Nova 4, LLC

OFFICIAL MICROSOFT LEARNING PRODUCT

6419B
Configuring, Managing, and Maintaining
Windows Server 2008-based Servers

Volume 1

Sep 7 2011 9:58PM


Warning: This is Nova 4, LLC's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed Content is
licensed as-is. Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties,
guarantees or conditions. Please report any unauthorized use of this content to piracy@microsoft.com or by calling +1
Nova 4, LLC
ii Configuring, Managing, and Maintaining Windows Server 2008-based Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
© 2011 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
All other trademarks are property of their respective owners.

Product Number: 6419B


Part Number: X17-53274
Released: 04/2011


Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Andrew J. Warren, Content Developer
Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of
which have been spent in writing and teaching. He has been involved as the subject matter expert (SME)
for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He
also has been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in the United
Kingdom, he runs his own IT training and education consultancy.

Conan Kezema, Content Developer
Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who
specializes in Microsoft technologies. As an associate of S.R. Technical Services, Conan has been a subject
matter expert, instructional designer, and author on numerous Microsoft courseware development
projects.

Gary Dunlop, Content Developer
Gary Dunlop has been a Microsoft trainer and consultant in Winnipeg, Canada, since 1997. He has authored or
co-authored several MOC courses and specializes in Windows Server and client systems. He is currently a
Senior Systems Engineer for Broadview Networks.

Jason Kellington, Content Developer
Jason Kellington is a trainer, consultant and author who specializes in several Microsoft products. He has a
broad range of experience in the IT industry as an administrator, developer, educator and technical writer.
Jason is an MCT, MCITP and MCSE and has been involved in a number of Microsoft Learning courseware
development projects.

William Stanek, Technical Reviewer
William R. Stanek (http://www.williamstanek.com/) is a leading technology expert, a pretty-darn-good
instructional trainer, and the award-winning author of over 100 books. Current or forthcoming books
include Active Directory Administrator's Pocket Consultant, Group Policy Administrator's Pocket
Consultant, SQL Server 2008 Administrator's Pocket Consultant 2nd Edition, Windows 7: The Definitive
Guide, and Windows Server 2008 Inside Out. Follow William on Twitter at
http://www.twitter.com/WilliamStanek.


Contents
Module 1: Overview of the Windows Server 2008 Management Environment
Lesson 1: Understanding the Windows Server 2008 Environment 1-3
Lesson 2: Overview of Windows Server 2008 Server Roles and Features 1-11
Lesson 3: Windows Server 2008 Administration Tools 1-20
Lesson 4: Managing Windows Server 2008 Server Core 1-28

Lab: Managing Server Roles in a Windows Server 2008 Environment 1-35

Module 2: Managing Windows Server 2008 Infrastructure Roles


Lesson 1: Understanding IPv6 Addressing 2-3
Lesson 2: Overview of the DNS Server Role 2-18
Lesson 3: Configuring DNS Zones 2-29
Lab A: Installing and Configuring the DNS Server Role 2-41
Lesson 4: Overview of the DHCP Server Role 2-46
Lesson 5: Configuring DHCP Scopes and Options 2-53
Lab B: Installing and Configuring the DHCP Server Role 2-65

Module 3: Configuring Access to File Services


Lesson 1: Overview of Access Control 3-3
Lesson 2: Managing NTFS File and Folder Permissions 3-13
Lesson 3: Managing Permissions for Shared Resources 3-23
Lesson 4: Determining Effective Permissions 3-36
Lab: Managing Access to File Services 3-43

Module 4: Configuring and Managing Distributed File System


Lesson 1: Distributed File System Overview 4-3
Lesson 2: Configuring DFS Namespaces 4-14
Lesson 3: Configuring DFS Replication 4-20
Lab: Installing and Configuring Distributed File System 4-28

Module 5: Managing File Resources Using File Server Resource Manager


Lesson 1: Overview of File Server Resource Manager 5-3
Lesson 2: Configuring Quota Management 5-11
Lab A: Installing FSRM and Implementing Quota Management 5-19
Lesson 3: Implementing File Screening 5-22
Lesson 4: Managing Storage Reports 5-28
Lab B: Configuring File Screening and Storage Reports 5-33


Lesson 5: Implementing Classification Management and File Management Tasks 5-36

Lab C: Configuring Classification and File Management Tasks 5-49

Module 6: Configuring and Securing Remote Access


Lesson 1: Configuring a Virtual Private Network Connection 6-3
Lesson 2: Overview of Network Policies 6-16
Lab A: Implementing a Virtual Private Network 6-26
Lesson 3: Integrating Network Access Protection with VPNs 6-31
Lesson 4: Configuring VPN Enforcement Using NAP 6-39
Lab B: Implementing NAP into a VPN Remote Access Solution 6-48

Lesson 5: Overview of DirectAccess 6-56

Module 7: Managing Active Directory Domain Services


Lesson 1: Overview of the Active Directory Infrastructure 7-4
Lesson 2: Working with Active Directory Administration Tools 7-17
Lesson 3: Managing User Accounts 7-26
Lesson 4: Managing Computer Accounts 7-36
Lab A: Creating and Managing User and Computer Accounts 7-45
Lesson 5: Managing Groups 7-50
Lesson 6: Using Queries to Locate Objects in AD DS 7-63
Lab B: Managing Groups and Locating Objects in AD DS 7-68

Module 8: Configuring Active Directory Object Administration and Domain Trust


Lesson 1: Configuring Active Directory Object Administration 8-3
Lab A: Configuring Active Directory Delegation 8-15
Lesson 2: Configuring Active Directory Trusts 8-20

Lab B: Administering Trust Relationships 8-29

Module 9: Creating and Managing Group Policy Objects


Lesson 1: Overview of Group Policy 9-3
Lesson 2: Configuring the Scope of Group Policy Objects 9-14
Lab A: Creating and Configuring GPOs 9-22
Lesson 3: Managing Group Policy Objects 9-26
Lab B: Creating and Configuring GPOs 9-35
Lesson 4: Evaluating and Troubleshooting Group Policy Processing 9-39

Lab C: Troubleshooting Group Policy 9-53

Module 10: Using Group Policy to Configure User and Computer Settings
Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts 10-3


Lab A: Using Group Policy to Configure Scripts and Folder Redirection 10-14
Lesson 2: Using Administrative Templates to Manage Users and Computers 10-17
Lab B: Configuring Administrative Templates 10-24
Lesson 3: Deploying Software Using Group Policy 10-27
Lab C: Deploying Software Using Group Policy 10-37
Lesson 4: Deploying Group Policy Preferences 10-39

Lab D: Deploying Group Policy Preferences 10-46

Module 11: Implementing Security Settings Using Group Policy


Lesson 1: Overview of Security Settings 11-3
Lesson 2: Implementing Fine-Grained Password Policies 11-14
Lab A: Implementing Security by Using Group Policy 11-21
Lesson 3: Restricting Group Membership and Access to Software 11-26

Lab B: Configuring Restricted Groups and Application Control Policies 11-36

Module 12: Providing Efficient Network Access for Remote Offices


Lesson 1: Overview of Remote Office Requirements 12-3
Lesson 2: Implementing Read-Only Domain Controllers 12-6
Lab A: Deploying a Read-Only Domain Controller 12-16
Lesson 3: Implementing BranchCache 12-21
Lab B: Deploying BranchCache 12-34

Module 13: Monitoring and Maintaining Windows Server 2008


Lesson 1: Planning Monitoring Tasks 13-3
Lesson 2: Calculating a Server Baseline 13-9
Lesson 3: Interpreting Performance Counters 13-18
Lesson 4: Selecting Appropriate Monitoring Tools 13-26

Lab: Creating a Baseline of Performance Metrics 13-33

Module 14: Managing Windows Server 2008 Backup and Recovery


Lesson 1: Planning and Implementing File Backups on Windows Server 2008 14-3
Lesson 2: Planning and Implementing File Recovery 14-14
Lab A: Implementing Windows Server Backup and Recovery 14-19
Lesson 3: Recovering Active Directory 14-23
Lesson 4: Troubleshooting Windows Server Startup 14-29

Lab B: Recovering Active Directory Objects 14-37


Appendix A: Implementing DirectAccess


Exercise 1: Configuring the AD DS domain controller and DNS A-4
Exercise 2: Configuring the PKI environment A-6
Exercise 3: Configuring the DirectAccess clients and test Intranet Access A-9
Exercise 4: Configuring the DirectAccess server A-11

Exercise 5: Verifying DirectAccess functionality A-13

About This Course xiii

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description
This course is designed to provide foundation skills in networking and Windows Server security, network
services, and administration.

Audience
Candidates for this course are information technology (IT) professionals who work in medium to large
organizations. The primary candidate is a Windows Server administrator who operates Windows Servers
on a daily basis and who requires the skills for configuring, managing, and maintaining servers installed
with Windows Server 2008, including the Release 2 (R2) edition. Candidates are typically responsible for
day-to-day management of the server operating system and various server roles such as Dynamic Host
Configuration Protocol (DHCP), Domain Name System (DNS), file and print services, directory services, and
software distribution. This course may also be considered in combination with other exam preparation
materials for candidates wishing to prepare for Microsoft Certified Technology Specialist (MCTS) and
Microsoft Certified IT Professional (MCITP) certification in Windows Server 2008.

Student Prerequisites
This course requires that you meet the following prerequisites:
At least one year experience in operating Windows Servers in the area of account management,
server maintenance, server monitoring, or server security
Certification related to the Microsoft Technology Associate (MTA) Networking Fundamentals, Security
Fundamentals, and Windows Server Administration Fundamentals designations, or equivalent
knowledge as outlined in the Fundamentals of Windows Server 2008 course
A+, Server+, hardware portion of Network+, or equivalent knowledge
Working knowledge of networking technologies
Intermediate understanding of network operating systems
Basic knowledge of Active Directory
An understanding of security concepts and methodologies (for example, corporate policies)
Basic knowledge of TCP/IP
Basic knowledge of scripting tools such as PowerShell and WMI

Course Objectives
After completing this course, students will be able to:
Describe the Windows Server 2008 environment including the roles, features, and tools used to
perform effective server management.
Describe IPv6 addressing and how to install and configure the DNS and DHCP server infrastructure
roles.
Configure secure and efficient access to file services.
Configure and manage a Distributed File System infrastructure.


Use File Server Resource Manager to assist in data storage capacity management.
Secure remote access by using features such as Virtual Private Networks, Network Access Protection
(NAP), and DirectAccess.
Describe Active Directory infrastructure and how to manage AD DS objects.
Configure and manage AD DS object permissions, and configure trust between AD DS domains.
Create and manage Group Policy Objects (GPOs).
Understand the specific settings that can be managed by using Group Policy.
Secure network clients by using Group Policy.
Describe solutions that can be implemented to provide efficient remote office network access.
Plan for and implement performance baselines and perform server monitoring by using monitoring
tools.
Plan for and identify backup and restore strategies and identify steps needed to recover from server startup
issues.

Course Outline
This section provides an outline of the course:
Module 1, Overview of the Windows Server 2008 Management Environment In this module, you
will gain familiarity with the components of the operating system and the concepts and terminology
found within the Windows Server 2008 environment.

Module 2, Managing Windows Server 2008 Infrastructure Roles In this module, you will learn the
benefits and technologies associated with IPv6, and the features and configuration options available to
implement the DNS and DHCP server roles.

Module 3, Configuring Access to File Services In this module, you will learn the concepts and
terminology involved in file services, and receive guidance on the practical management of a file
services infrastructure within the Windows Server 2008 environment.

Module 4, Configuring and Managing Distributed File System In this module, you will learn about
the Distributed File System (DFS) solution that you can use to meet challenges by providing fault-tolerant
access and WAN-friendly replication of files located throughout an enterprise.
Module 5, Managing File Resources Using File Server Resource Manager In this module, you will
learn how to use File Server Resource Manager (FSRM) to manage storage capacity: configuring quotas,
implementing file screening, generating storage reports, and using classification management and file
management tasks.

Module 6, Configuring and Securing Remote Access In this module, you will understand how to
configure and secure your remote access clients by using network policies, and where appropriate,
Network Access Protection (NAP).

Module 7, Managing Active Directory Domain Services In this module, you will review key concepts
and the structure of directory services. You will take a high-level look at the major components of
AD DS and how they fit together, and gain hands-on experience working with these components and
their associated tools.

Module 8, Configuring Active Directory Object Administration and Domain Trust In this module,
you will learn how to configure permissions and delegate administration for Active Directory objects. This
module also describes how to configure and manage Active Directory trusts.


Module 9, Creating and Managing Group Policy Objects In this module, you will understand how
administrators deliver and maintain customized desktop configurations, ensure the security of a
geographically and logistically dispersed collection of computers, and provide administration and
management for an increasingly complex and growing computing environment.

Module 10, Using Group Policy to Configure User and Computer Settings In this module, you will
learn how to use Group Policy to configure Folder Redirection and scripts, to manage users and
computers with Administrative Templates, to deploy software, and to deploy Group Policy Preferences.

Module 11, Implementing Security Settings Using Group Policy In this module, you will
understand security-related components that can assist you in implementing security policies in your
environment.

Module 12, Providing Efficient Network Access for Remote Offices In this module, you will learn
how to provide fast and secure logons at remote offices by placing a read-only domain controller (RODC)
at the remote office. You will also learn how to use BranchCache to speed up access to data across the
WAN and reduce WAN utilization.

Module 13, Monitoring and Maintaining Windows Server 2008 In this module, you will learn how
to identify components that require additional tuning, and improve the efficiency of your servers.

Module 14, Managing Windows Server 2008 Backup and Recovery In this module, you will learn the
planning necessary for backup and restore procedures and for startup issues, to ensure that you protect
data and servers sufficiently against disasters.


Course Materials
The following materials are included with your kit:

Course Handbook A succinct classroom learning guide that provides all the critical technical information in a
crisp, tightly-focused format, which is just right for an effective in-class learning experience.

Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site:


Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to
supplement the Course Handbook.

Modules: Include companion content, such as questions and answers, detailed demo steps and additional
reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module
Reviews and Takeaways sections, which contain the review questions and answers, best practices, common
issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most up-to-
date premium content on TechNet, MSDN, and Microsoft Press.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.

Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation
to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail
to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any
changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and
delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine        Role
6419B-NYC-DC1          Windows Server 2008 R2 domain controller in the Contoso.com domain
6419B-NYC-DC2          Windows Server 2008 R2 domain controller in the Contoso.com domain
6419B-NYC-SVR1         Windows Server 2008 R2 member server in Contoso.com
6419B-NYC-EDGE1        Windows Server 2008 R2 member server in Contoso.com
6419B-INET1            Windows Server 2008 R2 standalone server
6419B-NYC-CL1          A Windows 7 computer in the Contoso.com domain
6419B-NYC-CL2          A Windows 7 computer in the Contoso.com domain
6419B-NYC-SVRCORE      Windows Server 2008 R2 standalone server with a Server Core installation
6419B-VAN-DC1          Windows Server 2008 R2 domain controller in the Adatum.com domain

Software Configuration
The following software is installed on the virtual machines:
Windows Server 2008 R2 Enterprise (server virtual machines)
Windows 7 (client virtual machines)

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All the virtual
machines are deployed on each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.


Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 GB hard disks, 7200 RPM SATA or better (striped)
4 GB RAM
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers

Overview of the Windows Server 2008 Management Environment 1-1

Module 1
Overview of the Windows Server 2008 Management
Environment
Contents:
Lesson 1: Understanding the Windows Server 2008 Environment 1-3
Lesson 2: Overview of Windows Server 2008 Server Roles and Features 1-11
Lesson 3: Windows Server 2008 Administration Tools 1-20
Lesson 4: Managing Windows Server 2008 Server Core 1-28
Lab: Managing Server Roles in a Windows Server 2008 Environment 1-35


Module Overview

Familiarity with the operating system of your servers is the first and most important step towards
effectively managing a server infrastructure. Knowledge of the operating system structure, key
components, common management tools, versions and editions, features, and even its limitations will
help you to configure your server infrastructure in a way that best utilizes the capabilities of your servers
to serve your business needs.

This module will provide you with an overview of all of the above areas as they pertain to Windows
Server 2008. You will gain familiarity with the components of the operating system and the concepts
and terminology found within the Windows Server 2008 environment.

Objectives
After completing this module, you will be able to:
Describe the considerations for implementing and managing a Windows Server 2008 environment.
Explain Windows Server 2008 server roles and features.
Describe Windows Server 2008 administration tools.
Manage Windows Server 2008 Server Core.


Lesson 1
Understanding the Windows Server 2008
Environment

Windows Server 2008 builds upon the Windows operating system features that most users and
administrators already know. The initial release of Windows Server 2008 shares its core build
fundamentals and its look and feel with Windows Vista; Windows Server 2008 R2 shares the same
aspects with Windows 7.

However, unlike the desktop client operating systems, Windows Server 2008 is designed to provide a
robust and complete server platform to meet all the server-based needs of most network environments.

Objectives
After completing this lesson, you will be able to:
Describe the Windows Server 2008 Editions.
Describe the considerations for implementing Windows Server 2008 R2.
Describe the factors for choosing between physical vs. virtual implementations.
Describe the factors to consider for server management.


Overview of Windows Server 2008 Editions

Key Points
Windows Server 2008 is available in different editions to support the various server and workload needs of
network environments. Each edition of Windows Server 2008 is packaged with a set of features that
targets that edition at a particular environment or even a specific role. The seven editions of Windows
Server 2008 cover almost every type of server implementation you would find or require in a network
environment.

Note: This course covers functionality for both releases of Windows Server 2008. The initial release of
Windows Server 2008 was made available in early 2008. A second release, Windows Server 2008 R2,
became available in the middle of 2009. These two releases are treated as distinct versions of Windows
Server. When discussing the Windows Server 2008 operating system, three separate terms are used
to differentiate which release is being referenced.
The term Windows Server 2008 initial release refers to the initial, early 2008 release of the
operating system.
The term Windows Server 2008 R2 refers to the 2009 second release.
The term Windows Server 2008 refers to features or discussion relating to both releases, and serves
as a general term for the Windows Server 2008 operating system.

The following table lists the most commonly used Windows Server 2008 R2 editions.

Windows Server 2008 R2 Foundation operating system
    A cost-effective advanced server platform that targets small business owners and information
    technology (IT) generalists. Windows Server Foundation is designed to provide core server features
    at a low cost. Windows Server Foundation is capable of supporting only one processor and up to
    8 gigabytes (GB) of Random Access Memory (RAM).

Windows Server 2008 R2 Standard operating system
    The Windows Server Standard edition offers the most commonly used features in Windows Server
    2008 and is designed to meet almost all general server computing requirements. It adds features
    like Server Core, Hyper-V, and DirectAccess to the functionality of Windows Server Foundation.
    Windows Server Standard supports up to 4 processors and up to 32 GB of RAM.

Windows Server 2008 R2 Enterprise operating system
    Windows Server Enterprise expands upon Windows Server Standard, adding enterprise-level
    capabilities such as clustering, extended remote access, and increased virtualization
    capabilities. In addition, Windows Server Enterprise provides support for up to 8 processors and
    2 terabytes of RAM.

Windows Server 2008 R2 Datacenter operating system
    Windows Server Datacenter provides the full capabilities of the Windows Server 2008 platform.
    Designed for business critical applications and large scale virtualization implementations,
    Windows Server Datacenter provides everything required for complex server solutions. Windows
    Server Datacenter supports up to 64 processors and 2 terabytes of RAM, and supports hot-swappable
    processors and memory.

The following specialized editions of Windows Server 2008 are also available.

Windows Web Server 2008 R2 operating system
    A Web application and services platform, Windows Web Server 2008 includes Internet Information
    Services (IIS) 7.5 and is designed as an Internet-facing server. Windows Web Server 2008 includes
    the Web Server and Domain Name System (DNS) Server roles.

Windows Server 2008 R2 HPC Edition
    Provides an enterprise-class platform for high-performance computing (HPC). It can scale to
    thousands of processing cores and includes management consoles that help you to proactively
    monitor and maintain system health and stability. Job scheduling interoperability and flexibility
    enables integration between Windows and Linux-based HPC platforms.

Windows Server 2008 for Itanium-based Systems operating system
    Built specifically to support the Itanium-based IA64 processor architecture, Windows Server 2008
    for Itanium-based Systems provides the same feature set as Windows Server Datacenter, and it is
    designed for high workload scenarios.

Note: When discussing processor support, the numbers given here refer to physical processors
(sockets), not processor cores. A single physical processor may have multiple cores, allowing multiple
applications or threads to run on the processor at the same time.

These tables list the editions available for the most recent version of Windows Server, Windows Server
2008 R2. The Foundation edition is not available in the initial release of Windows Server 2008.
Additionally, the initial release of Windows Server 2008 is available with or without Hyper-V, the
Windows Server 2008 virtualization platform; Windows Server 2008 R2 includes Hyper-V by default.

Note: Windows Server 2008 R2 is available only for 64-bit hardware platforms. 32-bit hardware
platforms are no longer supported.


Windows Server 2008 R2 Considerations

Key Points
Windows Server 2008 R2, the most recent version of the Windows Server platform, provides a number of
improvements and new features not found in the initial release of Windows Server 2008.

While the improvements and features provide a more robust and powerful operating system,
implementing Windows Server 2008 R2 in your environment requires special considerations.

64-bit Hardware Architecture


First, and most critical from a deployment and upgrade perspective, is the requirement for a 64-bit
hardware platform. When upgrading older servers to Windows Server 2008 R2, examine and catalog the
hardware architecture to confirm that the existing servers are 64-bit.

Windows Server 2008 R2 operates on two separate 64-bit hardware architectures:
x64 is the industry standard architecture found in most AMD and Intel-based platforms, and the most
common 64-bit architecture in 64-bit servers.
Itanium-based systems are built around Intel 64-bit Itanium (IA64) processors and are most
commonly used for mathematically complex or intensive applications such as large databases.
Windows Server 2008 R2 is the last version of Windows Server to support the Itanium processor
architecture.

Because of the 64-bit requirement, servers being upgraded or migrated to Windows Server 2008 R2 need
to be examined to ensure they are based on a 64-bit platform.

There may be instances in your environment where a 32-bit version of Windows Server 2003 or of the
initial release of Windows Server 2008 is running on 64-bit hardware. Such systems are capable of
running Windows Server 2008 R2, but there is no direct upgrade path between 32-bit and 64-bit versions
of Windows Server: they require a clean installation of Windows Server 2008 R2 followed by migration of
the roles and data.


Upgrade Paths
When directly upgrading a previous version of Windows Server, only specific upgrade paths are supported
between versions. Because of the 64-bit requirement of Windows Server 2008 R2, the existing
installation must be a 64-bit version of Windows Server.

The following tables illustrate the most common supported upgrade paths.

Windows Server 2003 (SP2, R2)        Windows Server 2008 R2 edition
Standard                             Standard, Enterprise
Enterprise                           Enterprise, Datacenter
Datacenter                           Datacenter

Windows Server 2008 (RTM, SP1, SP2)  Windows Server 2008 R2 edition
Standard                             Standard, Enterprise
Enterprise                           Enterprise, Datacenter
Datacenter                           Datacenter
Web                                  Standard, Web
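The architecture check and the upgrade-path tables above translate directly into an inventory script. The following Windows PowerShell 2.0 script is an added example, not part of the course or of any Microsoft tool: it queries WMI on each listed server, distinguishes a 32-bit operating system running on 64-bit hardware from genuinely 32-bit hardware, and reports the in-place upgrade targets from the tables. The server names are placeholders; the caption keywords used for matching are an assumption about how WMI names each edition and should be checked against Get-WmiObject output in your own environment.

```powershell
# Added example (not from the course): inventory OS edition and the address
# width of both the OS and the CPU, then report the Windows Server 2008 R2
# in-place upgrade options from the tables above. Requires Windows PowerShell
# 2.0 and WMI access to the remote servers. Server names are placeholders.
$servers = 'SRV-FILE01', 'SRV-DC01', 'SRV-WEB01'

# In-place upgrade targets from the tables above, keyed by caption keywords.
$upgradePaths = @{
    'Server 2003 Standard'   = 'Standard, Enterprise'
    'Server 2003 Enterprise' = 'Enterprise, Datacenter'
    'Server 2003 Datacenter' = 'Datacenter'
    'Server 2008 Standard'   = 'Standard, Enterprise'
    'Server 2008 Enterprise' = 'Enterprise, Datacenter'
    'Server 2008 Datacenter' = 'Datacenter'
    'Web Server 2008'        = 'Standard, Web'
}

function Get-UpgradeAdvice {
    param([string]$Caption, [int]$OsBits, [int]$CpuBits)

    if ($Caption -match '2008 R2') { return 'Already Windows Server 2008 R2' }
    if ($CpuBits -ne 64) { return 'Blocked: 32-bit hardware, R2 requires x64 or IA64' }
    if ($OsBits -ne 64)  { return 'Clean install and migrate: 32-bit OS on 64-bit hardware, no in-place path' }

    # Every keyword of an edition key must appear in the WMI caption, which
    # looks like "Microsoft(R) Windows(R) Server 2003, Standard Edition"
    # (assumed format; verify against your own Get-WmiObject output).
    foreach ($key in $upgradePaths.Keys) {
        $missing = $key.Split(' ') | Where-Object { $Caption -notmatch $_ }
        if (-not $missing) { return "In-place upgrade to R2 $($upgradePaths[$key])" }
    }
    return 'No supported in-place upgrade path; plan a migration'
}

$report = foreach ($server in $servers) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $server -ErrorAction Stop |
               Select-Object -First 1
        # AddressWidth reflects the running OS (32 or 64); DataWidth reflects
        # the processor itself, so AddressWidth 32 with DataWidth 64 is a
        # 32-bit OS on x64 hardware, the case the text above calls out.
        New-Object PSObject -Property @{
            Server  = $server
            Caption = $os.Caption.Trim()
            OsBits  = $cpu.AddressWidth
            CpuBits = $cpu.DataWidth
            Advice  = Get-UpgradeAdvice $os.Caption $cpu.AddressWidth $cpu.DataWidth
        }
    } catch {
        # Unreachable or access-denied servers are reported, not silently skipped.
        New-Object PSObject -Property @{
            Server = $server; Caption = 'unreachable'; OsBits = $null; CpuBits = $null
            Advice = "WMI query failed: $($_.Exception.Message)"
        }
    }
}

$report | Select-Object Server, Caption, OsBits, CpuBits, Advice | Format-Table -AutoSize
```

Win32_Processor is used rather than the OSArchitecture property of Win32_OperatingSystem because OSArchitecture does not exist on Windows Server 2003, which is exactly the population this inventory is meant to cover.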

Operating System Consistency


In some instances, the new features and functionality that Windows Server 2008 R2 provides may not be
required on pre-existing servers in your environment. It is important to note, however, that Windows
Server 2008 and Windows Server 2008 R2 are different versions of the Windows Server operating system.
Enhancements, bug fixes, and service packs are developed and released separately for each operating
system. If you operate in an environment where consistency and a unified environment are important, you
should consider upgrading all capable (64-bit) servers to Windows Server 2008 R2. It is important to note
that if you still have 32-bit hardware in your environment, you will not be able to upgrade all of your
servers to Windows Server 2008 R2.

Migration and Server Roles


The functionality contained in Windows Server 2008 R2 has changed since the original version of
Windows Server 2008, and even more so since Windows Server 2003. As a result, the functionality
provided by previous versions of the operating system needs to be examined and mapped to the features
and functionality provided by Windows Server 2008 R2.

Microsoft provides a number of documents covering this migration process, called Role Migration Guides.
These guides help you plan a smooth transition between the services provided by your existing server
infrastructure and your new Windows Server 2008 R2 infrastructure, and are downloadable from the
Microsoft website.


Physical vs. Virtual Server Implementations

Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical
computer. Multiple virtual machines can run on one physical server, with all the virtual machines sharing
the resources available on the physical server.

Windows Server 2008 introduces Hyper-V as the first integrated virtualization platform of Windows
Server. Hyper-V provides software infrastructure and basic management tools that you can use to create
and manage a virtualized server computing environment.

Server virtualization can overcome the limitations of physical servers and provides a solution for challenges
that organizations face with their physical environments. The following list describes common
organizational challenges:
Data Centers Are Reaching Capacity
In many organizations, data centers quickly reach capacity for power and space. These organizations
frequently deploy new servers for every new project or requirement, and the data centers require
large amounts of power for running and cooling the servers. Virtualization often results in
significantly fewer physical servers, which require less space and less power.
Server Resource Utilization Is Very Low
Many servers run at very low utilization, which aggravates the data center capacity problem. It is
common for some servers to run at less than ten percent of processor capacity. Virtualization
combines several virtual servers onto a single physical server, thereby making more efficient use of
physical resources.
Managing Servers Requires Significantly More Effort
As organizations deploy more servers running many different roles, the effort required to deploy,
support and secure the servers also increases. If several servers can be virtualized and run on a single
physical server, there are fewer physical objects in your environment to support and maintain.


Supporting Legacy Systems Is Difficult
Legacy hardware and systems become increasingly costly to maintain. Many organizations have
business applications that were developed many years ago and have not been upgraded to run on
new operating systems or on new hardware. Often, a virtualized environment can overcome these
physical constraints and allow legacy systems to be integrated into your server environment.

The factors that make a server a good candidate vary, but any server facing one of the above challenges
should be assessed for potential virtualization.

The Microsoft Assessment and Planning (MAP) Toolkit provides the ability to assess your current IT
infrastructure for a variety of Windows Server 2008 migration projects, including virtualization. The MAP
Toolkit is a powerful inventory, assessment, and reporting tool that can be used to simplify the migration
planning process for a virtualized environment.
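The "less than ten percent of processor capacity" observation above is something you can measure before reaching for a full assessment tool. The following Windows PowerShell 2.0 script is an added example, not part of the course or of the MAP Toolkit: it samples processor and memory counters on a set of servers with Get-Counter and flags the servers whose average processor use stays under a threshold as consolidation candidates. The server names, the 10 percent threshold and the one-minute sampling window are assumptions for illustration; a real assessment samples over days or weeks.

```powershell
# Added example (not from the course): sample processor and memory counters
# on a set of servers and flag those whose average processor use stays below
# a threshold as virtualization candidates. Requires Windows PowerShell 2.0
# and remote access to Performance Logs on each server. Server names, the
# threshold and the sample window are assumptions.
$servers   = 'SRV-APP01', 'SRV-APP02', 'SRV-DB01'
$threshold = 10     # percent of processor capacity, the figure quoted above
$samples   = 12     # 12 samples 5 seconds apart = one minute per server

function Get-UtilizationSummary {
    param([string[]]$ComputerName, [int]$MaxSamples, [int]$ThresholdPercent, [int]$Interval = 5)

    $counters = '\Processor(_Total)\% Processor Time', '\Memory\Available MBytes'
    $sets = Get-Counter -ComputerName $ComputerName -Counter $counters `
                        -SampleInterval $Interval -MaxSamples $MaxSamples -ErrorAction SilentlyContinue

    # Every sample carries a path like "\\srv-app01\processor(_total)\% processor time";
    # the third element after splitting on backslashes is the host name.
    # Select-Object -ExpandProperty is used because PowerShell 2.0 cannot
    # enumerate a property across an array with $sets.CounterSamples.
    $sets | Select-Object -ExpandProperty CounterSamples |
        Group-Object { ($_.Path -split '\\')[2] } | ForEach-Object {
            $cpu = $_.Group | Where-Object { $_.Path -like '*processor time' } |
                   Measure-Object -Property CookedValue -Average -Maximum
            $mem = $_.Group | Where-Object { $_.Path -like '*available mbytes' } |
                   Measure-Object -Property CookedValue -Minimum
            New-Object PSObject -Property @{
                Server        = $_.Name
                AvgCpuPercent = [math]::Round($cpu.Average, 1)
                MaxCpuPercent = [math]::Round($cpu.Maximum, 1)
                MinFreeMB     = [int]$mem.Minimum
                # A low average is the signal the text describes; the maximum
                # is reported so that bursty workloads can be spotted by eye.
                Candidate     = ($cpu.Average -lt $ThresholdPercent)
            }
        }
}

Get-UtilizationSummary -ComputerName $servers -MaxSamples $samples -ThresholdPercent $threshold |
    Select-Object Server, AvgCpuPercent, MaxCpuPercent, MinFreeMB, Candidate |
    Sort-Object AvgCpuPercent | Format-Table -AutoSize

# Servers that never answered produce no samples and do not appear in the
# table; compare the output against $servers to find them.
```

Run it from a management workstation that is permitted to read performance counters remotely; a server whose counters cannot be read is a finding in itself, since the same access path is what monitoring depends on.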


Server Management Considerations

Key Points
When configuring a server, many aspects of server management need to be considered to ensure that
your server environment is functioning in the most efficient and consistent manner possible.

The following questions should be answered when configuring and managing a Windows Server 2008
server:
What roles does the server perform within the network infrastructure? The functionality of a server is
determined by the operating system software components that are installed and configured.
Are there specific security needs associated with this server? If a server has specific security needs, or is
located in a physical or network environment where the threat of unauthorized malicious use is high,
take steps to expose the smallest possible part of the operating system to potential attackers: install
only the roles, role services, and features the server actually needs, and consider a Server Core
installation where the required roles support it.
How will the server be managed? As you will learn, Windows Server 2008 has a number of different
tools that allow you to manage a Windows Server 2008 server. Different tools allow different
management tasks and capabilities, such as scripting, remote access, high level overviews, or multiple
administrators.
Is there a requirement for server availability? Depending on the role of your Windows Server 2008
server, server availability may be a requirement. Your server may be required by policy or business
logic to provide its services in a consistently available manner. Larger organizations and public
organizations such as emergency services, hospitals, phone and power companies, and many others
cannot afford even a few seconds a year of downtime for important services. The servers providing
these services need to be configured in some type of redundant or fault-tolerant configuration to
ensure consistent availability.

Question: Does your organization manage servers that may have some of the requirements in this topic?


Lesson 2
Overview of Windows Server 2008 Server Roles and
Features

The usefulness and functionality of a server are determined by the set of components installed and
configured on the server.

In a production environment, determining what components of an operating system need to be installed,
activated, and configured to provide a specific piece of functionality can be an imposing task. In previous
versions of Windows Server, the responsibility was placed on the administrator to determine this list of
components, ensure they were configured correctly, and provide a method of effectively managing these
components.

Windows Server 2008 changes all this with server roles and server features.

Objectives
After completing this lesson, you will be able to:
Describe server roles.
Describe Infrastructure and Application Services roles.
Describe Active Directory server roles.
Describe server features.
Install server roles and features by using Server Manager.


What Are Server Roles?

Key Points
Windows Server 2008 uses a role-based configuration. Operating system functionality is controlled
primarily through server roles.

Server Roles
A server role is a collection of operating system components that work together to provide a specific
aspect of server functionality. Rather than having to determine the components required to provide some
type of functionality, as in previous versions, a Windows Server 2008 server administrator can simply
install the role associated with that functionality. Installing a role prompts Windows Server 2008 to enable
the necessary operating system components required to perform the functionality associated with the
role. This ensures that all the components required are enabled when a role is installed. Also, those
components will be disabled if the role is removed from the server.

Role Services
Server roles comprise one or more role services that represent the individual aspects of functionality that a
role provides. Depending on how a role is being implemented, some role services may or may not be
installed as part of the overall role functionality. Role services allow administrators to build onto the
functionality of a role, depending on the requirements.

For example, Print and Document Services is composed of the following role services:
Print Server
LPD Service
Internet Printing
Distributed Scan Server


If you are configuring a Windows Server 2008 server to function as a print server, but do not specifically
require scan services, you should not select the Distributed Scan Server role service to be installed as part
of the Print and Document Services Role.

Multiple Roles
While some roles are typically installed as the only role on a server and provide the core of that server
functionality, multiple roles are often installed to work together to provide multiple aspects of
functionality; or they can be combined to better utilize server hardware resources.

When deploying multiple server roles on a single computer, consider the following:
The capacity of the computer should be sufficient for all the installed roles.
The security requirements of the roles you plan to install must be compatible with co-existing on a single
computer.
The security settings should be configured appropriately for all installed roles.
Possible migration paths should be planned in advance, in case the computer becomes overloaded.

Question: How do server roles and role-based configuration make it easier to configure functionality on a
Windows Server 2008 server? Are there ways that role-based configuration makes configuration more
difficult?


Infrastructure and Application Services Server Roles

Key Points
Windows infrastructure services roles are used to form the underlying framework of software and services
that are used by other applications within the organization and provide application-based services to the
rest of the network.

The following table describes the Windows Server 2008 infrastructure and application services roles:

Application Server
    Provides a solution for hosting and managing distributed applications.

DHCP Server
    Automatically allocates IP addresses and IP configuration information to clients.

DNS Server
    Provides name resolution for TCP/IP networks.

Fax Server
    Sends and receives faxes electronically rather than requiring paper-based copies of documents.

File Services
    Provides technologies for storage management, file replication, and file searching.

Hyper-V
    Provides server virtualization functionality.

Network Policy and Access Services
    Provides support for LAN or WAN routing, network access policy enforcement, VPN connections, and
    dial-up connections.

Print and Document Services
    Enables and manages network printing, scanning, and document routing.

Remote Desktop Services
    Allows users to run programs on a remote server but view the results in a Remote Desktop window.

Web Server (IIS)
    Enables the server to act as a web server, installing Internet Information Services (IIS) and
    related components.

Windows Deployment Services
    Deploys Windows operating systems to computers over the network.

Windows Server Update Services (WSUS)
    Allows network administrators to control Microsoft Update distribution to clients and servers.

Windows Server 2008 R2 Considerations


The WSUS server role is new in Windows Server 2008 R2.

Also, the following server roles have been renamed from the initial release of Windows Server 2008 to
Windows Server 2008 R2.

Windows Server 2008 Server Role      Windows Server 2008 R2 Server Role
Print Services                       Print and Document Services
Terminal Services                    Remote Desktop Services

Also, the Universal Description, Discovery, and Integration Services (UDDI) server role has been removed
from Windows Server 2008 R2. UDDI provides capabilities for sharing information about Web services
between servers, but the server role is unsupported on 64-bit platforms, the only platform on which
Windows Server 2008 R2 will run. A new, stand-alone version of UDDI that supports 64-bit platforms is
available for download from the Microsoft website.


Active Directory Server Roles

Key Points
Active Directory roles form the core of identity and access management within a Windows Server-based
network. The various Active Directory roles allow full control over management of, and access to,
server-based network resources, including users, computers, files, folders, and printers. Also, the Active
Directory server roles allow separate Active Directory infrastructures to integrate seamlessly, allowing for
secure, unified administration and information exchange.

The following table lists the Active Directory server roles.

Active Directory Domain Services (AD DS)
    Stores information about users, computers, and other devices on the network. AD DS helps
    administrators securely manage this information and facilitates resource sharing and collaboration
    between users and organizations.

Active Directory Certificate Services (AD CS)
    Provides customizable services for issuing and managing certificates in software security systems
    that use public key technologies.

Active Directory Federation Services (AD FS)
    Provides Web single sign-on (SSO) technologies to authenticate a user to multiple Web applications
    that use a single user account.

Active Directory Lightweight Directory Services (AD LDS)
    Organizations that have applications which require a directory for storing application data can use
    AD LDS as the data store. AD LDS runs as a non-operating-system service.

Active Directory Rights Management Services (AD RMS)
    Information protection technology that works with AD RMS-enabled applications to help safeguard
    digital information from unauthorized use.


What Are Server Features?

Key Points
Server features are Windows Server 2008 components that do not specifically fall into the scope of one of
the server roles. Although they are not directly part of a server role, server features can support or add a
complementary functionality to one or more roles, or improve the functionality of the server, regardless of
which roles are installed.
Server features are typically installed individually, independent of other server features and server roles.
Similar to server roles, server features are installed, configured, and managed primarily through the Server
Manager console in Windows Server 2008 R2.

Windows Server 2008 R2 Considerations


The following features are available in Windows Server 2008 R2, but not in the initial release of Windows
Server 2008:
Windows BranchCache
DirectAccess Management Console
Ink and Handwriting Services
Windows Biometric Framework
Windows Server Migration Tools
Windows Remote Management (WinRM) IIS Extension
XPS Viewer
Remote Server Administration Tools now includes Active Directory Administrative Center, Remote
Desktop (RD) Connection Broker tools, and BitLocker Recovery Password Viewer.


Note: Windows 2000 Client Support has been removed from Message Queuing in Windows Server
2008 R2.

Also, several features are available only in certain editions of Windows Server 2008. Enterprise-level
capabilities like BranchCache Hosted Server and Failover Clustering are not available in the Foundation or
Standard editions. Additionally, DirectAccess Management is not available in the Foundation edition.


Demonstration: How to Install Server Roles and Features

Key Points

Server Manager is the key management tool used in Windows Server 2008. This demonstration will show you how both
server roles and server features are managed within Server Manager.

In this demonstration, you will learn how to:

Add a server role by using Server Manager.
Add a server feature by using Server Manager.
Configure a server role by using Server Manager.


Lesson 3
Windows Server 2008 Administration Tools

Windows Server 2008 is a robust and powerful operating system that contains a large number of
components and capabilities.
To harness the power of Windows Server 2008, you need to be familiar with the available management tools,
which allow you to manage and administer your Windows Server 2008 servers effectively.

Objectives
After completing this lesson, you will be able to:
Describe the methods used to manage a server environment.
Manage Windows Server 2008 by using Server Manager.
Describe how to use Remote Server Administration Tools (RSAT).
Describe the use and advantages of Windows PowerShell.


Methods Used to Manage a Windows Server 2008 Environment

Key Points
There are a variety of methods used to manage a Windows Server 2008 environment. The specific tool or
tools that you will use with Windows Server 2008 may vary, according to how you are managing your
servers.

The most common management tools are briefly described as follows:

Server Manager
Server Manager is the core tool for management of a Windows Server 2008 server. Built on the Microsoft
Management Console (MMC), Server Manager contains console add-ins for all installed server roles and
server features, and a unified collection of tools and operating system information useful in managing
Windows Server 2008, including the following:
Event Viewer
Services console
Performance monitoring
Device Manager
Task Scheduler
Disk Management
Windows Server 2008 R2 introduces several enhancements to Server Manager that are not available in the
initial release of Windows Server 2008.
Server Manager can now connect to remote servers.
Server Manager has built-in Best Practices Analyzers (BPAs) from Microsoft to help administrators
ensure their servers are configured in the most secure and optimal manner possible.


New PowerShell cmdlets have been added that allow you to install, remove, or view information
about available roles by using Windows PowerShell.

Command-Line Tools
Windows Server 2008 has a large number of command-line tools that administrators can use directly from
the command line or include in administrative scripts, such as batch files or scripts written in languages such
as VBScript.

RSAT
The RSAT download is available for Windows client operating systems (Windows Vista, and Windows 7)
and allows for the remote management of Windows Servers from desktop computers.

Windows PowerShell
Windows PowerShell is a task-based command-line shell and scripting language designed specifically for
system administration. It allows administrators to automate and control the management of Windows
computers and applications that run on Windows.


Demonstration: Overview of Server Manager

Key Points
This demonstration will show you the Server Manager interface, highlighting the most commonly used
tools and console windows.

In this demonstration, you will learn how to:

Describe how Server Manager unifies administrative consoles for server roles, server features, and
other operating system components.
Navigate the Server Manager console.
Find commonly used management tools and console windows within Server Manager.


What Are the Remote Server Administration Tools?

Key Points
RSAT enables administrators to remotely manage server roles, server features and other operating system
functionality for a Windows Server 2008 server.

Essentially, RSAT installs MMC consoles for server components on the client operating systems and uses
those consoles to connect remotely to Windows Server 2008 computers to perform management tasks.
When you install RSAT onto the client operating system, you will be given a choice of which consoles you
want to install.

RSAT is typically installed on a Windows client operating system used by someone requiring
administrative access to a Windows Server 2008 server. RSAT is available for both Windows Vista and
Windows 7 client operating systems and offers varying functionality, depending on both the operating
system of the client RSAT is installed on and the version of Windows Server 2008 that is being managed.

When running RSAT on a Windows 7 computer, and connecting to a Windows Server 2008 R2 server, the
following remote management tools are available.

Server Administration Tools:
Server Manager

Role Administration Tools:
Active Directory Certificate Services (AD CS) Tools
Active Directory Domain Services (AD DS) Tools
Active Directory Lightweight Directory Services (AD LDS) Tools
DHCP Server Tools
DNS Server Tools
File Services Tools


Hyper-V Tools
Terminal Services Tools

Feature Administration Tools:
BitLocker Recovery Password Viewer
Failover Clustering Tools
Group Policy Management Tools
Network Load Balancing Tools
SMTP Server Tools
Storage Explorer Tools
Storage Manager for SANs Tools
Windows System Resource Manager Tools


What Is Windows PowerShell?

Key Points

Windows PowerShell is a task-based command-line shell and scripting language designed specifically for
system administration. Built on the .NET framework, PowerShell allows administrators to automate and
control the management of Windows computers and applications that run on Windows.
Windows PowerShell was introduced as part of Windows Vista and the initial release of Windows Server
2008. PowerShell comprises a large number of single-purpose commands, called cmdlets.

Cmdlets are the core building block of PowerShell. They are typically very narrow in scope, performing
only a single task. This provides for a large number of cmdlets with relatively simple syntax and options,
rather than a smaller list with more complex syntax and methods for use.

Cmdlets
Cmdlets in PowerShell are composed by using a verb-noun syntax that makes it relatively easy to
determine the intended purpose of a cmdlet simply by knowing the cmdlet name. The following list
provides some examples of PowerShell cmdlets:
Get-Date
Start-Service
Restart-Computer
Set-ItemProperty
Get-Help
Clear-Eventlog
PowerShell cmdlets allow the management of almost any aspect of the Windows operating system, and
any installed applications that support PowerShell.


PowerShell 2.0
PowerShell 2.0, introduced with Windows Server 2008 R2 and Windows 7, adds a number of important
new features and improvements in functionality over the original version of PowerShell shipped with the
initial release of Windows Server 2008 and Windows Vista. The following is a list of the new features
available with PowerShell 2.0:
Integrated Scripting Environment (ISE)
The new Integrated Scripting Environment (ISE) is a multi-tabbed graphical PowerShell development
platform that features color-coded syntax, debugging capabilities, and script-output management
capabilities.
Remoting
Remoting is one of the most important changes in PowerShell 2.0, and it provides support for
running scripts on remote systems. PowerShell Remoting lets you run scripts on remote networked
systems in a one-to-one, or one-to-many configuration. This new remoting support requires that
PowerShell 2.0 be installed on both the local and remote systems.

Note: PowerShell remoting relies on Windows Remote Management (WinRM). In order for remoting
to work, WinRM must be enabled on the remote computer.
To enable WinRM with its default configuration, you can execute the following command from the
command prompt on the remote computer.
winrm qc
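Remoting set up end to end, as an added example that is not part of the course material: the server side runs the PowerShell equivalent of the winrm qc command above, and the workstation side runs a one-to-one and a one-to-many command. The computer names NYC-SVR1 and NYC-SVRCORE are taken from this module's lab; the services queried are assumed.

```powershell
# Added example, not from the course. Requires PowerShell 2.0 on both ends.

# --- On each managed server (run once, elevated) --------------------------
# Enable-PSRemoting configures WinRM the way "winrm qc" does (service, HTTP
# listener, WS-Management firewall exception) and registers the PowerShell
# session endpoint. -Force suppresses the confirmation prompts.
Enable-PSRemoting -Force

# --- On the management workstation (Windows 7, PowerShell 2.0) -----------
# Lab computer names; the list is the "many" side of one-to-many remoting.
$servers = 'NYC-SVR1', 'NYC-SVRCORE'

# Confirm the WinRM listener on each server answers before sending work to
# it, so an unreachable server is reported instead of timing out mid-script.
foreach ($s in $servers) {
    try {
        $null = Test-WSMan -ComputerName $s -ErrorAction Stop
        Write-Host "$s : WinRM listener reachable"
    }
    catch {
        Write-Warning "$s : WinRM not reachable - $($_.Exception.Message)"
    }
}

# One-to-many: the same script block runs on every server and the results
# come back to the workstation. Each returned object carries PSComputerName,
# so output from different servers can be told apart.
$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-Service -Name WinRM, Spooler -ErrorAction SilentlyContinue |
        Select-Object Name, Status
}
$results | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, Status -AutoSize

# One-to-one: a persistent session for several commands against one server,
# closed explicitly when finished.
$session = New-PSSession -ComputerName $servers[0]
Invoke-Command -Session $session -ScriptBlock {
    Get-EventLog -LogName System -Newest 5 | Select-Object TimeGenerated, Source, EventID
}
Remove-PSSession $session
```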

Eventing
PowerShell Eventing lets you respond to the notifications that many PowerShell objects support.
Added cmdlets, functions, and modules
PowerShell 2.0 adds a host of new cmdlets and other features that make server management by using
PowerShell far more powerful. The following areas have been given new or improved functionality in
PowerShell 2.0.
Active Directory
AppLocker
Best Practices Analyzer
Background Intelligent Transfer Service (BITS)
Failover Cluster
Group Policy
Server Manager
Windows Server Backup
Windows Server Migration Tools

Note: The additional modules mentioned are installed with their corresponding server role or server
feature. They are not part of the default installation of Windows PowerShell V2. For example, the
Active Directory module and its corresponding cmdlets are installed when the Active Directory
Domain Services server role is installed.


Lesson 4
Managing Windows Server 2008 Server Core

The Server Core installation option was first introduced in the initial release of Windows Server 2008. It
provides a stripped-down, streamlined version of Windows Server 2008.
This lesson will look at Server Core, its features, capabilities, and limitations, and the tools used to manage
a Server Core installation of Windows Server 2008.

Objectives
After completing this lesson, you will be able to:
Describe the benefits of a Server Core installation.
Describe server roles that are supported by Server Core.
Describe features that are supported by Server Core.
Manage Windows Server 2008 Server Core.


Benefits of a Server Core Installation

Key Points
The Server Core installation option in Windows Server installs Windows Server 2008 with a minimal
feature set.

Server Core offers a smaller subset of server roles and features than the full installation of Windows Server
2008. Additionally, Server Core does not include the Windows Explorer graphical interface. All local
interaction with a Server Core installation must be done by using command-line tools.
The Server Core minimal feature set provides the following benefits:
The attack surface is minimized because of limited roles and features.
Malicious users must be familiar with the command line to make changes to the operating system
when accessing a Server Core installation locally.
Hardware requirements are less restrictive for a Server Core installation because of the stripped-down
nature of the operating system.
A Server Core installation requires less maintenance than a full installation. The reduced number of
services and applications require fewer updates than a full-featured operating system. Fewer updates
mean fewer restarts of the operating system. This, in turn, leads to increased availability of the server.


Roles Supported by the Server Core Installation Option

Key Points
Server Core supports a subset of the standard Windows Server 2008 roles, primarily roles that are designed to
provide core network infrastructure.

Server Core supports the following server roles in Windows Server 2008:
Active Directory Domain Services
Active Directory Lightweight Directory Services
DHCP Server
DNS Server
File Services
Print Server
Streaming Media Services
Hyper-V
Windows Server 2008 R2 adds the following role changes:
Active Directory Certificate Services
File Server Resource Manager component of the File Services Role
A subset of ASP.NET in the Web Server role
Streaming Media Services has been removed


Features Supported by the Server Core Installation Option

Key Points
Similar to server roles, Server Core supports a subset of standard Windows Server 2008 features.
Server Core supports the following server features in Windows Server 2008:
Windows Server Backup
BitLocker Drive Encryption
Failover Clustering
Multipath I/O
Network Load Balancing
Removable Storage
Subsystem for UNIX-based applications
Telnet client
WINS
Windows Server 2008 R2 adds the following feature changes:
.NET Framework
Windows PowerShell
Windows-on-Windows 64-bit (WoW64)
Removable Storage feature removed
Ability to be remotely configured by using Server Manager


Methods Used to Manage the Server Core Installation Option

Key Points
Server Core management is a slightly more complicated task than managing a full installation of Windows
Server 2008.

For the initial release of Windows Server 2008, manually entering command-line executables is the only
method available to configure a Server Core installation of Windows Server 2008. While this method is a
deterrent to users with malicious intent who gain access to the server, it also means a more complicated
and tedious workload for those who manage the servers.

Adding and Removing Server Roles and Server Features


Managing the roles and features installed on your computer requires you to work from the command
line. The following tools will allow you to manage installed server roles and server features in Windows
Server 2008.
Ocsetup.exe and Oclist.exe
Ocsetup is the default tool used to manage the addition and removal of server roles and server
features in Windows Server 2008. The ocsetup.exe command is issued from the command line,
followed by an argument that determines which role or feature is being added or removed. For example,
the following command installs the DHCP role on a Server Core installation (DHCPServerCore is the
name of the DHCP Server role for this tool, as the note on Dism below explains).

ocsetup DHCPServerCore

To uninstall the role, execute the following command.

ocsetup DHCPServerCore /uninstall

Oclist.exe can be executed to show a list of roles and features available on the current server, along
with the current installation status of those roles.


Dism.exe
Dism.exe is the Deployment Image Servicing and Management tool, included with Windows Server 2008
R2. This tool has a wide range of applications in Windows image and configuration management.
One of those applications is the installation and removal of Server Core server roles and server features.
Issuing the following command using Dism.exe will install the DHCP role on a Server Core installation.

Dism /online /enable-feature /featurename:DHCPServerCore

In the line of code above, the command line switches perform the following actions.
The /online switch forces Dism.exe to perform the operation on the currently running
installation of Windows. Dism.exe can also be used to perform operations on offline images of
Windows.
The /enable-feature switch ensures that the feature specified will be installed or enabled. It is
important to note that the word feature in this switch does not refer only to server features.
/enable-feature is used to install both server roles and server features. The /disable-feature
switch will remove an installed role.
The /featurename switch is used to specify the server role or server feature to be installed or
removed. In the case of our example, we are performing our operation on the DHCP server role.

To determine the current status of server roles and features, execute the following command.

Dism /online /get-features

Note: The role and feature names used for ocsetup and Dism are the same. DHCPServerCore is used to
refer to the DHCP Server role for both tools. It is important to note that these names are also case
sensitive. For example, using dhcpservercore as a feature name will result in an error with either tool.
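The check-then-enable sequence described above, scripted from Windows PowerShell (an optional feature on a Windows Server 2008 R2 Server Core installation), as an added example that is not part of the course material. It assumes the "Feature Name : " / "State : " line layout of Dism /online /get-features and uses the WindowsServerBackup feature name from this module's lab; the exact-case lookup mirrors the note above.

```powershell
# Added example, not from the course: enable a Server Core role or feature
# with Dism.exe only when it is not already enabled. Run elevated on a
# Windows Server 2008 R2 Server Core installation that has PowerShell.

function Get-DismFeatureState {
    # Parse "Dism /online /get-features" into a name -> state lookup.
    # Assumed output layout: repeated "Feature Name : X" / "State : Y" pairs.
    # A .NET Hashtable is used rather than @{} because @{} compares keys
    # case-insensitively, which would hide the case sensitivity Dism enforces.
    $states = New-Object System.Collections.Hashtable
    $current = $null
    foreach ($line in (& dism.exe /online /get-features)) {
        if ($line -match '^Feature Name\s*:\s*(\S+)') {
            $current = $matches[1]
        }
        elseif ($current -and $line -match '^State\s*:\s*(\S+)') {
            $states[$current] = $matches[1]
            $current = $null
        }
    }
    if ($LASTEXITCODE -ne 0) {
        throw "Dism /get-features failed with exit code $LASTEXITCODE"
    }
    return $states
}

function Enable-CoreFeature {
    param([Parameter(Mandatory = $true)][string] $FeatureName)

    $states = Get-DismFeatureState

    # Exact-case check first: Dism rejects a wrong-case name, so report the
    # correctly cased spelling instead of letting Dism fail.
    if (-not $states.ContainsKey($FeatureName)) {
        $hint = $states.Keys | Where-Object { $_ -ieq $FeatureName }
        if ($hint) {
            throw "Feature '$FeatureName' not found; the name is case sensitive, use '$hint'."
        }
        throw "Feature '$FeatureName' is not available on this installation."
    }

    if ($states[$FeatureName] -eq 'Enabled') {
        Write-Host "$FeatureName is already enabled; nothing to do."
        return $false
    }

    # /norestart leaves the reboot decision to the administrator; Dism signals
    # that one is needed through exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED).
    & dism.exe /online /enable-feature "/featurename:$FeatureName" /norestart | Out-Null
    switch ($LASTEXITCODE) {
        0       { Write-Host "$FeatureName enabled." }
        3010    { Write-Warning "$FeatureName enabled; restart the server to complete the change." }
        default { throw "Dism failed with exit code $LASTEXITCODE" }
    }
    return $true
}

# The feature the lab's Exercise 3 installs; DHCPServerCore would install the
# DHCP Server role in exactly the same way.
Enable-CoreFeature -FeatureName 'WindowsServerBackup'
```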

Other Improvements in Windows Server 2008 R2


In Windows Server 2008 R2, two very important changes have been made to the Server Core installation
option that greatly decrease the administrative workload required for Server Core computers.
Sconfig.exe
Sconfig is a command-line executable that starts a text-based menu for administering a Server Core
installation. Common administration tasks are available in a numbered list for execution. When an
administrator chooses a number from the list, sconfig carries out the configuration command by
using command-line programs without the administrator having to manually enter code.
Sconfig supports the following configuration areas on a Server Core installation of Windows Server
2008 R2.
Computer name and domain/workgroup membership
Add local Administrative users
Configure Remote Management
Windows Update Settings
Configure Remote Desktop
Network Settings


Date and Time Settings
Shutdown/Restart server

Server Manager and RSAT


In Windows Server 2008 R2, Server Manager (on Windows Server 2008 R2 computers) and RSAT (on
Windows Vista or Windows 7 computers) can be used to connect remotely to a Server Core
installation and manage the server by using familiar graphical tools. This is a great
improvement over previous management methods, because it allows a Server Core installation to be
managed remotely alongside full installations of Windows Server 2008 R2, for a more unified
management environment.


Lab: Managing Server Roles in a Windows Server 2008 Environment


Exercise 1: Determine Server Roles and Installation Types


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.
6. Repeat steps 2 and 3 for 6419B-NYC-SVRCORE. Do not log on until directed to do so.

Lab Scenario
You have been asked to complete the final configuration for a server being deployed to the Contoso,
Ltd.'s New York City location. Your supervisor, Ed Meadows, has sent you an email detailing the
requirements for the final configuration steps that need to be taken on the server.

The main tasks for this exercise are as follows:

1. Review the supporting documentation.
2. Determine the server roles, server features, and installation types, and record them in the answers to
the questions in the deployment plan document.

Task 1: Review the supporting documentation.


1. Review the following email message received from Ed Meadows.
To: You
From: Ed Meadows [Ed@contoso.com]
Sent: Apr 20 2010 14:20
To: you@contoso.com
Subject: NYC-SVR1 deployment

Hi,

We've arranged to have the new server for the New York City location physically deployed while you are
onsite there.

The server name is NYC-SVR1 and it's to be configured as a print server for the New York office. They've
just deployed Windows 7 to all desktops in that location and they're switching away from users having
printers connected directly to their machines and setting up network printers in various locations in the
office, instead.

After you've completed the initial configuration, the server administration team in New York will take over
the management of the server. They're located on the fifth floor and this server will be on the eighth floor,
so they'd like to have some type of remote access to the server to perform their management tasks. I
believe there are four of them who will be working together to manage the server; I'll leave the solution
for this up to you.


One more thing, the New York admins would also like to be able to back up the server on a regular basis,
so I'd like you to configure the server to give them the ability to do local backups.

That's it for now, let me know if you need anything, and enjoy New York.

Regards,

Ed

Task 2: Determine the server roles, server features, and installation types.
1. Complete the requirements document by answering the following questions:

New York Location New Server Final Configuration Plan

Document Reference Number: CW010210/1
Document Author: You
Date: Apr 24, 2011

Requirements Overview
To determine the server roles and features to be installed on the newly deployed NYC-SVR1

Additional Information
The server must be able to provide network printing capabilities for the New York City office.
Administrators in New York will manage the server from their desktop computers and will also be
responsible for ensuring the new server is backed up.

Questions
1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be
configured?
2. What additional server features will be needed to fulfill the requirements specified by Ed?
3. Are there any additional management considerations that need to be considered for the
ongoing management of NYC-SVR1?

Results: After completing this exercise, you should have determined the server roles, server features,
and installation types to install on NYC-SVR1, according to the requirements document.


Exercise 2: Install Windows Server 2008 Server Roles and Features


Lab Scenario
You have read the requirements document and determined what server roles and features need to be
installed on NYC-SVR1. Using your implementation proposal, you have been asked to implement the
recommended server roles and server features on NYC-SVR1 and report to Ed regarding which
management tools need to be installed on the desktop computers of the Server Admins group.

The main tasks for this exercise are as follows:

1. Use Server Manager to install the Print and Document Services Server Role.
2. Use Server Manager to install the Windows Server Backup Features.

Task 1: Use Server Manager to install the Print and Document Services Server Role.
1. Connect to the 6419B-NYC-SVR1 virtual machine and log on with a user name, Administrator, and
the password, Pa$$w0rd.
2. Open Server Manager from the Start Menu.
3. Open the Roles node in Server Manager and add the Print and Document Services server role.

Task 2: Use Server Manager to install the Windows Server Backup Features.
1. Within Server Manager, select the Features node.
2. Add the Windows Server Backup feature.
3. Close Server Manager.

Result: After completing this exercise, you will have used Server Manager to install server roles and
server features.
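The same installation done with the ServerManager cmdlets that Windows Server 2008 R2 adds (the PowerShell role-management cmdlets mentioned under the Server Manager enhancements in Lesson 3), as an added example that is not part of the lab. The names Print-Services and Backup-Features are assumed to be what Get-WindowsFeature reports for the Print and Document Services role and the Windows Server Backup Features.

```powershell
# Added example, not from the lab: install the Print and Document Services
# role and the Windows Server Backup Features with the ServerManager module
# instead of the console. Run in an elevated PowerShell 2.0 session on
# NYC-SVR1 itself; these cmdlets operate on the local computer only.
Import-Module ServerManager

# Assumed Get-WindowsFeature names for the two items Exercise 2 installs.
$wanted = 'Print-Services', 'Backup-Features'

function Get-MissingFeature {
    param([string[]] $Name)
    # Look every requested name up and keep the ones not yet installed.
    # An unknown name yields no object at all, which the final listing
    # below makes visible.
    Get-WindowsFeature -Name $Name | Where-Object { -not $_.Installed }
}

function Install-RequestedFeature {
    param([string[]] $Name)
    $missing = @(Get-MissingFeature -Name $Name)
    if ($missing.Count -eq 0) {
        Write-Host 'All requested roles and features are already installed.'
        return
    }
    # PowerShell 2.0 has no member enumeration on arrays, hence ForEach-Object.
    $names = @($missing | ForEach-Object { $_.Name })
    Write-Host "Installing: $($names -join ', ')"

    # -IncludeAllSubFeature also adds the sub-features (for example the
    # backup command-line tools), like a full selection in the console wizard.
    $result = Add-WindowsFeature -Name $names -IncludeAllSubFeature
    if (-not $result.Success) {
        throw "Installation failed with exit code $($result.ExitCode)"
    }
    if ("$($result.RestartNeeded)" -ne 'No') {
        Write-Warning 'A restart is required to complete the installation.'
    }
}

Install-RequestedFeature -Name $wanted

# Verify the end state: Installed should now be True for every requested
# name, and a name absent from this listing was not recognised.
Get-WindowsFeature -Name $wanted |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize
```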


Exercise 3: Manage Windows Server 2008 Server Core


Lab Scenario
You have been asked to complete the configuration for another server in the New York location.

A new server running the Windows Server 2008 R2 Server Core installation option has been installed in the New York
location. You have been asked to finalize the network configuration on the server and configure the newly
named NYC-SVRCORE to enable Server Manager access for remote management.

The network information is as follows.

NYC-SVRCORE Configuration Spec Sheet

IP State STATIC
IP Address 10.10.0.20
Subnet Mask 255.255.0.0
Default Gateway 10.10.0.1
Primary DNS 10.10.0.10
Secondary DNS None

Domain membership Contoso.com


Computer name NYC-SVRCORE

Please install the Windows Server Backup feature on this server so the New York IT staff can perform
backup and recovery operations.
Please enable remote administration to allow the New York IT staff to manage this server remotely by
using Server Manager.

The main tasks for this exercise are as follows:


1. Use Sconfig to configure Server Core installation options.
2. Use Dism to install the Windows Server Backup feature.
3. Configure Server Core to enable Server Manager remote administration.
4. Use Server Manager to connect to Server Core.

Task 1: Use Sconfig to configure Server Core installation options.


1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name, Administrator,
and the password, Pa$$w0rd.
2. Start Sconfig and use the menu options to configure the IP address settings according to the
information supplied.
3. Join the computer to the Contoso.com domain and rename it to NYC-SVRCORE.

Task 2: Use Dism to install the Windows Server Backup feature


1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name, Administrator,
and the password, Pa$$w0rd.
2. Run the Dism command using the /online and /get-features switches to confirm that the
WindowsServerBackup feature is not installed.
3. Run the Dism command using the /online, /enable-feature and /featurename: switches to install
the WindowsServerBackup feature.


4. Run the Dism command using the /online and /get-features switches to verify the Windows Server
Backup feature has been installed.

Task 3: Use Sconfig to configure Server Core remote management


1. Start Sconfig and navigate to the Configure Remote Management screen.
2. Enable both the Windows PowerShell and the Server Manager remote administration options. Restart
when prompted and log back on as Administrator with the password Pa$$w0rd.

Task 4: Use Server Manager to connect to Server Core


1. Connect to the 6419B-NYC-DC1 virtual machine and log on with the user name, Administrator, and
the password, Pa$$w0rd.
2. Open Server Manager from the Administrative Tools section on the Start Menu.
3. In Server Manager, connect to NYC-SVRCORE.
4. View the Server Manager nodes available.

Result: After completing this exercise, you should have performed management tasks on a Server Core
installation of Windows Server 2008 R2.
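The NYC-SVRCORE spec sheet applied from the command line, as an added example that is not part of the lab text: netsh.exe sets the static IPv4 configuration and dism.exe enables the Windows Server Backup feature, with a check after each step that the change actually took effect. Every step is a call to netsh or dism, so the same lines can be typed at the Server Core cmd.exe prompt; the PowerShell wrapper (available on Server Core once enabled in Sconfig) only adds the checks. It assumes an elevated session, an adapter named Local Area Connection (the Windows Server 2008 R2 default) and English-language tool output; the domain join and rename are left to Sconfig as in Task 1.

```powershell
# Added example (not part of the 6419B lab text): the NYC-SVRCORE spec
# sheet applied with netsh.exe and dism.exe, checking each result. The same
# netsh and dism lines can be typed at the Server Core cmd.exe prompt; the
# PowerShell wrapper only adds the checks. Assumptions: elevated session,
# adapter named "Local Area Connection" (the Windows Server 2008 R2 default),
# English-language tool output. Domain join and rename are left to Sconfig.

$Nic     = 'Local Area Connection'
$Address = '10.10.0.20'
$Mask    = '255.255.0.0'
$Gateway = '10.10.0.1'
$Dns     = '10.10.0.10'

# Static IPv4 configuration from the spec sheet (what Sconfig's Network
# Settings menu does behind the scenes). No secondary DNS server is set.
netsh interface ipv4 set address "name=$Nic" source=static "address=$Address" "mask=$Mask" "gateway=$Gateway"
if ($LASTEXITCODE -ne 0) { throw "netsh set address failed (exit code $LASTEXITCODE)." }
netsh interface ipv4 set dnsservers "name=$Nic" source=static "address=$Dns" register=primary
if ($LASTEXITCODE -ne 0) { throw "netsh set dnsservers failed (exit code $LASTEXITCODE)." }

# Check: read the configuration back and confirm the exact address is bound
# (the trailing anchor stops 10.10.0.20 from matching 10.10.0.200).
$config  = netsh interface ipv4 show config "name=$Nic"
$pattern = 'IP Address:\s+' + [regex]::Escape($Address) + '\s*$'
if (-not ($config | Where-Object { $_ -match $pattern })) {
    throw "Static address $Address was not applied to '$Nic'."
}

function Get-DismFeatureState {
    param([string]$FeatureName)
    # Dism prints a "State : Enabled" or "State : Disabled" line; parse it
    # instead of inferring the state from an exit code.
    $info = dism /online /get-featureinfo "/featurename:$FeatureName"
    foreach ($line in $info) {
        if ($line -match '^State\s*:\s*(\w+)') { return $Matches[1] }
    }
    return 'Unknown'
}

$feature = 'WindowsServerBackup'
$before  = Get-DismFeatureState $feature
Write-Host "$feature before: $before"

if ($before -ne 'Enabled') {
    # /norestart keeps the script in control; Dism returns 3010 when a
    # restart is still required to finish the change.
    dism /online /enable-feature "/featurename:$feature" /norestart
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw "Dism failed to enable $feature (exit code $LASTEXITCODE)."
    }
}

$after = Get-DismFeatureState $feature
if ($after -ne 'Enabled') { throw "$feature is still '$after' after enabling it." }
Write-Host "$feature after: $after"
```

Reading the state back with /get-featureinfo is the same check as Task 2 step 4, but against a single feature rather than the full /get-features listing, which makes it usable in a script that must stop on failure.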

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.


2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.


Module Review and Takeaways

Review Questions
1. Why would an organization want to limit the server roles installed on a server?

2. What management tool would you recommend for a new junior administrator who has been asked to
manage a Server Core installation of Windows Server 2008 R2?

Common Issues Related to Using Server Manager Remotely

Issue | Troubleshooting Tip
Cannot connect to remote servers by using Server Manager |

Tools

Tool | Use for | Where to find it
Windows Server 2008 R2 Server Role Migration Guides | Determining how to migrate server roles from previous versions of the Windows Server operating system |
Microsoft Assessment and Planning (MAP) Toolkit | Simplifying and streamlining the IT infrastructure planning by assessing existing environments |
Server Manager | Managing a Windows Server 2008 server | Start Menu
Remote Server Administration Tools (RSAT) for Windows 7 | Managing Windows Server 2008 R2 servers remotely |
Ocsetup.exe | Adding and removing Server Core roles and features | Command line
Dism.exe | Adding and removing Server Core roles and features in Windows Server 2008 R2 | Command line
Sconfig.exe | Managing a Server Core installation of Windows Server 2008 (R2 only) | Type Sconfig.exe at the command line

New Features and Changes


Feature Version Module Reference

Foundation Edition licensing option

64-bit hardware support only

New Server Roles available

New Features Available

Server Manager remote management

New RSAT

New Server Core Roles available

New Server Core Features available

Administer Server Core remotely by using Server Manager

Deployment Image Servicing and Management tool (Dism.exe)

Sconfig configuration tool for Server Core


Module 2
Managing Windows Server 2008 Infrastructure Roles
Contents:
Lesson 1: Understanding IPv6 Addressing 2-3
Lesson 2: Overview of the DNS Server Role 2-18
Lesson 3: Configuring DNS Zones 2-29
Lab A: Installing and Configuring the DNS Server Role 2-41
Lesson 4: Overview of the DHCP Server Role 2-46
Lesson 5: Configuring DHCP Scopes and Options 2-53
Lab B: Installing and Configuring the DHCP Server Role 2-65


Module Overview

To effectively manage a Windows Server 2008 network, you need to understand the server roles used to
resolve and manage IP addressing. To assist with IP addressing requirements, your network environment
should include two critical server roles, the Domain Name System (DNS) and the Dynamic Host
Configuration Protocol (DHCP). To support many of the new features included with Windows Server 2008,
you need a basic knowledge of not only IPv4, but also IPv6 concepts and transition methods.

This module provides an overview of the benefits and technologies associated with IPv6. You will learn the
features and configuration options available to implement the DNS and DHCP server roles.

Objectives
After completing this module, you will be able to:
Describe IPv6 addressing.
Describe the features and concepts related to the DNS server role.
Configure DNS zones.
Describe the features and concepts related to the DHCP server role.
Configure DHCP scopes and options.


Lesson 1
Understanding IPv6 Addressing

Internet Protocol (IP) version 4 is the most commonly used communication protocol for both the Internet
and internal network environments. Although IPv4 is robust and scalable, new technologies and higher
demand have paved the way for the eventual adoption of IPv6.

To use the various Windows Server 2008 features, such as Network Discovery and DirectAccess (Windows
Server 2008 R2), you need a better understanding of the IPv6 address space and its integration with the
existing IPv4 networks through transition and tunneling technologies.

Objectives
After completing this lesson, you will be able to:
Describe the differences between IPv4 and IPv6.
Describe the benefits of using IPv6.
Describe the IPv6 address space.
Describe the types of IPv6 addresses.
Describe the IPv6 address autoconfiguration process.
Describe IPv6 over IPv4 tunneling.
Describe IPv6 tunneling technologies.


Differences Between IPv4 and IPv6

Key Points
Traditionally, IPv4, due to its simplicity and interoperability, has been used to meet the growing demands
of both internal networks and the Internet. However, it is quickly becoming outdated in both public
address space availability and supported functionality.

The various challenges faced by IPv4 include:


Unavailability of the IPv4 address space. With IPv4 public address space becoming scarce, many
organizations have implemented network address translation (NAT) to map multiple private IP
addresses to a single public IP address. NAT reduces the number of public IP addresses that internal
networks require, but it does not support standards-based network layer security and does not map all
higher-layer protocols cleanly. This can cause connectivity issues between organizations that use
overlapping private IP addressing schemes. In addition, the rise of IP-based devices, such as mobile
devices and household appliances, has increased the need for efficient address allocation, security,
and real-time delivery.
Need for simpler configuration. IPv4 relies on manual configuration or on automatic configuration
through DHCP, and DHCP serves only subnets on which a DHCP server or relay agent is present. With
the need to manage and communicate with Internet-based devices, automatic configuration of
addresses and settings that does not rely on a DHCP infrastructure has become important.
Need for more efficient real-time data delivery. The increased use of multimedia streaming over
the Internet has paved the way for quality of service (QoS) requirements that are only efficiently
addressed when integrated within the IP protocol itself.
Security requirements at the IP level. Security over a public network, such as the Internet, requires
encryption services that protect data from being viewed or modified during transit. IPv4 supports the
Internet Protocol security (IPsec) standard. However, IPsec support in IPv4 is optional, and it is
commonly deployed through a variety of vendor-specific solutions.


Note: To address many of these concerns, the Internet Engineering Task Force (IETF) developed IPv6,
specified in Request for Comments (RFC) 2460; its addressing architecture is described in RFC 4291.

IPv4 and IPv6 Comparison

The following table lists the differences between IPv4 and IPv6:

IPv4 | IPv6
Source and destination addresses are 32 bits (4 bytes) in length | Source and destination addresses are 128 bits (16 bytes) in length
IPsec support is optional | IPsec support is required of every node (the stack must implement it; it protects no traffic until an IPsec policy is configured)
The IPv4 header does not include any packet-flow identification for QoS | Packet-flow identification for QoS handling by routers is included in the IPv6 header (the Flow Label field)
Fragmentation is done by routers and the sending host | Fragmentation is done only by the sending host
Header includes a checksum | Header does not include a checksum
Header includes options | All optional data is moved to IPv6 extension headers
Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address | ARP Request frames are replaced with multicast Neighbor Solicitation messages
Internet Group Management Protocol (IGMP) is used to manage local subnet group membership | IGMP is replaced with Multicast Listener Discovery (MLD) messages
Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway | ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages, which are required
Broadcast addresses are used to send traffic to all nodes on a subnet | There are no broadcast addresses in IPv6; their function is superseded by multicast addresses. Link-local unicast addresses are used for addressing on a single link for purposes such as automatic address configuration and neighbor discovery, or when no routers are present. The link-local multicast scope spans the same topological region as the corresponding unicast scope.
Must be configured either manually or through DHCP | Does not require manual configuration or DHCP
Uses host address (A) resource records in DNS to map host names to IPv4 addresses | Uses host address (AAAA) resource records in DNS to map host names to IPv6 addresses
Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names | Uses PTR resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names
Must support a 576-byte packet size (possibly fragmented) | Must support a 1280-byte packet size (without fragmentation)


Benefits of Using IPv6

Key Points
The IPv6 standard introduces several benefits to the networking infrastructure, such as the following:
Large address space. IPv6 uses a 128-bit address space, which allows for 2^128, or approximately
3.4 x 10^38 (340,282,366,920,938,463,463,374,607,431,768,211,456), possible addresses.
Hierarchical addressing and routing infrastructure. IPv6 address space is allocated hierarchically,
so that even though there are many more addresses, routers can summarize them into fewer routing
table entries and forward traffic more efficiently.
Stateless and stateful address configuration. Stateless address configuration refers to host IP
configuration without a DHCP server. Stateful address configuration refers to host IP configuration
that uses a DHCP server. IPv6 supports both stateless and stateful address configuration. With
stateless address configuration, hosts automatically configure themselves with IPv6 link-local
addresses along with additional addresses built from prefixes advertised by local routers.
Built-in security. IPsec (the Authentication Header and Encapsulating Security Payload extension
headers) is an integral part of the IPv6 specification rather than an add-on, which simplifies the
configuration of secure network connections. IPv6 traffic is not protected by default, however; an
IPsec policy must still be configured before any traffic is authenticated or encrypted.
Prioritized delivery. The IPv6 header contains a Traffic Class field that allows network devices to
determine the priority with which the packet should be processed. This allows traffic prioritization, or
QoS. For example, when streaming video traffic, it is critical that the packets arrive in a timely
manner. You can set this field so that network devices treat the packet delivery as time-sensitive.
Neighbor Discovery. IPv6 uses the Neighbor Discovery protocol to manage the interaction between
nodes on the same network link. Neighbor Discovery replaces the broadcast-based Address
Resolution Protocol (ARP) with more efficient multicast and unicast communication within the same
network segment.

Extensibility. IPv6 has been designed so that it can be extended with fewer constraints than IPv4.


IPv6 Address Space

Key Points
A traditional IPv4-based IP address is expressed in four groups of decimal numbers, such as 192.168.1.1.

Each set of numbers represents a binary octet. In the binary system, the preceding number is:

11000000.10101000.00000001.00000001

(4 octets = 32 Bits)

The size of an IPv6 address is 128 bits, which is four times the size of an IPv4 address. IPv6 addresses
are written in hexadecimal. For example, an IPv6 address may look like:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This may seem counterintuitive for end users. However, the average user relies on DNS name resolution
and seldom types IPv6 addresses manually.

Hexadecimal Numbering System (Base 16)


The hexadecimal system (Hex) uses a base 16 represented by sixteen distinct symbols. These symbols
include:
0-9 Represent values 0 to 9
A-F Represent values 10 to 15
For example, if you convert the decimal number 9 to Hex, the result will be Hex 9. However if you
continue and convert the decimal number 10 to Hex, the result will be Hex A. Similarly, the decimal
number 11 will result in Hex B.


Using Letters to Represent Numbers


Letters are used to represent numbers because the Hex system (base 16) needs 16 unique symbols for
each position. Because only 10 symbols (0 through 9) exist in the decimal system, six additional symbols,
A through F, are used.

To convert an IPv6 binary address, which is 128 bits in length, to hexadecimal, perform the following
steps:

0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010

1. Organize the 128-bit address into eight groups of 16 bits.

0010000000000001 0000110110111000 0000000000000000


0010111100111011 0000001010101010 0000000011111111
1111111000101000 1001110001011010

2. Break down each set of 16 bits into sets of four bits and assign a value of 1, 2, 4, or 8 to each of
the four binary numbers starting from the right and moving left.

If the first bit, starting on the right, has a value of 1 assign a value of 1. If the second bit has a
value of 1 assign of a value of 2. If the third bit has a value of 1, assign a value of 4. If the fourth
(and leftmost) bit has a value of 1, assign a value of 8.

To derive the hexadecimal value for this section of four bits, add up the values assigned to each
bit where the bits are set to 1. For the first group [0010], the only bit that is set to 1 is the bit
assigned the 2 value. The rest are set to zero. Thus, the hex value of this set of four bits is 2.

The first 16 bits in the example is equal to Hex 2001.

Student Exercise
In the given table, calculate the Hex values for the remaining 16-bit blocks of the 128-bit address. The
first one is done for you.

Binary Hexadecimal

0010 0000 0000 0001 2001

0000 1101 1011 1000

0000 0000 0000 0000

0010 1111 0011 1011

0000 0010 1010 1010

0000 0000 1111 1111

1111 1110 0010 1000

1001 1100 0101 1010

Each 16-bit block, expressed as four Hex characters, is delimited by using colons. The result is as follows:

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A


3. You can simplify IPv6 representation by removing the leading zeros within each 16-bit block.
However, each block must have at least a single digit. After you remove the leading zeros, the
result is as follows:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

4. To further simplify IPv6 notation, a contiguous sequence of 16-bit blocks that are set to 0 can be
compressed by using the double colon (::). The computer recognizes :: and substitutes the number
of zero blocks necessary to make a complete eight-block IPv6 address.

In the following example, the address is expressed by using zero compression:

2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 16-bit blocks are represented by the (::), count the number of blocks in the
compressed address and subtract this number from eight. Using the above example, there are seven
blocks. Subtract seven from eight and the result is one. Thus, there is one block of zeros in the address
where the double colon is located.
In a given address, you can use zero compression only once. Otherwise, you cannot determine the
number of 0 bits represented by each instance of a double colon (::). By convention (RFC 5952), :: is
used for the longest run of zero blocks and is not used for a single zero block, so the recommended form
of the address above is 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A; the single-block form is still a valid address.
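The four conversion steps as code, added here as an example that is not part of the course text. ConvertFrom-IPv6Binary performs steps 1 and 2, Compress-IPv6Address performs steps 3 and 4, and Expand-IPv6Address reverses the compression by counting blocks as described above. Compression follows the RFC 5952 convention, so for the course's example address the single zero block is kept as 0 rather than replaced by ::, while an address with a run of zero blocks is compressed; the final check uses the .NET System.Net.IPAddress parser to confirm that the compressed and full forms decode to the same 128-bit value.

```powershell
# Added example (not part of the course text): the binary-to-hex conversion,
# zero suppression and zero compression described above, plus the reverse
# expansion. Compression follows RFC 5952: only the longest run of zero
# blocks is replaced with "::", and a single zero block is left as "0".

function ConvertFrom-IPv6Binary {
    param([string]$Binary)
    $bits = $Binary -replace '\s', ''       # spaces between groups are allowed
    if ($bits.Length -ne 128 -or $bits -notmatch '^[01]+$') {
        throw "Expected 128 binary digits, got $($bits.Length)."
    }
    $blocks = @()
    for ($i = 0; $i -lt 128; $i += 16) {    # step 1: eight 16-bit blocks
        $value = [Convert]::ToInt32($bits.Substring($i, 16), 2)
        $blocks += ('{0:X4}' -f $value)      # step 2: four hex digits per block
    }
    return ($blocks -join ':')
}

function Compress-IPv6Address {
    param([string]$Address)
    $blocks = $Address.Split(':')
    if ($blocks.Count -ne 8) { throw "Expected eight colon-separated blocks in '$Address'." }
    # Step 3: drop leading zeros but keep at least one digit per block.
    $short = foreach ($b in $blocks) { $b.TrimStart('0').PadLeft(1, '0') }
    # Step 4: locate the longest run of zero blocks (the earliest run wins a tie).
    $bestStart = -1; $bestLen = 0; $runStart = -1
    for ($i = 0; $i -le 8; $i++) {
        if ($i -lt 8 -and $short[$i] -eq '0') {
            if ($runStart -lt 0) { $runStart = $i }
        } elseif ($runStart -ge 0) {
            if (($i - $runStart) -gt $bestLen) { $bestStart = $runStart; $bestLen = $i - $runStart }
            $runStart = -1
        }
    }
    if ($bestLen -lt 2) { return ($short -join ':') }   # RFC 5952: never compress one block
    $left  = if ($bestStart -gt 0) { $short[0..($bestStart - 1)] -join ':' } else { '' }
    $end   = $bestStart + $bestLen
    $right = if ($end -lt 8) { $short[$end..7] -join ':' } else { '' }
    return "${left}::${right}"
}

function Expand-IPv6Address {
    param([string]$Address)
    # Count the blocks present; "::" stands for the 8 - n missing zero blocks.
    # Only one "::" is allowed, otherwise that count is ambiguous.
    $parts = $Address -split '::'
    if ($parts.Count -gt 2) { throw "More than one '::' in '$Address'." }
    $head = @(); $tail = @()
    if ($parts[0] -ne '') { $head = $parts[0].Split(':') }
    if ($parts.Count -eq 2 -and $parts[1] -ne '') { $tail = $parts[1].Split(':') }
    $missing = 8 - ($head.Count + $tail.Count)
    if ($parts.Count -eq 2) {
        if ($missing -lt 1) { throw "'$Address' has '::' but no missing blocks." }
    } elseif ($missing -ne 0) {
        throw "'$Address' does not contain eight blocks."
    }
    $zeros = @()
    for ($i = 0; $i -lt $missing; $i++) { $zeros += '0' }
    $all = @($head) + @($zeros) + @($tail)
    return (($all | ForEach-Object { $_.PadLeft(4, '0').ToUpper() }) -join ':')
}

function Test-IPv6SameAddress {
    param([string]$A, [string]$B)
    # Independent check with the .NET parser: both strings must decode to the same 16 bytes.
    $ba = [System.Net.IPAddress]::Parse($A).GetAddressBytes()
    $bb = [System.Net.IPAddress]::Parse($B).GetAddressBytes()
    return ([BitConverter]::ToString($ba) -eq [BitConverter]::ToString($bb))
}

# The 128-bit address from the conversion steps above.
$binary = '0010000000000001000011011011100000000000000000000010111100111011' +
          '0000001010101010000000001111111111111110001010001001110001011010'
$full       = ConvertFrom-IPv6Binary $binary
$compressed = Compress-IPv6Address $full
$courseForm = '2001:DB8::2F3B:2AA:FF:FE28:9C5A'     # the single-block "::" form used in step 4
Write-Host "Full:         $full"
Write-Host "Compressed:   $compressed"
Write-Host "Expanded:     $(Expand-IPv6Address $courseForm)"
Write-Host "Same value:   $(Test-IPv6SameAddress $full $courseForm)"
Write-Host "Run of zeros: $(Compress-IPv6Address '2001:0DB8:0000:0000:0000:0000:0000:0001')"
```

Expand-IPv6Address rejects a second :: for the reason given in the text: with two of them there is no way to tell how many zero blocks each one stands for.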


Types of IPv6 Addresses

Key Points
There are three main types of IPv6 addresses:
Unicast. Identifies a single interface within the address scope. Packets that are addressed to this
address are delivered to a single interface.
Multicast. Identifies multiple interfaces and delivers packets to all interfaces that are identified by the
address. It is used for one-to-many communication over a network infrastructure.
Anycast. Identifies multiple interfaces, but delivers packets only to the nearest of them, as measured
by routing distance. It is used for one-to-one-of-many communication.

Types of Unicast IPv6 Addresses


Unicast addresses can have the following scopes:
Global. Global unicast addresses can be compared with public IPv4 addresses. This type of address is
globally routable throughout the IPv6 portion of the Internet. The addresses currently allocated for
global unicast use fall within 2000::/3; that is, the first three bits are 001, which distinguishes this type
of address from other IPv6 addresses.
Link-Local. Link-local addresses can be compared with IPv4 Automatic Private IP Addressing (APIPA),
which uses 169.254.0.0/16. IPv6 link-local addresses can communicate only with hosts on the same
link and are not routable. Every IPv6 interface configures a link-local address automatically. Link-local
addresses are taken from FE80::/10, and because the 54 bits that follow the prefix are zero, they always
begin with FE80 and are written as FE80::/64.
Unique-Local. Unique-local addresses represent an entire organizational site or a portion of the site.
This type of IPv6 address can be compared with the IPv4 private address spaces 10.0.0.0/8, 172.16.0.0/12,
and 192.168.0.0/16. Unique-local addresses are routable throughout an organization, but are not
routed outside of the organization network. Unlike link-local addresses, they are not generated by a
host on its own: an administrator assigns the prefix, either manually, through DHCPv6, or by having
routers advertise it so that hosts autoconfigure addresses from it. Unique-local addresses come from
FC00::/7; the only form defined so far is FD00::/8, in which the 40 bits after the prefix are a randomly
generated Global ID, so that prefixes chosen by different organizations are unlikely to collide if their
networks are later connected.


Note: Unique-local addresses replace a previous IPv6 type called site-local addresses, which were defined
for the block FEC0::/10. For more information on the deprecation of site-local addresses, read RFC 3879 at
http://tools.ietf.org/html/rfc3879.

Loopback Address. A loopback address is used to identify a loopback interface, which allows a node
to send packets to itself. The IPv6 loopback address is expressed as 0:0:0:0:0:0:0:1 or ::1. This can be
compared with the IPv4 loopback address of 127.0.0.1.


Address Autoconfiguration for IPv6

Key Points
A network client proceeds through several states as it goes through the autoconfiguration process, and
there are several ways to assign an IP address and additional options. Based on how the router is set up, a
client may use stateless configuration (no DHCP service) or stateful configuration with a DHCP server
involved. Stateful configuration can be used to assign an IP address and additional network settings, or
only to assign options such as DNS server addresses. The default gateway itself is always learned from
Router Advertisements, not from DHCPv6.
During autoconfiguration, the client computer proceeds through the following high-level process:

1. The IPv6 client autoconfigures a link-local address for each interface used to communicate with other
hosts on the same link.
2. Duplicate address detection, part of IPv6 Neighbor Discovery, sends a Neighbor Solicitation for the
tentative address to ensure that no other node on the link is already using it.

3. Router discovery takes place to determine the local routers on an attached link.

4. It is determined whether the node should use a stateful address protocol, such as DHCPv6, for
addresses and other configuration parameters. A host uses stateful address configuration when a
router advertisement is received with either the Managed Address Configuration flag or the Other
Stateful Configuration flag is set to 1. Stateful address configuration is also performed if there are no
routers on the local link.

5. All network prefixes defined for the link are obtained from the router. Prefixes include the range of
addresses for nodes on the local link and the valid and preferred lifetimes. If the appropriate stateful
flags are set, information may be obtained from DHCP.

Communication with DHCP


When an IPv6-based host attempts to communicate with a DHCP server, it already has a self-assigned
link-local address and sends its Solicit message to the All_DHCP_Relay_Agents_and_Servers multicast
address (FF02::1:2). This is different from IPv4, where a client that has no address yet must broadcast its
DHCP request from 0.0.0.0.


Using stateful configuration allows organizations to control how IP addresses are assigned by using
DHCPv6. By default, an IPv6 host uses stateless autoconfiguration, but will use stateful address
autoconfiguration, if the following is configured in the Router Advertisement message that a neighboring
router sends:
Managed Address Configuration flag. This flag is also known as the M flag. If this flag is set, it
instructs the IPv6 host to use DHCPv6 to obtain an IP address.
Other Stateful Configuration flag. This flag is also known as the O flag. If this flag is set, it
instructs the IPv6 host to use DHCPv6 to obtain other configuration settings, such as DNS server IP
addresses. If your organization wants to use technologies such as Network Access Protection
(NAP), you must configure clients with additional options that integrate with DHCP. If there are any
specific scope options that you need to configure, you need a DHCP server.
It is possible to use a combination of both stateless and stateful configuration. In such a case, you use
the router to advertise the address prefix (M flag clear) and DHCPv6 to assign other configuration
settings (O flag set).

Note: On Windows Server 2008-based routers, you can use the following command to configure the M
and O flags (the interface name must be quoted because it contains spaces):
netsh interface ipv6 set interface "Local Area Connection" managedaddress=enabled
otherstateful=enabled
The flags are carried only in Router Advertisements, so the interface must also have forwarding and
advertising enabled (the forwarding and advertise parameters of the same command) before any host
sees them. Hosts act on these flags from any Router Advertisement they receive on the link, so on
segments with untrusted devices, pair this configuration with RA Guard (RFC 6105) on the switch to
block advertisements from unauthorized ports.
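Setting the flags and checking that hosts will actually receive them, as an added example that is not part of the course text. The M and O flags travel only inside Router Advertisements, so the script also turns on forwarding and advertising on the interface and then reads all four settings back from the output of netsh interface ipv6 show interface. It assumes an interface named Local Area Connection, an elevated session on a Windows Server 2008 R2 router and English-language netsh output; advertising a default route (the advertisedefaultroute parameter) and publishing routes are separate settings that it does not touch.

```powershell
# Added example (not part of the course text): setting the M and O flags on
# a Windows Server 2008 R2 router interface and checking the result. The
# flags only reach hosts inside Router Advertisements, so the interface must
# also be forwarding and advertising; the script checks all four settings by
# parsing "netsh interface ipv6 show interface". Assumptions: the interface
# is named "Local Area Connection", the session is elevated, and netsh
# prints English setting names.

function Get-IPv6InterfaceSetting {
    param([string]$Interface, [string]$Setting)
    $lines = netsh interface ipv6 show interface "$Interface"
    foreach ($line in $lines) {
        # Rows look like "Managed Address Configuration      : disabled"
        if ($line -match ('^\s*' + [regex]::Escape($Setting) + '\s*:\s*(\S+)')) { return $Matches[1] }
    }
    return $null
}

function Set-IPv6RouterFlags {
    param([string]$Interface, [bool]$Managed, [bool]$OtherStateful)
    $m = if ($Managed) { 'enabled' } else { 'disabled' }
    $o = if ($OtherStateful) { 'enabled' } else { 'disabled' }
    # Forwarding and advertising are prerequisites: without them no Router
    # Advertisement is sent and the M/O flags are never seen by hosts.
    netsh interface ipv6 set interface "$Interface" forwarding=enabled advertise=enabled "managedaddress=$m" "otherstateful=$o"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE." }

    # Read every setting back rather than trusting the exit code alone.
    $expected = @{
        'Forwarding'                    = 'enabled'
        'Advertising'                   = 'enabled'
        'Managed Address Configuration' = $m
        'Other Stateful Configuration'  = $o
    }
    foreach ($name in $expected.Keys) {
        $actual = Get-IPv6InterfaceSetting -Interface $Interface -Setting $name
        if ($actual -ne $expected[$name]) {
            throw "$name is '$actual', expected '$($expected[$name])'."
        }
        Write-Host ('{0,-32} {1}' -f $name, $actual)
    }
}

# M=1, O=1: hosts on the link use DHCPv6 for both addresses and other options.
Set-IPv6RouterFlags -Interface 'Local Area Connection' -Managed $true -OtherStateful $true
```

For the combined mode described above (prefix from the router, other options from DHCPv6), call the function with -Managed $false -OtherStateful $true.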

Autoconfigured Address States


Autoconfigured addresses are in one or more of the following states:
Tentative. Verification occurs to determine whether the address is unique. This verification is called
duplicate address detection. A node cannot receive unicast traffic to a tentative address. It can,
however, receive and process multicast Neighbor Advertisement messages sent in response to the
Neighbor Solicitation message that was sent during duplicate address detection. This ensures that the
interface can validate that its address is unique.
Valid. The address has been verified as unique, and can send and receive unicast traffic. The valid
state covers the preferred and deprecated states. The Valid Lifetime field in the Prefix Information
option of a Router Advertisement message determines the time that an address remains in the
tentative and valid states. The valid lifetime must be greater than or equal to the preferred lifetime. A
valid address is either preferred or deprecated.
Preferred. The address enables a node to send and receive unicast traffic. The Preferred Lifetime
field in the Prefix Information option of a Router Advertisement message determines the time that
an address can remain in the tentative and preferred states.
Deprecated. The address is valid, but its use is discouraged for new communication. Existing
communication sessions can continue to use a deprecated address. A node can send and receive
unicast traffic to and from a deprecated address.
Invalid. The address no longer allows a node to send or receive unicast traffic. An address enters the
invalid state after the valid lifetime.

IPv6 over IPv4 Tunneling

Key Points
As organizations transition from an IPv4-only network to IPv6, hosts must be able to communicate by
using both IP standards. Windows Vista, Windows 7, and Windows Server 2008 support a dual layer IP
architecture that contains both IPv4 and IPv6 Internet layers with a single implementation of the protocol
stack. This dual layer architecture allows for IPv4 packets, IPv6 packets, and IPv6 over IPv4 packets.
Windows Server 2003 and Windows XP use a dual stack architecture that contains a separate
implementation of TCP and UDP for both IPv4 and IPv6. The dual stack architecture provides the same
functionality as dual layer IP architecture to provide support for legacy operating systems.
To communicate over an IPv4 infrastructure, IPv4 tunneling can be used. IPv6 over IPv4 tunneling
encapsulates IPv6 packets within an IPv4 header so that IPv6 packets can be sent over an IPv4
infrastructure.

Within the IPv4 header:


The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints. You can
configure tunnel endpoints manually as part of the tunnel interface. Otherwise, they are derived
automatically from the next-hop address of the matching route for the destination and the tunneling
interface.

Overview of IPv6 Tunneling Technologies

Key Points
The tunneling technologies used for IPv6 over IPv4 tunneling include:
ISATAP. Local intranets can use Intra-site Automatic Tunnel Addressing Protocol (ISATAP), which
takes advantage of neighbor discovery and autoconfiguration, and it is the primary way in which
internal IPv6 nodes communicate over IPv4. ISATAP uses the interface identifier ::0:5EFE:w.x.y.z,
where w.x.y.z is the private IPv4 address. For public IPv4 addresses, the identifier is written as
::200:5EFE:w.x.y.z.

To allow for ISATAP hosts to communicate between subnets, an ISATAP router can be deployed. An
ISATAP router is an IPv6-based router, which can be used to advertise address prefixes, forward
packets between subnets, and act as a default router for ISATAP hosts.

Note: Windows Server 2008, Windows Vista Service Pack 1, and later do not automatically configure
link-local ISATAP addresses, unless the name ISATAP can be resolved to an ISATAP-based router.

6to4. 6to4 tunneling allows IPv6 routers to communicate over the IPv4 Internet. 6to4 is also
autoconfigured on the host and may require the manual configuration of a 6to4 router. 6to4
addressing converts a standard IPv4 address to an equivalent 6to4 address. For example, IPv4 address
157.60.0.1 would be converted to 2002:9D3C:1::/48. A 6to4 address always starts with 2002.
Teredo. Teredo is a tunneling technology that traverses IPv4 NATs to allow IPv6 networks to
communicate.
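The address formats above (the 6to4 prefix derived from 157.60.0.1 and the ISATAP ::0:5EFE / ::200:5EFE interface identifiers) can be computed and recognized mechanically, which is useful when reviewing which tunneled traffic is present on a network. This is an added example, not code from the course; the Teredo decoding goes beyond the page and follows the RFC 4380 layout (server IPv4, flags, obfuscated port and client IPv4), and the function names are the example's own.

```python
import ipaddress

# Well-known prefixes: 6to4 ("a 6to4 address always starts with 2002") and
# Teredo (RFC 4380); the Teredo field layout is an addition beyond the page.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
ISATAP_TAG = 0x5EFE              # fixed 16-bit tag inside an ISATAP interface identifier
ISATAP_PUBLIC_BIT = 0x02000000   # the "200" in ::200:5EFE:w.x.y.z (public IPv4 address)


def six_to_four_prefix(ipv4: str) -> str:
    """Return the /48 6to4 prefix derived from a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002 occupies the top 16 bits, the IPv4 address the next 32 bits.
    prefix_int = (0x2002 << 112) | (v4 << 80)
    return str(ipaddress.IPv6Network((prefix_int, 48)))


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> str:
    """Build <64-bit prefix> + ::0:5EFE:w.x.y.z (or ::200:5EFE:w.x.y.z for a public IPv4)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers require a /64 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    iid = (ISATAP_TAG << 32) | v4
    if public:
        iid |= ISATAP_PUBLIC_BIT << 32
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def classify(addr: str) -> dict:
    """Identify the transition mechanism of an IPv6 address and recover the embedded IPv4 data."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in SIX_TO_FOUR:
        return {"mechanism": "6to4",
                "ipv4": str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))}
    if a in TEREDO:
        # 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
        return {"mechanism": "Teredo",
                "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
                "flags": (n >> 48) & 0xFFFF,
                "port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
                "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))}
    iid_high = (n >> 32) & 0xFFFFFFFF
    if iid_high & (0xFFFFFFFF ^ ISATAP_PUBLIC_BIT) == ISATAP_TAG:
        return {"mechanism": "ISATAP",
                "ipv4": str(ipaddress.IPv4Address(n & 0xFFFFFFFF)),
                "public": bool(iid_high & ISATAP_PUBLIC_BIT)}
    return {"mechanism": "native"}


if __name__ == "__main__":
    print(six_to_four_prefix("157.60.0.1"))            # the page's example
    print(isatap_address("fe80::/64", "10.0.0.1"))
    print(classify("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```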

IPv6 changes in Windows Server 2008 R2 and Windows 7

Note: The content in this section only applies to Windows Server 2008 R2 and Windows 7.

Windows Server 2008 R2 and Windows 7 introduce additional support for IPv6. New features include:
IP-HTTPS. As discussed earlier, 6to4 and Teredo are used to tunnel IPv6 traffic across the IPv4
Internet. However, there may be situations where firewalls or web proxy servers are configured to
block this type of traffic. Windows 7 and Windows Server 2008 R2 can use IP-HTTPS to establish
connectivity through firewalls or web proxy servers. IP-HTTPS tunnels IPv6 packets inside an IPv4-
based secure HTTPS session. You can configure IP-HTTPS by using Netsh.exe or Group Policy settings.
Teredo Server and Relay. Windows Server 2008 R2 includes support for configuring a Teredo server
and relay functionality. When implemented, a client communicates with a Teredo server to configure
a Teredo-based IPv6 address and initiate communication with other Teredo clients on the Internet.
Windows Server 2008 R2 DirectAccess uses the Teredo server functionality to facilitate DirectAccess
with Internet-based clients.
Group Policy Settings for Transition Technologies. Windows Server 2008 R2 and Windows 7
provide Group Policy settings related to IP-HTTPS, Teredo, 6to4, and ISATAP. You can find these
settings in the Group Policy Management Editor at:
Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6
Transition Technologies

Lesson 2
Overview of the DNS Server Role

The DNS server role is a critical component of a Windows Server 2008 domain infrastructure. DNS
provides name resolution and service location to clients on the network. This lesson provides general
information about the DNS server role and how the DNS name space works. This lesson also provides
details about what has changed for the DNS server role in Windows Server 2008 and Windows Server
2008 R2.

Objectives
After completing this lesson, you will be able to:
Describe DNS enhancements for Windows Server 2008.
Describe the types of DNS Resource Records that are available.
Describe how name resolution works in DNS.
Describe how DNS Forwarding works.
Describe how Conditional Forwarding works.
Configure DNS Forwarding.

DNS Enhancements in Windows Server 2008

Key Points
Windows Server 2008 and Windows Server 2008 R2 both provide enhancements to DNS that improve the
performance of DNS.

DNS Improvements in Windows Server 2008


Windows Server 2008 includes several enhanced features that improve the DNS server role. These features
include:
Background zone loading. DNS servers that host large DNS zones that are stored in AD DS are able
to respond to client queries quicker during restarts, because zone data is now loaded in the
background during the startup process.
IP version 6 support. The DNS server role fully supports IPv6, which includes IPv6 host records
(AAAA records) and IPv6 reverse lookup zones.
Support for read-only domain controllers. The DNS Server role in Windows Server 2008 provides
support for primary read-only zones on read-only domain controllers (RODCs). The RODC is a new
type of domain controller that is typically deployed to remote sites that lack physical security. An
RODC is not allowed to write information back to the full Active Directory servers and DNS servers.
When you install the DNS Server service on an RODC, a read-only copy of the Domain DNS zone
(DomainDNSZones) and the Enterprise DNS zone (ForestDNSZones) is replicated to the RODC. Clients
can query DNS on an RODC but cannot update information directly.
Global single names. The DNS Server service in Windows Server 2008 provides a new zone type
called the GlobalNames zone (GNZ), which you can use to hold unique, single-label names across an
entire forest. This eliminates the need to use the NetBIOS-based Windows Internet Name Service
(WINS) to provide support for single-label names. The GNZ provides single-label name resolution for
large enterprise networks that do not deploy WINS. Some networks may require the ability to resolve
static, global records with single-label names that WINS currently provides. These single-label names
refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually
created and does not support dynamic registration of records. The GNZ is intended to help
organizations migrate from WINS to DNS for all name resolution requirements. To create a GNZ,
simply create an AD DS-integrated forward lookup zone called GlobalNames. After the zone is
created, it can be enabled by using the following command on every authoritative DNS server in the
forest:

Dnscmd <ServerName> /config /enableglobalnamesupport 1

Global query block list. By default, well-known host names for services such as Web Proxy Auto-
Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are
listed in a global query block list. This is to help reduce the chance of malicious users from
dynamically registering host computers that pose as legitimate servers for these services. If you need
to use these services, you have to specifically remove the WPAD or ISATAP name from the global
query block list. To modify the block list, you can use the dnscmd command-line tool.

Note: For more information about the DNS server global query block list, read the DNS server global
query block list.

DNS Improvements in Windows Server 2008 R2

Note: The content in this section applies only to Windows Server 2008 R2 and Windows 7.

In addition to the enhancements listed above, Windows Server 2008 R2 and the Windows 7 client support
several additional features. These features include:
DNS Security Extensions (DNSSEC). DNSSEC provides the ability for a DNS zone and all records in
the zone to be cryptographically signed. DNS is often subject to various attacks, such as man-in-the-
middle, spoofing, and cache-poisoning. DNSSEC helps protect against these threats and provides a
more secure DNS infrastructure. When a DNS server hosting a signed zone receives a query, it returns
the digital signatures in addition to the records queried for. A resolver or another server can obtain
the public key of the public/private key pair and validate that the responses are authentic and have
not been tampered with. To do so, the resolver or server must be configured with a trust anchor for
the signed zone, or for a parent of the signed zone. The DNSSEC implementation in Windows Server
2008 R2 DNS server provides the ability to sign both file-backed and Active Directory-integrated
zones through an offline zone signing tool. This signed zone will then replicate or zone transfer to
other authoritative DNS servers. When configured with a trust anchor, a DNS server is capable of
performing DNSSEC validation on responses received on behalf of the client.
DNS Devolution. Devolution is a feature of the DNS client that allows network hosts to resolve server
names by appending portions of the primary DNS domain suffix. For example, when a client that is a
member of corp.contoso.com attempts to resolve the name fileserver, the client will attempt to
resolve fileserver.corp.contoso.com and fileserver.contoso.com. In previous versions of Windows, DNS
devolution is always set to 2. This can cause problems with organizations that use more than two
labels for their root domain. Windows Server 2008 and Windows 7 change this default configuration
so that the devolution level is automatically set to the number of labels in the forest root domain. For
example, if the forest root domain is corp.contoso.com, the devolution level is set to 3. When a client
attempts to resolve the name fileserver, it will only attempt fileserver.corp.contoso.com and not
attempt to resolve the second level domain name of contoso.com.
DNS Cache Locking. When a recursive DNS server responds to a query, it will cache the results
obtained so that it can respond quickly if it receives another query requesting the same information.
The period of time the DNS server will keep information in its cache is determined by the Time to Live
(TTL) value for a resource record. Until the TTL period expires, information in the cache might be
overwritten if updated information about that resource record is received. When you enable cache
locking, the DNS server will not allow cached records to be overwritten for the duration of the TTL
value. Cache locking provides for enhanced security against cache-poisoning attacks.

DNS Socket Pool. When the DNS service starts, the server will pick a source port from a pool of
available sockets to be used for issuing queries. Instead of using a predictable source port, the DNS
server uses a random port number selected from the socket pool. The socket pool makes cache-
poisoning attacks more difficult because an attacker must correctly guess the source port of a DNS
query in addition to a random transaction ID to successfully execute the attack.
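The devolution rule described above (fixed level 2 versus a level equal to the number of labels in the forest root) can be made concrete by listing the names a client would try for a single-label query. This is an added example, not the course's or the Windows DNS client's code; the function names are the example's own, names containing a dot are returned unchanged as a simplifying assumption, and corp.contoso.com is the page's example domain.

```python
from typing import List, Optional


def devolution_candidates(name: str, primary_suffix: str,
                          forest_root: Optional[str] = None,
                          level: Optional[int] = None) -> List[str]:
    """Return the FQDNs a client tries, in order, for a single-label name.

    level:       explicit devolution level (devolution stops once the suffix has
                 fewer labels than this).
    forest_root: if given and level is None, level = number of labels in the forest
                 root domain (the Windows Server 2008 R2 / Windows 7 default).
    If neither is given, the older fixed level of 2 is assumed.
    Names that already contain a dot are returned unchanged (simplifying assumption).
    """
    if "." in name.strip("."):
        return [name]
    labels = primary_suffix.strip(".").split(".")
    if level is None:
        level = len(forest_root.strip(".").split(".")) if forest_root else 2
    candidates = []
    while len(labels) >= level:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]          # drop the leftmost label and try the parent
    return candidates


def leaves_forest(candidates: List[str], forest_root: str) -> List[str]:
    """Candidates outside the forest root namespace: these queries leave the
    organization's own DNS zones, which is the problem the new default avoids."""
    root = "." + forest_root.strip(".")
    return [c for c in candidates if not c.endswith(root)]


if __name__ == "__main__":
    old = devolution_candidates("fileserver", "corp.contoso.com", level=2)
    new = devolution_candidates("fileserver", "corp.contoso.com",
                                forest_root="corp.contoso.com")
    print("level 2:", old)
    print("R2 default:", new)
    print("leaves forest:", leaves_forest(old, "corp.contoso.com"))
```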
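The two protections just described, cache locking and a randomized source-port pool, can be illustrated with a small resolver-cache model: an answer is only accepted when it matches an outstanding query's (port, transaction ID) pair, and a cached record is not overwritten until a configurable percentage of its TTL has elapsed. This is an added example, not the Windows DNS Server implementation; the class and method names, the contiguous port range and the lock_percent parameter are the example's own assumptions.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CacheEntry:
    rdata: str
    inserted: float   # time (seconds) the record entered the cache
    ttl: int          # seconds the record may be served


class LockingResolverCache:
    """Toy recursive-resolver cache showing cache locking and a source-port pool.

    Assumptions (not Windows internals): the pool is a contiguous range of
    ephemeral ports, and lock_percent is the share of the TTL during which an
    existing record cannot be replaced (100 = locked for the whole TTL).
    """

    def __init__(self, lock_percent: int = 100, pool_size: int = 2500,
                 first_port: int = 49152, seed: Optional[int] = None):
        self.lock_percent = lock_percent
        self.ports = range(first_port, first_port + pool_size)
        self.rng = random.Random(seed)
        self.cache: Dict[str, CacheEntry] = {}
        self.pending: Dict[Tuple[int, int], str] = {}   # (port, txid) -> queried name

    def send_query(self, name: str) -> Tuple[int, int]:
        """Pick a random source port from the pool and a random 16-bit transaction ID."""
        key = (self.rng.choice(self.ports), self.rng.randrange(0x10000))
        self.pending[key] = name
        return key

    def receive(self, port: int, txid: int, name: str, rdata: str,
                ttl: int, now: float) -> str:
        """Accept an answer only if it matches an outstanding query on (port, txid)."""
        if self.pending.get((port, txid)) != name:
            return "dropped"            # unsolicited or mismatched answer
        del self.pending[(port, txid)]
        return self.put(name, rdata, ttl, now)

    def put(self, name: str, rdata: str, ttl: int, now: float) -> str:
        """Insert a record unless cache locking still protects the existing one."""
        entry = self.cache.get(name)
        if entry is not None:
            locked_until = entry.inserted + entry.ttl * self.lock_percent / 100
            if now < locked_until:
                return "locked"         # keep the record already in the cache
        self.cache[name] = CacheEntry(rdata, now, ttl)
        return "cached"

    def lookup(self, name: str, now: float) -> Optional[str]:
        """Return the cached data if the record has not expired."""
        entry = self.cache.get(name)
        if entry is None or now >= entry.inserted + entry.ttl:
            return None
        return entry.rdata


if __name__ == "__main__":
    cache = LockingResolverCache(lock_percent=100, seed=7)
    port, txid = cache.send_query("www.adatum.com")        # constructed name
    print(cache.receive(port, txid, "www.adatum.com", "192.0.2.10", 3600, now=0))
    print(cache.put("www.adatum.com", "198.51.100.99", 3600, now=1800))   # locked
    print(cache.lookup("www.adatum.com", now=1800))
```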

DNS Resource Records

Key Points
Many organizations implement DNS to support both an internal Active Directory scope as well as an
external Internet presence. With both types of implementations, resource records are used to provide the
name and service resolution requirements for your network.

Resource records contain information about the resources that are managed within a specific DNS zone.
They include information such as the owner of the record, the resource record type, how long the
resource record can remain in the cache, and data specific to the resource record, such as a host IP
address.
Resource records can be added manually, or they can be added automatically by using a process called
dynamic update.

The following table describes the most common types of resource records:

DNS Resource Record   Description

SOA      Start of Authority resource record identifies the primary name server for a
         DNS zone.

NS       Name Server resource record identifies all the name servers in a domain.

A        Host (A) resource record is the main record that maps a host name to an IP
         address.

AAAA     IPv6 Host resource record is used to map host names to IPv6 IP addresses.

CNAME    Alias (CNAME) resource record is an alias record type used to point more
         than one name to a single host. For example, www can be used to point to a
         DNS host name called Server1.

MX       Mail exchanger resource record is used to specify an email server for a
         particular domain.

SRV      Service location resource record identifies a service that is available in the
         domain, such as a domain controller or global catalog server. Active Directory
         uses these records extensively.

PTR      Pointer resource record is used to look up and map an IP address to a
         domain name. The reverse lookup zone stores the addresses.

How DNS Name Resolution Works

Key Points
DNS name resolution begins with a query from a client to a DNS server. A DNS query can be of two types:
recursive and iterative.
Recursive. By default, when a DNS server receives a query request from a client, the query is
recursive. Recursion is where the DNS server either answers the query or continues to query other
DNS servers on behalf of the requesting client. The recursive query has one of two possible outcomes:
either the IP address of the host is returned to the requesting client, or an error message stating that
the server cannot resolve the IP address is sent to the requesting client.

Note: If a DNS server is not intended to receive recursive queries, recursion should be disabled on that
server by using the DNS Manager or the dnscmd command-line utility. If you disable recursion on a
DNS server, root hints will not be queried, and you will not be able to use forwarders to other DNS
servers for name resolution.

Iterative. When a DNS server receives a request from a client that it cannot answer by using its local
or cached information, it forwards the request to another DNS server by using an iterative query.
When a DNS server receives an iterative query, it may answer with either the IP address for the
requested host name (if known) or by referring the request to the DNS servers that are responsible for
the domain being queried.
A DNS server can be either authoritative or nonauthoritative for the query's namespace.
Authoritative. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS
zone. If the DNS server is authoritative for the query's namespace, the DNS server will check the zone
and either return the requested address or return an authoritative denial of the request because the
name does not exist in the zone.

Nonauthoritative. If the local DNS server is nonauthoritative for the query's namespace, the DNS
server will do one of the following:
Check its cache and return a cached response.
Forward the unresolvable query to a specific server called a forwarder.
Use root hints to well-known addresses of multiple root servers to find an authoritative DNS
server to resolve the query.

DNS Forwarding

Key Points
DNS Forwarding can be used to manage name resolution for names outside your network. Using a
forwarder, you can minimize the work and traffic that results from your DNS server performing its own
iterative queries.

When you designate a server as a forwarder, that server is responsible for all external queries. Many
organizations designate an external DNS forwarder located at an ISP, which contains a large cache of
external DNS information due to the extensive amount of DNS queries that are resolved through it.

When a DNS server sends a request to a forwarder, the request is a recursive query. This is different from
the standard name resolution, which uses iterative queries to other DNS servers.

Note: By default, root hints will be used if no forwarders are available. You can use DNS Manager to
modify this default setting on the properties of the DNS server.

What Is Conditional Forwarding?

Key Points
You can use a conditional forwarder to provide more efficient name resolution between specific DNS
namespaces.

For example, you can configure a DNS server to forward all queries that it receives for names ending with
adatum.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. Any
query that is specific to the adatum.com domain will be forwarded directly to the appropriate DNS server
instead of the standard iterative query process.

Windows Server 2008 also provides the ability to store conditional forwarders in Active Directory. If you
configure a conditional forwarder to be stored in Active Directory, you can choose to replicate it to all
DNS servers in the forest, all DNS servers in the domain, or all domain controllers in the domain.

Note: If you have conditional forwarders defined for a specific domain, the conditional forwarders will
be used instead of server-based forwarders.

Demonstration: How to Configure DNS Forwarding

Key Points
In this demonstration, you will see how to:
Configure a DNS Forwarder.
Configure a Conditional Forwarder.

Demonstration Steps:
1. Open the DNS Manager.

2. Right-click the server name and then click Properties.

3. In the server properties dialog box, click the Forwarders tab, and then configure a forwarder. Click
OK to close the properties dialog box.

4. To configure a conditional forwarder, click the Conditional Forwarders node.

5. Right-click the Conditional Forwarders node and click New Conditional Forwarder. Configure the
conditional forwarder by providing the DNS domain and IP address of the authoritative server.

6. Configure the conditional forwarder to be stored in Active Directory and configure replication
requirements.

Lesson 3
Configuring DNS Zones

A DNS zone hosts all or a portion of a DNS domain. A zone is typically configured to be a forward or a
reverse lookup zone and can be replicated to additional DNS servers for redundancy. Zone data can be
stored in a local file that contains the mapping information, or a zone can be integrated into Active
Directory to provide enhanced security and availability. This lesson provides information on the types of
DNS zones and how zones can be replicated between DNS servers.

Objectives
After completing this lesson, you will be able to:
Describe forward and reverse lookup zones.
Describe DNS zone types.
Describe the use and requirements for Active Directory integrated zones.
Create forward and reverse lookup zones.
Describe DNS zone transfer.
Manage DNS zone settings.
Identify tools used to troubleshoot DNS.

What Are Forward and Reverse Lookup Zones?

Key Points
You can configure a DNS server to host both forward lookup zones and reverse lookup zones. Each of
these zone types provides name resolution capabilities as described below.

Forward Lookup Zone


DNS clients use a forward lookup zone to resolve an IP address to a DNS domain name or a network
service. This zone hosts the common DNS records such as the Start of Authority (SOA), Name Server (NS),
Host (A) records, and Active Directory-based SRV records.

Reverse Lookup Zone


DNS can also be configured with a reverse lookup zone to support the reverse lookup process. When
configured, a DNS client can use a known IP address and look up a computer name based on its address.

To support reverse lookup queries, two special domains have been standardized for DNS:
In-addr.arpa. The in-addr.arpa domain is reserved in the DNS namespace to provide a way to
perform reverse queries for IPv4-based IP addresses. The reverse namespace consists of subdomains
within the in-addr.arpa domain, which use the reverse ordering of the octets of an IP address.
Ip6.arpa. The Ip6.arpa domain provides reverse lookup for IPv6-based IP addresses.
A reverse lookup zone is optional. However, you may need to configure a reverse lookup zone if you have
applications that rely on looking up hosts by their IP addresses. Many applications will log this information
in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the
host by using the reverse zone information. In addition, many email security gateways use reverse lookups
to validate that the IP address sending messages is associated with an authorized and approved domain.

To support reverse lookup functionality, perform the following tasks:

1. Create a reverse lookup zone that corresponds to the subnet network address.

2. In the reverse lookup zone, add a pointer record that maps the IP address to the host name.
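The two tasks above (name the reverse zone for a subnet, then add the PTR record) and the email-gateway check mentioned earlier can be worked through offline: the code derives in-addr.arpa / ip6.arpa zone names from a network, builds the PTR owner name for a host, and performs a forward-confirmed reverse lookup over constructed A and PTR tables. This is an added example, not the course's own material; the function names and the sample records under corp.contoso.com are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa / ip6.arpa zone that covers `network`.

    IPv4 zones sit on octet boundaries (/8, /16, /24); IPv6 zones on nibble
    boundaries (multiples of 4 bits), matching what the reverse namespace can express.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        bits_per_label, addr_labels = 8, 4      # one octet per label
    else:
        bits_per_label, addr_labels = 4, 32     # one hex nibble per label
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{network}: prefix must be a multiple of {bits_per_label} bits")
    labels = net.network_address.reverse_pointer.split(".")
    keep = net.prefixlen // bits_per_label
    return ".".join(labels[addr_labels - keep:])


def ptr_record(ip: str, hostname: str) -> Tuple[str, str, str]:
    """(owner, type, target) for the PTR record that maps `ip` back to `hostname`."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    return (owner, "PTR", hostname.rstrip(".") + ".")


def zone_for_ip(ip: str, zones: List[str]) -> Optional[str]:
    """The most specific configured reverse zone that would hold the PTR for `ip`."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    for zone in sorted(zones, key=lambda z: z.count("."), reverse=True):
        if owner.endswith("." + zone):
            return zone
    return None


def forward_confirmed(ip: str, ptr: Dict[str, List[str]],
                      a: Dict[str, List[str]]) -> Optional[str]:
    """Forward-confirmed reverse DNS: PTR(ip) -> name and A/AAAA(name) -> ip must agree.

    Returns the confirmed host name, or None when the records do not match (the
    situation an email security gateway treats as unverified).
    """
    owner = ipaddress.ip_address(ip).reverse_pointer
    for name in ptr.get(owner, []):
        if ip in a.get(name, []):
            return name
    return None


# Constructed sample records (not from any real zone).
PTR_RECORDS: Dict[str, List[str]] = {
    "25.0.0.10.in-addr.arpa": ["mail.corp.contoso.com"],
    "26.0.0.10.in-addr.arpa": ["www.corp.contoso.com"],
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.corp.contoso.com": ["10.0.0.25"],
    "www.corp.contoso.com": ["10.0.0.99"],     # PTR and A disagree on purpose
}

if __name__ == "__main__":
    print(reverse_zone_name("10.0.0.0/24"))
    print(ptr_record("10.0.0.25", "mail.corp.contoso.com"))
    print(forward_confirmed("10.0.0.25", PTR_RECORDS, A_RECORDS))
    print(forward_confirmed("10.0.0.26", PTR_RECORDS, A_RECORDS))
```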

DNS Dynamic Update


Forward and reverse lookup zones both support the ability to perform dynamic updates. These updates
enable DNS clients to automatically register and update their resource records whenever changes occur.

Dynamic updates take place in the following instances:


At startup time when the computer is turned on.
When the ipconfig /registerdns command is used to manually force a refresh of the client name
registration.
When an IP address lease changes or is renewed.
When an IP address is added, removed, or modified in the TCP/IP properties of the client.

What Are DNS Zone Types?

Key Points
A forward or reverse lookup zone can be configured to support one of three main types of zones:
Primary zone
Secondary zone
Stub zone

Primary Zone
With a standard primary zone, all DNS records are stored in a zone data file located on the DNS server
called zone_name.dns (where zone_name is the name of the zone) which is stored in the
%windir%\System32\Dns folder. When a zone file is used, the server hosting the Primary zone is the only
server that has a writable copy of the DNS database. If the DNS server is a writable domain controller, you
can also choose to store the zone data in Active Directory Domain Services to provide efficient replication
and increased security of the DNS infrastructure. With Active Directory-integrated primary zones, all data
for a zone resides in the directory.

Secondary Zone
A secondary zone is a copy of a primary zone that is hosted on another DNS server. A secondary zone
must be obtained from another DNS server, and is used to provide load balancing and redundancy for
name resolution.

Secondary zones cannot be stored in AD DS.

Stub Zone
A stub zone is a specific type of zone that only provides information about the authoritative name servers
for the zone. When you create a stub zone, you specify one or more authoritative DNS servers that host
the zone. The stub zone replicates data from the authoritative server: the SOA resource record, the NS
resource records, and the glue records (host (A) records) that are used to locate the name servers.


Stub zones are quite useful when an organization contains a large AD DS forest structure consisting of
several parent and child domains. Stub zones are used in this scenario to:
Improve name resolution. When a DNS client queries the DNS server hosting a stub zone, the DNS
server performs recursion by using the stub zone's list of name servers. This minimizes the need to
query the Internet or the root hints to perform name resolution.
Maintain delegated zone information. The stub zone is updated regularly to ensure that the
current list of authoritative name servers is provided in the stub zone.
Minimize zone transfer traffic. You can use stub zones to distribute a list of authoritative DNS
servers for a zone without using secondary zones. This can minimize zone transfer traffic and improve
name resolution efficiency. However, stub zones do not enhance redundancy or provide load sharing
capabilities like secondary zones.

Note: A stub zone can be configured to store its zone data in Active Directory.


What Is an Active Directory-Integrated Zone?

Key Points

Primary and stub zones can be stored in the AD DS database when the DNS server is an AD DS
domain controller. This creates an Active Directory-integrated zone. The benefits of Active
Directory-integrated zones are significant:
Multimaster updates. Unlike standard primary zones, which can be modified only by a single
primary server, Active Directory-integrated zones can be written to by any DC to which the zone is
replicated. This removes a single point of failure in the DNS infrastructure. It is particularly important
in geographically distributed environments that use dynamic update zones, because they allow clients
to update their DNS records without having to connect to a potentially distant primary server.
Replication of DNS zone data by using AD DS replication. One of the characteristics of Active
Directory replication is attribute-level replication, in which only changed attributes are replicated. An
Active Directory-integrated zone can leverage these benefits of Active Directory replication, rather
than replicating the entire zone file as in traditional DNS zone transfer models.
Secure dynamic updates. An Active Directory-integrated zone can enforce secure dynamic updates.
When you configure an Active Directory-integrated zone to support secure dynamic updates, you can
then use the access control list (ACL) to specify which users or groups have the ability to modify the
zone and the records in the zone. When you create a new Active Directory-integrated zone, it is
configured to use secure dynamic updates by default. Members of the Authenticated Users group are
able to create a new object in the zone. Also, by default, when an authenticated user or computer
creates an object in the zone, it is considered the owner of the object and has full control to modify
or remove the DNS registration as needed.
Granular security. As with other Active Directory objects, an Active Directory-integrated zone allows
you to delegate administration of zones, domains, and resource records by modifying the access
control list (ACL) on the object.


Demonstration: How to Create Forward and Reverse Lookup Zones

Key Points
In this demonstration, you will see how to:
Create a forward lookup zone.
Create a reverse lookup zone.

Demonstration Steps:
1. Open the DNS Manager.

2. Right-click the Forward Lookup Zones node and then click New Zone.

3. Use the New Zone Wizard to create the new forward lookup zone.

4. Right-click the Reverse Lookup Zones node and then click New Zone.

5. Use the New Zone Wizard to create the new reverse lookup zone.


Overview of DNS Zone Transfer

Key Points
A zone transfer occurs when a zone is transferred from one DNS server to another DNS server. Zone
transfers synchronize primary and secondary DNS server zones.

A full zone transfer occurs when the entire zone is copied from one DNS server to another. A full zone
transfer is known as an All Zone Transfer (AXFR).

An incremental zone transfer occurs when there is an update to the DNS server, and only the resource
records that were changed are replicated to the other server. This is an Incremental Zone Transfer (IXFR).

Windows Servers also perform fast transfers, which is a type of zone transfer that uses compression and
sends multiple resource records in each transmission.

Not all DNS server implementations support incremental and fast zone transfers. When integrating a
Windows Server 2008 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must
ensure that the BIND version that is installed supports the features you need.

You can configure zone transfers from the Zone Transfers tab of the zone properties dialog box.

DNS Notify
By default, secondary servers query for updated information every 15 minutes. To ensure that secondary
servers receive zone changes as quickly as possible, you can configure the source server to notify specified
secondary servers when a zone is updated.
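The following is an added example, not code from the course or from the Windows DNS Server service: a small model of the primary/secondary exchange described above, showing an AXFR on first contact, an IXFR when the primary still has history for the secondary's serial, the fallback to AXFR when it does not, a refused transfer from a host that is not on the zone's transfer list, and the NOTIFY that makes a listed secondary refresh at once instead of waiting for its polling interval. The class names, the JOURNAL_DEPTH constant, the serials, addresses and records are all constructed for the illustration.

```python
# Added example (not course code): model of AXFR, IXFR, transfer restriction and DNS Notify.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Record = Tuple[str, str, str]          # (owner name, type, data)
JOURNAL_DEPTH = 2                      # constructed: how many serial steps of history the primary keeps


@dataclass
class PrimaryZone:
    name: str
    serial: int                                   # SOA serial; secondaries compare against it
    records: Set[Record]
    allowed_secondaries: Set[str]                 # "Only to the following servers" on the Zone Transfers tab
    notify_list: Set[str] = field(default_factory=set)
    journal: List[Tuple[int, Set[Record], Set[Record]]] = field(default_factory=list)

    def update(self, added: Set[Record] = frozenset(), removed: Set[Record] = frozenset()) -> List[str]:
        """Apply a change, bump the serial, journal the delta and return the servers to NOTIFY."""
        self.records = (self.records - removed) | added
        self.serial += 1
        self.journal.append((self.serial, set(added), set(removed)))
        self.journal = self.journal[-JOURNAL_DEPTH:]
        return sorted(self.notify_list)

    def transfer(self, requester_ip: str, have_serial: Optional[int]) -> dict:
        """Serve AXFR (have_serial None) or IXFR from have_serial, enforcing the transfer list."""
        if requester_ip not in self.allowed_secondaries:
            return {"status": "REFUSED"}          # unlisted hosts cannot pull (enumerate) the zone
        if have_serial == self.serial:
            return {"status": "NOERROR", "kind": "up-to-date", "serial": self.serial}
        if have_serial is not None and any(s == have_serial + 1 for s, _, _ in self.journal):
            deltas = [j for j in self.journal if j[0] > have_serial]
            return {"status": "NOERROR", "kind": "IXFR", "serial": self.serial, "deltas": deltas}
        # No usable history (first transfer, or secondary too far behind): fall back to a full copy.
        return {"status": "NOERROR", "kind": "AXFR", "serial": self.serial, "records": set(self.records)}


@dataclass
class SecondaryZone:
    ip: str
    serial: Optional[int] = None                  # None until the first successful transfer
    records: Set[Record] = field(default_factory=set)

    def refresh(self, primary: PrimaryZone) -> str:
        """Poll the primary (every 15 minutes by default, or at once on NOTIFY) and apply the reply."""
        reply = primary.transfer(self.ip, self.serial)
        if reply["status"] != "NOERROR":
            return reply["status"]
        if reply["kind"] == "AXFR":
            self.records = reply["records"]
        elif reply["kind"] == "IXFR":
            for _, added, removed in reply["deltas"]:
                self.records = (self.records - removed) | added
        self.serial = reply["serial"]
        return reply["kind"]


def on_notify(primary: PrimaryZone, secondaries: List[SecondaryZone]) -> List[str]:
    """Deliver a NOTIFY: only listed secondaries react, each by refreshing immediately."""
    return [s.refresh(primary) for s in secondaries if s.ip in primary.notify_list]
```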


What Is Time Stamping, Aging, and Scavenging?

Key Points
DNS dynamic update provides many advantages for automatically adding records to the DNS database.
However, records are not always removed automatically when devices leave the network. For example,
if a device registers its own host (A) record and then is improperly disconnected from the network, a
stale resource record may remain in the DNS database.

Having a large number of stale resource records can lead to many problems such as out-of-date resource
records that cause clients to experience name resolution issues and unnecessarily long zone transfers.

The DNS Server service addresses this problem by using the following features:
Time Stamping. Any resource record that is dynamically added to a primary zone contains a time
stamp that is based upon the current date and time of the DNS server. This time stamp is used to
assist in the aging and scavenging process.

Note: If you manually add a resource record, a time stamp of 0 is used. This indicates that the record is
not affected by the aging or the scavenging process.

Aging. You can configure a specified refresh time period for the entire DNS server or for specific
zones stored on the server. This refresh period is used to determine when scavenging can take place.
Scavenging. Any records that are beyond the specified refresh period can be automatically removed
by the scavenging process. You can configure scavenging to take place automatically, or you can
manually initiate scavenging.

Configuring Aging and Scavenging


By default, aging and scavenging are disabled. You can enable scavenging of stale resource records at the
server level or the zone level by using the following process:

1. In the DNS Manager console, open the DNS server properties dialog box.


2. On the Advanced tab, select the Enable automatic scavenging of stale records check box and
configure an appropriate scavenging period. The default is 7 days.

3. If you want to configure aging settings for all zones on the server, right-click the DNS server and click
Set Aging/Scavenging for All Zones. You can configure server-based settings in the Zone
Aging/Scavenging Properties dialog box.

4. If you want to configure aging settings for a specific zone, right-click the zone and click Properties.
On the General tab, click the Aging button. You can configure zone-based settings in the Zone
Aging/Scavenging Properties dialog box.
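The following is an added example, not code from the course or from the DNS Server service: it models the time stamping, aging and scavenging rules described above so you can see which records a scavenging pass would remove for a given set of intervals. The no-refresh and refresh intervals and the 10-day scavenging period are the values used in the lab that follows; the class names, the sample contoso.com zone, the clock and the record ages are constructed for the illustration.

```python
# Added example (not course code): which records a scavenging pass removes and why.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AgingSettings:
    """Zone aging settings (DNS Manager: zone Properties > General > Aging)."""
    no_refresh: timedelta   # after the time stamp, refreshes are suppressed for this long
    refresh: timedelta      # then the owner may refresh the time stamp for this long


@dataclass
class ResourceRecord:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]   # None models the time stamp of 0 on manually added records


def is_static(record: ResourceRecord) -> bool:
    """Manually added records carry time stamp 0 and are never aged or scavenged."""
    return record.timestamp is None


def refresh_allowed(record: ResourceRecord, settings: AgingSettings, now: datetime) -> bool:
    """Whether a dynamic update at 'now' would rewrite the record's time stamp.

    Inside the no-refresh interval the update is accepted but the stamp is left alone,
    which keeps routine re-registrations from forcing constant zone replication."""
    if is_static(record):
        return False
    return now >= record.timestamp + settings.no_refresh


def is_stale(record: ResourceRecord, settings: AgingSettings, now: datetime) -> bool:
    """Eligible for scavenging once the stamp is older than no-refresh + refresh."""
    if is_static(record):
        return False
    return now > record.timestamp + settings.no_refresh + settings.refresh


def apply_dynamic_update(record: ResourceRecord, settings: AgingSettings, now: datetime) -> bool:
    """The client re-registers the same record; returns True if the time stamp moved."""
    if not refresh_allowed(record, settings, now):
        return False
    record.timestamp = now
    return True


def scavenge(zone: List[ResourceRecord], settings: AgingSettings,
             now: datetime) -> Tuple[List[ResourceRecord], List[ResourceRecord]]:
    """Return (kept, removed) as a scavenging pass at 'now' would leave the zone."""
    removed = [r for r in zone if is_stale(r, settings, now)]
    kept = [r for r in zone if not is_stale(r, settings, now)]
    return kept, removed


# Values from the lab: 7-day no-refresh and refresh intervals, scavenging every 10 days.
LAB_SETTINGS = AgingSettings(no_refresh=timedelta(days=7), refresh=timedelta(days=7))
SCAVENGING_PERIOD = timedelta(days=10)

# Constructed sample zone for contoso.com; the clock and the record ages are illustrative.
NOW = datetime(2011, 9, 7, 21, 58)
SAMPLE_ZONE = [
    ResourceRecord("nyc-svr1", "A", "10.10.0.11", NOW - timedelta(days=3)),   # fresh, inside no-refresh
    ResourceRecord("printer2", "A", "10.10.0.90", NOW - timedelta(days=14)),  # at the limit, not yet stale
    ResourceRecord("laptop07", "A", "10.10.0.57", NOW - timedelta(days=20)),  # stale: host left, record stayed
    ResourceRecord("www", "CNAME", "nyc-svr1.contoso.com.", None),            # static: never scavenged
]


def next_scavenging_pass(last_pass: datetime, period: timedelta = SCAVENGING_PERIOD) -> datetime:
    """A stale record survives until the server's next automatic scavenging pass."""
    return last_pass + period


def demo() -> Tuple[List[str], List[str]]:
    kept, removed = scavenge(SAMPLE_ZONE, LAB_SETTINGS, NOW)
    return [r.name for r in kept], [r.name for r in removed]


if __name__ == "__main__":
    print(demo())   # (['nyc-svr1', 'printer2', 'www'], ['laptop07'])
```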


Tools Used to Troubleshoot DNS

Key Points
DNS functionality may be affected by the following issues:
Network connectivity with other DNS servers. If your DNS server is configured to forward requests
to another DNS server, network connectivity must be maintained to the other DNS server. DNS root
hint queries also require appropriate network connectivity.
Missing records. If a record for a specific host is not registered in the DNS server, name resolution
will fail. This can be caused by incorrectly configured clients, or the records may have been scavenged
prematurely.
Incomplete records. If a record lacks the information needed to locate the resource it represents,
clients that request the resource receive invalid information. A service record that does not contain
a port number is an example of an incomplete record.
Incorrectly configured records. Records that point to an invalid IP address or have invalid
information in their configuration also cause problems when DNS clients try to locate resources.

Tools used to troubleshoot these and other configuration issues include:


IPconfig. Use this command to view and modify the IP configuration details that the computer uses.
The utility includes additional command-line options that you can use to troubleshoot and support DNS
clients. You can view the client's local DNS cache by using the ipconfig /displaydns command, and
you can clear the local cache by using ipconfig /flushdns.
Monitoring. The Monitoring tab on the Server Properties dialog box can be used to verify the server
configuration by performing a simple query against the DNS server or a recursive query to other DNS
servers.
Global Logs. The Global Logs node in the DNS Manager provides a list of DNS events that have
taken place on the server. This can be useful to determine scavenging or zone transfer details.
Nslookup. Use this to query DNS information. The tool is very flexible and can provide a lot of
valuable information about DNS server status. You also can use it to look up resource records and
validate their configuration. You also can test zone transfers, security options, and MX record
resolution.
Dnscmd. Use this command-line tool to manage the DNS server. This tool is useful in scripting batch
files to help automate routine DNS management tasks or to perform simple unattended setup and
configuration of new DNS servers on your network.
Dnslint. Use this tool to diagnose common DNS issues. This command-line utility diagnoses
configuration issues in DNS quickly and can generate a report in the HTML format regarding the
domain status you are testing.


Lab A: Installing and Configuring DNS Server Role

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:


User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are the DNS administrator for Contoso.com. You need to perform the following DNS tasks to help
provide a more effective DNS infrastructure:
Install the DNS server role on NYC-SVR1.
Configure zone transfers for the Contoso.com zone.
Create a secondary zone for Contoso.com to be hosted on NYC-SVR1.
Create a reverse lookup zone for 10.10.0.0.
Configure aging and scavenging for the Contoso.com zone.


Exercise 1: Installing and Configuring DNS Server Role and Zones


Scenario
To support the latest DNS requirements, you need to install and configure the DNS server role on NYC-
SVR1. After you have installed the DNS server role, you will create a secondary zone and a reverse lookup
zone for Contoso.com.

The main tasks for this exercise are as follows:

1. Install the DNS Server role on NYC-SVR1.

2. Allow zone transfers for Contoso.com.

3. Configure a secondary zone for Contoso.com.

4. Configure a reverse lookup zone.

Task 1: Install the DNS Server role on NYC-SVR1.


1. On NYC-SVR1, open Server Manager and install the DNS Server role.

Task 2: Allow Zone Transfers for Contoso.com.


1. On NYC-DC1, open the DNS Manager.

2. For the Contoso.com zone, configure the following:


Allow zone transfers: enabled
Only to the following servers: 10.10.0.11
Automatically notify: 10.10.0.11

Task 3: Configure a Secondary Zone for Contoso.com.


1. On NYC-SVR1, open DNS Manager.

2. Configure a new Forward Lookup zone with the following parameters:


Zone Type: Secondary zone
Zone Name: Contoso.com
Master DNS Servers: 10.10.0.10
3. Verify that all of the resource records are available in the secondary zone.

Task 4: Configure a Reverse Lookup Zone.


1. On NYC-DC1, configure a new Reverse Lookup zone with the following parameters:
Zone Type: Primary zone (store the zone in Active Directory)
Active Directory Zone Replication Scope: All DNS servers running on domain controllers in
the Contoso.com domain
Reverse Lookup zone name: IPv4
Network ID: 10.10.0
Dynamic Update: Allow only secure dynamic updates
2. Update the associated pointer record for NYC-SVR1.


Results: At the end of this exercise, you will have installed the DNS Server role and configured
secondary and reverse lookup zones.


Exercise 2: Configuring Resource Records, Aging, and Scavenging


Scenario
You have been provided additional requirements for the Contoso.com DNS zone. You need to create an
alias for NYC-SVR1 called www. You also need to enable aging and scavenging.

The main tasks for this exercise are as follows:

1. Add resource records for Contoso.com.

2. Configure aging and scavenging for Contoso.com.

Task 1: Add resource records for Contoso.com.


1. On NYC-DC1, use DNS Manager to add an alias for NYC-SVR1.Contoso.com called www.

Task 2: Configure aging and scavenging for Contoso.com.


1. On NYC-DC1, enable automatic scavenging of stale records to take place every 10 days.

2. Enable zone aging and scavenging for Contoso.com by using the default 7-day no-refresh and
refresh intervals.

Results: At the end of this exercise, you will have configured a resource record for Contoso.com and
enabled aging and scavenging.


Exercise 3: Verifying DNS Settings


Scenario
You need to verify that the DNS settings work as expected. You also need to produce a report on the DNS
settings to verify that DNS is configured correctly.

The main tasks for this exercise are as follows:


1. Verify that the secondary zone is functional.
2. Verify records by using Nslookup and DNSlint.

Task 1: Verify that the secondary zone is functional.


1. Switch to the NYC-SVR1 virtual machine.

2. In DNS Manager, refresh the Contoso.com zone and verify that www has been transferred
successfully from the authoritative server.

3. Open the Local Area Network Properties and modify the TCP/IPv4 settings to use 10.10.0.11 as the
preferred DNS Server.
4. Ping www.contoso.com and verify that the name is resolved.

5. Close all open windows.

Task 2: Verify records by using Nslookup and DNSlint


1. Switch to the NYC-DC1 virtual machine.
2. Use NSlookup to verify the SOA information.
3. Run DNSLint from C:\Tools\Dnslint and create a zone report. Hint: use the following command.

Dnslint /s 10.10.0.10 /d contoso.com

4. Read through the report results and then close all open windows.

Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.


Lesson 4
Overview of DHCP Server Role

DHCP is used to assign (or lease) IPv4 or IPv6 addresses and other network settings to computers
and devices that are enabled as DHCP clients. This lesson provides information on using DHCP and on
how DHCP is installed and configured to support IP allocation to network clients.

Objectives
After completing this lesson, you will be able to:
Describe new DHCP features for Windows Server 2008.
Describe DHCP Server Authorization.
Describe how DHCP lease generation works.
Describe how DHCP lease renewal works.
Add and authorize the DHCP Server role.


New DHCP Features in Windows Server 2008

Key Points
The DHCP protocol simplifies the configuration of IP clients in a network environment. Before DHCP was
used widely, each time you added a client to a network, you had to configure it with information about
the network on which you installed it, including the IP address, the network's subnet mask, and the
default gateway for access to other networks.
With the DHCP server role, you can ensure that all clients receive the same types of configuration
information, which eliminates human error during configuration. When key configuration
information changes in the network, you can update it on the DHCP server without having to change the
information directly on each computer.

The DHCP role on Microsoft Windows Server 2008 supports several new features:
Support for DHCPv6. Stateful and stateless configuration is supported for clients in an IPv6
environment. Stateful configuration occurs when the DHCPv6 server assigns the IP address to the
client, along with additional DHCP data. Stateless configuration occurs when the client's IPv6 address is
assigned automatically by an IPv6-capable router, without the need for a DHCP server.
Support for Network Access Protection (NAP). DHCP can be configured to integrate with NAP to
isolate unauthorized computers from the corporate network. NAP is part of a Windows Server 2008
based toolset that controls access to network resources to ensure that a client is compliant with
internal security policies. For example, a configured policy may require all network clients to have
Windows Firewall enabled and have a valid, up-to-date antivirus program installed.
Support for Windows Server 2008 Server Core. You can install DHCP as a role on a Windows
Server 2008 Server Core installation.

DHCP Improvements in Windows Server 2008 R2

Note: The content in this section applies only to Windows Server 2008 R2.


In addition to these enhancements, Windows Server 2008 R2 supports several additional features, which
are listed as follows:
Link-Layer Filtering. Link-layer filtering lets you allow or deny DHCP leases based upon the
media access control (MAC) address presented by the client. You can specify either a full MAC
address, or you can specify a MAC address pattern by using * as a wildcard. This feature is
currently available only for IPv4 networks.
DHCP Split-Scope Configuration Wizard. A DHCP split-scope configuration allows for increased
fault tolerance and redundancy by using two DHCP servers. The Split-scope Wizard provides an
automated method for configuring the scope properties and minimizes errors that are common
during a manual configuration. The split-scope configuration places part of the DHCP scope on a
secondary server with a time delay, which is configured in scope properties. The time delay on the
secondary server ensures that it will only respond to DHCP clients if the primary DHCP server
becomes unavailable. The secondary DHCP server distributes IP addresses until the primary server is
available again to service clients. This feature is only used for IPv4-based scopes.
DHCP Name Protection. Name protection prevents non-Windows-based computers from directly
registering a name and IP address in DNS. When you enable name protection in DHCP, the DHCP
server registers the A and PTR records into DNS on behalf of the client. If a client already exists with
the same registered name, the update fails. Name protection can be configured for both IPv4 and
IPv6 at the server or scope level and will only work for DNS zones that are configured to support
Secure Dynamic Updates.
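The following is an added example, not code from the course or from the DHCP Server service: it models the link-layer filtering decision described above, normalizing the MAC address a client presents in its DHCPDISCOVER and matching it against allow and deny entries that may use * as a wildcard. The precedence of an enabled deny list over the allow list is an assumption of this model, as are the class names, the sample policy and the sample client addresses.

```python
# Added example (not course code): DHCP link-layer (MAC) allow/deny filtering decision.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-15-5D-01-02-03, 00:15:5d:01:02:03 or 00155d010203; return 12 lowercase hex digits."""
    cleaned = mac.strip().lower().replace("-", "").replace(":", "")
    if not _HEX12.match(cleaned):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return cleaned


def compile_filter_entry(entry: str) -> "re.Pattern":
    """A filter entry is a full MAC or a pattern that uses * as a wildcard, as the text describes."""
    cleaned = entry.strip().lower().replace("-", "").replace(":", "")
    if not re.fullmatch(r"[0-9a-f*]+", cleaned):
        raise ValueError(f"invalid filter entry: {entry!r}")
    # re.escape turns '*' into '\*'; swap that for 'any run of hex digits'.
    return re.compile("^" + re.escape(cleaned).replace(r"\*", "[0-9a-f]*") + "$")


@dataclass
class LinkLayerFilter:
    """Server-level allow and deny lists. Both can be enabled independently; this model
    assumes that a match on an enabled deny list wins over the allow list."""
    allow_enabled: bool = False
    deny_enabled: bool = False
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def _matches(self, mac: str, entries: List[str]) -> bool:
        return any(compile_filter_entry(e).match(mac) for e in entries)

    def decide(self, client_mac: str) -> Tuple[bool, str]:
        """Return (lease_permitted, reason) for a DHCPDISCOVER from client_mac."""
        mac = normalize_mac(client_mac)
        if self.deny_enabled and self._matches(mac, self.deny):
            return False, "deny list"
        if self.allow_enabled:
            if self._matches(mac, self.allow):
                return True, "allow list"
            return False, "not on allow list"
        return True, "no filter applies"


# Constructed policy: only adapters matching 00-15-5D-* may lease, and one of them is blocked.
# A MAC address is trivially changed by the client, so this is hygiene, not authentication;
# the course's NAP integration is the control that checks the client itself.
POLICY = LinkLayerFilter(allow_enabled=True, deny_enabled=True,
                         allow=["00-15-5D-*"], deny=["00-15-5D-01-02-03"])

# Constructed DHCPDISCOVER sources as the server would see them.
DISCOVERS = ["00:15:5d:01:02:03", "00-15-5D-AA-BB-CC", "08-00-27-11-22-33"]


def triage(policy: LinkLayerFilter, macs: List[str]) -> List[Tuple[str, bool, str]]:
    """Apply the filter to each requester; a denied client simply receives no DHCPOFFER."""
    return [(m, *policy.decide(m)) for m in macs]
```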


DHCP Server Authorization

Key Points
The DHCP Server role in Windows Server 2008 must be authorized in Active Directory before it begins
leasing IP addresses. It is possible to have a single DHCP server providing IP addresses for subnets that
contain multiple Active Directory domains. Therefore, an Enterprise Administrator account must authorize
the DHCP server.

A DHCP server that is part of the Active Directory domain queries Active Directory for a list of authorized
DHCP servers. If its own IP address is on the list, the DHCP services start, and the server begins to service
DHCP requests. If its IP address is not on the list, the DHCP service does not start and does not service
DHCP requests until it has been authorized.

Stand-Alone DHCP Server Considerations


A stand-alone DHCP server is a computer running Windows Server 2008 that is not part of an Active
Directory domain, and that has the DHCP Server role installed and configured on it. If the stand-alone
DHCP server detects an authorized DHCP server in the domain, it will not lease IP addresses and will shut
down automatically.

Rogue DHCP Servers


Many network devices and network operating systems have DHCP server services that might be enabled
unintentionally. These DHCP services do not check for authorization in Active Directory and will
be active on the network. In this case, clients may obtain incorrect configuration data.
To eliminate an unauthorized DHCP server, you must locate it and stop it from communicating on the
network, either by physically disconnecting it or by disabling the DHCP service on the device on which
it is running.


How DHCP Lease Generation Works

Key Points
The DHCP protocol lease-generation process includes four steps that enable a client to obtain an IP
address:

1. The DHCP client broadcasts a DHCPDISCOVER packet. This message is broadcast to each computer in
the subnet. The only computers that respond are those that hold the DHCP server role or that are
running a DHCP relay agent. In the latter case, the agent forwards the message to the DHCP server
with which it is configured.

2. Any DHCP Server in the subnet will respond by broadcasting a DHCPOFFER packet. This packet
provides the client with a potential address.
3. The client receives the DHCPOFFER packet. It may receive packets from multiple servers. If the client
receives offers from more than one server, it usually chooses the server that made the fastest
response to its DHCPDISCOVER. This typically is the DHCP server closest to the client. The client then
broadcasts a DHCPREQUEST. The DHCPREQUEST contains a server identifier. This informs the DHCP
servers that the client has chosen to accept the DHCPOFFER.

4. DHCP servers receive the DHCPREQUEST. The servers whose offers the DHCPREQUEST message does not
accept use the message as notification that the client has declined their offer. The chosen
server stores the client's IP address information in the DHCP database and responds with a DHCPACK
message. If for some reason the DHCP server cannot provide the address that was offered in the
initial DHCPOFFER, the DHCP server sends a DHCPNAK message.

Managing Windows Server 2008 Infrastructure Roles 2-51

How DHCP Lease Renewal Works

Key Points
When the DHCP lease has reached 50 percent of the lease time, the client attempts to renew the lease.
This is an automatic process that occurs in the background. Computers may keep the same IP address for
a long period of time if they operate continually on a network without being shut down.

To renew the IP address lease, the client sends a unicast DHCPREQUEST message to the original DHCP
server that provided the lease. The server that originally leased the IP address sends a DHCPACK message
back to the client that contains any parameters that have changed since the original lease was
created.

If the client fails to renew its lease, it continues to use its previously assigned lease until
87.5 percent of the lease duration has expired. At this point, the client attempts to contact any available
DHCP server by broadcasting DHCPREQUEST messages and, if the lease still cannot be renewed, starts a
new lease-generation process.
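The renewal timers above as an added example (not course code): Lease carries the 50 percent and 87.5 percent points, client_action() says whether the client unicasts to its original server, broadcasts to any server, or starts over with DHCPDISCOVER, and renewal_timeline() walks a lease through those points with the original server reachable or not. The addresses and the 5-day lease are sample values taken from the lab scenario.

```python
"""DHCP client lease timers, as an added example (not course code).

Models the renewal points the lesson describes: at 50 percent of the lease (T1)
the client unicasts DHCPREQUEST to the server that granted the lease; at 87.5
percent (T2) it broadcasts DHCPREQUEST to any server; once the lease expires it
must start lease generation again with DHCPDISCOVER. Times are seconds.
"""
from dataclasses import dataclass


@dataclass
class Lease:
    address: str
    server: str          # server identifier the client received in DHCPACK
    start: float         # when the current lease (or the last renewal) began
    duration: float      # lease time in seconds; the lab's 5 days is 432000

    @property
    def t1(self):        # renewal point: 50 percent of the lease
        return self.start + self.duration * 0.5

    @property
    def t2(self):        # rebinding point: 87.5 percent of the lease
        return self.start + self.duration * 0.875

    @property
    def expiry(self):
        return self.start + self.duration


def client_action(lease, now):
    """What the client does at time `now`: (state, message, destination)."""
    if now >= lease.expiry:
        return ("INIT", "DHCPDISCOVER", "broadcast")      # lease lost: start over
    if now >= lease.t2:
        return ("REBINDING", "DHCPREQUEST", "broadcast")  # any server may answer
    if now >= lease.t1:
        return ("RENEWING", "DHCPREQUEST", lease.server)  # unicast to original server
    return ("BOUND", None, None)


def renewal_timeline(lease, reachable, probe_times):
    """Walk the client through `probe_times`; `reachable` maps server IP to True/False.

    A DHCPACK (from any reachable server when broadcasting, only from the original
    server when unicasting) restarts the timers from `now`. Returns the events."""
    events = []
    for now in probe_times:
        state, msg, dest = client_action(lease, now)
        events.append((now, state, msg, dest))
        if msg != "DHCPREQUEST":
            continue
        answered = any(reachable.values()) if dest == "broadcast" else reachable.get(dest, False)
        if answered:
            lease.start = now                              # ACK received: timers restart
    return events
```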


Demonstration: Adding and Authorizing the DHCP Server Role

Key Points
In this demonstration, you will see how to:
Install the DHCP server role.
Verify that the DHCP server is authorized.

Demonstration Steps:
1. Open Server Manager and install the DHCP server role.

2. After the server role is installed, open the DHCP console, right-click DHCP, and then verify that the
server is listed as an authorized DHCP server.


Lesson 5
Configuring DHCP Scopes and Options

To effectively manage the DHCP server role, you need to understand scopes and options. This lesson
provides information on how to configure a scope, and the various types of options that can be
configured to support the scope. Finally, the lesson will introduce common issues that you may face and
how to address those issues.

Objectives
After completing this lesson, you will be able to:
Describe DHCP scope.
Configure a DHCP scope.
Describe DHCP options.
Describe DHCP class-level options.
Describe DHCP reservations.
Configure a DHCP option and a reservation.
Describe how DHCP options are applied.
Describe common DHCP troubleshooting issues.


What Are DHCP Scopes?

Key Points
A DHCP scope is a group of IP addresses on a subnet that are available for lease to network clients.

Each scope contains the following:

A scope name.
A range of IP addresses to include and exclude.
For IPv4 scopes: a subnet mask to determine the subnet for addresses.
For IPv6 scopes: a prefix and preference.
Lease duration values.
Reservations used to ensure that a DHCP client is always assigned the same IP address.
DHCP scope options such as the IP address of the DNS server and the IP address of the router.

To create a DHCP scope, you need to be a member of the Administrators group or the DHCP
Administrators group on the server.

What Are Superscopes and Multicast Scopes?

A superscope is a collection of scopes that are grouped together into a single administrative unit. This
allows clients to receive an IP address from multiple logical subnets, even when they are on the same
physical subnet.
A superscope is useful in several situations. For example, if a scope has been depleted of addresses, and
you cannot add additional addresses from the subnet, you can add a new scope to the DHCP server. This
scope leases addresses to clients in the same physical network, but clients will be in a separate network
logically. This is known as multinetting. You need to configure routers to recognize the new subnet to
ensure local communication on the physical network.


A superscope is also useful when there is a need to move clients gradually into a new IP-numbering
scheme. By having both numbering schemes coexist for the original lease's duration, you can move clients
into the new subnet transparently. When you have renewed all client leases in the new subnet, you can
retire the old one.

Multicast scopes
A multicast scope is a collection of IPv4 multicast addresses from the class D IP address range of 224.0.0.0
through 239.255.255.255. These addresses are used when applications need to efficiently communicate
with numerous clients simultaneously. A multicast scope is also known as a Multicast Address Client
Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes need to
support the MADCAP application programming interface (API).


Demonstration: Configuring a DHCPv4 Scope

Key Points
In this demonstration, you will see how to:
Create and activate a DHCP scope.

Demonstration Steps:
1. Open the DHCP console.

2. Right-click the IPv4 node and use the New Scope Wizard to create a new scope. Provide the Name,
IP Address Range, Exclusions, and Options.


What Are DHCP Options?

Key Points
A DHCP server typically provides more than just an IP address to a client. DHCP also provides information
about network resources such as the IP address of DNS servers and the router. You can apply DHCP
options at the following levels:
Server Options. Options configured at the server level affect all scopes hosted on the server.
Scope Options. Options configured at the scope level affect only the scope for which they are
configured.
An option code identifies each DHCP option, and most option codes come from the RFC documentation
found on the IETF website.

The following table provides a list of sample IPv4 option codes:

Option Code   Option Name
003           Router
006           DNS servers
015           DNS domain name
023           Default IP Time-to-live
031           Perform router discovery
033           Static route option
043           Vendor-specific information
044           WINS/NBNS servers
046           WINS/NetBT node type
047           NetBIOS scope ID


What Are DHCP Class-Level Options?

Key Points
You may have a group of computers or users that require different configuration options from the rest of
the standard scope. For example, computers that access the network by using a VPN may need different
router settings from users who access the network from an internal location.

Option classes provide the ability to receive configuration options based on the following:
User class. You can specify user-class options when you want to set options for a certain class of
users, such as users who connect by using Routing and Remote Access or users who are affected by
NAP. You can also configure your own user-class category by using the ipconfig /setclassid
command on each client computer. For example, you may want to provide only laptop computers
with a specific option setting.
Vendor class. The DHCP server role supports the ability to distribute options based on the vendor
class. An example of using DHCP with a vendor class is disabling NetBIOS over TCP/IP for clients that
report a vendor class matching Windows 2000 or Windows XP. Another example is configuring
specific options for a certain computer brand.


What Is a DHCP Reservation?

Key Points
A DHCP reservation occurs when an IPv4 address within a scope is set aside for use with a specific DHCP
client.

It is often desirable to provide servers and printers with a reserved IP address. This ensures that IP
addresses in a predefined scope will not be assigned inadvertently to another device and cause an IP
address conflict. This also ensures that devices with reservations are guaranteed to have an IP address if a
scope is depleted of addresses. Configuring a reservation enables you to centralize the management of IP
addresses without resorting to manually configuring a static IP address.

Configuring a DHCP Reservation

You can configure custom DHCP options for reservations. These settings override all other DHCP
options that you configure at higher levels.

To configure an IPv4 DHCP reservation, you must know the device's MAC (physical) address. This address
indicates to the DHCP server which device should receive the reservation. You can find a network
interface's MAC address by using the ipconfig /all command.

MAC addresses for network printers and other network devices are printed on the device itself. Some
laptop computers may also note this information on the lower part of their chassis.


Demonstration: Configuring DHCP Options and Reservations

Key Points
In this demonstration, you will see how to:
Configure a DHCP scope option.
Configure a DHCP user class option.
Enable the scope and configure the client computer's user class.
Configure a DHCP reservation.

Demonstration Steps:
1. Open the DHCP console.

2. Expand the scope, and then click the Scope Options node.

3. Right-click the Scope Options node and click Configure Options.

4. Configure options as needed.

5. Under the scope, click Reservations.

6. Right-click Reservations, and click New Reservation.

7. Create a new reservation by providing the IP address and MAC address for the client.

8. Configure reservation-specific options for the client.


How DHCP Options Are Applied

Key Points
If you have configured DHCP options at multiple levels (server, scope, class, and reservation levels), DHCP
applies options to client computers in the following order:

1. Server level

2. Scope level

3. Class level

4. Reserved-client level

For example, if you configure a specific router setting at the Server level, and a router setting is configured
at the Class level, the Class level will override the original setting. Also note that any options configured
for reserved clients will always take precedence over the other levels.

You need to understand these options when you are troubleshooting DHCP.
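The precedence above, together with the reservation-specific options described under "What Is a DHCP Reservation?", as an added example (not course code): DhcpConfig.effective_options() merges the four levels in the stated order and explain() reports which level supplied each option, which is the question to answer when troubleshooting. The addresses, domain name and reservation MAC are the lab's Contoso values; the "vpn" user class and the second reservation are constructed.

```python
"""Effective DHCP options for a client, as an added example (not course code).

Implements the precedence the lesson states: server-level options first, then scope,
then class, then reserved-client options, each level overriding the one before it.
Option codes follow the lesson's table (003 Router, 006 DNS servers, 015 DNS domain
name, 046 WINS/NetBT node type); the addresses are the lab's Contoso values, the
"vpn" user class and the second MAC address are constructed.
"""
from ipaddress import ip_network

ROUTER, DNS_SERVERS, DOMAIN_NAME, NETBT_NODE_TYPE = 3, 6, 15, 46


class DhcpConfig:
    """Server options plus per-scope options, class options and reservations."""

    def __init__(self, server_options):
        self.server_options = dict(server_options)
        self.scopes = {}

    def add_scope(self, network, options=None):
        self.scopes[ip_network(network)] = {"options": dict(options or {}),
                                            "classes": {}, "reservations": {}}
        return self

    def add_class_options(self, network, class_name, options):
        self.scopes[ip_network(network)]["classes"][class_name] = dict(options)
        return self

    def add_reservation(self, network, mac, address, options=None):
        """Reserve `address` for the client with this MAC; MACs compare case-insensitively."""
        self.scopes[ip_network(network)]["reservations"][mac.upper()] = (address, dict(options or {}))
        return self

    def reserved_address(self, network, mac):
        entry = self.scopes[ip_network(network)]["reservations"].get(mac.upper())
        return entry[0] if entry else None

    def layers(self, network, mac, user_class=None):
        """The four option levels, least to most specific, as (name, options) pairs."""
        scope = self.scopes[ip_network(network)]
        reservation = scope["reservations"].get(mac.upper(), (None, {}))
        return [("server", self.server_options),
                ("scope", scope["options"]),
                ("class", scope["classes"].get(user_class, {})),
                ("reservation", reservation[1])]

    def effective_options(self, network, mac, user_class=None):
        """Merge the levels in order so the most specific value wins."""
        merged = {}
        for _, opts in self.layers(network, mac, user_class):
            merged.update(opts)
        return merged

    def explain(self, network, mac, user_class=None):
        """Which level supplied each effective option: the first thing to check when troubleshooting."""
        source = {}
        for name, opts in self.layers(network, mac, user_class):
            for code in opts:
                source[code] = name
        return source
```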


Common DHCP Issues

Key Points
The following table describes and provides examples of common DHCP issues:

Issue: DHCP service does not start
Description: You install DHCP and configure a scope, but the service will not start.
Possible cause: The DHCP server is not in the list of authorized DHCP servers.

Issue: Address conflicts
Description: The same IP address is offered to two different clients.
Possible cause: An administrator deletes a lease. However, the client that had the lease still believes
the lease is valid. If the DHCP server does not verify the IP address, it may release the IP address to
another machine, causing an address conflict. This can also occur if two DHCP servers have overlapping
scopes.

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead receives an APIPA self-assigned
address.
Possible cause: If a client's network adapter is configured incorrectly, it may cause a failure to obtain a
DHCP address.

Issue: Address obtained from incorrect scope
Description: The client is obtaining an IP address from the wrong scope, causing it to experience
communications problems.
Possible cause: This often occurs because the client is connected to the wrong network.

Issue: DHCP database suffers data corruption or loss
Description: The DHCP database becomes unreadable or is lost due to a hardware failure.
Possible cause: A hardware failure can cause the database to become corrupted.

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's IP scopes have been depleted. Any new client requesting an IP address will
be refused.
Possible cause: All IPs assigned to a scope are leased.
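Two checks for issues in the table above, as an added example (not course code): overlapping_scopes() finds address ranges that two servers can both lease (a split scope is fine as long as the two servers' exclusions are complementary, so exclusions are honoured), and exhaustion_report() flags scopes whose pool is depleted or nearly so. INVENTORY is constructed sample data; NYC-DC1 is the lab's server, NYC-SVR2 and NYC-SVR3 are invented names.

```python
"""Checks for two issues from the common-issues table, as an added example (not course code):
scopes on different DHCP servers whose leasable ranges overlap (a cause of address
conflicts) and scopes whose pool is depleted or nearly so. A split scope is fine as
long as the two servers' exclusions leave no address leasable by both, so exclusions
are honoured. The INVENTORY values are constructed sample data.
"""
from ipaddress import ip_address
from itertools import combinations

# Constructed inventory: NYC-DC1 and NYC-SVR2 split one range via exclusions,
# NYC-SVR3 carries a scope that was added without coordinating with either.
INVENTORY = [
    {"server": "NYC-DC1", "name": "ContosoScope1", "start": "10.10.0.50", "end": "10.10.0.100",
     "exclusions": [("10.10.0.91", "10.10.0.100")], "leases": 41},
    {"server": "NYC-SVR2", "name": "ContosoScope1", "start": "10.10.0.50", "end": "10.10.0.100",
     "exclusions": [("10.10.0.50", "10.10.0.90")], "leases": 3},
    {"server": "NYC-SVR3", "name": "Scope2", "start": "10.10.0.90", "end": "10.10.0.120",
     "exclusions": [], "leases": 0},
]


def leasable_intervals(scope):
    """Integer [lo, hi] intervals the scope can lease: start..end minus each exclusion."""
    intervals = [(int(ip_address(scope["start"])), int(ip_address(scope["end"])))]
    for x0, x1 in scope["exclusions"]:
        xlo, xhi = int(ip_address(x0)), int(ip_address(x1))
        cut = []
        for lo, hi in intervals:
            if xhi < lo or xlo > hi:          # exclusion does not touch this piece
                cut.append((lo, hi))
                continue
            if lo < xlo:
                cut.append((lo, xlo - 1))
            if xhi < hi:
                cut.append((xhi + 1, hi))
        intervals = cut
    return intervals


def pool_size(scope):
    """Number of addresses the scope can actually lease."""
    return sum(hi - lo + 1 for lo, hi in leasable_intervals(scope))


def overlapping_scopes(inventory):
    """(server A, server B, first, last) for every address range both servers can lease."""
    hits = []
    for a, b in combinations(inventory, 2):
        if a["server"] == b["server"]:
            continue
        for alo, ahi in leasable_intervals(a):
            for blo, bhi in leasable_intervals(b):
                lo, hi = max(alo, blo), min(ahi, bhi)
                if lo <= hi:
                    hits.append((a["server"], b["server"], str(ip_address(lo)), str(ip_address(hi))))
    return hits


def exhaustion_report(inventory, warn_at=0.9):
    """Scopes at or above `warn_at` utilisation; a depleted pool refuses new clients."""
    report = []
    for s in inventory:
        size = pool_size(s)
        used = s["leases"] / size if size else 1.0
        if used >= warn_at:
            report.append((s["server"], s["name"], round(used, 3),
                           "depleted" if s["leases"] >= size else "near depletion"))
    return report
```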


Lab B: Installing and Configuring DHCP Server Role

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:
    User name: Administrator
    Password: Pa$$w0rd
    Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are the network administrator at Contoso, Ltd. You have just deployed a new subnet and have
decided to configure the DHCP service to provide IP addresses and configuration options. You need to
address the following requirements:
Install the DHCP server role on NYC-DC1.
Configure an IPv4-based scope for the IP range 10.10.0.50/16 to 10.10.0.100/16.
Lease duration for clients needs to be 5 days.
Scope options need to include:
    DNS Domain Name: Contoso.com
    DNS Servers: 10.10.0.10
    Router: 10.10.0.1
A reservation needs to be configured for NYC-SVR1 to automatically assign 10.10.0.55 with the
default scope options.


Exercise 1: Installing and Authorizing the DHCP Server Role

Scenario
You need to install the DHCP server role on NYC-DC1.

The main tasks for this exercise are as follows:

1. Install the DHCP server role on NYC-DC1.

2. Verify DHCP authorization.

Task 1: Install the DHCP Server role on NYC-DC1.

1. On NYC-DC1, open Server Manager and install the DHCP Server role.

Task 2: Verify DHCP Authorization.

1. On NYC-DC1, in the DHCP console, open the Manage authorized servers dialog box and verify that
nyc-dc1.contoso.com is an authorized DHCP server.

Results: At the end of this exercise, you will have installed the DHCP Server role and verified DHCP
authorization.


Exercise 2: Configuring DHCP Scopes, Options, and Reservations


Scenario
Now that you have installed the DHCP server role, you need to configure a valid DHCP scope. You also
need to configure the options as outlined in the requirements list. Finally, you need to configure the
reservation setting for NYC-SVR1.

The main tasks for this exercise are as follows:

1. Configure a DHCP scope.

2. Configure scope options.

3. Configure a DHCP reservation.

Task 1: Configure a DHCP Scope.

1. On NYC-DC1, in the DHCP console, use the New Scope Wizard to configure a scope with the
following settings:
    Scope Name: ContosoScope1
    Start IP Address: 10.10.0.50
    End IP Address: 10.10.0.100
    Length: 16
    Lease Duration: 5 days
    DHCP Options: Domain Name and DNS Servers set at default
    Activate Scope: Yes

Task 2: Configure Scope Options.

1. On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options.

2. Add a new scope option for 003 Router with an IP address of 10.10.0.1.

Task 3: Configure a DHCP Reservation.

1. On NYC-SVR1, open a command prompt and use ipconfig /all to determine the physical MAC address
for the server. Write down the MAC address here:
On NYC-SVR1, open the Local Area Properties dialog box and configure the network adapter to
obtain both the IP address and DNS server automatically.

2. On NYC-DC1, configure a DHCP reservation with the following settings:
    Reservation name: NYC-SVR1
    IP address: 10.10.0.55
    MAC Address: [Enter the value recorded in step 1. For example: 00-15-5D-01-71-71]

3. Switch back to NYC-SVR1 and use the ipconfig command to release and then renew the IP address
configuration.

4. Verify that NYC-SVR1 receives an IP address of 10.10.0.55 with valid scope options.

Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a DHCP
reservation.


To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1.


Module Review and Takeaways

Review Questions
1. What are the different types of unicast IPv6 addresses?

2. What kind of IP address does an IPv6 client automatically assign itself?

3. What are the different tunneling technologies in IPv6?

4. You are presenting to a potential client the advantages of using Windows Server 2008. What are the
new features that you would point out when discussing the Windows Server 2008 DNS server role?

5. What are the differences between recursive and iterative queries?

6. What must you configure before a DNS zone can be transferred to a secondary DNS server?

7. What are the four DHCP message broadcasts that are used when a successful address lease occurs?

8. At what point in a DHCP lease does the client usually renew the lease automatically?

9. Why would you use a superscope?

Windows Server 2008 R2 Features Introduced in this Module

IP-HTTPS: Tunnels IPv6 packets inside an IPv4-based secure HTTPS session.
Teredo Server and Relay: Teredo server functionality for IPv6 communication over the Internet.
Group Policy settings for IPv6 Transition Technologies: New Group Policy settings that can be used to
assist in IPv6 transition.
DNS Security Extensions (DNSSEC): Provides the ability for a DNS zone and all the records in the zone to
be cryptographically signed.
DNS Devolution: Automatically set to the number of labels in the forest root domain.
DNS Cache Locking: When enabled, the DNS server will not allow cached records to be overwritten for the
duration of the TTL value.
DNS Socket Pool: Uses a random port number for issuing queries.
Link-Layer Filtering: Allows you to specifically allow or deny DHCP leases based on the MAC address
presented by the client.
DHCP Split-Scope Configuration Wizard: The split-scope wizard provides an automated method for
configuring a split-scope configuration.
DHCP Name Protection: Prevents non-Windows-based computers from directly registering a name and an
IP address in DNS.

Tools

Tool: Server Manager
Use for: Managing a Windows Server 2008 server
Where to find it: Start Menu

Tool: DHCP console
Use for: Managing DHCP
Where to find it: Administrative Tools

Tool: DNS Manager
Use for: Managing a DNS server
Where to find it: Administrative Tools

Tool: DNSLint
Use for: Generating DNS configuration reports
Where to find it: http://download.microsoft.com/download/2/7/2/27252452-e530-4455-846a-dd68fc020e16/dnslint.v204.exe

Configuring Access to File Services 3-1

Module 3
Configuring Access to File Services
Contents:
Lesson 1: Overview of Access Control 3-3
Lesson 2: Managing NTFS File and Folder Permissions 3-13
Lesson 3: Managing Permissions for Shared Resources 3-23
Lesson 4: Determining Effective Permissions 3-36
Lab: Managing Access to File Services 3-43


Module Overview

File services is one of the core pieces of functionality in a Microsoft Windows Server 2008 network
environment. The files stored on your servers contain information that spans the entire scope of your
organization. This information may be available on a single server, or it may be shared on the network for
multiple users to access. This information must be safeguarded and protected from unauthorized use, as
well as made available to authorized users.

This module will not only introduce you to the concepts and terminology involved in file services, but also
provide guidance in the practical management of a file services infrastructure within the Windows Server
2008 environment.

Objectives
After completing this module, you will be able to:
Describe the concept of access control for file services.
Manage New Technology File System (NTFS) file and folder permissions.
Manage permissions for shared resources.
Determine effective permissions.


Lesson 1
Overview of Access Control

To manage access to resources, you must understand how the Windows Server 2008 operating system
uses a number of different objects and methods to control access to resources. You need to evaluate
certain aspects of the operating system environment to ensure that the level of access for any given
scenario is clearly defined.

This lesson helps you understand what these objects, methods, and operating system variables are and
how they work together to provide a secure and reliable access control mechanism for the Windows
Server environment.

Objectives
After completing this lesson, you will be able to:
Describe the concept of security principals and security identifiers.
Describe access tokens.
Describe how permissions control access to resources.
Describe how access control works.
Describe access-based enumeration.


What Are Security Principals?

Key Points
In basic terms, a security principal defines who you are within the Windows Server environment.
Specifically, a security principal is represented by a user, group, or computer object that you can use for
authentication and assigning access to resources, such as files or folders, on an NTFS volume or objects
within an Active Directory domain.

In Windows Server 2008, a security principal is stored and managed in one of the following two locations:
Local Security Accounts Manager database
Each Windows Server 2008 computer maintains its own, local security database called the Security
Accounts Manager (SAM). You can use the security principals located in a computer's local SAM to
manage access to resources on that specific computer.
Active Directory Domain Services database
When a Windows Server 2008 computer is joined to an Active Directory Domain, security principals
for users and groups using that computer are commonly stored in the Active Directory Domain
Services (AD DS) database, which functions as the primary container for storing objects within the
domain, like security principals. The AD DS database is typically replicated between multiple servers in
the domain, and is queried whenever information regarding a domain security principal or resource is
needed.
A security principal created and stored in the Active Directory can be used to manage access to
resources on any computer that belongs to the domain.

Note: The AD DS database is used for much more than storing security principal and resource
information. You will learn more about Active Directory and its various components later in this
course.


Security Identifier
Each security principal created, whether stored in the local SAM or the Active Directory, is issued a security
identifier (SID).

A security principal's SID is issued when the security principal is created. A SID is represented by an
alphanumeric value that uniquely identifies the security principal within the Windows environment,
whether in a local SAM database or within Active Directory.

When displayed in text, each SID begins with the letter S followed by its various numeric components,
separated by hyphens.

S-1-5-21-1673587447-2629168963-360789496-1000

The SID above references a user account in a Windows Server 2008 domain. Like all SIDs, it starts
with the letter S. The second value, 1, is the SID's revision number. The number 5
represents the SID authority value; in this case, the Windows security authority. The next four numbered
groupings are the sub-authority values, which are what makes this particular SID unique. For a
computer not joined to a domain, they identify the computer itself as a security principal. In a domain
environment, they identify both the domain itself and the first computer that was declared as a
domain controller for the domain. The last value, in this case 1000, is referred to as the relative identifier
or RID.

Relative Identifier
The relative identifier (RID) is used to uniquely identify user accounts or groups within an individual
computer or domain. Each user-created account and group is represented by a system-generated RID,
beginning with 1000. System-generated accounts and groups, such as the Administrator and Guest
accounts or the BUILTIN\Administrators group, are represented by constant value RIDs that remain the
same across any installation of Windows. For example, a RID of 500 will always be used to identify the
System Administrator account in any computer or domain. As such, the SID for the Administrator account
in the domain that the given SID belongs to appears as follows:
S-1-5-21-1673587447-2629168963-360789496-500

The following table illustrates the RID value for some other common Windows accounts and groups:
Relative Identifier (RID) Value     Windows Account or Group Object

500 Administrator account

501 Guest account

512 Domain Admins group

544 BUILTIN\Administrators group

545 BUILTIN\Users group
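The following PowerShell function is an added example, not part of the course material. It breaks a textual SID into the components described above (revision, authority, sub-authorities, RID) and names the RIDs listed in the table; the SID values are the course's own examples plus the well-known Everyone SID S-1-1-0, which shows the single-sub-authority case.

```powershell
# Added example (not from the course): parse a SID string into its components
# and classify the RID using the table from this topic.

$WellKnownRids = @{
    500 = 'Administrator account'
    501 = 'Guest account'
    512 = 'Domain Admins group'
    544 = 'BUILTIN\Administrators group'
    545 = 'BUILTIN\Users group'
}

function ConvertFrom-SidString {
    param([Parameter(Mandatory = $true)][string]$Sid)

    # Textual shape: S-<revision>-<authority>-<sub-authority>[-<sub-authority>...]
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') {
        throw "Not a textual SID: $Sid"
    }
    $revision       = [int]$Matches[1]
    $authority      = [int]$Matches[2]          # 5 = the Windows (NT) security authority
    $subAuthorities = @($Matches[3].TrimStart('-').Split('-') | ForEach-Object { [uint32]$_ })

    # The last sub-authority is the RID; everything before it identifies the
    # issuer (the local computer or the domain, S-1-5-21-<three values> for accounts).
    $rid = $subAuthorities[-1]
    $issuerPart = @()
    if ($subAuthorities.Count -gt 1) {
        $issuerPart = $subAuthorities[0..($subAuthorities.Count - 2)]
    }
    $issuerSid = (@('S', $revision, $authority) + $issuerPart) -join '-'

    # Constant RIDs below 1000 are system-defined; user-created accounts and
    # groups start at 1000, as the topic explains.
    if ($WellKnownRids.ContainsKey([int]$rid)) {
        $ridType = $WellKnownRids[[int]$rid]
    } elseif ($rid -ge 1000) {
        $ridType = 'User-created account or group'
    } else {
        $ridType = 'Other system-defined RID'
    }

    New-Object PSObject -Property @{
        Sid            = $Sid
        Revision       = $revision
        Authority      = $authority
        SubAuthorities = ($subAuthorities -join ',')
        IssuerSid      = $issuerSid
        Rid            = $rid
        RidType        = $ridType
    }
}

# The two SIDs from this topic (user RID 1000 and Administrator RID 500),
# the well-known BUILTIN\Administrators group, and Everyone (one sub-authority).
'S-1-5-21-1673587447-2629168963-360789496-1000',
'S-1-5-21-1673587447-2629168963-360789496-500',
'S-1-5-32-544',
'S-1-1-0' |
    ForEach-Object { ConvertFrom-SidString -Sid $_ } |
    Format-Table Sid, Authority, IssuerSid, Rid, RidType -AutoSize
```

Two SIDs that share an IssuerSid belong to the same computer or domain; only the RID differs, which is why the Administrator account of that domain is the same SID with 500 in place of 1000.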


What Are Access Tokens?

Key Points
An access token is a protected object that contains information about the identity and rights associated
with a user account.

How Access Tokens Are Created


When a user logs on, if authentication is successful, the logon process provides a SID that represents the
user and a list of SIDs for the security groups of which the user is a member. The Local Security Authority
(LSA) on the computer uses this information to create an access token that includes the SIDs and a list of
rights assigned by the local security policy to the user and the user's security groups.

How Access Tokens Are Used to Verify User Rights


After LSA creates the primary access token, a copy of the access token is attached to every process and
thread that executes on the user's behalf. Whenever a thread or process interacts with a shared resource
or tries to perform a system task that requires user rights, the operating system checks the access token
associated with the thread to verify the user's access to the resource.

Note: A user's access token is assembled during the logon process. If a user is added to or removed
from groups after the logon process, the new group membership will not be reflected in the user's
access token until the user logs off and logs on again. At that point, the access token is
reassembled by using the new group membership information.


What Are Permissions?

Key Points
Permissions are the rules used to determine what operations can be performed on a specific object, such
as a file or a folder by a specific user. Permissions can be granted or denied by the owner of an object and
by anyone with rights to modify permissions for that object. Typically, this includes administrators on the
system and on the domain. If you own an object, you can grant any user or security group any permission
on that object, including the permission to take ownership.

Permissions are assigned in the Windows environment by either granting or denying a specific level of
access to a security principal; most often a user or a group. Local principals are used to assign permissions
for local resources, and domain-based principals are used to assign permissions for resources in an Active
Directory domain.

Permissions can be assigned to an object in one of two ways.

Explicit Permissions
When permissions are set directly on an object within the Windows environment, such as a file or folder,
the permissions are explicitly applied. The permissions have been assigned to the object directly by
modifying the security settings in the object's Properties dialog box.

Inherited Permissions
Resources in a Windows environment, such as files and folders, are typically arranged in a nested or tree
structure. Typically, a folder contains other folders or files, and those folders may contain further files or
folders.

Permission inheritance allows for child objects to inherit the permissions settings of their parent object.
This behavior allows explicit permissions to be assigned to a small number of objects and have inheritance
pass those permissions settings down to child objects within the object structure.


Inheritance behavior can be controlled for each object, which can either inherit its parent's permission
settings or have its own explicitly defined set of permissions.


How Access Control Works

Key Points
The main idea behind access control is that principals, such as users, groups, or computers, request access
to resources, such as files, folders, and printers.

Access Control Essentials


The details of access control are complex. For example, consider that a user named Adam Carter attempts to
open a document, Report.doc, in Microsoft Word. In this case, it is not Adam's account that requests access
to Report.doc. Rather, the Microsoft Word application process uses an internal object referred to as a
thread, which requests access by using Adam's access token. Provided that Adam is granted the appropriate
permissions, the document opens in Word and Adam is able to view and possibly edit the contents,
depending on the level of permission granted to his user and group accounts.

Access Control Components

Discretionary Access Control List


The Discretionary Access Control List (DACL) is the key component in managing access control to
Windows-based resources. For each resource, a DACL determines which principals have access to that
resource and exactly what level of access they have. Each DACL consists of zero or more Access Control
Entries.

Access Control Entry


Each Access Control Entry (ACE) that exists within the DACL defines a specific rule containing the
following three key elements:
Access type. This can either be allow or deny.
A SID for the principal to which the rule is applied. This is typically the SID of a user or group.
A list of the types of access controlled by the ACE. This list contains specific capabilities (read, write,
modify, and full control) that the SID is either allowed or denied.


Note: If a DACL contains no ACEs, access is denied to the object for everyone.

How Windows Uses DACLs and ACEs to Control Access


The following table represents a DACL for an object in Windows and two threads running under the
context of different users attempting to access the object.

Processing ACEs in a DACL


The ACEs within each DACL are processed in the following order:
1. All explicit ACEs are placed in a group before any inherited ACEs. This means that explicitly defined
permissions always override those inherited from a parent.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child
object's parent come first, followed by ACEs inherited from the grandparent, and so on.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.
In general, according to these rules, explicitly defined permissions take priority over inherited permissions
and within those two groups, denied permissions take precedence over allowed permissions.
The results for the example below are as follows:
Thread 1, which uses Adam Carter's access token, is denied access to the object.
Thread 2, which uses Bobby Moore's access token, is permitted to Read, Write, and Execute the object in
question.

DACL

ACE 1: Deny Access     Adam Carter (SID)          Read, Write, Execute
ACE 2: Allow Access    Production Group (SID)     Write
ACE 3: Allow Access    Everyone Group (SID)       Read, Execute

Thread 1 access token: Adam Carter, Marketing Group, Production Group, Research Group
Thread 2 access token: Bobby Moore, Production Group

Although the example in the table does not specifically denote whether the permissions are explicitly
defined or inherited, you can see that the Deny Access ACE for the Read, Write, and Execute permissions takes
precedence over any of the Allow Access ACEs, thereby denying Adam's thread access to this
object.
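The following PowerShell script is an added example, not part of the course material. It models the access check described above: the ACEs of the DACL in the table are placed in canonical order (explicit before inherited, Deny before Allow within each group) and walked for each thread's token, stopping as soon as the outcome is known. Group names stand in for SIDs, and the Everyone group is placed in both tokens because every logon token contains it.

```powershell
# Added example (not from the course): simplified model of DACL evaluation
# for the two threads in the table. Rights are a bit mask; names stand in for SIDs.

$Read = 1; $Write = 2; $Execute = 4

function New-Ace {
    param(
        [ValidateSet('Allow', 'Deny')][string]$Type,
        [string]$Sid,
        [int]$Rights,
        [switch]$Inherited,
        [int]$Depth = 0    # 0 = explicit, 1 = from parent, 2 = from grandparent, ...
    )
    @{ Type = $Type; Sid = $Sid; Rights = $Rights; Inherited = [bool]$Inherited; Depth = $Depth }
}

function Sort-Dacl {
    param([object[]]$Aces)
    # Canonical order from the lesson: explicit ACEs before inherited ones,
    # inherited ACEs by level (parent, then grandparent), and within each
    # group access-denied ACEs before access-allowed ACEs.
    $Aces | Sort-Object @{ Expression = { [int]$_.Inherited } },
                        @{ Expression = { $_.Depth } },
                        @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
}

function Test-Access {
    param([object[]]$Dacl, [string[]]$TokenSids, [int]$Requested)
    # A DACL with no ACEs denies everyone (see the note in this topic).
    if ($Dacl.Count -eq 0) {
        return @{ Granted = $false; Reason = 'Empty DACL: access denied to everyone' }
    }
    $remaining = $Requested    # rights requested but not yet granted
    foreach ($ace in (Sort-Dacl $Dacl)) {
        # Only ACEs whose SID appears in the thread's token are considered.
        if ($TokenSids -notcontains $ace.Sid) { continue }
        if ($ace.Type -eq 'Deny' -and ($ace.Rights -band $remaining)) {
            return @{ Granted = $false; Reason = "denied by Deny ACE for $($ace.Sid)" }
        }
        if ($ace.Type -eq 'Allow') {
            $remaining = $remaining -band (-bnot $ace.Rights)
            if ($remaining -eq 0) {
                return @{ Granted = $true; Reason = 'all requested rights granted by Allow ACEs' }
            }
        }
    }
    @{ Granted = $false; Reason = 'requested rights not covered by any Allow ACE' }
}

# The DACL from the table: one Deny ACE followed by two Allow ACEs.
$Dacl = @(
    (New-Ace -Type Deny  -Sid 'Adam Carter'      -Rights ($Read -bor $Write -bor $Execute)),
    (New-Ace -Type Allow -Sid 'Production Group' -Rights $Write),
    (New-Ace -Type Allow -Sid 'Everyone Group'   -Rights ($Read -bor $Execute))
)

# Each thread's access token: the user's SID plus the SIDs of his groups.
$Tokens = @{
    'Thread 1 (Adam Carter)' = @('Adam Carter', 'Marketing Group', 'Production Group',
                                 'Research Group', 'Everyone Group')
    'Thread 2 (Bobby Moore)' = @('Bobby Moore', 'Production Group', 'Everyone Group')
}

# Both threads ask for Read, Write, and Execute on the object.
$wanted = $Read -bor $Write -bor $Execute
foreach ($thread in ($Tokens.Keys | Sort-Object)) {
    $result = Test-Access -Dacl $Dacl -TokenSids $Tokens[$thread] -Requested $wanted
    $verdict = if ($result.Granted) { 'access granted' } else { 'access denied' }
    '{0}: {1} ({2})' -f $thread, $verdict, $result.Reason
}
```

Thread 1 is stopped by the Deny ACE before its Production Group and Everyone memberships are considered; Thread 2 collects Write from ACE 2 and Read and Execute from ACE 3, at which point nothing requested remains and the check succeeds.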


Note: Objects also have System Access Control Lists (SACLs) that can contain ACEs just like a DACL.
However, the ACEs in an SACL are used to record access to an object for auditing purposes rather
than control access for security purpose like the DACL.


What Is Access-Based Enumeration?

Key Points
Beginning in Windows Server 2003 Service Pack 1, Windows Server allows for access-based enumeration
of folders that a server shares over the network.

When you enable access-based enumeration, users see shared files and folders only if they are given the
appropriate access permissions for the folder or files.

Access-based enumeration provides a more streamlined and efficient experience for end users, because
they see only files that they have permission to access.

Enabling Access-Based Enumeration


To enable access-based enumeration, complete the following steps:
1. Click the Start button, click Administrative Tools, and then click Share and Storage Management.
2. In the main pane of the Share and Storage Management window, right-click one of the shared
folders, and then click Properties.
3. In the Properties dialog box, click the Advanced button.
4. In the Advanced dialog box, select the Enable access-based enumeration check box.
When the Enable access-based enumeration check box is selected, access-based enumeration is
enabled on the shared folder. This setting is unique to each shared folder on the server.


Lesson 2
Managing NTFS File and Folder Permissions

NTFS has been the primary file system of the Windows Server operating system for more than 15 years.
One of the keys to its longevity is the logical and efficient way that NTFS manages file properties like
permissions and the way that NTFS has evolved and enhanced its interaction with Windows operating
systems.

To manage and use a Windows Server environment effectively, you need to know the methods that NTFS
uses to assign and propagate properties to files and folders.

Objectives
After completing this lesson, you will be able to:
Describe NTFS permissions.
Describe standard and advanced permissions.
Discuss NTFS permission inheritance.
Determine the effect of copying or moving files and folders.


What Are NTFS Permissions?

Key Points
NTFS permissions are assigned to files or folders on a storage volume formatted with NTFS. The
permissions assigned to NTFS files and folders govern user access of these files and folders.

The following points describe the key aspects of NTFS permissions:


NTFS permissions can be assigned to an individual file or folder, or to sets of files or folders.
NTFS permissions can be assigned individually to security principals, which include users, groups, and computers.
NTFS permissions are controlled by denying or allowing specific types of NTFS file and folder access,
such as read or write.
NTFS permissions can be inherited from parent folders. By default, the NTFS permissions assigned to a
folder are also assigned to newly created folders or files within that parent folder.

NTFS Permissions Examples


The following describes a basic example of assigning NTFS permissions.

For the Marketing Pictures folder, an administrator has chosen to assign Allow permissions to Adam
Carter for the Read permission type. Under default NTFS permissions behavior, Adam Carter will have
Read access to the files and folders contained in the Marketing Pictures folder.
When applying NTFS permissions, the results are cumulative. For example, let's carry on with the given
example and say that Adam Carter is also a member of the Marketing group. The Marketing group has been
given Write permission on the Marketing Pictures folder. When we combine the permissions assigned to
Adam Carter's user account with the permissions assigned to the Marketing group, Adam has
both Read and Write permissions for the Marketing Pictures folder.

NTFS Permissions: Important Rules


There are a few key rules to examine when working with NTFS permissions.


There are two groupings of NTFS permissions.


Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a
file or a folder take precedence over those that are inherited from a parent folder.
Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions,
any Deny permissions that exist override conflicting Allow permissions within the group.
Therefore, taking these rules into account, NTFS permissions apply in the following order:
1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow
It is important to remember that NTFS permissions are cumulative, and these rules are applied only when
two NTFS permission settings conflict with each other.

Note: Further detail regarding conflicting and inherited permissions will be covered later in this lesson.

How to Configure NTFS Permissions


You can view and configure NTFS permissions by following these steps:
1. Right-click the file or folder you want to assign permissions for and click Properties.
2. In the Properties window, click the Security tab.
In this tab, you can select the current users or groups that have been assigned permissions to view the
specific permissions assigned to each principal.
3. To open an editable permissions dialog box so you can modify existing permissions or add new users
or groups, click the Edit button.

Note: More complex permissions settings will be discussed later in this lesson.


What Are Standard and Advanced Permissions?

Key Points
Assignable NTFS permissions fall into two categories, Standard and Advanced.

Standard Permissions
Standard permissions provide the most commonly used permission settings for files and folders, and are
presented for assignment in the main NTFS permissions assignment window.

Standard permissions for NTFS files and folders consist of the following:

File permissions     Description

Full Control     Allows the user complete control of the file/folder, including control of
permissions.

Modify     Allows the user to read and write the file/folder.

Read and Execute     Allows the user to read a file and start programs. For a folder, allows the
user to see folder content and start programs.

Read     Allows the user read-only access.

Write     Allows the user to change file contents and delete files. For a folder, allows the
user to change folder content and delete files.

List folder contents (folders only)     Allows the user to list the contents of the folder only; no
access is given to the actual folder contents.

Note: Giving users Full Control permissions on a file or a folder not only gives them the ability to
perform any file system operation on the object, but also the ability to change permissions on the
object. They can also remove permissions on the resource for any or all users, including you.


Advanced Permissions
Advanced permissions allow for a much finer level of control over NTFS files and folders. Advanced
permissions are accessible from the Security tab of a file or folder's Properties sheet by clicking the
Advanced button.

Advanced permissions for NTFS files and folders consist of the following:

File Permissions     Description

Traverse Folder/Execute File
The Traverse Folder permission applies only to folders. This permission allows or denies the user
moving through folders to reach other files or folders, even if the user has no permissions for the
traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass
Traverse Checking user right. You can check this user right in the Group Policy snap-in. By default,
the Everyone group is given the Bypass Traverse Checking user right.
The Execute File permission allows or denies running program files.
If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically
set on all files in that folder.

List Folder/Read Data
The List Folder permission allows the user to view file names and subfolder names. The List Folder
permission applies only to folders and affects only the contents of that folder; it does not affect
whether the folder that you are setting the permission on is itself listed. Also, this setting has no
effect on viewing the file structure from the command-line interface.
The Read Data permission applies only to files and allows or denies the user viewing data in files.

Read Attributes
The Read Attributes permission allows the user to view the basic attributes of a file or a folder, such
as the read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes
The Read Extended Attributes permission allows the user to view the extended attributes of a file or
folder. Extended attributes are defined by programs and can vary by program.

Create Files/Write Data
The Create Files permission applies only to folders and allows the user to create files in the folder.
The Write Data permission applies only to files and allows the user to make changes to the file and
overwrite existing content.

Create Folders/Append Data
The Create Folders permission applies only to folders and allows the user to create folders in the folder.
The Append Data permission applies only to files and allows the user to make changes to the end of the
file, but not to delete or overwrite existing data.

Write Attributes
The Write Attributes permission allows the user to change the basic attributes of a file or folder, such
as read-only or hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply that you can create or delete files or folders; it
includes only the permission to make changes to the attributes of a file or folder. To allow Create or
Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and
Files, and Delete.


Write Extended Attributes
The Write Extended Attributes permission allows the user to change the extended attributes of a file
or folder. Extended attributes are defined by programs and can vary by program.
The Write Extended Attributes permission does not imply that the user can create or delete files or
folders; it includes only the permission to make changes to the attributes of a file or folder. To allow
Create or Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete
Subfolders and Files, and Delete in this table.

Delete Subfolders and Files
The Delete Subfolders and Files permission applies only to folders and allows the user to delete
subfolders and files, even if the Delete permission is not granted on the subfolder or file.

Delete
The Delete permission allows the user to delete the file or folder. If you have not been assigned Delete
permission on a file or folder, you can still delete the file or folder if you are granted the Delete
Subfolders and Files permission on the parent folder.

Read Permissions
The Read Permissions permission allows the user to read the permissions on the file or folder, such as
Full Control, Read, and Write.

Change Permissions
The Change Permissions permission allows the user to change permissions on the file or folder, such as
Full Control, Read, and Write.

Take Ownership
The Take Ownership permission allows the user to take ownership of the file or folder. The owner of a
file or folder can change permissions on it, regardless of any existing permissions that protect the file
or folder.

Synchronize
The Synchronize permission allows different threads to wait on the handle for the file or folder and
synchronize with another thread that may signal it. This permission applies only to multithreaded,
multiprocess programs.

Note: Standard permissions are actually combinations of several individual Advanced permissions,
grouped for common file and folder usage scenarios.
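The following PowerShell function is an added example, not part of the course material. It makes the note above concrete by expanding each standard permission into the individual advanced rights it is built from, using the .NET FileSystemRights enumeration that Get-Acl and Set-Acl work with; names that share one bit (such as ListDirectory and ReadData, which are one right shown under two names for folders and files) are printed together.

```powershell
# Added example (not from the course): decompose a standard NTFS permission
# into the single-bit advanced rights that make it up.

function Expand-FileSystemRights {
    param([System.Security.AccessControl.FileSystemRights]$Rights)

    $enumType = [System.Security.AccessControl.FileSystemRights]
    $value    = [int]$Rights
    $byBit    = @{}

    foreach ($name in [Enum]::GetNames($enumType)) {
        $bit = [int][Enum]::Parse($enumType, $name)
        # Keep only members that are exactly one bit (the advanced rights) and
        # that are present in the value being expanded.
        $isSingleBit = ($bit -ne 0) -and (($bit -band ($bit - 1)) -eq 0)
        if ($isSingleBit -and ($value -band $bit)) {
            if ($byBit.ContainsKey($bit)) {
                $byBit[$bit] = '{0}/{1}' -f $byBit[$bit], $name   # folder name / file name for the same bit
            } else {
                $byBit[$bit] = $name
            }
        }
    }
    # Return the right names in bit order.
    $byBit.Keys | Sort-Object | ForEach-Object { $byBit[$_] }
}

# The standard permissions from the first table in this topic.
foreach ($standard in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    $parts = Expand-FileSystemRights -Rights $standard
    '{0,-15} = {1}' -f $standard, ($parts -join ', ')
}
```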


What Is NTFS Permissions Inheritance?

Key Points
By default, NTFS uses inheritance to propagate permissions throughout an NTFS folder structure. When a
file or a folder is created, it is automatically assigned the permissions set on any folders that exist above it
in the hierarchy of the folder structure.

How Inheritance Is Applied


Consider the following example structure as it applies to Adam Carter and the groups he is a member
of:

Adam Carter is a member of:
Marketing Group
New York Editors

Folder or File     NTFS Permission     Adam's Permissions

Marketing (folder)     Read: Marketing Group     Read
Marketing Pictures (folder)     None explicitly set     Read (inherited)
New York (folder)     Write: New York Editors     Read (i) + Write
Fall_Composite.jpg (file)     None explicitly set     Read (i) + Write (i)
In this example, Adam is a member of two groups that are assigned permissions for files or folders within
the folder structure.
The top-level folder, Marketing, has an entry for the Marketing Group giving them read access.
In the next level, the Marketing Pictures folder has no explicit permissions set, but because of
permissions inheritance, Adam also has Read access to this folder and its contents from the
permissions set on the Marketing folder.


In the third level, the New York folder has Write permission assigned to one of Adam's groups, New
York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits
the Read permission from the Marketing folder. These permissions continue to pass down to file
and folder objects, accumulating with any explicit permissions set on those files.
The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been
set for this file, Adam has both Read and Write access to the file, due to the permissions inherited
from both the Marketing folder and the New York folder.

Permission Conflicts
It is possible that explicitly set permissions on a file or folder will conflict with permissions inherited from a
parent folder. In these cases, the explicitly assigned permissions will always override the inherited
permissions.

In the given example, if Adam Carter was denied Read access to the Marketing folder, but then explicitly
allowed Read Access to the New York folder, this access permission would take precedence over the
inherited Deny Read access permission.

Blocking Inheritance
It is also possible to disable the inheritance behavior for a file or a folder (and its contents) on an NTFS
volume. This can be done to explicitly define permissions for a set of objects without including any of the
inherited permissions from any parent folders.
Windows provides an option for blocking inheritance on a file or a folder within the Advanced section of
the Security tab. To block inheritance on a file or folder, complete the following steps:
1. Right-click the file or folder where you want to block inheritance and click Properties.
2. In the Properties window, click the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, click the Change Permissions button.
4. In the next window, clear the Include inheritable permissions from this object's parent check box.

Note: At this point, you are prompted to either add the existing permissions as a starting point for your
explicitly assigned permissions or remove existing permissions on the object to start with a blank
permissions slate.

Resetting Default Inheritance Behavior

After inheritance is blocked, changes made to permissions on the parent folder structure no longer
affect the permissions of the object (and its contents) that blocked inheritance, unless that behavior is
reset from one of the parent folders by selecting the Replace all child objects with inheritable
permissions from this object check box. When this box is selected, the existing set of permissions on
the current folder is propagated down to all child objects in the tree structure, overriding all explicitly
assigned permissions for those files and folders. This check box is found directly under the Include
inheritable permissions from this object's parent check box.
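The same inspection, blocking and reset can be done from the command line. The following Windows PowerShell
script is an added example and not part of the course: it lists every access entry under a folder with its
inherited flag, blocks inheritance on one subfolder the way steps 1 to 4 above do, and then resets the
subtree the way the Replace all child objects check box does. It assumes the C:\Marketing tree from the
Adam example exists on an NTFS volume and that it runs in an elevated session on Windows Server 2008 R2.

```powershell
# Added example (not course code): audit, block, and reset NTFS inheritance.
# Assumptions: the C:\Marketing tree from the lesson exists on an NTFS volume and
# this runs in an elevated Windows PowerShell session on Windows Server 2008 R2.
$root   = 'C:\Marketing'
$target = Join-Path -Path $root -ChildPath 'New York'

# List every access entry on the folder and everything below it. IsInherited is
# $false for entries set explicitly on that object and $true for entries that
# arrived through inheritance from a parent folder.
function Show-NtfsAce {
    param([Parameter(Mandatory=$true)][string]$Path)
    $objects = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $objects) {
        (Get-Acl -Path $item.FullName).Access |
            Select-Object @{n='Object';   e={$item.FullName}},
                          @{n='Identity'; e={$_.IdentityReference.Value}},
                          FileSystemRights, AccessControlType, IsInherited
    }
}

# Block inheritance (steps 1 to 4 in the text). The first $true protects the DACL
# from the parent; the second argument decides what happens to the entries that
# were inherited: $true keeps copies of them as explicit entries (the "add the
# existing permissions" choice), $false starts with an empty permissions list.
function Block-NtfsInheritance {
    param([Parameter(Mandatory=$true)][string]$Path, [bool]$KeepExisting = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $KeepExisting)
    Set-Acl -Path $Path -AclObject $acl
}

# Reset: what the "Replace all child objects with inheritable permissions from
# this object" check box does. Every object below $Path gets inheritance turned
# back on and its explicit entries removed, so only what $Path passes down remains.
function Reset-NtfsInheritance {
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $childAcl = Get-Acl -Path $_.FullName
        $childAcl.SetAccessRuleProtection($false, $false)   # re-enable inheritance
        foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$childAcl.RemoveAccessRule($ace)         # drop the explicit entries
        }
        Set-Acl -Path $_.FullName -AclObject $childAcl
    }
}

Show-NtfsAce -Path $root | Format-Table -AutoSize    # baseline: New York shows Read as inherited
Block-NtfsInheritance -Path $target                  # New York now carries Read as an explicit entry
Show-NtfsAce -Path $target | Format-Table -AutoSize
Reset-NtfsInheritance -Path $root                    # back to inherited entries only, below the root
Show-NtfsAce -Path $root | Format-Table -AutoSize
```

Run Show-NtfsAce before and after each step and compare the IsInherited column: blocking with the copy option
turns the inherited entries into explicit ones without changing who has access, while the reset removes
every explicit entry below the folder, so list any deliberate exceptions before running it. The icacls
equivalents are /inheritance:d (disable and copy) and /inheritance:r (disable and remove) for the block.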

Effects on NTFS Permissions When Copying or Moving Files and Folders

Key Points
NTFS permissions depend on the NTFS structure to maintain their integrity. When you move or copy files
or folders from their original location, NTFS permissions can be affected, depending on the nature of the
move or copy operation.

Note: It is important to define the move and copy process prior to defining the rules that apply to
moving and copying files.
Moving a file or folder causes the object to be relocated to the new destination. After a move operation
is complete, the file or folder no longer exists in the old location.
Copying a file or folder simply makes a copy of the object and places it in the new destination. The
original copy of the file remains in the same state in the original location.

The following rules apply when moving or copying files or folders to another location:
1. When moving or copying files or folders to another volume, all NTFS permissions are lost. If the
destination volume is NTFS, your files or folders will inherit the NTFS permissions of the parent folder
on the destination volume.

Note: When files are sent to another volume, it is always a copy operation. If you select move from
the Windows Explorer interface, the actual file operation copies the file to the destination and deletes
the files from the original location.

2. When copying files or folders to another location on the same NTFS volume, the original NTFS
permissions assigned to the original objects are lost. The objects inherit NTFS permissions settings
from the destination parent folder.

3. When moving files or folders to another location on the same NTFS volume, the original explicitly
defined NTFS permissions are retained for the objects in their new location. If no explicit permissions
are defined, the objects inherit from their parent folder in the new location.
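The difference between rules 2 and 3 is easy to see on a test volume. The following script is an added
example, not part of the course: it places one explicit entry on a file, copies the file to another folder
and then moves it to a third folder on the same volume, printing the explicit entries that survive each
operation. The paths and the CONTOSO\New York Editors group are assumptions; the session must be elevated.

```powershell
# Added example (not course code): track one explicit NTFS entry through a copy
# and a same-volume move. Assumptions: C:\ is an NTFS volume, the paths below are
# free to create, CONTOSO\New York Editors exists, and the session is elevated.
$srcDir  = 'C:\Marketing\New York'
$copyDir = 'C:\Archive'            # destination for the copy (rule 2)
$moveDir = 'C:\Marketing\Boston'   # destination for the move (rule 3)
$file    = 'Fall_Composite.jpg'

foreach ($d in $srcDir, $copyDir, $moveDir) { New-Item -ItemType Directory -Path $d -Force | Out-Null }
$src = Join-Path -Path $srcDir -ChildPath $file
Set-Content -Path $src -Value 'constructed test file'

# Explicit (non-inherited) entries only; inherited ones come from the parent anyway.
function Get-ExplicitAce {
    param([Parameter(Mandatory=$true)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Put one explicit Allow Write entry on the source file.
$acl  = Get-Acl -Path $src
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\New York Editors', 'Write', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $src -AclObject $acl
'Source file:'; Get-ExplicitAce -Path $src                              # shows the Write entry

# Rule 2: a copy is a new object. It gets only what C:\Archive passes down,
# so the explicit Write entry does not come along.
Copy-Item -Path $src -Destination $copyDir
'Copied file:'; Get-ExplicitAce -Path (Join-Path $copyDir $file)        # nothing explicit

# Rule 3: a move on the same volume relocates the same object, so the explicit
# entry is retained. (Across volumes it would be a copy plus a delete, rule 1.)
Move-Item -Path $src -Destination $moveDir
'Moved file:';  Get-ExplicitAce -Path (Join-Path $moveDir $file)        # the Write entry survives
```

Check the IsInherited column on the moved file as well: a move performed with Move-Item (the MoveFile API)
carries the object's inherited entries along unchanged, so they can still reflect the old parent until
the object's ACL is next written, which is one reason to audit permissions after a bulk move rather than
assume the new parent's entries were applied.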

Lesson 3
Managing Permissions for Shared Resources

Configuring and maintaining NTFS permissions for your file and folder structure is an important part of
administering a file server. However, if your file server must provide those files and folders to your users
on the network, the resources must be set up as shared folders in Windows Server 2008.

Shared folders provide the basis for providing network access to file resources, and their configuration
and deployment should be planned and managed effectively. This lesson will introduce you to the File
Services role in Windows Server 2008 and provide details on sharing and protecting your file structure.

Objectives
After completing this lesson, you will be able to:
Describe the File Services role.
Describe the use of shared folders.
Describe shared folder permissions.
Create shared folders by using Windows Explorer and Share and Storage Management.
Describe offline files.
Describe the file enhancements in Windows Server 2008 R2.
Configure offline file availability and access.

Overview of the File Services Role in Windows Server 2008

Key Points
The File Services role provides not only the ability to share your files and folders, but also helps manage
storage, enable file replication, provide network resources to non-Windows clients, and manage access to
and use of your shared folder structure proactively.

The File Services role consists of the following role services that work together to provide a full-featured
file management solution:
File Server is the core of the File Services role. It manages shared folders and enables users to access
files on the server from the network.
Distributed File System (DFS) allows administrators to configure a distributed system for shared
folders. This distribution allows for the same set of shared folders to be hosted on different servers.
DFS Replication allows you to replicate shared folders between servers, and DFS Namespace makes it
possible to use a single network share address to allow access to multiple physical DFS locations.
File Server Resource Manager (FSRM) enables the management of file usage through quotas, file
screening policies, and storage reports.
Services for Network File System allow you to configure NFS to allow access to your shared folders
from UNIX client computers.
Windows Search Service permits indexing of files and folders on your file server. This allows for more
efficient searches from clients that are compatible with Windows Search Service.
Windows Server 2003 File Services provides file services for Windows Server 2003 computers.
BranchCache for Network Files enables computers in branch offices to cache commonly downloaded
files from shared folders and then provide those files to other computers in the branch office. This
reduces network bandwidth usage and provides faster access to the files. This Role Service is available
only in Windows Server 2008 R2.
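As an added example (not from the course), the role services listed above can be inspected and installed
with the ServerManager module on Windows Server 2008 R2. The FS-* names are the feature IDs that
Get-WindowsFeature reports on that release; the selection installed here (file server, FSRM, DFS and
BranchCache) is an assumption about what one particular file server needs.

```powershell
# Added example (not course code): install only the File Services role services
# a server actually needs, and leave the rest uninstalled.
Import-Module ServerManager

# Show every File Services role service and whether it is installed.
Get-WindowsFeature -Name FS-* | Format-Table Name, DisplayName, Installed -AutoSize

# Role service IDs on Windows Server 2008 R2 (assumed selection for this server):
#   FS-FileServer        File Server (core)
#   FS-Resource-Manager  File Server Resource Manager
#   FS-DFS-Namespace     DFS Namespaces
#   FS-DFS-Replication   DFS Replication
#   FS-BranchCache       BranchCache for Network Files (R2 only)
# Left uninstalled here: FS-NFS-Services, FS-Search-Service, FS-Win2003-Services
$wanted = 'FS-FileServer', 'FS-Resource-Manager', 'FS-DFS-Namespace', 'FS-DFS-Replication', 'FS-BranchCache'
$result = Add-WindowsFeature -Name $wanted
$result | Format-List Success, RestartNeeded, FeatureResult

# Report anything FS-* that is installed outside the wanted set. Parent entries
# such as FS-DFS appear here because one of their children was installed.
Get-WindowsFeature -Name FS-* | Where-Object { $_.Installed -and ($wanted -notcontains $_.Name) } |
    Format-Table Name, DisplayName -AutoSize
```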

Note: The commonly used File Services components (DFS, FSRM, and BranchCache) will be covered in
more detail later in this course.

What Are Shared Folders?

Key Points
Shared folders are the key component of accessing files on your server from the network.

When you share a folder, the folder and all its contents are made available to multiple users
simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS
permissions on the folder's contents. These permissions provide an extra level of security for files
and folders made available on the network.
Most organizations deploy dedicated file servers to host shared folders. You can store files in shared
folders according to categories or functions. For example, you can put shared files for the Sales
department in one shared folder and shared files for the Marketing department in another.

Note: The sharing process happens strictly at the folder level. It is not possible to share only an
individual file or a group of files.

Accessing a Shared Folder

A shared folder is accessed most commonly over the network by using its Universal Naming Convention
(UNC) path, which contains the name of the server the folder is hosted on and the shared folder name,
separated by a backslash (\) and preceded by two backslashes (\\). For example, the UNC name for the
Sales shared folder on the NYC-SVR1 server would be:

\\NYC-SVR1\Sales

Sharing a Folder on the Network

Windows Server 2008 provides a number of ways to share a folder:
Using the Provision a Shared Folder Wizard from the Share and Storage Management console.

Using the File Sharing Wizard, either from the folder's right-click menu or by clicking the Share
button on the Sharing tab of the folder's Properties window.
Using Advanced Sharing by clicking the Advanced Sharing button on the Sharing tab of the folder's
Properties window.
Using the net share command from the command line.

Note: When sharing the folder, you will be asked to give the shared folder a name. This name does
not have to be the same name as the actual folder. It can be a descriptive name that better describes
the folder contents to network users.

Administrative Shares
Administrative or hidden shares can be created for shared folders that need to be available from the
network, but not to users browsing the network.

You can access an administrative share by entering its UNC path, but the folder will not show up when
you browse the server by using Windows Explorer. Administrative shares also typically have a more
restrictive set of permissions assigned to the shared folder to reflect the administrative nature of the
folder's contents.

To hide a shared folder, append the dollar symbol ($) to the shared folder's name. For example, a shared
folder on NYC-SVR1 named Sales can be made into a hidden share by naming the share Sales$. The share is
accessible over the network by using the UNC name:

\\NYC-SVR1\Sales$

Shared Folder Permissions

Key Points
Shared folder permissions apply only to users who access the folder over the network. They do not affect
users who access the folder locally on the computer where the folder is stored.

Just like NTFS permissions, you can assign shared folder permissions to user, group, or computer objects.
However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or
folders within the shared folder. Shared folder permissions are set once for the shared folder itself and
apply universally to the entire contents of the shared folder for users who access the folder over the
network.

The following permissions can be applied to a shared folder:

Shared Folder Permission   Description

Read                       Users can display folder and file names, display file data and attributes,
                           run program files and scripts, and navigate the folder structure within
                           the shared folder.

Change                     Users can create folders, add files to folders, change data in files,
                           append data to files, change file attributes, delete folders and files,
                           and perform all tasks permitted by the Read permission.

Full Control               Users can change file permissions, take ownership of files, and perform
                           all tasks permitted by the Change permission.

Note: When you assign the Full Control permission on a shared folder to a user, that user can modify
permissions on the shared folder, which includes removing all users, including you, from the shared
folder's permissions list. In most cases, Change permission should be assigned instead of Full Control.

When a shared folder is created, the default assigned shared permission is Read for the Everyone group.

By default, Windows Server 2008 allows the following groups to create shared folders: Administrators and
Server Operators.

Question: Can you list at least one example of when an administrator might give Full Control permissions
to a user for a shared folder?

Demonstration: Creating Shared Folders

Key Points
In this demonstration, you will see how to:
Create a shared folder and assign permissions by using Windows Explorer.
Create a shared folder and assign permissions by using the Share and Storage Management console.

Demonstration Steps:
1. Open Windows Explorer.
2. Create a new folder named C:\Research.
3. Share the folder by using the Advanced Sharing button on the Sharing tab of the properties
window.
4. Assign Change permission to the Contoso\Research group.
5. Open the Share and Storage Management console.
6. Use the Provision a Shared Folder Wizard to create and share the C:\Marketing folder, giving
Change permissions to the Contoso\Marketing group.
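The shares this demonstration builds in the GUI can also be provisioned with net share and icacls, which is
useful when many servers must get the same configuration. The following script is an added example and
not the course's own demonstration steps. It also serves the sharing-methods and Administrative Shares
topics earlier in this lesson. The C:\Research and C:\Marketing folders and the CONTOSO\Research and
CONTOSO\Marketing groups come from the demonstration; the Sales$ hidden share, the CONTOSO\Sales group and
the NYC-SVR1 server name are assumptions. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not the course's own steps): the demonstration's shares built
# with net share and icacls instead of the GUI. Paths and the Research/Marketing
# groups are the demonstration's; Sales$, CONTOSO\Sales and NYC-SVR1 are assumed.

# Steps 1-4: create C:\Research, grant the Research group Modify at the NTFS
# level ((OI)(CI) makes the entry inheritable by child files and folders), then
# share it with the Change share permission. /GRANT replaces the default
# "Everyone: Read" share entry with exactly the entries listed, and Change rather
# than Full Control keeps members from editing the share's permission list.
New-Item -ItemType Directory -Path 'C:\Research' -Force | Out-Null
icacls 'C:\Research' /grant 'CONTOSO\Research:(OI)(CI)M'
net share 'Research=C:\Research' '/GRANT:CONTOSO\Research,CHANGE'

# Steps 5-6: the Marketing share, same pattern.
New-Item -ItemType Directory -Path 'C:\Marketing' -Force | Out-Null
icacls 'C:\Marketing' /grant 'CONTOSO\Marketing:(OI)(CI)M'
net share 'Marketing=C:\Marketing' '/GRANT:CONTOSO\Marketing,CHANGE'

# A hidden share: the trailing $ keeps it out of browse lists, but anyone who
# knows \\NYC-SVR1\Sales$ can still open it, so its permissions matter as much.
New-Item -ItemType Directory -Path 'C:\Sales' -Force | Out-Null
icacls 'C:\Sales' /grant 'CONTOSO\Sales:(OI)(CI)M'
net share 'Sales$=C:\Sales' '/GRANT:CONTOSO\Sales,CHANGE'

# Verify. "net share" alone lists every share on this server, hidden ones
# included; "net share <name>" prints one share's path, permissions and caching
# setting; "net view" shows what a browsing client sees, i.e. non-hidden shares only.
net share
net share Research
net view '\\NYC-SVR1'
```

The arguments are single-quoted because PowerShell would otherwise treat the comma in /GRANT as an array
separator and the $ in Sales$ as the start of a variable name; net.exe receives them as written.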

Offline File Configuration

Key Points
Windows Server 2008 provides the ability to cache network files for offline use. Files can be made available
for clients to cache locally, so the files remain usable when the client computer is disconnected from
the network.

When a client edits or modifies offline files and folders, the changes are synchronized with the network
copy of the files the next time the client reconnects to the network. The synchronization schedule and
behavior of offline files is controlled by the client operating system.

Offline files are available to Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 clients.

On a Windows Server 2008 computer, the Caching button in the Advanced Sharing window brings up the
Offline Settings window for a shared folder. The following options are available within the Offline Settings
window:
Only the files and programs that users specify are available offline. This is the default option
when you set up a shared folder. When you use this option, no files or programs are available offline
by default, and users control which files and programs they want to access when they are not
connected to the network.

Note: There is an Enable BranchCache option that enables BranchCache for the shared folder.
BranchCache will be discussed in more detail later in this course.

No files or programs from the shared folder are available offline. This option blocks Offline Files
on the client computers from making copies of the files and programs on the shared folder.
All files and programs that users open from the shared folder are automatically available
offline. Whenever a user accesses the shared folder or volume and opens a file or program in it, that
file or program is automatically made available offline to that user. Files and programs that are
automatically made available offline remain in the Offline Files cache and synchronize with the
version on the server until the cache is full or the user deletes the files. Files and programs that are
not opened are not available offline.
If you select the Optimized for performance check box, executable files (EXE, DLL) that are run from
the shared folder by a client computer are automatically cached on that client computer. The next
time the client computer runs the executable files, it will access its local cache instead of the shared
folder on the server.

Note: The Offline Files feature must be enabled on the client computer for files and programs to be
automatically cached. In addition, the Optimized for performance option does not have any effect on
client computers that use Windows Vista or later as these operating systems automatically perform
the program-level caching specified by this option.

Question: Which client computer type would make the best use of offline files?

Offline File Enhancements in Windows Server 2008 R2

Key Points
New features introduced in Windows Server 2008 R2 and Windows 7 further enhance the offline file and
folder experience, which provides optimized offline file synchronization and access to improve the end-
user offline files experience.

Fast First Logon

Fast first logon is a new feature in Windows Server 2008 R2 and Windows 7 that runs the offline file
synchronization process in the background the first time a user logs on after offline files have been
designated through Group Policy. Prior to Windows 7, after a policy was applied, the user had to wait
while the contents of the folder were moved to the new location. This process could take a considerable
amount of time if there was a large amount of data to move and the network was slow. On Windows 7,
the user must wait only for Windows to move the files into the local Offline Files cache. After the files are
moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached
data over the network as a background task.

Usually Offline Support with Background Sync

This feature provides remote and branch office users with faster access to files that are located in a
network folder across a slow network connection. Windows 7 enhances this feature by including
Background Sync, a feature that synchronizes offline files in the background, ensuring that the server is
frequently updated with the latest changes.

When a client computer's network connection to a server is slow (as configured by the administrator),
Offline Files automatically transitions the client computer into Offline (slow connection) mode. The user
then works from the local Offline Files cache. On Windows 7, Background Sync runs at regular intervals as
a background task to automatically synchronize and reconcile changes between the client computer and
the server. IT administrators can configure synchronization intervals and block-out times. With this
feature, users no longer need to worry about manually synchronizing their data with the server when
working offline.

Exclusion List
The Exclusion List feature allows for the exclusion of certain file types (large audio or video files) from the
Offline Files synchronization process on Windows 7 clients. This reduces synchronization overhead and
disk space usage on the server and speeds up backup and restore operations. The list of file types is
configured by using Group Policy.

Transparent Caching
With transparent caching, the first time a user opens a file in a shared folder, Windows 7 reads the file
from the server and then stores it in the Offline Files cache on the local hard disk drive. The subsequent
times that a user opens the same file, Windows 7 retrieves the cached file from the hard disk drive instead
of reading it from the server. To provide data integrity, Windows 7 always contacts the server to ensure
that the cached copy is up to date. The cache is never accessed if the server is unavailable, and updates to
the file are always written directly to the server.

Transparent caching is not enabled by default. IT administrators can use a Group Policy setting to enable
transparent caching, improve the efficiency of the cache, and configure the amount of hard disk drive
space that the cache uses.

Note: All the features mentioned in this topic require the client computer to be running Windows 7
Professional, Enterprise, or Ultimate edition. The features also apply to Windows Server 2008 R2
computers acting as offline files clients.

Demonstration: Configuring Offline File Access

Key Points
In this demonstration, you will see how to:
Configure offline files for a shared folder.
Make offline files available on a client operating system.

Demonstration Steps:
1. On the server, open Windows Explorer.
2. Share the E:\Labfiles\Mod03 folder as Mod03 by using the Advanced Sharing button on the
Sharing tab of the properties window.
3. In the Caching settings, make the folders contents available for offline synchronization.
4. On the client computer, map a network drive N to \\NYC-SVR1\Mod03.
5. Right-click the mapped network drive and make the files available for offline use.
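The Offline Settings choices described in the Offline File Configuration topic, and steps 2 to 4 of this
demonstration, map directly onto the /CACHE switch of net share. The following script is an added example
and not the course's own steps. It assumes E:\Labfiles\Mod03 exists on NYC-SVR1, that CONTOSO\Marketing is
the group that should reach the share, that the server prompt is elevated, and that the client runs
Windows 7 or Windows Server 2008 R2 with the Offline Files feature enabled.

```powershell
# Added example (not the course's own steps): the Offline Settings dialog choices
# expressed with net share /CACHE, applied to the demonstration's Mod03 share,
# followed by the client-side drive mapping. E:\Labfiles\Mod03 and NYC-SVR1 are the
# demonstration's; CONTOSO\Marketing as the permitted group is an assumption.

# --- Server (NYC-SVR1), elevated prompt ---
# Dialog option                                                     /CACHE value
#   Only the files and programs that users specify (default)        Manual
#   No files or programs from the shared folder are available       None
#   All files and programs that users open ... automatically        Documents
#   ... with the Optimized for performance check box selected       Programs
#   Enable BranchCache (Windows Server 2008 R2 only)                BranchCache
# Step 2: share the folder; /GRANT replaces the default Everyone: Read entry.
net share 'Mod03=E:\Labfiles\Mod03' '/GRANT:CONTOSO\Marketing,CHANGE' /CACHE:Manual

# Step 3: switch the existing share to automatic caching of files users open;
# net share can change a share's caching setting without recreating it.
net share Mod03 /CACHE:Documents
net share Mod03                  # shows path, permissions and the caching setting

# For a share whose data must never be kept on client disks, use None instead:
# net share Mod03 /CACHE:None

# --- Client (Windows 7 / Windows Server 2008 R2) ---
# Step 4: map drive N: and keep the mapping across reboots.
net use N: '\\NYC-SVR1\Mod03' /PERSISTENT:YES
# Step 5 (Always available offline) is done in Windows Explorer. Nothing is cached
# unless the client's Offline Files service is running, so check it first:
Get-Service -Name CscService | Select-Object Name, DisplayName, Status
```

Choosing Documents or Programs means a copy of every opened file ends up in the client's local cache, so
pair those settings with the client-side protections (for example disk encryption) that the data
classification of the share requires, and use None for shares that must not leave the server.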

Lesson 4
Determining Effective Permissions

Assigning permissions for a single user or a group on a single resource is a straightforward task, and it is
not difficult to determine the results. However, in a typical enterprise environment, permission
assignments are not often simple. Multiple group membership, blocked inheritance and combined NTFS
and shared folder permissions can make determining the actual permissions a user is assigned a complex
task.

Objectives
After completing this lesson, you will be able to:
Describe factors that influence effective NTFS permissions.
Determine effective NTFS permissions.
Describe the effects of combining NTFS and Shared Folder permissions.
Determine the effect of combining Shared Folder and NTFS permissions.
Describe best practices for implementing NTFS and Shared folder permissions.

What Are Effective NTFS Permissions?

Key Points
Effective NTFS permissions refer to the cumulative permissions given to a user for an object in relation to
both explicitly defined and inherited permissions allocated to the object for a user and any groups the
user has membership in.

The following principles determine effective permissions:

Cumulative permissions are the combination of the highest NTFS permissions granted to the
user and all the groups of which the user is a member. For example, if a user is a member of a
group that has Read permission and a member of a group that has Modify permission, the user has
Modify permission.
Deny permissions override equivalent Allow permissions. An explicit Allow permission can
override an inherited deny permission. For example, if a user is denied write access to a folder, but is
explicitly allowed write access to a subfolder or a particular file, the explicit Allow overrides the
inherited Deny.
Permissions can be applied to a user or a group. Assigning permissions to groups is preferred
because they are more efficient than managing the permissions of many individuals.
NTFS file permissions take priority over folder permissions. For example, if a user has Modify
permission to a folder, but only has Read permission to certain files in that folder, the effective
permission for those files will be Read.
Every object in an NTFS volume or in Active Directory has an owner. The owner controls how
permissions are set on the object and to whom permissions are granted. For example, a user can
create a file in a folder where the user typically has Modify permission. However, because that user
created the file, the user owns it and can change its permissions, including granting himself or herself
Full Control over the file.

Effective Permissions Tool

Windows Server 2008 provides a tool (Effective Permissions) that shows effective permissions, which are
cumulative permissions based on group membership. You can access this tool by using the following
steps:
1. Right-click the file or folder that you want to analyze permissions for and then click Properties.
2. In the Properties window, click the Advanced button.
3. In the Advanced Security Settings window, click the Effective Permissions tab.
4. Choose a user or group to evaluate by using the Select button.

Discussion: Determining Effective NTFS Permissions

Key Points
In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions.
You need to discuss in class the possible solutions to the scenario.

Scenario
Adam is a member of the Marketing group and the Sales group. The graphic on the slide shows folders
and files on the NTFS partition.

Question: The Marketing group has Write permission, and the Sales group has Read permission for the
Reports folder. Which permissions does Adam have for the Reports folder?

Question: The Marketing group has Read permission for the Reports folder. The Sales group has Write
permission for the New York folder. Which permissions does Adam have for the Region file?

Question: The Marketing group has Modify permission for the Reports folder. The Region file should be
available only to the Sales group, and the Sales group should only be able to read the Region file. What
do you do to ensure that the Sales group has only Read permission for the Region file?


Effects of Combining Shared Folder and NTFS Permissions

Key Points
When enabling access to network resources on an NTFS volume, use NTFS permissions to control access to
folders and files, and combine them with the most restrictive shared folder permissions that still allow the
network access users require.

NTFS and shared folder permissions work together to control access to files and folders that are accessed
over the network. Shared folder permissions apply only to access that comes through the share; a user who
logs on to the server locally, or an application that runs on the server, is subject to the NTFS permissions
alone.

How Combining NTFS and Shared Folder Permissions Works


The key rule to remember when applying NTFS and shared folder permissions is that the more restrictive
of the two permission sets dictates the access a user has to a file or folder when both shared folder
permissions and NTFS permissions apply. Within each set, permissions are cumulative across the user's
group memberships and Deny overrides Allow; the two resulting sets are then intersected.

If a user has Full Control NTFS permission on a folder but the shared folder permission is set to Read, that
user has only Read access to the folder's contents over the network. Access is restricted at the shared folder
level, and any greater access at the NTFS level does not apply. Likewise, if the shared folder permission is
Full Control and the NTFS permission is Write, the user meets no restriction at the shared folder level, but
the NTFS permissions on the folder allow only Write access.

The user must have appropriate permissions on both the NTFS resource and the shared folder. If the user
has no permission on either one of them, access is denied.


Discussion: Determining Effective NTFS and Shared Folder Permissions

Key Points
In this discussion, you will determine effective NTFS and shared folder permissions.

Scenario
The figure shows two shared folders that contain folders or files that have NTFS permissions. Look at each
example and determine a user's effective permissions.

In the first example, the Users folder has been shared, and the Users group has the shared folder
permission Full Control. User1, User2, and User3 have been granted the NTFS permission Full Control only
to their folder. These users are all members of the Users group.

Question: In diagram 1, discuss what the effective permissions are for User1, User2, and User3. Can User1
take full control of User2's directory? Give reasons. How does using the share permission instead of the
NTFS permission prevent users from accessing other users' directories?

Question: In diagram 2, you have shared the Data folder to the Sales group, granting Full Control
permissions. Within the Data directory, you have given the Sales group Read permissions on the NTFS
Sales folder. When users in the Sales group try to save a file in the \Data\Sales directory, they get an
access-denied error. Give reasons. Which permission must be changed and why?
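The following PowerShell script is an added example, not part of the course. It reproduces what the Effective Permissions tool does for the NTFS side (the Adam scenario earlier: Allow entries accumulated across the user's groups, Deny entries subtracted, in evaluation order), then reads the share's own access control list and intersects the two, which is the rule this topic describes and which the tool leaves out. It runs as an administrator on the file server with PowerShell 2.0 or later and uses only Get-Acl and the Win32_LogicalShareSecuritySetting WMI class. The caller has to supply the user's groups (taken from whoami /groups for that user, or from Active Directory); the share name Data and the local path E:\Data\Sales in the usage line are assumed for diagram 2, and the account names come from the discussions above.

```powershell
# Added example (not course material): NTFS effective rights combined with share
# rights for one user. Assumes PowerShell 2.0+ on the file server; the group
# list is supplied by the caller; share and path names below are assumed.

function ConvertTo-Sid {
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Entries are evaluated in order and each right is decided by the first entry
# that mentions it: an Allow grants only rights not already denied, a Deny
# removes only rights not already granted. Because explicit entries are stored
# before inherited ones, an explicit Allow beats an inherited Deny.
function Resolve-AccessMask {
    param([object[]]$Aces, [string[]]$Sids)
    $granted = 0; $denied = 0
    foreach ($ace in $Aces) {
        if ($Sids -notcontains $ace.Sid) { continue }
        if ($ace.IsDeny) { $denied  = $denied  -bor ($ace.Mask -band -bnot $granted) }
        else             { $granted = $granted -bor ($ace.Mask -band -bnot $denied) }
    }
    return ($granted -band 0x1F01FF)   # standard + specific file rights only
}

# NTFS DACL of a local path, normalized to (Sid, IsDeny, Mask). Inherit-only
# entries (for example CREATOR OWNER) shape child objects, not this one.
function Get-NtfsAces {
    param([string]$Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if (([int]$rule.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly
        New-Object PSObject -Property @{
            Sid    = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            IsDeny = ($rule.AccessControlType -eq 'Deny')
            Mask   = [int]$rule.FileSystemRights
        }
    }
}

# Share DACL read through WMI. Share entries use the same bit layout as NTFS:
# Read = 0x1200A9, Change = 0x1301BF, Full Control = 0x1F01FF.
function Get-ShareAces {
    param([string]$ShareName)
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' not found on this server" }
    foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
        New-Object PSObject -Property @{
            Sid    = $ace.Trustee.SIDString
            IsDeny = ($ace.AceType -eq 1)   # 0 = allow, 1 = deny
            Mask   = [int]$ace.AccessMask
        }
    }
}

function Get-EffectiveAccess {
    param(
        [string]$ShareName,     # share as published on this server
        [string]$LocalPath,     # folder or file under the share, by local path
        [string[]]$Identities   # the user plus every group in the user's token
    )
    $sids = @($Identities | ForEach-Object { ConvertTo-Sid $_ })
    # Every user coming in over SMB also carries Everyone, Authenticated Users
    # and NETWORK, which the Effective Permissions tab cannot know about.
    $sids += 'S-1-1-0', 'S-1-5-11', 'S-1-5-2'
    $ntfs  = Resolve-AccessMask (Get-NtfsAces $LocalPath) $sids
    $share = Resolve-AccessMask (Get-ShareAces $ShareName) $sids
    New-Object PSObject -Property @{
        Ntfs    = [System.Security.AccessControl.FileSystemRights]$ntfs
        Share   = [System.Security.AccessControl.FileSystemRights]$share
        Network = [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)
        CanWriteOverNetwork = (($ntfs -band $share -band 0x2) -ne 0)   # FILE_WRITE_DATA
    }
}

# Diagram 2: Full Control on the Data share, Read on the NTFS Sales folder.
# Ntfs shows the Read rights, Share shows Full Control, Network shows Read
# and CanWriteOverNetwork is False, which is why the save fails.
Get-EffectiveAccess -ShareName 'Data' -LocalPath 'E:\Data\Sales' `
    -Identities 'CONTOSO\Adam', 'CONTOSO\Sales'
```

The Network value is what a user in the Sales group gets through \\server\Data\Sales; the Ntfs value alone is what the same user gets when logged on to the server. Running the function against a file rather than the folder is the quickest way to confirm that a Deny placed higher in the tree really reaches the file, since inherited Deny entries are evaluated after any explicit Allow on the file itself.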


Considerations for Implementing NTFS and Shared Folder Permissions

Key Points
Here are several considerations that make administering permissions more manageable:

Grant permissions to groups instead of users. Individuals can always be added to or removed from a
group, while permissions assigned user by user are difficult to track.

Use Deny permissions only when necessary. Because Deny permissions are inherited exactly like Allow
permissions, assigning a Deny permission to a folder can result in users not being able to access files lower
in the folder structure. Deny permissions should be assigned only in the following situations:
- To exclude a subset of a group that has Allow permissions.
- To exclude one specific permission when you have already granted Full Control to a user or a group.

Never deny the Everyone group access to an object. If you deny Everyone access to an object, you also deny
administrators access. Instead, remove the Everyone group, as long as you grant permissions for the object
to other users, groups, or computers.

Grant permissions to an object that is as high in the folder structure as possible so that the security
settings are propagated throughout the tree. For example, instead of bringing groups representing all
departments of the company together on a read-only folder, assign Domain Users (the default group that
contains every user account in the domain) to the share. In this manner, you eliminate the need to update
department groups before new users receive access to the shared folder.

Use NTFS permissions instead of shared folder permissions for fine-grained access. Configuring both
NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions
that a large group of users needs at the shared folder level, and then use NTFS permissions to assign more
specific permissions below it.


Lab: Managing Access to File Services

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.
6. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario
Contoso, Ltd has recently deployed a new file server, NYC-SVR1, to its New York location. The New York
office has staff from both the Production and Research departments. Both departments require the ability
to save their documents to the new file server. Their files will be created in the E:\Labfiles\Mod03 folder.

The Production department works together on tasks and projects, and all its members need to save files to
the folder from their desktops. Any member of the Production department should be able to modify the
files saved by anyone else in the department. The Production department manager, Susanna Stubberod,
needs a folder configured for her monthly reports, so that her staff can view the reports but only she can
change the files in the folder.
The Research department needs a folder to store the project results. All project results will be saved
directly to the server locally from an application installed on NYC-SVR1. All members of the Research
department should be able to make modifications to the files if they are logged on to NYC-SVR1. The
Research department needs to access their files from the network, but no changes should be allowed to
be made to the files, because that will interfere with the application. Max Stevens of the Research
department also uses a laptop, NYC-CL1, which he frequently takes offsite. He needs access to the
Research department files when he is not connected to the network.
The main tasks for this lab are as follows:

1. Planning the shared folder implementation.

2. Implementing the shared folder structure.

3. Evaluating the shared folder structure.


Exercise 1: Planning a Shared Folder Implementation (Discussion)


In this exercise, you will discuss and determine the best solutions for a shared folder implementation.

Discussion Questions:
1. What folder structure should be created on NYC-SVR1 to support the requirements of this scenario?
2. Which NTFS permissions should be assigned to the Production department's folder structure to fulfill
the scenario requirements? Which permissions should be assigned to the shared folder?
3. Which NTFS permissions should be assigned to the Research department's folder structure to fulfill
the scenario requirements? Which permissions should be assigned to the shared folder?
4. How will you make the Research department's files available to Max Stevens when he is offsite with
NYC-CL1?

Result: In this exercise, you discussed and determined solutions for a shared folder implementation.


Exercise 2: Implementing a Shared Folder Structure


In this exercise, you will create the shared folder implementation based on the discussions in the previous
exercise.

The main tasks are as follows:


1. Verify the File Services Role on NYC-SVR1.
2. Create a shared folder structure by using Windows Explorer.
3. Create a shared folder structure by using the Share and Storage Management console.
4. Configure offline files.

Task 1: Verify the File Services Role on NYC-SVR1


1. On NYC-SVR1, open Server Manager.
2. Verify that the File Services role has been installed with the File Server role service.
3. Close Server Manager.

Task 2: Create a shared folder structure by using Windows Explorer


1. On NYC-SVR1, open Windows Explorer.
2. Create the E:\Labfiles\Mod03\Production folder and assign the Production group Full Control
permissions.
3. Share the Production folder, assign the Contoso\Production group Change permissions on the shared
folder, and remove the Everyone group.
4. Create a new text document in E:\Labfiles\Mod03\Production.
5. Create the E:\Labfiles\Mod03\Production\Reports folder and create a new text document in
E:\Labfiles\Mod03\Production\Reports named Report1.txt
6. Assign Susanna Stubberod Full Control permissions on the E:\Labfiles\Mod03\Production\Reports
folder. Block permissions inheritance to ensure that no other users have permissions on this folder.

Task 3: Create shared folders by using the Share and Storage Management Console
1. On NYC-SVR1, open the Share and Storage Management console.
2. Run the Provision a Shared Folder Wizard to provision a share named Research located at
E:\Labfiles\Mod03\Research.
3. Assign the Research group Full Control NTFS permissions on the E:\Labfiles\Mod03\Research folder.
4. Assign the Research group Read shared folder permissions on the Research shared folder.

Task 4: Configure Offline files


1. Log on to NYC-CL1 as Contoso\Max, with password Pa$$w0rd.
2. Map the \\NYC-SVR1\Research network location to the R: drive.
3. Configure Drive R to be always available offline.
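The script below is an added example and not a lab step. It builds the Exercise 2 folders and shares from an elevated PowerShell prompt on NYC-SVR1 with icacls and net share, and it applies the considerations from the previous topic: permissions go to groups, inheritance is left in place where it does what is needed, and Everyone is removed from the share rather than denied. Paths, share names and accounts are the lab's. The file name Notes.txt, keeping BUILTIN\Administrators and SYSTEM on the Reports folder after inheritance is blocked, and the Modify alternative mentioned in the comments are this example's choices.

```powershell
# Added example (not a lab step): Exercise 2 as a script. Assumes an elevated
# PowerShell 2.0+ prompt on NYC-SVR1; Notes.txt and the extra Reports entries
# are this example's choices, everything else is the lab's.
$ErrorActionPreference = 'Stop'
$base = 'E:\Labfiles\Mod03'

function New-SharedFolder {
    param(
        [string]$Path,         # local folder, created if missing
        [string]$ShareName,    # SMB share name
        [string]$Group,        # domain group receiving the permissions
        [string]$NtfsRights,   # icacls simple right: F (Full), M (Modify), RX (Read & execute)
        [string]$ShareRights   # net share /GRANT level: READ, CHANGE or FULL
    )
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # (OI)(CI): the entry is inherited by files and subfolders under $Path.
    & icacls.exe $Path /grant "${Group}:(OI)(CI)$NtfsRights" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
    # /GRANT replaces the default 'Everyone Read' share entry, so Everyone is
    # never on the share and no Deny entry is needed to keep others out.
    & net.exe share "$ShareName=$Path" "/GRANT:$Group,$ShareRights" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $ShareName" }
}

# Production: the whole department saves and edits, locally and over the
# network. Full Control is what the lab asks for; Modify (M) would also meet
# the scenario and would stop members from re-granting the folder to others.
New-SharedFolder -Path "$base\Production" -ShareName 'Production' `
    -Group 'CONTOSO\Production' -NtfsRights 'F' -ShareRights 'CHANGE'
New-Item -ItemType File -Path "$base\Production\Notes.txt" | Out-Null

# Reports: blocking inheritance (/inheritance:r) drops the Production entry,
# and with it the inherited Administrators and SYSTEM entries, so every account
# that still needs access has to be granted explicitly. Add
# 'CONTOSO\Production:(OI)(CI)RX' to the list if staff should read the reports.
$reports = "$base\Production\Reports"
New-Item -ItemType Directory -Path $reports | Out-Null
& icacls.exe $reports /inheritance:r /grant `
    'CONTOSO\Susanna:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $reports" }
New-Item -ItemType File -Path "$reports\Report1.txt" | Out-Null

# Research: the application running on NYC-SVR1 writes locally and is governed
# by NTFS alone, so the group keeps Full Control on disk. Network users pass
# through the share, whose Read permission caps them at Read whatever NTFS
# allows; Max's offline copy on NYC-CL1 carries the same read-only access.
New-SharedFolder -Path "$base\Research" -ShareName 'Research' `
    -Group 'CONTOSO\Research' -NtfsRights 'F' -ShareRights 'READ'

# Verify: (I) marks inherited NTFS entries; net share prints the share ACL.
foreach ($p in "$base\Production", $reports, "$base\Research") { & icacls.exe $p }
foreach ($s in 'Production', 'Research') { & net.exe share $s }
```

On NYC-CL1, Task 4 is the client half of this: net use R: \\NYC-SVR1\Research /persistent:yes maps the share, and making it always available offline is done from Windows Explorer as described above. Exercise 3 then confirms the result: Scott can write under the Production share but sees no Reports entry he can open, Susanna can write in both, and Max cannot create a file on drive R.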

Results: In this exercise, you implemented a shared folder structure.


Exercise 3: Evaluating the Shared Folder Implementation


In this exercise, you will evaluate the shared folder implementation you created in the previous exercise.

Task 1: Test Research Folder Permissions


1. If necessary, log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd.
2. Test to ensure that Max cannot create any new documents on the Research folder (Drive R).
3. Log off of NYC-CL1.

Task 2: Test Production Shared Folder Permissions


1. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd.
2. Test to ensure that Scott has Full Control to \\NYC-SVR1\Production and no access to
\\NYC-SVR1\Production\Reports.
3. Log off NYC-CL1.
4. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd.
5. Test to ensure that Susanna has Full Control to \\NYC-SVR1\Production and
\\NYC-SVR1\Production\Reports.
6. Log off NYC-CL1.

Results: In this exercise, you evaluated a shared folder implementation.

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1


Module Review and Takeaways

Review Questions
1. What is a common reason to use advanced NTFS permissions rather than the standard set of NTFS
permissions?

2. What advantages does creating a shared folder by using the Share and Storage Management tools
have over using Windows Explorer?

Windows Server 2008 R2 Features Introduced in this Module


Windows Server 2008 R2 feature     Description
Offline Files enhancements         New features that enhance the Offline Files experience for
                                   Windows Server 2008 R2 and Windows 7 computers.

Tools
Tool                               Use for                           Where to find it
Share and Storage Management       Provisioning shared folders and   Installed with the File Services role and
Console                            storage objects                   found on the Administrative Tools menu.

Configuring and Managing Distributed File System 4-1

Module 4
Configuring and Managing Distributed File System
Contents:
Lesson 1: Distributed File System Overview 4-3
Lesson 2: Configuring DFS Namespaces 4-14
Lesson 3: Configuring DFS Replication 4-20
Lab: Installing and Configuring Distributed File System 4-28


Module Overview

Many organizations maintain a large number of file servers containing vast amounts of data needed by
users. With so many file resources on the network, it is often a challenge for users to locate files quickly
and efficiently.

Larger enterprise organizations may manage multiple data sites, which often introduces additional
challenges, such as increased network traffic over wide area network (WAN) connections, and ensuring
the availability of files during WAN or server failures.

This module introduces the Distributed File System (DFS) solution that you can use to meet these
challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an
enterprise.

Objectives
After completing this module, you will be able to:
Describe the Distributed File System.
Configure DFS Namespaces.
Configure DFS Replication.


Lesson 1
Distributed File System Overview

DFS in Microsoft Windows Server 2008 incorporates technology to provide efficient access and high
availability to file resources.
This lesson introduces DFS Namespaces and DFS Replication, and discusses scenarios and requirements for
deploying a DFS solution within your network environment.

Objectives
After completing this lesson, you will be able to:
Define DFS.
Describe how DFS namespaces and DFS replication function.
Describe common DFS Scenarios.
Describe the types of DFS Namespaces.
Describe folders and folder targets.
Install the DFS role service.
Describe new DFS features for Windows Server 2008 R2.


What Is the Distributed File System?

Key Points
To access a typical file share, most users need to know which file server the share is located on, and the
name of the share to access. Many large organizations may have hundreds of file servers, dispersed
geographically. This introduces a number of challenges for users to find and access files efficiently.

Distributed File System is a set of role services of the Windows Server 2008 File Services role. The DFS
Namespaces role service logically combines shared folders located on different servers into a virtual
namespace. Users only need to know the name of the virtual namespace to reach the shared folder
structure.

Another benefit of DFS is the ability to replicate both the virtual namespace and the shared folders to
multiple servers within the organization. This can ensure that the shares are fault tolerant and the shared
folders are located as close as possible to users, thereby providing efficient access to the data.

DFS includes two technologies that are implemented as role services. These technologies are:
DFS Namespaces. DFS Namespaces (DFS-N) allows administrators to group shared folders located
on different servers into one or more logically structured namespaces. Each namespace appears to
users as a single shared folder with a series of subfolders. The subfolders typically point to shared
folders that are located on various servers in multiple geographical sites throughout the organization.
DFS Replication. DFS Replication (DFS-R) is a multi-master replication engine used to synchronize
files between servers for both local and WAN network connections. DFS-R supports replication
scheduling, bandwidth throttling, and Remote Differential Compression (RDC). When enabled and
applied, RDC updates only the portions of files that have changed since the last replication. DFS-R can
be used in conjunction with DFS Namespaces or can be used as a stand-alone file replication
mechanism.


How DFS Namespaces and DFS Replication Work

Key Points
Even though DFS Namespaces and DFS Replication are separate role services, they can be used together
to provide high availability and data redundancy. The following process describes how DFS Namespaces
and DFS Replication work together:

1. The user accesses a folder in the DFS namespace. When a user attempts to access a folder in a DFS
namespace, the client computer contacts the server that hosts the namespace root. The host server can
be a stand-alone server hosting a stand-alone namespace, or it can host a domain-based namespace,
whose configuration is stored in Microsoft Active Directory Domain Services (AD DS) and can be served by
several namespace servers to provide high availability. The namespace server returns to the client
computer a referral: a list of the servers that host the shared folders (called folder targets) associated
with the folder being accessed.
2. The client computer accesses the first server in the referral. The client computer caches the referral
and then contacts the first server in the list. The first server is typically one in the client's own site. If no
target is located in the client's site, the administrator can configure target priority, which helps
determine the next best server the client contacts to access the file resource.

For example, in the diagram, the Marketing folder that is published in the namespace actually has two
folder targets: one shared folder on a file server in New York and one on a file server in London. The two
shared folders are kept synchronized by DFS-R. Even though multiple servers host the folder targets, this is
transparent to users, who only access a single folder in the namespace. If one of the folder targets becomes
unavailable, clients are redirected to the remaining targets in the referral.


DFS Scenarios

Key Points
Several key scenarios can benefit from DFS Namespaces and DFS Replication. These scenarios include:
Sharing files across branch offices
Data collection
Data distribution

Sharing Files Across Branch Offices


Large organizations that have many branch offices often have to share files or collaborate between these
locations. DFS-R can help replicate files between branch offices or from a branch office to a hub site.
Having files in multiple branch offices also benefits users who travel from one branch office to another.
The changes that users make to their files in one branch office are replicated back to their home branch office.

Note: This scenario is recommended only if users can tolerate some file inconsistencies as changes are
replicated throughout the branch servers. Also, note that DFS-R only replicates a file after it is closed.
Therefore, DFS-R is not recommended for replicating database files or any files that are held open for
long periods of time.

Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub site, thus allowing the
files to be used for a number of specific purposes. Critical data can be replicated to a hub site by using
DFS-R, and then backed up at the hub site by using standard backup procedures. This increases the
branch office data recoverability if a server fails, because files will be available in two separate locations
and backed up. Additionally, companies can reduce branch office costs by eliminating backup hardware
and onsite information technology (IT) personnel expertise. Replicated data can also be used to make
branch office file shares fault tolerant. If the branch office server fails, clients in the branch office can
access the replicated data at the hub site.

Data Distribution
You can use DFS-N and DFS-R to publish and replicate documents, software, and other line-of-business
data throughout your organization. DFS-N and folder targets can increase data availability and distribute
client load across various file servers.

Note: Do not use DFS Replication in an environment where multiple users update or modify the same
files simultaneously on different servers. Doing so can cause DFS Replication to move conflicting copies
of the files to the hidden DfsrPrivate\ConflictandDeleted folder. When multiple users need to modify
the same files at the same time on different servers, use the file check-out feature of a product such as
Windows SharePoint Services to ensure that only one user is working on a file.


Types of DFS Namespaces

Key Points
You can create either a domain-based or stand-alone namespace. Each type has different characteristics.

Domain-Based Namespace
A domain-based namespace can be used when:
Namespace high availability is required, which is accomplished by hosting the namespace on multiple
namespace servers.
You need to hide the names of the namespace servers from users. This also makes it easier to replace a
namespace server or migrate the namespace to a different server, because users address the namespace
as \\domainname\namespace rather than \\servername\namespace.

If you choose to deploy a domain-based namespace, you must also choose between Windows 2000 Server
mode and Windows Server 2008 mode. Windows Server 2008 mode adds support for access-based
enumeration and increased scalability: the limit of 5,000 folders with targets in Windows 2000 Server mode
is raised to 50,000. Access-based enumeration hides from users the folders that they do not have permission
to read; it is a convenience for users, not a substitute for permissions on the folder targets.

To use Windows Server 2008 mode, the following requirements must be met:
The Active Directory forest must be at the Windows Server 2003 or higher forest functional level.
The Active Directory domain must be at the Windows Server 2008 or higher domain functional level.
All namespace servers must run Windows Server 2008 or later.


Note: You can migrate a domain-based namespace from Windows 2000 Server mode to Windows
Server 2008 mode by using the DFSutil command-line tool: export the namespace to a file, delete it,
re-create it in Windows Server 2008 mode, and import the exported configuration. You can enable or
disable access-based enumeration on a namespace by using the DFS Management console or DFSutil, and
on an individual shared folder by using the Share and Storage Management MMC.

Stand-Alone Namespace
A stand-alone namespace must be used when:
Your organization has not implemented AD DS.
Your organization does not meet the requirements for a Windows Server 2008 mode, domain-based
namespace, and you need more than 5,000 folders with targets. Stand-alone DFS namespaces support up
to 50,000 folders with targets.


What Are Folders and Folder Targets?

Key Points
A DFS namespace is a virtual view of shared folders in an organization. As the administrator, you select
which shared folders to present in the namespace, design the hierarchy in which those folders appear, and
determine the names that the shared folders show in the namespace. When a user views the namespace,
the folder structure appears to reside on a single disk.

Folders
Folders are the primary namespace elements. They appear under the namespace root (\\server\rootname
or \\domain\rootname) and help build the namespace hierarchy. As with standard disk structures, folders
are organized into tree structures similar to the way you use folders on a hard disk to organize files. When
you create a folder by using the DFS Management console, you type a name for the folder and specify
whether to add any folder targets.

Folder Targets
A folder target is based upon a Universal Naming Convention (UNC) path to one of the following
locations:
A shared folder, for example, \\server\share
A folder within a shared folder, for example, \\server\share\folder
A path to another namespace, for example, \\domainname\rootname
To increase the folder's redundancy, you can specify multiple folder targets. If one of the folder targets is
not available, the client attempts to access the next folder target in the referral. This increases the
availability of the data in the folder.


Demonstration: Installing the Distributed File System Role Service

Key Points
In this demonstration, you will see how to:
Install the DFS Role Service.

Demonstration Steps:
1. Open Server Manager.

2. If necessary, use the Add Roles Wizard to install the File Services server role. If the role is already
installed, use the Add Role Services Wizard to install the required role services.
3. Select the Distributed File System role services. Note that you can select the DFS Namespaces and
DFS Replication role services individually, if required.


DFS Enhancements in Windows Server 2008 R2

Key Points
Microsoft Windows Server 2008 R2 provides a number of enhancements and new features to both DFS-N
and DFS-R. The following sections discuss these new capabilities:

Note: The content in this section only applies to Windows Server 2008 R2.

Updates to DFS Namespaces


Performance improvements. The DFS Namespaces service takes less time to start, which increases
performance especially with large domain-based namespaces with 5,000 or more folder targets.
Windows Server 2008 R2 also includes three new performance counters that can be used to monitor
DFS Namespaces:
DFS Namespace Service API Queue. Displays the number of requests in the queue waiting to
be processed by the DFS Namespace service.
DFS Namespace Service API Requests. Provides a number of objects showing the information
of DFS requests as average response time, requests processed, requests failed, and requests
processed per second.
DFS Namespace Service Referrals. Provides a number of objects showing the information of
referral requests processed by the DFS Namespace service. Information includes average
response time, requests processed, requests failed, and requests processed per second.
New DFS Management tool support. A number of enhancements to the DFS Management tool
include the following:
Access-based enumeration management improvements. When access-based enumeration is
enabled on a shared folder or DFS folder, users only see folders and files for which they have
Read (or equivalent) permissions. Previously, access-based enumeration could only be enabled on


a shared folder by using Share and Storage Management, or by using the Dfsutil command for
DFS folders. Windows Server 2008 R2 provides an additional enhancement by allowing you to
enable and configure access-based enumeration for a namespace by using the DFS Management
tool.
Support for selectively enabling or disabling namespace root referrals. The DFS Management
tool provides the ability to enable or disable namespace servers. This allows you to control
whether a server is available for referrals.
Improvements to the Dfsdiag.exe command-line tool. Windows Server 2008 R2 includes
changes to the Dfsdiag.exe command-line tool's help text. When you type Dfsdiag /?, the help
and error message text has been rewritten to provide clearer and more descriptive
information.

Updates to DFS Replication


Failover cluster support. The DFS Replication service in Windows Server 2008 R2 is now designed to
coordinate with a Windows Server 2008 R2-based failover cluster. You can add a failover cluster as a
member of a replication group.
Read-only replicated folders. Prior to Windows Server 2008 R2, the only way to configure a read-
only replicated folder was to manually set share permissions and access control lists on the folders,
which required additional administrative effort. Windows Server 2008 R2 provides the ability to
configure a replicated folder as a read-only or a read-write member. You can use either the DFS
Management tool or the Dfsradmin command-line tool to configure read-only replicated folders.

Note: Read-only domain controllers based upon Windows Server 2008 R2 use read-only replicated
folders to secure the SYSVOL folder.

Improvements to the Dfsrdiag.exe command-line tool. Windows Server 2008 R2 includes changes
to the Dfsrdiag.exe command-line tool. The following switches provide enhanced diagnostic
capabilities:
Replstate. Displays a summary of the replication status across all connections on the specified
replication group member.
IdRecord. Displays the DFS Replication ID record and version of a specified file or folder. You can
use this information to determine if a file has replicated properly to another member.
FileHash. Computes and displays a hash value for a particular file. This can be used to compare
two files to ensure that they are identical.


Lesson 2
Configuring DFS Namespaces

Configuring a DFS Namespace consists of several tasks, including creating the namespace structure,
creating folders within the namespace, and adding folder targets. You may also choose to perform
additional management tasks, such as configuring the referral order, enabling client fail back, and
implementing DFS replication. This lesson provides information on how to complete these configuration
and management tasks to deploy an effective DFS solution.

Objectives
After completing this lesson, you will be able to:
Describe the process for deploying namespaces to publish content.
Describe the permissions required to create and manage a namespace.
Create and configure DFS namespaces and folder targets.


Deploying Namespaces for Publishing Content

Key Points
You use DFS namespaces to publish content for users. To configure a namespace for publishing content
to users, perform the following procedures:

1. Create a namespace. Use the New Namespace Wizard to create the namespace from within the DFS
Management console. To create a namespace, you must specify a namespace server, a namespace
name and a namespace type (either domain-based or stand-alone). You can also specify whether the
namespace is enabled for Windows Server 2008 mode.
2. Create a folder in the namespace. After the namespace is created, add a folder in the namespace
that will be used to contain the content that you want to publish. During the folder creation, you
have the option to add folder targets, or you can perform a separate task to add, edit, or remove
folder targets later.
3. Add folder targets. After a folder is created within the namespace, the next task is to create folder
targets. A folder target is a shared folder's UNC path on a specific server. You can browse for shared
folders on remote servers and create shared folders as needed. You can also add multiple folder
targets to increase the folder's availability in the namespace. If you add multiple folder targets,
consider using DFS-R to ensure that the content is the same between the targets.
4. Set the ordering method for targets in referrals. A referral is an ordered list of targets that a client
computer receives from the namespace server when a user accesses a namespace root or folder.
When a client receives the referral, the client attempts to access the first target in the list. If the target
is not available, the next target is attempted. By default, targets in the client's site are always listed
first in the referral. You can configure the method for ordering targets outside the client's site on the
Referrals tab of the Namespace Properties dialog box. You can choose lowest cost, random order,
or exclude targets outside the client's site.


Note: Folders inherit referral settings from the namespace root. You can override the namespace
settings on the Referrals tab of the Folder Properties dialog box by excluding targets outside the
client's site.

Optional Management Tasks


There are a number of optional tasks that you may want to consider, such as:
Set target priority to override referral ordering. You may have a specific folder target that you
want everyone to use from all site locations, or you may have a specific folder target that should be
used last among all targets. You can configure these scenarios by overriding the referral ordering on
the Advanced tab of the Folder Target Properties dialog box.
Enable client failback. If a client cannot access a referred target, the next target is selected. Client
failback will ensure that clients fail back to the original target after it is restored. You can configure
client failback on the Referrals tab of the Namespace Properties dialog box by selecting the check
box next to Clients fail back to preferred targets. All folders and folder targets inherit this option.
However, you can also override a specific folder to enable or disable client failback features if
required.
Replicate folder targets using DFS-R. You can use DFS-R to keep the contents of folder targets in
sync. The next lesson discusses DFS-R in detail.
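The referral behaviour described in this procedure (in-site targets first, the out-of-site ordering method, target priority overrides, failover to the next target and client failback) can be modelled in a few lines. The following PowerShell script is an added example, not code from the course or from Microsoft; the target objects, the site names London and Seattle, the server names LON-SVR1 and SEA-SVR1, and the costs are constructed for the illustration, while NYC-SVR1, NYC-DC1 and PolicyFiles come from the lab scenario.

```powershell
# Added example, not part of the course: a model of how a DFS client consumes a referral.
# Targets, sites, costs and the LON-/SEA- server names are constructed for this illustration.

function New-DfsTarget {
    param([string]$Path, [string]$Site, [int]$Cost, [string]$Priority, [bool]$Available)
    # Priority is 'None', 'FirstAmongAll' or 'LastAmongAll' (the Advanced tab override)
    New-Object PSObject -Property @{
        Path = $Path; Site = $Site; Cost = $Cost; Priority = $Priority; Available = $Available
    }
}

function Get-ReferralOrder {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Targets,
        [Parameter(Mandatory=$true)] [string]   $ClientSite,
        [ValidateSet('LowestCost','RandomOrder','ExcludeOutsideSite')]
        [string] $OutOfSiteMethod = 'LowestCost'
    )
    # Targets in the client's site are always listed first
    $inSite  = @($Targets | Where-Object { $_.Site -eq $ClientSite })
    $outSite = @($Targets | Where-Object { $_.Site -ne $ClientSite })

    # The Referrals tab setting decides how targets outside the client's site are ordered
    switch ($OutOfSiteMethod) {
        'LowestCost'         { $outSite = @($outSite | Sort-Object { $_.Cost }) }
        'RandomOrder'        { if ($outSite.Count -gt 1) { $outSite = @($outSite | Get-Random -Count $outSite.Count) } }
        'ExcludeOutsideSite' { $outSite = @() }
    }
    $ordered = $inSite + $outSite

    # Target priority set on a folder target overrides the computed order
    $first  = @($ordered | Where-Object { $_.Priority -eq 'FirstAmongAll' })
    $last   = @($ordered | Where-Object { $_.Priority -eq 'LastAmongAll' })
    $normal = @($ordered | Where-Object { @('FirstAmongAll','LastAmongAll') -notcontains $_.Priority })
    return $first + $normal + $last
}

function Select-ClientTarget {
    param([object[]] $Referral, [string] $CurrentPath, [bool] $FailbackEnabled)
    # Without client failback, a client keeps its current target as long as it still answers
    if ($CurrentPath -and -not $FailbackEnabled) {
        $current = $Referral | Where-Object { $_.Path -eq $CurrentPath -and $_.Available }
        if ($current) { return $current }
    }
    # Otherwise walk the referral in order and use the first target that is reachable
    foreach ($t in $Referral) { if ($t.Available) { return $t } }
    return $null
}

# Constructed folder targets for the lab's PolicyFiles folder. Cost is the site-link cost
# as seen from the client; SEA-SVR1 is marked "last among all targets".
$targets = @(
    (New-DfsTarget '\\LON-SVR1\PolicyFiles' 'London'  50 'None'         $true),
    (New-DfsTarget '\\NYC-SVR1\PolicyFiles' 'NewYork' 10 'None'         $true),
    (New-DfsTarget '\\NYC-DC1\PolicyFiles'  'NewYork' 20 'None'         $true),
    (New-DfsTarget '\\SEA-SVR1\PolicyFiles' 'Seattle'  5 'LastAmongAll' $true)
)

# A London client: its own site first, then lowest cost, with the priority override applied last
$referral = Get-ReferralOrder -Targets $targets -ClientSite 'London' -OutOfSiteMethod 'LowestCost'
'Referral for a London client: ' + (($referral | ForEach-Object { $_.Path }) -join ', ')

# The in-site target fails: the client moves to the next entry in the referral
$targets[0].Available = $false
$chosen = Select-ClientTarget -Referral $referral -CurrentPath $null -FailbackEnabled $true
'After LON-SVR1 fails, the client uses: ' + $chosen.Path

# The in-site target is restored: only a client with failback enabled returns to it
$targets[0].Available = $true
$withFailback    = Select-ClientTarget -Referral $referral -CurrentPath $chosen.Path -FailbackEnabled $true
$withoutFailback = Select-ClientTarget -Referral $referral -CurrentPath $chosen.Path -FailbackEnabled $false
'Failback enabled, client uses:  ' + $withFailback.Path
'Failback disabled, client uses: ' + $withoutFailback.Path

# Folder-level override: exclude targets outside the client's site entirely
$seattleOnly = Get-ReferralOrder -Targets $targets -ClientSite 'Seattle' -OutOfSiteMethod 'ExcludeOutsideSite'
'Seattle client with out-of-site targets excluded: ' + (($seattleOnly | ForEach-Object { $_.Path }) -join ', ')
```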

Additional Reading: Checklist: Deploy DFS Namespaces
http://technet.microsoft.com/en-us/library/cc725830.aspx


Permissions Required to Create and Manage a Namespace

Key Points
To perform DFS namespace management tasks, a user either has to be a member of an administrative
group or has to be delegated specific permission to perform the task. You can right-click the namespace
and then click Delegate Management Permissions to delegate the required permissions.

The following table describes the groups that can perform DFS administration by default, and the method
for delegating the ability to perform DFS management tasks:

Task | Groups that can perform the task by default | Delegation method
Create a domain-based namespace. | Domain admins | Delegate Management Permissions. Add user to local administrators group on the namespace server.
Add a namespace server to a domain-based namespace. | Domain admins | Delegate Management Permissions. Add user to local administrators group on the namespace server.
Manage a domain-based namespace. | Local administrators on each namespace server | Delegate Management Permissions.
Create a stand-alone namespace. | Local administrators on each namespace server | Add user to local administrators group on the namespace server.
Manage a stand-alone namespace. | Local administrators on each namespace server | Delegate Management Permissions.
Create a replication group or enable DFS replication on a folder. | Domain admins | Delegate Management Permissions.


Demonstration: How to Create Namespaces

Key Points
In this demonstration, you will see how to:
Create a new namespace.
Create a new folder and folder target.

Demonstration Steps:
1. Open DFS Management.

2. Use the New Namespace Wizard to create a new namespace. Configure options such as the
namespace type and Windows Server 2008 mode.
3. Use the New Folder dialog box to create a main folder, and then add Folder Targets as required.


Lesson 3
Configuring DFS Replication

To configure DFS-R effectively, it is important to understand the terminology and requirements associated
with the feature. This lesson provides information on the specific elements, requirements, and scalability
considerations as they relate to DFS-R, and provides a process for configuring an effective replication
topology.

Objectives
After completing this lesson, you will be able to:
Describe DFS replication.
Describe replication groups and replicated folders.
Describe DFS-R requirements.
Deploy a replication group.
Discuss tools used to troubleshoot DFS-R.
Generate diagnostic reports and perform propagation tests.


What Is DFS Replication?

Key Points
DFS-R provides a way to keep folders synchronized between servers across both well-connected and
limited bandwidth connections. It is important to take note of the following key points related to DFS-R:
DFS-R can use Remote Differential Compression (RDC). RDC is a client-server protocol that can be
used to efficiently update files over a limited bandwidth network. RDC detects data insertions,
removals, and re-arrangements in files, enabling DFS-R to replicate only the changed file blocks when
files are updated. RDC is only used for files that are 64 kilobytes (KB) or larger by default. DFS-R also
supports cross-file RDC, which allows DFS replication to use RDC, even when a file with the same
name does not exist at the client. Cross-file RDC can determine files that are similar to the file that
needs to be replicated, and it uses blocks of similar files that are identical to the replicating file to
minimize the amount of data that needs to be replicated. To use cross-file RDC, one member of the
replication connection must be running an edition of the Windows operating system that supports
cross-file RDC.
DFS-R uses a hidden staging folder to stage a file before sending or receiving it. Staging folders act as
caches for new and changed files to be replicated from sending members to receiving members. The
sending member begins staging a file when it receives a request from the receiving member. The
process involves reading the file from the replicated folder and building a compressed representation
of the file in the staging folder using the XPRESS compression format. XPRESS is similar to ZIP or RAR
compression. Any files that are placed in staging are compressed with XPRESS unless the file has an
extension that is included on a specific exclusion list. After being constructed, the staged file is sent to
the receiving member; if remote differential compression is used, only a fraction of the staging file
might be replicated. The receiving member downloads the data and builds the file in its staging
folder. After the file download is completed on the receiving member, DFS-R decompresses the file
and installs it into the replicated folder. Each replicated folder has its own staging folder, which by
default is located under the local path of the replicated folder in the DfsrPrivate\Staging folder.
DFS-R detects changes on the volume by monitoring the update sequence number (USN) journal,
and replicates changes only after the file is closed.


DFS-R uses a version vector exchange protocol to determine which files need to be synchronized. The
protocol sends less than 1 KB per file across the network to synchronize the metadata associated with
changed files on the sending and receiving members.
DFS-R uses a conflict resolution heuristic of last writer wins for files that are in conflict (that is, a file
that is updated at multiple servers simultaneously) and earliest creator wins for name conflicts. Files
and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted
folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for
retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and
Deleted folder, which is located under the local path of the replicated folder in the
DfsrPrivate\ConflictandDeleted folder.
DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or DFS
Replication database loss.
DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to
obtain configuration and monitoring information from the DFS Replication service.


What Are Replication Groups and Replicated Folders?

Key Points
A replication group consists of a set of member servers that participate in replicating one or more
replicated folders. There are two main types of replication groups:
Multipurpose replication group. Use to configure replication between two or more servers for
publication, content sharing, or other scenarios.
Replication group for data collection. Configures a two-way replication between two servers, such
as a branch office server and a hub server. This group type is used to collect data from the branch
office server to the hub server. You can then use standard backup software to back up the hub server
data.
A replicated folder is a folder that is synchronized between each member server.

Creating multiple replicated folders within a single replication group helps to simplify the following for
the entire group:
Replication Group type
Topology
Hub and spoke configuration
Replication schedule
Bandwidth throttling
The replicated folders stored on each member can be located on different volumes in the member.
Replicated folders do not need to be shared folders or part of a namespace, though the DFS Management
snap-in makes it easy to share replicated folders, and optionally, publish them in an existing namespace.


DFS-R Requirements

Key Points
To use DFS-R, you must be aware of specific replication requirements. These requirements include:
Ensure that the Active Directory schema has been updated to include the new DFS replication objects.
If you plan to use DFS Replication, the Active Directory schema must be updated to at least the
version equal to Microsoft Windows Server 2003 R2, so that it includes the Active Directory classes
and attributes that DFS Replication uses. To use read-only replicated folders, the schema must include
the Windows Server 2008 or newer schema additions. To upgrade the schema, on the schema
operations master, run adprep.exe /forestprep. This tool is available in the Windows\sources\adprep
folder of the Windows Server 2008 installation media.
All Servers in a replication group must be in the same forest. You cannot enable replication across
servers in different forests.
The servers that will participate in DFS Replication must run a Windows Server 2003 R2, Windows
Server 2008, or Windows Server 2008 R2 operating system. You must install the DFS Replication
service role on each server that will take part in replication, and you must install the DFS Management
snap-in on one server to manage replication. DFS replication is supported on all x64 editions of
Windows Server 2008 R2 and on all x86 and x64 editions of Windows Server 2008. DFS is not
supported on Itanium-based computers.
To support failover clustering, the failover cluster server must be running Windows Server 2008 R2.
Antivirus software must be compatible with DFS Replication, because antivirus software can cause
excessive replication if its scanning activity alters the timestamp on files in a replicated folder.
Contact your antivirus software vendor to check for compatibility.


Demonstration: How to Deploy a Replication Group

Key Points
In this demonstration, you will see how to:
Create a new folder target for replication.
Create a new replication group.

Demonstration Steps:
1. Open DFS Management.

2. Use the New Folder Target dialog box to create an additional folder target to be used for
replication.
3. Use the New Replication Group Wizard to configure options such as the Replication Group Type,
Replication Group name, Replication group members, and Topology selection.


Tools Used to Troubleshoot DFS-R

Key Points
Windows Server 2008 provides a number of tools that can be used to monitor and troubleshoot DFS-R.
The tools include:
Diagnostic Reports. You can run a diagnostic report for the following:
Health Report. Shows extensive replication statistics and reports on replication health and
efficiency.
Propagation Test. Generates a test file in a replicated folder to be used to verify replication and
provide statistics for the propagation report.
Propagation Report. Provides information about the progress for a test file that is generated
during a propagation test. This report will ensure that replication is functional.
Verify Topology. Used to verify and report on the status of the replication group topology. This will
report any members that are disconnected.
Dfsrdiag.exe. This command-line utility can be used to monitor the replication state of the DFS
replication service.
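The WMI provider mentioned under "What Is DFS Replication?" and the Dfsrdiag.exe tool listed above can be combined into a scripted health check that a defender runs on a schedule instead of opening a report by hand. The following PowerShell script is an added example, not code from the course or from Microsoft; it assumes the DfsrReplicatedFolderInfo class of the root\MicrosoftDfs provider and the dfsrdiag.exe backlog and ReplicationState commands of Windows Server 2008 R2, and the replication group name and alert thresholds are constructed to match the lab scenario.

```powershell
# Added example, not part of the course: a read-only DFS-R health check for a member server.
# Uses the DFS Replication WMI provider (root\MicrosoftDfs) and dfsrdiag.exe; run it elevated.
# Group/folder names and thresholds are constructed for the lab scenario; adjust them to yours.

# State codes reported by DfsrReplicatedFolderInfo.State
$stateName = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

function Get-DfsrFolderHealth {
    # One object per replicated folder hosted on this member, with state and the sizes of
    # its hidden DfsrPrivate\Staging and DfsrPrivate\ConflictAndDeleted folders
    Get-WmiObject -Namespace 'root\MicrosoftDfs' -Class DfsrReplicatedFolderInfo |
        ForEach-Object {
            New-Object PSObject -Property @{
                ReplicationGroup = $_.ReplicationGroupName
                ReplicatedFolder = $_.ReplicatedFolderName
                State            = $stateName[[int]$_.State]
                Healthy          = ([int]$_.State -eq 4)
                StagingMB        = $_.CurrentStageSizeInMb
                ConflictMB       = $_.CurrentConflictSizeInMb
                LastErrorCode    = $_.LastErrorCode
            }
        }
}

function Get-DfsrBacklog {
    param([string]$RgName, [string]$RfName, [string]$Sender, [string]$Receiver)
    # dfsrdiag backlog compares the two members' version vectors and counts the files
    # the receiving member has not yet replicated from the sending member
    $text = (& dfsrdiag.exe backlog "/rgname:$RgName" "/rfname:$RfName" `
                 "/smem:$Sender" "/rmem:$Receiver" 2>&1) | Out-String
    if ($text -match 'No Backlog')                  { return 0 }
    if ($text -match 'Backlog File Count:\s*(\d+)') { return [int]$Matches[1] }
    throw "dfsrdiag backlog failed for $Sender -> ${Receiver}: $text"
}

# Check 1: every replicated folder on this member should be in the Normal state
$folders = @(Get-DfsrFolderHealth)
$folders | Format-Table ReplicationGroup, ReplicatedFolder, State, StagingMB, ConflictMB, LastErrorCode -AutoSize
$bad = @($folders | Where-Object { -not $_.Healthy })
if ($bad.Count -gt 0) {
    Write-Warning ('{0} replicated folder(s) are not in the Normal state; generate a Health Report.' -f $bad.Count)
}
# A growing Conflict and Deleted folder holds the losers of last-writer-wins conflicts
# (and deleted files, if retention is configured); 1024 MB is a constructed threshold
$folders | Where-Object { $_.ConflictMB -gt 1024 } | ForEach-Object {
    Write-Warning ('{0}: ConflictAndDeleted is {1} MB, review it for unexpected losses' -f $_.ReplicatedFolder, $_.ConflictMB)
}

# Check 2: backlog in both directions between the two lab members
$rg = 'contoso.com\corpdocs\policyfiles'   # constructed; use the group name shown in DFS Management
$rf = 'PolicyFiles'
foreach ($pair in @(@('NYC-SVR1','NYC-DC1'), @('NYC-DC1','NYC-SVR1'))) {
    $count = Get-DfsrBacklog -RgName $rg -RfName $rf -Sender $pair[0] -Receiver $pair[1]
    '{0} -> {1}: {2} file(s) waiting to replicate' -f $pair[0], $pair[1], $count
    if ($count -gt 100) {   # constructed threshold
        Write-Warning 'Backlog above threshold; check the replication schedule, bandwidth throttling and staging quota'
    }
}

# Check 3 (Windows Server 2008 R2): replication state summary across all of this member's connections
& dfsrdiag.exe ReplicationState "/member:$env:COMPUTERNAME"
```

A non-zero backlog that never drains, or a folder stuck in Initial Sync or In Error, is the point at which to run the Propagation Test and Health Report described in this topic.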


Demonstration: How to Generate Diagnostic Reports and Propagation Tests

Key Points
In this demonstration, you will see how to:
Generate a Health Report.
Generate a Propagation Test and Report.

Demonstration Steps:
1. Open DFS Management.
2. Under the Replication node, right-click the replication group, and then click Create Diagnostic
Report.

3. Select either Health Report, Propagation test, or Propagation report.

4. Complete the Diagnostic Report Wizard.


Lab: Installing and Configuring the Distributed File System Role Service

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:


User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps from 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are a network administrator for Contoso, Ltd. Your organization currently stores files on a number of
servers located throughout the infrastructure. To simplify file access for users and provide high availability
and redundancy of the file services, you decide to implement a DFS solution. For this project, you must
complete the following tasks:
Install the DFS role service to include DFS namespaces and DFS replication.
Create a domain-based DFS namespace called CorpDocs, with NYC-SVR1 as the namespace server.
Enable Access-Based Enumeration for the CorpDocs namespace.


Add the following folders to the CorpDocs namespace:


MarketingTemplates folder target located on NYC-DC1
PolicyFiles folder target located on NYC-SVR1
Configure availability and redundancy by adding additional folder targets and replicating the folder
targets for the PolicyFiles folder.
Configure the replicated folder target for PolicyFiles to be read-only.
Provide reports on the health of the CorpDocs folder replication.


Exercise 1: Installing the Distributed File System Role Service


Scenario
In this exercise, you will install the DFS role service on NYC-DC1 and NYC-SVR1.

The main tasks for this exercise are as follows:

1. Install the DFS role service on NYC-SVR1.

2. Install the DFS role service on NYC-DC1.

Task 1: Install the Distributed File System Role Service on NYC-SVR1.


1. On NYC-SVR1, open Server Manager.

2. Use the Add Role Services wizard to install the Distributed File System role services and configure
the following:
Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
Create a DFS Namespace: Create a namespace later.

Task 2: Install the Distributed File System Role Service on NYC-DC1.


1. On NYC-DC1, open Server Manager.
2. In the details pane, under the File Services section, use the Add Role Services wizard to install the
Distributed File System role services and configure the following:
Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication.
Create a DFS Namespace: Create a namespace later.

Results: After completing this exercise, you have installed the DFS role service on NYC-SVR1 and NYC-DC1.

Exercise 2: Creating a DFS Namespace


Scenario
You decide to create the CorpDocs namespace on NYC-SVR1. As per the requirements, the namespace
will be domain-based and will have access-based enumeration enabled.

The main tasks for this exercise are as follows:

1. Use the New Namespace Wizard to create the CorpDocs namespace.

2. Enable access-based enumeration for the CorpDocs namespace.

Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.
1. On NYC-SVR1, open the DFS Management console.

2. Start the New Namespace Wizard and configure the following:


Namespace Server: NYC-SVR1
Namespace Name and Settings: CorpDocs
Namespace Type: Domain-based namespace
Enable Windows Server 2008 mode: Enabled
3. Use the DFS Management console to verify that the \\NYC-SVR1\CorpDocs namespace is enabled.

Task 2: Enable access-based enumeration for the CorpDocs namespace.


1. From the \\Contoso.com\CorpDocs Properties dialog box, enable access-based enumeration.

Results: After completing this exercise, you have created the CorpDocs namespace and configured it to
use access-based enumeration.

Exercise 3: Configuring Folder Targets


Scenario
Two folders need to be added to the CorpDocs namespace. One folder is located on NYC-DC1 and is
called MarketingTemplates. The other folder is located on NYC-SVR1 and is called PolicyFiles.

The main tasks for this exercise are as follows:


1. Add the MarketingTemplates folder to the CorpDocs Namespace.
2. Add the PolicyFiles folder to the CorpDocs Namespace.
3. Verify the CorpDocs Namespace.

Task 1: Add the MarketingTemplates folder to the CorpDocs namespace.


1. Switch to the NYC-SVR1 virtual machine.

2. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
configuration:
Name: MarketingTemplates
Folder Target: \\NYC-DC1\MarketingTemplates

Task 2: Add the PolicyFiles folder to the CorpDocs namespace.


1. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following
configuration:
Name: PolicyFiles
Folder Target: \\NYC-SVR1\PolicyFiles

Task 3: Verify the CorpDocs namespace.


1. On NYC-SVR1, access the \\Contoso.com\Corpdocs namespace and verify that both
MarketingTemplates and PolicyFiles are visible.

Results: After completing this exercise, you have configured Folder Targets for the CorpDocs
namespace.

Exercise 4: Configuring DFS Folder Replication


Scenario
The requirements state that the PolicyFiles folder must be highly available and redundant. You
decide to add a second folder target for the PolicyFiles folder on NYC-DC1 and configure replication to
keep the two folders synchronized.

The main tasks for this exercise are as follows:


1. Create another Folder Target for PolicyFiles.
2. Configure DFS Replication.
3. View Diagnostic Reports.

Task 1: Create another Folder Target for PolicyFiles.


1. Switch to the NYC-SVR1 virtual machine.

2. In DFS Management, under \\Contoso.com\CorpDocs\PolicyFiles, create a new folder target with the
following configuration:
Folder Target: \\NYC-DC1\PolicyFiles
Local path of shared folder: C:\PolicyFiles
Shared folder permissions: Administrators have full access; other users have read and write
permissions
Click Yes to start the Replicate Folder Wizard.

Task 2: Configure DFS Replication.


1. In DFS Management, complete the Replicate Folder Wizard with the following configuration:
Replication Group and Replicated Folder Name: Default settings
Replication Eligibility: Verify that both servers are eligible
Primary Member: NYC-SVR1
Topology Selection: Full mesh
Replication Group Schedule and Bandwidth: Replicate continuously using the specified
bandwidth
2. Verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.

3. From the DFS Management console, configure the NYC-DC1 member to be read-only.

Task 3: View Diagnostic Reports.


1. On NYC-SVR1, in the DFS Management console, under Replication, use the Diagnostic Report
Wizard to create a Health report. Use NYC-SVR1 as the reference member.

2. Review the DFS Replication Health Report for errors.

Results: After completing this exercise, you will have configured DFS Folder Replication and produced a
diagnostic report.

To prepare for the next module.


When you complete the lab exercises, revert the virtual machines to their initial state. To do this, complete
the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat these steps for 6419B-NYC-SVR1.

Module Review and Takeaways

Review Questions
1. How can you use DFS in your File Services deployment?
2. What kind of compression technology is used by Windows Server 2008 DFS?

3. What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace?

4. What is the default ordering method for client referral to folder targets?
5. What does the Primary Member configuration do when setting up replication?

6. Which folder is used to cache files and folders where conflicting changes are made on two or more
members?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 Feature   Description
Read-only replicated folders     Ability to configure read-only replicated folders from the DFS Management console
Failover cluster support         Failover cluster support for DFS

Tools

Tool             Used for                                                 Where to Find It
Dfsutil          Performing advanced operations on DFS namespaces         On a namespace server, type Dfsutil at the command prompt.
Dfsdiag          Configure and monitor DFS                                On a namespace server, type Dfsdiag at the command prompt.
Dfsrdiag         Monitoring replication                                   On a namespace server, type Dfsrdiag at the command prompt.
Dfscmd.exe       Scripting basic DFS tasks such as configuring DFS        On a namespace server, type Dfscmd at the command prompt.
                 roots and targets
DFS Management   Performing tasks related to DFS namespaces and           Click Start, point to Administrative Tools, and then click DFS Management.
                 replication
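The Dfsutil, Dfsdiag and Dfsrdiag entries in the table above can be put to work on the CorpDocs namespace built in this module's lab, to confirm what the four exercises produced: both DFS role services installed, the namespace and its two folders resolvable, access-based enumeration switched on, replication of PolicyFiles caught up, and the NYC-DC1 copy read-only. The PowerShell script below is an added example; it is not part of the 6419B course material and not Microsoft's reference syntax. It assumes that the Replicate Folder Wizard kept its default names (replication group Contoso.com\CorpDocs\PolicyFiles, replicated folder PolicyFiles), that dfsutil property abde with no enable or disable keyword reports the current setting, and that the DfsrReplicatedFolderConfig WMI class exposes a ReadOnly property on Windows Server 2008 R2; check the first two against dfsutil /? and dfsrdiag /? on NYC-SVR1 if your output differs.

```powershell
# Added example (not part of the 6419B course): verify the lab's CorpDocs DFS
# configuration from NYC-SVR1. Run in an elevated PowerShell session on
# Windows Server 2008 R2. There are no DFS PowerShell cmdlets on 2008 R2, so the
# script drives the command-line tools and the root\MicrosoftDfs WMI classes.
Import-Module ServerManager

$namespace = '\\Contoso.com\CorpDocs'
$rgName    = 'Contoso.com\CorpDocs\PolicyFiles'   # assumed: wizard default name
$rfName    = 'PolicyFiles'                        # assumed: wizard default name
$primary   = 'NYC-SVR1'
$secondary = 'NYC-DC1'                            # the read-only member

# Exercise 1: both role services must be present on this server.
foreach ($feature in 'FS-DFS-Namespace', 'FS-DFS-Replication') {
    "{0,-20} installed : {1}" -f $feature, (Get-WindowsFeature $feature).Installed
}

# Exercise 2: the domain-based root and access-based enumeration (abde).
# With ABE off, every user sees every folder name in the namespace, including
# folders whose NTFS permissions would refuse them, so the listing itself
# discloses structure. The query form (no enable/disable keyword) is assumed.
dfsutil root $namespace
dfsutil property abde $namespace

# Exercise 3: each folder must be reachable through the namespace path, and
# Dfsutil shows the target(s) behind it together with their state.
foreach ($folder in 'MarketingTemplates', 'PolicyFiles') {
    "{0,-20} reachable : {1}" -f $folder, (Test-Path "$namespace\$folder")
    dfsutil link "$namespace\$folder"
}

# Dfsdiag compares the namespace metadata in Active Directory with every
# namespace server and checks that clients get a referral for PolicyFiles.
dfsdiag /testdfsintegrity "/dfsroot:$namespace" /full
dfsdiag /testreferral "/dfspath:$namespace\PolicyFiles" /full

# Exercise 4: replicated folder state on both members.
# DfsrReplicatedFolderInfo.State: 0 Uninitialized, 1 Initialized, 2 Initial Sync,
# 3 Auto Recovery, 4 Normal, 5 In Error.
foreach ($member in $primary, $secondary) {
    Get-WmiObject -Namespace root\MicrosoftDfs -Class DfsrReplicatedFolderInfo `
        -ComputerName $member -Filter "ReplicatedFolderName='$rfName'" |
        ForEach-Object { "{0,-10} {1,-12} state : {2}" -f $member, $_.ReplicatedFolderName, $_.State }
}

# Backlog in both directions; zero each way means the two targets hold the same files.
dfsrdiag backlog "/rgname:$rgName" "/rfname:$rfName" "/smem:$primary" "/rmem:$secondary"
dfsrdiag backlog "/rgname:$rgName" "/rfname:$rfName" "/smem:$secondary" "/rmem:$primary"

# Read-only membership: a client that is referred to NYC-DC1 cannot modify that
# copy, so changes originate only on NYC-SVR1 and replicate inward.
# ReadOnly on DfsrReplicatedFolderConfig is assumed for Windows Server 2008 R2.
Get-WmiObject -Namespace root\MicrosoftDfs -Class DfsrReplicatedFolderConfig `
    -ComputerName $secondary -Filter "ReplicatedFolderName='$rfName'" |
    ForEach-Object { "{0,-10} read-only : {1}" -f $secondary, $_.ReadOnly }
```

Running the script before and after Task 3 of Exercise 4 shows the effect of the read-only setting directly, and the two backlog lines are the quickest way to tell a healthy replication group from one that is stuck in initial sync or in error; the Health report from the Diagnostic Report Wizard covers the same ground in more detail.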

Module 5
Managing File Resources Using File Server Resource Manager
Contents:
Lesson 1: Overview of File Server Resource Manager 5-3
Lesson 2: Configuring Quota Management 5-11
Lab A: Installing FSRM and Implementing Quota Management 5-19
Lesson 3: Implementing File Screening 5-22
Lesson 4: Managing Storage Reports 5-28
Lab B: Configuring File Screening and Storage Reports 5-33
Lesson 5: Implementing Classification Management and File Management Tasks 5-36
Lab C: Configuring Classification and File Management Tasks 5-49

Module Overview

The files on your servers are constantly changing as content is added, removed, and modified. The
Microsoft Windows Server 2008 File Services role is designed to help administrators in an enterprise
environment manage the continually growing amount of data. The file storage requirements and
demands within an enterprise are constantly changing and adapting to new requirements or policies.
As storage requirements and the data being stored change, you need to manage an increasingly
large and complex storage infrastructure. Therefore, to meet the needs of your organization,
you need to understand and control how the existing storage is used.

This module introduces you to File Server Resource Manager (FSRM), a built-in component of Windows
Server 2008 that helps you address and manage these issues.

Objectives
After completing this module, you will be able to:
Describe FSRM.
Configure Quota Management.
Implement File Screening.
Manage storage reports.
Implement Classification Management and file management tasks.

Lesson 1
Overview of File Server Resource Manager

FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data
stored on your servers. Using FSRM, you can place quotas on storage volumes, screen files and folders,
generate comprehensive storage reports, control the file classification infrastructure, and use file
management tasks to perform scheduled actions on sets of files. These tools not only help you monitor
existing storage resources, but also aid in planning and implementing future policy changes.

Objectives
After completing this lesson, you will be able to:
Describe common capacity management challenges.
Describe the features available within FSRM.
Describe FSRM configuration options.
Install and configure the FSRM role service.

Capacity Management Challenges

Key Points
Capacity management is a proactive process of determining the current and future capacity needs for
your enterprise's storage environment. As the size and complexity of the data increase, the need for
capacity management also increases. To effectively meet the storage needs of your organization, you
need to track how much storage capacity is available, how much storage space you need for future
expansion, and how you are using the environment's storage.

Key Capacity Management Challenges


Capacity management brings with it the following key challenges:
Determining existing storage use. To manage your storage environment and ensure that you can
perform the simplest capacity management task, you need to understand your environment's current
storage requirements. Knowing how much data is being stored on your servers, what types of data are
being stored, and how that data is currently being used is the benchmark for measuring the various
aspects of capacity management in your environment.
Establishing and enforcing storage use policies. Capacity management includes ensuring that your
storage environment is being used to its full potential. Managing growth is important to ensure that
your storage environment is not overwhelmed by unplanned or unauthorized data storage on your
servers. Modern media data such as audio, video, and graphic files consume a large amount of
storage space and, if left unchecked, the unauthorized storage of these types of files can consume the
storage space required for legitimate business use.
Anticipating future requirements. Storage requirements are constantly changing. New projects and
new organizational initiatives require increased storage. New applications and imported data require
additional storage. If you are not able to anticipate or prepare for events like these, your storage
environment may not be able to meet the storage requirements.

Addressing Capacity Management Challenges


To address these key challenges, you need to implement basic capacity management measures to
proactively manage the storage environment and prevent challenges from becoming problems.
Analyze how storage is being used. The first step in capacity management is analyzing the current
storage environment. Accurate analysis begins with proper tools that provide usable and organized
information regarding the current state of your storage environment.
Define storage resource management policies. A robust set of policies is necessary to maintain
the current storage environment and ensure that storage growth happens in a manageable and
predictable way. Preventing unauthorized files from being saved to your servers, ensuring that data is
stored in the right location, and ensuring that users have the required storage are a few of the key
areas your capacity management policies may address.
Implement policies to manage storage growth. After implementing capacity management policies,
you need an effective tool to ensure that the established policies are technically enforced.
Quotas placed on a user's data storage must be maintained, restricted files must be prevented from
being saved, and business files must be stored in the proper locations.
Implement a system for reporting and monitoring. A reporting and notification system must also
be established to inform you how policies are being enforced, as well as of the general state of your
capacity management system and data storage.

What Is File Server Resource Manager?

Key Points
FSRM is a role service of the File Services role in Windows Server 2008. You can install it as part of the File
Services role by using Server Manager. Then, you can use the FSRM console to manage FSRM on your
server.

FSRM is intended to act as a capacity management solution for your Windows Server 2008 server. It
provides a robust set of tools and capabilities that allow you to effectively manage and monitor your
server's storage capacity.

FSRM contains five components that work together to provide a capacity management solution.

Quota Management
Quota management allows you to create, manage, and obtain information about quotas that are used to
set a storage limit on a volume or folder (and its contents). By defining notification thresholds, you can
send email notifications, log an event, run a command or script, or generate reports when users approach
or exceed a quota.

Quota management also allows you to create and manage quota templates to simplify the quota
management process.

File Screening Management


File screening management allows you to create, manage, and obtain information about file screens. This
information can be used to prevent specific file types from being stored on a volume or folder or notify
you when those files are being stored. When users attempt to save unauthorized files, file screening can
block the process and notify the administrators to allow for proactive management.

Like quota management, file screening management allows you to create and manage file screen
templates to simplify file screening management. You can also create file groups that allow you to
manage which file types may be blocked or allowed.

Storage Reports Management


Storage reports management allows you to schedule and configure storage reports. These reports provide
information about the components and aspects of FSRM, including:
Quota usage
File screening activity
Files that may negatively affect capacity management, such as large files, duplicate files, or unused files
Files listed and filtered according to owner, file group, or a specific file property

Note: Storage reports can be run based on a schedule or generated on demand.

Classification Management (Windows Server 2008 R2 Only)


Classification Management allows you to create and manage classification properties that you can assign
to files. You can assign property values to files by using classification rules, which can be applied on
demand or based on a schedule. Classification allows you to categorize and manage files by using a wide
array of properties to identify and group your files.

File Management Tasks (Windows Server 2008 R2 Only)


With file management tasks, you can schedule and configure tasks that automate actions such as file
expiration or running a custom command, allowing for automated file management procedures.

File management tasks leverage the capabilities of Classification Management to allow you to delete old
files or move files to a specific location based on a file property (such as file name or file type).

Note: Volumes that FSRM manages must be formatted by using the New Technology File System
(NTFS). FSRM is included with Windows Server 2003 SP1 and later.

Question: Do you currently implement any capacity management functionality in your server
environment? If so, which of the FSRM features does it provide?

FSRM Configuration Options

Key Points
FSRM has several configuration options that apply globally to all FSRM components.

You can access these options by using the following steps:


1. Open the File Server Resource Manager console.
2. Right-click the root File Server Resource Manager node in the left pane, and then click Configure
Options.

FSRM Options
In the File Server Resource Manager Options properties sheet, several tabs allow you to configure various
aspects of FSRM.

Email Notifications
This tab allows you to provide the name or IP address of an SMTP server, along with other details that
FSRM will use to send email notifications.

Notification Limits
Notification limits allow you to specify a time period that FSRM will wait between sending notifications, to
avoid excessive notifications from a repeatedly exceeded quota or repeated unauthorized file detection. It
allows you to set separate values for email notifications, entries recorded to the event log, and commands
being run or reports being generated. The default value for each is 60 minutes.

Storage Reports
The Storage Reports tab allows you to configure and view the default parameters for any existing storage
reports.

Report Locations
This tab allows you to view and modify the location in which the three types of storage reports are stored:
incident reports, scheduled reports, and on-demand reports. By default, each category is stored in its own
folder under %systemdrive%\Storage Reports.

Note: If FSRM generates a large number of storage reports, you may want to relocate the storage
report folders to another physical volume to decrease disk I/O load on your system volume. You may
also want to change the location if the size of your storage reports causes a capacity issue on your
system volume.

File Screen Audit


On the File Screen Audit tab, a single check box allows you to enable or disable the recording of file screening
activity to the auditing database. You can view the resulting file screening activity when you run the File
Screening Audit report from Storage Reports Management.

Automatic Classification
This tab allows you to provide a schedule that governs the automatic classification of files. Within the tab,
you can specify which logs to generate and if and how to generate a report of the classification process.

Managing FSRM Remotely


You can connect remotely to another server running FSRM by using the FSRM console. From here, you
manage FSRM in the same way that you manage resources on your local computer.

To remotely manage FSRM:


Both servers must be running Windows Server 2008 R2 with FSRM installed.
The Remote File Server Resource Manager Management exception must be enabled from within
Windows Firewall manually through the Control Panel applet or by using Group Policy.
You must be logged on to the local computer with an account that is a member of the local
Administrators group on the remote computer.

FSRM Command-Line Tools


If you prefer to work from the command line, you can use the following tools:
Dirquota.exe: Create and manage quotas, auto-apply quotas, and quota templates.
Filescrn.exe: Create and manage file screens, file screen exceptions, file screen templates, and file
groups.
Storrept.exe: Configure report parameters and generate storage reports on demand. You can also
create report tasks and then use Schtasks.exe to schedule the tasks.

Note: The command-line tools are added to the system path when you install File Server Resource
Manager, and they must be run from an Administrator Command Prompt window.
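As an added example, not part of the course and not Microsoft's reference syntax, the PowerShell script below drives Filescrn.exe and Storrept.exe on a constructed share, D:\Shares\Projects, to go from monitoring to enforcement: a custom file group, a passive screen first, then an active screen with a narrowly scoped exception, and finally on-demand reports. Run it in an elevated PowerShell session on Windows Server 2008 R2. The template name "Block Executable Files" and the file group "Executable Files" are ones FSRM ships with; the report-type names passed to /report are assumed and should be checked against storrept reports generate /? on your server.

```powershell
# Added example (not part of the course): file screening and storage reports
# with the FSRM command-line tools. Elevated PowerShell on Windows Server 2008 R2.
$share = 'D:\Shares\Projects'            # constructed path for this example

# 1. Custom file group. Screens match on file-name patterns only, so a file
#    renamed to hide its extension is not caught; treat screening as a policy
#    and capacity control, not as malware protection.
filescrn filegroup add /filegroup:"Archive Files" /members:"*.zip|*.rar|*.7z"

# 2. Passive screen first: nothing is blocked, but every attempt is audited and
#    notified, so you see who would be affected before you enforce.
filescrn screen add /path:$share /sourcetemplate:"Block Executable Files" /type:Passive

# 3. Enforce: replace the passive screen with an active one that also blocks
#    the custom group. /overwrite replaces the screen created in step 2.
filescrn screen add /path:$share /sourcetemplate:"Block Executable Files" `
    /add-filegroup:"Archive Files" /type:Active /overwrite

# 4. Narrow exception: an exception is the only way a screened type gets in,
#    so scope it to the one subfolder that legitimately stores installers.
filescrn exception add /path:"$share\Installers" /add-filegroup:"Executable Files"

# 5. What is in force on the share and below it.
filescrn screen list /path:$share
filescrn exception list /path:$share

# 6. On-demand reports: the screening activity recorded in the audit database
#    (requires File Screen Audit to be enabled in the FSRM options) and the
#    largest files on the share. Report-type names are assumed; confirm with
#    "storrept reports generate /?".
storrept reports generate /scope:$share /report:FileScreenAudit,LargeFiles /format:dhtml
```

The passive-then-active order matters operationally: a passive screen with the audit option on gives you a File Screen Audit report of who is already saving the screened types, so the active screen lands with a known blast radius rather than a surprise for users.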

Demonstration: Installing and Configuring FSRM

Key Points
In this demonstration, you will see how to:
Use Server Manager to install the FSRM role service.
View FSRM configuration options.
Demonstration Steps:
1. Open Server Manager.
2. Add the File Server Resource Manager role service.
3. Open File Server Resource Manager.
4. View the FSRM configuration options.
5. View the FSRM Quota Management, File Screening Management, Storage Report Management,
Classification Management, and File Management Tasks components.

Lesson 2
Configuring Quota Management

Data is the core component of your server infrastructure. Under most circumstances, the server
infrastructure provides the data contained in the files on the server to your users or applications.
The requirement for data storage continues to grow. Whether files are added to your servers by users or
applications, quota management can help you to ensure that users and applications use only the
amount of space allotted to them.

Objectives
After completing this lesson, you will be able to:
Describe quota management by using FSRM.
Compare FSRM quotas with NTFS Disk quotas.
Define quota templates.
Create and configure a quota.
Describe methods used to monitor quota usage.

What Is Quota Management?

Key Points
In FSRM, quota management allows you to limit the disk space that is allocated to a volume or folder. The
quota limit applies to the entire folder subtree.

Using quotas, you can manage capacity restrictions in a variety of ways. For example, you can use a quota
to ensure that individual users do not consume excessive amounts of storage with their home drives, or
limit the amount of space consumed by multimedia files in a particular folder.

Quota Types
Two different types of quotas can be created within quota management.
A hard quota prevents users from saving files after the space limit is reached, and it generates
notifications when the volume of data reaches each configured threshold.
A soft quota does not enforce the quota limit, but it generates all the configured notifications.

Quota Notifications
To determine what happens when the quota limit approaches, you can configure notification thresholds.
For each threshold you define, you can send email notifications, log an event, run a command or script, or
generate storage reports. For example, you might want to notify the administrator and the user who
saved the file when a folder reaches 85 percent of its quota limit and then send another notification when
the quota limit is reached. In some cases, you might want to run a script that raises the quota limit
automatically when a threshold is reached.

Creating Quotas
When you create a quota on a volume or a folder, you can base the quota on a quota template or use
custom properties. Whenever possible, base a quota on a quota template. You can reuse a quota template
to create additional quotas, and it simplifies ongoing quota maintenance.

FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a
quota template to a parent volume or folder. Then, a quota based on the template is created for each of
the existing subfolders, and a quota is automatically generated for each new subfolder that is created.

Question: In which scenario would you want to use a soft quota?


FSRM Quotas vs. NTFS Disk Quotas

Key Points
In earlier versions of Windows, the only option for managing storage was the native NTFS quota
system.

NTFS quotas allow an administrator to declare a general storage limit on a per-user basis for an NTFS-
formatted volume. This method governs a user's storage consumption across the volume, regardless of
which folder the data is in. NTFS quotas do not account for NTFS compression, which means that even though a
compressed file may take up less physical room than if it were uncompressed, the quota is applied
based on the file's uncompressed size.

NTFS disk quotas are based on file ownership, so operating system accounts are not immune to disk
quotas. System accounts such as the local system are also susceptible to running out of disk space due to
disk quotas having been set.

FSRM quota management introduces some key advantages over NTFS quotas. The following table
outlines the key differences between FSRM-based quota management and NTFS disk quotas.

Quota Feature            NTFS Quotas                          FSRM Quotas
Quota tracking           Per user on a volume                 By folder or by volume
Disk usage calculation   Logical file size reported by NTFS   Actual physical disk space
Notification mechanisms  Event logs only                      Email, custom reports, running commands or
                                                              scripts, event logs


What Are Quota Templates?

Key Points
FSRM gives you flexibility in creating, using, and managing templates for quotas.

A quota template defines a space limit, the quota type (hard or soft), and a set of notifications to be
generated when the quota limit is approached or exceeded.

Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply
a standard storage limit and a standard set of notification thresholds to many volumes and folders on
servers throughout your organization.

Template-Based Quota Updating


If you base your quotas on a template, you can update all quotas that are based on the template by
editing that template. This feature simplifies updating the properties of quotas by providing a central
point where IT administrators can make all changes.

For example, you can create a User Quota template that you use to place a 200 MB limit on the personal
folder of each user. For each user, you would then create a quota based on the User Quota template and
assign it to the user's folder. If you later decide to allow each user additional space on the server, you only
change the space limit in the User Quota template and choose to update each quota that is based on that
quota template.

Quota Template Examples


File Server Resource Manager provides several quota templates. For example:
You can use the 200 MB Limit Reports to User template to place a hard 200 MB limit on the personal
folder of each user and send storage reports to users who exceed the quota.
For some folders, you might want to use the 200 MB Limit with 50 MB Extension template to grant a
one-time 50 MB quota extension to users who exceed the 200 MB quota limit.


Other default templates are designed for monitoring disk usage through soft quotas such as the
Monitor 200 GB Volume Usage template and the Monitor 500 MB Share template. When you use
these templates, users can exceed the quota limit, but email and event log notifications are generated
when they do so.

Question: What advantage does creating 50 quotas from a template have over creating each quota
individually?


Demonstration: Creating and Configuring a Quota

Key Points
In this demonstration, you will see how to:
Create a new quota template.
Create a new quota based on a quota template.
Generate a quota notification.


Monitoring Quota Usage

Key Points
In addition to the information in the notifications sent by quotas, you can find out about quota usage by
viewing the quotas in Quota Management within the FSRM console, by generating a Quota Usage report,
or by creating soft quotas for monitoring the overall disk usage.

Quota Usage Report


Use the Quota Usage report to identify quotas that may soon be exceeded so that you can take the
appropriate action. Generating a Quota Usage report will be covered in greater detail in the Managing
Storage Reports lesson.

Templates for Monitoring Disk Usage


To monitor the overall disk usage, you can create soft quotas for volumes or shares. FSRM provides the
following default templates that you can use (or adapt) for this purpose.
Monitor 200 GB Volume Usage
Monitor 500 MB Share


Lab A: Installing FSRM and Implementing Quota Management

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You need to begin the implementation and configuration of FSRM for NYC-SVR1. The first step in this
process is installing the FSRM role service.

You have also been asked to establish an initial quota governing user data directories. You must configure
a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed
85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged
to the Event Viewer on the server.


Exercise 1: Installing the FSRM Role Service


You need to install the FSRM role service on NYC-SVR1.

The main task is as follows:


1. Install the FSRM Role Service.

Task 1: Install the FSRM role service.


1. On NYC-SVR1, open Server Manager.
2. Add File Server Resource Manager role service.
3. In the Configure Storage Usage Monitoring page, select Allfiles (E:).
4. After the installation is complete, close the Add Role Services Wizard.
5. Close Server Manager.


Exercise 2: Configuring Storage Quotas


You must configure a quota template that allows users a maximum of 100 MB of data in their user folders.
When users exceed 85 percent of the quota, or when they attempt to add files larger than 100 MB, an
event should be logged to the Event Viewer on the server.

The main tasks are as follows:


1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is functional.

Task 1: Create a quota template.


1. In the File Server Resource Manager console, use the Quota Templates node to configure a template
that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also notifies the
Event Viewer when the folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a quota based on the quota template.


1. Use the File Server Resource Manager console and the Quotas node to create a quota on the
E:\Labfiles\Mod05\Users folder by using the quota template that you created in Task 1. Configure
the quota to auto apply on existing and new subfolders.

2. Create an additional folder named Max in the E:\Labfiles\Mod05\Users folder, and ensure that the
new folder is listed in the quotas list in FSRM.

Task 3: Test that the quota is functional.


1. Open a command prompt and use the fsutil file createnew file1.txt 89400000 command to create
a file in the E:\Labfiles\Mod05\Users\Max folder.
2. Check the Event Viewer for an Event ID of 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press
Enter.
Hint: fsutil file createnew file2.txt 16400000
4. Close the command prompt.
5. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured a storage quota.
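The following model ties the quota types and notification thresholds from Lesson 2 to the numbers used in Task 3 above. It is an added example, not FSRM's own code or anything from the course: it replays the lab (100 MB hard limit, notifications at 85 percent and 100 percent, then the two fsutil file sizes) and, going beyond the lab, shows the same sequence under a soft quota. Assumptions: FSRM's "100 MB" is taken as 100 * 1024 * 1024 bytes, notifications are collected in a list instead of being written to the event log, and each threshold notifies once (FSRM rate-limits repeated notifications instead).

```python
"""Model of FSRM hard/soft quota enforcement with threshold notifications."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MB = 1024 * 1024  # assumption: an FSRM "100 MB" limit is 100 * 1024 * 1024 bytes


@dataclass
class Quota:
    """One quota on a folder subtree (a model, not FSRM's implementation)."""
    limit: int                 # space limit in bytes
    hard: bool                 # True: refuse writes past the limit; False: soft quota
    thresholds: List[int]      # notification thresholds in percent of the limit
    used: int = 0
    fired: Set[int] = field(default_factory=set)
    notifications: List[str] = field(default_factory=list)

    def percent_used(self) -> float:
        return 100.0 * self.used / self.limit

    def write(self, name: str, size: int) -> bool:
        """Try to add a file of `size` bytes; return True if the write is accepted."""
        prospective = self.used + size
        # Raise each configured notification whose threshold this write reaches
        # (simplification: once per threshold; FSRM rate-limits instead).
        for t in sorted(self.thresholds):
            if prospective * 100 >= t * self.limit and t not in self.fired:
                self.fired.add(t)
                self.notifications.append(
                    f"{t}% threshold reached by {name}: "
                    f"{prospective} of {self.limit} bytes")
        if self.hard and prospective > self.limit:
            return False          # hard quota: write refused, usage unchanged
        self.used = prospective   # soft quota, or still within the limit
        return True


def run_lab_test(hard: bool = True) -> Tuple[bool, bool, int, List[str]]:
    """Replay Lab A, Exercise 2, Task 3: 100 MB limit, thresholds at 85% and
    100%, then the two files created with fsutil file createnew."""
    q = Quota(limit=100 * MB, hard=hard, thresholds=[85, 100])
    first = q.write("file1.txt", 89_400_000)    # 85.26% of the limit: 85% fires
    second = q.write("file2.txt", 16_400_000)   # would reach 105,800,000 bytes
    return first, second, q.used, q.notifications


if __name__ == "__main__":
    for hard in (True, False):
        first, second, used, notes = run_lab_test(hard)
        print(f"{'Hard' if hard else 'Soft'} quota: file1 accepted={first}, "
              f"file2 accepted={second}, usage={used} bytes")
        for n in notes:
            print("  notification:", n)
```

With the hard quota the second file is refused and usage stays at 89,400,000 bytes; with the soft quota it is written (usage 105,800,000 bytes). In both cases the 85 percent and 100 percent notifications are raised, which is why the lab expects the event log entries even though the second write fails.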


Lesson 3
Implementing File Screening

Both the integrity of the data stored on your servers and the availability of free storage space for creating
new data are extremely important in your storage environment. If non-business files are allowed to be
stored on servers, both integrity and availability can be compromised.

File screening by using FSRM allows you to prevent unauthorized files from being stored on your servers.

Objectives
After completing this lesson, you will be able to:
Describe File Screening Management.
Describe File Groups.
Configure File Screen Templates.
Implement File screening.
Describe File Screen Exceptions.


What Is File Screening Management?

Key Points
File Screening Management allows you to create file screens to block files from being saved on a volume
or in a folder tree. A file screen affects all folders in the designated path. You use file groups to control the
types of files that file screens manage. For example, you might create a file screen to prevent users from
storing audio and video files in their personal folders on the server.

As with all components of FSRM, you can choose to generate email or other notifications when a file
screening event occurs.

File Screen Types


A file screen can be active or passive:
Active screening prevents users from saving unauthorized file types on the server and generates
configured notifications when they attempt to do so.
Passive screening sends configured notifications to users who are saving specific file types, but it does
not prevent users from saving those files.

File Screening Management Considerations


To simplify managing file screens, base your file screens on file screen templates, which will be covered
later in this lesson.

For additional flexibility, you can configure a file screen exception in a subfolder of a path where you have
created a file screen. When you place a file screen exception on a subfolder, you allow users to save file
types there that would otherwise be blocked by the file screen applied to the parent folder.

Note: A file screen does not prevent users and applications from accessing files that were saved to the
path before the file screen was created, regardless of whether the files are members of blocked file
groups.


What Are File Groups?

Key Points
Before you begin working with file screens, you must understand the role of file groups in determining
which files are screened. A file group is used to define a namespace for a file screen or a file screen
exception, or to generate a Files by File Group storage report.

File Group Characteristics


A file group consists of a set of file name patterns, which are grouped as files to include and files to
exclude:
Files to include: Files to which the file group applies.
Files to exclude: Files to which the file group does not apply.

For example, an Audio Files file group might include the following file name patterns:
Files to include: *.mp*: Includes all audio files created in the current and future MPEG formats (MP2,
MP3, and so forth).
Files to exclude: *.mpp: Excludes files created in Project (.mpp files), which would otherwise be
included by the *.mp* inclusion rule.

FSRM provides several default file groups, which you can view in File Screening Management by clicking
the File Groups node. You can define additional file groups or change the files to include and exclude.
Any change that you make to a file group affects all existing file screens, templates, and reports to which
the file group has been added.

Note: For convenience, you can modify file groups when you edit the properties of a file screen, file
screen exception, file screen template, or the Files by File Group report. Note that any changes that you
make to a file group from these property sheets affect all items that use that file group.


What Is a File Screen Template?

Key Points
To simplify file screen management, you can create your file screens based on file screen templates. A file
screen template defines the following:
File groups to block.
Screening types to perform.
Notifications to be generated.

You can configure two screening types in a file screen template. Active screening does not allow users to
save any files related to the selected file groups configured with the template. Passive screening allows
users to save files, but provides notifications for monitoring.

FSRM provides several default file screen templates, which you can use to block audio and video files,
executable files, image files, and email files, to meet common administrative needs. To view the default
templates, select the File Screen Templates node in the File Server Resource Manager console tree.

By creating file screens exclusively from templates, you can manage your file screens centrally by updating
the templates instead of individual file screens.

Note: File Screens are created from File Screen Templates just like Quotas are created from Quota
Templates, as discussed in Lesson 2.


Demonstration: How to Implement File Screening

Key Points
In this demonstration, you will see how to:
Create a File Group.
Create a File Screen Template.
Create a File Screen by using a File Screen Template.

Demonstration Steps:
1. Open the File Server Resource Manager console.
2. Expand the File Screening Management node.
3. Create a new File Group called MPx Media Files that includes all files with a file extension beginning
with .mp. Exclude .mpp files from this File Group.
4. Create a new File Screen Template called Block MPx Media Files by using the MPx Media Files File
Group and configure it to send a warning to the event log.
5. Create a new File Screen for E:\Labfiles\Mod05 by using the Block MPx Media Files File Screen
Template.


What Is a File Screen Exception?

Key Points
Occasionally, you need to allow exceptions to file screening. For example, you might want to block video
files from a file server, but you need to allow your training group to save video files for their computer-
based training. To allow files that other file screens are blocking, create a file screen exception.

A file screen exception is a special type of file screen that overrides any file screening that would
otherwise apply to a folder, and all its subfolders in a designated exception path. That is, it creates an
exception to any rules derived from a parent folder. To determine which file types the exception will allow,
file groups are assigned.

File Screen Exceptions are created by choosing Create File Screen Exception from the File Screens node
under File Screening Management in FSRM.

Note: File Screen Exceptions always override File Screens with conflicting settings. Therefore, you must
plan and implement File Screen Exceptions carefully.
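The following model shows how the file group patterns from "What Are File Groups?", active and passive screening, and the override rule for file screen exceptions combine when a user tries to save a file. It is an added example, not FSRM's code or part of the course: it reuses the MPx Media Files group (*.mp* minus *.mpp) and the E:\Labfiles\Mod05\Users path from the labs, and assumes a Training subfolder with an exception, a hypothetical Executables group, and a passive screen on E:\Labfiles\Mod05 to demonstrate the other cases.

```python
"""Model of FSRM file groups, file screens and file screen exceptions."""
import fnmatch
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass
class FileGroup:
    """Include/exclude file name patterns, as in the FSRM File Groups node."""
    name: str
    include: List[str]
    exclude: List[str] = field(default_factory=list)

    def matches(self, filename: str) -> bool:
        # A file belongs to the group if it matches any include pattern and no
        # exclude pattern. NTFS names are case-insensitive, so compare lowercased.
        fn = filename.lower()
        included = any(fnmatch.fnmatchcase(fn, p.lower()) for p in self.include)
        excluded = any(fnmatch.fnmatchcase(fn, p.lower()) for p in self.exclude)
        return included and not excluded


@dataclass
class FileScreen:
    path: str                  # screened folder; applies to its whole subtree
    groups: List[FileGroup]    # file groups to block (active) or report (passive)
    active: bool = True        # False = passive screening (notify, do not block)


@dataclass
class FileScreenException:
    path: str                  # exception folder (and its subtree)
    groups: List[FileGroup]    # file groups allowed here despite parent screens


def _under(file_path: str, folder: str) -> bool:
    """True if file_path lies inside folder (case-insensitive, as on Windows)."""
    return PureWindowsPath(folder) in PureWindowsPath(file_path).parents


def evaluate_save(file_path: str, screens: List[FileScreen],
                  exceptions: List[FileScreenException]) -> Tuple[str, str]:
    """Decide what happens when a user tries to save file_path.
    Returns (verdict, reason); verdict is 'blocked', 'allowed' or 'notify'."""
    name = PureWindowsPath(file_path).name
    # 1. Exceptions override every screen: an exception on an ancestor folder
    #    whose file group contains this file allows the save outright.
    for ex in exceptions:
        if _under(file_path, ex.path):
            for g in ex.groups:
                if g.matches(name):
                    return "allowed", f"exception on {ex.path} allows '{g.name}'"
    # 2. Otherwise every screen on an ancestor folder applies: an active screen
    #    with a matching group blocks the save; a passive one only notifies.
    notices = []
    for s in screens:
        if _under(file_path, s.path):
            for g in s.groups:
                if g.matches(name):
                    if s.active:
                        return "blocked", f"active screen on {s.path} blocks '{g.name}'"
                    notices.append(f"passive screen on {s.path} reports '{g.name}'")
    if notices:
        return "notify", "; ".join(notices)
    return "allowed", "no file screen matched"


# Constructed configuration: the lab's group and screen, plus an assumed
# Training exception, Executables group and passive screen for the demo.
MPX = FileGroup("MPx Media Files", include=["*.mp*"], exclude=["*.mpp"])
EXE = FileGroup("Executables", include=["*.exe", "*.msi"])
SCREENS = [
    FileScreen(r"E:\Labfiles\Mod05\Users", [MPX], active=True),
    FileScreen(r"E:\Labfiles\Mod05", [EXE], active=False),
]
EXCEPTIONS = [FileScreenException(r"E:\Labfiles\Mod05\Users\Training", [MPX])]

SAMPLE_SAVES = [
    r"E:\Labfiles\Mod05\Users\Max\song.mp3",       # blocked by the active screen
    r"E:\Labfiles\Mod05\Users\Max\plan.mpp",       # allowed: *.mpp excluded from group
    r"E:\Labfiles\Mod05\Users\Training\cbt.mp4",   # allowed: exception on subfolder
    r"E:\Labfiles\Mod05\musicfile.mp3",            # allowed: outside the screened path
    r"E:\Labfiles\Mod05\Users\Max\setup.exe",      # passive screen: saved but reported
]


def run_demo() -> Dict[str, Tuple[str, str]]:
    return {p: evaluate_save(p, SCREENS, EXCEPTIONS) for p in SAMPLE_SAVES}


if __name__ == "__main__":
    for path, (verdict, reason) in run_demo().items():
        print(f"{verdict:8} {path}  ({reason})")
```

Because exceptions are checked first, an exception on a subfolder silently wins over any screen above it, which is the reason the note above asks for careful planning: an exception scoped too widely, or assigned a broad file group, removes the protection for that whole subtree.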


Lesson 4
Managing Storage Reports

Knowing and using the tools to enforce capacity management measures is only part of a capacity
management solution. To effectively manage your storage environment, you need to stay informed
regarding the status of your servers and how your enforcement policies are working.

This lesson will introduce storage reports in FSRM. Storage reports allow you to view information about
how FSRM components are operating on your server.

Objectives
After completing this lesson, you will be able to:
Describe the storage reports feature of FSRM.
Configure and schedule a Report Task.
Generate On-Demand Reports.


What Are Storage Reports?

Key Points
FSRM can generate reports that help you understand file usage on the storage server. You can use the
storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant
files, track quota usage, and audit file screening.

From the Storage Reports Management node, you can create report tasks, which are used to schedule one
or more periodic reports, or you can generate reports on demand. For on-demand and scheduled reports,
current data is gathered before the report is generated. Reports can also be generated automatically to
notify you when a user exceeds a quota threshold or saves an unauthorized file.

Storage Report Types


The following table describes each storage report that is available.

Report                         Description

Duplicate Files                Lists files that appear to be duplicates (files with the same size and
                               last-modified time). Use this report to identify and reclaim disk space
                               that is wasted due to duplicate files.

File Screening Audit           Lists file screening events that have occurred on the server for a
                               specific number of days. Use this report to identify users or
                               applications that violate screening policies.

Files by File Group            Lists files that belong to specific file groups. Use this report to identify
                               file group usage patterns and file groups that occupy large amounts
                               of disk space. This can help you determine which file screens to
                               configure on the server.

Files by Owner                 Lists files, grouped by file owners. Use this report to analyze usage
                               patterns on the server and users who use large amounts of disk space.

Files by Property              Lists files by the values of a particular classification property. Use this
                               report to observe file classification usage patterns.

Large Files                    Lists files that are of a specific size or larger. Use this report to identify
                               files that are consuming the most disk space on the server. This can
                               help you quickly reclaim large quantities of disk space.

Least Recently Accessed Files  Lists files that have not been accessed for a specific number of days.
                               This can help you identify seldom-used data that might be archived
                               and removed from the server.

Most Recently Accessed Files   Lists files that have been accessed within a specified number of days.
                               Use this report to identify frequently used data that must be highly
                               available.

Quota Usage                    Lists quotas for which the quota usage is higher than a specified
                               percentage. Use this report to identify quotas with high usage levels so
                               that you can take appropriate action.

Configuring Report Parameters


Except for the Duplicate Files report, all reports have configurable report parameters that determine the
content in the report. The parameters vary with the type of report. For some reports, report parameters
can be used to select the volumes and folders on which to report, set a minimum file size to include, or
restrict a report to files owned by specific users.
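To make the report definitions and their parameters concrete, the following added example implements four of the reports from the table above (Duplicate Files, Large Files, Least Recently Accessed Files, and Files by Owner) over a constructed file inventory. It is not FSRM's reporting engine or course material: the file list, owners, sizes, timestamps and the fixed "now" are invented for the demo, and the minimum size and day count stand in for the parameters you would set in the report task properties.

```python
"""Model of four FSRM storage reports run over a constructed file inventory."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class FileInfo:
    path: str
    owner: str
    size: int            # bytes
    modified: datetime   # last-modified time
    accessed: datetime   # last-access time


# Constructed inventory (not real data); a fixed "now" keeps the output stable.
NOW = datetime(2011, 9, 1)
INVENTORY = [
    FileInfo(r"E:\Labfiles\Mod05\Users\Max\budget.xlsx", r"CONTOSO\Max",
             2_400_000, datetime(2011, 8, 20, 9, 0), datetime(2011, 8, 30)),
    FileInfo(r"E:\Labfiles\Mod05\Users\Ana\budget-copy.xlsx", r"CONTOSO\Ana",
             2_400_000, datetime(2011, 8, 20, 9, 0), datetime(2011, 7, 1)),
    FileInfo(r"E:\Labfiles\Mod05\Users\Max\video.mp4", r"CONTOSO\Max",
             350_000_000, datetime(2010, 5, 1), datetime(2010, 6, 1)),
    FileInfo(r"E:\Labfiles\Mod05\Users\Ana\notes.txt", r"CONTOSO\Ana",
             1_200, datetime(2011, 8, 31), datetime(2011, 8, 31)),
    FileInfo(r"E:\Labfiles\Mod05\Users\Ana\archive.zip", r"CONTOSO\Ana",
             120_000_000, datetime(2009, 1, 1), datetime(2009, 2, 1)),
]


def duplicate_files(files: List[FileInfo]) -> List[List[str]]:
    """Duplicate Files: groups of files with the same size and last-modified time
    (the heuristic the report uses; contents are not compared)."""
    groups: Dict[tuple, List[str]] = defaultdict(list)
    for f in files:
        groups[(f.size, f.modified)].append(f.path)
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


def large_files(files: List[FileInfo], min_size: int) -> List[str]:
    """Large Files: files of min_size bytes or larger, largest first."""
    return [f.path for f in sorted(files, key=lambda f: f.size, reverse=True)
            if f.size >= min_size]


def least_recently_accessed(files: List[FileInfo], days: int,
                            now: datetime = NOW) -> List[str]:
    """Least Recently Accessed Files: not accessed for at least `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(f.path for f in files if f.accessed <= cutoff)


def files_by_owner(files: List[FileInfo]) -> Dict[str, int]:
    """Files by Owner: total bytes consumed per file owner."""
    totals: Dict[str, int] = defaultdict(int)
    for f in files:
        totals[f.owner] += f.size
    return dict(totals)


def run_reports(files: List[FileInfo] = INVENTORY) -> Dict[str, object]:
    # The minimum size and day count play the role of the report parameters
    # set in the report task; the values here are the demo's choice.
    return {
        "Duplicate Files": duplicate_files(files),
        "Large Files (>= 100 MB)": large_files(files, 100 * 1024 * 1024),
        "Least Recently Accessed (365 days)": least_recently_accessed(files, 365),
        "Files by Owner": files_by_owner(files),
    }


if __name__ == "__main__":
    for title, rows in run_reports().items():
        print(title)
        print("   ", rows)
```

The Duplicate Files heuristic (same size and last-modified time) explains why that report has no parameters: two files with a matching pair of values are reported whether or not their contents agree, so treat its output as candidates to verify before reclaiming space.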

Saving Reports
Regardless of how you generate a report, or whether you choose to view the report immediately, the
report is saved on disk. Incident reports are saved in the Dynamic HTML (DHTML) format. You can
save scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats.

Scheduled reports, on-demand reports, and incident reports are saved in separate folders within a
designated report repository. By default, the reports are stored in the subdirectories of the
%Systemdrive%\StorageReports\ folder. To change the default report locations, in the File Server
Resource Manager Options dialog box, on the Report Locations tab, specify where to save each type of
storage report.


What Is a Report Task?

Key Points
A report task is a set of storage management reports that run based on a schedule.

The report task specifies which reports to generate and what parameters to use, which volumes and
folders to report on, how often to generate the reports, and which file formats to save them in.

When you schedule a set of reports, the reports are saved in the report repository. You also have the
option of sending the reports to a group of administrators by email.
Report tasks can be scheduled by using the following steps from within FSRM.
1. Click the Storage Reports Management node.
2. Right-click Storage Reports Management and click Schedule a New Report Task (or click
Schedule a New Report Task in the Actions pane). The Storage Reports Task Properties dialog
box appears.

Note: To minimize the impact of report processing on server performance, generate multiple reports on
the same schedule so that the data is only gathered once.


Generating On-Demand Reports

Key Points
During daily operations, you may want to generate reports on demand to analyze the different aspects of
the current disk usage on the server. Before the reports are generated, current data is gathered.

When you generate reports on demand, the reports are saved in the report repository, but no report task
is created for later use. You can optionally view the reports immediately after they are generated or send
the reports to a group of administrators by email. To generate reports on demand, use the following
steps from within FSRM.
1. Click the Storage Reports Management node.
2. Right-click Storage Reports Management, and then click Generate Reports Now (or click
Generate Reports Now in the Actions pane). The Storage Reports Task Properties dialog box
appears.

Note: When generating an on-demand report, you can wait for the reports to be generated and then
immediately display them. If you choose to open the reports immediately, you must wait while the
reports are generated. Processing time varies, depending on the types of reports and the data scope.


Lab B: Configuring File Screening and Storage Reports

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Microsoft Project files (.mpp) is
not affected by your file screening setup.

You have also been asked to provide a report to your manager about the attempts to save these media
files on NYC-SVR1.


Exercise 1: Configuring File Screening


You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You
need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved
on the server. Your manager has asked you to ensure that the saving of Project files (.mpp) is not affected
by your file screening setup.

Task 1: Create a file group.


1. Open the File Server Resource Manager console.
2. Open the File Server Resource Manager Configuration Options dialog box and enable the Record
file screening activity in auditing database option on the File Screen Audit tab.

Note: This step allows the recording of File Screen events, which supply the data for the File Screen Audit
report that you will run in Exercise 2.

3. Create a new File Group with the following properties.


File group name: MPx Media Files
Files to include: *.mp*
Files to exclude: *.mpp

Task 2: Create a file screen template.


1. Create a File Screen Template with the following properties.
Template name: Block MPx Media Files
Screening type: Active
File groups: MPx Media Files
Event Log: Send a warning to the event log

Task 3: Create a file screen.


1. Create a File Screen based on the Block MPx Media Files File Screen Template for the
E:\Labfiles\Mod05\Users directory.
2. Close the File Server Resources Manager.

Task 4: Test the file screen.


1. Click Start, and then click Computer.
2. Create a new text document in E:\Labfiles\Mod05 and rename it as musicfile.mp3.
3. Copy musicfile.mp3 into E:\Labfiles\Mod05\Users. You will be notified that the system was unable
to copy the file to E:\Labfiles\Mod05\Users.

Results: After this exercise, you should have configured file screening by creating a file group, a file
screen template, and a file screen.
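
The file group and active file screen configured in this exercise, modelled in Python as an added example (not part of the course material or of FSRM): it shows that the *.mpp exclusion takes precedence over the *.mp* inclusion, that pattern matching ignores case, and which hits a File Screening Audit report has to summarise. Folder paths follow the lab; user names and save attempts are constructed.

```python
"""Model of an FSRM file group and active file screen, as configured in Lab B.

Added example, not part of the course material or of FSRM itself. It shows that
an exclude pattern wins over an include pattern, so *.mp* blocks .mp3/.mp4 files
while *.mpp (Project) files still save, and it collects the audit records that a
File Screening Audit report summarises. User names and attempts are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class FileGroup:
    name: str
    include: list[str]
    exclude: list[str] = field(default_factory=list)

    def matches(self, filename: str) -> bool:
        # NTFS names and FSRM patterns are not case sensitive, so compare in
        # lower case. A file matching any exclude pattern is never a member.
        name = ntpath.basename(filename).lower()
        if any(fnmatchcase(name, p.lower()) for p in self.exclude):
            return False
        return any(fnmatchcase(name, p.lower()) for p in self.include)


@dataclass
class FileScreen:
    path: str                   # folder the screen is applied to
    groups: list[FileGroup]
    active: bool = True         # Active blocks the save; Passive only audits

    def in_scope(self, filename: str) -> bool:
        prefix = ntpath.normcase(self.path).rstrip("\\") + "\\"
        return ntpath.normcase(filename).startswith(prefix)

    def evaluate(self, filename: str, user: str, audit: list) -> bool:
        """Return True if the save is allowed; record a hit for a matching group."""
        if not self.in_scope(filename):
            return True
        for group in self.groups:
            if group.matches(filename):
                audit.append({"user": user, "file": filename,
                              "group": group.name, "blocked": self.active})
                return not self.active
        return True


def audit_summary(audit: list) -> dict:
    """Count hits per (file group, user), as the File Screening Audit report groups them."""
    summary: dict = {}
    for record in audit:
        key = (record["group"], record["user"])
        summary[key] = summary.get(key, 0) + 1
    return summary


def run_lab_b_scenario():
    """Replay constructed save attempts against the Lab B file screen."""
    mpx = FileGroup("MPx Media Files", include=["*.mp*"], exclude=["*.mpp"])
    screen = FileScreen(r"E:\Labfiles\Mod05\Users", [mpx], active=True)
    audit: list = []
    attempts = [  # (user, path) pairs, constructed for this example
        ("CONTOSO\\Administrator", r"E:\Labfiles\Mod05\Users\musicfile.mp3"),
        ("CONTOSO\\Administrator", r"E:\Labfiles\Mod05\Users\clip.MP4"),
        ("CONTOSO\\Ed", r"E:\Labfiles\Mod05\Users\plan.mpp"),      # excluded: allowed
        ("CONTOSO\\Ed", r"E:\Labfiles\Mod05\Users\notes.txt"),     # not in the group
        ("CONTOSO\\Ed", r"E:\Labfiles\Mod05\musicfile.mp3"),       # outside the screened folder
    ]
    allowed = {path: screen.evaluate(path, user, audit) for user, path in attempts}
    return allowed, audit


if __name__ == "__main__":
    allowed, audit = run_lab_b_scenario()
    for path, ok in allowed.items():
        print(f"{'allowed' if ok else 'BLOCKED'}  {path}")
    print(audit_summary(audit))
```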


Exercise 2: Generating Storage Reports


You need to provide a report that documents attempts to save these media files on NYC-SVR1.

Task 1: Generate an On-Demand Storage Report.


1. Open the File Server Resource Manager console.
2. Right-click Storage Reports Management, select Generate Reports Now and then provide the
following parameters:
Report on E:\Labfiles\Mod05\Users.
Generate only the File Screening Audit report.
3. Close all open windows on NYC-SVR1.

Results: In this exercise, you generated a storage report.


Lesson 5
Implementing Classification Management and File Management Tasks

Most applications manage files based on the directory that contains them. This leads to complicated file
layouts that require a lot of attention from administrators, and such layouts can also frustrate users.
In Windows Server 2008 R2, Classification Management and File Management tasks enable administrators
to manage groups of files based on various file and folder attributes. With Classification Management and
File Management tasks, you can automate file and folder maintenance tasks such as cleaning up stale data
or protecting sensitive information.

In this lesson, you will learn how Classification Management and File Management tasks work together
to make it easier for you to manage and organize the files and folders on your servers.

Note: The capabilities and components described in this lesson are available only in Windows Server
2008 R2.

Objectives
After completing this lesson, you will be able to:
Describe the Classification Management feature of FSRM.
Describe how to create Classification Properties.
Describe how Classification Rules are used to automatically assign Classification Properties.
Configure Classification Management.
Describe considerations for using Classification Management.
Describe File Management Tasks.
Configure File Management Tasks.


What Is Classification Management?

Key Points
Most applications manage files based on their location or the folder that contains them. This leads to a
complicated folder structure that often negatively affects the usability of the files and folders and
increases administrative requirements.

To reduce the cost and risk associated with this type of data management, the File Classification
infrastructure uses a platform that allows administrators to classify files and apply policies based on that
classification. The storage layout is unaffected by data management requirements, and the organization
can adapt more easily to a changing business and regulatory environment.

Classification Management is designed to ease the burden and management of data that is spread out in
your organization. Files can be classified in a variety of ways. In most scenarios, classification is performed
manually. The File Classification infrastructure in Windows Server 2008 R2 allows organizations to convert
these manual processes into automated policies. Administrators can specify file management policies
based on a file's classification and apply corporate requirements for managing data based on business
value. They can easily modify the policies and use tools that support classification to manage their files.

You can use file classification to perform the following actions:


1. Define classification properties and values, which can be assigned to files by running classification
rules.
2. Create, update, and run classification rules. Each rule assigns a single predefined property and value
to files within a specified directory based on installed classification plug-ins.
3. When running a classification rule, reevaluate files that are already classified. You can choose to
overwrite existing classification values or add the value to properties that support multiple values.


What Are Classification Properties?

Key Points
Classification properties are used to assign values to files. There are many property types to choose
from, as listed in the table below. You can define these properties based on the needs of your
organization. Classification properties are assigned to files by using classification rules, which are
discussed in the next topic.

The following table defines the available property types and the policy that is applied when a file is
reclassified:

Yes/No: A Boolean property that can be Yes or No. When multiple values are combined, a No value
overwrites a Yes value.

Date-Time: A simple date and time property. When multiple values are combined, conflicting values
prevent reclassification.

Number: A simple number property. When multiple values are combined, conflicting values prevent
reclassification.

Multiple Choice List: A list of values that can be assigned to a property. More than one value can be
assigned to a property at a time. When multiple values are combined, each value in the list is used.

Ordered List: A list of fixed values. Only one value can be assigned to a property at a time. When multiple
values are combined, the value highest in the list is used.

String: A simple string property. When multiple values are combined, conflicting values prevent
reclassification.

Multi-string: A list of strings that can be assigned to a property. More than one value can be assigned to a
property at a time. When multiple values are combined, each value in the list is used.


What Is a Classification Rule?

Key Points
A classification rule assigns a Classification Property to a file system object. A classification rule includes
information detailing when to assign a classification property to a file.

Key Classification Rule Properties


To define the behavior of a classification rule, ask yourself the following questions:
Is the rule enabled? On the Rule Settings tab, the Enabled check box allows you to enable or disable the
classification rule.
What is the scope of the rule? On the Rule Settings tab, the scope parameter allows you to select the
folder or folders that the classification rule applies to. When the rule runs, it processes and attempts to
classify all file system objects within this location.
What classification mechanism will the rule use? On the rule's Classification tab, you must choose
the classification method that the rule uses to assign the classification property. By default, there are
two methods to choose from:
Folder Classifier: The folder classifier assigns properties to a file based on the file's folder path.
Content Classifier: The content classifier searches for strings or regular expressions in files. This
means that it classifies a file based on the textual contents of the file, such as whether the file
contains a specific word, phrase, or numeric value or type.
What property will the rule assign? The main function of a classification rule is to assign a property to
a file object when the rule applies to that object. On the Classification tab, you must specify the property
and the specific value of that property that the rule assigns.
What additional classification parameters will be used? The core of the rule's logic lies in the
additional classification parameters. Clicking the Advanced button on the Classification tab takes you
to the Additional Classification Parameters window. Here, you can specify additional parameters such as
strings or regular expressions that, if found in the file system object, cause the rule to apply. This could
be something like looking for the phrase Social Security Number or any number with the format
000-000-000 to apply a Yes value for a Confidential classification property to the file. This classification
could then be used to perform tasks on the file system object, such as moving it to a secure location.

A classification parameter can be one of the following three types:


RegularExpression: Match a regular expression by using the .NET syntax. For example, \d\d\d will
match any three-digit number.
StringCaseSensitive: Match a case-sensitive string. For example, Confidential will only match
Confidential and not confidential or CONFIDENTIAL.
String: Match a string, regardless of case. Confidential will match both Confidential and
CONFIDENTIAL.

Classification Scheduling
You can run classification rules in two ways, on-demand or based on a schedule. Either way you choose,
each time you run classification, it uses all rules that you have left in the Enabled state.

Configuring a schedule for classification allows you to specify a regular interval at which file classification
rules run, ensuring that your server's files are regularly classified and up to date with the latest
classification properties.


Demonstration: How to Configure Classification Management

Key Points
In this demonstration you will see how to:
Create a Classification Property.
Create a Classification Rule.
Modify the Classification Schedule.

Demonstration Steps:
1. Open File Server Resource Manager and expand the Classification Management node.
2. Using the Classification Properties node, create a new Classification Property named Confidential
with the Yes/No property type.
3. Using the Classification Rules node, create a new Classification Rule named Confidential
Documents.
4. Configure the rule to classify documents with a value of Yes for the Confidential classification
property if the file contains the string value payroll.
5. Create a classification schedule that runs daily at 8:30 A.M.
6. Using the Classification Rule node, manually run Classification With All Rules Now and view the
report.


Considerations for Using File Classification

Key Points
Although Classification Management provides a powerful mechanism to catalog, categorize, and classify
your file system objects, you should consider certain factors when dealing with Classification
Management.

How Classification Properties Are Stored


The properties are stored in an alternate data stream, which is a feature of NTFS. Alternate data streams
move with a file if the file moves within NTFS file systems, but they do not appear in the file's contents.
The properties are also stored within the file formats of Office products as custom document properties or
server document properties.

Movement Can Affect a File's Classification Properties


A file retains its classification properties if the file is moved to another NTFS file system by using a
standard mechanism such as Copy or Move. If a file is moved to a non-NTFS volume, file classification
properties are not retained. However, the classification properties for files in Microsoft Office products
remain attached, regardless of how the file is moved.

The Classification Management Process Exists Only in Windows Server 2008 R2


Classification properties are available only to servers running Windows Server 2008 R2. However,
Microsoft Office documents will retain classification property information in Document Properties, which
is viewable regardless of the operating system being used.

Classification Rules Can Conflict


The File Classification infrastructure attempts to combine property values where a potential conflict
exists. The following behaviors occur for the corresponding property types:
For Yes or No properties, a Yes value takes priority over a No value.
For ordered list properties, the highest property value takes priority.
For multiple choice properties, the property sets are combined into one set.
For multiple string properties, a multistring value is set that contains all the unique strings of the
individual property values.
For other property types, an error occurs.
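
The classification parameter types described earlier (RegularExpression, StringCaseSensitive, String) and the combination rules just listed, modelled in Python as an added example (not the course's or Microsoft's code): rules classify constructed file contents, and the values that several rules assign to one property are combined as the list above describes, with an error for the types that cannot be combined. Property names, rule names and file contents are invented for the example.

```python
"""Model of FCI content classification and property-value combination.

Added example, not the course's or Microsoft's code: applies the three content
classifier parameter types to constructed file contents and combines the values
several rules assign to one property, per "Classification Rules Can Conflict".
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Property:
    name: str
    kind: str                    # "Yes/No", "Ordered List", "Multiple Choice", "Multi-string", "String"
    ordered_values: tuple = ()   # Ordered List only, lowest to highest


@dataclass
class Parameter:
    type: str                    # "RegularExpression", "StringCaseSensitive" or "String"
    value: str

    def found_in(self, text: str) -> bool:
        if self.type == "RegularExpression":     # pattern such as \d\d\d
            return re.search(self.value, text) is not None
        if self.type == "StringCaseSensitive":   # Confidential != CONFIDENTIAL
            return self.value in text
        if self.type == "String":                # case is ignored
            return self.value.lower() in text.lower()
        raise ValueError(f"unknown parameter type {self.type!r}")


@dataclass
class Rule:
    name: str
    prop: Property
    value: object
    params: list[Parameter]
    enabled: bool = True         # disabled rules are skipped by every run

    def classify(self, text: str):
        """Return (property, value) when any parameter is found in the content."""
        if self.enabled and any(p.found_in(text) for p in self.params):
            return self.prop, self.value
        return None


def combine(prop: Property, values: list):
    """Resolve the values that several rules assigned to one property."""
    distinct: list = []
    for v in values:                         # order-preserving dedupe; values may be lists
        if v not in distinct:
            distinct.append(v)
    if len(distinct) == 1:
        return distinct[0]
    if prop.kind == "Yes/No":
        return "Yes" if "Yes" in distinct else "No"            # Yes takes priority
    if prop.kind == "Ordered List":
        return max(distinct, key=prop.ordered_values.index)    # highest in the list
    if prop.kind in ("Multiple Choice", "Multi-string"):
        merged: list = []                                      # union of all values
        for v in distinct:
            merged += [x for x in (v if isinstance(v, (list, tuple)) else [v]) if x not in merged]
        return merged
    raise ValueError(f"conflicting values {distinct!r} for {prop.name} ({prop.kind})")


def classify_file(text: str, rules: list[Rule]) -> dict:
    """Run every enabled rule over one file's content, then combine per property."""
    hits: dict = {}
    for rule in rules:
        result = rule.classify(text)
        if result is not None:
            hits.setdefault(result[0], []).append(result[1])
    return {prop.name: combine(prop, vals) for prop, vals in hits.items()}


def demo_rules() -> list[Rule]:
    confidential = Property("Confidential", "Yes/No")
    sensitivity = Property("Sensitivity", "Ordered List", ("Public", "Internal", "Restricted"))
    return [
        Rule("Confidential Payroll Documents", confidential, "Yes", [Parameter("String", "payroll")]),
        Rule("Identifier pattern", confidential, "Yes",
             [Parameter("RegularExpression", r"\d\d\d-\d\d\d-\d\d\d")]),
        Rule("Marked PUBLIC", confidential, "No", [Parameter("StringCaseSensitive", "PUBLIC")]),
        Rule("Payroll is restricted", sensitivity, "Restricted", [Parameter("String", "payroll")]),
        Rule("Internal memos", sensitivity, "Internal", [Parameter("String", "internal use")]),
    ]


SAMPLE_FILES = {  # constructed contents, not the lab's files
    "January.txt": "January Payroll run. Employee 123-456-789. For internal use only.",
    "draft.txt": "PUBLIC DRAFT: payroll calendar for next year.",
    "menu.txt": "Cafeteria menu, for internal use. This is public.",
    "readme.txt": "Nothing sensitive in here.",
}


def classify_samples() -> dict:
    rules = demo_rules()
    return {name: classify_file(text, rules) for name, text in SAMPLE_FILES.items()}
```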

Classification Management Cannot Classify Certain Files


The File Classification Infrastructure will not identify individual files within a container file such as a .zip or
.vhd file. Also, FCI does not allow content classification of the contents of encrypted files.


What Are File Management Tasks?

Key Points
File management tasks automate the process of finding subsets of files on a server and applying simple
commands to them on a scheduled basis. Files are identified by classification properties that have been
assigned to the file by a classification rule.

File management tasks include a file expiration command, and you can also create custom tasks. You can
define files that will be processed by a file management task through the following properties:
Location
Classification properties
Creation time
Modification time
Last accessed time
File name
You can also configure file management tasks to notify file owners of any impending policy that will be
applied to their files.

File Expiration Tasks


File expiration tasks are used to automatically move all files that match certain criteria to a specified
expiration directory, where an administrator can back up those files and delete them.

When a file expiration task is run, a new directory is created within the expiration directory. The new
directory is grouped by the server name on which the task was run, and it is named according to the
name of the file management task and the time it was run. When an expired file is found, it is moved into
the new directory, while preserving its original directory structure.


Custom File Management Tasks


Expiration is not always the desired action for a set of files. File management tasks also allow you to run
custom commands. Using the custom commands dialog box, you can run an executable file, script, or other
custom command to perform an operation on the files within the scope of the file management task.

Note: Custom tasks are configured by selecting the Custom type on the Action tab of the Create File
Management Task window.


Demonstration: How to Configure File Management Tasks

Key Points
In this demonstration, you will see how to:
Create a File Management Task.
Configure a File Management Task to Expire Documents.

Demonstration Steps:
1. Open FSRM and expand the File Management Tasks node.
2. Create a file management task named Expire Confidential Documents with a scope of
E:\Labfiles\Mod05\Data.
3. On the Action tab, configure the task for file expiration to E:\Labfiles\Mod05\Expired.
4. Add a condition that Confidential equals Yes.
5. Run the File Management Task and view the report.


Lab C: Configuring Classification and File Management Tasks

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
The Finance department of Contoso, Ltd has discovered that several payroll documents are being stored
in locations that are not secure.

You have been asked to use the Classification Management and File Management Tasks components of
FSRM to ensure that all payroll-related files are located in a secure location.


Exercise 1: Configuring Classification Management


The Finance department wants all documents related to the company payroll to be classified as
confidential. You must create a Classification Property and a Classification Rule that classifies any files
containing the word payroll as confidential.

Task 1: Create a classification property.


1. Create a Classification Property with the following attributes.
Property name: Confidential
Description: Assigns a confidentiality value of Yes or No
Property Type: Yes/No

Task 2: Apply classification properties by using classification rules.


1. Create a new Classification Rule.
2. Configure the Rule Settings tab with the following attributes.
Rule name: Confidential Payroll Documents
Description: Classify documents containing the word payroll as confidential
Scope: E:\Labfiles\Mod05\Data
3. Configure the Classification tab with the following attributes
Classification Mechanism: Content Classifier
Property name: Confidential
Property value: Yes
4. On the Classification tab, click Advanced.
5. Click the Additional Classification Parameters tab and add the following parameters.
Name: String
Value: payroll
6. Right-click the Classification Rules node, click Run Classification With All Rules Now, and then select
the Wait for classification to complete execution option.
7. View the generated report and ensure that January.txt is displayed in the report.
8. View the contents of E:\Labfiles\Mod05\Data\January.txt.
9. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured Classification Management.


Exercise 2: Implementing File Management Tasks


You have been notified that the Finance department wants all payroll-related documents that you have
classified to be relocated to a more secure location. Your task is to create a File Management task that will
move any documents classified as confidential to the E:\Labfiles\Mod05\Confidential folder.

Task 1: Configure file management tasks based on classification properties.


1. Open the File Server Resource Manager and create a File Management task and configure the
properties according to the following steps.
2. On the General tab, configure the following attributes:
Task name: Move Confidential Files
Description: Move confidential documents to another folder
Scope: E:\Labfiles\Mod05\Data.

3. On the Action tab, configure the following attributes.


Type: File expiration
Expiration directory: E:\Labfiles\Mod05\Confidential
4. On the Condition tab, configure the following attributes.
Property conditions:
Property: Confidential
Operator: Equals
Value: Yes
5. On the Schedule tab, create a schedule to run at 9:00 A.M. every day, starting today.
6. Right-click the newly created task, and then click Run File Management Task Now. Select the
option to wait for task to complete execution and then review the report. Ensure that January.txt is
listed in the report.
7. In Windows Explorer, browse to the E:\Labfiles\Mod05\Confidential folder. January.txt should be
located in this folder and no longer in E:\Labfiles\Mod05\Data.

Results: In this exercise, you implemented File Management Tasks.

To prepare for the next module.


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-SVR1.


Module Review and Takeaways

Review Questions
1. What criteria need to be met to use FSRM for managing a server's file structure?
2. In what ways can Classification Management and File Management Tasks decrease administrative
overhead when dealing with a complex file and folder structure?

Windows Server 2008 R2 Features Introduced in this Module


Classification Management (FSRM): Create and assign user-defined properties to files by using an
automated file classification infrastructure.
File Management Tasks (FSRM): Perform automated file management tasks that leverage the file
classification infrastructure.

Tools
Tool: File Server Resource Manager
Use for: Managing your file server infrastructure
Where to find it: Install the FSRM role service as part of the File Services server role


Module 6
Configuring and Securing Remote Access
Contents:
Lesson 1: Configuring a Virtual Private Network Connection 6-3
Lesson 2: Overview of Network Policies 6-16
Lab A: Implementing a Virtual Private Network 6-26
Lesson 3: Integrating Network Access Protection with VPNs 6-31
Lesson 4: Configuring VPN Enforcement Using NAP 6-39
Lab B: Implementing NAP into a VPN Remote Access Solution 6-48
Lesson 5: Overview of DirectAccess 6-56


Module Overview

For an organization to support its distributed workforce, it must implement technologies that enable
remote users to connect to the organization's network infrastructure. These technologies include virtual
private networks (VPNs) and DirectAccess. You need to understand how to configure and secure your
remote access clients by using network policies and, where appropriate, Network Access Protection (NAP).
This module explores these remote access technologies.

Objectives
After completing this module, you will be able to:
Configure a VPN connection.
Explain network policies.
Describe VPN enforcement with NAP.
Configure NAP.
Describe and deploy DirectAccess.

Lesson 1
Configuring a Virtual Private Network Connection

A VPN provides a point-to-point connection between the components of a private network through a
public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to a VPN server's listening virtual port.

To properly implement and support a VPN environment within your organization, you must understand
how to select a suitable tunneling protocol, configure VPN authentication, and configure the Network
Policy and Access Services server role to support your chosen configuration.

Objectives
After completing this lesson, you will be able to:
Describe virtual private networking.
Describe methods used to authenticate remote systems.
Identify the tunneling protocols used for a VPN connection.
Describe considerations for installing a VPN server.
Configure a VPN server.
Describe additional tasks related to managing and configuring a VPN server.
Describe VPN Reconnect.

What Is Virtual Private Networking?

Key Points
To emulate a point-to-point link, the data is encapsulated or wrapped and prefixed with a header. This
header provides routing information that enables the data to traverse the shared or public network to
reach its endpoint.

To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the shared or public network are indecipherable without encryption keys. The link in which the private
data is encapsulated and encrypted is known as a VPN connection.

There are two types of VPN connections:

Remote access
Site-to-site

Remote Access VPN
Remote access VPN connections enable your users working at home, at a customer site, or through a public
wireless access point to access resources on your organization's private network by using the
infrastructure that a public network provides, such as the Internet.

From the user's perspective, the VPN is a point-to-point connection between their computer, the VPN
client, and your organization's resources. The exact infrastructure between the client and the resource is
irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices or with other organizations over a
public network while helping to maintain secure communications.

A VPN connection routed across the Internet logically operates as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets to another router across a VPN
connection.

A site-to-site VPN connection connects two portions of a private network. For example, a branch office
router, acting as a VPN server, can create a VPN connection between itself and a corporate hub router
across the Internet. As the calling router, the branch office router authenticates itself to the answering
router on the corporate hub, and, for mutual authentication, the answering router authenticates itself to
the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN
connection typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with
Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following
properties:

Note: These tunneling protocols are discussed in the next few topics.

Encapsulation. With VPN technology, private data is encapsulated with a header that contains
routing information that allows the data to traverse the transit network.
Authentication. Authentication for VPN connections takes the following three different forms:
  User-level authentication by using PPP authentication. To establish the VPN connection, the VPN
  server authenticates the VPN client that is attempting the connection by using a PPP user-level
  authentication method and verifies that the VPN client has the appropriate authorization. If you use
  mutual authentication, the VPN client also authenticates the VPN server, which provides protection
  against computers that are masquerading as VPN servers.
  Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security
  association, the VPN client and the VPN server use the IKE protocol to exchange either computer
  certificates or a preshared key. In either case, the VPN client and server authenticate each other at the
  computer level. It is recommended that you use computer-certificate authentication because it is a
  much stronger authentication method. Computer-level authentication is only performed for
  L2TP/IPsec connections.
  Data origin authentication and data integrity. To verify that the data sent on the VPN connection
  originated at the connection's other end and was not modified in transit, the data contains a
  cryptographic checksum based on an encryption key known only to the sender and the receiver. Data
  origin authentication and data integrity are only available for L2TP/IPsec connections.
Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit
network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption
processes depend on both the sender and the receiver using a common encryption key.
Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone
who does not have the common encryption key. The encryption key's length is an important security
parameter. In principle, the encryption key can be recovered by computational (brute-force) techniques;
however, such techniques require more computing power and computational time as the encryption
keys get larger. Therefore, it is important to use the largest possible key size to ensure data
confidentiality.
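The "data origin authentication and data integrity" property above is easiest to understand by building it. The following Python is an added example (not code from the course or from any Microsoft product) that encapsulates a private payload with a constructed, simplified routing header and appends a keyed checksum (HMAC-SHA256) computed with a key shared by both tunnel ends. The header layout, the shared key and the sample packet are all constructed for the demonstration; they are not the real GRE, L2TP or ESP wire formats, and a real VPN derives the key from IKE rather than embedding it. Encryption is deliberately left out so that the integrity check stands on its own.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed, simplified tunnel header used only for this example (not GRE, L2TP or ESP):
#   1 byte version, 1 byte flags, 2 bytes payload length, 4 bytes source, 4 bytes destination
HEADER_FMT = "!BBH4s4s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
TAG_LEN = hashlib.sha256().digest_size     # 32-byte integrity check value


class IntegrityError(Exception):
    """Raised when the integrity check fails: tampering, truncation or a wrong key."""


def encapsulate(payload: bytes, src: str, dst: str, key: bytes) -> bytes:
    """Wrap a private payload with a routing header and a keyed integrity tag.

    The tag is an HMAC-SHA256 over header and payload, so a receiver holding the
    same key can verify both where the data came from and that it was not modified.
    """
    header = struct.pack(HEADER_FMT, 1, 0, len(payload),
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def decapsulate(packet: bytes, key: bytes) -> tuple[str, str, bytes]:
    """Verify the tag first, then strip the header. Returns (src, dst, payload)."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise IntegrityError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("integrity check failed: modified in transit or wrong key")
    version, _flags, length, src, dst = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    payload = body[HEADER_LEN:]
    if version != 1 or length != len(payload):
        raise IntegrityError("malformed header")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), payload


def tamper(packet: bytes, index: int) -> bytes:
    """Flip one bit of a packet, simulating modification on the public network."""
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = b"constructed-shared-key-for-demo"
    pkt = encapsulate(b"GET /payroll HTTP/1.1", "10.0.0.5", "192.168.1.10", key)
    print(decapsulate(pkt, key))
    try:
        decapsulate(tamper(pkt, HEADER_LEN + 4), key)
    except IntegrityError as exc:
        print("rejected:", exc)
```

The receiver checks the tag before it looks at anything else in the packet, which is the same order IPsec ESP uses: an attacker who changes a header field, a payload byte, or replaces the key cannot produce a tag that verifies, so the packet is dropped rather than forwarded into the private network.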

Types of VPN Authentication Methods

Key Points
Authentication of access clients is an important security concern. Authentication methods typically use an
authentication protocol that is negotiated during the connection establishment process.

PAP
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication
protocol. It is negotiated if the remote access client and remote access server cannot negotiate a more
secure form of validation.

CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication
protocol that uses the Message Digest 5 (MD5) one-way hashing scheme to hash the response to a
challenge issued by the remote access server. CHAP is an improvement over PAP because the password is
never sent over the link. Instead, the password is used to create a one-way hash from a challenge string.
The server, knowing the client's password, can duplicate the operation and compare the result with that
sent in the client's response.

A server running Routing and Remote Access supports CHAP so that remote access clients that require
CHAP can be authenticated. Because CHAP requires that the user's password be stored by using reversible
encryption, you should consider using another authentication protocol, such as MS-CHAP version 2.
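To make the CHAP description concrete, here is an added Python example (not code from the course or from Routing and Remote Access) that carries out the challenge-response exchange as RFC 1994 defines it: the client returns MD5(identifier || secret || challenge), and the server recomputes the same digest from its stored copy of the password. The `ChapAuthenticator` class, the user name and the password are constructed for the demonstration. Note what the server needs in order to verify: the plaintext secret, which is exactly why CHAP forces reversible password storage.

```python
import hashlib
import hmac
import os

# RFC 1994 CHAP with the MD5 algorithm: Response = MD5(Identifier || Secret || Challenge).
# The password itself never crosses the link; only the challenge and this digest do.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the one-octet identifier, the shared secret and the challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from the stored secret and compare.

    The server must feed the plaintext password into MD5, so it has to hold the
    password in a recoverable form; a one-way password hash is not enough.
    """
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


class ChapAuthenticator:
    """Constructed stand-in for a remote access server: issues challenges, checks responses."""

    def __init__(self, stored_secrets: dict[str, bytes]):
        self._secrets = stored_secrets            # username -> plaintext secret (constructed)
        self._pending: dict[str, tuple[int, bytes]] = {}
        self._next_id = 0

    def challenge(self, username: str) -> tuple[int, bytes]:
        """Send a new (identifier, random challenge) pair; a fresh one per attempt."""
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)
        self._pending[username] = (self._next_id, chal)
        return self._next_id, chal

    def authenticate(self, username: str, identifier: int, response: bytes) -> bool:
        """Accept only a response to the challenge currently outstanding for this user."""
        pending = self._pending.pop(username, None)   # each challenge is usable once
        secret = self._secrets.get(username)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        return chap_verify(identifier, secret, pending[1], response)


def run_exchange(server: ChapAuthenticator, username: str, client_secret: bytes) -> bool:
    """Drive one CHAP exchange end to end and return the server's verdict."""
    ident, chal = server.challenge(username)
    resp = chap_response(ident, client_secret, chal)
    return server.authenticate(username, ident, resp)


if __name__ == "__main__":
    srv = ChapAuthenticator({"adam": b"constructed-demo-password"})
    print("correct secret:", run_exchange(srv, "adam", b"constructed-demo-password"))
    print("wrong secret:  ", run_exchange(srv, "adam", b"guess"))
```

Two design points carry over to the real protocol: a challenge is random and consumed after one use, so a captured response cannot simply be replayed, and only the server challenges the client, so plain CHAP gives no assurance to the client about the server. MS-CHAP v2, described next, adds the peer challenge that closes that gap.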

MS-CHAP v2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is an encrypted-password,
mutual-authentication process that works as follows:
1. The authenticator (the remote access server or the computer running Network Policy Server) sends a
challenge to the remote access client that consists of a session identifier and an arbitrary challenge
string.
2. The remote access client sends a response that contains a one-way encryption of the received
challenge string, the peer challenge string, the session identifier, and the user password.
3. The authenticator checks the response from the client and sends back a response containing an
indication of the success or failure of the connection attempt and an authenticated response based
on the sent challenge string, the peer challenge string, the client's encrypted response, and the user
password.
4. The remote access client verifies the authentication response and, if correct, uses the connection. If
the authentication response is not correct, the remote access client terminates the connection.

EAP
With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a
remote access connection. The remote access client and the authenticator (either the remote access server
or the Remote Authentication Dial-In User Service (RADIUS) server) negotiate the exact authentication
scheme to be used. Routing and Remote Access includes support for EAP-Transport Layer Security (EAP-
TLS) by default. You can plug in other EAP modules to the server running Routing and Remote Access to
provide other EAP methods.

Using Smart Cards for Remote Access

Using smart cards for user authentication is the strongest form of authentication in the Windows Server
2008 family. For remote access connections, you must use EAP with the Smart card or other certificate
(TLS) EAP type, also known as EAP-TLS.
To use smart cards for remote access authentication, you must:
Configure remote access on the remote access server.
Install a computer certificate on the remote access server computer.
Configure the smart card or other certificate (TLS) EAP type in network policies.
Enable smart card authentication on the dial-up or VPN connection on the remote access client.

Tunneling Protocols for a VPN Connection

Key Points
PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to
send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets
within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was
defined originally as the protocol to use between a dial-up client and a network access server.

PPTP
PPTP enables you to encrypt multi-protocol traffic and encapsulate it in an IP header, which is then sent
across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and
site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a
PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.
Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a
Transmission Control Protocol (TCP) connection for tunnel management and a modified version of
Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the
encapsulated PPP frames can be encrypted, compressed, or both.
Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using
encryption keys generated from the MS-CHAP v2 or EAP-TLS authentication process. VPN clients must
use the MS-CHAP v2 or EAP-TLS authentication protocol so that the payloads of PPP frames can be
encrypted. PPTP takes advantage of the underlying PPP encryption by encapsulating a PPP frame that has
already been encrypted.

L2TP
L2TP enables you to encrypt multi-protocol traffic to send over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and
Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.

Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP
relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as
L2TP/IPsec.

Both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built in to the
Windows XP, Windows Vista, and Windows 7 remote access clients, and VPN server support for L2TP
is built in to members of the Windows Server 2008 and Windows Server 2003 family.

Note: L2TP is installed with the TCP/IP protocol.

Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers:
  First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and a
  User Datagram Protocol (UDP) header.
  Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec Encapsulating
  Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides message
  integrity and authentication, and a final IP header. The IP header contains the source and destination
  IP addresses that correspond to the VPN client and server.
Encryption: The L2TP message is encrypted with one of the following algorithms by using encryption
keys generated from the IKE negotiation process: Advanced Encryption Standard (AES) 256, AES 192,
AES 128, or 3DES.

SSTP
SSTP is a tunneling protocol that uses the Hypertext Transfer Protocol Secure (HTTPS) protocol over TCP
port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic.
SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the
HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL
provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS
layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.
Encapsulation: SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP
uses a TCP connection (over port 443) for tunnel management and for carrying PPP data frames.
Encryption: The SSTP message is encrypted within the SSL channel of the HTTPS protocol.

IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because
of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity,
making it a good choice for mobile users who move between access points and even switch between
wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves
from one wireless hotspot to another or when it switches from a wireless to a wired connection; this ability
is a requirement of VPN Reconnect.

The use of IKEv2 and IPsec enables support for strong authentication and encryption methods.
Encapsulation: IKEv2 encapsulates datagrams by using IPsec ESP or AH headers for transmission over
the network.
Encryption: The message is encrypted with one of the following algorithms by using encryption keys
generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192,
AES 128, or 3DES.
IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2.

Note: IKEv2 is the default VPN tunneling protocol in Windows 7.

Considerations for Installing a VPN Server

Key Points
Before you deploy your organization's VPN solution, consider the following factors:
To accept incoming connections, your VPN server requires two network interfaces: determine which
network interface connects to the Internet and which network interface connects to your private
network. During configuration, you must choose which network interface connects to the Internet. If
you specify the incorrect interface, your remote access VPN server will not operate correctly.
Determine whether remote clients receive IPv4 addresses from a Dynamic Host Configuration
Protocol (DHCP) server on your private network or from the remote access VPN server that you are
configuring. If you have a DHCP server on your private network, the remote access VPN server can
lease ten addresses at a time from the DHCP server and assign those addresses to remote clients. If
you do not have a DHCP server on your private network, the remote access VPN server can generate
and assign IP addresses automatically to remote clients. If you want the remote access VPN server to
assign IP addresses from a range that you specify, you must determine what that range should be.
Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS
server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful
if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS
clients to your private network.
Determine whether IPv4 VPN clients can send DHCP messages to the DHCP server on your private
network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages
from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a
DHCP server is on a different subnet from your remote access VPN server, ensure that the router
between subnets can relay DHCP messages between the clients and the server. If your router is
running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent
service on the router to forward DHCP messages between subnets.
Ensure that the individual responsible for the deployment of your VPN solution has the necessary
administrative group memberships to install the server roles and configure the necessary services;
membership of the local Administrators group is required to perform these tasks.

Demonstration: Configuring a VPN Server

Key Points
In this demonstration, you will see how to:
Configure user dial-in settings.
Configure Routing and Remote Access as a VPN server.
Configure a VPN client.

Demonstration Steps:
1. Verify the dial-in permission of Adam Carter.
2. Determine group memberships of Adam Carter.
3. Add the Network Policy Server role to NYC-EDGE1.
4. Configure and enable a VPN server on NYC-EDGE1.
5. Disable existing NPS policies on NYC-EDGE1.
6. Create a VPN connection on NYC-CL1.
7. Attempt to connect to NYC-EDGE1 by using the VPN.

Additional Configuration Tasks for VPN Servers

Key Points
After you complete the steps in the Add Roles Wizard and complete the configuration in Routing and
Remote Access, your server is ready for use as a remote access VPN server.
The following are the additional tasks that you can perform on your remote access/VPN server:
Configure static packet filters. Add static packet filters to better protect your network.
Configure services and ports. Choose which services on the private network you want to make
available for remote access users.
Adjust logging levels for routing protocols. Configure the level of event details that you want to log.
You can decide which information you want to track in log files.
Configure the number of VPN ports. Add or remove VPN ports.
Create a Connection Manager profile for users. Manage the client connection experience for users
and simplify troubleshooting of client connections.
Add Active Directory Certificate Services (AD CS). Configure and manage a certification authority (CA)
on a server for use in a PKI.
Increase remote access security. Protect remote users and the private network by enforcing use of
secure authentication methods, requiring higher levels of data encryption, and more.
Increase VPN security. Protect remote users and the private network by requiring use of secure
routing and tunneling protocols, configuring account lockout, and more.
Consider implementing VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless
and consistent VPN connectivity, automatically re-establishing a VPN connection when users temporarily
lose their Internet connections.

What Is VPN Reconnect?

Key Points
In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and
access it continuously, without interruption. For example, users might want to securely access data on the
company's server in the head office, from a branch office, or while on the road.

To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows
Server 2008 R2 and Windows 7. This enables users to securely access the company's data by using a VPN
connection, which will automatically reconnect if connectivity is interrupted. It also enables roaming
between different networks.

VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and
consistent VPN connectivity. VPN Reconnect automatically re-establishes a VPN connection when Internet
connectivity is available again. Users who connect by using a wireless mobile broadband connection
benefit most from this capability.

Consider a user with a laptop running Windows 7. When the user travels to work by train, the user
connects to the Internet by using a wireless mobile broadband card and then establishes a VPN
connection to the company's network. When the train passes through a tunnel, the Internet connection is
lost. After the train comes out of the tunnel, the wireless mobile broadband card automatically reconnects
to the Internet. With earlier versions of Windows client and server operating systems, the VPN did not
reconnect automatically. Therefore, the user needed to manually repeat the multistep process of
connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity.

With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically re-establish active VPN
connections when the Internet connectivity is re-established. Even though the reconnection might take
several seconds, users stay connected and have uninterrupted access to internal network resources.

The system requirements for using the VPN Reconnect feature are as follows:
Windows Server 2008 R2 as a VPN server
Windows 7 or Windows Server 2008 R2 client
PKI infrastructure, because a computer certificate is required for a remote connection with VPN
Reconnect. Certificates issued by either an internal or public CA can be used.

Lesson 2
Overview of Network Policies

Network policies determine whether a connection attempt is successful, and if such an attempt is
successful, the network policy defines connection characteristics, such as day and time restrictions, session
idle-disconnect times, and other settings.

Understanding how to configure network policies is essential if you are to successfully implement VPNs
based on the Network Policy and Access Services Server role within your organization.

Objectives
After completing this lesson, you will be able to:
Describe the Network Policy and Access Services role.
Describe how network policies are used to control and secure a VPN connection.
Describe the process for creating and configuring a Network Policy.
Create a Network Policy to be used for VPN connections.
Describe how network policies are processed.

What Is the Network Policy and Access Services Role?

Key Points
The Network Policy and Access Services role in Windows Server 2008 R2 provides the following network
connectivity solutions:
NAP. NAP is a client health policy creation, enforcement, and remediation technology that is
included in the Windows XP with SP3, Windows Vista, and Windows 7 client operating systems and in
the Windows Server 2008 and Windows Server 2008 R2 operating systems. With NAP,
you can establish and automatically enforce health policies, which can include software requirements,
security update requirements, required computer configurations, and other settings. If client
computers do not comply with a health policy, you can restrict their network access until their
configuration is updated and brought into compliance. Depending on how you choose to deploy
NAP, noncompliant clients can be updated automatically so that users can regain full network access
quickly without manually updating or reconfiguring their computers.
Secure wireless and wired access. When you deploy 802.1X wireless access points, you provide
wireless users with a secure, password-based authentication method that is easy to deploy. When
you deploy 802.1X authenticating switches, wired access allows you to secure your network by
ensuring that intranet users are authenticated before they can connect to the network or obtain an IP
address by using DHCP.
Remote access solutions. With remote access solutions, you can provide users with VPN and
traditional dial-up access to your organization's network. You also can connect branch offices to your
network with VPN solutions, deploy full-featured software routers on your network, and share
Internet connections across the intranet.
Central network policy management with RADIUS server and proxy. Rather than configuring
network access policy at each network access server, such as wireless access points, 802.1X
authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location
that specify all aspects of network connection requests, including who is allowed to connect, when
they can connect, and the level of security they must use to connect to your network.


What Is a Network Policy?

Key Points
Network policies are sets of conditions, constraints, and settings that enable you to designate who is
authorized to connect to the network and the circumstances under which they can, or cannot, connect.
Additionally, when you deploy NAP, health policy is added to the network policy configuration so that
NPS performs client health checks during the authorization process.
You can view network policies as rules; each rule has a set of conditions and settings. NPS compares the
rule's conditions with the properties of connection requests. If a match occurs between the rule and the
connection request, the settings that you define in the rule are applied to the connection.
When you configure multiple network policies in NPS, they form an ordered set of rules. NPS checks each
connection request against the list's first rule, then the second, and so on, until a match is found.

Note: After a matching rule is determined, further rules are disregarded. It is important to order your
network policies appropriately.

Each network policy has a Policy State setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate the policy when authorizing connection requests.

Network Policy Properties


Each network policy has four categories of properties:
• Overview. These properties allow you to specify whether the policy is enabled; whether the policy
grants or denies access; and whether a specific network connection method, or type of network
access server, is required for connection requests. Overview properties also enable you to specify
whether to ignore the dial-in properties of user accounts in AD DS. If you select this option, NPS uses
only the network policy's settings to determine whether to authorize the connection.
• Conditions. These properties allow you to specify the conditions that the connection request must
have to match the network policy. If the conditions configured in the policy match the connection
request, NPS applies the network-policy settings to the connection. For example, if you specify the
network access server IPv4 address (NAS IPv4 Address) as a condition of the network policy and NPS
receives a connection request from a NAS that has the specified IP address, the condition in the policy
matches the connection request.
• Constraints. Constraints are additional parameters of the network policy that are required to match
the connection request. If the connection request does not match a constraint, NPS automatically
rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a
constraint is not matched, NPS does not evaluate additional network policies; the connection request
is denied.
• Settings. These properties allow you to specify the settings that NPS applies to the connection
request if all of the policy's conditions are matched.
When you add a new network policy by using the NPS MMC snap-in, you must use the New Network
Policy Wizard. After you have created a network policy by using the wizard, you can customize the policy
by double-clicking it in NPS to open the policy properties.


Process for Creating and Configuring a Network Policy

Key Points
NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a
connection request to your network. You can configure a new network policy in either the NPS MMC
snap-in or the Routing and Remote Access Service MMC snap-in.

Creating Your Policy


When you use the New Network Policy Wizard to create a network policy:
• The value that you specify as the network connection method is used to configure the Policy Type
condition automatically. If you keep the default value, NPS evaluates the network policy that you
create for all network connection types through any type of network access server. If you specify a
network connection method, NPS evaluates the network policy only if the connection request
originates from the type of network access server that you specify. For example, if you specify Remote
Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from
Remote Desktop Gateway servers.
• On the Specify Access Permission page, you must select Access granted if you want the policy to
allow users to connect to your network. If you want the policy to prevent users from connecting to
your network, select Access denied. If you want user account dial-in properties in AD DS to determine
access permission, you can select the Access is determined by User Dial-in properties (which override
NPS policy) check box.

Note: To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.

Adding a Network Policy by Using the Windows Interface


To add a network policy by using the Windows interface:
1. Open the NPS console, and expand Policies.
2. In the console tree, right-click Network Policies, and then click New. The New Network Policy
Wizard opens.
3. Use the New Network Policy Wizard to create a policy.
4. Configure the Network Policy properties (described in the remainder of this topic).

Configuring Your Policy


After you have created your policy, you can use the properties dialog box for the policy to view or
reconfigure its settings.

Network Policy Properties: Overview Tab


From the Overview tab of the Properties sheet for a network policy, or while running the New Network
Policy Wizard, you can configure the following:
• Policy Name. Type a friendly and meaningful name for the network policy.
• Policy State. Designate whether to enable the policy.
• Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS
should ignore the dial-in properties of user accounts in AD DS when using the policy to perform the
connection attempt's authorization.
• The network connection method to use for the connection request:
  • Unspecified. If you select Unspecified, NPS evaluates the network policy for all connection
  requests that originate from any type of network access server and for any connection method.
  • Remote Desktop Gateway. If you specify Remote Desktop Gateway, NPS evaluates the network
  policy for connection requests that originate from servers that are running Remote Desktop
  Gateway.
  • Remote Access Server (VPN-Dial-up). If you specify Remote Access Server (VPN-Dial-up), NPS
  evaluates the network policy for connection requests that originate from a computer running
  Routing and Remote Access service configured as a dial-up or VPN server. If another dial-up or
  VPN server is used, the server must support the RADIUS protocol and the authentication
  protocols that NPS provides for dial-up and VPN connections.
  • DHCP Server. If you specify DHCP Server, NPS evaluates the network policy for connection
  requests that originate from servers that are running DHCP.
  • Health Registration Authority. If you specify Health Registration Authority, NPS evaluates the
  network policy for connection requests that originate from servers that are running Health
  Registration Authority.
  • HCAP Server. If you specify HCAP Server, NPS evaluates the network policy for connection
  requests that originate from servers that are running HCAP.

Network Policy Properties: Conditions Tab


You must configure at least one condition for every network policy. NPS provides many condition groups
that allow you to define clearly the properties that a connection request must have to match the policy.

The available condition groups are:


• Groups. These specify user or computer groups that you configure in AD DS and to which you want
the other rules of the network policy to apply when group members attempt to connect to the
network.
• HCAP. These conditions are used only when you want to integrate your NPS NAP solution with Cisco
Network Admission Control. To use these conditions, you must deploy Cisco Network Admission
Control and NAP. You also must deploy an HCAP server running both Internet Information Services
(IIS) and NPS.
• Day and Time Restrictions. The Day and Time Restrictions condition allows you to specify, at a
weekly interval, whether to allow connections on a specific set of days and times.
For example, you can configure this condition to allow access to your network only between the
hours of 8 A.M. and 5 P.M., Monday through Thursday. With this condition value, users whose
connection requests match all conditions of the network policy cannot connect to the network on
Fridays, Saturdays, Sundays, and during other weekdays between the hours of 5 P.M. and 8 A.M., but
they can connect between Monday and Thursday between 8 A.M. and 5 P.M.

Conversely, you can specify the days and times during which you want to deny network connections.
If you specify days and times during which to deny connections, users can access your network on the
unspecified days and times. For example, if you configure this condition to deny connections all day
on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through
Saturday at any time.
• NAP. Settings include Identity Type, MS-Service Class, NAP-Capable Computers, Operating System,
and Policy Expiration.

Note: The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health
checks when NPS does not receive an Access-Request message that contains a value for the User-
Name attribute. In these circumstances, client health checks are performed, but authentication and
authorization are not.

• Connection Properties. Settings include Access Client IPv4 Address, Access Client IPv6 Address,
Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.
• RADIUS Client Properties. Settings include Calling Station ID, Client Friendly Name, Client IPv4
Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.

Important: Client computers, such as wireless laptop computers and other computers running client
operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless
access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up
servers, because they use the RADIUS protocol to communicate with RADIUS servers such as NPS
servers.

• Gateway. Settings include Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6 Address, and
NAS Port Type.

Network Policy Properties: Constraints Tab


Constraints are optional additional network policy parameters that differ from network policy conditions
in one substantial way: when a condition does not match a connection request, NPS continues to
evaluate other configured network policies to find a match for the connection request. When a constraint
does not match a connection request, NPS does not evaluate additional network policies, but rejects the
connection request, and the user or computer is denied network access.

The following list describes the constraints that you can configure in network policy:
• Authentication Methods. Allows you to specify the authentication methods that are required for the
connection request to match the network policy.
• Idle Timeout. Allows you to specify the maximum time, in minutes, that the connection can remain
idle before the network access server disconnects it.
• Session Timeout. Allows you to specify the maximum amount of time, in minutes, that a user can be
connected to the network.
• Called Station ID. Allows you to specify the telephone number of the dial-up server that clients use
to access the network.
• Day and Time Restrictions. Allows you to specify when users can connect to the network.
• NAS Port Type. Allows you to specify the access media types that users are allowed to use to connect
to the network.

Network Policy Properties: Settings Tab


NPS applies the settings that you configure in the network policy to the connection if all of the
conditions and constraints that you configure in the policy match the connection request's properties.

The available groups of settings that you can configure are:
• RADIUS Attributes.

Important: If you plan to return to RADIUS clients any additional RADIUS attributes or vendor-specific
attributes (VSAs) with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs
to the appropriate network policy.

RADIUS attributes are described in Request for Comments (RFC) 2865, RFC 2866, RFC 2867, RFC 2868, RFC
2869, and RFC 3162. RFCs and Internet drafts for VSAs define additional RADIUS attributes.
• NAP. With NAP Enforcement, you can specify how you want to enforce NAP, remediation server
groups, a troubleshooting URL, and auto-remediation.
• Routing and Remote Access. Includes Multilink and Bandwidth Allocation Protocol (BAP), IP filters,
encryption, and IP settings.


Demonstration: How to Create a Network Policy

Key Points
In this demonstration, you will see how to create a VPN policy and test it.

Demonstration Steps:
1. Create a VPN policy based on the Windows Groups condition.
2. Test the VPN policy you previously created.


How Network Policies Are Processed

Key Points
When NPS performs authorization of a connection request, it compares the request with each network
policy in the ordered list of policies, starting with the policy with the highest processing order and moving
down the list.
If NPS finds a network policy in which the conditions match the connection request, NPS uses the
matching network policy and the dial-in properties of the user account to perform the authorization.

• If you configure the dial-in properties of the user account to grant or control access through network
policy, and the connection request is authorized, NPS applies the settings that you configure in the
network policy to the connection.
• If NPS does not find a network policy that matches the connection request, NPS rejects the
connection unless the dial-in properties on the user account are set to grant access.
• If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.
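The processing rules in this topic, the condition versus constraint distinction from the Constraints tab topic, and the Day and Time Restrictions example can be modeled as a short evaluator. The following Python is an added illustration, not Microsoft code or part of this course; its attribute keys (Tunnel-Type, Authentication-Type), the 'allow', 'deny' and 'control' dial-in values, the sample policies and the timestamps are constructed for the example, loosely following the lab's Secure VPN policy.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Allowed hour windows per weekday (0 = Monday ... 6 = Sunday); a window (start, end) covers [start, end).
Windows = Dict[int, List[Tuple[int, int]]]
ALL_DAY = [(0, 24)]


@dataclass
class DayTimeRestriction:
    """Weekly schedule, like the Day and Time Restrictions condition or constraint."""
    allowed: Windows

    def matches(self, when: datetime) -> bool:
        return any(start <= when.hour < end
                   for start, end in self.allowed.get(when.weekday(), []))


@dataclass
class NetworkPolicy:
    name: str
    enabled: bool = True            # Policy State
    grant: bool = True              # Access Permission: granted or denied
    ignore_dialin: bool = False     # "Ignore user account dial-in properties" on the Overview tab
    conditions: Dict[str, Set[str]] = field(default_factory=dict)    # attribute -> acceptable values
    day_time_condition: Optional[DayTimeRestriction] = None
    constraints: Dict[str, Set[str]] = field(default_factory=dict)
    day_time_constraint: Optional[DayTimeRestriction] = None
    settings: Dict[str, str] = field(default_factory=dict)           # applied when access is granted

    def _attrs_match(self, wanted: Dict[str, Set[str]], request: dict) -> bool:
        return all(request.get(attr) in values for attr, values in wanted.items())

    def conditions_match(self, request: dict) -> bool:
        if not self._attrs_match(self.conditions, request):
            return False
        return self.day_time_condition is None or self.day_time_condition.matches(request["time"])

    def constraints_match(self, request: dict) -> bool:
        if not self._attrs_match(self.constraints, request):
            return False
        return self.day_time_constraint is None or self.day_time_constraint.matches(request["time"])


@dataclass
class Decision:
    granted: bool
    policy: Optional[str]           # name of the policy that decided; None if no policy matched
    reason: str
    settings: Dict[str, str] = field(default_factory=dict)


def authorize(request: dict, policies: List[NetworkPolicy], dialin: str = "control") -> Decision:
    """dialin is the AD DS dial-in property: 'allow', 'deny', or 'control' (control access through NPS policy)."""
    for policy in policies:                         # ordered list: the first matching policy wins
        if not policy.enabled or not policy.conditions_match(request):
            continue                                # unmatched condition: try the next policy
        # A matching policy was found; the remaining policies are disregarded from here on.
        if not policy.constraints_match(request):
            return Decision(False, policy.name, "constraint not matched: request rejected")
        if not policy.ignore_dialin and dialin == "deny":
            return Decision(False, policy.name, "user dial-in property denies access")
        if not policy.ignore_dialin and dialin == "allow":
            return Decision(True, policy.name, "user dial-in property grants access", policy.settings)
        if policy.grant:
            return Decision(True, policy.name, "policy grants access", policy.settings)
        return Decision(False, policy.name, "policy denies access")
    # No policy matched: reject unless the dial-in property explicitly grants access.
    if dialin == "allow":
        return Decision(True, None, "no matching policy; dial-in property grants access")
    return Decision(False, None, "no matching policy")


# Constructed policies. SECURE_VPN follows the lab's "Secure VPN" policy; its "denied 11 P.M. to 6 A.M.
# Monday through Friday" constraint is written here as the complementary allowed windows.
SECURE_VPN = NetworkPolicy(
    name="Secure VPN",
    conditions={"Tunnel-Type": {"L2TP", "PPTP", "SSTP"}},
    constraints={"Authentication-Type": {"MS-CHAP-v2"}},
    day_time_constraint=DayTimeRestriction({**{d: [(6, 23)] for d in range(5)}, 5: ALL_DAY, 6: ALL_DAY}),
    settings={"Encryption": "MPPE 128-bit"},
)
# The topic's example condition: allow connections only 8 A.M. to 5 P.M., Monday through Thursday.
BUSINESS_HOURS = NetworkPolicy(
    name="Business hours only",
    day_time_condition=DayTimeRestriction({d: [(8, 17)] for d in range(4)}),
)
POLICIES = [SECURE_VPN, BUSINESS_HOURS]

# Constructed timestamps (2011-09-07 is a Wednesday, 2011-09-09 a Friday).
WED_NOON = datetime(2011, 9, 7, 12, 0)
WED_2AM = datetime(2011, 9, 7, 2, 0)
FRI_10AM = datetime(2011, 9, 9, 10, 0)


def vpn_request(tunnel: Optional[str], auth: str, when: datetime) -> dict:
    """A minimal connection request; tunnel=None stands for a request without a Tunnel-Type attribute."""
    return {"Tunnel-Type": tunnel, "Authentication-Type": auth, "time": when}
```

Calling authorize(vpn_request("PPTP", "PAP", WED_NOON), POLICIES) is rejected by Secure VPN on the authentication constraint even though Business hours only would have matched, which is exactly the condition versus constraint difference described in the Constraints tab topic.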


Lab A: Implementing a Virtual Private Network

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V
Manager.
2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 through 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lab Scenario
Contoso, Ltd. would like to implement a remote access solution for its employees, so they can connect to
the corporate network while away from the office. Contoso, Ltd. requires a network policy that mandates
that VPN connections are encrypted for security reasons. You are required to enable and configure the
necessary server services to facilitate this remote access.
For this project, you must complete the following tasks:
• Configure Routing and Remote Access as a VPN remote access solution.
• Configure a custom Network Policy.


Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Scenario
In this exercise, you will install and configure the Network Policy and Access Services role to support the
requirements of the Contoso, Ltd. workforce.

The main tasks for this exercise are as follows:
1. Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
2. Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.
3. Configure available VPN ports on the RRAS server to allow 25 PPTP, 25 L2TP, and 25 SSTP
connections.

Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.
1. Switch to the NYC-EDGE1 virtual server.
2. Open Server Manager.
3. Add the Network Policy and Access Services role with the following role services:
a. Network Policy Server
b. Routing and Remote Access Services

Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for
Remote Access clients.
1. On NYC-EDGE1, open Routing and Remote Access.
2. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable
Routing and Remote Access.
3. Use the following settings to configure the service:
a. On the Configuration page, accept the defaults.
b. On the Remote Access page, select the VPN check box.
c. On the VPN Connection page, select the Public interface.
d. On the IP Address Assignment page, select the From a specified range of addresses option.
e. On the Address Range Assignment page, create an address pool with 75 entries with a start
address of 10.10.0.60.
f. On the Managing Multiple Remote Access Servers page, accept the defaults.
g. Accept any messages by clicking OK.

Task 3: Configure available VPN ports on the RRAS server to allow 25 PPTP and 25
L2TP connections.
1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then
right-click Ports, and then click Properties.
2. Use the following information to complete the configuration process:
a. Number of WAN Miniport (SSTP) ports: 25
b. Number of WAN Miniport (PPTP) ports: 25
c. Number of WAN Miniport (L2TP) ports: 25
3. Click OK to confirm any prompts.
4. Close the Routing and Remote Access tool.

Results: At the end of this exercise, you will have enabled routing and remote access on the NYC-EDGE1 server.


Exercise 2: Configuring a Custom Network Policy


Scenario
In this exercise, you will create and verify a custom network policy in accordance with the requirements of
Contoso, Ltd. The requirements for this policy are:
• Supported tunnel types: L2TP, PPTP
• Supported authentication methods: MS-CHAP-v2 with strongest authentication
• Constraints: Connections disallowed between 11 P.M. and 6 A.M., Monday through Friday
The main tasks for this exercise are as follows:
1. Open the Network Policy Server management tool on 6419B-NYC-EDGE1.
2. Create a new network policy for RRAS clients.
3. Create and test a VPN connection.

Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1.


1. Switch to the NYC-EDGE1 virtual computer.
2. Open the Network Policy Server tool.

Task 2: Create a new network policy for RRAS clients.


1. In the Network Policy Server console, create a new policy with the following settings:
a. Name: Secure VPN.
b. Type of network access server: Remote Access Server (VPN-Dial up).
c. Conditions: Tunnel Type = L2TP, PPTP, SSTP.
d. Access permission: Access granted.
e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2).
f. Constraints: Day and time restrictions = 11 P.M. to 6 A.M., Monday through Friday, denied.
g. Settings: Encryption = Strongest encryption (MPPE 128-bit).
2. Ensure that the Secure VPN policy is the first in the list of any policies.
3. Close the Network Policy Server tool.

Task 3: Create and Test a VPN Connection.


1. Switch to the NYC-CL1 computer.
2. Open Network and Sharing Center.
3. Change the network adapter settings as follows:
a. IP Address: 131.107.0.20
b. Subnet mask: 255.255.255.0
c. Default gateway: 131.107.0.1
4. Create a VPN with the following settings:
a. Internet address to connect to: 131.107.0.2.
b. Name: Contoso VPN.
5. Connect with the new VPN properties as follows:


a. User name: Administrator
b. Password: Pa$$w0rd
c. Domain: Contoso

Note: The VPN connects successfully.

6. Disconnect the VPN and close all open windows.

Results: In this exercise, you created and tested a VPN connection.

To prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.


Lesson 3
Integrating Network Access Protection with VPNs

NAP enables you to create customized health-requirement policies to validate computer health before
allowing access or communication, to automatically update compliant computers to ensure ongoing
compliance, and to limit the access of noncompliant computers to a restricted network until they
become compliant.
NAP with VPN protection enables you to control access to your organization's private network based
on the health status of the VPN clients. You must be able to configure NAP appropriately if you wish to
implement this protection.

Objectives
After completing this lesson, you will be able to:
• Describe NAP.
• Describe the advantages of using Network Access Protection with a VPN solution.
• Describe the NAP client and server components.
• Describe how NAP enforcement works for VPN connections.


What Is Network Access Protection?

Key Points
NAP for Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista provides
components and an application programming interface (API) that help you enforce compliance with your
organization's health-requirement policies for network access or communication.

NAP enables you to create solutions for validating computers that connect to your networks, as well as
provide needed updates or access to needed health update resources and limit the access or
communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors or with custom
programs. Developers within your organization can build and deploy a customized health-maintenance
solution, whether for monitoring the computers accessing the network for health policy compliance,
automatically updating computers with software updates to meet health policy requirements, or limiting
the access of computers that do not meet health policy requirements to a restricted network.

Remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the
health of your organization's networked computers automatically, which in turn helps maintain your
network's overall integrity. For example, if a computer has all the software and configuration settings that
the health policy requires, the computer is compliant and will have unlimited network access; however,
NAP does not prevent an authorized user with a compliant computer from uploading a malicious
program to the network or engaging in other inappropriate behavior.

Aspects of NAP
NAP has three important and distinct aspects:
• Health state validation. When a computer attempts to connect to the network, the computer's
health state is validated against the health-requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant. In a monitoring-only environment, all
computers have their health state evaluated, and the compliance state of each computer is logged for
analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies may
find their access limited to a restricted network.
• Health policy compliance. You can help ensure compliance with health-requirement policies by
choosing to update noncompliant computers automatically with missing software updates or
configuration changes through management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers will have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically, and you can define exceptions for computers that are not NAP compatible.
• Limited access. You can protect your networks by limiting the access of noncompliant computers.
You can base limited network access on a specific amount of time or on what the noncompliant
computer can access. In the latter case, you define a restricted network containing health update
resources, and the limited access will last until the noncompliant computer comes into compliance.
You also can configure exceptions so that computers that are not compatible with NAP do not have
their network access limited.


Advantages of Implementing VPN Enforcement

Key Points
With NAP with VPN enforcement, a computer must be compliant to obtain unlimited network access
through a remote access VPN connection. For noncompliant computers, network access is limited through
a set of IP packet filters that the VPN server applies to the VPN connection.

VPN enforcement enforces health policy requirements every time a computer attempts to obtain a
remote access VPN connection to the network. VPN enforcement also actively monitors the health status
of the NAP client and applies the restricted network's IP packet filters to the VPN connection if the client
becomes noncompliant.
The components of VPN enforcement consist of NPS in Windows Server 2008 R2 and a VPN EC that is
part of the remote access client in Windows 7, Windows Vista, Windows XP Service Pack 3, and Windows
Server 2008 R2. VPN enforcement provides strong limited network access for all computers accessing the
network through a remote access VPN connection.


Components of a VPN Enforcement Solution

Key Points
The components of a VPN enforcement solution consist of the following:
• NAP clients. Computers that support the NAP platform for system health-validated network access
or communication.
• NAP enforcement points. Computers or network-access devices that use NAP or that you can use
with NAP to require evaluation of a NAP client's health state and provide restricted network access or
communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to
evaluate the health state of NAP clients, whether network access or communication is allowed, and
the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement
points include the following:
  • VPN server. This is a computer that runs Windows Server 2008 R2 and Routing and Remote
  Access, and that enables VPN intranet connections via remote access.
  • DHCP server. This is a computer that runs Windows Server 2008 R2 and the DHCP Server service,
  and that provides automatic IPv4 address configuration to intranet DHCP clients.
• NAP health policy servers. These are computers that run Windows Server 2008 R2 and the NPS
service, and that store health-requirement policies and provide health-state validation for NAP. NPS is
the replacement for the Internet Authentication Service (IAS) and the RADIUS server and proxy that
Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting
(AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS
typically runs on a separate server for centralized configuration of network access and health-
requirement policies. The NPS service also runs on Windows Server 2008 R2-based NAP
enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server.
However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS
messages with a NAP health policy server.
• Health requirement servers. These are computers providing the current system health state for NAP
health policy servers. An example of these would be a health-requirement server for an antivirus
program that tracks the latest version of the antivirus signature file.


• AD DS. This Windows directory service stores account credentials and properties and Group Policy
settings. Although not required for health-state validation, Active Directory is required for IPsec-
protected communications, 802.1X-authenticated connections, and remote access VPN connections.
• Restricted network. This is a separate logical or physical network that contains:
  • Remediation servers. These are computers that contain health update resources that NAP
  clients can access to remediate their noncompliant state. Examples include antivirus signature
  distribution servers and software update servers.
  • NAP clients with limited access. These are computers placed on the restricted network when
  they do not comply with health-requirement policies.


How VPN Enforcement Determines Remote Access

Key Points
VPN enforcement uses a set of remote-access IP packet filters to limit VPN client traffic so that it can
reach only the resources on the restricted network. The VPN server applies the IP packet filters to the IP
traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a
configured packet filter.

VPN Enforcement Process


The following process occurs when a NAP-capable VPN client connects to a NAP-capable VPN server:
1. VPN initiation. The VPN client initiates a connection to the VPN server. The VPN server requests that
the VPN client identify itself. The NAP enforcement client (EC) on the VPN client responds, providing
the VPN client's user name.
2. Request SSoH. The VPN server forwards this response to the NAP health policy server. The NAP health
policy server contacts the VPN client, and the two exchange a series of messages to negotiate a
secure session. Then the NAP health policy server sends a System Statement of Health (SSoH) request
to the VPN client.
3. Generate SSoH. The VPN NAP EC on the client queries the local NAP Agent for the SSoH and passes
it to the NAP health policy server.
4. Authentication. The NAP health policy server requests that the VPN client authenticate itself, and the
VPN client authenticates itself to the NAP health policy server.
5. Generate SoHR. The NPS service on the NAP health policy server passes the SSoH to the NAP
Administration Server component, which in turn passes the individual SoHs to the appropriate System
Health Validators (SHVs). Each SHV analyzes its SoH and returns a Statement of Health Response
(SoHR) to the NAP Administration Server, which in turn passes the SoHRs to the NPS service.
6. Compare SoHR with health policies. The NPS service compares the SoHRs with the configured
health policies, creates the System Statement of Health Response (SSoHR), and then sends the SSoHR
to the VPN client.
7. Determine access. The NPS service sends a RADIUS Access-Accept message to the VPN server:


  • If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP
  packet filters that limit the VPN client to the restricted network.
  • If the VPN connection is unlimited, the RADIUS Access-Accept message does not contain IP
  packet filters to limit network access. After the VPN connection completes, the NAP client will
  have unlimited network access.
8. Complete connection. The VPN client and VPN server complete the VPN connection.
If the VPN client is noncompliant, the VPN connection has the packet filters applied, and the VPN client
can reach only the resources on the restricted network.
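The following PowerShell script is an added illustration, not code from this course: it models steps 5 through 7 above as plain functions, so you can see how an SHV turns a client's SoH into a SoHR and how NPS turns that SoHR into an Access-Accept with or without restricted-network IP filters. The requirement values, the two client SoHs, and the remediation host (10.10.0.10, the address used later in Lab B) are constructed for the example; the policy names Compliant-Full-Access and Noncompliant-Restricted are the ones the lab creates. No real NAP component is called.

```powershell
# Added example (not code from the course): a self-contained model of how an
# SHV and NPS turn a VPN client's SoH into the Access-Accept of step 7, with or
# without restricted-network IP filters. All values below are constructed.

# Step 5: an SHV compares one SoH against its requirement and returns a SoHR.
function Invoke-Shv {
    param(
        [hashtable]$Soh,          # what the client's SHA reported
        [hashtable]$Requirement   # what the health requirement server says is current
    )
    $failures = @()
    if ($Requirement.FirewallEnabled -and -not $Soh.FirewallEnabled) {
        $failures += 'Firewall is disabled on one or more network connections'
    }
    if ($Soh.AvSignatureVersion -lt $Requirement.AvSignatureVersion) {
        $failures += ('Antivirus signature {0} is older than required {1}; fetch it from {2}' -f $Soh.AvSignatureVersion, $Requirement.AvSignatureVersion, $Requirement.AvSignatureServer)
    }
    # The SoHR carries the verdict and, for a failing client, the remediation
    # hint that the corresponding SHA on the client acts on.
    return @{ Compliant = ($failures.Count -eq 0); Remediation = $failures }
}

# Steps 6 and 7: NPS matches the SoHR against the health policies
# ("Compliant" = passes all SHV checks, "Noncompliant" = fails one or more),
# selects the matching network policy and builds the RADIUS Access-Accept.
function Get-NpsDecision {
    param([hashtable]$Sohr, [string]$RemediationHost = '10.10.0.10')

    if ($Sohr.Compliant) {
        # Compliant-Full-Access: Access-Accept with no IP filters means unlimited access.
        return @{ NetworkPolicy = 'Compliant-Full-Access'; IPFilters = @(); Remediation = @() }
    }
    # Noncompliant-Restricted: still an Access-Accept, but the VPN server applies
    # the filters so that only the remediation host is reachable.
    return @{
        NetworkPolicy = 'Noncompliant-Restricted'
        IPFilters     = @(
            "IPv4 input filter:  destination $RemediationHost/255.255.255.255",
            "IPv4 output filter: source $RemediationHost/255.255.255.255"
        )
        Remediation   = $Sohr.Remediation
    }
}

# Constructed data: the requirement the SHV enforces and two client SoHs.
$requirement = @{ FirewallEnabled = $true; AvSignatureVersion = 145; AvSignatureServer = '10.10.0.10' }
$clients = @{
    'CL1-healthy' = @{ FirewallEnabled = $true;  AvSignatureVersion = 145 }
    'CL2-stale'   = @{ FirewallEnabled = $false; AvSignatureVersion = 140 }
}

foreach ($name in $clients.Keys) {
    $sohr     = Invoke-Shv -Soh $clients[$name] -Requirement $requirement
    $decision = Get-NpsDecision -Sohr $sohr
    Write-Output ('{0}: Access-Accept via "{1}", {2} IP filter(s)' -f $name, $decision.NetworkPolicy, $decision.IPFilters.Count)
    $decision.IPFilters   | ForEach-Object { Write-Output "    $_" }
    $decision.Remediation | ForEach-Object { Write-Output "    remediate: $_" }
}
```

The point to take from the model is the one the process description makes: a noncompliant client still receives an Access-Accept, and the restriction comes entirely from the IP filters that the VPN server applies, so the filter set must be tight enough that only the remediation resources are reachable.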


Lesson 4
Configuring VPN Enforcement Using NAP

To ensure the correct configuration of VPN enforcement with NAP, you must understand which
components you must deploy and how to configure the required settings.

Objectives
After completing this lesson, you will be able to:
• Configure a VPN server to support NAP.
• Describe how System Health Validators are used to define requirements.
• Describe how Health Policies are used to designate configuration requirements.
• Describe the concept of Remediation servers.
• Describe general configuration settings for the NAP components.
• Configure NAP policies for VPN enforcement.
• Configure client settings to support NAP for VPN access.


What Is a System Health Validator?

Key Points
SHAs and SHVs, which are NAP infrastructure components, provide health-state tracking and validation.
Windows 7 includes a Windows Security Health Validator SHA that monitors the Windows Security Center
settings. Windows Server 2008 R2 includes a corresponding Windows Security Health Validator SHV. NAP
is designed to be flexible and extensible, and interoperates with any vendor's software that provides SHAs
and SHVs that use the NAP API.

An SHV receives a SoH from the NAP Administration Server and compares the system health status
information in the SoH with the required system health state. For example, if the SoH is from an antivirus
SHA and contains the last virus-signature file version number, the corresponding antivirus SHV can check
with the antivirus health requirement server for the latest version number to validate the NAP client's SoH.

The SHV returns a SoHR to the NAP Administration Server. The SoHR can contain information about how
the corresponding SHA on the NAP client can meet current system-health requirements. For example, the
SoHR that the antivirus SHV sends could instruct the NAP client's antivirus SHA to request the latest
version of the antivirus signature file from a specific antivirus signature server, identified by name or IP address.


What Is a Health Policy?

Key Points
Health policies consist of one or more SHVs and other settings that allow you to define client-computer
configuration requirements for the NAP-capable computers that attempt to connect to your network.
When NAP-capable clients attempt to connect to the network, the client computer sends a SoH to the
NPS. The SoH is a report of the client configuration state, and NPS compares the SoH with the
requirements that the health policy defines. If the client configuration state does not match the
requirements that the health policy defines, NPS takes one of the following actions, depending on the
NAP configuration:
• It rejects the connection request.
• It places the NAP client on a restricted network where it can receive updates from remediation servers
that bring the client into compliance with health policy. After the NAP client achieves compliance,
NPS enables it to connect.
• It allows the NAP client to connect to the network despite its noncompliance with health policy.
You can define NPS client-health policies by adding one or more SHVs to the health policy.

After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition
of a network policy that you want to use to enforce NAP when client computers attempt connection to
your network.


What Is a Remediation Server Group?

Key Points
A remediation server group is a list of restricted network servers that provide resources that bring
noncompliant NAP-capable clients into compliance with your defined client health policy.
A remediation server hosts the updates that NAP agent can use to bring noncompliant client computers
into compliance with health policy, as NPS defines. For example, a remediation server can host antivirus
signatures. If health policy requires that client computers have the latest antivirus definitions, the
following work together to update noncompliant computers: an antivirus SHA, an antivirus SHV, an
antivirus policy server, and the remediation server.


Overview of VPN NAP Enforcement Configuration

Key Points
To correctly establish VPN NAP enforcement, you must complete the following high-level configuration
tasks.

NAP Health Policy Server


You must define the following on the NAP health policy server:
• RADIUS clients. If you deployed Routing and Remote Access on a separate server computer, you
must configure the NAP VPN server as a RADIUS client in NPS.
• Connection request policy. Configure the following settings:
  • Source is set to remote access server.
  • Policy is configured to authenticate requests on this server.
  • Override network policy authentication settings is selected.
  • Protected Extensible Authentication Protocol (PEAP) is configured to enable health checks and
  allow secure password or certificate-based authentication.
• Network policies. Configure the following settings:
  • Source is set to remote access server.
  • Compliant, noncompliant, and non-NAP-capable policies are set to grant access.
  • Compliant network policy conditions are set to require the client to match compliant health
  policy.
  • Noncompliant network policy conditions are set to require the client to match noncompliant
  health policy.
  • Non-NAP-capable network policy conditions are set to require that the client is not NAP-capable.


  • Access settings: Full access is granted for compliant computers. In full enforcement mode, limited
  access is granted for noncompliant computers. Either full or limited access is granted for non-
  NAP-capable computers. If remediation server groups are not used, IP filters are configured in
  noncompliant policy settings and, optionally, in non-NAP-capable policy settings to provide
  restricted access.
• Health policies. Configure the following settings:
  • Compliant health policy is set to pass selected SHVs.
  • Noncompliant health policy is set to fail selected SHVs.
• System health validators. Error codes are configured, and depending on the SHV, health checks are
configured on the NAP health policy server or the health requirement server.
• Remediation server groups. Remediation server groups are required if IP filters are not used to
configure restricted access settings.

NAP VPN Server


You must define the following on the NAP VPN server:
• Authentication provider. If the NAP VPN server and the NAP health policy server are on different
computers, you must configure the NAP VPN server for RADIUS authentication by using the NAP
health policy server.
• Authentication methods. Configure the NAP VPN server to allow the PEAP authentication method.
• Client address assignment. Choose whether to assign VPN clients an IPv4 address by using DHCP or
a static address pool.

VPN NAP-Enabled Client Computer


You must define the following settings on a VPN NAP-enabled client computer:
• NAP Agent service. You can start the NAP Agent service by using either Group Policy or local policy
settings.
• VPN connection. You must configure a VPN connection on each client computer. You must
configure logon security settings to use Protected Extensible Authentication Protocol (PEAP) with
either MSCHAP v2 or certificate-based authentication.
• Quarantine checks. When configuring client PEAP properties in the advanced security settings of the
VPN connection, you must select the Enable Quarantine checks check box.
• Remote access enforcement client. You can enable the remote access enforcement client with
either Group Policy or local policy settings.


Demonstration: How to Configure NAP for VPN Enforcement

Key Points
In this demonstration, you will see how to:
• Configure the NPS role for NAP.
• Create VPN NAP policies.
• Configure VPN enforcement on the NPS server.

Demonstration Steps:
1. Install the required certificate on the VPN server.
2. Configure the NPS server as a health policy server.
3. Configure System Health Validators.
4. Configure Health Policies.
5. Configure Network Policies.


Client Settings to Support NAP

Key Points
You should remember these basic guidelines when you configure NAP clients:
• Some NAP deployments that use Windows Security Health Validator require that you enable Security
Center. For example, both Windows Vista and Windows XP with SP3 require Security Center to be
enabled.
• The Network Access Protection service is required when you deploy NAP to NAP-capable client
computers. By default, this service is not started.
• You also must configure the NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy


You can use this procedure to enable Security Center on NAP-capable clients by using Group Policy. Some
NAP deployments that use Windows Security Health Validator require Security Center.

Note: To complete this procedure, you must be a member of the Domain Admins, the Enterprise
Admins group, or the Administrators group on the local computer.

To enable Security Center in Group Policy:

1. Open the Group Policy Management console, and then click Add.

2. In the Select Group Policy Object dialog box, click Finish, and then click OK.
3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration,
double-click Administrative Templates, double-click Windows Components, and then double-click
Security Center.

4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.


Enable the Network Access Protection Service on Clients


You can use this procedure to enable and configure NAP service on NAP-capable client computers. When
you deploy NAP, enabling this service is required.

Note: To complete this procedure, you must be a member of the Domain Admins group, the
Enterprise Admins group, or the Administrators group on the local computer.

To enable the Network Access Protection service on client computers:

1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then
double-click Services.
2. In the services list, scroll down, and double-click Network Access Protection Agent.

3. In the Network Access Protection Agent Properties dialog box, change Startup Type to
Automatic, and then click OK.
4. Click Start.

Enable and Disable NAP Enforcement Clients


You can use this procedure to enable or disable, on NAP-capable computers, one or more NAP
enforcement clients, including the DHCP Enforcement Client, the Remote Access Enforcement Client, the
EAP Enforcement Client, the IPsec Enforcement Client, and the TS Gateway Enforcement Client.
To enable and disable NAP Enforcement Clients:

1. Open the NAP client configuration console. To do this, click Start, click All Programs, click
Accessories, click Run, type NAPCLCFG.MSC, and then click OK.
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to
enable or disable, and then click Enable or Disable.

Note: To perform this procedure, you must be a member of the Administrators group on the local
computer, or you must have been delegated the appropriate authority. If the computer is joined to a
domain, members of the Domain Admins group might be able to perform this procedure. As a security
best practice, consider performing this procedure by using the Run as command.
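The three client-side procedures in this topic can also be applied and checked from a PowerShell prompt. The script below is an added example, not part of the course, and must run elevated on a NAP-capable client such as Windows 7. It assumes the standard NAP identifiers (the service name napagent and enforcement client ID 79618 for the Remote Access Quarantine Enforcement Client) and assumes that the "Turn on Security Center (Domain PCs only)" policy is backed by the SecurityCenterInDomain registry value shown; treat that registry path as an assumption to verify against the policy's ADMX definition.

```powershell
# Added example (not code from the course): applies the client-side NAP
# settings from this topic and verifies them. Run from an elevated prompt.
# Assumptions: service name napagent; enforcement client ID 79618 (Remote
# Access Quarantine Enforcement Client); SecurityCenterInDomain is the value
# the "Turn on Security Center (Domain PCs only)" policy is assumed to set.

# 1. NAP Agent service: not started by default, so set it to start automatically.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
Get-WmiObject -Class Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, State, StartMode

# 2. Enable the Remote Access enforcement client (same effect as Enable in NAPCLCFG.MSC).
netsh nap client set enforcement ID = 79618 ADMIN = "ENABLE"

# 3. Verify what the client will report: enforcement clients and SHAs with their state.
netsh nap client show state

# 4. Security Center must be on for the Windows Security Health Validator SHA to report.
$scPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
$sc = Get-ItemProperty -Path $scPath -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
if ($sc -and $sc.SecurityCenterInDomain -eq 1) {
    Write-Output 'Security Center (Domain PCs only): enabled by policy'
} else {
    Write-Output 'Security Center (Domain PCs only): not set; deployments that use the Windows Security Health Validator require it'
}

# 5. Client-side NAP log: the SSoH/SoHR exchange and the resulting restriction state.
Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The output of netsh nap client show state is the quickest way to confirm, before connecting the VPN, that the Remote Access enforcement client is enabled and the Windows Security Health Agent is initialized; if either is missing, NPS will treat the computer as non-NAP-capable rather than as noncompliant.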


Lab B: Implementing NAP into a VPN Remote Access Solution

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
5. Repeat the steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lab Scenario
Contoso, Ltd. is required to extend its virtual private network solution to include Network Access
Protection.

There have been a number of problems with users connecting to the Contoso network with a VPN from
their unmanaged home computers. It is important to ensure that these computers are in compliance with
Contoso health policies.

As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers
automatically into compliance. You will do this by using Network Policy Server, creating client compliance
policies, and configuring an NAP server to check the current health of computers.


For this project, you must complete the following tasks:
• Configure NAP Server Components
• Configure NAP for VPN clients


Exercise 1: Configuring NAP Components


Scenario
In this exercise, you will configure the required server-side components to support the Contoso, Ltd.
requirement.

The main tasks for this exercise are as follows:


1. Configure a computer certificate.
2. Configure NYC-EDGE1 with NPS functioning as a health policy server.
3. Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN
server.
4. Allow ping on NYC-EDGE1.

Task 1: Configure a computer certificate


1. Switch to the NYC-DC1 virtual server.
2. Open the Certification Authority tool.
3. From the Certificate Templates console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Close the Certification Authority tool.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server


1. Switch to the NYC-EDGE1 computer. Create a management console by running mmc.exe.
2. Add the Certificates snap-in with the focus on the local computer account.
3. Navigate to the Personal certificate store and Request New Certificate.
4. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
then click Next.
5. Enroll the Computer certificate listed.
6. Close the console and do not save the console settings.
7. Using Server Manager, install the NPS Server with the following role services: Network Policy
Server and Remote Access Service.
8. Open the Network Policy Server tool.
9. Under Network Access Protection, open Default Configuration for the Windows Security Health
Validator.
10. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all
network connections.
11. Create a health policy with the following settings:
a. Name: Compliant
b. Client SHV checks: Client passes all SHV checks
c. SHVs used in this health policy: Windows Security Health Validator
12. Create a health policy with the following settings:
a. Name: Noncompliant


b. Client SHV checks: Client fails one or more SHV checks
c. SHVs used in this health policy: Windows Security Health Validator
13. Disable all existing network policies.
14. Configure a new network policy with the following settings:
a. Name: Compliant-Full-Access
b. Conditions: Health Policies = Compliant
c. Access permissions: Access granted
d. Settings: NAP Enforcement = Allow full network access
15. Configure a new network policy with the following settings:
a. Name: Noncompliant-Restricted
b. Conditions: Health Policies = Noncompliant
c. Access permissions: Access granted

Note: A setting of Access granted does not mean that noncompliant clients are granted full network
access. It specifies that the policy should continue to evaluate the clients matching these conditions.

d. Settings:
i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of
client computers is not selected.
ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and
IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.
16. Disable existing connection request policies.
17. Create a new Connection Request Policy with the following settings:
a. Policy name: VPN connections
b. Type of network access server: Remote Access Server (VPN-Dial up)
c. Conditions: Tunnel type = L2TP, SSTP, and PPTP
d. Authenticate requests on this server = True
e. Authentication methods:
i. Select Override network policy authentication settings
ii. Add Microsoft: Protected EAP (PEAP).
iii. Add Microsoft: Secured password (EAP-MSCHAP v2)
f. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is
enabled.
18. Close the Network Policy Server console.

Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS)
configured as a VPN server
1. On NYC-EDGE1, open Routing and Remote Access.
2. Select Configure and Enable Routing and Remote Access.


3. Use the following settings to complete configuration:


a. Select Remote access (dial-up or VPN).
b. Select the VPN check box.
c. Choose the interface called Public and clear the Enable security on the selected interface by
setting up static packet filters check box.
d. IP Address Assignment: From a specified range of addresses:
i. 10.10.0.100 to 10.10.0.110
e. Complete the process by accepting defaults when prompted and confirming any messages by
clicking OK.
4. In the Network Policy Server, click the Connection Request Policies node and disable Microsoft
Routing and Remote Access Service Policy. This was created automatically when Routing and
Remote Access was enabled.
5. Close the Network Policy Server management console and the Routing and Remote Access console.

Task 4: Allow ping on NYC-EDGE1


1. Open Windows Firewall with Advanced Security.
2. Create an Inbound Rule with the following properties:
a. Type: Custom
b. All programs
c. Protocol type: Select ICMPv4 and then click Customize
i. Specific ICMP types: Echo Request
d. Default scope
e. Action: Allow the connection
f. Default profile
g. Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.

Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.


Exercise 2: Configuring Client Settings to support NAP


Scenario
In this exercise, you will implement a VPN on NYC-CL1 and test the computer's health against the NAP
configuration you previously created.

The main tasks for this exercise are as follows:


1. Configure Security Center
2. Enable client NAP enforcement
3. Move the client to the Internet
4. Create a VPN on NYC-CL1

Task 1: Configure Security Center.


1. Switch to the NYC-CL1 computer.
2. Open the Local Group Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer
Configuration/Administrative Templates/Windows Components/Security Center/Turn on
Security Center (Domain PCs only) setting.
3. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement.


1. Run the NAP Client Configuration tool (napclcfg.msc).
2. Under Enforcement Clients, enable EAP Quarantine Enforcement Client.
3. Close the NAP Client Configuration tool.
4. Run services.msc and configure the Network Access Protection Agent service for automatic startup.
5. Start the service.
6. Close the services console.

Task 3: Move the client to the Internet.


1. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection
Internet Protocol Version 4 (TCP/IPv4) settings:
a. IP address: 131.107.0.20
b. Subnet mask: 255.255.255.0
c. Default gateway: blank
d. Preferred DNS server: blank
2. Verify that you can successfully ping 131.107.0.2.

Task 4: Create a VPN on NYC-CL1.


1. Create a new VPN connection with the following properties:
a. Internet address to connect to: 131.107.0.2
b. Destination name: Contoso VPN
c. Allow other people to use this connection: True
d. User name: Administrator


e. Password: Pa$$word
f. Domain: CONTOSO
2. After you have created the VPN, modify its settings by viewing the properties of the connection and
then selecting the Security tab. Use the following settings to reconfigure the VPN:
a. Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).
b. Properties of this authentication type:
i. Validate server certificate: true
ii. Connect to these servers: false
iii. Authentication method: Secured password (EAP-MSCHAP v2)
iv. Enable Fast Reconnect: false
v. Enforce Network Access Protection: true
3. Test the VPN connection:
a. In the Network Connections window, right-click the Contoso VPN connection, and then click
Connect.
b. In the Connect Contoso VPN window, click Connect.
c. View the details of the Windows Security Alert. Ensure that the correct certificate information is
displayed and then click Connect.
4. Verify that your computer meets the health requirements of the NAP policy:
a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.
b. Ping 10.10.0.10.
5. Disconnect the Contoso VPN.
6. Configure Windows Security Health Validator to require an antivirus application:
a. Switch to NYC-EDGE1 and open Network Policy Server.
b. Modify the Default Configuration of the Windows Security Health Validator so that the An
antivirus application is on check box is enabled on the Windows 7/Windows Vista selection.
7. Switch back to NYC-CL1 and reconnect the VPN.
8. Verify your computer does not meet the health requirements of the NAP policy:
a. Verify that a message is displayed in the Action Center that states that the computer doesn't
meet security standards.
b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.
9. Disconnect the VPN.

Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement
policy for Contoso.

To prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:


1. On the host computer, start Hyper-V Manager.


2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.


Lesson 5
Overview of DirectAccess

Organizations often rely on VPN connections to provide remote users with secure access to data and
resources on the corporate network. VPN connections are easy to configure and are supported by
different clients. However, a VPN connection must first be established, and it may require additional
configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire
corporate network. Moreover, organizations cannot effectively manage remote computers. To overcome
such limitations in VPN connections, organizations can implement DirectAccess, available in Windows
Server 2008 R2 and Windows 7, to provide a seamless connection between the internal network and the
remote computer when there is Internet connectivity. Using DirectAccess, organizations can easily
manage remote computers.

Objectives
After completing this lesson, you will be able to:
Discuss challenges of typical VPN connections.
Describe the features and benefits of DirectAccess.
Describe the components required to implement DirectAccess.
Describe the use of the Name Resolution Policy table.
Describe how DirectAccess works for internally connected clients.
Describe how DirectAccess works for externally connected clients.
Describe how a DirectAccess client determines its location.
Describe how to configure DirectAccess.


Discussion: Challenges of VPN Connections

Key Points
What are some of the challenges you face when implementing VPNs?


What Is DirectAccess?

Key Points
Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless
remote access to intranet resources without establishing the VPN connection first. The DirectAccess
feature also ensures seamless connectivity on application infrastructure for internal users and remote
users.
Unlike VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables
any application on the client computer to have complete access to intranet resources. DirectAccess also
enables you to specify resources and client-side applications that are restricted for remote access.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers, using the same management and update servers, to ensure they are always up to date and
in compliance with security and system health policies. You can also define more detailed access control
policies for remote access when compared with defining access control policies in VPN solutions.

DirectAccess is designed with the following benefits:


Always-on connectivity. Whenever the user connects the client computer to the Internet, the client
computer is connected to the intranet also. This connectivity enables remote client computers to
access and update applications easily. It also makes intranet resources always available and enables
users to connect to the corporate intranet from anywhere and anytime, thereby improving their
productivity and performance.
Seamless connectivity. DirectAccess provides a consistent connectivity experience regardless of
whether the client computer is local or remote. This allows users to focus more on productivity and
less on connectivity options and process. This consistency can reduce training costs for users and result in
fewer support incidents.
Bidirectional access. DirectAccess can be configured so that DirectAccess clients not only have
access to intranet resources, but also have access from the intranet to those DirectAccess clients.
Therefore, DirectAccess can be bidirectional so that DirectAccess users have access to intranet
resources, and you can have access to DirectAccess clients when they are connecting over a public
network. This ensures that the client computers are always updated with recent security patches, the
domain Group Policy is enforced, and there is no difference whether users are on the corporate
intranet or on the public network.
This bidirectional access also results in:
Decreased update time.
Increased security.
Decreased update miss rate.
Improved compliance monitoring.
Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter degree of control allows security architects to precisely control remote
users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so
that users can ensure that their communication is safe. You can use a granular policy to define who
can use DirectAccess and from where.
Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP
solutions, resulting in the seamless integration of security, access, and health requirement policies
between the intranet and remote computers.


DirectAccess Infrastructure Components

Key Points
To deploy and configure DirectAccess, your organization must support the following infrastructure
components.

DirectAccess Server
The server must be joined to an Active Directory domain.
The server must have Windows Server 2008 R2 running.
The server must have at least two physical network adapters installed, one connected to the Internet
and the other to the intranet.
The server must have at least two consecutive static, public IPv4 addresses assigned to the network
adapter that is connected to the Internet.
The server should not be placed behind a NAT.
On the DirectAccess server, you can install the DirectAccess Management Console feature by using Server
Manager. You can use the DirectAccess Management Console to configure DirectAccess settings for the
DirectAccess server and clients and monitor the status of the DirectAccess server. You may need more
than one DirectAccess server, depending on the deployment and scalability requirements.

DirectAccess Clients
To deploy DirectAccess, you also need to ensure that the client meets certain requirements:
The client should be joined to an Active Directory domain.
The client should be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows
Server 2008 R2.
The client must have a relevant computer certificate with which to identify itself.


Note: You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or
other earlier versions of Windows operating systems.

DirectAccess Servers
Generally installed in the perimeter network, these servers provide intranet connectivity for DirectAccess
clients on the Internet.

Network Location Server


DirectAccess clients use the network location server (NLS) to determine their location. If the client can
connect to the NLS with HTTPS, it assumes it is on the intranet and disables the DirectAccess components. If
the NLS is not contactable, the client assumes it is on the Internet. The NLS is installed with the Web Server role.

Active Directory Domain


You must deploy at least one Active Directory domain with at least one Windows Server 2008 R2 or
Windows Server 2008-based domain controller, though it is not necessary to raise the domain or forest
functional levels to Windows Server 2008 R2.

PKI
You must implement a PKI to issue computer certificates for authentication, and where desirable, health
certificates when using NAP. You need not implement public certificates.

Group Policy
Although not required, it is easier to use Group Policy to provide for centralized administration and
deployment of DirectAccess settings instead of relying on the Netsh command-line tool. The DirectAccess
Setup Wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

DNS Server
At least one running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix
(http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a third-party DNS
server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP).


What Is the Name Resolution Policy Table?

Key Points
To separate Internet traffic from intranet traffic for DirectAccess, Windows Server 2008 R2 and Windows 7
include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS
namespace, rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace
and configuration settings that describe the DNS client's behavior for that namespace. When a
DirectAccess client is on the Internet, each name query request is compared with the namespace rules
stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT
rule.
If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS
servers configured in the TCP/IP settings for the specified network interface. For a remote client, the DNS
servers will typically be the Internet DNS servers configured through the Internet service provider (ISP).
For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers
configured through Dynamic Host Configuration Protocol (DHCP).

Single-label names, such as http://internal, will typically have configured DNS search suffixes appended to
the name before they are checked against the NRPT.

If no DNS search suffixes are configured and the single-label name does not match any other single-label
name entry in the NRPT, the request will be sent to the DNS servers specified in the client's TCP/IP
settings.

Namespaces, for example, internal.contoso.com, are entered into the NRPT, followed by the DNS servers
to which requests matching that namespace should be directed. If an IP address is entered for the DNS
server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need
not specify any additional security for such configurations. However, if a name is specified for the DNS
server, such as dns.contoso.com in the NRPT, the name must be publicly resolvable when the client
queries the DNS servers specified in its TCP/IP settings.


The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources
and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for
name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the
Internet.

Some names need to be treated differently with regards to name resolution; these names should not be
resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers
specified in the client's TCP/IP settings, you must add them as NRPT exemptions.
The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name
resolution mechanism first tries to use the local name cache, second the hosts file, then NRPT, and finally
sends the query to the DNS servers specified in the TCP/IP settings.
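To make the lookup order, the single-label handling and the exemption behavior concrete, the following is an added Python model of the NRPT decision a DirectAccess client makes when it is on the Internet; it is not code from the course or from Windows. The namespaces, DNS servers and addresses are constructed sample values, and the network location server is used as the example of an exempted name.

```python
"""Model of the NRPT lookup order for a DirectAccess client on the Internet:
local name cache, hosts file, NRPT rules, then the interface's TCP/IP DNS servers.
Added illustration, not course or Windows code; all names and addresses are
constructed sample data (documentation address ranges)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class NrptRule:
    namespace: str          # lowercase; "contoso.com" covers that name and everything under it
    dns_servers: List[str]  # intranet DNS servers reached over the DirectAccess tunnel
    exempt: bool = False    # exemption: this name goes to the interface DNS servers

@dataclass
class ClientConfig:
    rules: List[NrptRule]
    search_suffixes: List[str]   # appended to single-label names before the NRPT check
    interface_dns: List[str]     # ISP DNS servers when the client is on the Internet
    local_cache: Dict[str, str] = field(default_factory=dict)
    hosts_file: Dict[str, str] = field(default_factory=dict)

def match_rule(name: str, rules: List[NrptRule]) -> Optional[NrptRule]:
    """Most specific (longest) namespace that covers name, or None."""
    hits = [r for r in rules
            if name == r.namespace or name.endswith("." + r.namespace)]
    return max(hits, key=lambda r: len(r.namespace), default=None)

def resolve(name: str, cfg: ClientConfig) -> Tuple[str, str]:
    """Return (stage, detail): stage is "cache", "hosts", "nrpt" or
    "interface-dns"; detail is the answer or the DNS servers the query uses."""
    n = name.lower().rstrip(".")
    if n in cfg.local_cache:                  # 1. local name cache
        return "cache", cfg.local_cache[n]
    if n in cfg.hosts_file:                   # 2. hosts file
        return "hosts", cfg.hosts_file[n]
    # 3. NRPT. Single-label names get the search suffixes appended first; with
    #    no suffixes the bare label is compared against single-label entries.
    if "." not in n and cfg.search_suffixes:
        candidates = [f"{n}.{s.lower()}" for s in cfg.search_suffixes]
    else:
        candidates = [n]
    for cand in candidates:
        rule = match_rule(cand, cfg.rules)
        if rule is None:
            continue
        if rule.exempt:                       # exemption: treated as an Internet name
            return "interface-dns", f"{cand} via {','.join(cfg.interface_dns)}"
        return "nrpt", f"{cand} via {','.join(rule.dns_servers)}"
    # 4. no NRPT match: ordinary Internet resolution through the ISP servers
    return "interface-dns", f"{n} via {','.join(cfg.interface_dns)}"

def names_needing_public_resolution(cfg: ClientConfig) -> List[str]:
    """NRPT DNS servers entered by name instead of IP address must be publicly
    resolvable through the interface DNS servers; list them for review."""
    flagged = []
    for r in cfg.rules:
        for s in r.dns_servers:
            try:
                ipaddress.ip_address(s)
            except ValueError:
                flagged.append(s)
    return flagged

# Constructed sample client configuration for a fictitious contoso.com intranet.
SAMPLE = ClientConfig(
    rules=[
        NrptRule("contoso.com", ["2001:db8:1::53"]),        # intranet namespace
        NrptRule("nls.contoso.com", [], exempt=True),       # network location server
        NrptRule("lab.contoso.com", ["dns.contoso.com"]),   # DNS server given by name
    ],
    search_suffixes=["contoso.com"],
    interface_dns=["203.0.113.53"],
    hosts_file={"printer.contoso.com": "10.10.0.50"},
)
```

Calling `resolve("fileserver", SAMPLE)` shows the suffix being appended and the query routed to the intranet server, while `resolve("nls.contoso.com", SAMPLE)` shows the exemption sending the NLS name to the ISP servers even though it sits inside the intranet namespace.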


How DirectAccess Works for Internal Clients

Key Points
The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network
location server URL.
Because the FQDN of the network lo