecting event logs from other computers
Where to find it: Server Manager console

Tool: Task Manager
Use for: Viewing simple real-time performance information
Where to find it: Press Ctrl + Shift + Esc, or right-click the taskbar and select Task Manager

Tool: Performance Monitor
Use for: Viewing and collecting performance information for many aspects of your server
Where to find it: Start, Administrative Tools, or the Server Manager console

Tool: Reliability Monitor
Use for: Viewing reliability-related information and events
Where to find it: Windows Server 2008 Action Center, or type Reliability in the Start Menu Search field

Tool: Resource Monitor
Use for: Viewing in-depth real-time performance information for your server
Where to find it: Start, Administrative Tools, or the Performance tab in Task Manager


Module 14
Managing Windows Server 2008 Backup and Recovery
Contents:
Lesson 1: Planning and Implementing File Backups on Windows Server 2008    14-3
Lesson 2: Planning and Implementing File Recovery    14-14
Lab A: Implementing Windows Server Backup and Recovery    14-19
Lesson 3: Recovering Active Directory    14-23
Lesson 4: Troubleshooting Windows Server Startup    14-29
Lab B: Recovering Active Directory Objects    14-37


Module Overview

Disaster recovery planning is a critical part of managing any server infrastructure. This module examines
the necessary planning for backup and restore procedures, and startup issues to ensure that you protect
data and servers sufficiently against disasters. This module will also focus on the improvements in the
Windows Server Backup application included with the operating system.
Microsoft Windows Server 2008 R2 also has new options for restoring Active Directory Domain
Services (AD DS), such as the Active Directory Recycle Bin.
The ability to troubleshoot startup issues has been improved for Windows Server 2008. Common startup
issues can be automatically detected and repaired to get servers back online in a timely manner.
Restoring data is a riskier operation than backing up data because you can overwrite and lose existing
data through careless restore procedures. You should only permit trusted administrators to perform
restore operations; it is likely that the restore operators are a subset of the backup operators, but in some
organizations, the backup and restore teams are separated.
After completing this module, you will be able to:

Plan and implement file backups on Windows Server 2008.

Plan and implement file recovery.

Describe Active Directory recovery methods.

Troubleshoot Windows Server startup.


Lesson 1
Planning and Implementing File Backups on Windows Server 2008

This lesson examines the planning elements that are required to create a successful, unobtrusive, and
secure backup process. You can apply these considerations when you are planning backup for various
types of data on your network. Typically, you will distribute backup tasks among various servers and
personnel in your environment.
After completing this lesson, you will be able to:

Describe decision points for selecting backup software and appointing backup operators.

Describe changes to Windows Backup in Windows Server 2008 R2.

Describe the planning process for backup.

Determine a data retention plan.

Describe the factors that affect backup policy.

Describe Windows Server Backup features.


Selecting Backup Software

Key Points
You need to use backup software to back up the data and servers on your network. When planning your
backup strategy, you must choose which backup software to use. You can choose the backup feature in
the Windows Server 2008 operating system or you can choose third-party backup software. Your choice
depends on your backup medium, how you intend to manage your backups across several servers, and
licensing costs, among other factors. For example, the Windows Server 2008 Backup feature has no
additional licensing costs, but it does not support tape backups. This may have a major influence on your
decision.
The Windows Server 2008 Backup feature also supports command-line use through the Wbadmin.exe
command. This is useful for scripting or performing specific backups such as system state data.
There are many improvements to the Windows Server Backup feature in Windows Server 2008 R2,
including more backup options and more control through the Windows Server Backup Microsoft
Management Console (MMC). These changes are discussed in the next topic.
You may also have special requirements, such as databases, that you must regularly back up. A database
backup may require special software or tools to perform the backup.
Question: What backup software or solutions do you currently use?


Changes to Windows Backup in Windows Server 2008 R2

Key Points
The Windows Server Backup feature provides a basic backup and recovery solution for computers running
the Windows Server 2008 operating system, but it has very limited options. For example, it can only back
up entire volumes. The Windows Server Backup feature of Windows Server 2008 R2 has many
enhancements, including improved wizards, to implement a flexible backup plan. The following table
outlines feature availability in the different versions.
Feature                                          Supported in Windows Server 2008    Supported in Windows Server 2008 R2
Volume level backup                              Yes                                 Yes
Scheduling backups                               Yes                                 Yes
System State backup                              Yes (command-line only)             Yes
Incremental System State backup                  No                                  Yes
Back up specific files and folders               No                                  Yes
Exclude specific files, folders, or file types   No                                  Yes
Back up to volumes or network shares             No (dedicated volumes only)         Yes
PowerShell support (local and remote)            No                                  Yes
Bare Metal Recovery backup option                Yes                                 No
Question: What command-line utility can be used to back up System State in Windows Server 2008?


Process for Planning Backup in Windows Server 2008

Key Points
When you plan your backup strategy, you must plan the elements that are listed in the following table.
Plan element: List the data to back up.
Details: You must identify all data that requires backup so that you can restore your data and systems in
the event of a disaster. You must identify the quantity of data, which in Windows Server 2008 includes
which volumes or files and folders to back up, so that you can choose an appropriate storage medium and
identify how long a backup or restore operation requires.

Plan element: Create a backup schedule.
Details: You must plan how frequently and at what times servers perform automated backup tasks. Most
organizations perform daily backups at the least.

Plan element: Choose a backup type.
Details: Based on the frequency and the time that is taken to perform a backup and a restore operation,
you may also need to select a backup type. Your backup software may enable you to choose from the
following backup types:
Full or Normal
Incremental
Differential
Windows Server Backup performs full backups by default. You can enable incremental backups by
configuring performance settings in MMC. Windows Server Backup does not support differential backups.

Plan element: Choose the backup medium.
Details: Based on your backup software, the size of backups, and the time to restore data, you should
choose an appropriate backup medium. Backup media include:
Tape (not available with Windows Server 2008 backup)
Hard disk (fixed or removable)
DVD
Shared folder
Tape is available in various formats, supporting various data rates and storage capacities. If you back up
to tape, you should ensure that the tape format that you use is appropriate to the quantity of data that
you are backing up.
The Windows Server 2008 Backup feature does not support backing up to tape. Volumes and shared
folders are the only supported storage media.
Consider the length of time that you require to retain backups to restore data. Will you be able to restore
data from one month ago, six months ago, 12 months ago, or longer?
You must also consider the storage location of your backup media. Tapes are susceptible to magnetic
fields and heat, so they should be stored away from these environmental factors. Backup media should be
stored offsite in case of disaster such as fire or flood.

Windows Server 2008 Backup Types


The Windows Server Backup feature in Windows Server 2008 consists of an MMC snap-in and command-line
tools. You can use wizards to guide you through running backups and recoveries. You can use
Windows Server Backup 2008 to back up a full server (all volumes), selected volumes, or just the system
state.
In case of disasters such as hard disk failures, you can perform system recovery by using a full server
backup and the Windows Recovery Environment; this will restore your complete system onto the new
hard disk.
The ability to take just a system state backup is not exposed in the graphical interface of Windows Server
Backup. If you wish to take just a system state backup, you must use the wbadmin.exe command-line
utility.

Windows Server 2008 R2 Backup Types


Windows Server Backup in Windows Server 2008 R2 provides the same backup types as Windows Server
2008, and adds the following options:

Select specific items for backup.

Bare metal recovery. Bare metal recovery includes all volumes that are necessary for Windows
to run. You can use this backup type in conjunction with the Windows Recovery Environment to
recover from a hard disk failure, or if you need to recover the entire computer image to new
hardware.

System State. You can now create a system state backup from the graphical interface.

Individual files and folders. You can back up selected files and folders, instead of just full
volumes.

The ability to exclude selected files or file types. For example, you can exclude .tmp files.

More storage locations to choose from. You can store backups on remote shares or non-dedicated
volumes.
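The R2 options listed above expressed with the Windows Server Backup PowerShell snap-in, followed by the Windows Server 2008 command-line route to a system-state-only backup from the previous topic, as an added example that is not part of the course. The share \\NYC-DC1\Backups, the D:\Data folder, the E: volume and the 21:00 schedule are values chosen for this example.

```powershell
# Added example (not part of the course): a Windows Server 2008 R2 backup policy
# using bare metal recovery, system state, selected folders, a file-type exclusion
# and a remote share target, plus the pre-R2 wbadmin.exe system state backup.
# Assumptions: elevated prompt on NYC-SVR1 with the Windows Server Backup feature
# and its command-line tools installed; paths and times are chosen for this example.

Add-PSSnapin Windows.ServerBackup

$policy = New-WBPolicy

# Bare metal recovery adds every volume Windows needs to start; system state
# covers the registry, boot files, COM+ database and, on a domain controller,
# the AD DS database and SYSVOL.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState -Policy $policy

# Individual folders instead of whole volumes, with a file-type exclusion.
$dataSpec   = New-WBFileSpec -FileSpec "D:\Data"
$excludeTmp = New-WBFileSpec -FileSpec "D:\Data\*.tmp" -Exclude
Add-WBFileSpec -Policy $policy -FileSpec $dataSpec, $excludeTmp

# A remote share as the target (Windows Server 2008 required a dedicated local
# volume). Use an account whose only rights are on the backup share rather than
# a domain administrator: the backup set contains everything on the server.
# A share keeps only the most recent backup, so versions are not accumulated there.
$cred   = Get-Credential -Message "Account with write access to \\NYC-DC1\Backups"
$target = New-WBBackupTarget -NetworkPath "\\NYC-DC1\Backups\NYC-SVR1" -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# Full VSS backup: files are marked as backed up and application logs truncated.
# Use -VssCopyBackup instead when another product owns that job.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Run nightly at 21:00 and make this the scheduled policy for the server.
Set-WBSchedule -Policy $policy -Schedule 21:00
Set-WBPolicy -Policy $policy -Force

# Run it once now, then list what the target holds.
Start-WBBackup -Policy $policy
Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget

# Windows Server 2008 route (also valid on R2): no GUI option exists for a
# system-state-only backup, so wbadmin.exe is used. -quiet skips the prompt.
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "System state backup failed with exit code $LASTEXITCODE" }
wbadmin get versions -backupTarget:E:
```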

Question: You wish to use incremental backups as part of your backup strategy. How will you enable this?


Creating the Data Retention Plan

Key Points
How long must you keep data? Must you keep data for legal compliance, such as Sarbanes-Oxley, or for
business requirements, such as the ability to audit all projects during the previous five years?
Where should you archive data? Do users require access to archived data regularly, which may require
keeping the data on a server, or can the data be archived to a static medium such as optical or tape
storage? For static media archival, you must consider that media such as DVD or tape has a finite lifetime
for storing data.
What is the cost of data storage? Different storage mechanisms and media have different costs associated
with them. If you keep your data archive on your corporate storage area network (SAN), this has a
relatively high cost per gigabyte (GB). If you keep archived data on a server hard disk, it has a lower cost
per GB, and data that is stored on tape has a very low cost per GB. Contrary to this is the ease of access, so
you must balance the cost against the ease of access for the data. Typically, you move older data to
cheaper storage media.
What software tools can assist data retention? Your backup software or additional tools may have
data-retention capabilities, or you could invest in software to assist data retention in your organization.
Consider tools such as Microsoft System Center Data Protection Manager, which can offer backup
capabilities and options to archive older data to media such as tape, instead of hard disk.
Question: What is your current data retention plan?


Factors that Affect Backup Policy

Key Points
A number of factors affect the formulation of an organization's backup policy. Most companies cannot
endure a major data loss. Some companies are effectively out of business if a critical system is down. The
time and cost of data or server replacement will be overriding factors. The following table lists the major
decision points to consider when working out a backup strategy.
Factor: Service level agreements (SLAs)
Details: If your information technology (IT) department has agreed on SLAs or intends to create SLAs for
data or server availability, you must include consideration of backup and restore processes with your SLA.
An SLA should specify the data or servers to which it refers, and it should identify acceptable periods of
unavailability. It is important that the time that is taken to perform a restore operation does not exceed
the SLA; if it does, the SLA is redundant.

Factor: Cost
Details: When you plan your backup policy, you must consider the cost of your backup solution. Costs for
your backup solutions can include hardware, software, and media. You should carefully consider cost with
respect to backup and restore times, and the required storage quantities. Larger storage capacities or
faster storage media are more expensive, but you may require these for specific data types in your
organization, such as database backups.
When you plan for increases in data storage, you should include any necessary increase in backup costs
that are required to maintain your backup schedule.

Factor: Bandwidth
Details: If you back up to a different physical location, such as a secure offsite storage provider or a
dedicated disaster recovery site, you must consider bandwidth requirements. The available bandwidth for
these backups directly impacts the time that is taken to perform a backup and restore operation, and
unless fast links are available, you would typically use these as additional protection if a physical or
environmental disaster occurs at your primary location.
You might also consider using Distributed File System (DFS) replication to enable backup at another
location. If you have branch offices, you can decide to perform all regular file-based backups from your
main office by replicating content to the main office, and then performing the backup.

Factor: Personnel
Details: You should also consider who can perform backup tasks. This includes physical tasks such as
loading or changing tape libraries, and system tasks such as performing backups or changing backup
schedules.

Question: Does your IT department fulfill any SLAs?


Demonstration: Overview of the Windows Server Backup Features

Key Points
In this demonstration, the instructor will:

Describe Windows Server Backup features.

Demonstration Steps:
Note: You require the 6419B-NYC-DC1 and 6419B-NYC-SVR1 virtual machines to complete this
demonstration. Log on to the virtual machine as Contoso\Administrator, with the password,
Pa$$w0rd.

Install the Windows Server Backup Feature

1. On NYC-DC1, use Server Manager to install the Windows Server Backup Feature. Include the
command-line tools in the installation.

Use the backup wizard to schedule a backup.

1. On NYC-DC1, run Windows Server Backup and schedule a backup of drive C: to the remote backup
folder on NYC-SVR1.

Use the backup wizard to back up a folder.

1. Run the Backup Once wizard to back up the C:\MarketingTemplates folder to the remote backup
folder on NYC-SVR1.

Use the restore wizard to restore the MarketingTemplates folder to the C: drive

1. On NYC-DC1, delete the C:\MarketingTemplates folder.

2. In the Windows Server Backup MMC, run the Recovery Wizard with the following options:

Getting started: A backup stored on another location
Location Type: Remote Shared Folder
Remote Folder: \\NYC-SVR1\Backup
Backup Date: Today
Recovery Type: Files and Folders
Item to Recover: NYC-DC1\Local Disk (C:)\MarketingTemplates
Recovery destination: Another Location (C:)

3. Navigate to C:\ and ensure that the files have been restored.


Lesson 2

Planning and Implementing File Recovery

A data loss and recovery event may be as small as a single file that affects a single user or as widespread
as a critical server failure that affects the whole organization. In either case, it is important to have a plan
in place so that IT personnel know how to deal with the event.
After completing this lesson, you will be able to:

Describe the considerations for data recovery.

Describe Windows Server Backup Recovery Types.

Describe Windows Server Recovery Options.

Determine when to update backup and recovery policies.


Considerations for Data Recovery

Key Points
The impact of a data recovery event depends on the magnitude of the data loss. A total server failure may
affect thousands of users and cause business operations to come to a halt, whereas a user accidentally
deleting a file may only represent an inconvenience. The following considerations must be taken into
account when planning for data recovery:

The Impact of Server Failure Compared to Individual File Loss


Total server failure usually has a widespread effect and needs to be dealt with swiftly. Keeping local copies
of the most recent full server backups onsite and offsite can help mitigate the amount of down time.
Individual files are usually quick and easy to restore. Volume Shadow Copy technology can be
implemented to allow users to recover their own files in case of accidental deletion or file corruption.

Impact on Operations
Some data or servers could be lost for a short time with a minimal impact on operations. For example, a
server running redundant network services like AD DS or Domain Name System (DNS) could be lost as
long as there is a second server providing those services. Other servers, like Windows Server Update
Service (WSUS), could be lost for a period without any significant effect on operations. More critical
servers, such as Microsoft SQL or Microsoft Exchange may require more consideration, such as high
availability solutions.

Impact on Service Level Agreements


If you are subject to SLAs that require a certain response time, you will have to factor that into your data
recovery plan. It may mean keeping standby hardware that is ready to be brought into service quickly in
case of server failure.


Windows Server Backup Recovery Types

Key Points
Windows Server Backup in Windows Server 2008 R2 provides the following recovery types:

Files and folders. Individual files or folders can be recovered as long as backup is on an external disk
or in a remote shared folder.

Applications and data. Applications and their data can be recovered if the application has a Volume
Shadow Copy Service writer and has registered with Windows Server Backup.

Volumes. Restoring a volume always restores all the contents of the volume. You cannot restore
individual files or folders.

Operating system. The operating system can be recovered through Windows Recovery Environment
(WinRE).

Full server. The full server can be recovered through WinRE.

System state. System state creates a point-in-time backup that can be used to restore a server to a
previous working state.

Question: What type of recovery can you use to repair a corrupted certificate database on the certificate
server?


Windows Server Recovery Options

Key Points
The Windows Server Backup Recovery Wizard provides several options for managing file and folder recovery.
The wizard manages the recovery destination, conflict resolution, and security settings. The recovery
options are as follows:

Recovery Destination

Original location. The original location restores the data to the location it was backed up originally.

Another location. Another location restores the data to a different location.

Conflict Resolution
Restoring data from a backup will often conflict with existing versions of the data. Conflict resolution
provides a way to determine how those conflicts will be handled. When these conflicts occur you have the
following options:

Create copies and have both versions.

Overwrite existing version with recovered version.

Do not recover items if they already exist in the recovery location.

Security Settings

Allows you to restore permissions to the data being recovered.

Question: How are copies of recovered files distinguished from the existing version?


Updating Backup and Recovery Policy

Key Points
You should review, improve, and update all of your policies and working practices to ensure that you
continue to meet the requirements of your business.
By increasing the frequency of backups, you can provide access to recent changes in documents for users.
Windows Server 2008 simplifies scheduling backup tasks by using the Volume Shadow Copy Service (VSS). This
improved backup enables users to restore files without resorting to assistance from the IT team.
Backup policies should be reviewed:

After data is restored.

On a regular basis.

As technology changes.

As SLAs change.

As restore strategies change.

Question: How often do you update the backup and restore policy in your organization?


Lab A: Implementing Windows Server Backup and Recovery

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:

User name: Administrator
Password: Pa$$w0rd
Domain: Contoso

5. Repeat steps 2 - 4 for 6419B-NYC-SVR1.


Exercise 1: Evaluating the Existing Backup Plan


Scenario
At Contoso, Ltd., data for several departments is stored across servers on the network. In the New York
office, several file servers are part of a domain-based Distributed File System (DFS) namespace and host
the following shares:
Sales. This share holds the shared data for the Sales department. The Sales department updates it
regularly with budgets, forecasts, and sales figures.
Finance. This share holds important data for the Finance department that supplements the Finance
application database. The Finance database should not form part of your backup plan.
Human Resources. This share holds highly confidential data for the Human Resources department. You
have encrypted some of this data by using Encrypting File System (EFS).
Technical Library. This share holds technical information, such as white papers and guidance documents,
for the IT department. The IT department updates this information infrequently.
Projects. This share holds documents that relate to any projects that are running at the New York office,
and changes frequently.
In addition to the file servers, you are responsible for ensuring that four intranet Web servers and two
domain controllers can have the data or server restored in the event of a disaster. Web pages on the
intranet Web sites do not change frequently.
Currently, there is a scheduled weekly backup of the volumes that contain the shares on the file servers
and the volumes that contain the Web page content on the Web servers.
In this exercise, you must review the existing backup plan against requirements that the management
team at Contoso, Ltd. have specified.
The main tasks for this exercise are as follows:
1. Review an existing backup plan.
2. Propose changes to the plan based upon scenario requirements.
3. Install the Windows Server Backup feature.
4. Schedule a full server backup.
5. Back up an individual folder.

Task 1: Review an existing backup plan.

Scenario
1. You have agreed that no more than one day's critical data should be lost in the event of a disaster.
Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this
requirement?

2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is
attached to a computer in the Human Resources office. This task is performed weekly by using a
script to preserve the encryption on the files. What are the consequences of this process and how
would you deal with them?

3. You have also agreed that if a server fails, you should be able to restore that server, including all
installed roles, features, applications, and security identity, in six hours. Does the current backup plan
enable you to restore the servers in this way?


Task 2: Propose changes to the backup plan.

Scenario
1. Propose an appropriate backup frequency for the shares in the following table.

Backup                Frequency
Sales
Finance
Human Resources
Technical Library
Projects

2. How would you fulfill the requirement to restore the servers and how frequently would you back up
the servers?

Task 3: Install Windows Server Backup Feature.

1. On NYC-DC1, use Server Manager to install the Windows Server Backup feature with the
Command-line tools.

Task 4: Use the backup wizard to schedule a backup.

1. Start the Windows Server Backup MMC.

2. Use the Backup Schedule Wizard to create a backup with the following configurations:

Backup configuration: Full server
Backup time: Daily at 1:00 A.M.
Destination type: Back up to a shared network location
Remote shared folder: \\NYC-SVR1\Backup
Credentials: Contoso\Administrator, with the password, Pa$$w0rd

Task 5: Back up an individual folder.

1. Use the Backup Once wizard to back up with the following configurations:

Backup Options: Different options
Backup configuration: Custom
Items for Backup: C:\MarketingTemplates
Destination Type: Remote shared folder
Remote Folder: \\NYC-SVR1\Backup

Results: After completing this exercise, you should have reviewed an existing backup plan and
proposed changes to that plan. You will also have configured backups to become familiar with the
Windows Server Backup feature.


Exercise 2: Implementing a Backup Plan


Scenario
The management team at Contoso, Ltd. has decided that an SLA should be put in place for the mission-critical
data stored on the intranet file servers and Web servers. The SLA will specify availability for data
and the recovery of deleted items.
In addition, Contoso, Ltd. must also comply with legal regulations that state how long the customer and
financial data must be retained. Failure to comply with these requirements entails heavy fines and
penalties for the company. You must keep Human Resources and financial information for a minimum of
seven years. In the event of an audit, you must provide access to this data within three working days.
In this exercise, you will examine the SLA and legal requirements, and propose solutions to ensure
compliance.
The main tasks for this exercise are as follows:
1. Review an existing recovery plan.
2. Propose changes to the plan.
3. Perform a test recovery.

Task 1: Create a backup strategy to comply with the SLA.

1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as
quickly as possible in the event of a disaster. What factors affect how quickly you can restore data?

2. Given that you have a limited budget to meet the SLA requirements, how can you maximize your
budget while providing backup for the entire network data for which you are responsible?

Task 2: Create a backup strategy to comply with legal requirements.

1. How will you ensure that the required data is stored for the minimum legal requirement period and
that the data is available for audit purposes when it is required?

Task 3: Use the Recovery Wizard to restore the data.

1. On NYC-DC1, open Windows Explorer, navigate to C:\MarketingTemplates, and delete the contents
in the folder.

2. Use the Recovery Wizard to recover the contents of the MarketingTemplates folder.

3. Close all open windows on NYC-DC1.

Question: List at least one example of how administrators can create an effective backup policy.
Results: After completing this exercise, you should have reviewed an existing recovery plan and
proposed changes to that plan. You should also have tested data recovery.
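The demonstration earlier in this module, tasks 3 to 5 of Exercise 1, task 3 of Exercise 2, and the recovery options of Lesson 2 (recovery destination, conflict resolution, security settings) can all be driven from the command line instead of the wizards. The following PowerShell script is an added example and is not part of the course material or of Microsoft's own scripts; it wraps the wbadmin.exe tool that the command-line tools sub-feature installs, and it assumes the lab names (NYC-DC1, \\NYC-SVR1\Backup, C:\MarketingTemplates, Contoso\Administrator with the lab password). The flag names are real wbadmin syntax for Windows Server 2008 R2.

```powershell
# Added example (not course material): Windows Server Backup from the command line.
# Run in an elevated PowerShell session on NYC-DC1 (lab names assumed).

# 1. Install the feature and its command-line tools (wbadmin.exe and the
#    Windows.ServerBackup PowerShell snap-in). Backup-Tools is the sub-feature.
Import-Module ServerManager
Add-WindowsFeature Backup-Features -IncludeAllSubFeature

$share = '\\NYC-SVR1\Backup'
$user  = 'Contoso\Administrator'
$pass  = 'Pa$$w0rd'   # lab credential from the course; never hard-code a real one

# 2. Schedule a daily full-server backup at 01:00 to the remote shared folder.
#    -allCritical adds every volume that holds operating-system components, so the
#    backup can also be used for a system state or full server (WinRE) recovery.
wbadmin enable backup "-addtarget:$share" -schedule:01:00 -allCritical `
    "-user:$user" "-password:$pass" -quiet

# 3. "Backup Once" of a single folder to the same share (folder-level items need
#    Windows Server 2008 R2; 2008 RTM backs up whole volumes only).
wbadmin start backup "-backupTarget:$share" '-include:C:\MarketingTemplates' `
    "-user:$user" "-password:$pass" -quiet

# 4. Recovery: find the newest version identifier on the share (printed as
#    "Version identifier: MM/DD/YYYY-HH:MM"), then restore the folder.
$versions = wbadmin get versions "-backupTarget:$share"
$latest   = $versions | Select-String 'Version identifier: (\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Last 1

# Wizard option -> flag:
#   Recovery destination "Another location"  -> -recoveryTarget:<path> (omit for original location)
#   Conflict resolution                       -> -overwrite:Overwrite | CreateCopy | Skip
#   Security settings (restore permissions)   -> default; -notRestoreAcl would drop the backed-up ACLs
wbadmin start recovery "-version:$latest" -itemType:File '-items:C:\MarketingTemplates' `
    "-backupTarget:$share" -recursive -overwrite:CreateCopy '-recoveryTarget:C:\' -quiet

# 5. Verify the data is back and that the operation was logged. The Windows Server
#    Backup operational log is where monitoring for failed or missing backups belongs.
Test-Path 'C:\MarketingTemplates'
Get-WinEvent -LogName 'Microsoft-Windows-Backup' -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Keeping the ACL restore enabled (the default) matters for shares such as Human Resources in the lab scenario: a recovery with -notRestoreAcl would leave the restored files with whatever permissions the target folder inherits, which is rarely what the original data had.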


Lesson 3

Recovering Active Directory

It is possible for a domain controller to fail, or for Active Directory to be damaged or corrupted,
intentionally or accidentally. In such an event, you must be prepared to restore the domain controller, the
directory, or objects within the directory. In this lesson, you will learn about the various methods and tools
to restore AD DS and domain controllers.
After completing this lesson you will be able to:

Describe the methods used to recover Active Directory.

Describe the Active Directory database mounting tool.

Describe how to recover objects by using the Active Directory Recycle Bin.


Methods Used to Recover Active Directory

Key Points
AD DS is one of the most critical systems in any enterprise. Windows Server 2008 R2 provides new ways to
recover Active Directory. Prior to Windows Server 2008 R2, there were only three methods of recovering
Active Directory. You could perform a non-authoritative restore or an authoritative restore or a
tombstone reanimation.

Non-Authoritative Restore
A non-authoritative restore will restore the entire AD DS database from a system state, critical-volume, or
full server backup. A non-authoritative restore returns the domain controller to its state at the time of
backup. Normal replication will then update AD DS on the restored domain controller with any changes
that occurred since the backup was performed. The most common scenario for a non-authoritative
restore is to recover a domain controller after a full server failure or AD DS database corruption.

Authoritative Restore
If you need to recover specific objects from AD DS because of accidental deletion, you can perform an
authoritative restore. As in non-authoritative restore, AD DS is restored, but the items that need to be
recovered are marked as being authoritative. This prevents the tombstoned version of the item on other
domain controllers from overwriting the restored version. Authoritative restores have the following
characteristics:

You can restore specific items or collections of items from AD DS, such as a user or an entire
organizational unit (OU).

The Ntdsutil command-line utility is required.

The AD DS service must be stopped during the recovery process.
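The three characteristics above describe an authoritative restore at the level of tools. The command sequence that follows is an added example, not part of the course material, showing how the restore of one accidentally deleted OU is carried out on Windows Server 2008 R2 with bcdedit, wbadmin and Ntdsutil; NYC-DC1, the share \\NYC-SVR1\Backup and OU=Sales,DC=contoso,DC=com are assumed lab names. It starts with the non-authoritative restore that the text describes and then marks only the lost subtree as authoritative.

```powershell
# Added example (not course material): authoritative restore of one OU.
# Lab names (NYC-DC1, \\NYC-SVR1\Backup, OU=Sales,DC=contoso,DC=com) are assumed.
# The phases are separated by reboots; run each in an elevated prompt on NYC-DC1.

# Phase 1 (normal boot): make the next start Directory Services Restore Mode (DSRM),
# because AD DS has to be offline while the database is replaced.
bcdedit /set safeboot dsrepair
Restart-Computer

# Phase 2 (in DSRM, logged on as .\Administrator with the DSRM password):
# non-authoritative restore of the system state from the newest backup version.
$share    = '\\NYC-SVR1\Backup'
$versions = wbadmin get versions "-backupTarget:$share"
$latest   = $versions | Select-String 'Version identifier: (\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Last 1
wbadmin start systemstaterecovery "-version:$latest" "-backupTarget:$share" -quiet

# Still in DSRM: mark the deleted subtree as authoritative. Ntdsutil raises the
# version numbers of these objects so that, after the reboot, replication partners
# accept the restored copies instead of replicating their tombstones back.
# "restore object <DN>" would do the same for a single object.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=contoso,DC=com" quit quit

# Ntdsutil also writes an .ldf file (with a matching .txt) to the current directory.
# It repairs back-links (for example group memberships) that point at the restored
# objects; after replication has completed, import it on the other DCs with:
#   ldifde -i -k -f <ar_...>.ldf

# Phase 3: clear the DSRM flag and return to normal operation.
bcdedit /deletevalue safeboot
Restart-Computer

# Phase 4 (normal boot): confirm the OU is back and replication is healthy.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Identity 'OU=Sales,DC=contoso,DC=com'
repadmin /showrepl NYC-DC1
```

The backup used in phase 2 must contain the system state; the scheduled full-server backup from Lab A (which includes the critical volumes) qualifies, as does a backup taken with wbadmin's -systemState flag.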


Tombstone Reanimation
You can also recover deleted Active Directory objects through tombstone reanimation. When objects are
deleted, they are not physically removed from the AD DS database immediately. Objects are converted to
tombstones and marked for deletion after 180 days. Tombstones can be reanimated any time before that
period runs out. Reanimation is the mechanism for restoring a tombstoned object back into a normal
object. After reanimation, the object has the same objectGUID and objectSid attributes it originally had.
An advantage of tombstone reanimation is that it does not require the domain controller to be taken
offline. A disadvantage is that some attributes of the object are stripped when an object is deleted, such
as forward-linked or backward-linked attributes, and these attributes are not recovered with tombstone
reanimation.
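Reanimation is, at the protocol level, a single LDAP modify against the tombstone. The script below is an added example, not part of the course material, that performs it from PowerShell with the System.DirectoryServices.Protocols classes shipped with Windows Server 2008 R2; NYC-DC1, DC=contoso,DC=com and a deleted user "Alice Smith" that lived in OU=Sales are assumed names. It also shows why the lesson calls the method lossy.

```powershell
# Added example (not course material): tombstone reanimation with one LDAP modify.
# Assumed: DC NYC-DC1, domain DC=contoso,DC=com, deleted user "Alice Smith".
# Domain Admins hold the "Reanimate tombstones" right by default; no DSRM needed.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

$conn = New-Object "$ns.LdapConnection" 'NYC-DC1'
$conn.SessionOptions.Signing = $true     # LDAP signing + sealing: integrity and
$conn.SessionOptions.Sealing = $true     # confidentiality for the session
$conn.Bind()                             # current (Negotiate) credentials

# 1. Find the tombstone. Deleted objects are invisible unless the request carries
#    the Show Deleted Objects control (OID 1.2.840.113556.1.4.417).
$search = New-Object "$ns.SearchRequest" 'DC=contoso,DC=com',
    '(&(isDeleted=TRUE)(objectClass=user)(cn=Alice Smith*))',
    ([System.DirectoryServices.Protocols.SearchScope]::Subtree),
    @('lastKnownParent')
$search.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null
$entry = ($conn.SendRequest($search)).Entries[0]

# A tombstone DN reads "CN=Alice Smith\0ADEL:<guid>,CN=Deleted Objects,DC=...".
# Rebuild the original DN from the RDN before "\0ADEL:" and lastKnownParent.
$rdn    = ($entry.DistinguishedName -split '\\0ADEL:')[0]
$parent = [string]$entry.Attributes['lastKnownParent'][0]
$newDn  = "$rdn,$parent"

# 2. Reanimate: in ONE modify operation, delete isDeleted and move the object back
#    under its parent by replacing distinguishedName. Sent as two separate
#    modifies, the DC rejects them.
$mod = New-Object "$ns.ModifyRequest"
$mod.DistinguishedName = $entry.DistinguishedName
$mod.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null

$undelete = New-Object "$ns.DirectoryAttributeModification"
$undelete.Name      = 'isDeleted'
$undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$move = New-Object "$ns.DirectoryAttributeModification"
$move.Name      = 'distinguishedName'
$move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$move.Add($newDn) | Out-Null

$mod.Modifications.Add($undelete) | Out-Null
$mod.Modifications.Add($move)     | Out-Null
$result = $conn.SendRequest($mod)
"Reanimated $newDn : $($result.ResultCode)"   # "Success" when the modify was accepted

# 3. The caveat from the lesson: a tombstone keeps objectGUID and objectSid but
#    not linked attributes such as memberOf, and a reanimated user account comes
#    back disabled without a password, so memberships and the password must be
#    re-established afterwards (compare the Recycle Bin, which keeps everything).
```

Because the objectSid survives, ACL entries that referenced the account keep working after reanimation; that is the main reason to prefer it over recreating the user by hand.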

Active Directory Recycle Bin


Windows Server 2008 R2 introduces a new recovery method for AD DS, the Active Directory Recycle Bin.
The Active Directory Recycle Bin allows you to restore deleted Active Directory objects without restoring
Active Directory data from backups, restarting AD DS, or rebooting domain controllers.
Question: One of your three domain controllers has experienced a full server failure. What type of restore
would be appropriate in this situation?


What Is the Database Mounting Tool?

Key Points
The Active Directory Database Mounting Tool (Dsamain.exe) allows administrators to view the contents of
a snapshot of AD DS. A snapshot captures the exact state of the directory service at the time of the
snapshot. Unlike a backup, a snapshot cannot be used to restore data.
By taking regular snapshots, you can compare data that was present in AD DS on specific dates and
determine which backup data needs to be restored. This tool only allows administrators to view data; it
cannot be used to restore data. You will need to use other tools to perform the actual restore.
You use the Ntdsutil Snapshot operation to take a point-in-time snapshot of AD DS. You can then use
Ntdsutil to mount the snapshot to a location. You then expose the data stored in the snapshot. Use the
database mounting tool (Dsamain.exe) to expose the snapshot as an LDAP server. Then, you can use any
existing LDAP tools, such as the built-in Ldp.exe, to view the data.
Note: You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You can

instead use a backup of AD DS or Active Directory Lightweight Directory Services (AD LDS) database
or another domain controller or AD LDS server. The ntdsutil snapshot operation simply provides a
convenient data input for Dsamain.exe.
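The snapshot, mount and Dsamain.exe steps above, followed by an LDAP comparison, look like this end to end. The script is an added example, not part of the course material; NYC-DC1, DC=contoso,DC=com, a snapshot on the C: volume, LDAP port 50000 and the two index values read from the "list all" output are assumed. It goes slightly beyond the text by doing the comparison with a script rather than by hand in Ldp.exe.

```powershell
# Added example (not course material): snapshot AD DS, expose it with Dsamain.exe,
# and list user accounts that existed at snapshot time but are gone from the live
# directory. Assumed: NYC-DC1, DC=contoso,DC=com, C: volume, port 50000.
# Run in an elevated prompt on NYC-DC1 as a domain administrator.

# 1. Create the snapshot (VSS based; the domain controller stays online).
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. "list all" prints pairs of entries: a snapshot line (date, GUID) followed by
#    one line per volume it contains. "mount" takes the volume index, "delete"
#    the snapshot index. The values below are ASSUMED from that listing.
ntdsutil snapshot "list all" quit quit
$snapIndex = 1
$volIndex  = 2
ntdsutil snapshot "list all" "mount $volIndex" quit quit

# The mount point is created as C:\$SNAP_<yyyymmddhhmm>_VOLUMEC$; take the newest.
$mountPath = Get-ChildItem 'C:\' -Filter '$SNAP_*' | Where-Object { $_.PSIsContainer } |
             Sort-Object Name | Select-Object -Last 1
$dit = Join-Path $mountPath.FullName 'Windows\NTDS\ntds.dit'

# 3. Serve the snapshot copy of ntds.dit as a read-only LDAP instance on port 50000.
$dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport 50000" -PassThru
Start-Sleep -Seconds 15    # give the instance time to open the database

# 4. Compare. ADSI is used rather than the AD module: Get-ADUser needs Active
#    Directory Web Services, which a Dsamain instance does not provide.
function Get-UserNames([string]$ldapPath) {
    $root     = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root,
        '(&(objectCategory=person)(objectClass=user))', @('sAMAccountName'))
    $searcher.PageSize = 1000
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}
$snapshotUsers = Get-UserNames 'LDAP://localhost:50000/DC=contoso,DC=com'
$liveUsers     = Get-UserNames 'LDAP://NYC-DC1/DC=contoso,DC=com'
Compare-Object $snapshotUsers $liveUsers |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "In snapshot, missing live: $($_.InputObject)" }

# 5. Clean up. The mounted ntds.dit contains the domain's password hashes, so stop
#    the LDAP instance, unmount and delete the snapshot as soon as you are done.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount $volIndex" "delete $snapIndex" quit quit
```

The output of step 4 tells you which backup to go to and what to restore; the restore itself still needs Ntdsutil's authoritative restore or the Active Directory Recycle Bin, as the text notes.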
Question: What permissions are required to take an AD DS snapshot?


Recover Objects Using the Active Directory Recycle Bin

Key Points
Windows Server 2008 R2 introduces the Active Directory Recycle Bin. This tool allows you to restore
deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or
rebooting domain controllers. Objects in the Active Directory Recycle Bin can be restored within the deleted
object lifetime (180 days by default) with all link-valued and non-link-valued attributes of the deleted
objects preserved. Objects are restored in their entirety to the same state that they were in immediately
before deletion. For example, a security group would be restored with its membership list, and its rights
and permissions intact.
The Active Directory Recycle Bin has no graphical interface. PowerShell commands are used to manipulate
deleted objects.

Requirements for the Active Directory Recycle Bin


To use the Active Directory Recycle Bin, there are certain requirements that must be met.

The forest functional level must be set to Windows Server 2008 R2. All domain controllers must be
running Windows Server 2008 R2. You can use the LDP.exe utility or use the Set-ADForestMode
PowerShell cmdlet to raise the forest level. This step is irreversible.
Important: If you are performing a clean installation of a Windows Server 2008 R2 Active Directory
forest, you do not have to run Adprep; your Active Directory schema will automatically contain all the
necessary attributes for Active Directory Recycle Bin to function properly. If, however, you are
introducing a Windows Server 2008 R2 domain controller into your existing Windows Server 2003 or
Windows Server 2008 forest, and subsequently upgrading the rest of the domain controllers to
Windows Server 2008 R2, you must run Adprep. By running Adprep, you update your Active Directory
schema with the attributes that are necessary for Active Directory Recycle Bin to function properly.


The Active Directory Recycle Bin must be specifically enabled. You can use the LDP.exe utility or use
the Enable-ADOptionalFeature PowerShell cmdlet to enable the Active Directory Recycle Bin. This
step is irreversible.
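The two requirements above and the PowerShell-only interface come together in the following script, an added example that is not part of the course material. It uses the Set-ADForestMode and Enable-ADOptionalFeature cmdlets named in the text and then recovers a deleted OU together with its former contents; the forest name contoso.com, the OU name Sales and its original location are assumed.

```powershell
# Added example (not course material): enable the Active Directory Recycle Bin and
# restore a deleted OU with its contents. Assumed: forest contoso.com, OU "Sales"
# that lived at OU=Sales,DC=contoso,DC=com. Run on a Windows Server 2008 R2 DC
# with rights to change forest-wide settings.
Import-Module ActiveDirectory

# 1. Prerequisites. Both the functional-level change and the feature enablement
#    are irreversible, so look at the DC inventory before touching either.
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
if ((Get-ADForest).ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest -Confirm:$false
}
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target contoso.com -Confirm:$false
}

# 2. How long objects stay recoverable: msDS-DeletedObjectLifetime, which is
#    unset (and therefore 180 days) until someone changes it.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime' |
    Select-Object 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

# 3. What is in the Recycle Bin, newest deletion first.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 4. Restore the OU first: a child cannot be restored while its parent is still
#    deleted. Keep the OU's deleted-object DN (the "\0ADEL:<guid>" form), because
#    that is what its children may record in lastKnownParent.
$deletedOu = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit" -and name -like "Sales*"' |
    Select-Object -First 1
Restore-ADObject -Identity $deletedOu.ObjectGUID
$restoredOu = 'OU=Sales,DC=contoso,DC=com'   # ASSUMED original location

# 5. Then every object that last lived directly under the OU, targeted explicitly
#    at the restored container. The parent match is done client-side (either form
#    of the parent DN) to avoid escaping "\0ADEL" inside an AD filter.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
    Where-Object { $_.lastKnownParent -eq $deletedOu.DistinguishedName -or
                   $_.lastKnownParent -eq $restoredOu } |
    Restore-ADObject -TargetPath $restoredOu

# 6. Verify that link-valued attributes came back: group memberships should be intact.
Get-ADObject -SearchBase $restoredOu -Filter * -Properties memberOf |
    Select-Object Name, ObjectClass, @{ n = 'Groups'; e = { $_.memberOf -join '; ' } }
```

Step 6 is the practical difference from tombstone reanimation: the restored users are enabled, keep their passwords and are still members of their groups, so no follow-up repair of memberships or ACLs is needed.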

Question: What permissions are required to enable Active Directory Recycle Bin?


Lesson 4

Troubleshooting Windows Server Startup

Sometimes a problem can arise that prevents Windows from starting properly. This lesson discusses
the common causes of startup problems, reviews the stages of the startup process that may be affected, and
explores the different troubleshooting techniques that you can use, depending on when the failure occurs.
After completing this lesson, you will be able to:

Describe common causes of startup issues.

Describe troubleshooting procedures before the Windows logo appears.

Describe troubleshooting procedures after the Windows logo appears.

Describe troubleshooting procedures after logon.


Common Causes of Startup Problems

Key Points
Diagnosing and correcting hardware and software problems that affect the startup process requires
different tools and techniques than troubleshooting problems that occur after the system has started,
because the person troubleshooting the startup problem does not have access to the full suite of
Microsoft Windows Server 2008 troubleshooting tools. Resolving startup issues requires a clear
understanding of the startup process, the core operating system components, and the tools used to
isolate and resolve problems.
Startup failure can result from a variety of problems, such as user error, driver problems, application faults,
hardware failures, disk or file corruption, system misconfiguration, or virus activity. If the condition is
serious enough, you might need to reinstall Windows.
Question: Can you think of situations where you had to troubleshoot a Windows startup problem? If so,
how did you resolve it?

Sep 7 2011 9:58PM


Warning: This is Nova 4, LLC's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed Content is
licensed as-is. Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties,
guarantees or conditions. Please report any unauthorized use of this content to piracy@microsoft.com or by calling +1

Nova 4, LLC
Managing Window Server 2008 Backup and Recovery

14-31

Troubleshooting Startup Before the Windows Logo Appears

Key Points
In earlier versions of Windows, a file called boot.ini contained information about the Windows operating
systems installed on the computer. In Windows Server 2008, the boot.ini file has been replaced with the Boot
Configuration Data (BCD) store. The BCD store is more versatile than boot.ini, and it can apply to computer
platforms that use means other than the basic input/output system (BIOS) to start the computer. The Windows
Boot Manager uses information from the BCD to manage the operating system startup process.
The boot environment is loaded before the operating system, making the boot environment independent
of the operating system. A boot loader, in its most basic form, loads the initial files required to start an
operating system. In a default installation of Windows Server 2008 R2, there is one boot loader reference
stored in Windows Boot Manager, called Windows Boot Loader, which launches the Windows Server 2008
R2 operating system. The Windows Boot Loader is stored in \Windows\System32\winload.exe and, when
started by Windows Boot Manager, it begins the initial load process of the operating system. Windows
Boot Manager controls the boot process using the information in the BCD store.
The BCD can be edited with the BCDEdit.exe command-line utility, which is found in the
Windows\System32 directory. BCDEdit has parameters that allow you to add, modify, delete, export, and
import entries in the data store. Running the BCDEdit command without any parameters displays the
current Windows Boot Manager information and the current Windows Boot Loader information.
In some cases you may need to repair the boot sector and master boot record (MBR), or replace the
startup files entirely. This can be done in the Windows Recovery Environment (WinRE) by booting from
the Windows Server 2008 installation disc.
If these measures fail to correct the problem, it may be a hardware issue. For example, check the physical
memory by removing the memory modules one at a time to see whether one of them is faulty.
Use this flow chart to see how to troubleshoot startup problems that occur before the Windows Server
2008 logo appears.
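The BCD store and BCDEdit described above lend themselves to a scripted check before anything is changed. The following PowerShell is an added example and is not part of the course: it exports a backup of the BCD store, parses the output of `bcdedit /enum` into objects, and reports whether each Windows Boot Loader entry still points at \Windows\system32\winload.exe. The backup folder C:\BCDBackup and the sample `bcdedit` output embedded at the end are assumptions made for the example.

```powershell
# Added example (not from the course): inspect and back up the BCD store with
# BCDEdit. Run from an elevated PowerShell prompt on Windows Server 2008 R2.
# C:\BCDBackup is a placeholder path chosen for this example.

function Backup-BcdStore {
    param([string]$BackupDir = 'C:\BCDBackup')
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $file = Join-Path $BackupDir ('BCD-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
    # 'bcdedit /export' copies the system store; 'bcdedit /import <file>' puts it back.
    & bcdedit.exe /export $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed (exit code $LASTEXITCODE)" }
    return $file
}

function ConvertFrom-BcdEnum {
    # Turn the text printed by 'bcdedit /enum' into one hashtable per entry.
    # An entry is a title ('Windows Boot Manager', 'Windows Boot Loader'), a
    # dashed underline, then 'name<spaces>value' lines; multi-valued settings
    # such as displayorder continue on indented lines.
    param([string[]]$Lines)
    $entries = @()
    $entry   = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '' -or $line -match '^-+$') { continue }
        if ($line -match '^(\S+)\s{2,}(.+)$' -and $entry) {
            $lastKey = $matches[1]
            if (-not $entry.ContainsKey($lastKey)) { $entry[$lastKey] = @() }
            $entry[$lastKey] += $matches[2].Trim()
        }
        elseif ($line -match '^\s+(\S.*)$' -and $entry -and $lastKey) {
            $entry[$lastKey] += $matches[1].Trim()      # continuation of a multi-valued setting
        }
        else {
            $entry = @{ EntryType = $line.Trim() }      # a new section title starts an entry
            $lastKey = $null
            $entries += $entry
        }
    }
    return $entries
}

function Test-BootLoaderEntry {
    # Report every Windows Boot Loader entry and whether its path is the default winload.exe.
    param([string[]]$Lines = (& bcdedit.exe /enum))
    foreach ($e in (ConvertFrom-BcdEnum -Lines $Lines)) {
        if ($e.EntryType -ne 'Windows Boot Loader') { continue }
        $path = [string]$e['path']
        New-Object PSObject -Property @{
            Identifier     = [string]$e['identifier']
            Description    = [string]$e['description']
            Device         = [string]$e['device']
            Path           = $path
            PathAsExpected = ($path -ieq '\Windows\system32\winload.exe')
        }
    }
}

# Constructed sample of 'bcdedit /enum' output, so the parser can be tried offline.
$sample = @(
    'Windows Boot Manager',
    '--------------------',
    'identifier              {bootmgr}',
    'device                  partition=\Device\HarddiskVolume1',
    'description             Windows Boot Manager',
    'displayorder            {current}',
    '                        {exampleother}',       # constructed placeholder identifier
    '',
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'device                  partition=C:',
    'path                    \Windows\system32\winload.exe',
    'description             Windows Server 2008 R2'
)
Test-BootLoaderEntry -Lines $sample | Format-Table Identifier, Description, Path, PathAsExpected -AutoSize

# Against the live store: back up first, then inspect.
# $backupFile = Backup-BcdStore
# Test-BootLoaderEntry | Format-Table -AutoSize
# To record the next start in %SystemRoot%\ntbtlog.txt (quote the braces for PowerShell):
# & bcdedit.exe /set '{default}' bootlog yes
```

The export is deliberately taken before any `bcdedit /set` call so that a mistaken edit can be reversed with `bcdedit /import` from WinRE, where the full toolset the lesson mentions is not available.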


Question: Based on this flowchart, what would you say are the most common causes of Windows failing
to start before the Windows logo appears?


Troubleshooting Startup After the Windows Logo Appears

Key Points
If your computer displays the graphical Windows Server 2008 logo before failing, use the process
illustrated in the flowchart below to identify and disable the failing software component to allow Windows
to start successfully. This type of problem is commonly caused by a device driver or by corruption
of registry information. After Windows starts, you can further troubleshoot the problem with the
component, if necessary.
If the startup problem occurs immediately after updating or installing a startup application, try
troubleshooting the startup application.
When you are troubleshooting, the method for determining which services and processes to temporarily
disable varies from one computer to the next. The most reliable way to determine what you can disable is
to gather more information about the services and processes enabled on your computer.
Windows Server 2008 includes several tools and features to generate a variety of logs that can provide
you with valuable troubleshooting information:
• Event Viewer
• Sc.exe
• System Information
• Error Reporting Service
• MSConfig
• Boot logs

If startup fails after the Windows Server 2008 logo appears on screen, refer to the following flowchart:
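The tools listed above each produce a different piece of evidence. As an added example that is not part of the course, the following PowerShell collects three of them into one report: the System event log entries that explain a failed or dirty start, automatic services that are not running (the Sc.exe view), and the drivers that the boot log says did not load. It assumes boot logging was enabled beforehand so that %SystemRoot%\ntbtlog.txt exists; the boot-log lines at the end are constructed for the demonstration.

```powershell
# Added example (not from the course): gather the startup evidence that Event
# Viewer, Sc.exe and the boot log provide. Needs boot logging enabled beforehand
# (bcdedit /set '{default}' bootlog yes) for %SystemRoot%\ntbtlog.txt to exist.
# Run in an elevated PowerShell prompt; the sample log lines below are constructed.

function Get-BootLogFailure {
    # ntbtlog.txt names every driver as 'Loaded driver <path>' or
    # 'Did not load driver <path>'; only the second kind is of interest here.
    param([string[]]$Lines = (Get-Content (Join-Path $env:SystemRoot 'ntbtlog.txt')))
    foreach ($line in $Lines) {
        if ($line -match '^\s*Did not load driver\s+(.+?)\s*$') {
            New-Object PSObject -Property @{ Driver = $matches[1]; Source = 'ntbtlog.txt' }
        }
    }
}

function Get-StartupEventFailure {
    # System log events that explain a failed or unclean start:
    #   7026 Service Control Manager: boot-start/system-start driver(s) failed to load
    #   7000 / 7001 Service Control Manager: a service (or a dependency) failed to start
    #   6008 EventLog: the previous shutdown was unexpected
    #     41 Kernel-Power: the system rebooted without a clean shutdown
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'System'
        Id        = 7026, 7000, 7001, 6008, 41
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-StoppedAutomaticService {
    # The sc.exe / Services view: automatic services that are not running.
    # Delayed-start services may legitimately still be starting shortly after logon.
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State, ExitCode, PathName
}

function Get-StartupReport {
    param([int]$Hours = 24)
    $drivers = @()
    if (Test-Path (Join-Path $env:SystemRoot 'ntbtlog.txt')) { $drivers = @(Get-BootLogFailure) }
    New-Object PSObject -Property @{
        StartupEvents       = @(Get-StartupEventFailure -Hours $Hours)
        DriversNotLoaded    = $drivers
        StoppedAutoServices = @(Get-StoppedAutomaticService)
    }
}

# Constructed sample of ntbtlog.txt lines, to try the parser without rebooting.
$sampleBootLog = @(
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\system32\drivers\disk.sys',
    'Did not load driver \SystemRoot\system32\drivers\examplefilter.sys'   # constructed name
)
Get-BootLogFailure -Lines $sampleBootLog | Format-Table Driver, Source -AutoSize

# On the live server:
# $report = Get-StartupReport -Hours 48
# $report.StartupEvents       | Format-Table TimeCreated, Id, ProviderName -AutoSize
# $report.DriversNotLoaded    | Format-Table Driver -AutoSize
# $report.StoppedAutoServices | Format-Table Name, State, ExitCode -AutoSize
```

A driver that appears in DriversNotLoaded and again in a 7026 event is the usual candidate for the "disable the failing component" step of the flowchart; the PathName of a stopped automatic service tells you which binary to examine before deciding whether to disable it.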


Question: Based on the flowchart, what would you say are the most common causes of Windows failing
to start after the Windows logo appears?


Troubleshooting Startup Problems After Logon

Key Points
If your computer fails immediately after a user logs on, use the process shown below to identify and
disable the failing startup application to enable successful logon. If the problem occurs immediately after
updating or installing an application, try uninstalling the application.
If a problem occurs after installing new software, you can temporarily disable or uninstall the application
to verify that the application is the source of the problem.
Problems with applications that run at startup can cause logon delays or even prevent you from
completing Windows startup in Normal mode. The following section provides techniques for temporarily
disabling startup applications.

Disabling Startup Applications by Using the SHIFT Key

One way you can simplify your configuration is to disable startup applications. By holding down the SHIFT
key during the logon process, you can prevent the operating system from running startup programs or
shortcuts.
If startup fails after logon, refer to the following flowchart:
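Before deciding which startup application to disable, it helps to know exactly what runs at logon. The following PowerShell is an added example, not part of the course: it lists the Run and RunOnce registry values and the contents of the per-user and all-users Startup folders (the items the SHIFT key skips and MSConfig can disable), and flags entries whose executable no longer exists, a common leftover after an uninstall. It is read-only and only reports; the registry paths and folder layout are the standard ones for Windows Vista and later.

```powershell
# Added example (not from the course): inventory the startup applications launched
# at logon and flag those whose target executable is missing. Read-only.

function Get-ExecutablePath {
    # Pull the program path out of a Run value such as
    #   "C:\Program Files\Example\app.exe" /silent     or     C:\tools\app.exe -x
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+)')     { return [Environment]::ExpandEnvironmentVariables($matches[1]) }
    return $Command
}

function Test-TargetExists {
    # True when the path exists, or when a bare name (rundll32.exe ...) is found on the PATH.
    param([string]$Path)
    if (-not $Path) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    return [bool](Get-Command -Name $Path -ErrorAction SilentlyContinue)
}

function Get-StartupApplication {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            $exe = Get-ExecutablePath -Command ([string]$p.Value)
            New-Object PSObject -Property @{
                Location      = $key
                Name          = $p.Name
                Command       = [string]$p.Value
                TargetMissing = -not (Test-TargetExists $exe)
            }
        }
    }
    # Startup folders: per-user and all users (Windows Vista and later layout)
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        $items = Get-ChildItem -Path $folder -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' }
        foreach ($item in $items) {
            $target = $item.FullName
            if ($item.Extension -ieq '.lnk') {
                # Resolve the shortcut so that a dangling .lnk is reported as missing too
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
            }
            New-Object PSObject -Property @{
                Location      = $folder
                Name          = $item.Name
                Command       = $target
                TargetMissing = -not (Test-TargetExists $target)
            }
        }
    }
}

# Typical use: list everything, then look only at the suspicious rows.
Get-StartupApplication | Sort-Object Location, Name |
    Format-Table Location, Name, Command, TargetMissing -AutoSize
Get-StartupApplication | Where-Object { $_.TargetMissing }
```

Run the inventory once while the server is healthy and keep the output; comparing it with the list taken after a logon failure shows which entry is new, which is usually faster than disabling items one at a time.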


Question: Based on the flowchart, what would you say are the most common causes of Windows failing
to start after logon?


Lab B: Recovering Active Directory Objects

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1 and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 - 4 for 6419B-NYC-DC2. Be sure to start 6419B-NYC-DC2 after DC1 has fully started.


Exercise 1: Enabling Active Directory Recycle Bin

Scenario
The Contoso, Ltd. domain controller also acts as a file and print server. In the past, the company has
occasionally had to restore Active Directory objects that were accidentally deleted. This has caused loss of
productivity because of server downtime. Contoso, Ltd. wants to be able to restore Active Directory
objects without causing any downtime of the domain controller.
In this exercise, you will:
• Raise the forest functional level.
• Enable the Active Directory Recycle Bin.

Task 1: Raise the forest functional level.
1. On NYC-DC1, start the Active Directory Module for Windows PowerShell.
2. Run the following command.

Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Task 2: Enable the Active Directory Recycle Bin.
In the Active Directory Module for Windows PowerShell, run the following command.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target contoso.com

Results: After completing this exercise, you should have raised the forest functional level and enabled
Active Directory Recycle Bin.


Exercise 2: Restoring a Deleted Active Directory Object

Scenario
You will test the effectiveness of restore methods by restoring Active Directory objects from the Active
Directory Recycle Bin by using different methods.
In this exercise, you will:
• Delete an Active Directory object.
• Use LDP.exe to display the Deleted Objects container.
• Restore a deleted AD object by using LDP.exe.
• Use Windows PowerShell to restore a deleted AD object.

Task 1: Delete Active Directory objects.
Use Active Directory Users and Computers to delete the following users:
• Dylan Miller
• Allan Brewer

Task 2: Use LDP.exe to display the Deleted Objects container.
1. Start an administrative command prompt and then start LDP.exe.
2. Configure LDP to return deleted objects.
3. Connect and bind to the local server.
4. View the Contoso.com tree.
5. Expand the tree to expose the Deleted Objects container.

Task 3: Restore a deleted AD object by using LDP.exe.
1. In the Deleted Objects container, modify Dylan Miller as follows:
   • Delete the isDeleted attribute.
   • Replace the distinguishedName attribute with CN=Dylan Miller,OU=Research,DC=Contoso,DC=Com
   • Select the Extended check box.
2. Ensure that Dylan Miller's user account has been restored to Active Directory.

Task 4: Use Windows PowerShell to restore a deleted Active Directory object.
1. Start the Active Directory Module for Windows PowerShell as Administrator.
2. Run the following command.

Get-ADObject -Filter {displayName -eq "Alan Brewer"} -IncludeDeletedObjects | Restore-ADObject

3. Ensure that Alan Brewer's user account has been restored to Active Directory.
Results: After completing this exercise, you should have used LDP.exe to view deleted objects, and
restored objects by using both LDP.exe and Windows PowerShell.
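The two exercises above enable the Recycle Bin and then restore single objects by display name. The following PowerShell is an added example, not part of the course lab: it checks both prerequisites from Exercise 1 (forest functional level and the optional feature's enabled scopes) and then generalizes the Exercise 2 restore to every deleted object whose last known parent was a given OU, verifying each restored object afterwards. It assumes the Active Directory Module for Windows PowerShell on a Windows Server 2008 R2 domain controller; OU=Research,DC=contoso,DC=com is the lab's OU.

```powershell
# Added example (not from the course): check the Lab B prerequisites and restore
# every deleted object whose last known parent was a given OU, verifying each one.
# Run in the Active Directory Module for Windows PowerShell on a domain controller.
Import-Module ActiveDirectory

function Test-ADRecycleBinReady {
    $forest = Get-ADForest
    # Windows2008R2Forest is the minimum level; later levels compare higher.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    New-Object PSObject -Property @{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        ForestModeOk      = ([int]$forest.ForestMode -ge [int]$minimum)
        RecycleBinEnabled = (@($feature.EnabledScopes).Count -gt 0)
        FeatureDN         = $feature.DistinguishedName
    }
}

function Restore-DeletedObjectsFromOU {
    param(
        [Parameter(Mandatory = $true)][string]$LastKnownParent,
        [switch]$WhatIf
    )
    # A child cannot be restored into a parent that is itself deleted; restore the
    # parent first (by its own lastKnownParent) if this check fails.
    try { Get-ADObject -Identity $LastKnownParent -ErrorAction Stop | Out-Null }
    catch { throw "Parent $LastKnownParent does not exist; restore it before its children." }

    # Deleted objects keep lastKnownParent, a safer selector than a display name
    # that a live account might also carry. The DN is placed in the filter as-is,
    # so escape '(', ')' and '*' per RFC 4515 if your OU name contains them.
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$LastKnownParent))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    foreach ($obj in $deleted) {
        Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIf
        $restored   = $null
        $restoredDn = '(WhatIf)'
        if (-not $WhatIf) {
            # Re-read the object by GUID: a successful restore clears the Deleted flag
            $restored   = Get-ADObject -Identity $obj.ObjectGUID
            $restoredDn = $restored.DistinguishedName
        }
        New-Object PSObject -Property @{
            Name       = ($obj.Name -split "`n")[0]    # strip the DEL:<guid> suffix of a tombstone name
            ObjectGUID = $obj.ObjectGUID
            DeletedAt  = $obj.whenChanged               # the deletion is the last change recorded
            RestoredDN = $restoredDn
            Verified   = ($restored -ne $null -and -not $restored.Deleted)
        }
    }
}

$ready = Test-ADRecycleBinReady
$ready | Format-List Forest, ForestMode, ForestModeOk, RecycleBinEnabled
if ($ready.ForestModeOk -and $ready.RecycleBinEnabled) {
    # Preview first with -WhatIf; drop the switch to perform the restore.
    Restore-DeletedObjectsFromOU -LastKnownParent 'OU=Research,DC=contoso,DC=com' -WhatIf |
        Format-Table Name, DeletedAt, RestoredDN, Verified -AutoSize
}
```

Selecting by lastKnownParent rather than by displayName avoids two failure modes of the single-user command in Task 4: a display name that matches both a live and a deleted object, and a deleted object whose parent OU was deleted with it and must be restored first.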


To revert the virtual machines

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1 and 6419B-NYC-DC2.


Module Review and Takeaways

Review Questions
1. How do you know whether your backups are successful?
2. What provisions should you make for backup storage?
3. What must the forest functional level be to use the Active Directory Recycle Bin?

Common Issues Related to Backup and Recovery Technologies

Identify the causes for the following common issues related to backup and recovery technologies, and fill
in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: The system will not start and does not even get to the Power On Self Test (POST) in the startup
process. What can be the issue?
Troubleshooting tip: When the system cannot even run the POST, the issue can be corrupt memory.

Issue: The system will not start and displays a message stating that the operating system could not be
located. What can be the issue?
Troubleshooting tip: The probable cause is a hardware failure. The disk may be unrecoverable.


Real-World Issues and Scenarios

1. Your company has upgraded all servers to Windows Server 2008 R2 and is now investigating the use
of the Windows Server Backup feature. The company already has a large investment in robotic tape
libraries and tape media that they wish to use. What should you recommend?
2. The domain controller at a branch office has suffered a hardware failure. What type of restore should
be performed?

Best Practices Related to Backup and Recovery Technologies

Supplement or modify the following best practices for your own work situations:
• Verify that access to restored data is only available to authorized users.
• Review backup log files after each backup.
• Verify that the restoration of all files has been successful by reviewing the associated log files.
• Regularly review your backup policy by performing a trial restore of data.
• At a minimum, back up two domain controllers in each domain, one of which should be an
operations master role holder.
• Store backup data offsite.

Tools

Windows Server Backup Console
  Use for: Scheduling backups of the Windows Server 2008 operating system data; performing manual
  backups of Windows Server 2008 data
  Where to find it: On the Administrative Tools menu, after you have installed the Backup feature

Wbadmin.exe
  Use for: Scripting Windows Server 2008 backup tasks
  Where to find it: At the command prompt, after you have installed the Backup feature

Database Mounting Tool
  Use for: Exposing AD DS snapshots as LDAP servers
  Where to find it: At the command prompt, Dsamain.exe

Ntdsutil
  Use for: Creating snapshots of AD DS; many other AD DS management functions
  Where to find it: At the command prompt

Active Directory Recycle Bin
  Use for: Restoring deleted Active Directory objects
  Where to find it: After it is enabled, you can use LDP.exe or PowerShell cmdlets to manage deleted objects


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Appendix A
Implementing DirectAccess
Contents:
Exercise 1: Configuring the AD DS domain controller and DNS  A-4
Exercise 2: Configuring the PKI environment  A-6
Exercise 3: Configuring the DirectAccess Clients and testing Intranet Access  A-9
Exercise 4: Configuring the DirectAccess server  A-11
Exercise 5: Verifying DirectAccess functionality  A-13


Lab: Implementing DirectAccess

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso
5. Repeat steps 2 to 4 for 6419B-NYC-SVR1, 6419B-NYC-EDGE1, 6419B-INET1, and 6419B-NYC-CL1.

Lab Scenario
You are the server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce
that carries laptops to stay connected. Your organization wants to provide a secure solution to protect
data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central
administration, and management of remote computers.


For this project, you must complete the following tasks:
• Configure AD DS and DNS to support DirectAccess.
• Configure the PKI environment.
• Configure the DirectAccess clients and test intranet and Internet access.
• Configure the DirectAccess server.
• Verify DirectAccess functionality.


Exercise 1: Configuring the AD DS domain controller and DNS

Task 1: Create a security group for DirectAccess computers.
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, expand Contoso.com, right-click Users,
point to New, and then click Group.
4. In the New Object - Group dialog box, under Group name, type DA_Clients.
5. Under Group scope, select Global, under Group type, choose Security, and then click OK.
6. In the details pane, double-click DA_Clients.
7. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
8. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click
Computers, and then click OK.
9. Under Enter the object names to select (examples), type NYC-CL1, and then click OK.
10. Verify that NYC-CL1 is displayed below Members, and then click OK.
11. Close the Active Directory Users and Computers console.

Task 2: Configure firewall rules for ICMPv6 traffic.
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, open Forest: Contoso.com\Domains\contoso.com.
3. In the console tree, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security.
5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
6. On the Rule Type page, click Custom, and then click Next.
7. On the Program page, click Next.
8. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
10. Click Next.
11. On the Scope page, click Next.
12. On the Action page, click Next.
13. On the Profile page, click Next.
14. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.
15. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.
16. On the Rule Type page, click Custom, and then click Next.
17. On the Program page, click Next.
18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.


19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
20. Click Next.
21. On the Scope page, click Next.
22. On the Action page, click Allow the connection, and then click Next.
23. On the Profile page, click Next.
24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.
25. Close the Group Policy Management Editor and Group Policy Management consoles.

Task 3: Create required DNS records on NYC-DC1.
1. Click Start, point to Administrative Tools, and then click DNS.
2. In the console tree of DNS Manager, expand NYC-DC1\Forward Lookup Zones\contoso.com.
3. Right-click contoso.com, and then click New Host (A or AAAA).
4. In the Name box, type nls. In the IP address box, type 10.10.0.11. Click Add Host, and then click OK.
5. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In the IP
address box, type 10.10.0.15, and then click Add Host.
6. In the DNS dialog box informing you that the record was created, click OK.
7. Click Done in the New Host dialog box.
8. Close the DNS Manager console.

Task 4: Remove ISATAP from the DNS global query block list.
1. Click Start, click All Programs, click Accessories, and then click Command Prompt.
2. In the Command Prompt window, type the following command, and then press Enter.

dnscmd /config /globalqueryblocklist wpad

3. Close the Command Prompt window.
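Before moving on to the PKI exercise it is worth confirming that Tasks 1 to 4 took effect, because each later exercise depends on them. The following PowerShell is an added example and not part of the course lab: run on NYC-DC1, it checks that NYC-CL1 is a member of DA_Clients, that both ICMPv6 echo rules appear in the Default Domain Policy report, that nls and crl resolve to the lab addresses, and that isatap is gone from the DNS global query block list while wpad remains (the `dnscmd /config /globalqueryblocklist wpad` command replaces the whole list with the names given, so wpad must still be listed). It assumes the ActiveDirectory and GroupPolicy modules of Windows Server 2008 R2 and uses the lab's names and addresses.

```powershell
# Added example (not from the course): verify the results of Exercise 1 on NYC-DC1.
# Names and addresses are the lab's; adjust them for another environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail = '')
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-DirectAccessPrereq {
    param(
        [string]$GroupName    = 'DA_Clients',
        [string]$ClientName   = 'NYC-CL1',
        [string]$GpoName      = 'Default Domain Policy',
        [string[]]$RuleNames  = @('Inbound ICMPv6 Echo Requests', 'Outbound ICMPv6 Echo Requests'),
        [hashtable]$ExpectedRecords = @{ 'nls.contoso.com' = '10.10.0.11'; 'crl.contoso.com' = '10.10.0.15' },
        [string]$DnsServer    = 'NYC-DC1'
    )
    # 1. Group membership: computer accounts carry a trailing $ on their SAM account name
    $members = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object { $_.SamAccountName })
    New-CheckResult "$ClientName is a member of $GroupName" ($members -contains "$ClientName`$") ($members -join ', ')

    # 2. Firewall rules: the GPO report names each rule exactly as typed in the wizard
    $report = Get-GPOReport -Name $GpoName -ReportType Xml
    foreach ($rule in $RuleNames) {
        New-CheckResult "GPO rule '$rule' present" ($report -match [regex]::Escape($rule)) $GpoName
    }

    # 3. DNS host records: resolve through the server's own resolver
    foreach ($name in $ExpectedRecords.Keys) {
        $addresses = @()
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
        } catch { }
        New-CheckResult "$name resolves to $($ExpectedRecords[$name])" `
            ($addresses -contains $ExpectedRecords[$name]) ($addresses -join ', ')
    }

    # 4. Global query block list: '/config /globalqueryblocklist wpad' replaced the whole
    #    list, so wpad must still be present and isatap must be absent
    $blockList = @(& dnscmd.exe $DnsServer /info /globalqueryblocklist)
    $joined = ($blockList -join ' ').Trim()
    New-CheckResult 'isatap removed from global query block list' ($joined -inotmatch 'isatap') $joined
    New-CheckResult 'wpad still on global query block list'       ($joined -imatch 'wpad')      $joined
}

Test-DirectAccessPrereq | Format-Table Check, Passed, Detail -AutoSize
```

A failed isatap check is the one to fix before Exercise 4: while the name stays on the block list, the DNS server refuses to answer for it and DirectAccess clients on the intranet cannot locate the ISATAP router.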


Exercise 2: Configuring the PKI environment

Task 1: Configure the CRL distribution settings.
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the details pane, right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box, click the Extensions tab.
4. On the Extensions tab, click Add. In the Location box, type http://crl.contoso.com/crld/.
5. In Variable, click <CAName>, and then click Insert.
6. In Variable, click <CRLNameSuffix>, and then click Insert.
7. In Variable, click <DeltaCRLAllowed>, and then click Insert.
8. In Location, type .crl at the end of the Location string, and then click OK.
9. Select Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP
extension of issued certificates, and then click Apply. Click No in the dialog box asking you to
restart Active Directory Certificate Services.
10. Click Add.
11. In Location, type \\nyc-Edge1\crldist$\.
12. In Variable, click <CaName>, and then click Insert.
13. In Variable, click <CRLNameSuffix>, and then click Insert.
14. In Variable, click <DeltaCRLAllowed>, and then click Insert.
15. In Location, type .crl at the end of the string, and then click OK.
16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.
17. Click Yes to restart Active Directory Certificate Services.
18. Close the Certification Authority console.

Task 2: Install the Web Server role on NYC-EDGE1.
1. Switch to NYC-EDGE1.
2. On the taskbar, click Server Manager.
3. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click
Next.
4. On the Select Server Roles page, click Web Server (IIS), and then click Next three times.
5. Click Install.
6. Verify that all installations were successful, and then click Close.
7. Leave the Server Manager window open.

Task 3: Create the CRL distribution point on NYC-EDGE1.
1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS)
Manager.
2. In the console tree, browse to NYC-EDGE1\Sites\Default Web Site, right-click Default Web Site,
and then click Add Virtual Directory.
3. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the
ellipsis button.
4. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
5. Type CRLDist, and then press Enter. Click OK in the Browse for Folder dialog box.
6. Click OK in the Add Virtual Directory dialog box.
7. In the middle pane of the console, double-click Directory Browsing, and in the details pane, click
Enable.
8. In the console tree, click the CRLD folder.


9. In the middle pane of the console, double-click the Configuration Editor icon.
10. Click the down-arrow for the Section drop-down list, and then browse to
system.webServer\security\requestFiltering.
11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value
from False to True.
12. In the details pane, click Apply.

Task 4: Share and secure the CRL distribution point.
1. Click Start, and then click Computer.
2. Double-click Local Disk (C:).
3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.
4. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, select Share this folder.
6. In Share name, add a $ to the end so that the share name is CRLDist$.
7. In the Advanced Sharing dialog box, click Permissions.
8. In the Permissions for CRLDist$ dialog box, click Add.
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
10. In the Object Types dialog box, select Computers, and then click OK.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select box, type NYC-DC1, and then click Check Names. Click OK.
12. In the Permissions for CRLDist$ dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the
Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control.
Click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the CRLDist Properties dialog box, click the Security tab.
15. On the Security tab, click Edit.
16. In the Permissions for CRLDist dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select Computers. Click OK.
19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select box, type NYC-DC1, click Check Names, and then click OK.
20. In the Permissions for CRLDist dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group
or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control, and then
click OK.
21. In the CRLDist Properties dialog box, click Close.
22. Close the Windows Explorer window.

Task 5: Publish the CRL to NYC-EDGE1.

1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Certification Authority.
3. In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then
click Publish.
4. In the Publish CRL dialog box, click New CRL, and then click OK.
5. Click Start, type \\NYC-EDGE1\CRLDist$, and then press ENTER.
6. In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.
7. Close the Windows Explorer window.
8. Close the Certification Authority console.

Task 6: Configure permissions on the web server certificate template.

1. Click Start, type certtmpl.msc, and then press ENTER.
2. In the contents pane, right-click the Web Server template, and then click Properties.
3. Click the Security tab, and then click Authenticated Users.
4. In the Permissions for Authenticated Users window, click Enroll under Allow, and then click OK.
5. Close the Certificate Templates console.

Task 7: Configure computer certificate auto-enrollment.

1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer
Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click
Automatic Certificate Request.
6. In Automatic Certificate Request Wizard, click Next.
7. On the Certificate Template page, click Computer, click Next, and then click Finish.
8. Close the Group Policy Management Editor and close the Group Policy Management console.

Exercise 3: Configuring the DirectAccess Clients and testing Intranet Access

Task 1: Create a shared folder.

1. Switch to NYC-SVR1.
2. Click Start, and then click Computer.
3. Double-click Local Disk (C:).
4. Click New folder, type Files, and then press ENTER. Leave the Local Disk window open.
5. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as
administrator.
6. In the Untitled Notepad window, type This is a shared file.
7. Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the
Files folder.
8. In File name, type example.txt, and then click Save. Close the Notepad window.
9. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific
people.
10. Click Share, and then click Done.
11. Close the Local Disk window.

Task 2: Request a certificate for NYC-SVR1.

1. On the taskbar, click Server Manager.
2. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click
Next.
3. On the Select Server Roles page, click Web Server (IIS), and then click Next three times.
4. Click Install.
5. Verify that all installations were successful, and then click Close.
6. Click Start, type mmc, and then press ENTER.
7. Click File, and then click Add/Remove Snap-in.
8. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
9. In the console tree of the Certificates snap-in, open Certificates
(Local Computer)\Personal\Certificates.
10. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
11. Click Next twice.
12. On the Request Certificates page, click Web Server, and then click More information is required
to enroll for this certificate.
13. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select
Common Name.
14. In Value, type nls.contoso.com, and then click Add.
15. Click OK, click Enroll, and then click Finish.

16. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.contoso.com was enrolled with Intended Purposes of Server Authentication.

Task 3: Change the HTTPS bindings.

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS)
Manager.
2. In the console tree of Internet Information Services (IIS) Manager, open NYC-SVR1/Sites, and then
click Default Web Site.
3. In the Actions pane, click Bindings. Click Add.
4. In the Add Site Bindings dialog box, click https, in SSL Certificate, click the certificate with the
name nls.contoso.com, click OK, and then click Close.
5. Close the Internet Information Services (IIS) Manager console.

Task 4: Install a certificate on the client computer.

1. Switch to NYC-CL1.
2. Click Start, type mmc, and then press ENTER.
3. Click File, and then click Add/Remove Snap-in.
4. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
5. In the console tree, expand Certificates (Local Computer)\Personal\Certificates.
6. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with
Intended Purposes of Client Authentication and Server Authentication.
7. Close the console window. When you are prompted to save settings, click No.

Task 5: Test the intranet access.

1. From the taskbar, click the Internet Explorer icon.
2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites
window, click No, don't turn on, and then click Next. In the Choose your settings dialog box, click
Use express settings, and then click Finish.
3. On the toolbar, click Tools, and then click Internet Options. On Home page, click Use blank, and
then click OK.
4. In the Address bar, type http://nyc-svr1.contoso.com/, and then press ENTER. You should see the
default IIS 7 web page for NYC-SVR1.
5. In the Address bar, type https://nls.contoso.com/, and then press ENTER. You should see the
default IIS 7 web page for NYC-SVR1.
6. Leave the Internet Explorer window open.
7. Click Start, type \\NYC-SVR1\Files, and then press ENTER.
8. You should see a folder window with the contents of the Files shared folder.
9. In the Files shared folder window, double-click the Example.txt file. You should see the contents of
the Example.txt file.
10. Close all open windows.

Exercise 4: Configuring the DirectAccess server

Task 1: Obtain required certificates for NYC-EDGE1.

1. Switch to NYC-EDGE1.
2. Click Start, type mmc, and then press ENTER.
3. Click File, and then click Add/Remove Snap-in.
4. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish,
and then click OK.
5. In the console tree of the Certificates snap-in, open Certificates
(Local Computer)\Personal\Certificates.
6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
7. Click Next twice.
8. On the Request Certificates page, click Web Server, and then click More information is required
to enroll for this certificate.
9. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select
Common Name.
10. In the Value box, type nyc-edge1.contoso.com, and then click Add.
11. Click OK, click Enroll, and then click Finish.
12. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication.
13. Right-click the certificate, and then click Properties.
14. In Friendly Name, type IP-HTTPS Certificate, and then click OK.
15. Close the console window. If you are prompted to save settings, click No.

Task 2: Install the DirectAccess feature on NYC-EDGE1.

1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the main window, under Features Summary, click Add Features.
3. On the Select Features page, select DirectAccess Management Console.
4. In the Add Features Wizard window, click Add Required Features.
5. On the Select Features page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 3: Run DirectAccess setup wizard on NYC-EDGE1.

1. Open a command prompt and type GPUpdate /force. Close the command prompt.
2. Click Start, point to Administrative Tools, and then click DirectAccess Management.
3. In the console tree, click Setup. In the details pane, click Configure for step 1.
4. On the DirectAccess Client Setup page, click Add.
5. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.
6. Click Configure for step 2.

7. On the Connectivity page, for Interface connected to the Internet, select the interface named
Public. For Interface connected to the internal network, select Local Area Connection, and then
click Next.
Note: If you receive a warning that the local area connection network adapter must be connected to
a domain network, close the DirectAccess Management console. Open Server Manager, and click
Configure Network Connections. Disable Local Area Connection, and re-enable it. Restart the
DirectAccess Management console.
8. On the Certificate Components page, for Select the root certificate to which remote client
certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate,
and then click OK.
9. For Select the certificate that will be used to secure remote client connectivity over HTTPS,
click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and
then click Finish.
10. Click Configure for step 3.
11. On the Location page, click Network Location server is run on a highly available server, type
https://nls.contoso.com, click Validate, and then click Next.
12. On the DNS and Domain Controller page, note the entry for the name contoso.com with the IPv6
address 2002:836b:2:1:0:5efe:10.10.0.10. This IPv6 address is assigned to NYC-DC1 and is
composed of a 6to4 network prefix (2002:836b:2:1::/64) and an ISATAP-based interface identifier
(::0:5efe:10.0.0.1). Click Next.
13. On the Management page, click Finish.
14. Click Configure for step 4. On the DirectAccess Application Server Setup page, click Finish.
15. Click Save, and then click Finish.
16. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration
message box, click OK.

Exercise 5: Verifying DirectAccess functionality

Task 1: Create DNS records on INET1.

1. Switch to INET1.
2. Click Start, point to Administrative Tools, and then click DNS.
3. In the console tree, right-click contoso.com, and then click New Host (A or AAAA).
4. In the Name box, type crl. In IP address, type 131.107.0.2.
5. Click Add Host, click OK, and then click Done.
6. Close the DNS console.

Task 2: Update IPv6 configuration on NYC-SVR1 and NYC-DC1.

1. Switch to NYC-SVR1.
2. Click Start, click All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type the following command, and then press ENTER.

net stop iphlpsvc

4. At the command prompt, type the following command, and then press ENTER.

net start iphlpsvc

5. At the command prompt, type the following command, and then press ENTER. Verify that the server
has been issued an ISATAP address that ends with 10.10.0.11.

ipconfig

6. Close the Command Prompt window.
7. Switch to NYC-DC1.
8. Click Start, click All Programs, click Accessories, and then click Command Prompt.
9. At the command prompt, type the following command, and then press ENTER.

net stop iphlpsvc

10. At the command prompt, type the following command, and then press ENTER.

net start iphlpsvc

11. At the command prompt, type the following command, and then press ENTER. Verify that the server
has been issued an ISATAP address that ends with 10.10.0.10.

ipconfig

12. Close the Command Prompt window.

Task 3: Update GPO and IPv6 settings on NYC-CL1.

1. Switch to NYC-CL1.
2. Restart NYC-CL1 and then log back on as Contoso\Administrator with the password of Pa$$w0rd.
This is to ensure that the NYC-CL1 computer connects to the domain as a member of the DA_Clients
security group.

3. Click Start, click All Programs, click Accessories, and then click Command Prompt.
4. At the command prompt, type the following command, and then press ENTER.

gpupdate

5. At the command prompt, type the following command, and then press ENTER.

net stop iphlpsvc

6. At the command prompt, type the following command, and then press ENTER.

net start iphlpsvc

7. At the command prompt, type the following command, and then press ENTER. Verify that the computer
has been issued an ISATAP address that ends with 10.10.0.51.

ipconfig

8. At the command prompt, type the following command, and then press ENTER.

Gpresult -R

9. Verify that one DirectAccess Group Policy object is being applied to the client computer. If the policy
is not being applied, run the gpupdate command again. If the policy is still not being applied, restart
NYC-CL1. After the computer restarts, log on as Administrator, and run the Gpresult -R command
again.

Task 4: Verify ISATAP connectivity.

1. At the command prompt, type the following command, and then press ENTER.

Ipconfig /flushdns

2. At the command prompt, type the following command, and then press ENTER.

ping 2002:836b:2:1::5efe:10.10.0.10

3. At the command prompt, type the following command, and then press ENTER.

ping 2002:836b:2:1::5efe:10.10.0.11

4. At the command prompt, type the following command, and then press ENTER.

ping NYC-DC1.contoso.com

5. At the command prompt, type the following command, and then press ENTER.

ping NYC-SVR1.contoso.com

6. All these commands should result in a successful response.

Task 5: Move NYC-CL1 to the Internet.

1. On NYC-CL1, click Start, click Control Panel, and then click Network and Internet.
2. Click Network and Sharing Center.
3. Click Change Adapter Settings.

4. Right-click Local Area Connection 3, and then click Properties.
5. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4
(TCP/IPv4).
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically. Click Obtain DNS server address automatically, and then click OK.
7. In the Local Area Connection Properties dialog box, click Close.
8. In the Set Network Location dialog box, click Public network, and then click Close.
9. Switch to the command prompt, type IPCONFIG, and then press ENTER. The IP address should start
with 131.107.

Task 6: Verify connectivity to Internet resources.

1. At the command prompt, type the following command, and then press ENTER.

ping inet1.isp.example.com

2. From the taskbar, click the Internet Explorer icon.
3. In the Address bar, type http://inet1.isp.example.com/, and then press ENTER. You should see the
default IIS 7 Web page for INET1.

Task 7: Verify access to web-based and shared folder resources.

1. At the command prompt, type the following command, and then press ENTER.

ping NYC-SVR1

2. In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and
then press F5. You should see the default IIS 7 Web page for NYC-SVR1.
3. Close Internet Explorer.
4. Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the
contents of the Files shared folder.
5. In the Files shared folder window, double-click the Example.txt file.
6. Close the example.txt - Notepad window and the Files shared folder window.

Task 8: Examine NYC-CL1 IPv6 configuration.

1. At the command prompt, type the following command, and then press ENTER.

ipconfig

2. From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4
Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4
address that begins with 131.107. Notice that this tunnel interface has a default gateway of
2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in
colon-hexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6
traffic to EDGE1.
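The address arithmetic behind the ISATAP addresses checked in Tasks 2 through 4 and the 6to4 gateway explained in step 2 above, as an added example (not part of the course material): it derives the 6to4 prefix and router address from 131.107.0.2, builds an ISATAP address under the 2002:836b:2:1::/64 prefix, and recovers the embedded IPv4 address from the ISATAP adapter in ipconfig output. The ipconfig text in the block is constructed, not captured from the lab.

```python
"""6to4 and ISATAP address arithmetic for the lab's DirectAccess setup.
Added example, not course material; 131.107.0.2, 2002:836b:2:1::/64 and the
10.10.0.x hosts are the lab's values, the ipconfig text below is constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SIXTO4_PREFIX = 0x2002       # RFC 3056: 6to4 addresses live under 2002::/16
ISATAP_IID_TAG = 0x00005EFE  # RFC 5214: interface identifier is 0:5efe:w.x.y.z
UG_BIT = 0x02000000          # universal/local bit inside that 32-bit tag

def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48, the 6to4 site prefix for public IPv4 WW.XX.YY.ZZ."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((SIXTO4_PREFIX << 112) | (v4 << 80), 48))

def sixto4_router_address(ipv4: str) -> ipaddress.IPv6Address:
    """2002:WWXX:YYZZ::WWXX:YYZZ, the address a 6to4 router (EDGE1 here) uses
    on its tunnel interface and that 6to4 clients get as default gateway."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((SIXTO4_PREFIX << 112) | (v4 << 80) | v4)

def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """<prefix>:0:5efe:w.x.y.z for a private IPv4 address (u/g bit clear)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix, got /%d" % net.prefixlen)
    iid = (ISATAP_IID_TAG << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """The w.x.y.z carried by an ISATAP interface identifier, or None when the
    identifier is not ISATAP (a native address or a 6to4 router address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if ((iid >> 32) & ~UG_BIT) != ISATAP_IID_TAG:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

# ipconfig layout: adapter headings end in ':'; fields are indented and padded
# with ' .' up to the ':' that separates field name from value.
ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")

def parse_ipconfig(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split ipconfig output into {adapter heading: [(field, value), ...]}."""
    adapters: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            current = heading.group(1)
            adapters[current] = []
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            adapters[current].append((field.group(1), field.group(2).strip()))
    return adapters

def isatap_ipv4_addresses(text: str) -> List[ipaddress.IPv4Address]:
    """IPv4 addresses embedded in the global ISATAP addresses ipconfig shows;
    the lab's 'ends with 10.10.0.x' check compares against this list."""
    found = []
    for adapter, fields in parse_ipconfig(text).items():
        if "isatap" not in adapter.lower():
            continue
        for name, value in fields:
            if name == "IPv6 Address":  # skips link-local and gateway lines
                v4 = embedded_ipv4(value.split("%")[0])  # drop any zone index
                if v4 is not None:
                    found.append(v4)
    return found

# Constructed ipconfig excerpt for NYC-SVR1 (not captured from the lab).
SAMPLE_IPCONFIG = """\
Tunnel adapter isatap.contoso.com:

   Connection-specific DNS Suffix  . : contoso.com
   IPv6 Address. . . . . . . . . . . : 2002:836b:2:1:0:5efe:10.10.0.11
   Link-local IPv6 Address . . . . . : fe80::5efe:10.10.0.11%12
   Default Gateway . . . . . . . . . :
"""

if __name__ == "__main__":
    print(sixto4_router_address("131.107.0.2"))                # 2002:836b:2::836b:2
    print(isatap_address("2002:836b:2:1::/64", "10.10.0.10"))  # 2002:836b:2:1:0:5efe:a0a:a
    print(isatap_ipv4_addresses(SAMPLE_IPCONFIG))              # [IPv4Address('10.10.0.11')]
```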
Results: In this exercise, you successfully implemented DirectAccess.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-EDGE1, 6419B-NYC-INET1, and 6419B-NYC-CL1.
