6293A
Troubleshooting and Supporting
Windows 7 in the Enterprise
ii Troubleshooting and Supporting Windows 7 in the Enterprise
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
Released: 05/2011
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Implementing a Troubleshooting Methodology
Lesson 1: Introduction to the EDST Job Role 1-3
Lesson 2: Overview of Troubleshooting Steps 1-14
Course Description
This course is designed for Information Technology (IT) professionals who have experience with
Windows XP and Windows Vista who work as Windows 7 Enterprise Desktop Support Technicians
(EDSTs) in Tier 2 support environments. The goal of this training is to enable these individuals to support
the Windows 7 operating system and solve technical troubleshooting problems in a Windows 7 and
Windows Server 2008 R2 networking environment.
The course builds on skills attained in Course 6292A: Installing and Configuring Windows 7 Client and
Course 6420B: Fundamentals of Windows Server 2008.
This course will not cover deployment scenarios and Tier 3 escalations, including comprehensive Group
Policy configuration, and domain administration and deployment. Course 6294A covers deployment
scenarios and support.
By the course's end, students will have been exposed to the process of establishing and using a
troubleshooting methodology, and the EDST job role and responsibilities. Additionally, students will be
exposed to various troubleshooting tools and techniques that enable them to address the following
Windows 7 issues in an enterprise network environment:
Startup
Group Policy
Hardware and device drivers
Performance
Network connectivity
Remote connectivity
Security
Applications
Audience
Primary audience: DST in an Enterprise IT organization
Secondary audience: DST in an upper MORG (medium organization) with approximately 475 personal
computers
EDSTs are experienced IT professionals who focus on a broad range of issues that relate to desktop
operating systems, desktop applications, mobile devices, networking, and hardware support. EDSTs must
combine technical expertise with problem-solving and decision-making skills, and possess a deep
understanding of their business and technical environments, so that they can resolve support issues
quickly. They consider all variables, justify resolutions with a logical troubleshooting approach, and relate
tradeoffs to business and technical requirements and constraints. EDSTs are responsible primarily for the
maintenance and support of PC desktops, installing and testing line-of-business applications on end users'
computers, and making changes to user desktops or reimages, as necessary.
MCT USE ONLY. STUDENT USE PROHIBITED
xiv About This Course
EDSTs have used previous versions of Windows desktop operating systems and may have experience
with Windows Server operating systems. Their job requires them to stay knowledgeable and skilled with
using new versions and updates of technology, as their business environment dictates. They conduct most
server management tasks remotely by using Terminal Server or other administration tools installed on
their local workstation.
Student Prerequisites
In addition to their professional experience, students who attend this training should have the following
technical knowledge:
Networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and Domain Name
System (DNS)
Students who attend this training can meet the prerequisites by attending the following courses, or by
obtaining equivalent knowledge and skills:
Course 6292A: Installing and Configuring Windows 7 Client
Course Objectives
After completing this course, students will be able to:
Describe the processes of establishing and using a troubleshooting methodology, and define the
EDST job role and responsibilities.
Troubleshoot client-configuration failures and Group Policy object (GPO) application issues.
Troubleshoot security system issues, such as Encrypting File Systems (EFS), BitLocker Drive
Encryption, and file permissions.
Course Outline
This section provides an outline of the course:
Module 2, Troubleshooting Startup Issues describes how to use Windows 7 recovery tools to
troubleshoot startup problems. Additionally, it provides the information to configure and troubleshoot
startup settings, and to troubleshoot operating system services.
Module 3, Using Group Policy to Centralize Configuration describes Group Policy application. It also
covers steps to troubleshoot both client configuration failures and GPO application issues.
Module 4, Troubleshooting Hardware Device, Device Driver, and Performance Issues helps students
troubleshoot issues related to hardware devices and device drivers by identifying basic hardware-related
issues. Additionally, the module helps students determine hardware failure issues, and the problems that
device drivers can cause. Finally, this module provides guidance on how to configure performance options
in Windows 7, as well as monitor reliability and performance of Windows 7 computers.
Module 5, Troubleshooting Network Connectivity Issues describes how to troubleshoot issues related to
network connectivity by providing the steps to determine the network configuration of client computers,
and then to troubleshoot network connections.
Module 7, Troubleshooting Logon and Resource Access Issues describes how to use troubleshooting
tools and methods to troubleshoot user profile and logon scripts issues, and issues with file and printer
access.
Module 8, Troubleshooting Security Issues describes how to troubleshoot issues related to security
systems such as EFS, BitLocker, and file permissions. The module instructs students how to troubleshoot
and recover files encrypted with EFS and BitLocker-protected drives. In this module, students also
troubleshoot file permissions, content access issues, and Windows Internet Explorer issues.
Module 9, Troubleshooting Operating System and Application Issues describes how to troubleshoot
issues related to operating system features and applications, including application installation and
operation issues. This module also addresses applying application and Windows updates.
Course Materials
The following materials are included with your kit:
Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press.
Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
The following table shows the role of each virtual machine used in this course:
Software Configuration
The following software is installed on each VM:
Windows Server 2008 R2 Enterprise
Windows 7 Enterprise
Classroom Setup
Each classroom computer will have the same set of virtual machines configured in the same way. All of the
virtual machines are deployed on each student computer.
Dual 120 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*
DVD drive
Network adapter
*Striped
Module 1
Implementing a Troubleshooting Methodology
Contents:
Lesson 1: Introduction to the EDST Job Role 1-3
Module Overview
It is important that you understand the responsibilities of an Enterprise Desktop Support Technician
(EDST), the benefits of developing a troubleshooting methodology, and the benefits of following the
procedures that your methodology defines.
Objectives
After completing this module, you will be able to:
Lesson 1
Introduction to the EDST Job Role
As an EDST, your job is to act as an escalation point for problems that help-desk personnel cannot resolve;
to support end users directly; and to troubleshoot various problems. However, an EDST's responsibilities
involve much more than simply fixing problems.
Properly document a problem's resolution in the manner that company policy dictates.
The goal of this lesson is to introduce you to the EDST role and describe how an EDST best supports end
users, both directly and indirectly, in a Windows 7 environment.
Objectives
After completing this lesson, you will be able to:
As an EDST, your job is to increase end-user productivity by troubleshooting and trying to solve the
computer and system issues that end users experience. This requires that you understand your role in the
support environment.
An EDST must fulfill a number of roles in the support environment. A good EDST possesses technical
expertise in addition to nontechnical aptitude, such as excellent interpersonal skills, that enable the EDST
to build rapport with both end users and other members and users of the support environment.
A good troubleshooter, who is able to isolate an issue quickly by performing specific diagnostic tasks.
A knowledgeable resource, who is familiar with relevant products, and is able to perform hardware
and software installation tasks, system monitoring, and maintenance.
An effective communicator, because help-desk staff and end users typically are not calling you for
social reasons. Rather, they may be distressed or upset, and you will need to manage these
interpersonal and technical interactions simultaneously and effectively.
An information source, because even if you do not know the answer, you need to know where to get
the answer and when to escalate a problem.
As an EDST, your position is located in tier 2. The following table provides an overview of a typical
technical support structure.
Tier 3, engineer (tactical): Analyzes and designs within a single technology and then
implements the technology. Handles complex troubleshooting,
including escalations from administrators.
If the issue is outside that scope, you should escalate it to a higher tier level: systems engineers or
architects, as appropriate.
You must troubleshoot and provide information about many aspects of the Windows 7 operating system
that is beyond the responsibility of the help desk, such as:
As an EDST, you should use proper procedures to document the incident. You also must operate within
the organization's Service Level Agreements (SLAs), such as resolving a problem within a certain
timeframe or within a specific budget. In contrast, an EDST does not have to perform tasks that engineers
typically perform, such as complex analysis or design.
Provide customer service, including listening to the end user or help desk, refining the definition of
the problem and solving the problem, and, where possible, educating the end user on how to avoid
the problem in the future.
Install, configure, and upgrade software, including applications and operating systems.
Update the documentation associated with an end user's call, and then close or escalate a call, per
company policy and time limits set forth by SLAs.
You will encounter two types of networks in a corporate support environment: workgroups and domains.
In both environments, end users can share common resources, such as files, folders, and printers. These
environments also provide security measures to secure and protect end users' personal data, and your
organization's network resources and data, from outside forces. Despite their similarities, there are
important differences between workgroups and domains, which this section details.
Workgroups
Workgroups, which are logical groupings of networked computers that share resources, are often referred
to as peer-to-peer networks. The workgroup is the easiest network to set up and maintain, but it is the
least secure. Each computer maintains its own local security database, which contains the valid user
accounts for logging on to that computer. The user accounts secure the data on each computer, and
protect the computer from unwanted access, but because no single computer provides centralized
security of user accounts for all of the network's computers, the network is decentralized.
Note: Workgroups typically are configured for home networks, small home offices, and
small businesses in which the computers are in close proximity to one another and are
sometimes connected by using a hub, switch, or router. Because workgroups are not the
most secure option for a network, larger corporations typically do not use them.
Domains
Domains are logical groupings of networked computers that share a common database of users and
centrally managed security on a single server, known as a domain controller, or a group of servers (domain
controllers). A single domain must have one or more domain controllers, and these computers provide
Active Directory Domain Services (AD DS), such as access to resources, security, and a single point of
administration.
Domains are logical groupings, which you configure independent of the network's actual physical
structure. Domains can span a building, city, state, country, or even the globe. You also can configure
them for a small office, and you can connect a domain's computers by virtual private network (VPN),
Ethernet, broadband, satellite, or wireless connections.
Note: Larger companies and corporations typically configure domains because they are the
most secure option for a network, they offer centralized security and management, and they
are extensible. Smaller companies generally do not use domains because domains are more
expensive, and require more attention than workgroups.
The ability to interact effectively with both end users and the staff of the help desk is vital to an EDST's
success. You also must know how to talk to people with various levels of experience. For example, you
need to know how to ask questions, how to interpret what end users say, and how to suggest changes.
You must know where to search for answers to problems, and how to apply and document the solutions
to those problems. End users must be satisfied with your solutions and believe that you treated them fairly
and with respect.
There are many types of end users. Each end user has expertise in different areas, and each end user has
varying degrees of expertise. It is important that you can identify an end user's expertise level when you
are working in an EDST role to avoid alienating the end user.
For example, reminding a technologically experienced end user to turn on the printer may cause the end
user frustration. It is still necessary to ensure that the basics have been checked, however, because even
technically experienced end users sometimes forget to turn on their printers.
Note: Many organizations provide a script for help desk staff to use when performing initial
problem classification. This will help you and the help desk progress through all the
fundamental questions that can help to classify the problem. Ensure you check the incident
record in the ticketing system before you question the end user yourself; otherwise, you might
be repeating questions asked by the help desk.
Who was operating the computer when the problem first occurred?
Who else is operating the computer, and have they experienced similar problems?
When did this problem first occur, and has it occurred since?
What steps have the help desk already taken to attempt resolution, if any?
What suggestions have the help desk received regarding a possible resolution?
Note: Bear in mind that the help-desk staff may know the problem's cause, but may lack
the administrative permissions to fix it.
Why does the help desk think that the problem occurred?
Note: The help-desk staff may have experienced similar or identical problems, and
therefore may know the cause.
As you work through these questions with the help desk, and where necessary, the end users, document
the answers carefully in the incident record in the ticketing system, listen to everything said, be polite and
professional, and make notes of possible solutions as they occur.
If necessary, leave the situation for a few minutes to digest the information, and then check company
documentation, online support, or other resources for answers.
It is likely that the end user with whom you work has spoken to the help desk before. If the end user's
expectations were not met, the end user may have lost trust in the desktop support process. As an EDST,
you are in a unique position to determine if there is a value gap between what the end user expects and
what the end user receives, and to ensure that each end user's needs are met.
Diagnose the problem. End users expect you to grasp the nature of their problems quickly based on
the information that they provide to the help desk and directly to you, regardless of the end users'
experience levels.
Explain the plan of action. After you have diagnosed the problem, end users expect you to have a
plan of action that entails a logical sequence of steps that either you or the end users can implement
quickly.
Keep end users informed about the troubleshooting process. End users want to know what you are
doing to troubleshoot their problems, if the plan of action is working, and how close you are to
solving their problems.
Teach end users how to solve the problems and how to avoid them in the future. End users want to
understand how their problems occur, and how they can solve the problem without desktop support
in the future.
Note: It may not be necessary to ask all these questions. In addition, the answers to
preceding questions may determine the order of the subsequent questions.
The particulars of various troubleshooting methodologies can vary, and the processes involved in
troubleshooting computer-related problems are not precise. Most methodologies share some common
processes and procedures, which this topic aims to identify.
Classify
When an end user first discovers and reports a computer problem, a series of classification processes
begins. During these processes, you gather information from the end user in an attempt to establish the
problem's nature and scope. The initial discussion might reveal information that results in an immediate
resolution to the problem, but with more complex or serious problems, you must continue to
troubleshoot the issue to arrive at a resolution.
Problems that affect many end users, rather than a few, are more serious in terms of their impact on
organizational productivity, and you must resolve them more quickly. Classification allows you time to
determine the scope and impact of problems so that you can prioritize them.
Even if you are immediately able to resolve the problem, you must log the problem by using the
methodology that your organization has in place. Appropriate logging procedures ensure that you do not
lose any incident reports. Access to detailed incident reports allows organizations to monitor their
information technology (IT) systems more effectively and make informed decisions about those systems.
Test
When you have prioritized and logged a reported incident, the testing phase starts. During the testing
phase, you use a number of processes to determine the probable cause of a reported problem. You might
start by listing the possible causes. Typically, you might try to divide and isolate these possible causes.
In computer systems, dividing and isolating possible causes might mean making a distinction between:
When you reduce the list of possible causes to a manageable number, you can start a testing process. The
aim of the testing process is to determine the probable cause from your list of potential causes.
One method you can use is to reproduce the problem in a test environment. If you can reproduce a
problem easily, you likely can determine the probable cause. If a problem is more difficult to reproduce,
you must study your results, and then you may need to modify your initial thoughts about the problem's
probable cause.
Escalate
In the event that you cannot find a resolution during the initial testing phase, you must either consult
additional documentation or escalate the problem. If you suspect that the issue stems from a component,
you can escalate the problem to the component's manufacturer. For other issues, if you have more internal
resources to call upon, you can escalate the problem in your organization. Your organization should have
an established process for handing off reported incidents to your organization's second-tier support staff.
The second-tier support staff then asks questions to classify the problem's scope and assign it a priority
level.
Report
When you resolve an incident, you must document the resolution. It is important to record any changes
to your IT system's configuration. Additionally, problems have a habit of occurring more than once, and
when you document them properly, you can save time resolving subsequent occurrences of the same
problem.
Lesson 2
Overview of Troubleshooting Steps
Incidents pass through a series of processes that are designed to resolve problems as quickly and
efficiently as possible.
Classification, testing, escalation, and reporting provide the backbone of any troubleshooting
methodology.
The methodology evolves over time, as technologies change and new tools become available.
This lesson details the stages of a troubleshooting methodology, and how you can develop best practices
for problem reporting, initial data collection, implementing a plan of action, and recording incident
resolution.
Objectives
After completing this lesson, you will be able to:
When you begin to troubleshoot a problem, you should clearly define the steps that you need to take to
resolve the problem.
It is important that support staff keeps the end user informed of progress throughout the entire
troubleshooting process, starting with this first reporting stage, when the help desk explains to the end
user what the next step is in the process.
Gather Information
It is possible that the support staff might resolve the reported problem during the initial reporting stage;
this often happens with relatively simple problems. If it is not possible to resolve the issue immediately,
support staff must gather more information about the problem in an effort to identify possible causes.
You can use monitoring tools, examine event logs, or simply ask the end user additional questions in an
effort to gather additional information.
The linear approach is a methodology that reveals the root cause of a problem quickly by taking you
through a logical series of steps. Start with the problem statement, and then proceed in a methodical
manner until you uncover the problem's source.
The subtractive approach is a methodology in which you form a mental picture of the computer's
system components. Separate the components in two halves along a testable line. For example, is it a
hardware component or a network component that is causing the problem? Then, test to see on
which side of the line the problem falls, and then continue in the same manner until you isolate the
problem component.
Whichever approach you take, the aim of this stage is to isolate the cause of the problem. When you feel
you have determined the cause, you must test your assumptions. If the tests prove inconclusive, you must
continue until you determine the real cause.
After your tests prove the cause of a problem, you must plan your course of action.
For instance, if the problem requires that you replace a disk in a server, you must order the new disk,
determine a suitable time to perform the replacement, back up existing data on the old disk, shut down
the server, physically install the new disk, and perform a restore of the data to the new disk.
Many organizations use documentation to provide information about their IT systems' configuration. In
the event that you reconfigured something to resolve a problem, you must update the supporting
documentation to reflect the changes that you made.
Additionally, during the information-gathering stage, it often is useful to examine incident logs to
determine whether anyone else has reported a problem similar to the one on which you are working.
Finding whether another technician has documented a similar problem is possible only if, at incident
closure, you document what you did to resolve a problem.
Your instructor will assign you a role in your organization, and during this discussion, you will consider the
benefits of a troubleshooting methodology for your role. The roles are:
End users.
During your discussion, create a list of benefits for your organizational role. To help facilitate a useful
discussion, you might consider how a troubleshooting methodology results in the following outcomes:
Faster problem resolution
Improved productivity
Better accountability
Improved communications
When you complete your discussion, share your conclusions with the class.
It is important to ensure that a well-understood process exists in your organization for the proper
reporting of support problems.
Problem Detected
The process of reporting a support problem starts with an end user detecting a problem with the
computer hardware, operating system, or an application. If the problem is intermittent, the end user may
take no immediate action. If the problem occurs again, the end user may take further action. End users
may attempt to resolve the problem themselves or contact the help desk for assistance.
Self-Help
Whenever possible, encourage end users to help themselves. You can help end users resolve some
problems quickly if the end user stops and thinks about the event that just occurred.
Always provide adequate training for your end users. Not only does this allow them to get the most from
their applications, but it also means that they are less likely to encounter problems and are more likely to
resolve many problems themselves, without contacting the help desk.
If you lack the skills necessary to resolve the reported problem, assign the problem to other individuals in
your organization. For complex problems, you might assemble a specialist team to resolve the problem.
Update the incident record in the ticketing database to help track information about activity that you, or
others, have performed in relation to the reported problem.
Who else has the same problem? If the problem is widespread, this points to a more general problem
and is less likely to be the end user's particular computer. Additionally, problems affecting many end
users are more urgent than those affecting only one end user.
When did you first notice the problem? For example, it might be that the computer never worked
properly. It is very useful to know if the computer never worked properly, because this might indicate
a problem with deployment rather than usage.
What changed around the same time you noticed the problem? If the end user has recently installed
new applications or updated drivers, and the problem arose after these changes, it is possible that the
changes contributed to the problem that the end user is reporting.
During this phase, you might determine a probable cause of the reported problem, but be careful not to
jump to a conclusion because you might waste a lot of time and resources. Your goal during this phase is
to define the problem accurately.
Escalation
When a problem requires escalation between support tiers or to external vendors, ensure that you record
an appropriate level of detail to pass to the next support level.
It is very helpful to have an escalation procedure that is clearly defined to ensure that you can do this
efficiently. The procedure may contain the following information:
A record of the resolution attempts that support staff make, and the results of each attempted fix.
Your organization does not have the required skills to resolve the problem.
You have identified the probable cause of the problem, and it lies with a specific third-party
component.
Whenever you escalate a problem, always retain ownership of the problem, and use the database record
to track progress toward a resolution. Also ensure that you provide any necessary assistance to other
support tiers and external vendors.
MCT USE ONLY. STUDENT USE PROHIBITED
Implementing a Troubleshooting Methodology 1-21
Resolution
After you determine a probable cause and develop an action plan, you should perform an assessment of
this plan. The assessment should include:
Liaison with any specialist support staff involved in the plan's implementation.
Details of plans to roll back the changes in the event that they do not achieve the desired result.
After you assess the proposed action plan, you can execute it. In the event that the action plan does not
resolve the problem, consider whether to roll back the changes you have made according to the action
plan assessment. You also must revisit the classification phase, because it is possible that the initial
diagnosis and classification were incorrect.
Collecting information about a reported problem is vitally important. By following a precise, logical series
of steps, you can define the nature of the problem clearly, and then work toward establishing a precise
cause.
Question
The process starts when an end user follows a defined procedure to contact the help desk, typically by
sending an e-mail or making a phone call. Members of the help desk team must question the end user
clearly and precisely about the problem's symptoms so that they can begin defining the cause of the
problem.
Listen
When an end user reports a problem to you, listen carefully to what the user has to say. Often, as the user
responds to your questions, and repeats the history of a problem, he or she might unwittingly reveal its
cause. By asking users to start from the beginning and explain exactly what they were doing immediately
prior to noticing the problem, and what they were doing when they noticed the problem, you may
determine the problem's cause.
Note It is important to record the problem, and any pertinent information that the user
communicates to you, in a database. You will use the database record that you create
throughout the problem life cycle to record progress toward a resolution.
Consult
When you record all of the pertinent information from the user, your next task is to determine the cause
of the reported problem. Start by consulting existing documentation about known problems. It is quite
possible that the problem has occurred before. If this is the case, you can move quickly toward a
resolution, and then close the incident.
Research
If existing documentation does not reveal any probable causes, you must perform some research. You can
perform this research using a variety of sources. For example, you might search the Microsoft Support
Knowledge Base for information about the problem. You also may search online forums for related
material to aid in problem resolution.
If you are unable to determine probable causes from this initial research, you can also perform
information gathering using the tools provided in the Windows 7 operating system, including those in the
following table.
Tool Use
Remote Assistance. With Remote Assistance, users can request and receive help by using just one
mechanism. The administrator who is providing remote assistance uses Remote Assistance to take
control of a problem computer remotely, while the user remains logged on and watches what the
administrator is doing on the screen.
Remote Desktop. You can use Remote Desktop to take remote control of a problem computer. The
logged-on user is disconnected, and the console is locked.
Event Viewer. You can use Event Viewer as a single interface for viewing log files on the problem
computer. These logs provide information about applications, system events, and security-related
matters.
Device Manager. With Device Manager, you can examine and change the configuration of hardware
devices and device drivers.
Network Diagnostics. With Network Diagnostics, you can troubleshoot and diagnose network-related
problems.
Windows System Information. With Windows System Information, you can examine a computer's
configuration with a single tool. You can also use the Microsoft Windows System Information tool to
produce configuration reports.
Command-Line Tools. Provide access to a variety of command-line tools that you can use to assist with
the research process, including ipconfig, netstat, winrm, and winrs.
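The following PowerShell script is an added example, not part of the course material. It collects the same first-pass information the table describes (Event Viewer errors, a system summary, Device Manager problem devices, and the ipconfig/netstat output) into one folder that can be attached to the incident record. The $ComputerName and $IncidentId parameters, the 24-hour window, and the output folder are assumptions; remote event collection additionally requires the Remote Event Log Management firewall rule on the target.

```powershell
# Added example (not from the course): gather first-pass diagnostic data from a
# problem computer into a folder that can be attached to the incident record.
# Assumes PowerShell 2.0 or later on Windows 7 and an elevated prompt.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter; remote use needs event log access
    [string]$IncidentId   = 'INC-0000'           # placeholder ticket id
)

$report = Join-Path $env:TEMP "$IncidentId-$ComputerName"
New-Item -ItemType Directory -Path $report -Force | Out-Null

# 1. Critical, error and warning events from the System and Application logs in
#    the last 24 hours (Level 1 = Critical, 2 = Error, 3 = Warning). This is the
#    same data Event Viewer shows, exported so it can be filed with the ticket.
$since = (Get-Date).AddHours(-24)
foreach ($log in 'System', 'Application') {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = $log; Level = 1, 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
      Export-Csv -Path (Join-Path $report "$log-events.csv") -NoTypeInformation
}

# 2. Operating system summary (a subset of what Windows System Information reports).
Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName |
  Select-Object Caption, Version, BuildNumber, LastBootUpTime, InstallDate |
  Out-File (Join-Path $report 'os.txt')

# 3. Devices that report a problem, as Device Manager would flag them.
#    ConfigManagerErrorCode 0 means "This device is working properly".
Get-WmiObject Win32_PnPEntity -ComputerName $ComputerName |
  Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
  Select-Object Name, DeviceID, ConfigManagerErrorCode |
  Out-File (Join-Path $report 'device-problems.txt')

# 4. Network state from the command-line tools the course lists. On a remote
#    computer these would be run through winrs; they are shown locally here.
if ($ComputerName -eq $env:COMPUTERNAME) {
    ipconfig /all | Out-File (Join-Path $report 'ipconfig.txt')
    netstat -ano  | Out-File (Join-Path $report 'netstat.txt')
}

Write-Host "Diagnostic bundle written to $report"
```

Collecting the evidence before changing anything keeps the classification phase honest: the exported events and device list record what the computer looked like when the problem was reported, which matters if the first fix does not work and the incident is escalated.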
Develop
After you determine a probable cause, you must develop an action plan, which the next topic describes.
Simple problems are easy to resolve quickly, and they might not require much consideration in terms of
an action plan. For example, an end user reports that he has forgotten his password. Your action plan
includes opening Active Directory Users and Computers, and resetting the password. However, more
complex or serious problems require careful consideration.
You may need to escalate the problem so that a test environment can be built that closely resembles the
production system, and so that appropriate support personnel use this test environment for testing your
plan of action.
Note Virtualization technologies (such as Windows Virtual PC) provide a convenient way to
build test environments without having to invest significantly in additional hardware or
software.
For example, if the fix involves applying an update, removal of the update might be acceptable. If,
however, the fix involves upgrading applications to include new features that might be useful to other
end users, it might be desirable to leave the new applications installed rather than revert to the older
application. You can use the test environment to practice implementing a rollback of your proposed fix or
workaround.
Note Although the steps for the action plan in the slide are numbered, you might not
complete the steps in this order.
Keep in mind that the specific stages of your plan of action may vary because of the complexities or
circumstances of a specific problem.
For example, if you apply a security update to the operating system to resolve a security problem, the
update may make applications behave differently.
When you are satisfied that you can introduce the fix or workaround without causing additional problems
and that it fixes the reported problem, proceed to the next stage.
If your organization uses a change-management procedure, you must determine what is required of you
when implementing your fix or workaround. Consult the relevant documentation, and when necessary,
discuss the proposed changes with the appropriate staff.
When possible, consider the use of remote management tools and utilities because these often result in
quicker problem resolutions.
If you log the incident in a database to track the status of a reported problem, you must update the
record to reflect whether you resolve the problem and whether you close the incident.
The next topic looks more closely at the process of recording a problem's resolution.
In most support organizations, a process exists to properly record and document a problem that a user
reports. Typically, the help-desk staff records the reported incident into a database. When a problem is
resolved, you must close the reported incident, and then communicate the resolution to the user who
reported the problem.
Your instructor will initiate a classroom discussion in the form of a brainstorming session. Please consider
the stages of a troubleshooting methodology, and share your own experiences with the class.
During the discussion, feel free to make practical recommendations on the following topics:
How does your organization apply the troubleshooting stages?
How do you typically communicate problem resolutions to other support staff to help resolve future
problems?
Module 2
Troubleshooting Startup Issues
Contents:
Lesson 1: Overview of the Windows 7 Recovery Environment 2-3
Module Overview
Corruptions in the system registry, or issues with device drivers or system services, often cause startup-
related problems. Therefore, systematic troubleshooting is essential so that you can determine the
underlying cause of the problem quickly and efficiently.
This module describes how to identify and troubleshoot issues that affect the operating system's ability to
start, and how to identify problematic services that are running on the operating system. It also describes
how to use the Microsoft Windows 7 operating system advanced troubleshooting tools, collectively
known as the Microsoft Windows Recovery Environment (Windows RE).
Objectives
After completing this module, you will be able to:
Use Windows 7 recovery tools to troubleshoot startup problems.
Lesson 1
Overview of the Windows 7 Recovery Environment
To recover computers that are running Windows 7 and that will not start, or which are starting with errors,
you must recognize what the operating system looks like when it is starting properly. Additionally, a good
working knowledge of the recovery tools that Windows 7 provides should enable you to identify and
resolve problems that relate to startup issues.
Objectives
After completing this lesson, you will be able to:
Describe the recovery tools available at the command prompt in Windows RE.
Describe how to use Windows RE to check and fix the startup environment.
Describe the System Restore process in Windows.
The Windows 7 boot loader architecture provides a quick and secure mechanism for starting the Windows
operating system.
The boot loader architecture has three main components:
Bootmgr.exe replaces much of the functionality of the NTLDR bootstrap loader that Windows XP and
earlier versions of the Windows operating system use. Bootmgr.exe is a separate entity, and it is unaware
of other startup operations of the operating system; it switches the processor into 32-bit or 64-bit
protected mode, prompts the user for which operating system to load (if multiple operating systems are
installed), and it can start NTLDR if you have Windows XP or earlier installed.
Note Boot-class device drivers have a start value of zero in the registry.
Winresume.exe reads the hibernation image file, and uses it to return the operating system to its pre-
hibernation running state.
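The boot-class drivers mentioned in the note above can be listed directly from the registry. The script below is an added example, not course material: it reads HKLM\SYSTEM\CurrentControlSet\Services and reports every entry whose Start value is 0, which are the drivers winload.exe loads before it hands control to ntoskrnl.exe. The function name and the name lookup tables are assumptions; the Start and Type values are the documented registry meanings.

```powershell
# Added example (not from the course): list the boot-class drivers that
# winload.exe loads before the kernel initializes, i.e. services with Start = 0
# under HKLM\SYSTEM\CurrentControlSet\Services. Run on a Windows 7 computer
# that starts normally; the function name is an assumption.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'Kernel driver'; 2 = 'File system driver'; 16 = 'Own process'; 32 = 'Shared process' }

function Get-BootStartDriver {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    Get-ChildItem $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        # Only entries with Start = 0 are boot-class; keys without a Start value
        # (for example, pure Parameters containers) are skipped.
        if ($p -ne $null -and $p.Start -eq 0) {
            New-Object PSObject -Property @{
                Name      = $_.PSChildName
                Start     = $startNames[[int]$p.Start]
                Type      = $typeNames[[int]$p.Type]
                Group     = $p.Group        # load-order group (Boot Bus Extender, SCSI miniport, ...)
                ImagePath = $p.ImagePath
            }
        }
    }
}

# Sorting by Group shows the order in which the boot-class drivers are brought up.
Get-BootStartDriver | Sort-Object Group, Name |
  Format-Table Name, Type, Group, ImagePath -AutoSize
```

Comparing this list against a known-good computer of the same build is a quick way to spot an unexpected boot-start driver after a startup problem begins, and it shows which driver a "missing or corrupt driver" message during startup is likely to refer to.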
1. The BIOS performs a Power On Self-Test (POST). From a startup perspective, the BIOS enables the
computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to
loading the operating system.
2. The computer uses information in the BIOS to locate an installed hard disk, which should contain a
master boot record. The computer calls and loads Bootmgr.exe, which then locates an active drive
partition on sector 0 of the discovered hard disk.
3. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's
installed operating systems, and then displays a boot menu, if necessary.
5. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These
drivers are for fundamental hardware components, such as disk controllers and peripheral bus drivers.
Winload.exe then transfers control to the kernel of the operating system, ntoskrnl.exe.
6. The kernel initializes, and then higher-level drivers and services are loaded. During this phase, you will
see the screen switch to graphical mode as the Windows subsystem is initialized.
7. The operating system displays the logon splash screen, and a user logs on to the computer.
Note Until a user has logged on, startup is not considered successful.
If your computer fails to start correctly, you can use a number of tools to help resolve the problem.
Diagnoses and repairs startup problems automatically by using the Startup Repair tool.
Accessing Windows RE
To access Windows RE:
3. After you configure language and keyboard settings, select the Repair your computer option, which
scans the computer for Windows installations and then presents you with a troubleshooting tools
menu.
Note Windows RE is also accessible from the hard disk. This is a more convenient method
for accessing Windows RE. However, bear in mind that with certain failed startup conditions,
Windows RE is not available from the hard disk.
Automatic Failover
Windows 7 provides an on-disk Windows RE. A computer that is running Windows 7 can fail over
automatically to the on-disk Windows RE if it detects a startup failure.
During startup, the Windows loader sets a status flag that indicates when the boot process starts. The
Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader
does not clear the flag. Consequently, the next time the computer starts, Windows loader detects the flag,
assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 7.
The advantage of automatic failover to Windows RE Startup Repair is that you may not need to check the
problematic computer when a startup problem occurs.
Note that the computer must start successfully for the Windows loader to remove the flag. If the
computer's power is interrupted during the startup sequence, the flag is not removed, and automatic
Startup Repair is initiated.
Bear in mind that this automatic failover requires the presence of both the Windows boot manager and
the Windows loader. If either of these elements of the startup environment is missing or corrupt,
automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's
startup environment.
Windows RE provides access to five tools that you can use to help recover your computer's startup
environment.
Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. The following sections describe Startup Repair tool functions.
Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Startup Repair automatically checks and, if necessary, repairs the disk metadata.
Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple
operating systems on a single computer. Another possible cause of metadata corruption is a virus
infection.
Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions
stored the boot configuration information in Boot.ini, a simple text file. However, Windows 7 uses a
configuration store that is in C:\Boot.
If the boot configuration data is damaged or deleted, the operating system fails to start.
The Startup Repair tool checks and, if necessary, rebuilds the BCD, by scanning for Windows
installations on the local hard disks, and then storing the necessary BCD.
Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver
often causes Windows to start incorrectly.
The Startup Repair tool performs device driver checks as part of its analysis of your computer. If
Startup Repair detects a driver problem, it uses System Restore points to attempt a resolution, by
rolling back configuration to a known working state.
Note Even if you do not manually create restore points in Windows 7, installing a new
device driver automatically causes Windows 7 to create a restore point prior to the
installation.
System Restore
Windows 7 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if the computer does not start
successfully, you can use System Restore by booting in Windows RE from the product DVD.
Command Prompt
Windows 7 uses a Command Prompt tool from the Windows RE tool set as its command-line interface.
The Command Prompt tool is more powerful than the Recovery Console, and its features are similar to the
command prompt that is available when Windows 7 is running normally.
Resolve Problems with a Service or Device Driver. If a computer that is running Windows 7
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. For example, if a device driver fails to start, use the command prompt to install a
replacement driver, or disable the existing driver from the registry. If the Netlogon service fails to
start, type Net Start Netlogon at the command prompt. You also can use the SC tool (SC.exe)
command-line tool to start and stop services.
Recover Missing Files. The Command Prompt tool also enables you to copy missing files to your
computer's hard disk from original source media, such as the Windows 7 product DVD or USB
memory stick.
Access and Configure the BCD. Windows 7 uses a BCD store to retain information about the
operating systems that you install on the local computer. You can access this information by using the
BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For
example, you can reconfigure the default operating system on a dual-boot computer with the
BCDEdit.exe /default id command.
Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 7 will fail to start successfully. You can launch the
Bootrec.exe program at the command prompt to resolve problems with the disk metadata.
Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many
programs that you can access from Windows 7 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.
Note Windows PE is not a complete operating system. Therefore, when you use the
Command Prompt tool in Windows RE, remember that not all programs that work in
Windows will work at the command prompt. Additionally, because there are no logon
requirements for Windows PE and Windows RE, Windows restricts the use of some programs
for security reasons, including many that administrators typically run.
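The script below is an added example of the Command Prompt repairs described in this section; it is not part of the course. It backs up the BCD, runs the Bootrec.exe repairs that correspond to the "Repair the Boot Sector and MBR" and "Access and Configure the BCD" functions, and then disables a problem driver by editing the offline installation's SYSTEM hive rather than the registry of the running Windows RE. The offline drive letter E:, the backup path, and the driver name ExampleDrv are assumptions; confirm the drive letter with dir first, because Windows RE often assigns letters differently from the installed system. In Windows 7 Windows RE the commands are typed at cmd.exe, where the single quotes around the {...} identifiers are not needed; they are only present because PowerShell treats braces as a script block.

```powershell
# Added example (not from the course): repair an offline Windows 7 installation
# from the Windows RE command prompt. bcdedit, bootrec and reg are the standard
# executables the course describes. Drive letter, paths and the driver name are
# assumptions; check them before running.
$offline = 'E:\Windows'        # assumed location of the installation being repaired
$backup  = 'E:\BCD-backup'     # constructed backup file for the BCD store

# 1. Keep a copy of the BCD before changing it; "bcdedit /import $backup" undoes everything below.
bcdedit /export $backup

# 2. Repair the disk metadata, then the BCD. These are the same repairs Startup
#    Repair performs automatically; /rebuildbcd prompts for each installation it
#    finds (answer A to add all, as in the course practice).
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd

# 3. Disable a driver that prevents startup by editing the OFFLINE SYSTEM hive.
#    sc.exe or Set-Service here would change the running Windows RE, not the
#    installation on E:. Start = 4 is Disabled (0 = Boot, 1 = System, 2 = Automatic, 3 = Manual).
#    ControlSet001 is assumed to be the current control set; the offline hive's
#    "Select\Current" value says which one the installation actually uses.
$driver = 'ExampleDrv'         # hypothetical driver service name
reg load 'HKLM\OfflineSys' "$offline\System32\config\SYSTEM"
reg query "HKLM\OfflineSys\ControlSet001\Services\$driver" /v Start
reg add   "HKLM\OfflineSys\ControlSet001\Services\$driver" /v Start /t REG_DWORD /d 4 /f
reg unload 'HKLM\OfflineSys'

# 4. Confirm the resulting boot entries before restarting.
bcdedit /enum
```

Two details matter for the action plan's rollback step: the exported BCD file is the rollback for steps 1, 2 and 4, and the reg query output captured before the change records the driver's original Start value so it can be restored the same way once the replacement driver is in place.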
In this demonstration, you will see how to examine the Windows 7 startup environment. To perform this
procedure, the instructor must start the computer from the product DVD, and then select the Repair your
computer option. The instructor will demonstrate how to use the command prompt and startup repair
tools.
Demonstration Steps
1. Use the Hyper-V Manager console to mount the product DVD.
3. Boot into the setup program, and then select Repair your computer.
Windows 7 enables System Restore features automatically. System Restore takes snapshots of your
computer system, and then saves them as restore points. These restore points represent a point in time for
the computers configuration when it was running successfully.
Once you enable System Restore points, Windows 7 creates them automatically when the following
actions occur:
You install a new application or driver
Once daily.
Automatically, if you choose to use System Restore to restore to a previous restore point.
In this instance, System Restore creates a new restore point before it restores the system to a previous
state. This provides you with a recovery option should the restore operation fail or result in issues.
Windows RE does not create a restore point for the current state if you are in Safe mode and you
restore to a previous state.
Note To create a restore point manually, go to the System Protection tab on the
Computer property sheet, and then click the Create button.
With Windows 7 computers, you can use System Restore to perform driver rollback by accessing the
restore points, even when the computer does not start successfully.
Note If you disable System Restore, Windows deletes all existing restore points.
In this practice, you will create a system restore point. You then will use both Windows 7 and Windows RE
to apply the restore point.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Before you begin the practice, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Domain: Contoso
Detailed Steps
Password: Pa$$w0rd
5. In the System Properties dialog box, click Local Disk (C:) (System), and then click Configure.
6. In the System Protection for Local Disk (C:) dialog box, click Restore system settings and
previous versions of files, and then click OK.
3. In the System Restore dialog box, click Next. The restore point you created should be listed.
4. Click Cancel.
2. When the virtual machine is restarting, when the Press any key to boot from CD or DVD message
appears, press Spacebar. Setup loads.
7. In the System Restore dialog box, click Next. The restore point you created should be listed.
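The same restore-point work that the practice performs through the System Properties and System Restore dialog boxes can be scripted. The following is an added example, not part of the course practice; it uses the System Restore cmdlets that ship with PowerShell 2.0 on Windows 7 (Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint and Restore-Computer). The restore-point description and the incident number in it are constructed.

```powershell
# Added example (not from the course practice): create, list and (optionally)
# apply a restore point from an elevated PowerShell 2.0 prompt on Windows 7.

# 1. Turn protection on for the system drive. This is the "Configure" step in
#    the practice; it is a no-op if protection is already enabled.
Enable-ComputerRestore -Drive 'C:\'

# 2. Create a restore point before making a change. The description is a label
#    of your choosing (constructed here); MODIFY_SETTINGS is the type Windows
#    itself uses for configuration changes.
Checkpoint-Computer -Description 'Before driver update (INC-0000)' -RestorePointType MODIFY_SETTINGS

# 3. List the restore points with readable timestamps, as the System Restore
#    dialog box would show them. CreationTime is a WMI date string, hence the conversion.
function Get-RestorePointSummary {
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = {
            [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}
Get-RestorePointSummary | Format-Table -AutoSize

# 4. Roll back to a chosen point by SequenceNumber. The computer restarts as part
#    of the restore, so the call is left commented out to keep this script safe to run.
# Restore-Computer -RestorePoint <SequenceNumber> -Confirm

# Get-ComputerRestorePoint -LastStatus reports whether the most recent restore succeeded.
```

Creating the restore point as the first line of a change script, rather than relying on the automatic point that driver installation creates, means the rollback exists even when the change is made by a method Windows does not treat as an installation, such as a manual registry edit. Remember the note above: a restore performed from Safe mode does not create an undo point for the current state.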
Password: Pa$$w0rd
Lesson 2
Configuring and Troubleshooting Startup Settings
To troubleshoot a Windows 7 computer that fails to start properly, you must understand the boot process,
and the role of the BCD store in troubleshooting. This lesson describes the BCD store and how it controls
the boot process flow, and it also describes the tools and utilities that you can use to configure the
Windows 7 boot process.
Objectives
After completing this lesson, you will be able to:
The BCD store is an extensible database of objects and elements that can include information about a
current hibernation image, and special configuration options for booting Windows 7 or an alternate
operating system. The BCD provides an improved mechanism for describing boot configuration data for
new firmware models.
The boot sector loads Bootmgr.exe, which in turn accesses the BCD, and then uses that information to
display a boot menu to the user (if multiple boot options exist) and to load the operating system.
These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the
nonvolatile RAM (NVRAM) entries in operating systems based on an Extensible Firmware Interface (EFI).
However, Windows 7 replaces the boot.ini file and NVRAM entries with the BCD. This file is more versatile
than boot.ini, and it can apply to computer platforms that do not use the BIOS to start the computer. You
also can apply it to firmware models, such as computers that are based on EFI.
Windows 7 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the active
partition \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition.
Depending on what you want to change, you can use the following tools to modify the BCD:
Startup and recovery. The Startup and recovery dialog box enables you to select the default
operating system if you have multiple operating systems installed on your computer. You also can
change the time-out value. These settings are on the Advanced tab in the System Properties dialog
box.
System Configuration Utility (MSConfig.exe). MSConfig.exe is an advanced tool that enables you to
select the following startup options:
Safe boot: Minimal. On startup, opens the Windows graphical user interface (Windows
Explorer) in safe mode running only critical system services. Networking is disabled.
Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode
running only critical system services. Networking and the graphical user interface are
disabled.
Safe boot: Active Directory Domain Services (AD DS) repair. On startup, opens the Windows
graphical user interface in safe mode running critical system services and AD DS.
Safe boot: Network. On startup, opens the Windows graphical user interface in safe mode
running only critical system services. Networking is enabled.
No GUI boot. Does not display the Windows Welcome screen when starting.
BCDEdit.exe. You can use BCDEdit, a command-line tool, to change the BCD, such as removing
entries from the list that displays operating systems. This advanced tool is for administrators and IT
professionals. BCDEdit.exe is a command-line tool that replaces Bootcfg.exe in Windows 7.
BCDEdit.exe currently enables you to:
Adding a new hard disk to your Windows 7 computer, changing the logical drive numbering.
Installing additional operating systems on your Windows 7 computer, creating a multiboot
configuration.
Deploying Windows 7 to a new computer with a blank hard disk, requiring you to configure the
appropriate boot store.
Command Description
Commands that operate on a store
/export. Exports the contents of the system BCD store to a specified file.
/import. Restores the state of the system BCD store from a specified file.
Commands that operate on elements
/displayorder. Specifies the order in which Boot Manager displays its menu.
/toolsdisplayorder. Specifies the order in which Boot Manager displays the tools menu.
/debug. Enables or disables kernel debugging for an operating system boot entry.
BootRec.exe. Use the bootrec.exe tool with the /rebuildbcd option in Windows RE to rebuild the
BCD. You must run bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup
issue, you can export and delete the BCD, and then run this option again. By doing this, you ensure
that the BCD rebuilds completely.
Note You can also use the BCD WMI provider to make changes to the BCD by using
scripts. The BCD WMI provider is a management interface and is the only programmatic
interface available for BCD.
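The following is an added example of the BCDEdit.exe operations described above, not text or code from the course. It shows the export/import pair from the first table, the /default and time-out settings that the Startup and Recovery dialog box also exposes, and the safeboot element that MSConfig's "Safe boot" check boxes set. The backup path is constructed. Braces are quoted because PowerShell treats {...} as a script block; at cmd.exe the quotes are omitted.

```powershell
# Added example (not from the course): common BCDEdit edits from an elevated
# PowerShell prompt on a running Windows 7 computer. The backup path is an
# assumption; everything else uses documented BCDEdit options.
$backup = "$env:TEMP\BCD-before-change"   # constructed backup file

# Always export first. "bcdedit /import $backup" puts the whole store back if an
# edit leaves the computer unable to start.
bcdedit /export $backup

# Show every entry, including the GUIDs needed to address entries other than
# {current} and {default}.
bcdedit /enum all

# Make the entry that is running now the default, and show the menu for 10 seconds
# (the same settings as the Startup and Recovery dialog box).
bcdedit /default '{current}'
bcdedit /timeout 10

# Equivalent of MSConfig's "Safe boot: Network" check box for subsequent startups.
# Other values are "minimal" and "dsrepair" (Safe boot: Minimal / AD DS repair).
bcdedit /set '{current}' safeboot network

# Clear it again, which is what choosing "Normal startup" in MSConfig does.
bcdedit /deletevalue '{current}' safeboot

# Boot an alternate entry once, without changing the default (handy for testing a
# repaired or second installation). The GUID is a placeholder from /enum all output.
# bcdedit /bootsequence '{<guid-from-enum-all>}'

# Full rollback of every change above:
# bcdedit /import $backup
```

Leaving a safeboot element set is a common cause of a computer that "keeps starting in Safe mode" after troubleshooting; the /deletevalue line, or clearing the MSConfig check box, is the fix, and bcdedit /enum confirms that the element is gone.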
In this practice, you will modify the startup environment of the NYC-CL1 computer. By using BCDEdit.exe,
you will modify the boot environment before you use Windows RE to launch the command prompt repair
tool. You then will use BCDEdit.exe and Bootrec.exe to repair the startup environment.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Detailed Steps
4. In the System Properties dialog box, under Startup and Recovery, click Settings. The default
operating system is displayed with the startup options.
5. Click OK, and then in the System Properties dialog box, click OK.
3. At the command prompt, type the following command, and then press Enter:
Bcdedit /enum
5. At the command prompt, type the following command, and then press Enter:
6. At the command prompt, type the following command, and then press Enter:
7. At the command prompt, type the following command, and then press Enter:
Shutdown /r
The computer restarts. Do not boot from CD or DVD. The boot fails with a BCD error.
5. In the System Recovery Options dialog box, click Use recovery tools that can help fix problems
starting Windows, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. At the command prompt, type the following command, and then press Enter:
E:
8. At the command prompt, type the following command, and then press Enter:
Cd\windows\system32
9. At the command prompt, type the following command, and then press Enter:
Bcdedit /enum
10. At the command prompt, type the following command, and then press Enter:
Bootrec /rebuildBcd
11. When prompted, press A at the command prompt, and then press Enter.
12. Switch to the System Recovery Options dialog box, and then click Restart.
Password: Pa$$w0rd
The System Configuration Tool (MSConfig.exe) automates the troubleshooting steps that assist you in
diagnosing issues with your system's configuration. When you use this tool, you can change the way
Windows 7 boots, and you can select options to prevent services and programs from loading during the
Windows startup process.
You can reset or change the Windows 7 configuration settings easily to include preferences for the
following:
Startup options
Changes you make are undone if later you select the Normal startup option, unless you select the check
box titled Make All Boot Settings Permanent.
The System Configuration utility dialog box has five tabs:
General. Enables you to select the startup environment. You can choose between Normal,
Diagnostic, or Selective startup.
Boot. Enables you to select boot options, such as Safe boot, No GUI boot, and Base video, and to
select Advanced options, such as selecting the number of processors that you want to use, setting
the maximum memory available, or locking PCI (Peripheral Component Interconnect) devices to
resources.
Services. Provides a list of all services that start when the computer boots, and their current status,
which is Running or Stopped. You can enable or disable individual services at boot time to
troubleshoot services that might be contributing to startup problems. You can select the option to
Hide all Microsoft services, which enables you to identify nonstandard services that might be
causing a startup problem.
Startup. Enables you to view and select which applications to run at startup. Two features on the
Startup tab include the Manufacturer heading, which can help you identify an application, and the
Date Disabled heading, which can help you keep track of the date on which you disabled a startup
application.
Tools. Provides an easy method to launch various system tools. For example, you can change the
settings for User Account Control, launch Action Center, and access Computer Management and
other system tools.
In this practice, you determine which operating system services are running. Using MSConfig.exe, you will
disable the Windows Firewall service, and then select Safe Mode. After restarting NYC-CL1, you will
permanently disable Windows Defender. Finally, you will start Windows 7 normally, and then verify that
these services are running correctly.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Detailed Steps
2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3. At the command prompt, type the following command, and then press Enter:
Net start
msconfig
2. In the System Configuration dialog box, click the Services tab, and then locate the Windows
Firewall service.
3. Clear the Windows Firewall check box, and then click Apply.
5. Under Boot options, select the Safe boot check box, and then click OK.
3. In the list of services, click Windows Firewall, and verify that it is disabled.
3. In the list of services, click Windows Firewall, and then verify that it is running.
4. In the list of services, click Windows Defender, and then verify that it is disabled.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Windows 7 provides advanced boot options that you can use to start the operating system in an
advanced troubleshooting mode.
To access the Advanced Boot Options menu, you must press F8 during the startup process. This
troubleshooting boot mode enables you to start a computer that is experiencing problems, or is unable to
perform a normal boot.
The following options are available from the boot menu:
Repair your computer. Displays a collection of system recovery tools addressing startup problems.
You also can run diagnostics, and restore the system.
Safe mode. Starts Windows with a minimal set of drivers and services. This is one of the most useful
boot options, because it allows access to the operating system when a high-level service or
application prevents a normal boot. This enables you to perform diagnostics and fix the problem.
Safe mode with networking. Starts Windows in Safe mode, and includes the network drivers and
services that you need to access the Internet or other network computers.
Safe mode with command prompt. Starts Windows in Safe mode with a command prompt window
rather than the usual Windows interface. You typically use this when other startup options do not
work.
Enable Boot Logging. Creates the file ntbtlog.txt in the Windows folder, which can be useful for
advanced troubleshooting. This file lists every driver that Windows loads, or fails to load, during
startup.
Enable low resolution video (640 X 480). Starts Windows using your current video driver, and low
resolution and refresh rate settings. Use this mode to reset your display settings.
Last Known Good Configuration (advanced). Starts Windows with the last successful registry and
driver configuration. This is useful if a driver issue is preventing the computer from properly starting.
This does not repair corrupt or missing files.
Disable automatic restart on system failure. Prevents Windows from restarting automatically if an
error causes Windows to fail. Choose this option only if the computer loops through the startup
process repeatedly by failing to start correctly, and then attempting another restart.
Disable Driver Signature Enforcement. Allows drivers that are unsigned or improperly signed to
load, for that boot session only. Use it solely to diagnose a driver problem: while it is active,
kernel-mode code integrity no longer blocks unsigned code, so do not leave a computer running in
this mode.
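The Boot tab options in MSConfig and the Safe mode and boot logging choices on the F8 menu all come down to a handful of elements in the BCD store, which is why an MSConfig change persists until you return to Normal startup while an F8 choice applies to one start only. The following script is an added example, not part of the course or of Microsoft's tooling: it sets those elements with BCDEdit.exe, reads them back, and clears them again. It assumes an elevated Windows PowerShell 2.0 or later session on the computer being repaired, English BCDEdit output, and that {current} is the Windows 7 entry you booted from; the function names are invented for this example.

```powershell
# Added example (not course code): the BCD elements behind MSConfig's Boot tab
# and the F8 Safe mode / boot logging choices, set directly with bcdedit.exe.
# Assumes an elevated Windows PowerShell 2.0+ session and English bcdedit output.

function Invoke-BcdEdit {
    # Run bcdedit.exe with the given arguments and fail loudly unless told otherwise.
    param([string[]]$Arguments, [switch]$IgnoreFailure)
    $output = & bcdedit.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0 -and -not $IgnoreFailure) {
        throw "bcdedit $($Arguments -join ' ') failed: $output"
    }
    return $output
}

function Get-BootElements {
    # Parse "bcdedit /enum {current}" into a hashtable of element name -> value.
    # The section title line ("Windows Boot Loader") also matches; ignore that key.
    $elements = @{}
    foreach ($line in (Invoke-BcdEdit @('/enum', '{current}'))) {
        if ($line -match '^(\S+)\s+(.+)$') { $elements[$matches[1]] = $matches[2].Trim() }
    }
    return $elements
}

function Set-NextBootMode {
    # Writes the same BCD elements that MSConfig's Boot tab (Safe boot, Network,
    # Alternate shell) and boot logging use. They stay in effect until removed,
    # which is exactly what MSConfig's "Normal startup" does.
    param(
        [ValidateSet('Normal', 'Safe', 'SafeNetwork', 'SafeCommandPrompt')][string]$Mode = 'Normal',
        [switch]$BootLog   # also write %SystemRoot%\ntbtlog.txt on the next start
    )
    $id = '{current}'
    # Clear any previous choice; /deletevalue reports an error when the element is absent.
    foreach ($element in 'safeboot', 'safebootalternateshell', 'bootlog') {
        Invoke-BcdEdit @('/deletevalue', $id, $element) -IgnoreFailure | Out-Null
    }
    switch ($Mode) {
        'Safe'              { Invoke-BcdEdit @('/set', $id, 'safeboot', 'minimal') | Out-Null }
        'SafeNetwork'       { Invoke-BcdEdit @('/set', $id, 'safeboot', 'network') | Out-Null }
        'SafeCommandPrompt' { Invoke-BcdEdit @('/set', $id, 'safeboot', 'minimal') | Out-Null
                              Invoke-BcdEdit @('/set', $id, 'safebootalternateshell', 'yes') | Out-Null }
    }
    if ($BootLog) { Invoke-BcdEdit @('/set', $id, 'bootlog', 'yes') | Out-Null }
    Get-BootElements
}

# Next start: Safe Mode with boot logging, then confirm what was written to the BCD.
$elements = Set-NextBootMode -Mode Safe -BootLog
"safeboot = $($elements['safeboot']); bootlog = $($elements['bootlog'])"

# Back to a normal start (equivalent to MSConfig > General > Normal startup).
Set-NextBootMode -Mode Normal | Out-Null
```

Plain Safe mode loads no network drivers, so on a computer you reach only over the network use SafeNetwork, or you lose the connection on the next restart. As with the Safe boot check box in MSConfig, the safeboot element stays in the BCD until you delete it; a forgotten element keeps the computer in Safe mode on every restart, which is also worth checking when a computer unexpectedly keeps starting in Safe mode.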
Lesson 3
Troubleshooting Operating System Services Issues
Failures of an operating system service often result in problems that are not severe enough to prevent the
computer from starting, but that restrict functionality. Therefore, it is important that you understand how
to identify and rectify service-related startup problems.
Objectives
After completing this lesson, you will be able to:
It is important to understand the differences between software applications, operating system services,
and hardware devices and their associated device drivers.
Applications operate at a high level by integrating with the computer user, and at a lower level by
integrating with the operating system. You install applications after you install the operating system, and
you must start applications manually to use them.
Operating system services are usually installed with the operating system rather than afterwards,
although applications and device drivers can install services of their own. Additionally, operating
system services function with no user action. In fact, most of them start before a user logs on to
the computer.
The difference between operating system services and device drivers is that device drivers interact directly
with hardware devices or components. Generally, a system service interacts with other software
components in the operating system. From a management perspective, the difference between device
drivers and services is more obvious: you use Device Manager to manage device drivers, and you use the
services Microsoft Management Console (MMC) snap-in to manage system services.
When troubleshooting a computer that has problems with its operating system services, the operating
system may return an error after you log on to the computer. This error message may indicate that a
service failed to start.
Windows 7 provides several tools that can help you determine which operating system service failed to
start correctly. Because some services are dependent on other services or drivers to start successfully, you
always should consider that the failure of one service might be related to, or caused by, the failure of
another service.
Event Viewer
Windows 7 includes a tool called Event Viewer that allows you to examine certain log files that provide
information about applications, system events, and security-related matters. Event Viewer provides access
to the Windows logs, and also to applications and services logs.
The following list summarizes the information that you can access from the Windows logs.
Application. The application log contains events that applications generate. For example, a database
program records a file error in the application log, and the program developer decides which events
to record.
Security. The security log records security events, such as valid and invalid logon attempts, and events
related to resource use, such as creating, opening, or deleting files. An administrator specifies which
events Windows 7 records in the security log by configuring an audit policy, either locally or, in a
domain, through a domain-wide GPO.
System. The system log contains events that the system components in Windows 7 generate. For
example, if a driver or other system component fails to load during startup, Windows 7 records this
failure in the system log. Windows 7 predetermines the event types that the system components log.
For example, the Service Control Manager logs event ID 7036 when a service enters the running or
stopped state, event ID 7000 when a service fails to start, and event ID 7001 when a service fails to
start because a service that it depends on failed to start.
If you encounter problems with service startup, examine the system and application logs for related
events.
Note the level of each event:
Information events
Warning events
Error events
When you troubleshoot startup problems with services, pay special attention to error events that the
system log records. All users can read the application and system logs, but only members of the local
Administrators group (or of the built-in Event Log Readers group) can read the security log.
Log Files
In addition to the logs accessible from Event Viewer, Windows 7 records other events in other log files. For
example, use MSConfig.exe to configure Windows 7 to record a boot log file when it starts. The boot log
file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some services that start
during the boot process. If a problem occurs with a service, activate boot logging, and then examine the
log.
Note You also can activate boot logging from the Advanced Startup Options menu, which
is accessible by pressing F8 during the start sequence.
Stop Codes
If the Windows 7 operating system experiences a system failure, it may display a stop code on a blue
screen. The stop code may contain the name of the device driver or service that is causing the system
failure, as well as information to help you diagnose the reason for the failure.
Windows 7 records the contents of memory at the time of the failure in a memory dump file. By default,
a kernel memory dump is written to MEMORY.DMP in the Windows folder; if you select a small memory
dump instead, it is written to the Minidump subfolder of the Windows folder. You choose the dump type
and location in System Properties, under Startup and Recovery. The dump is a binary file rather than a
text log, so open it in a debugger such as WinDbg from the Debugging Tools for Windows to determine
the reason for the system failure and the driver that was running when it occurred.
Action Center
Action Center provides a consolidated tool that enables you to track and repair reported problems. You
also can configure Action Center to determine how your computer reports problems. Additionally, you
can use Action Center to examine problems that Windows reports.
Online Reporting
Action Center contains a link that you can use to check online for solutions to problems. The link submits
information regarding the problem to Microsoft. Online reporting of problems is a valuable way to help
Microsoft identify issues with Windows 7 and create targeted product updates.
Disabling Services
After you determine which service is causing the startup problem, you can disable it. Depending on the
circumstances, you can disable a service in several ways:
Safe Mode
If the Windows 7 computer does not start normally, try to start the computer in Safe Mode. Safe Mode is
accessible from the Advanced Boot Options menu, but you also can activate Safe Mode from
MSConfig.exe. In Safe Mode, a minimal set of services load during the startup process. However, these
services are sufficient to load the operating system. You then can use standard operating system tools,
such as Control Panel, Computer Management, Registry Editor, the services MMC snap-in, and Event
Viewer, to troubleshoot the service startup problem.
Last Known Good Configuration
Use Last Known Good Configuration to roll back the computer registry System hive to an earlier working
version. Because the System hive contains information related to the starting of services, rolling back the
change to the System hive might help you resolve the problem without requiring you to disable the
newly-installed service manually.
Note Once you log on to your computer, the Last Known Good configuration is overwritten
with the current configuration, and the ability to use Last Known Good as a recovery option
for that change is no longer available.
At the command prompt, use either the Net command or SC.exe to manually start, stop, activate, and
disable services.
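The following script is an added example, not part of the course: it ties the Event Viewer material above to the Net and SC.exe commands by pulling the Service Control Manager failure events out of the System log, resolving each one to its service, start type and dependency chain, and wrapping the sc.exe config call that disables or re-enables a service. It assumes an elevated Windows PowerShell 2.0 or later session on the affected computer; the function names and the service name in the usage lines are placeholders invented for this example.

```powershell
# Added example (not course code): find services that failed to start according
# to the Service Control Manager, show their start type and dependencies, and
# change a start type with sc.exe. Assumes an elevated Windows PowerShell 2.0+
# session on the affected computer (Safe Mode with Command Prompt, then "powershell", also works).

function Get-ServiceStartupFailure {
    # Returns one object per Service Control Manager failure event recorded in
    # the System log during the last $Hours hours.
    param([int]$Hours = 24)

    # SCM event IDs: 7000 failed to start, 7001 a service it depends on failed
    # to start, 7023 terminated with an error, 7034 terminated unexpectedly.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7001, 7023, 7034
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no failures".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($e in $events) {
        # For all four events the first replacement string is the service display name.
        $displayName = [string]$e.Properties[0].Value
        $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
        $name = $null; $startMode = $null; $dependsOn = $null
        if ($svc) {
            $name = $svc.Name
            # StartMode (Auto, Manual, Disabled) is exposed by WMI, not by Get-Service in PowerShell 2.0.
            $startMode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
            # A failure in one of these is often the real cause (compare event 7001).
            $dependsOn = @($svc.ServicesDependedOn | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            DisplayName = $displayName
            Name        = $name
            StartMode   = $startMode
            DependsOn   = $dependsOn
            Message     = $e.Message
        }
    }
}

function Set-ServiceStartMode {
    # Wraps "sc.exe config <name> start= <mode>". Always call sc.exe: in PowerShell
    # the bare word "sc" is an alias for Set-Content. sc.exe requires the space after "start=".
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][ValidateSet('auto', 'demand', 'disabled')][string]$StartMode
    )
    & sc.exe config $Name start= $StartMode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Name (exit code $LASTEXITCODE)" }
    & sc.exe qc $Name   # show the resulting configuration, including dependencies
}

# List failures from the last three days, oldest first, with the columns that matter.
Get-ServiceStartupFailure -Hours 72 |
    Sort-Object Time |
    Format-Table Time, EventId, Name, StartMode, DependsOn -AutoSize

# Take a failing service out of the boot path, and later put it back.
# 'ExampleSvc' is a placeholder: use the Name column from the output above.
# Set-ServiceStartMode -Name 'ExampleSvc' -StartMode disabled
# Set-ServiceStartMode -Name 'ExampleSvc' -StartMode auto
```

Read the DependsOn column before disabling anything: when a 7001 event names a dependency, disabling the service that reported the error leaves the real cause in place. Disable the service only for as long as the diagnosis takes, and record the original start mode (sc.exe qc shows it as START_TYPE) so that you can restore it.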
Remote Tools
If you can start Windows 7, but installed services do not start correctly, you might be able to troubleshoot
the services remotely. You can use most of the built-in management consoles to connect to a remote
machine and configure settings. The following list summarizes several remote tools that are available in
Windows 7:
Remote Assistance. Use Remote Assistance to offer help to a user with a computer experiencing
service-related problems. You can connect to the user's computer, and then use troubleshooting tools
to diagnose and fix the problem.
Remote Desktop. Use Remote Desktop to connect to a computer with a service-related problem. You
can use Remote Desktop to connect to, and take control of, the user's computer, and then use
troubleshooting tools to diagnose and fix the problem.
Windows Remote Shell (WinRS). Use this shell tool to manage another computer remotely. WinRS
operates in the context of Windows Remote Management (WinRM) which is the Microsoft
implementation of the WS-Management protocol.
Custom Management Consoles. You can add most administrative snap-ins to custom management
consoles, to connect to specific remote computers, and to configure settings on those computers.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The help desk has received a number of trouble tickets that they cannot resolve, and they have passed
those tickets to you. You need to determine how to resolve each problem, and then document your
solution.
Supporting Documentation
Incident Record
Incident Reference Number: 601237
Incident Details
Adam Carter has reported that his computer will not start properly.
Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partly through
the process. Since then, his computer displays the following error message when it starts:
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Results: At the end of this exercise, you will have resolved the first startup problem and documented your
solution.
Supporting Documentation
Incident Record
Incident Reference Number: 601338
Incident Details
Martin contacted the help desk after attempting to install a new hard disk driver.
Since the attempt, his computer does not start correctly.
Additional Information
Help desk staff recorded the following message:
A problem has been detected, and Windows has been shut down to prevent damage to your
computer.
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers.
Technical information:
*** STOP: 0x0000007B (0x8078BB58,0xC0000034,0x0000000,0x00000000)
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Results: At the end of this exercise, you will have resolved the startup problem and documented your
solution.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. After installing a new video driver, your user's computer becomes unstable and will not start correctly.
What would you try first to resolve this problem?
2. The boot environment of a user's computer is corrupt, and you suspect a virus. Before you can run
virus removal tools, you must recover the boot environment. What command-line tool(s) could you
use?
3. Your user adds a new hard disk to the computer, which changes the computer's partition numbering.
To enable the computer to start, the user needs you to change the BCD. What tool would you use?
4. A user has reported a problem to the help desk. They are experiencing problems with starting their
computer after a new device driver was added. You decide to start the computer by using a minimal
boot, but want to configure that from Windows before restarting. What tool could you use?
5. A system service is causing startup problems, and your help-desk user has started the problematic
computer into Windows RE. What command-line tools, accessible from Windows RE, enable you to
control the startup of services?
6. The help desk recently installed a new device driver on a computer. A stop code is generated along
with a blue screen during startup. What recovery mechanism would you try first?
Tools
Tool                 Use for                                      Where to find it
BCDEdit.exe          Viewing and configuring the BCD store        Command line
Safe Mode            Troubleshooting startup                      Accessible from the Advanced Boot Options menu
Sysinternals Suite   Advanced configuration and troubleshooting   Download from the Microsoft TechNet website
Module 3
Using Group Policy to Centralize Configuration
Contents:
Lesson 1: Overview of Group Policy Application 3-3
Module Overview
Group Policy is an essential tool that you can use to configure the computer systems in an enterprise
environment. With Group Policy, you can quickly and easily apply configuration settings centrally. This is
faster and more practical than configuring hundreds or thousands of computers manually.
In most cases, a server administrator administers an organization's Group Policy, rather than desktop
support staff. However, it is important for desktop support staff to understand how Group Policy works
and how to identify when an organization is not applying Group Policy objects (GPOs) properly.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Group Policy Application
You can manage GPOs centrally, and store them on domain controllers. Client computers download GPOs
and apply them in specific ways, so it is important for you to understand how Windows 7 processes them
so that you can identify when Windows 7 is not processing correctly.
Objectives
After completing this lesson, you will be able to:
Group Policy contains thousands of settings for configuring Windows 7. Each Windows 7 computer has a
local Group Policy that you can edit to configure these settings. However, when you are managing client
computers in an enterprise environment, it is not practical to modify the local Group Policy manually on
each computer. Instead, you use AD DS to distribute GPOs. By default, Windows 7 computers download
GPOs at startup and then refresh them every 90 minutes, with a random offset of up to 30 minutes so
that clients do not all contact the domain controllers at the same moment.
Note A local GPO applies to all local and domain users. The user settings in a GPO that
AD DS distributes do not apply to local users.
Inside a GPO, there are User Configuration settings and Computer Configuration settings. The User
Configuration settings apply to user accounts, and the Computer Configuration settings apply to
computer accounts. If the user account and computer account are in different organizational units (OUs),
a single GPO may apply to the user who logs on, but not to the computer itself, and vice versa.
Within the User Configuration and Computer Configuration, there are policies and preferences. Policies are
Windows configuration settings that are enforced on the client; preferences are settings that are
applied to the client, but the user has the option to change them. Preferences include items such as
drive mappings and printers.
Processing GPOs
Windows 7 applies Group Policy for computers when users start the computers, and applies Group Policy
for users when the user logs on to the computer. Computer and user settings are refreshed at regular,
configurable intervals, and the default refresh interval is every 90 minutes. You also can force an update
by running GPUpdate.exe at a command prompt.
Group Policy Objects are processed in the following order:
1. Local GPOs
2. Site-level GPOs
3. Domain-level GPOs
4. Organizational Unit (OU) GPOs, including any nested OUs, starting with the OU farthest from the user
or computer object and ending with the OU that contains it
GPOs that are applied to higher-level containers pass through to all sub-containers in that part of the
Active Directory tree. For example, a policy setting that is applied to an OU also applies to any child OUs
below it. The local GPO is processed first, and the organizational unit to which the computer or user
belongs is processed last. The last GPO processed is the effective setting.
Security filtering. An individual GPO can have security filtering applied which controls which users and
computers are able to apply the GPO. By using security filtering, you limit a GPO to a specific group
of users or computers. By default, Windows 7 applies a GPO to Authenticated Users, which allows all
users and computers to apply it.
Windows Management Instrumentation (WMI) filtering. You can link a WMI filter to an individual
GPO, which restricts the computers to which the GPO applies. You can base a WMI filter's query on
a wide variety of characteristics, such as installed software or hardware. An error in the WMI query
may result in the GPO not applying to any computers, so test the query (for example, with
Get-WmiObject -Query in PowerShell) on a representative computer before you link the filter.
Slow link processing. By default, some GPO settings are not applied over slow links (500 kilobits per
second (Kbps) or less) because it may take too long to download them. Administrative templates and
security settings are processed regardless of link speed. This may result in roaming users with portable
computers having a slightly different experience when they are out of the office and connect to the
corporate network over a slow link.
You can create and link GPOs to users and computers at a site, domain, or OU. When you apply multiple
GPOs to users and computers, this aggregates the settings in the GPOs. For most policy settings, the GPO
with the highest precedence that contains the specific setting determines the setting's final value. For
a few settings, the final value is actually the combination of values across GPOs.
GPOs that Windows 7 processes last have the highest precedence. GPOs follow the Local, Site, Domain, or
OU rule for processing: first the local GPO, then site, the domain, and lastly the OU, including nested OUs,
which are OUs that have another OU as their parent. In the case of nested OUs, GPOs associated with the
parent OUs are processed prior to GPOs associated with the child OUs. In this processing order, Windows
7 applies local GPOs first but they have the least precedence. Windows 7 processes OUs last, and they
have the highest precedence.
Several Group Policy options can alter this default inheritance behavior. These options include:
Link Order: The precedence order for GPOs linked to a given container. The GPO link with a Link
Order of one has the highest precedence on that container. Changing the Link Order has no effect
unless GPOs that link to the same location have conflicting settings.
Enforced: The ability to specify that a GPO takes precedence over any GPOs that link to child
containers. Additionally, a GPO that Windows 7 enforces at the domain level overrides a GPO that it
enforces at an OU. You typically enforce a GPO to ensure that computers use company-wide settings,
and that departmental administrators do not override these settings by creating a GPO.
Block Inheritance: The ability to prevent an OU or domain from inheriting GPOs from any of its parent
containers. Note that Enforced GPO links will always be inherited. You typically use blocking
inheritance to allow a department to manage Group Policy settings separate from the rest of the
organization.
Link Enabled: The ability to specify whether Windows 7 processes a specific GPO link for the container
to which it links. When you do not enable a link, Windows 7 does not process the GPO. This is
typically done during troubleshooting when you want to disable processing of a GPO to eliminate it
as a source of configuration errors.
Woodgrove Bank has a single domain with OUs that represent three regional offices. In each regional
office, there is a single Computers OU that contains all computer accounts for that region. The
organization stores user accounts for each region in various OUs based on workgroups. Each region has
the following workgroups:
Retail
Commercial
Managers
Discussion Questions
1. How would you use a GPO to distribute an application only to users in a single region?
2. You link the GPO to the Computers OU in that region. Which settings are applied?
3. Why might it be a benefit for roaming users to link printer distribution to a site rather than a
specific OU?
4. How can you configure security settings in a GPO and ensure that they applied to all regions?
5. The home page for users is defined in a GPO that is linked to the domain. The home page points at
the company intranet. The managers have a new web-based application that should be defined as
their home page. This should be distributed by GPO. How can you do this?
By default, Group Policy processing on Windows servers is synchronous, which means that Windows
servers complete the Group Policy processing for computers before they present the Ctrl+Alt+Delete
dialog box, and that the Group Policy processing for users completes before the shell is active and
available for the user to interact with it.
By default, Group Policy processing on client computers is asynchronous. Typically, client computers do
not wait for the network to initialize fully at startup and logon. The client computers log on existing users
by using cached credentials, which results in a shorter logon period. Windows 7 applies Group Policy in
the background after the network becomes available.
If a user with a roaming profile, home directory, or user-object logon script logs on to a computer, the
computer always waits for the network to initialize before completing the log on. If a user has never
logged on to the computer before, the computer always waits for the network to initialize, because there
are no cached credentials.
Loopback Processing
Typically, when you apply GPOs to users, the same set of user policy settings applies to those users
regardless of the computers that they use. The Group Policy loopback feature applies user policy settings
in the GPOs that relate to a computer account, which would normally only apply computer policy settings.
By enabling the loopback processing policy setting in a GPO, you can configure user policy settings to
apply on a specific computer, regardless of which user logs on. This means that you can apply different
user settings when a user logs on to a computer that this setting affects. When you use this option, you
must ensure that you enable the computer and user sections of the GPO.
You can set the loopback processing policy setting by using the User Group Policy loopback processing
mode setting, which is located at Computer Configuration\Policies\Administrative Templates\System\Group Policy.
Merge mode: In this mode, Windows gathers the list of GPOs for the user during the logon process.
Then, it gathers the list of GPOs for the computer. Next, Windows adds the list of GPOs for the
computer to the end of the user's GPOs. As a result, the computer's GPOs have a higher precedence
than those of the user.
Replace mode: In this mode, Windows does not gather the list of GPOs for the user. Instead, it uses
only the list of GPOs based on the computer object, and then it applies the User Configuration
settings from this list to the user.
In certain closely managed environments, such as terminal servers, it is appropriate to enable loopback
processing. You also would use this setting for special-use computers, such as those in public places,
computer labs, and classrooms, where you want the user experience to be specific to the environment.
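The precedence rules described above (Local, Site, Domain, OU order; Link Order; Enforced; Block Inheritance; disabled links) and the two loopback modes are hard to reason about once several of them interact. The following script is an added example, not part of the course or of Microsoft's Group Policy tooling: it models those ordering rules in a few PowerShell functions so that you can predict which GPO wins before you read gpresult output. The container and GPO names and the home page values are constructed for illustration and do not correspond to any real domain; the script runs in Windows PowerShell 2.0 or later without a domain.

```powershell
# Added example (not course code): a model of how Windows orders GPOs
# (Local, Site, Domain, OU), honouring Link Order, Enforced, Block Inheritance
# and disabled links, plus loopback Merge/Replace for user settings.
# All container, GPO and URL values below are constructed for illustration.

function New-GpoLink {
    param([string]$Name, [int]$LinkOrder, [switch]$Enforced, [bool]$Enabled = $true)
    New-Object PSObject -Property @{
        Name = $Name; LinkOrder = $LinkOrder; Enforced = [bool]$Enforced; Enabled = $Enabled
    }
}

function New-Container {
    # A site, domain or OU with its GPO links and its own Block Inheritance flag.
    param([string]$Name, [object[]]$Links, [switch]$BlockInheritance)
    New-Object PSObject -Property @{
        Name = $Name; Links = $Links; BlockInheritance = [bool]$BlockInheritance
    }
}

function Resolve-GpoOrder {
    # $Containers: the chain from outermost (site) to innermost (the object's own OU).
    # Returns GPO names in application order: the LAST name wins any conflict.
    param([object[]]$Containers)

    # Block Inheritance on a container discards non-enforced links from every
    # container above it; only the deepest block matters.
    $deepestBlock = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $deepestBlock = $i }
    }

    $order = @('Local GPO')   # the local GPO is always first (lowest precedence)

    # 1. Non-enforced links, outer to inner. Within one container, Link Order 1
    #    is applied last, so sort descending.
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($i -lt $deepestBlock) { continue }
        $links = @($Containers[$i].Links | Where-Object { $_.Enabled -and -not $_.Enforced } |
                   Sort-Object LinkOrder -Descending)
        foreach ($l in $links) { $order += $l.Name }
    }

    # 2. Enforced links after everything else, inner to outer, so that an
    #    enforced domain link beats an enforced OU link.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $links = @($Containers[$i].Links | Where-Object { $_.Enabled -and $_.Enforced } |
                   Sort-Object LinkOrder -Descending)
        foreach ($l in $links) { $order += $l.Name }
    }
    return $order
}

function Resolve-UserGpoOrder {
    # Loopback: Merge appends the computer's list after the user's (computer wins
    # conflicts); Replace uses only the computer's list for the user settings.
    param([object[]]$UserContainers, [object[]]$ComputerContainers,
          [ValidateSet('None', 'Merge', 'Replace')][string]$Loopback = 'None')
    $userOrder     = Resolve-GpoOrder $UserContainers
    $computerOrder = Resolve-GpoOrder $ComputerContainers
    switch ($Loopback) {
        'None'    { return $userOrder }
        'Merge'   { return ($userOrder + @($computerOrder | Where-Object { $_ -ne 'Local GPO' })) }
        'Replace' { return $computerOrder }
    }
}

function Get-EffectiveSetting {
    # $Definitions: hashtable of GPO name -> value for one setting. The last GPO
    # in $Order that defines the setting supplies the effective value.
    param([string[]]$Order, [hashtable]$Definitions)
    $winner = $null
    foreach ($gpo in $Order) { if ($Definitions.ContainsKey($gpo)) { $winner = $Definitions[$gpo] } }
    return $winner
}

# Constructed scenario: the corporate home page is set by a domain-linked GPO;
# managers sit in a child OU with their own home page GPO; the region OU has an
# enforced security GPO; kiosks block inheritance and use loopback Replace.
$site   = New-Container 'Default-First-Site-Name' @()
$domain = New-Container 'contoso.com' @(
              (New-GpoLink 'Default Domain Policy' 1),
              (New-GpoLink 'Corp Home Page' 2))
$region = New-Container 'OU=Region1'  @( (New-GpoLink 'Region1 Security' 1 -Enforced) )
$mgrs   = New-Container 'OU=Managers' @( (New-GpoLink 'Managers Home Page' 1) )
$kiosks = New-Container 'OU=Kiosks'   @( (New-GpoLink 'Kiosk Lockdown' 1) ) -BlockInheritance
$homePage = @{ 'Corp Home Page' = 'http://intranet'; 'Managers Home Page' = 'http://apps/managers' }

$userOrder = Resolve-GpoOrder @($site, $domain, $region, $mgrs)
"Manager's user GPO order       : " + ($userOrder -join ' -> ')
"Effective home page            : " + (Get-EffectiveSetting $userOrder $homePage)

# Enforcing the domain link makes it win although the OU link is processed later.
$domainEnforced = New-Container 'contoso.com' @( (New-GpoLink 'Corp Home Page' 2 -Enforced) )
$enforcedOrder  = Resolve-GpoOrder @($site, $domainEnforced, $region, $mgrs)
"With the domain link enforced  : " + (Get-EffectiveSetting $enforcedOrder $homePage)

# Loopback Replace on a kiosk: the manager's own user GPOs are ignored, and Block
# Inheritance drops the non-enforced domain links but not the enforced region link.
$kioskOrder = Resolve-UserGpoOrder -UserContainers @($site, $domain, $region, $mgrs) `
                                   -ComputerContainers @($site, $domain, $region, $kiosks) -Loopback Replace
"Kiosk (loopback Replace)       : " + ($kioskOrder -join ' -> ')
```

The model covers link precedence only; it does not apply security filtering, WMI filters or slow-link behaviour, each of which can remove a GPO from the list before ordering begins. To compare a prediction with what a real client applied, run gpresult /r on that client and read the applied GPOs in the order it lists them.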
Note Some of the tasks that you perform to complete this practice may not typically be the
responsibility of Tier 2 support staff. However, it is useful to learn the procedure.
Instructions
For this practice, you will use the available virtual machine environment.
Before you begin the practice, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Detailed Steps
5. In the Windows 7 Remote Administration Tools window, read the instructions, and then close the
window.
9. In Control Panel, click Programs, and then click Programs and Features.
10. In Programs and Features, click Turn Windows features on or off.
11. In the Windows Features window, expand Remote Server Administration Tools, expand Feature
Administration Tools, select the Group Policy Management Tools check box, and then click OK.
Task 2: Use the Group Policy Management Console to create a new GPO
1. On NYC-CL1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click
Contoso.com. Notice that the Default Domain Policy links to the root of the Contoso.com domain.
3. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Preferences, and then click OK.
4. On the Settings tab, verify that no settings are defined in this GPO.
5. In the left pane, right-click Preferences to display the context menu. Notice that the link is enabled
but not enforced.
7. In the Group Policy Management Editor window, review the available information. Notice that there
are two categories of settings, User Configuration and Computer Configuration, which are divided
further into Policies and Preferences.
8. Under User Configuration, expand Preferences, expand Windows Settings, and then click
Shortcuts.
10. In the New Shortcut Properties window, enter the following information, and then click OK:
Name: Notepad
Location: Desktop
Target Path: C:\Windows\System32\notepad.exe
2. At the command prompt, type gpupdate /force, and then press Enter. The /force option reapplies all
policy settings rather than only those that have changed since the last refresh.
3. When the Group Policy update is complete, close the command prompt.
Lesson 2
Resolving Client Configuration Failures and GPO
Application Issues
Most issues that relate to the application of GPOs are due to incorrect configurations on the part of an
administrator. Despite the fact that you, as a desktop support person, may not be able to resolve GPO
application issues, it is important that you can identify them. After you identify an issue with the
configuration of Group Policy application, you may need to escalate the issue to a server administrator
who has the necessary permissions to resolve the issue.
Objectives
After completing this lesson, you will be able to:
Discuss reasons for client configuration failures that incorrectly configured GPOs cause.
Explain how to resolve common client configuration issues that result from the application of GPOs.
A GPO application issue is any situation where a GPO does not have the effect on users or computers that
you expect. Common symptoms of GPO application issues are:
GPO settings, such as security restrictions or drive mapping, are not being applied to specific users or
computers.
GPO settings are being applied to a user differently based on physical location or computers.
Because a GPO can affect many users and computers, administrators should test the configuration of
GPOs thoroughly before applying them. Even after testing, there may be situations in which settings in a
GPO do not apply to users and computers in the ways that you expect.
Question: What are some of the reasons that GPO settings might not apply as you think
they should?
GPO application issues often result from configuration errors. In many cases, it is just a matter of
identifying and resolving the configuration error. One of the most common errors is linking a new GPO to
an incorrect location. To avoid this error, you should verify that a GPO with user settings links to the user
objects location, and verify that a GPO with computer settings links to the computer objects location.
If you want user settings in a GPO to apply only when the user logs on to a particular computer or group
of computers, you must enable loopback processing for those computers. After you enable loopback
processing, the user settings in the GPOs that apply to the computer account are processed.
When a new GPO is applied it may not take effect immediately. By default, GPOs are processed every 90
minutes on client computers. However, you can force it to take effect immediately by running
gpupdate.exe /force at a command prompt.
If you update a GPO and it does not take effect, you may need to restart the computer, because some
settings apply correctly only during the computer startup process.
Finally, if GPOs do not take effect for remote users, you can disable slow link processing. However, if you
disable slow link processing it may result in slow logons because large GPOs download over a slow
connection. This is of particular concern when you use GPOs for software distribution.
To troubleshoot GPO application issues, you should understand how Windows applies GPOs so that you
can identify at what point in that process the issue is occurring.
The following table lists some tools that you can use for troubleshooting GPO application issues.
GPResult.exe. A command-line tool that displays RSoP data. You can specify a specific user and computer
account when you run the tool.
Addiag.exe. This tool identifies information that relates to the installation of software by using a GPO.
This tool is part of the Windows XP Service Pack 2 (SP2) support tools, but works with Windows 7. You
can use this tool to identify whether a GPO that distributes software is applied to a computer by
reviewing the software available for installation.
Event Viewer. Windows 7 and Windows Vista include an event log specifically for Group Policy. This log
can help you identify whether the client is using slow link processing and whether Windows is applying
GPOs.
Windows 7 includes rsop.msc, which provides RSoP data similar to what is available in the GPMC.
However, to perform queries for nonlocal computers and users that are not logged on locally, the tool
requires updates to Windows Firewall on the target computer to allow WMI requests. You can use Group
Policy to enable the necessary predefined firewall rules, or run the command netsh advfirewall firewall
set rule group="Windows Management Instrumentation (WMI)" new enable=yes at an elevated command prompt.
You can use several tools to perform GPO application troubleshooting. It is important that you have some
hands-on experience enabling and using these tools.
In this practice, you will use GPO application troubleshooting tools to review how the tools work.
Note Some of the tasks that you perform in this practice may not typically be the
responsibility of Tier 2 support staff. However, it is useful to learn the procedure.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Detailed Steps
2. If necessary, click the Preferences GPO link, and then click OK to clear the warning message.
3. On the Settings tab, under User Configuration, beside Shortcuts, click show. Notice that the list
includes the shortcut that you created in the previous practice.
2. In the GPMC, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click
Contoso.com.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, expand Group Policy, and then click Logging and
tracing.
Note These settings are not visible from Group Policy Management on NYC-CL1 because it
is using different administrative templates.
5. In the right pane, double-click Configure shortcuts preference logging and tracing.
6. In the Configure Shortcuts preference logging and tracing window, click Enabled.
7. In Options, in the Event logging box, click Informational, Warnings, and Errors.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
5. On the User and Computer Selection page, in User information, click User, click Browse, type
Adam, and then click OK.
6. In Computer information, click Computer, click Browse, type NYC-CL1, click OK, and then click
Next.
7. On the Advanced Simulation Options page, review the available options, and then click Next.
8. On the Alternative Active Directory Paths page, review the available options, and then click Next.
9. On the User Security Groups page, review the available options, and then click Next.
10. On the Computer Security Groups page, review the available options, and then click Next.
11. On the WMI filters for Users page, review the available options, and then click Next.
12. On the WMI filters for Computers page, review the available options, and then click Next.
13. On the Summary of Selections page, click Next, and then click Finish.
14. In the Adam on NYC-CL1 report, on the Summary tab, under Computer Configuration Summary,
beside Group Policy Objects, click show.
16. Under User Configuration Summary, beside Group Policy Objects, click show.
3. Right-click Computer Configuration, and then click Properties. This displays the GPOs from which
this computer obtained its settings.
4. In the Computer Configuration Properties window, select the Display all GPOs and filtering status
check box. This allows you to see GPOs that are not being applied due to security filtering or WMI
filtering.
5. Select the Display scope of management check box. This allows you to see where each GPO is
linked.
6. Click Cancel.
2. At the command prompt, type gpresult /r, and then press Enter.
3. Scroll through and read the RSoP data. Notice that the local computer and locally logged-on user
were used for the analysis.
2. In the left pane, expand Applications and Services Logs, expand Microsoft, expand Windows,
expand Group Policy, and then click Operational.
3. Review the recent events in the log. Event ID 4004 indicates that manual processing was started.
Event ID 5311 indicates that no loopback processing is enabled. Event ID 5312 indicates which GPOs
were applicable.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
When you troubleshoot GPO application failures, first verify that the client computer is connected to the
network properly, and that it is authenticated. If a computer is unable to contact the domain, it is unable
to apply GPOs. You can verify the computer's authentication either by ensuring that the user can access
network resources, or by looking in the event logs for errors related to network connectivity or computer
account authentication. Alternatively, you can run gpupdate /force to verify that GPOs are downloading.
If RSoP shows that the GPO is not applied to the computer and user, you need to determine if the GPO is
linked to the correct location. You also need to confirm that the user and computer accounts are in the
correct location. You may need to escalate this task to someone with the necessary administrative
permissions.
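The triage sequence above (domain connectivity, then RSoP, then the Group Policy Operational log), as an added PowerShell example that is not part of the course text. It assumes an elevated PowerShell prompt on the Windows 7 client; the output folder is a placeholder, and event 5314 (link speed detection) is an assumption drawn from the Windows event catalogue rather than from this page.

```powershell
# Added example, not course material. Gathers the evidence this lesson collects by
# hand into one folder so that a Tier 2 technician can attach it to the incident
# record or hand it over when escalating to a server administrator.

function Get-GpoProcessingEvents {
    param([int]$MaxEvents = 40)
    # 4004 = manual processing started, 5311 = loopback mode, 5312 = applicable GPOs.
    # 5314 = link speed detection (fast vs. slow link); assumed, not listed on the page.
    $filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'
                 Id      = 4004, 5311, 5312, 5314 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Invoke-GpoTriage {
    param([string]$OutputFolder = "$env:TEMP\gpo-triage")   # placeholder location
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # 1. Can this computer locate a domain controller? If not, no GPO can download.
    & nltest /dsgetdc:$env:USERDOMAIN 2>&1 | Out-File "$OutputFolder\dc-lookup.txt"

    # 2. Force a refresh, then record RSoP for the logged-on user and this computer.
    #    The HTML report also lists denied GPOs together with the reason (filtering, link).
    & gpupdate /force 2>&1 | Out-File "$OutputFolder\gpupdate.txt"
    & gpresult /r 2>&1     | Out-File "$OutputFolder\gpresult-r.txt"
    & gpresult /h "$OutputFolder\rsop.html" /f

    # 3. What the Group Policy engine itself logged during that refresh.
    $events = Get-GpoProcessingEvents
    $events | Format-List TimeCreated, Id, Message | Out-File "$OutputFolder\gp-operational.txt"

    # 4. Short read-out of the two questions the lesson asks first.
    $loopback = $events | Where-Object { $_.Id -eq 5311 } | Select-Object -First 1
    $applied  = $events | Where-Object { $_.Id -eq 5312 } | Select-Object -First 1
    "Loopback : " + $(if ($loopback) { $loopback.Message } else { 'no 5311 event found' })
    "Applied  : " + $(if ($applied)  { $applied.Message }  else { 'no 5312 event found' })
    "Evidence written to $OutputFolder"
}

Invoke-GpoTriage
```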
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6293A-NYC-CL1 and 6293A-NYC-CL2.
Lab Scenario
The help desk has received a number of trouble tickets that relate to GPO application. Because you are
the desktop support technician that is the most experienced with Group Policy, the tickets have been
assigned to you.
Supporting Documentation
Incident Record
Incident Reference Number: 602085
Incident Details
User reports that research lab configuration is not being applied properly to a new computer named
NYC-CL1.
Additional Information
User reports that a new computer being used in the research computer lab is not configured properly.
All other computers in the lab, such as NYC-LAB1, have the standardized settings properly applied.
I have verified that the computer is joined to the domain properly.
Looking at NYC-LAB1, I can see that there is a desktop shortcut for the Analysis application. If this icon
appears on the desktop, then we know that the settings are being applied properly. This setting should
apply regardless of the user that logs on.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: At the end of this exercise, you will have resolved the GPO application problem.
Supporting Documentation
Incident Record
Incident Reference Number: 602086
Incident Details
User reports that his drive mapping has not been updated with the new file share for his department.
Additional Information
The user (Alan) is not receiving the drive mapping (R:) for the new research department share on his
computer NYC-CL2.
Other people in his department are not experiencing any issues. I have checked with the Active
Directory administrators, and his computer account is in the correct OU. So the location of the
computer account is not an issue.
I also verified that he can access the files manually by using the Universal Naming Convention (UNC)
path at \\NYC-DC1\Research.
We rebooted the computer with no improvement.
Plan of action
Resolution
Note The password used for Alan and all other user accounts is Pa$$w0rd.
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: At the end of this exercise, you will have resolved the GPO application problem.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. You do not have permission to log on to domain controllers in your organization. However, you
would like to perform Group Policy Modeling using the GPMC. How can you use GPMC on a
Windows 7 computer?
2. Your organization has a computer lab that is used for training. When users log on to computers in
this lab, they should have only lab-specific settings. The instructor in the lab this week is indicating
that users are not getting the default home page for the Web application that they are using for
training. You know that a new GPO for the lab was created last Friday. What is the most likely cause
of this problem?
3. A new user in accounting called the help desk to explain that she does not have the department's
standard drive mappings. These drive mappings are configured by using Group Policy Preferences.
What is the most likely cause of this problem?
Tools
Tool Use for Where to find it
Module 4
Troubleshooting Hardware Device, Device Driver,
and Performance Issues
Contents:
Lesson 1: Overview of Hardware Troubleshooting 4-3
Lesson 2: Troubleshooting Physical Failures 4-19
Module Overview
Devices have become complex, multifunction peripherals that have evolved from hardware that you install
in your computer to hardware that you connect to your computer via Universal Serial Bus (USB), Bluetooth
wireless technology, and Wi-Fi. To support users with computers running Windows 7, you must
understand how to troubleshoot hardware devices and drivers.
Conducting proactive monitoring of your Windows 7 computers can often help you avoid performance-
related problems. To support your users, it is important that you understand how to optimize Windows 7,
and how to collect and interpret data that pertains to performance characteristics.
Objectives
After completing this module, you will be able to:
Identify basic hardware-related issues.
Lesson 1
Overview of Hardware Troubleshooting
This lesson provides an overview of troubleshooting hardware-related problems, and discusses specific
considerations for using USB and cordless devices on computers that are running Windows 7.
Objectives
After completing this lesson, you will be able to:
Describe hardware-related problems.
Describe how you can use the built-in diagnostic tools to gather hardware information.
Explain Event Forwarding and Subscriptions.
Hardware-Related Problems
Hardware problems occur when a hardware device fails or there is a failure of a device driver that the
hardware device uses. When you are troubleshooting hardware-related problems, you first must
determine whether the underlying cause of the hardware failure is because of a device or driver failure.
Some components are more prone to failure than others. Often, the components most susceptible to
failure are those with moving parts, such as hard-disk drives, cooling fans, power supplies, and optical
drives.
Operating system version incompatibility. Drivers developed for previous Windows operating system
versions might not be completely compatible with Windows 7. To avoid incompatibility issues, always
check for a Windows 7 version of the driver, and use it if available.
Driver bugs. Although hardware vendors use every precaution to ensure that device drivers are free
from error, there occasionally are problems. Ensure that you obtain the latest driver version from the
manufacturer, particularly if the manufacturer has one in which it has fixed previous driver issues. Check
that the device driver carries a signature from a trusted certificate-signing authority.
32-bit and 64-bit issues. Windows 7 is available in both 32-bit and 64-bit editions. Drivers that
manufacturers develop for the 32-bit edition do not work with the 64-bit editions, and vice versa.
Make sure that you obtain the appropriate device driver from the hardware vendor. You will be
unable to install the wrong platform driver.
Early hardware devices required that you have specialized knowledge and tools to install them on your
computer. However, USB devices are much more convenient, and require no special skills or tools to
install. You simply install your new hardware by plugging the device into a free USB port, and then
following the on-screen instructions to install the driver and related software.
But this convenience poses a number of risks, including to your network's security and to the reliability of
the driver's manufacturer.
USB devices represent a potential security risk to your network because a malicious user could place
sensitive or confidential network data onto a mobile device, such as an external hard disk, and then
remove it from the workplace.
Because of the relative simplicity of USB device installation, USB devices can increase management
overhead, and so controlling use of these devices has become an important consideration for
administrators. As the number and variety of these devices increases, so do the associated support and
maintenance costs.
Many organizations restrict employee use of USB devices because of security and management reasons.
However, implementing restrictions on USB devices can affect user productivity, and can have a significant
impact on the hardware troubleshooting process if the person performing the troubleshooting wrongly
diagnoses these restrictions as hardware faults.
Windows 7 uses two methods to control device installation: device identification strings and device setup
classes.
Note You can download and use the DevCon command-line tool to determine the device
identification string for a USB device.
Identification strings are either general or specific. If specific, they identify the device's exact make and
model. There are two types of device identification strings:
Hardware identifiers. Hardware identifiers provide an exact match between a device and a driver
package. The first string in the device identifier list is the individual device's specific identifier.
Additional strings in the list identify the device in more general terms, so Windows 7 can install a
different device revision driver, if the correct one is not available.
Compatible identifiers. Windows 7 uses compatible identifiers to select a device driver only if the
driver store has no available drivers for any of the hardware identifiers that Windows 7 retrieves from
the device. These strings are optional, and they are listed in decreasing order of suitability if the
hardware manufacturer provides them. Typically, the strings are generic, and identify the hardware
device at the component level, such as a Small Computer System Interface (SCSI) hard-disk drive. This
enables Windows 7 to select a generic SCSI driver for the disk drive, but may result in limited device
functionality and slower read/write performance.
Multifunction devices are physical devices that include more than one logical device. Manufacturers
assign hardware identifiers to each logical device. To control installation of multifunction devices, you
specifically must allow or deny all hardware identifiers for each multifunction device.
The following is the relevant portion of an .inf file that Microsoft provides for a keyboard device driver.
[Version]
CatalogFile.NT= type32.cat ;Digital Signing
Signature="$Windows NT$" ;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0
Deny read or write access to users for removable devices or those that use removable media.
Restricting USB device installations can benefit hardware support in several ways:
Simpler data security. By limiting the devices that users can install, you can reduce the risk of data
theft by implementing easily understood and supported procedures. For example, allowing users to
connect only USB flash drives that are password protected provides additional protection for data
that users transfer from the corporate network.
Reduced support costs. You can ensure that users only install devices that your help desk supports. This
benefit reduces support costs and user confusion.
Policy management. Some manufacturers use a range of identifiers for similar device models. When
you have a batch of such devices, you may have difficulty supporting policy restrictions based on
identifiers, and the success of these policies may be inconsistent. For example, although a batch of
devices from a single vendor may appear identical, you should check each device identifier to verify
that the same identifier is used for the batch. If there is a range of identifiers, you need to modify
your Group Policy settings to include all of these identifiers.
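The identifier ordering described above (specific hardware identifiers first, generic compatible identifiers last) and the batch-verification advice in the last item, as an added PowerShell example that is not part of the course material. It assumes Windows 7 with PowerShell 2.0, the standard DeviceInstall\Restrictions policy key, and a constructed sample allow list with placeholder identifiers.

```powershell
# Added example, not course material. Lists the hardware and compatible identifiers
# Windows 7 reports for connected USB devices and checks each device against the
# identifiers an allow-list device installation policy would contain. Run it on each
# device of a batch to confirm that the same identifier is used before writing the GPO.

function Get-UsbDeviceIds {
    # Win32_PnPEntity exposes HardwareID and CompatibleID as string arrays, in the
    # same order Windows uses when matching a driver package (most specific first).
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USB\*' -or $_.DeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                DeviceID      = $_.DeviceID
                HardwareIDs   = @($_.HardwareID)
                CompatibleIDs = @($_.CompatibleID)
            }
        }
}

function Get-PolicyAllowedDeviceIds {
    # Identifiers already applied by "Allow installation of devices that match any of
    # these device IDs". The policy writes them as values named 1, 2, 3 ... (assumption:
    # standard policy registry layout).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
}

function Test-DeviceAllowed {
    param($Device, [string[]]$AllowList)
    # A device is allowed if ANY of its hardware or compatible identifiers is listed;
    # -contains compares case-insensitively, as the policy does.
    foreach ($id in ($Device.HardwareIDs + $Device.CompatibleIDs)) {
        if ($AllowList -contains $id) { return $true }
    }
    return $false
}

# Constructed sample allow list (placeholder identifiers, not real vendor values).
$allowList = @('USB\VID_0000&PID_0001', 'USBSTOR\DiskPlaceholderVendor')
$policyIds = @(Get-PolicyAllowedDeviceIds)
if ($policyIds.Count -gt 0) { $allowList = $policyIds }   # prefer what the GPO applied

Get-UsbDeviceIds | ForEach-Object {
    $status = if (Test-DeviceAllowed -Device $_ -AllowList $allowList) { 'ALLOWED' } else { 'NOT LISTED' }
    '{0,-10} {1}' -f $status, $_.Name
    '           hardware IDs   : ' + ($_.HardwareIDs -join ', ')
    '           compatible IDs : ' + ($_.CompatibleIDs -join ', ')
}
```

A device reported as NOT LISTED on one unit of a batch that is ALLOWED on another is exactly the identifier-range case the text describes, and its hardware identifiers are the values to add to the policy.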
Users can connect many peripherals and devices to their computers by using cordless connections. Two
prominent cordless technologies exist to facilitate these connections: Bluetooth and Wi-Fi.
If you cannot connect a device successfully by using a Wi-Fi or Bluetooth connection, perform the
following steps:
Enable the Wi-Fi and/or Bluetooth receivers in the computer's settings for the basic input/output
system (BIOS).
Turn on the Wi-Fi and/or Bluetooth receiver by using the computer's switches.
Use Device Manager to verify, and if necessary update, the drivers for the computer's Wi-Fi and/or
Bluetooth modules.
Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need
to enable discovery (sometimes also known as visibility) on peripheral devices.
Connections. Enable the Allow Bluetooth devices to connect to this computer setting.
Optionally, you can select the Alert me when a new Bluetooth device wants to connect
setting.
Pairing. In addition to the above settings, some peripherals require that you pair them to your
computer. This process requires that the computer and the device exchange a passcode, or key,
to establish the partnership. You may need to establish this process at either the computer or
peripheral end.
Note The device manufacturer often defines a device's passcode. For example, a Bluetooth
headset does not provide you with a mechanism for defining a passcode. However, 0000
often is the default passcode. For more information, refer to the vendor documentation.
Ensure that the devices are close enough for the signals to communicate.
Configure the devices to use the same wireless protocol and security settings.
Investigate possible sources of interference.
Note Some Bluetooth peripheral devices, such as mice and keyboards, often come with a
small Bluetooth module that you insert into your computer by using a USB port. This USB
Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth
module.
Windows 7 includes a number of tools that you can use to gather information about the hardware
installed on a computer. By becoming familiar with the functionality offered by these tools, you can
identify the most appropriate tool for a particular hardware monitoring or troubleshooting scenario.
Event Viewer
Event Viewer is the starting point for troubleshooting hardware failures. You should check the system log
and the application log for information, warnings, or errors that hardware devices or device drivers
generate. Use Event Viewer to show logs on remote computers and on the local machine.
Event Viewer contains many features that earlier operating systems did not make available, including:
Several new logs. Access logs for many individual components and subsystems.
View multiple logs. You can filter for specific events across multiple logs, which makes it easier to
investigate issues and troubleshoot problems that might appear in several logs.
Customized views. You can use filtering to narrow searches to only events which interest you. You
also can save these filtered views.
Tasks scheduled to run in response to events. Event Viewer integrates with Task Scheduler to allow
automated responses to events.
Create and manage event subscriptions that collect events from remote computers and then store them locally.
Note To collect events from remote computers, you must create an exception in Windows
Firewall to permit Windows Event Log Management.
Event Viewer tracks information in several different logs, each of which provides detailed information.
The built-in logs include those in the following table.
Security log. This log reports the results of auditing when it is enabled. Audit events are described as
successful or failed, depending on the event. An example is whether a user trying to access a file was
successful.
System log. General events logged by Windows components and services, which Windows classifies as
error, warning, or information. Events logged by system components are predetermined by Windows.
Forwarded events. This log stores events collected from remote computers. To collect events from
remote computers, you must create an event subscription.
Applications and Services logs are a new category of event logs that store events from a single application
or component rather than events that might have system-wide impact. This category of logs includes four
subtypes:
Admin
Operational
Analytic
Debug
Admin logs are of interest to Information Technology (IT) professionals who use the Event Viewer to
troubleshoot problems. These logs provide guidance about how to respond to issues, and primarily target
end users, administrators, and support personnel. The events found in the Admin logs indicate a problem
with a well-defined solution that an administrator can implement.
Events in the Operational log also are useful for IT professionals, but they likely require more
interpretation. You can use operational events for analyzing and diagnosing a problem or occurrence, and
trigger tools or tasks based on the problem or occurrence.
Analytic and Debug logs are not as user-friendly. Analytic logs store events that trace an issue, and they
often log a high volume of events. Developers use debug logs when debugging applications.
Note By default, Windows 7 hides and disables both Analytic and Debug logs.
System Information
The System Information tool displays information about a computer, including complete reports on
installed hardware. You can use the System Information tool to look for hardware resource conflicts, and
to determine the resources that a hardware device is using, including the interrupt request (IRQ) line,
memory address range, and the base input/output (I/O) address range.
Device Manager
Device Manager displays information about the hardware installed on your computer, including hardware
resource settings and driver information.
The Reliability Monitor displays Windows 7 reliability over time, and any hardware failures that have
occurred. You can use the Reliability Monitor to identify hardware failure trends, so that you can
replace a device that fails periodically.
The Performance Monitor displays and collects performance information related to hardware devices
installed on the local computer and on remote computers. You can use this information to track
performance deterioration that might be a warning sign of potential hardware failure.
Memory Diagnostics
Windows 7 offers features that help improve system reliability, which improves long-term system
performance. If the Windows 7 Memory Diagnostics tool detects a faulty memory module or parity error,
it displays a message in the system tray that prompts the user to diagnose and fix the problem.
You can use Memory Diagnostics to check the computer's memory during the startup process. You can
choose to restart the computer immediately and perform the check, or to schedule the memory check
during the next computer restart. If you select an immediate check, ensure that you save any work in
progress, and close any open windows before restarting the computer.
Note You must have administrative rights to run the Memory Diagnostics tool.
Action Center
Windows 7 includes the Action Center, which provides a single point of reference for reliability issues.
From the Action Center, you can launch diagnostic tools to troubleshoot hardware problems.
Remote Desktop
An administrator can use Remote Desktop to collect hardware information about a remote computer on
the network. For example, you could use Remote Desktop to run tools that cannot connect to a remote
computer, such as System Information or Reliability Monitor.
Centralized Inventory
Using additional products, including those from both Microsoft and third-parties, you can gather
hardware information from devices across your enterprise network and store the analysis centrally.
Event Forwarding
Windows 7 can collect copies of events from multiple remote computers, and then store them locally. To
specify which events to collect, you can create an event subscription.
Subscriptions specify which events Windows 7 collects, and into which local logs Windows 7 stores them.
The Forwarded Events log exists for this purpose, but Windows 7 can forward events to any log. Once a
subscription is active and Windows collects events, you can view and manipulate forwarded events just
like other locally stored events.
The subscription functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector (Wecsvc) service. Both of these services must be running on computers that are
participating in the forwarding and collecting process. Before you can create a subscription to collect
events on a computer, you must configure both the collecting computer (collector) and each computer
from which events are collected (source).
Enabling Subscriptions
To enable subscriptions, perform the following tasks:
1. On each source computer, run the following command at an elevated command prompt to
enable WinRM:
winrm quickconfig
2. On the collector computer, run the following command at an elevated command prompt to enable
the Wecsvc:
wecutil qc
3. Add the computer account of the collector computer to the local Administrators group on each of
the source computers. This configures the computers to forward and collect events.
Note When you click on Subscriptions in Event Viewer, Windows 7 offers to start and
configure wecsvc.
Note You cannot use Event Viewer to create a subscription while it is connected to a
remote computer.
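As an added example that is not part of the course text, the following Windows PowerShell script, run at an elevated prompt on the collector after the steps above, checks that each source answers WinRM, builds the subscription XML that wecutil consumes, creates a collector-initiated subscription for critical and error events from the sources' System logs, and reads back the forwarded events. The subscription name, computer names and event query are constructed assumptions.

```powershell
# Added example, not from the course: create and verify a collector-initiated
# event subscription on the collector computer (Windows PowerShell 2.0 on Windows 7).
# Assumes the steps above are done: "winrm quickconfig" on each source, "wecutil qc"
# on the collector, and the collector's computer account added to the sources'
# local Administrators group. Names below are constructed placeholders.
$subscriptionId = 'Contoso-System-Errors'
$sources        = @('LON-CL1.contoso.com', 'LON-CL2.contoso.com')

# Pre-flight: every source must answer WinRM, otherwise the subscription lists it as
# inactive in "wecutil gr" and no event ever arrives from it.
$reachable = @()
foreach ($source in $sources) {
    try {
        Test-WSMan -ComputerName $source -ErrorAction Stop | Out-Null
        $reachable += $source
    } catch {
        Write-Warning "WinRM is not reachable on $source; run 'winrm quickconfig' there first."
    }
}
if ($reachable.Count -eq 0) { throw 'No source computer answered WinRM; nothing to subscribe to.' }

# Only critical (Level=1) and error (Level=2) events from the System log, so the
# collector's Forwarded Events log is not flooded with informational noise.
$query = '<QueryList><Query Id="0" Path="System">' +
         '<Select Path="System">*[System[(Level=1 or Level=2)]]</Select>' +
         '</Query></QueryList>'

$eventSources = ($reachable | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`r`n"

# Subscription definition in the XML format that "wecutil cs" reads.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/eventing">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error events from the System log of client computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Create the subscription, then show its configuration and the per-source runtime status.
& wecutil cs $xmlPath
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }
& wecutil gs $subscriptionId
& wecutil gr $subscriptionId

# Forwarded events are ordinary local events: the newest entries, with the source
# computer name, can be read from the Forwarded Events log like any other log.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize
```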
Consider the following questions that relate to troubleshooting hardware. Discuss with the class how you
approach hardware troubleshooting. Provide any hints and tips you have about your approach and how
you handle the end-to-end process.
Discussion Questions
1. A user is unable to connect their cordless mouse to their portable computer. What would you check
first?
2. You just added a new video display to a user's computer. The resolution of the display is very low,
despite being capable of displaying at 1680x1050. What would you check?
3. A user's computer has repeatedly frozen. When this occurs, the computer accepts no input from
keyboard or mouse, and all processing stops. What would you suspect as the problem, and what
steps would you try to resolve the issue?
Outside of component failure, hardware-related problems usually occur when you install a new hardware
device or update a device driver. Common symptoms of a hardware-related problem include spontaneous
computer restarts and error messages on a blue screen.
Verify that the computer carries the Compatible with Windows 7 logo, and that the hardware
components are on the Windows Marketplace Tested Products list. If a problematic hardware
component is not on the Windows Marketplace Tested Products list, replace it with a listed
component.
Remove or disable recently installed device drivers. If you have recently installed a third-party driver
or software package, try removing or disabling it to prevent it from loading, and then restart the
computer. If that does not fix the problem, contact the hardware vendor, and ensure that you have
the latest available driver. If you are using the latest version of the driver, contact the hardware
vendor, and log the issue as a support incident.
Use driver rollback to return to a previous driver version. If a failure occurs after installing an updated
device driver, use the driver rollback feature to return to the previous working driver version:
Access driver rollback from within Device Manager.
Use vendor support. Ensure that you have adequate support agreements and escalation procedures
with the hardware vendor, and then take advantage of this support if a hardware failure occurs. Many
hardware vendors offer extended support options, and will replace failed hardware components
within a certain period, which your organization's Service Level Agreements (SLAs) should specify.
Establish an incident recording procedure. It often is difficult for users to determine the exact
sequence of events that lead to failures. Many IT help desks adopt scripts that facilitate logical
interviewing techniques to determine whether users made changes to their computers prior to the
failure. Using a consistent procedure for recording incidents also aids with diagnosing problems.
Lesson 2
Troubleshooting Physical Failures
Hardware failures can be catastrophic unless you plan for device failure and replacement. You should have
procedures in place so that you can replace failed devices efficiently, especially for your most vulnerable
devices.
Objectives
After completing this lesson, you will be able to:
Many organizations have SLAs and warranties with hardware vendors in place. Before replacing defective
hardware, review any procedures that those SLAs require you to follow to obtain replacement hardware.
Consideration of these factors may enable you to fix the hardware problem more quickly, and reduce the
impact on your users' productivity and the organization's budget.
Warranties
Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial
period, such as 12 months, and covers the hardware against failure during this period. A basic warranty
usually stipulates a next-business-day response for device replacement. For a fee, most hardware vendors
offer additional warranty services with shorter response and replacement times. A typical option may
specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight
hours to provide an on-site fix. Ensure that SLAs are covered by the warranty agreements or other
contracts with the manufacturer or hardware vendor.
Escalation Procedures
Providing appropriate escalation procedures and resources can be as simple as providing a contact
telephone number for the hardware vendor, but also can include providing a customer account number
for the vendor, a particular contact name, and any pertinent contract details. This makes service-desk staff
aware of agreed-upon response times.
Knowing more about the conditions under which vulnerable devices are most likely to fail can help you
avoid those conditions. You can use reliability measures to calculate the probability of failure.
One such measure is mean time between failures (MTBF). MTBF is the average time interval, usually
expressed in thousands or tens of thousands of hours, before a component fails and requires service.
Hard-Disk Drives
There are five main reasons why hard-disk drives fail, leading to potential data loss or corruption:
Logical failure. Examples of logical errors include invalid entries in a file allocation table (FAT) or
master file table (MFT) on the NTFS file system volume. Logical failures are the least severe type of
failure, and you typically can fix them by running the Chkdsk command-line tool with the /f switch.
However, logical errors also can cause corruption and file system loss on a severely fragmented drive.
In such cases, you may need specialized tools to fix the problem.
Mechanical failure. Platters, which are one or more rotating, magnetically-coated disks, store data on
a hard disk. Data is accessed through read/write heads mounted on rotating mechanical arms. One of
the most common mechanical failures occurs when the read/write heads of the hard disk come in
contact, momentarily or continuously, with the hard-disk platters. Additionally, physical shock,
computer movement, static electricity, power surges, or mechanical read/write head failure can cause
head crashes. Hard-disk drives also may fail because of motor problems.
Electronic failure. An electronic failure is a problem with the hard disk's controller board. If the
controller fails, the disk may be undetectable by the system BIOS. Additionally, electronic failure can
occur because of electrical surges that damage the controller board or because of defective board
components. However, you often can recover data because the disk platters and other mechanical
components remain undamaged.
Firmware failure. Hard-disk firmware is code that controls the hardware. It is often stored on a flash
memory chip on the hard-disk controller board. If the firmware becomes corrupt or unreadable, the
computer may be unable to communicate with the disk.
Bad sector. Bad sectors can be logical or physical. A lost cluster is an example of a logical bad sector
that you typically can repair with software tools. Shock or vibrations often cause physical bad sectors.
Most hard-disk drives have firmware that marks bad sectors, and as long as the damage is minor, no
data is lost. You can use drive-monitoring tools to determine when the number of physical bad
sectors is critical enough to replace the drive.
Optical Drives
Optical drives such as CD and DVD drives tend to have shorter life spans than other hardware devices, and
the MTBF is lower than that for a hard-disk drive. Most hardware manufacturers provide a one-year
guarantee on optical drives and a three-year guarantee on hard-disk drives.
The quality of the media used in an optical drive is a significant factor in the drive's lifespan.
Optical drives can fail due to vibration, because they require precise optical alignment in the device to
work properly. You can cause vibration by moving the computer while it is in use, or by operating the
computer in a location that is not stable.
Cooling Fans
The most common cause of failure of cooling fans is dust building up inside the computer and around the
fan area. This accumulation can lead to failures in the fan bearings, motor, or power supply.
System Memory
Memory problems can occur as a result of heat, power surges, or static electricity. You can use the
Windows 7 Memory Diagnostics tool to help identify and resolve memory issues.
Power Supplies
The power supply converts mains alternating current into the low-voltage direct current that the
computer can use. A failing power supply can cause erratic behavior, including computers restarting
randomly, memory errors, or power being supplied to some devices and not others.
On/Off indicator lights are visible, but there is no disk action or screen display.
To minimize the risk of a replacement device failing, adhere to the following guidelines:
When you install a device, take care to minimize the risk of damage during the installation process.
Eliminate support issues by choosing replacement devices that are compatible with Windows 7.
The root cause could be environmental, leading to heat or moisture-related failures. For example, devices
placed in direct sunlight with poor ventilation, or in a damp location where there might be condensation,
may fail after a short time. Alternatively, the root cause could be behavioral, such as users knocking or
kicking the computer.
Windows 7 Compatibility
When you buy a new computer, check for the Compatible with Windows 7 logo. The hardware in a
Windows 7 Compatible computer has been tested to run the Windows 7 operating system with no
problems.
When buying hardware devices for a computer that is running Windows 7, check that the hardware has
the approval of the Windows Logo Program for Windows 7. This means that the hardware has been
tested for Windows 7 compatibility, and that it is listed on the Windows Marketplace website. Windows
Marketplace is an online service that replaces the previous Hardware Compatibility List (HCL).
Lesson 3
Monitoring Reliability and Performance
You can use several methods to collect performance data from your organization's computers. You should
use whichever methods suit your organization's requirements.
Real-time monitoring of computers is useful when you want to determine the effect of performing a
specific action, or to troubleshoot specific events. This type of monitoring also can help you to ensure that
you are meeting Service Level Agreements (SLAs).
Analyzing historical data can be useful for tracking trends over time, determining when to relocate
resources, and deciding when to invest in new hardware to meet your organization's changing
requirements. You should use historical performance data to assist you when you plan future workstation
requirements. If you intend to gather data for historical comparison, it is important to establish a
performance baseline.
Windows 7 provides tools that enable you to identify performance problems. It is important that you
know how to use these performance tools to support your users.
Objectives
After completing this lesson, you will be able to:
Identify bottlenecks by using the Resource Monitor Screen, which provides real-time information.
Resource Monitor provides a snapshot of system performance. Since the four key system components are
processor, memory, disk, and network, Resource Monitor provides a summary of these four components
and a detailed tab for each.
If a user's computer is running slowly, you can use Resource Monitor to view current activity in each of the
four component areas, and make a determination about which of the key components might be causing a
performance bottleneck.
Having determined that a particular component usage is bottlenecked, use the appropriate component
tab to view more information.
Remember that a snapshot of current activity, which Resource Monitor provides, only tells a partial story.
For instance, you might see a peak in activity, which is not representative of average performance.
Performance Monitor enables you to view current performance statistics, or to view historical data that
you gather by using Data Collector Sets, which several upcoming topics detail.
Windows 7 enables you to monitor operating system performance through performance objects and
counters in the objects. Windows 7 collects data from counters in various ways, including:
Maximum value.
Minimum value.
Performance Monitor works by providing you with a collection of objects and counters that record data
about computer resource usage.
There are many counters that you can research and monitor to meet your specific requirements.
Processor>% Processor Time displays the percentage of elapsed time that the specified thread used
the processor to execute instructions. An instruction is the basic unit of execution in a processor, and
a thread is the object that executes instructions. Code executed to handle some hardware interrupts
and trap conditions is included in this count.
Processor>Interrupts/sec displays the rate, in incidents per second, at which the processor received
and serviced hardware interrupts.
Workloads might require access to several different networks that must remain secure. Examples include
connections for:
By monitoring the network performance counters, you can evaluate your network's performance.
The Network Interface>Current Bandwidth counter indicates the current bandwidth being consumed
on the network interface in bits per second (bps). Most network topologies have maximum potential
bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at bandwidths
of 10 Mbps, 100 Mbps, 1 gigabyte (GB) per second, and higher. To interpret this counter, divide the
value given by 1,048,576, which returns the number in megabits per second. If the value approaches
the maximum potential bandwidth of the network, consider implementing a switched network or
upgrading to a network that supports higher bandwidths.
The Network Interface>Output Queue Length counter indicates the current length of the output
packet queue on the selected network interface. A growing value, or one that is consistently higher
than two, may indicate a network bottleneck, which you should investigate.
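As an added example, not from the course, the following Windows PowerShell script samples the processor and network counters described above for ten seconds with Get-Counter, averages them so that a single unrepresentative peak is not mistaken for a bottleneck, and applies the Output Queue Length rule (higher than two) from the text. It treats Current Bandwidth as the interface's nominal speed and Bytes Total/sec, converted to bits, as the traffic carried, which is how the utilization ratio is formed; the 85% processor and 70% utilization thresholds are assumptions.

```powershell
# Added example, not from the course: sample the counters discussed above for a
# short window and flag bottleneck indicators. The Output Queue Length rule (> 2)
# is from the text; the 85% processor and 70% utilization thresholds are assumptions.
$counterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\Interrupts/sec',
    '\Network Interface(*)\Current Bandwidth',
    '\Network Interface(*)\Bytes Total/sec',
    '\Network Interface(*)\Output Queue Length'
)

# Ten samples one second apart: one snapshot may catch an unrepresentative peak.
$sampleSets = Get-Counter -Counter $counterPaths -SampleInterval 1 -MaxSamples 10

# Collect the cooked values per counter path (Get-Counter reports paths in lower case).
$series = @{}
foreach ($set in $sampleSets) {
    foreach ($sample in $set.CounterSamples) {
        $key = $sample.Path.ToLower()
        if (-not $series.ContainsKey($key)) { $series[$key] = @() }
        $series[$key] += [double]$sample.CookedValue
    }
}

function Get-SeriesAverage([string] $path) {
    ($series[$path] | Measure-Object -Average).Average
}

# Averages over the sampling window, one row per counter instance.
$series.Keys | Sort-Object | ForEach-Object {
    New-Object PSObject -Property @{ Counter = $_; Average = [math]::Round((Get-SeriesAverage $_), 2) }
} | Format-Table Counter, Average -AutoSize

$findings = @()
foreach ($path in $series.Keys) {
    $avg = Get-SeriesAverage $path
    if ($path -like '*\% processor time' -and $avg -gt 85) {
        $findings += "Processor: % Processor Time averages $([math]::Round($avg, 1))%; the processor may be the bottleneck."
    }
    if ($path -like '*\output queue length' -and $avg -gt 2) {
        $findings += "Network: $path averages $([math]::Round($avg, 2)), above 2; investigate a network bottleneck."
    }
    if ($path -like '*\current bandwidth') {
        # Current Bandwidth is in bits per second; Bytes Total/sec is converted to bits
        # so that both sides of the utilization ratio use the same unit.
        $bytesPath = $path.Replace('\current bandwidth', '\bytes total/sec')
        if ($avg -gt 0 -and $series.ContainsKey($bytesPath)) {
            $utilization = [math]::Round(100 * 8 * (Get-SeriesAverage $bytesPath) / $avg, 1)
            $linkMbps    = [math]::Round($avg / 1048576, 2)   # divisor used in the text
            Write-Output "$path : $linkMbps Mbps link, $utilization% in use"
            if ($utilization -gt 70) {
                $findings += "Network: $path is $utilization% utilized; consider a switched or faster network."
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No bottleneck indicators in this sampling window.' } else { $findings }
```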
A Data Collector Set is the foundation of Windows 7 performance monitoring and reporting in
Performance Monitor.
Data Collector Sets enable you to gather system and performance-related statistics for analysis by using
tools within Performance Monitor or third-party tools.
While it is useful to analyze current performance activity on a Windows 7 computer, you might find it
more useful to collect performance data over a period of time, and then analyze and compare it with data
that you gathered previously. This data comparison enables you to make determinations about resource
usage, as well as plan for growth, and identify potential performance problems.
Data Collector Sets can contain the following types of data collectors:
Event trace data. Provides information about system activities and events, which often is useful for
troubleshooting.
System configuration information. Enables you to record the current state of registry keys and to
record changes to those keys.
You can create a Data Collector Set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting individual data collectors, and then setting each individual
option in the Data Collector Set properties.
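As an added example, not from the course, the following Windows PowerShell script creates a performance counter Data Collector Set for a baseline by using logman, the command-line front end to the same Data Collector Sets that Performance Monitor shows, and then compares a later capture against the stored baseline, which is the historical comparison the text recommends. The set name, counters, interval, paths and the 25% deviation threshold are assumptions.

```powershell
# Added example, not from the course: create a baseline Data Collector Set with
# logman and later compare a new capture against it. The set name, counters,
# interval, paths and the 25% deviation threshold are assumptions.
$setName  = 'PerfBaseline'
$logDir   = 'C:\PerfLogs\Baseline'
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# A performance counter collector: one sample every 15 seconds into a circular binary
# log (.blg) capped at 100 MB, so a long-running baseline cannot fill the disk.
& logman create counter $setName -c $counters -si 00:00:15 -f bincirc -max 100 -o "$logDir\$setName" -v mmddhhmm
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
& logman start $setName
& logman query $setName          # status, counters and output path of the set

# Collect for a representative period (a full working day for a baseline), then:
#   & logman stop $setName
#   & relog "$logDir\<file>.blg" -f CSV -o "$logDir\baseline.csv"
# Repeat later to produce current.csv and compare the two captures with the functions below.

# relog's CSV has the timestamp in the first column and one column per counter path.
function Get-CounterAverages([string] $csvPath) {
    $rows = @(Import-Csv -Path $csvPath)
    $averages = @{}
    if ($rows.Count -eq 0) { return $averages }
    $columns = $rows[0].PSObject.Properties | Select-Object -ExpandProperty Name | Select-Object -Skip 1
    foreach ($column in $columns) {
        $values = $rows | ForEach-Object { $_.$column } |
                  Where-Object { $_ -match '^-?[\d.]+$' } | ForEach-Object { [double]$_ }
        if ($values) { $averages[$column] = ($values | Measure-Object -Average).Average }
    }
    return $averages
}

function Compare-Baseline([string] $baselineCsv, [string] $currentCsv, [double] $thresholdPct = 25) {
    $baseline = Get-CounterAverages $baselineCsv
    $current  = Get-CounterAverages $currentCsv
    foreach ($counter in ($baseline.Keys | Sort-Object)) {
        if (-not $current.ContainsKey($counter) -or $baseline[$counter] -eq 0) { continue }
        $changePct = 100 * ($current[$counter] - $baseline[$counter]) / $baseline[$counter]
        $flag = if ([math]::Abs($changePct) -gt $thresholdPct) { '  <-- investigate' } else { '' }
        '{0}: baseline {1:N2}, current {2:N2} ({3:+0.0;-0.0}%){4}' -f $counter, $baseline[$counter], $current[$counter], $changePct, $flag
    }
}

# Once both CSV files exist:
# Compare-Baseline "$logDir\baseline.csv" "$logDir\current.csv"
```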
Reliability Monitor provides you with a system-stability overview and trend analysis. Additionally, it
provides detailed information about individual events that may affect the system's overall stability, such as
software installations, operating-system updates, and hardware failures. It begins collecting data when the
system is installed.
You can use Reliability Monitor to help answer important questions about changes on a user's computer,
such as software installations, driver updates, and application failures. Reliability Monitor records these
changes, and it may indicate recent system changes.
The monitor displays a line chart with points on it that represent dates and icons that indicate events such
as errors, warnings, and informational occurrences. Clicking on a point shows you event details for that
day.
Application failures.
Windows failures.
Miscellaneous failures.
Warnings.
Information.
Lesson 4
Configuring Performance Options in Windows 7
It is important to optimize your users' Windows 7 computers to enhance performance, rather than waiting
to take action when the computers perform badly.
Objectives
After completing this lesson, you will be able to:
Describe how Windows uses resources, which can affect throughput.
The four main hardware components that you should monitor in a Windows 7-based computer are:
Processor
Disk
Memory
Network
Understanding how the operating system utilizes these four key hardware components, and how they
interact, can help you understand how to optimize workstation performance.
The workstation role and workload to determine which hardware components are likely to restrict
performance.
The ability to increase workstation performance by adding power or reducing the number of
applications that the user is running.
Processor
One important factor in determining your computer's overall processor capacity is processor speed, which
is determined by the number of operations that it performs over a specific time period. Computers with
multiple processors, or processors with multiple cores, generally perform processor-intensive tasks with
greater efficiency, and as a result are faster, than single-processor or single-core computers.
Processor architecture is also important. 64-bit processors can access more memory and have a significant
positive effect on performance. This is true especially when applications running on your users'
workstations require a large amount of memory.
Disk
Hard disks store programs and data. Consequently, the throughput of a workstations disk affects its
speed, especially when the workstation is performing disk-intensive tasks. Most hard disks have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.
By selecting faster disks, and by using collections of disks to optimize access times, you can alleviate the
potential for the disk subsystem to create a performance bottleneck.
It also is important to remember that Windows 7 moves information on the disk into memory before it
uses it. If there is a surplus of memory, the Windows 7 operating system creates a file cache for items
recently written to, or read from, disks. Installing additional memory in a workstation often improves the
disk subsystem performance, because accessing the cache is faster than moving the information into
memory.
Memory
Programs and data load from disk into memory before the program manipulates the data. In workstations
that run multiple programs, or where datasets are very large, installing more memory can improve
workstation performance.
Windows 7 uses a memory model which does not reject excessive memory requests. Instead, Windows 7
handles them by using a process known as paging. During paging, Windows 7 moves the data and
programs in memory that processes are not currently using to the paging file on the hard disk. This frees
up physical memory to satisfy the excessive memory requests, but because a hard disk is comparatively
slow, it has a negative effect on workstation performance. By adding more memory, and by using a 64-bit
processor architecture that supports larger memory, you can reduce the need for paging.
Network
You easily can underestimate how a network that is performing poorly can affect workstation
performance, because it is not as easy to see or to measure as the other workstation components.
However, the network is a critical component for performance monitoring, because network devices store
so many of the application programs and data being processed.
Understanding Bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package also may cause a bottleneck.
By using performance-monitoring tools on a regular basis, and comparing the results to your baseline and
to historical data, you can identify performance bottlenecks before they impact users.
Once you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:
A computer suffering from a severe resource shortage may stop processing user requests, which requires
immediate attention. However, if your computer experiences a bottleneck but still operates within
acceptable limits, you might decide to defer any changes until you resolve the situation, or until you have
an opportunity to take corrective action.
Question: Which hardware components are most likely to restrict performance for a
Windows 7 computer?
For most single-disk-drive computers running Windows 7, it typically is adequate to leave the pagefile
settings at the default values. Under normal circumstances, you gain little benefit by adjusting these
values. However, if your Windows 7 computer has more than one disk, you may gain a performance
benefit by following these guidelines:
Create the paging file on a different physical disk than the operating system disk. Paging is a disk-
intensive task. If you distribute the disk load across all of your computer's available disks, you
minimize the likelihood of performance bottlenecks affecting the disk subsystem. By optimizing the
disk subsystem, you can make the paging process as efficient as possible.
Configure a fixed-size paging file. A paging file that can grow on the disk might encompass
fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that the
paging file does not encompass fragmented areas.
Ensure that the disk volume is not fragmented when you create the paging file. If you want to create
a fixed-size paging file on a computer that already has a paging file, ensure that you do not create a
paging file that encompasses fragmented areas of the disk. Additionally, you must configure the
computer to use no paging, and then defragment the volumes, before you create a fixed-size paging
file.
When you configure the paging file, ensure that its size is sufficiently large. Recommendations specify
that an initial paging file should be equivalent to the amount of installed memory, and a maximum
paging file size that is equal to twice the initial value. Consequently, you should create a fixed-size
paging file that is equal to or twice the size of the physical memory.
Note For computers with 2 GB of physical memory running 32-bit versions of Windows 7,
there is no particular benefit in configuring a paging file larger than 2 GB.
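As an added example, not from the course, the following Windows PowerShell script applies the guidelines above through the Win32_ComputerSystem and Win32_PageFileSetting WMI classes: it turns off automatic paging file management, removes paging files from other drives, and creates a fixed-size paging file equal to physical memory on a second disk. The drive letter, the size multiplier and the extension of the 2 GB note to 32-bit computers with 2 GB or more are assumptions.

```powershell
# Added example, not from the course: configure a fixed-size paging file on a second
# physical disk following the guidelines above. Run from an elevated prompt; the new
# setting takes effect after a restart. Drive letter and multiplier are assumptions.
$pagefileDrive = 'D:'   # assumed second physical disk, defragmented beforehand
$multiplier    = 1      # 1 = equal to physical memory, 2 = twice physical memory

if ($pagefileDrive -eq $env:SystemDrive) { throw 'Place the paging file on a disk other than the operating system disk.' }
if (-not (Test-Path "$pagefileDrive\")) { throw "Drive $pagefileDrive does not exist." }

$cs = Get-WmiObject -Class Win32_ComputerSystem
$os = Get-WmiObject -Class Win32_OperatingSystem

# Win32_PageFileSetting sizes are expressed in MB.
$ramMB  = [int][math]::Round($cs.TotalPhysicalMemory / 1MB)
$sizeMB = $ramMB * $multiplier

# Per the note above, a 32-bit Windows 7 computer with 2 GB of memory gains nothing from
# a paging file larger than 2 GB; applying that cap at 2 GB or more is an assumption.
if ($os.OSArchitecture -eq '32-bit' -and $ramMB -ge 2048 -and $sizeMB -gt 2048) { $sizeMB = 2048 }

# Step 1: turn off "Automatically manage paging file size for all drives".
if ($cs.AutomaticManagedPagefile) {
    $cs.AutomaticManagedPagefile = $false
    $cs.Put() | Out-Null
}

# Step 2: remove paging files on other drives so that paging load leaves the OS disk.
# Caveat: a kernel or complete memory dump after a blue screen needs a paging file on the
# system drive; keep one there if you rely on those dumps.
Get-WmiObject -Class Win32_PageFileSetting |
    Where-Object { $_.Name -notlike "$pagefileDrive*" } |
    ForEach-Object { Write-Output "Removing $($_.Name)"; $_.Delete() }

# Step 3: create the fixed-size file. InitialSize = MaximumSize means it cannot grow later
# and therefore cannot spread into fragmented areas of the volume.
$existing = Get-WmiObject -Class Win32_PageFileSetting | Where-Object { $_.Name -like "$pagefileDrive*" }
if ($existing) {
    $existing.InitialSize = $sizeMB
    $existing.MaximumSize = $sizeMB
    $existing.Put() | Out-Null
} else {
    Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{
        Name        = "$pagefileDrive\pagefile.sys"
        InitialSize = $sizeMB
        MaximumSize = $sizeMB
    } | Out-Null
}

# Verify the configuration that will apply after the next restart.
Get-WmiObject -Class Win32_PageFileSetting | Format-Table Name, InitialSize, MaximumSize -AutoSize
Write-Output "Fixed paging file of $sizeMB MB configured on $pagefileDrive (physical memory: $ramMB MB). Restart to apply."
```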
Portable computer users want to conserve their computer's battery life, while maintaining optimum
system performance. This is not a concern for users of desktop computers. However, by default, Windows
7 uses the same initial power management settings for both portable and desktop computers, even
though the requirements for the two computer types are different.
Power Plans
In Windows 7, you can use power plans to help you maximize computer and battery performance. By
using power plans, you can change a variety of system settings to optimize power or battery usage,
depending on the scenario. There are three default power plans, which the following table outlines.
High performance plan. This plan provides the highest level of performance on a mobile computer by
adapting processor speed to your work or activity, and by maximizing system performance.
Each plan provides alternate settings for AC or DC power. The three plans differ with regards to power
and performance, as follows:
The power saver plan reduces power usage by lowering the performance.
The high performance plan causes your computer to consume more power by increasing system
performance.
The balanced plan provides the best balance between power and performance.
Optimizing Performance
When configuring power options to optimize performance, use the following guidelines:
For desktop computers, you should consider changing the power plan to use the High performance
plan.
To optimize performance, you can create your own power plan by configuring the settings manually
as follows:
Avoid Hibernate and Hybrid Sleep options. These power-saving options work by saving the computer
state, or part of the computer state, to the hard disk in a file called Hiberfil.sys. This can cause
fragmentation on your hard disk, and Windows 7 Defragmenter cannot defragment this file.
Most hard disks have moving parts, and are consequently slower than other storage technologies. To
optimize disk subsystem throughput, consider the general points in the following table.
Ensure that you enable write-caching. You can use Device Manager to examine the properties of any
installed disks and to verify that write-caching is enabled.
Minimize the frequency of paging. Adding physical memory to a computer that is paging excessively
reduces the load on the disk subsystem.
Distribute the memory load across all available disks. If your computer has multiple physical disks,
consider distributing disk-intensive activities across these disks. For example, you can install the
operating system and applications on one disk, the paging file on another, and your data files on a
third disk.
Implement faster disks. Disk speed is measured in revolutions per minute (rpm), and average seek times
are measured in milliseconds. Install 7200 rpm disks or faster, and choose disks with the lowest seek
time.
Consider using solid-state disks (SSDs). SSD disks use flash memory technology and have no moving
parts. They can operate faster than more traditional disks, but they are more expensive. Research the
specific vendor and model of disk carefully. Some disks provide higher write performance, some provide
higher read performance, and some provide neither, providing power-saving benefits instead.
Consider implementing a performance-enhancing disk array. You can combine physical disks into a
single volume, distributing the disk activity across all the disks in the array. Windows 7 provides a
capability in Disk Management to combine disks in this manner. However, it often is better to buy a
disk array from a storage vendor, and handle the data striping by using the hardware in the array.
Defragment volumes that are used heavily. You can use either the built-in disk defragmentation tool or
third-party tools, some of which support the defragmentation of files such as Hiberfil.sys and
Pagefile.sys. Note that the likelihood of disk volume fragmentation increases as the disk volume
becomes filled.
Lesson 5
Troubleshooting Device Driver Failures
A driver is a small software program that allows the computer to communicate with hardware or devices.
A hardware device works only if its device driver is installed correctly and functioning properly. Remember
that drivers are specific to operating systems.
A driver failure can render even the most sophisticated and expensive device useless. Malfunctioning
device drivers also can affect other hardware and may stop the computer from operating properly.
This lesson focuses on troubleshooting problems related to hardware device drivers, which can include:
Objectives
After completing this lesson, you will be able to:
Windows 7 makes it possible for users to install their own device drivers, but this can potentially introduce
security and reliability problems. As an administrator, you can copy driver packages to a protected area of
a user's computer, called the driver store. A standard user, without any special user rights, then can install
drivers from the driver store. You also can configure the client computer to search particular local or
network folders automatically when a new device is attached, so that Windows does not prompt the user
to insert media.
The driver store, in conjunction with driver signing, increases computer security by ensuring that standard
users can install only those driver packages that you authorize and trust.
Driver Packages
A driver package is a set of files that make up a driver.
The catalog (.cat) file that contains the digital signature of the device driver.
Installing a driver is a two-stage process:
1. Install the driver package into the driver store. You must use administrator credentials to perform this
step.
2. Attach the device, and install the driver. A standard user can perform this step.
Driver Store
The driver store is the Windows 7 driver repository. Because the driver store is a trusted location, when
compatible hardware is connected, Windows 7 installs the appropriate driver automatically from the
store's cache of device drivers.
Because standard users can install any device driver from the driver store, users can install common
hardware accessories without calling the help desk. An original equipment manufacturer (OEM) or IT
administrator can preload the driver store with the necessary drivers for commonly used peripheral
devices. The driver store is located in systemroot\System32\DriverStore.
During hardware installation, if there is no appropriate driver either in the driver store or available from
Windows Update, and the user does not have a device driver on removable media, then Windows 7
reports an unknown device.
Driver Signing
Because device drivers run with system-level privileges and can access anything on the computer, it is
critical to trust device drivers that are installed. Trust, in this context, includes two main principles:
Authenticity: a guarantee that the package came from its claimed source.
Integrity: an assurance that the package is completely intact and was not modified after its release.
Digital signatures allow administrators and end users who are installing Windows-based software to know
that a legitimate publisher is providing the software package. A digital signature is an electronic security
mark that identifies the software's publisher, and a warning is displayed if someone changes the original
contents of the driver package. If a publisher signs a driver, you can be confident that the driver comes
from that publisher and has not been altered.
A digital signature uses the organization's digital certificate to encrypt specific details about the package.
The encrypted information in a digital signature includes a thumbprint for each file that the package
includes. A special cryptographic algorithm, known as a hashing algorithm, generates the thumbprint. The
algorithm generates a code that only the file's contents can create, and changing a single bit in the file
changes the thumbprint. After generating the thumbprint for each file, the publisher combines the
thumbprints into a catalog and encrypts them.
Microsoft uses digital signatures to indicate that a driver is certified for use with Windows 7. Windows 7
checks for a driver's digital signature during installation, and prompts the user if no signature is available.
As the domain administrator, you should configure Group Policy to block the installation of device drivers
that do not have a digital signature. The signature file is stored as a .cat file with the driver file.
Use the Sigverif.exe tool to scan for unsigned drivers on a computer that runs Windows 7.
If you have determined that the probable cause of a reported problem is with a device driver, you might
find it necessary to disable that particular device driver. Windows 7 has several methods that you can use
to disable device drivers.
2. Right-click the device driver that you want to disable, and then click Disable.
The difference between disabling a device and uninstalling it is that when you disable a device, you are
disabling only the driver. The hardware configuration does not change, and the driver software is not
removed from the computer, as it would be if you uninstalled the device.
Note If a device appears to have failed, and Device Manager displays a problem with the
device, you can uninstall the device. Windows then detects the device, and installs the driver
again. This may resolve the problem.
Floppy disk
Hard disk
Keyboard
Mouse
Start the computer in Safe Mode if the failure of a device driver is preventing the operating system from
starting. You then can troubleshoot the device driver, which might involve disabling the problem device
before you attempt to restart the computer in Normal Mode.
In this practice, you will install a new driver, which then creates a problem with the computer's
configuration. You will attempt to roll back the driver by shutting down the computer and accessing the
Advanced Boot Options menu to select Last Known Good.
Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice,
you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Password: Pa$$w0rd
Detailed Steps
4. In Device Manager, expand Keyboards, and then click Standard PS/2 Keyboard.
6. In the Standard PS/2 Keyboard Properties dialog box, click the Resources tab. You can see the IRQ
and I/O Range that the device is using.
7. Click the Driver tab. You can see there is no option to roll back the driver.
9. In the Update Driver Software - Standard PS/2 Keyboard Wizard, click Browse my computer for
driver software.
10. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
11. On the Select the device driver you want to install for this hardware page, click Have Disk.
12. In the Install From Disk dialog box, in the Copy manufacturer's files from box, type
D:\Labfiles\Mod04\keyboard driver\type32, and then click OK.
13. In the Model list, click Microsoft Keyboard Elite for Bluetooth (106/109) (IntelliType Pro), and
then click Next.
14. In the Update Driver Warning dialog box, click Yes, and when prompted, click Close.
15. In the Microsoft Keyboard Elite for Bluetooth (106/109) (IntelliType Pro) dialog box, click Close.
Password: Pa$$w0rd
You are not successful, and you cannot use the Ctrl+Alt+Delete keyboard shortcut because the driver is
incompatible.
2. On your host, in the 6293A-NYC-CL1 on Localhost Virtual Machine Connection dialog box, on
the Action menu, click Shut Down.
3. On your host, in the 6293A-NYC-CL1 on Localhost Virtual Machine Connection dialog box, on
the Action menu, click Start.
4. While the computer is starting up, press F8 immediately to access the Advanced Boot Options
menu.
Note You can use Last Known Good to roll back the driver. You also can use Safe Mode,
and roll back the driver manually. Additionally, if you enable System Restore, you can use a
restore point to roll back to a point in time prior to the driver update. In this instance, Safe
Mode will be unsuccessful because the keyboard driver will still be used, which prevents you
from logging on.
5. In the Advanced Boot Options menu, select Last Known Good Configuration (advanced), and
then press Enter.
6. After the computer restarts, attempt to log on with the following credentials:
Password: Pa$$w0rd
9. In Device Manager, expand Keyboards, and then click Standard PS/2 Keyboard.
10. Right-click Standard PS/2 Keyboard, and then click Properties.
11. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab. You can see there is no
option to roll back the driver. This is because Last Known Good has rolled back the driver.
Note If you log on after restarting when you have installed or updated a driver, Last Known
Good no longer is a viable option. This is because Last Known Good is overwritten with the
CurrentControlSet during the logon process.
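The mechanism in the note can be inspected directly, because Last Known Good is only a pointer held in HKLM\SYSTEM\Select. The following PowerShell is an added example (not part of the course material) that reads which ControlSet00N is Current and which is Last Known Good, then compares a driver service's Start type and ImagePath between the two; the service name i8042prt (the inbox PS/2 port driver) is used here only as an illustrative choice.

```powershell
# Added example, not part of the course material.
# Last Known Good (LKG) is a pointer: HKLM\SYSTEM\Select records which
# ControlSet00N is Current and which one LKG refers to. After a successful
# logon Windows copies CurrentControlSet over the LKG set, which is why the
# note above says LKG is no longer viable once you have logged on.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function ConvertTo-ControlSetName {
    # 2 -> 'ControlSet002'; 0 means "none" (used by Select\Failed).
    param([int]$Number)
    if ($Number -gt 0) { 'ControlSet{0:D3}' -f $Number } else { $null }
}

function Get-ControlSetState {
    # Which control sets Select\Current, Default, LastKnownGood and Failed point at.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    New-Object PSObject -Property @{
        Current       = ConvertTo-ControlSetName $sel.Current
        Default       = ConvertTo-ControlSetName $sel.Default
        LastKnownGood = ConvertTo-ControlSetName $sel.LastKnownGood
        Failed        = ConvertTo-ControlSetName $sel.Failed
    }
}

function Get-DriverServiceConfig {
    # Reads a driver service's Start type and ImagePath from one control set.
    param([string]$ControlSet, [string]$ServiceName)
    $key = "HKLM:\SYSTEM\$ControlSet\Services\$ServiceName"
    if (-not $ControlSet -or -not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    $start = if ($p.Start -ne $null) { $StartNames[[int]$p.Start] } else { $null }
    New-Object PSObject -Property @{
        ControlSet = $ControlSet; Start = $start; ImagePath = $p.ImagePath
    }
}

function Test-LkgWouldRevertDriver {
    # True when the LKG copy of the driver service still differs from Current,
    # i.e. restarting with LKG would undo the change. False means a logon has
    # already overwritten LKG and a restore point or Safe Mode is needed instead.
    param([string]$ServiceName)
    $state = Get-ControlSetState
    $cur = Get-DriverServiceConfig -ControlSet $state.Current -ServiceName $ServiceName
    $lkg = Get-DriverServiceConfig -ControlSet $state.LastKnownGood -ServiceName $ServiceName
    if ($state.Current -eq $state.LastKnownGood) { return $false }
    if (($cur -eq $null) -ne ($lkg -eq $null)) { return $true }   # present in only one set
    if ($cur -eq $null) { return $false }                          # in neither set
    return ($cur.Start -ne $lkg.Start) -or ($cur.ImagePath -ne $lkg.ImagePath)
}

# i8042prt is the inbox PS/2 port driver service, chosen here only as an example.
$svc = 'i8042prt'
Get-ControlSetState | Format-List
Get-DriverServiceConfig -ControlSet (Get-ControlSetState).Current -ServiceName $svc | Format-List
"LKG would revert ${svc}: $(Test-LkgWouldRevertDriver -ServiceName $svc)"
```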
Device driver packages can include a digital signature. You should not allow anyone to install unsigned
device drivers on computers that are running Windows 7. By default, only administrators can install
unsigned device drivers. You can use Group Policy to prevent anyone else from installing unsigned drivers.
Driver Signatures
A device's hardware manufacturer typically provides a driver signature, but you also can use a Software
Publishing Certificate (SPC), if your organization has one, to add your own digital signature to drivers that
you have tested and that you trust. Unsigned device drivers could cause stability issues that you
experience on a computer after installing a new hardware device. Identifying and removing unsigned
device drivers is an essential step in the troubleshooting process.
1. Run Sigverif to scan for unsigned drivers, and then review the resulting log file.
3. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.
If this resolves the problem, then the unsigned driver most likely was causing the problem. You then
should try to obtain a signed driver from the hardware vendor, or replace the hardware with a device that
is compatible with Windows 7.
You also can obtain a basic list of signed and unsigned device drivers from a command prompt by
running the driverquery command with the /si switch.
When you install a device driver from an INF-based installation or from a setup application, the driver
package is copied automatically into the driver store. However, you also can add device driver packages
manually by using the Windows 7 Pnputil.exe tool. Pnputil.exe is an important troubleshooting tool that
you can use to add driver packages, remove unnecessary or problem driver packages, and list all the
driver packages that are in the driver store.
4. Windows 7 checks the driver's integrity and digital signature, and then copies the driver into the
driver store.
Note The Pnputil.exe tool only runs at a command prompt with elevated user rights. The
tool cannot invoke the User Account Control dialog box.
Adds a driver to the driver store, and installs the driver in the same operation.
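Pnputil -e prints one text block per staged package, so its output can be turned into objects and audited for packages whose signer you do not trust, which complements the Sigverif.exe and driverquery /si checks described in the previous topic. The PowerShell below is an added example (not course material and not part of Pnputil.exe); the field labels it recognizes are assumed from Pnputil's Windows 7 output, and the sample listing is constructed so the parser can be run offline.

```powershell
# Added example, not part of the course material or of Pnputil.exe itself.
# pnputil -e prints one text block per staged driver package. Parsing those
# blocks into objects lets you audit the driver store for packages whose signer
# you do not trust, complementing Sigverif.exe and driverquery /si.

function ConvertFrom-PnpUtilEnum {
    # Parses 'Label : value' blocks separated by blank lines. Labels differ a
    # little between Windows versions (assumed forms: 'Published name',
    # 'Driver package provider', 'Class', 'Driver date and version', 'Signer name').
    param([string[]]$Lines)
    $packages = @()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            if ($cur) { $packages += $cur; $cur = $null }   # blank or banner line ends a block
            continue
        }
        $label = $matches[1].ToLower()
        $value = $matches[2]
        if ($label -match 'published name') {
            if ($cur) { $packages += $cur }
            $cur = New-Object PSObject -Property @{
                PublishedName = $value; Provider = ''; Class = ''; Version = ''; Signer = '' }
        }
        elseif ($cur -eq $null)                  { continue }   # text before the first block
        elseif ($label -match 'provider')        { $cur.Provider = $value }
        elseif ($label -match '^class( name)?$') { $cur.Class = $value }
        elseif ($label -match 'version')         { $cur.Version = $value }
        elseif ($label -match 'signer')          { $cur.Signer = $value }
    }
    if ($cur) { $packages += $cur }
    return $packages
}

function Get-UntrustedDriverPackage {
    # Staged packages whose signer is blank or not on the allow list.
    param([object[]]$Packages, [string[]]$TrustedSigners)
    $Packages | Where-Object { $_.Signer -eq '' -or ($TrustedSigners -notcontains $_.Signer) }
}

# Constructed sample of pnputil -e output (not captured from a real machine).
$sample = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Microsoft
Class :                     Printers
Driver date and version :   06/21/2006 6.1.7600.16385
Signer name :               Microsoft Windows

Published name :            oem1.inf
Driver package provider :   Contoso Peripherals
Class :                     Mouse
Driver date and version :   01/15/2011 2.0.0.1
Signer name :
'@ -split "`r?`n"

$trusted = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')
$parsed  = ConvertFrom-PnpUtilEnum -Lines $sample
Get-UntrustedDriverPackage -Packages $parsed -TrustedSigners $trusted |
    Format-Table PublishedName, Provider, Class, Signer -AutoSize

# On a client (from an elevated prompt, as the note below requires), use the live listing:
#   $live = ConvertFrom-PnpUtilEnum -Lines (pnputil -e)
#   Get-UntrustedDriverPackage -Packages $live -TrustedSigners $trusted
```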
In this practice, you will install a driver into the driver store. This makes the driver available for standard
users to install, if necessary. First, you will see that a standard user, Adam, lacks the permissions to install
drivers. Next, you will add the driver to the store.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Detailed Steps
Password: Pa$$w0rd
Domain: Contoso
4. Right-click point32 (the setup information file), and then click Install.
Task 2: Extract and install the driver into the driver store
1. Log off, and then log on with the following credentials:
Password: Pa$$w0rd
2. Click Start, and in the Search box, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
D:
4. At the command prompt, type the following command, and then press Enter:
Cd\labfiles\mod04\mouse driver\
5. At the command prompt, type the following command, and then press Enter:
Pnputil -a point32\*.inf
6. At the command prompt, type the following command, and then press Enter:
Pnputil -e
Note A standard user now would plug in the hardware device. The driver would be
available automatically. This is not possible within the virtual machine environment.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
If you have a hardware device that does not come with a Windows 7 driver, consider different factors
before deciding to use a legacy device driver. Legacy drivers that were developed for previous Windows
versions might not work in Windows 7, or they might cause interoperability problems with other devices.
Compatibility Issues
Obtain a device driver written specifically for Windows 7 to maximize the benefit of the architectural
improvements. Otherwise, check with the hardware vendor to find out if there are known issues when
using a driver designed for earlier Windows versions on a computer that is running Windows 7.
Compatibility issues can include:
Installation. The driver might not install in the same way as in previous Windows versions. For
example, the user access protection feature may complicate the Windows 7 Finish-Install process.
Loading. The driver might not load the same way as in previous Windows versions. For example, the
64-bit Windows 7 editions do not load unsigned drivers.
Run time. The driver might not run the same way as in previous Windows versions. Run-time
compatibility problems include a range of issues that can occur during run time. Some issues are
quite serious, and others are relatively minor.
Functionality. The driver runs, but its behavior might differ significantly from that in earlier Windows
versions. For example, Network Driver Interface Specification (NDIS) 5.x drivers must go through a
translation layer that reduces their performance. Similarly, display drivers for the Windows XP
operating system, which are based on the display driver model of the Microsoft Windows 2000
Server operating system, may function in Windows 7. However, upon use, they may not display
premium content such as HD-DVD video, and cannot support the Microsoft Windows Aero user
experience.
Testing Issues
If you cannot obtain a device driver written for Windows 7, you can try a Windows Vista or Windows XP
driver. Thoroughly test any driver not written specifically for Windows 7 prior to using it with Windows 7.
Many driver-installation errors can occur when you use a device driver that was not developed specifically
for Windows 7, particularly in the following categories:
The following table lists common installation error messages that you may encounter during testing.
Error                                Problem
80070002:ERROR_FILE_NOT_FOUND        The driver package .inf file references a file that is missing or does not exist.
80070003:ERROR_PATH_NOT_FOUND        The driver package .inf file specifies a tag file path that is missing or does not exist.
80070005:ERROR_ACCESS_DENIED         The driver package is in a location that has an ACL that is too restrictive.
800F0233:SPAPI_E_INVALID_TARGET      The driver package has one or more incorrect tag file references in the .inf file.
8028006E:CMIeInfinvalidSourcePath    The driver package does not specify the correct path in the .inf file.
MCT USE ONLY. STUDENT USE PROHIBITED
Troubleshooting Hardware Device, Device Driver, and Performance Issues 4-59
You can use Group Policy objects (GPOs) to configure a number of settings that control installation of
devices and device drivers. The following table identifies the relevant Group Policy settings.
In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System,
Driver Installation.
Turn off Windows Update device driver search prompt: Determines whether the administrator is prompted
to search Windows Update for drivers during device installation.
In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System,
Device Installation\Device Installation Restrictions.
Allow installation of devices using drivers that match these device setup classes: Enables the
installation of devices that match the specified setup class GUIDs.
Display a custom message when a policy setting prevents installation: Allows the administrator to
define a customized message that displays when a policy setting prevents device installation.
Display a custom message title when a policy setting prevents device installation: Allows the
administrator to define a customized message title that displays when a policy setting prevents device
installation.
Allow installation of devices that match any of these device identifiers: Enables the installation of
devices that match the device identifiers that you specify.
Prevent installation of devices that match any of these device identifiers: Prevents the installation of
devices that match the device identifiers that you specify.
Time (in seconds) to force reboot when required for policy changes to take effect: Enables you to
define the time that the computer waits to restart after a device installation.
Prevent installation of removable devices: Enables you to prevent users from installing removable
devices.
Prevent installation of devices not described by other policy settings: Enables you to ensure that
users cannot install any drivers, even if there are no policies restricting installation.
Demonstration Steps
1. Open Group Policy Management console.
2. Modify the Default Domain Policy with device installation restriction policy settings.
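The setup-class restriction settings above take class GUIDs, which the lab later asks you to copy out of INF files by hand. The following PowerShell is an added example (not course or Microsoft code) that reads Class and ClassGuid from the [Version] section of INF files to build that allow list, and reads back what a client's Device Installation Restrictions policy currently holds; the registry location and value names are assumed from the DeviceInstallation policy template, and the INF text is a constructed sample.

```powershell
# Added example, not part of the course material.
# Extracts Class and ClassGuid from the [Version] section of INF files so the
# GUIDs can be pasted into the 'Allow installation of devices using drivers that
# match these device setup classes' policy, and reads back what a client's
# Device Installation Restrictions policy currently contains.

function Get-InfSetupClass {
    # Parses INF text (a [Version] section with Class= and ClassGuid= lines).
    # INF files are often UTF-16; Get-Content honours the BOM when reading from disk.
    param([string[]]$InfLines, [string]$Name = '<inline>')
    $inVersion = $false; $class = $null; $guid = $null
    foreach ($raw in $InfLines) {
        $line = ($raw -split ';')[0].Trim()          # strip INF comments
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') { $inVersion = ($matches[1] -eq 'Version'); continue }
        if (-not $inVersion) { continue }
        if ($line -match '^Class\s*=\s*(\S+)') { $class = $matches[1] }
        elseif ($line -match '^ClassGuid\s*=\s*(\{[0-9A-Fa-f-]{36}\})') { $guid = $matches[1].ToUpper() }
    }
    New-Object PSObject -Property @{ Inf = $Name; Class = $class; ClassGuid = $guid }
}

function Get-SetupClassAllowList {
    # Walks a folder of driver packages (e.g. D:\Labfiles\Mod04 in the lab) and
    # returns the distinct setup class GUIDs with their class names.
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.inf -Recurse |
        ForEach-Object { Get-InfSetupClass -InfLines (Get-Content $_.FullName) -Name $_.Name } |
        Where-Object { $_.ClassGuid } |
        Sort-Object ClassGuid -Unique
}

function Get-DeviceInstallRestrictionPolicy {
    # Reads the values the Device Installation Restrictions policies write.
    # Assumed location and value names (from the DeviceInstallation template);
    # verify against your own policy definitions.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { return $null }
    $p = Get-ItemProperty -Path $base
    $readList = {
        param($sub)
        if (Test-Path "$base\$sub") {
            $k = Get-Item "$base\$sub"
            $k.GetValueNames() | ForEach-Object { $k.GetValue($_) }
        }
    }
    New-Object PSObject -Property @{
        DenyUnspecified      = [bool]$p.DenyUnspecified
        AllowAdminInstall    = [bool]$p.AllowAdminInstall
        DenyRemovableDevices = [bool]$p.DenyRemovableDevices
        AllowDeviceClasses   = @(& $readList 'AllowDeviceClasses')
        DenyDeviceClasses    = @(& $readList 'DenyDeviceClasses')
        AllowDeviceIDs       = @(& $readList 'AllowDeviceIDs')
        DenyDeviceIDs        = @(& $readList 'DenyDeviceIDs')
    }
}

# Constructed sample INF fragment (not a real vendor file); the GUID is the
# well-known Mouse setup class.
$sampleInf = @'
; Sample mouse driver INF
[Version]
Signature="$WINDOWS NT$"
Class=Mouse
ClassGuid={4D36E96F-E325-11CE-BFC1-08002BE10318}
Provider=%Contoso%

[Manufacturer]
%Contoso%=Contoso,NTx86
'@ -split "`r?`n"

Get-InfSetupClass -InfLines $sampleInf -Name 'point32.inf' | Format-List
# Against the lab files:  Get-SetupClassAllowList -Path 'D:\Labfiles\Mod04'
# On a client after gpupdate:  Get-DeviceInstallRestrictionPolicy | Format-List
```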
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The help desk has received a number of trouble tickets that relate to device driver installation. Your
manager has asked you to determine why devices are causing so many issues, and to suggest a possible
solution. You then must implement the solution within the network.
Supporting Documentation
Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 13 Feb 2011 09:13
To: Charlotte@contoso.com
Subject: Re: Device-related problems
Attachments: Incident Reports
Charlotte,
Here it is. Let me know if you need anything else.
Kind regards,
Ed
----- Original Message -----
From: Charlotte Weiss [Charlotte@contoso.com]
Sent: 12 Feb 2011 17:01
To: Ed@contoso.com
Subject: Device-related problems
Ed,
Have you got that incident report you promised me at the management meeting recently? I want to get
the EDSTs to take a look at it, check out the problem, and then figure out why we've been getting so
many issues.
Charlotte
Supporting Documentation
Incident Record
Incident Reference Number: 602101
Incident Details
User reports that his computer mouse is nonfunctional.
Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway through
the process.
I attended the user's computer and was unable to resolve the problem, as the mouse was totally
nonfunctional.
System Restore unavailable as currently disabled.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
Note It is easier to use the keyboard in a virtual machine if you switch to full-screen mode.
To do this, on your host computer, press Ctrl+Alt+Break. If you are unsure, ask your
instructor for assistance.
1. Using your knowledge of the devices and drivers, and the troubleshooting tools available for devices
and drivers, attempt to resolve the problem.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Results: At the end of this exercise, you will have resolved the hardware problem.
In this exercise, you will configure Group Policy to facilitate these requirements.
Supporting Documentation
Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 5 March 2011 10.20
To: Charlotte@contoso.com
Subject: GPO changes
Charlotte,
Can you update the Group Policy to support the following requirements? The Tier 3 guys are overloaded
at the moment, so although I realize this is out of scope for you, it would be a real help.
Research department needs to be able to install devices for setup class Mouse, Keyboard, and Printer.
All other departments must be restricted to install only printers.
I want to be sure that drivers not defined by any other policy are restricted.
Ed
Date March 5
Details
Update GPO settings to:
Restrict all users to be able to install printer drivers only
Enable Research Department users to install Printers, Mice, and Keyboard device drivers
Do not restrict administrators from installing any drivers
Additional Information
Use as few GPOs as possible
Plan of Action
1. How many GPOs do you envision using?
4. How will you accommodate the requirement to support the Research Department's needs?
Note Some of the tasks that you perform to complete this exercise may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.
1. Switch to NYC-DC1.
2. Open Group Policy Management, and then open the Default Domain Policy for editing.
Locate the GUID in the faxca003.INF file in the D:\Labfiles\Mod04\fax folder on NYC-CL1.
Hint Map a network drive from NYC-DC1 to \\NYC-CL1\d$\ so that you can copy and
paste GUIDs into the GPO.
Locate the GUID in the type32.INF and point32.INF files in the relevant subfolders in the
D:\Labfiles\Mod04\ folder on NYC-CL1.
Note Due to restrictions within the virtual machine environment, you cannot properly test
these restrictions.
Results: At the end of this exercise, you will have planned and implemented GPOs to support the device
installation requirements.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
A user reports performance-related problems with his computer. The help desk is unable to determine the
problem. You must investigate to ascertain which computer component the problem is affecting, and
then make recommendations about a solution or mitigation.
Incident Record
Incident Reference Number: 604121
Incident Details
Dylan contacted the help desk reporting problems with his computer. It has been running slowly, and
activities that used to take a few seconds are taking much longer.
Additional Information
We must determine which components are affected in Dylan's computer, and then make
recommendations about how to solve or mitigate these performance bottlenecks.
Plan of Action
Resolution
Counters to include:
Memory > Pages/sec
6. Open Microsoft Office Excel 2007 and Microsoft Office PowerPoint 2007.
7. Close all Office applications, and in Performance Monitor, stop the Contoso Baseline data collector
set.
2. Click on the report that has a name that begins with NYC-CL1_.
3. After a few minutes, close the two instances of C:\Windows\System32\cmd.exe launched by the
script.
4. Switch to Performance Monitor, and stop the Contoso Baseline data collector set.
5. In Performance Monitor, locate Reports > User Defined > Contoso Baseline.
6. Click on the second report that has a name that begins with NYC-CL1_.
10. Complete the Resolution section of the incident record with your recommendations. If asked to do so,
discuss your results with the class.
Results: At the end of this exercise, you will determine the components affected on the user's computer,
and then discuss solutions and mitigations with the class.
Review Questions
1. If you do not configure device restrictions in GPOs, what security risks do USB removable storage
devices pose?
2. What two methods can you use to restrict specific device installation through GPO?
3. Users are complaining that when they visit customer sites, they are unable to connect to their
customers' printers because of device-installation restrictions. What two possible actions could you
take?
4. Users on the help desk have tried to install a new driver for a user in the marketing department to
enable them to use their new scanner. The driver is not part of the driver store and Group Policy
prohibits installation of additional drivers. What GPO setting would you recommend changing in
order to enable the installation of this driver?
5. You decide to install this driver into the driver store. Assuming the driver is in the D:\scanner folder
and the driver INF file is called Scanner.inf, what command would you use?
6. Your user complains of poor performance. You discover that the disk component is bottlenecked.
Before you rush out and purchase faster disks, what should you check?
7. After you complete your check, what else could you do to improve the disk throughput on your
user's computer?
8. You need to view the application log on another computer without visiting that computer. How could
you do this?
Tools
Tool           Use for                              Where to find it
Sigverif.exe   Verify device drivers' signatures    Command-line
Module 5
Troubleshooting Network Connectivity Issues
Contents:
Lesson 1: Determining Network Settings 5-3
Module Overview
Configuring network settings is a common administrative task that, in many organizations, can account
for a significant percentage of the overall administrative effort. The Windows 7 operating system
includes several tools that can help you set up and troubleshoot both wired and wireless network
connections more efficiently. To support your organization's network infrastructure, it is important that
you understand how to configure and troubleshoot network connections.
Objectives
After completing this module, you will be able to:
Lesson 1
Determining Network Settings
The network architecture in Windows 7 simplifies network management and the configuration of network
connections. By learning about this architecture, and the tools that Windows 7 provides for
troubleshooting network connections, you will be better prepared to configure network clients and
support your users.
Objectives
After completing this lesson, you will be able to:
Windows 7 includes several new tools for creating, managing, and troubleshooting both wired and
wireless network connections.
The Network and Sharing Center provides a clear view of the status for any wired or wireless connection.
It includes a network map feature that shows a topological diagram of the local network and any other
connected networks. You also can launch Network Explorer to help you find and browse network
resources easily.
Windows 7 automatically configures the firewall and file-sharing settings based on the specified network
location categories, which include:
The Public category is the default network location type when the computer is not connected to a
domain. Public category settings are the most restrictive, and help protect the computer when you
connect it to an untrustworthy network. For example, all types of file and printer sharing are turned
off in the Public category. Use the Public category for networks that have direct connections to the
Internet or those that allow unmanaged clients to connect, such as wireless hot spot networks.
Note Windows 7, by default, initially assigns the Public category to all network
connections.
The Private category applies only if a user with local Administrator rights manually assigns it to a
network that you set previously to Public. Use the Private network location category only for a trusted
network. You must assign the Private network location category only for a network connection that
the public cannot directly access. A local administrator must assign this category, and Windows
remembers the assignment the next time you connect to the network.
Windows describes the Private network location category in one of two ways:
Home network: If all computers connected to the network are at your home, then select the
Home Private network location category.
Work network: If all computers connected to the network are at your workplace, then select the
Work Private network location category.
The Domain category applies when a computer that is running Windows 7 connects to a network, and
then authenticates to a domain controller that is in the computer's domain.
Windows 7 is capable of assigning a separate network location category to each connected network
interface. For example, if you connect your computer to your corporate network by using a virtual private
network (VPN) that you initiate from a Wi-Fi hot spot, such as a coffee shop, then Windows 7 assigns two
network location categories: private for the corporate VPN and public for the Wi-Fi hot spot.
Note By default, on computers that are not joined to a domain, changing the network
location requires administrative privileges. By default, on domain-joined computers,
changing the network location does not require administrative privileges.
Windows 7 recognizes any unconfigured network devices on the computer, and then automates the
process of adding and configuring them. The Network Setup Wizard also recognizes any wireless
networks in range of the computer, and makes the process of configuring them simple and intuitive.
You can save network settings to a universal serial bus (USB) flash drive for use when configuring
additional computers. Saving network settings to a USB device makes configuring similar new computers
and devices quick and easy.
You also can use the Network Setup Wizard to enable sharing documents, photos, music, and other files
across your network.
NDF
The NDF (Network Diagnostics Framework) provides a single, unified set of technologies to assist in
troubleshooting and diagnosing network problems. By using the NDF, you can diagnose and repair
network problems in the context of the application that experienced the problem.
Additionally, with NDF, users can diagnose and attempt to resolve their own issues automatically before
they call the help desk. The NDF can help reduce the total cost of ownership and the volume of calls to
the help desk.
Network Map
Network Map displays a topological map of the local network and any connected networks. Network Map
makes it easy to see the connections between devices on your network by clearly differentiating between
wired and wireless connections. It helps optimize the network for best performance, and is extremely
useful in troubleshooting network problems, because it displays a real-time view of the connections that
are available to your computer.
Network Explorer
Network Explorer displays a view of all of the computers, devices, and printers on the network. You can
customize the icons for various network devices, if the manufacturer allows customization. Use Network
Explorer to perform limited remote computer management, such as adjusting settings or controlling
music playback.
Windows 7 computers use the new Network Discovery feature to generate accurate network topologies
with Network Map. During the troubleshooting process, Network Map enables you to view the real-time
status of any wired or wireless network connections.
Network Discovery
A computer running Windows 7 uses Network Discovery to find other computers and devices on the
network. The first time you connect to a network, use the Set Network Location dialog box to classify
the type of network to which you are connected. After you classify the network location category,
Windows 7 activates the appropriate security settings.
Note You can turn Network Discovery on or off from within the Advanced sharing settings
from the Network and Sharing Center.
Windows 7 supports LLTD through the Link-Layer Topology Discovery Mapper service. The Link-Layer
Topology Discovery Mapper service includes two components: the Link-Layer Discovery Responder, which
enables your computer to be located on the network, and the Link-Layer Discovery I/O Driver, which
discovers and locates other computers and devices on the network.
Windows 7 supports automatic discovery of LLTD-capable devices. In combination with Universal Plug
and Play (UPnP) support, Windows 7 classifies the device capabilities, uses a unique embedded icon to
represent the device, and accurately positions it on the network map. UPnP-certified devices automatically
connect to each other over the network without the need for user configuration or centralized servers.
Note Not all hardware devices support LLTD. Check with the vendor for updated firmware
releases that include LLTD support.
Network Map relies on LLTD to build the network topology, and it only displays LLTD-capable devices.
You can access a device's properties by right-clicking its icon in Network Map. The device properties
include additional support information for the device, such as a link to the manufacturer's website. You
can also see the media access control (MAC) address, IP address, and device serial number.
Double-click a device icon in Network Map to open the device's presentation URL, or to open the device's
embedded administration webpage.
Lesson 2
Troubleshooting Network Connectivity Issues
To support the users in your organization, it is important that you know what tools Windows 7 provides to
help you troubleshoot network connections. Additionally, understanding the correct procedure with
which to tackle common network problems will help you resolve them more quickly.
Objectives
After completing this lesson, you will be able to:
Windows Network Diagnostics is an NDF tool that you activate when you encounter a network error. The
NDF is the common troubleshooting architecture in Windows 7. End users can use Windows Network
Diagnostics to diagnose and troubleshoot an issue before they call their organization's help desk.
The following are some examples of events that Windows Network Diagnostics can detect:
You can use one or more of the options in Windows Network Diagnostics to diagnose and repair network
connection issues. Additionally, Windows Network Diagnostics supports rich, detailed logging to the event
log, so that you can diagnose network connection issues easily. This reduces support costs and helps
minimize user downtime by decreasing the time necessary to fix a network problem.
1. An application or system component reports a problem with a TCP/IP connection. The user receives
both an error message and a prompt to start Windows Network Diagnostics.
2. Windows Network Diagnostics passes the problem parameters to the Network Diagnostics engine.
The Network Diagnostics engine activates helper classes to try to determine the problem's cause, and
then displays a list of descriptions of possible causes and repair options. If there is only one repair
option, the Network Diagnostics engine runs the suggested repair.
3. If there are multiple repair options, the user selects an option, and the Network Diagnostics engine
requests the appropriate helper class to perform the repair. Windows Network Diagnostics reactivates
helper classes to try to determine if the cause of the problem is still valid.
4. If Network Diagnostics resolves the problem, Windows Network Diagnostics displays a message
noting that the problem is fixed. If Windows Network Diagnostics does not resolve the problem, it
prompts the user to select other repair options, if available.
5. If Network Diagnostics does not resolve the problem, and no other repair options are available, the
Network Diagnostics Engine reactivates helper classes to try to determine the problem's cause.
You can access Windows Network Diagnostics manually from the Action Center. In Action Center, click
Troubleshooting, and then click Network and Internet.
You can then choose from the following network troubleshooting tests:
Internet Connections
Shared Folders
HomeGroup
Network Adapter
Incoming Connections
How many users is the problem affecting? If the problem is affecting several users, this suggests a
server-side or network infrastructure problem rather than a client-side networking problem.
Is the problem persistent for the users that are affected? Intermittent problems can be more difficult
to reproduce and troubleshoot.
Does removing a problematic computer from the network solve the problem for other users? The
computer that you remove from the network may be generating a fault on the network.
From Network and Sharing Center, select Change adapter settings, display the network connection
properties, select either Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4
(TCP/IPv4), as required, and then view the protocol properties.
Open a command prompt. Type the IPConfig /all command to view the IPv4 Address and IPv6
Address configurations. Use the following command to save the IPv4 and IPv6 configuration
information as a text file for future reference:
This command creates a text file in the root of drive C that contains the IPConfig command output.
Use the Netsh command to display specific configuration information. For example, to display the
TCP/IP configuration for IPv4 only, type the following command:
You also can use the Netsh command to display specific IPv6 configuration information:
Determine your wired network adapter properties by using Device Manager. To determine the hardware
configuration for the computer's network adapter, including the make and model, follow these steps:
1. From Control Panel, open Device Manager, expand Network adapters, and then view the installed
network adapter properties.
2. Click the Details tab to view the Device description property value. This value displays the network
adapter make and model.
3. From the Advanced tab, in the Property list, click a property to view or edit its value.
To view information about the driver used for the network adapter, follow these steps:
2. Click Driver Details to view the full path to the driver file.
3. Update or roll back the driver, as necessary.
Note An authenticator is an authentication service that the access point uses to perform
the wireless authentication and encryption.
A configuration mismatch in the authentication and encryption settings between the client and the
wireless access point can lead to problems with wireless connections.
Windows 7 includes support for Wi-Fi Protected Access 2 (WPA2) encryption that allows for more secure
wireless connections. You should take advantage of WPA2 by upgrading your wireless access points to
support WPA2.
The following table summarizes the wireless authentication and encryption standards that are available in
Windows 7.
To determine the wireless network settings, either review the wireless network connection settings or
examine the Group Policy settings.
To view or configure wireless network Group Policy settings, open Group Policy Management, expand
Computer Configuration, expand Windows Settings, expand Security Settings, and then select
Wireless Network (IEEE 802.11) Policies. You can create or edit wireless network Group Policy objects
(GPOs) for Windows 7, Windows Vista, and Windows XP client computers.
The following table lists the settings that Group Policy enables you to configure.
Setting: Infrastructure/Ad Hoc
Description: Defines the connection type as either Ad Hoc (peer-to-peer), or Infrastructure, which
requires a wireless access point (WAP).

Setting: Connect automatically when this network is in range
Description: Automatically connects clients affected by this policy to the configured network. Enabled by
default.

Setting: Connect to a more preferred network if available
Description: Ensures that the more preferred networks take precedence. Enabled by default.

Setting: Connect even if the network is not broadcasting
Description: Enables a client computer to connect to the network even if the service set identifier (SSID)
is not broadcast. Disabled by default.

Setting: Select a network authentication method
Description: Enables you to define how computers authenticate using the Remote Authentication Dial-In
User Service (RADIUS) server in your organization. For use with WPA2-Enterprise, WPA-Enterprise, and
802.1X authentication methods.

Setting: Authentication mode
Description: Specifies the authentication mode. User, Computer, and Guest authentication modes are
available.
Note Many of the settings that the previous table describes apply only to infrastructure
network GPOs.
Ensure that the authentication and encryption method that you select on the client, or that you configure
by the policy, matches the access point capability.
To determine whether a Windows 7-based client has obtained an IP address, at the command prompt,
type the IPConfig /all command, and then review the address given to the wireless connection. If Windows 7
allocated a 169.254.x.y (Automatic Private IP Addressing) address to the interface, the operating
system indicates that the client was unable to obtain a valid IP address from the WAP.
When you experience network connectivity problems, follow a logical troubleshooting process by using
the available Windows 7 tools. Your troubleshooting process can consist of the following steps:
1. Consult Windows Network Diagnostics.
3. Use the ping command to diagnose two-way communication with a remote system. Additionally,
consider using the PortQry Command Line Port Scanner (Portqry.exe) and the Telnet terminal
program to test connectivity to a specific application.
4. Use the tracert and pathping command-line tools to identify each hop, or router, between two
systems.
If Windows Network Diagnostics cannot fix the problem, use the tools and procedures included in this
topic to troubleshoot the problem further.
IP address
Subnet mask
Host name
DNS suffixes
MAC address
How the IP configuration was obtained, for example, whether the IP configuration was obtained by
using the Dynamic Host Configuration Protocol (DHCP)
After running the IPConfig /all command, compare the IPConfig output with the IPConfig output of
another computer that is in the same subnet as the problematic host.
The subnet mask must match that of the other local host. If the subnet mask does not match, the
computer has an incorrect network ID that can cause communication failures, particularly to remote
subnets.
The default gateway must match that of the other local host. If the default gateway is incorrect or
missing, the computer cannot communicate with remote subnets.
If the DNS server is incorrect or missing, the computer might not resolve names, and communication
can fail.
Because DHCP configures most computers, if the configuration does not match that of the other local
host, verify that the computer can obtain an IP address correctly by:
1. Opening an elevated command prompt, and releasing the existing address by using the IPConfig
/release command.
If the host currently has an IP address in the range 169.254.0.0 to 169.254.255.254, the computer probably
failed to obtain a dynamically assigned address. This Automatic Private IP Addressing (APIPA) indicates
one of three problems:
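The comparison the procedure above describes can be scripted for a help-desk tool. The following Python is an added example, not part of this course and not a Microsoft tool: it parses IPConfig /all output (the three sample outputs are constructed text in the IPConfig layout, not captured from real hosts), flags an Automatic Private IP Addressing address, and reports the subnet mask, default gateway and DNS server differences between a problem host and a known-good host on the same subnet.

```python
"""Parse ipconfig /all output and compare a problem host's adapter settings
with a working host on the same subnet, flagging an APIPA address.
Added example; the three outputs below are constructed, not captured."""
import ipaddress
import re

GOOD_HOST = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NYC-CL1
   Primary Dns Suffix  . . . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.0.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.10.0.10
                                       10.10.0.11
"""
PROBLEM_HOST = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.10.0.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.10.0.99
"""
APIPA_HOST = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
"""

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
# "   Subnet Mask . . . . . : 255.255.0.0"  ->  key "Subnet Mask", value "255.255.0.0"
_FIELD = re.compile(r"^\s+(?P<key>[A-Za-z0-9 /-]+?)[ .]*: ?(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} for each adapter section.
    Continuation lines (extra DNS servers) are joined to the previous field."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # e.g. "Ethernet adapter ..."
            adapters[current], last_key = {}, None
            continue
        if current is None:
            continue                              # global header block
        m = _FIELD.match(line)
        if m:
            last_key = m.group("key").strip()
            adapters[current][last_key] = m.group("value").strip()
        elif last_key:
            adapters[current][last_key] += "," + line.strip()
    return adapters


def _addr(value):
    """Drop the "(Preferred)" tag ipconfig prints after an address."""
    return value.split("(")[0].strip()


def is_apipa(adapter):
    """True when the adapter holds a 169.254.x.y address, i.e. DHCP failed."""
    for key in ("IPv4 Address", "Autoconfiguration IPv4 Address"):
        if adapter.get(key):
            return ipaddress.ip_address(_addr(adapter[key])) in APIPA_NET
    return False


def compare_to_reference(problem, reference):
    """Findings for the fields that must match a working host on the same
    subnet. An empty list means nothing was found."""
    findings = []
    if is_apipa(problem):
        findings.append("APIPA address present: DHCP lease was not obtained")
    for field in ("Subnet Mask", "Default Gateway", "DNS Servers"):
        got, want = problem.get(field, ""), reference.get(field, "")
        if not got:
            findings.append(f"{field} is missing")
        elif got != want:
            findings.append(f"{field} mismatch: {got} (reference {want})")
    return findings
```

Run it against the saved text files mentioned earlier (one per host) and read the findings list in order; on a DHCP network an APIPA finding means the IPConfig /release and /renew steps come first, before any comparison of masks or gateways is meaningful.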
Portqry reports on the current port status of TCP and User Datagram Protocol (UDP) ports on a computer
against which you run it. When you run portqry, the output returns one of the following responses about
ports on the target:
Listening. A process is listening on the computer's port that you select. Portqry.exe received a
response from the port.
Not Listening. No process is listening on the target system's target port. Portqry.exe receives an
Internet Control Message Protocol (ICMP) Destination Unreachable - Port Unreachable message
back from the target UDP port. Alternatively, if the target port is a TCP port, portqry receives a TCP
acknowledgement packet with the Reset flag set.
Filtered. The port on the computer that you select is being filtered. Portqry.exe did not receive a
response from the port. A process may or may not be listening on the port. By default, Portqry.exe
queries TCP ports three times, and queries UDP ports one time before a report indicates that the port
is filtered.
Portqry can query a single port, an ordered list of ports, or a sequential range of ports.
For example, the following command tries to resolve Microsoft.com to an IP address, and then queries
TCP port 25 on the corresponding host:
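The three Portqry responses above map directly onto what a plain TCP connect attempt observes. The following Python probe is an added example, not Portqry itself and not course material: it reports LISTENING when the handshake completes, NOT LISTENING when the target answers with a reset (surfaced as a refused connection), and FILTERED when no reply arrives before the timeout on every retry. It also expands a Portqry-style single port, ordered list or range. The start_listener helper is an assumption added only so the example has a local port to probe.

```python
"""TCP port probe that classifies a port the way the text describes Portqry's
three responses. Added example, not Portqry or course code."""
import socket


def probe_tcp_port(host, port, timeout=2.0, retries=3):
    """Return "LISTENING", "NOT LISTENING" or "FILTERED" for host:port.
    Like Portqry's default for TCP, a silent port is retried before it is
    reported as filtered."""
    for _ in range(retries):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return "LISTENING"          # three-way handshake completed
        except ConnectionRefusedError:
            return "NOT LISTENING"          # target replied with a TCP reset
        except socket.timeout:
            continue                        # no reply at all: try again
        except OSError as exc:
            # e.g. no route to host: a routing problem, not a port state
            return f"ERROR: {exc.strerror or exc}"
    return "FILTERED"                       # silently dropped, firewall likely


def parse_port_spec(spec):
    """Expand a Portqry-style port argument: a single port, an ordered
    comma-separated list, or a dash range such as 135-139."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports


def probe_ports(host, spec, **kw):
    """Probe every port in spec and return {port: state}."""
    return {p: probe_tcp_port(host, p, **kw) for p in parse_port_spec(spec)}


def start_listener(host="127.0.0.1"):
    """Demo helper (an assumption, not part of the text): bind a throwaway TCP
    listener on an OS-chosen port. Returns (socket, port); close it to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    print(port, probe_tcp_port("127.0.0.1", port))   # LISTENING
    srv.close()
    print(port, probe_tcp_port("127.0.0.1", port))   # NOT LISTENING
```

The probe only tests TCP; the UDP case the text describes (an ICMP Port Unreachable for a closed port, silence for a filtered one) needs a datagram exchange and is not covered here.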
The ping tool confirms two-way communication between two computers. This means that if the ping tool
fails, the local computer's configuration may not be the problem's cause. You can use ping to ensure
communication with a logical process, such as:
You can ping both the computers name and IP address. If you ping the IP address successfully, but
not the name, it indicates that the name resolution is failing. If you successfully ping the name, but
the response does not resolve the fully qualified domain name (FQDN) name, the resolution did not
use DNS. This means a process, such as broadcasts or Windows Internet Name Service (WINS) was
used to resolve the name, and applications that require DNS may fail.
A Request Timed Out message indicates that there is a known route to the destination computer,
but that the configuration is incorrect for one or more computers or routers along the path
including the source and destination. Use pathping or tracert to help find the problem.
A Destination Host Unreachable message may indicate that the system cannot find a route to the
destination system, and therefore, does not know where to send the packet on the next hop. If you
verify that the local IP configuration is correct, use pathping and tracert to help isolate the routing
problem.
If you can successfully ping a remote host but cannot communicate with the applications installed on the
host, verify that the application is accessible from your local computer. For example, a firewall might be
blocking your communication attempt, or the remote host is not listening on the appropriate port. The
telnet and portqry tools can help identify issues that relate to blocked or nonresponsive ports.
Although tracert records the hops through which packets travel, pathping provides more information
about the routing process. Ping and pathping both use ICMP packets to test connectivity to every router
between the local host and the remote destination host. Pathping then calculates statistics about the
routes used and the routers involved, including the hop number, round-trip time, packet loss, host names,
and IP addresses of intermediate hosts.
To test routing connectivity to a remote host with pathping, open a command prompt, and type the
following command:
Pathping www.microsoft.com
The output displays all hops between local host and destination host, and then the statistical output.
To determine whether the remote computer is listening on the expected port, use either the portqry or
telnet tools. For example, to determine if the HTTP port is accessible, type the following command from
an elevated command prompt:
PortQry -n server -e 80
A message that the port is FILTERED or NOT LISTENING can indicate that a firewall along the path
between the two hosts is blocking the request, or that the application uses a different port or has failed
on the remote host. If other hosts on the local subnet can communicate successfully, the problem
probably exists within the local firewall configuration settings.
You also can use telnet to verify that a port is listening. For example, if you want to verify Simple Mail
Transfer Protocol (SMTP) functionality, you can open a Telnet session to port 25 on the destination host.
Open a command prompt, and type telnet. From the Microsoft Telnet prompt, type the following
command:
Open nyc-dc1.contoso.com 25
Note To troubleshoot applications by using telnet and portqry, you must understand
which ports your applications use.
In addition to Portqry.exe and Telnet.exe, you can use netstat.exe to discover information about ports in
use between your client computer and other remote systems. The following command lists the active
connections on your client computer:
Netstat -n
To determine which firewall rules are active, open Windows Firewall with Advanced Security, and click the
Monitoring node. The Monitoring section lists the active rules. Determine if any rules are responsible for
blocking your connection attempt.
Remember that the network location category might be responsible for your connectivity problem
because the public category is more restrictive than the private category. If you configure the network
with the wrong network location category, use the Network and Sharing Center to reconfigure the
network category.
Intermittent problems
When users report inconsistent or intermittent problems, you might need to approach the
troubleshooting process slightly differently. For example, if a user's e-mail application functions while their
web browsing does not, this suggests a specific problem with web browsing rather than with the network
connectivity itself. The problem might lie with the client-side application, the browser, or the network
components through which web-browsing traffic passes, such as firewalls, Network Address Translation
(NAT) devices, and routers.
Demonstration Steps
1. Use IPConfig.exe to verify the configuration.
6. Use Windows Firewall with Advanced Security and Netsh advfirewall to view the firewall's
configuration.
Host names are assigned to computers running TCP/IP to make the computers easier to identify. Host
name resolution is the process of resolving a host name to its corresponding IP address.
Although Windows 7 computers actually support two names, the host name and a NetBIOS computer
name, it is the host name that is most relevant in modern IP-based networks. Windows 7 typically
enables NetBIOS by default, and derives the NetBIOS name automatically from the computer's host name.
Note You can use the nbtstat command-line tool to view NetBIOS names associated with
your computer, and to troubleshoot NetBIOS over TCP/IP.
Note The host name is up to 255 characters in length, and can contain alphanumeric
characters, periods, and hyphens. The FQDN, including the host name, cannot exceed 255
characters in length.
The domain portion of the FQDN is the DNS suffix. The computer's primary DNS suffix is the name of the
domain within which it is a member.
For computers that are not part of a domain, you can view the primary DNS suffix from the DNS Suffix
and NetBIOS Computer Name dialog box that you access from the System Properties dialog box on
the Computer Name tab. By default, a non-domain member computer has no primary DNS suffix.
Note You can assign a separate DNS suffix to each individual network connection. View or
edit the connection-specific DNS suffixes from the Advanced TCP/IP Settings page that is
accessible from the IPv4 or IPv6 properties for the relevant network connection.
1. Checks whether the host name is the same as the local host name.
4. Converts the host name to a NetBIOS name, and then checks the local NetBIOS name cache.
Note Windows 7 appends the primary and connection-specific suffixes to all names that it
is resolving. If name resolution is unsuccessful initially, Windows 7 applies parent suffixes of
the primary DNS suffix. For example, if the DNS resolver attempts to resolve the name sea-
cl1, Windows 7 appends the .contoso.com suffix to attempt resolution. If that is unsuccessful,
the operating system appends .com to the name, and attempts resolution again. You can
configure this behavior from the Advanced TCP/IP Settings page.
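As an added example of the suffix behaviour the note describes (not the course's code, and a model of the description above rather than of the Windows resolver's exact devolution rules), the following Python builds the ordered list of fully qualified names a resolver would try for a given name. The min_labels parameter is an assumption that controls how far the parent suffixes are walked; its default of 1 reproduces the note's sea-cl1 example, and a name written with a trailing period, as in the ping test later in this topic, is treated as already fully qualified.

```python
"""Candidate FQDN list for an unqualified name, following the suffix behaviour
the note above describes. Added example, not course code."""


def candidate_names(name, primary_suffix, connection_suffixes=(), min_labels=1):
    """Return the ordered, de-duplicated names a resolver would try.

    A name ending in "." is treated as already fully qualified, so no suffix
    is appended. min_labels (an assumed parameter) is the shortest parent
    suffix that devolution may reach; 1 reproduces the note's example in
    which "sea-cl1" is finally tried as "sea-cl1.com".
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = []

    def add(suffix):
        fqdn = f"{name}.{suffix}"
        if fqdn not in candidates:
            candidates.append(fqdn)

    # 1. primary suffix, then any connection-specific suffixes
    if primary_suffix:
        add(primary_suffix)
    for suffix in connection_suffixes:
        if suffix:
            add(suffix)
    # 2. devolution: parent suffixes of the primary suffix, longest first
    labels = primary_suffix.split(".") if primary_suffix else []
    for i in range(1, len(labels)):
        if len(labels) - i >= min_labels:
            add(".".join(labels[i:]))
    return candidates


if __name__ == "__main__":
    print(candidate_names("sea-cl1", "contoso.com"))
    print(candidate_names("sea-cl1", "corp.contoso.com", ("branch.contoso.com",), 2))
```

When a user reports that a short name resolves to the wrong host, printing this list for the client's primary and connection-specific suffixes shows which candidate the resolver reached first, which is usually quicker than reading the Advanced TCP/IP Settings page by eye.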
The primary tools for troubleshooting host name resolution are IPConfig and Nslookup.
Note You should perform standard network troubleshooting techniques, such as running
NDF and verifying basic connectivity, before you begin to test name resolution.
When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache
between resolution attempts.
If you cannot connect to a remote host, and you suspect a name-resolution problem, troubleshoot name
resolution by:
1. Opening an elevated command prompt, and then clearing the DNS resolver cache by typing the
following command:
IPConfig /flushdns
2. Attempt to ping the remote host by its IP address. This helps identify whether the issue is because of
name resolution. If the ping succeeds with the IP address, but fails by its host name, the problem
pertains to name resolution.
Note The remote host must allow inbound ICMP echo packets through its firewall for this
test to be viable.
3. Attempt to ping the remote host by its hostname, using the FQDN followed by a period. For example,
type the following command at the command prompt:
Ping nyc-cl1.contoso.com.
4. If the ping is successful, the problem likely does not relate to name resolution.
5. If the ping is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the
appropriate entry to the end of the file. For example, add this line, and then save the file:
10.10.0.21 nyc-cl1.contoso.com
6. Perform the Ping-by-host-name test again. Name resolution should now be successful. Verify that the
name resolved correctly by examining the DNS resolver cache. Do this by typing the following at a
command prompt:
IPConfig /displaydns
7. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
8. At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
You should understand how to interpret the output so that you can identify whether the name-
resolution problem exists with the client computer's configuration, the name server, or the
configuration of records within the name server's zone database.
In the first section of the following output sample, the client resolver performs a reverse lookup to
determine the DNS server host name. You can view the query 10.0.10.10.in-addr.arpa, type = PTR,
class = IN in the QUESTIONS section. The returned result, name = nyc-dc1.contoso.com, identifies the
host name of the petitioned DNS server:
------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
10.0.10.10.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (73 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
10.0.10.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.0.10.10.in-addr.arpa
type = PTR, class = IN, dlen = 20
name = nyc-dc1.contoso.com
ttl = 1200 (20 mins)
------------
Server: nyc-dc1.contoso.com
Address: 10.10.0.10
In the following section, the client resolver performs a recursive query of the DNS server for the host
nyc-cl1.contoso.com, type = A, class = IN. The returned result is in the ANSWERS section, which is
shown below. Note that the answer also includes a time-to-live (TTL) value, which determines how
long the record is valid:
------------
SendRequest(), len 36
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
nyc-cl1.contoso.com, type = A, class = IN
------------
------------
Got answer (52 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
nyc-cl1.contoso.com, type = A, class = IN
ANSWERS:
-> nyc-cl1.contoso.com
type = A, class = IN, dlen = 4
internet address = 10.10.0.21
ttl = 1200 (20 mins)
In the remaining section, the client resolver performs a query for the IPv6 address of the sea-cl1 host,
as indicated in the QUESTIONS section. This query returns no information, as the lack of an ANSWERS
section below indicates:
------------
SendRequest(), len 36
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
nyc-cl1.contoso.com, type = AAAA, class = IN
------------
------------
Got answer (91 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
nyc-cl1.contoso.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> contoso.com
type = SOA, class = IN, dlen = 43
ttl = 3600 (1 hour)
primary name server = nyc-dc1.contoso.com
responsible mail addr = hostmaster.contoso.com
serial = 45
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
Name: nyc-cl1.contoso.com
Address: 10.10.0.21
If you can resolve a computer's name successfully, but you cannot connect to an application on that
computer, investigate whether the local or remote firewalls are blocking your attempt.
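The failed stage can also be read from the debug output mechanically. The following Python is an added example, not part of the course: it splits nslookup debug output into SendRequest and Got answer blocks, pairs each query with its response by id, and reports whether the query was answered, rejected with an rcode other than NOERROR, answered only with an SOA authority record (the no-data case the AAAA query above shows), or never answered. The SAMPLE text is constructed in the same layout as the output above, not a capture.

```python
"""Pair the SendRequest/Got answer blocks of nslookup debug output and explain
each outcome. Added example, not course code; SAMPLE is constructed."""
import re

SAMPLE = """\
------------
SendRequest(), len 36
opcode = QUERY, id = 2, rcode = NOERROR
QUESTIONS:
nyc-cl1.contoso.com, type = A, class = IN
------------
------------
Got answer (52 bytes):
opcode = QUERY, id = 2, rcode = NOERROR
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
nyc-cl1.contoso.com, type = A, class = IN
ANSWERS:
type = A, class = IN, dlen = 4
internet address = 10.10.0.21
------------
------------
SendRequest(), len 36
opcode = QUERY, id = 3, rcode = NOERROR
QUESTIONS:
nyc-cl1.contoso.com, type = AAAA, class = IN
------------
------------
Got answer (91 bytes):
opcode = QUERY, id = 3, rcode = NOERROR
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
nyc-cl1.contoso.com, type = AAAA, class = IN
AUTHORITY RECORDS:
type = SOA, class = IN, dlen = 43
------------
"""

_ID = re.compile(r"\bid = (\d+), rcode = (\w+)")
_COUNTS = re.compile(r"answers = (\d+),\s*authority records = (\d+)")
_QUESTION = re.compile(r"^(\S+), type = (\w+), class = IN$")
_RRTYPE = re.compile(r"^type = (\w+), class = IN")
_ADDR = re.compile(r"address = (\S+)$")
SECTIONS = ("QUESTIONS:", "ANSWERS:", "AUTHORITY RECORDS:", "ADDITIONAL RECORDS:")


def parse_debug_output(text):
    """One dict per dashed block: direction, id, rcode, counts, the (name,
    type) asked, (section, rrtype) pairs seen, and any addresses returned."""
    blocks = []
    for raw in text.split("------------"):
        lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
        if not lines:
            continue
        blk = {"direction": "response" if lines[0].startswith("Got answer") else "query",
               "id": None, "rcode": None, "answers": 0, "authority": 0,
               "question": None, "records": [], "addresses": []}
        section = None
        for ln in lines:
            if ln in SECTIONS:
                section = ln.rstrip(":")
            elif m := _ID.search(ln):
                blk["id"], blk["rcode"] = int(m.group(1)), m.group(2)
            elif m := _COUNTS.search(ln):
                blk["answers"], blk["authority"] = int(m.group(1)), int(m.group(2))
            elif section == "QUESTIONS" and (m := _QUESTION.match(ln)):
                blk["question"] = (m.group(1), m.group(2))
            elif section and (m := _RRTYPE.match(ln)):
                blk["records"].append((section, m.group(1)))
            elif section == "ANSWERS" and (m := _ADDR.search(ln)):
                blk["addresses"].append(m.group(1))
        blocks.append(blk)
    return blocks


def summarise(text):
    """Pair queries with responses by id; return (id, name, type, verdict)."""
    queries, responses = {}, {}
    for blk in parse_debug_output(text):
        (responses if blk["direction"] == "response" else queries)[blk["id"]] = blk
    results = []
    for qid, q in sorted(queries.items()):
        name, qtype = q["question"]
        r = responses.get(qid)
        if r is None:
            verdict = "no response: server unreachable or query dropped"
        elif r["rcode"] != "NOERROR":
            verdict = f"server returned {r['rcode']}"   # e.g. NXDOMAIN
        elif r["answers"] > 0:
            verdict = "answered: " + (", ".join(r["addresses"]) or "see records")
        elif ("AUTHORITY RECORDS", "SOA") in r["records"]:
            verdict = "no data: name exists but has no record of this type"
        else:
            verdict = "empty response"
        results.append((qid, name, qtype, verdict))
    return results
```

Feed the block the filename.txt produced in step 8 of the procedure above; a query with no paired response points at the client configuration or the server being unreachable, a non-NOERROR rcode at the zone, and a no-data verdict at a missing record type rather than a missing name.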
Nslookup
> Set q=mx
> Mailhost
Server: nyc-dc1.contoso.com
Address: 10.10.0.1
mail.contoso.com MX preference = 0, mail exchanger = mail.contoso.com
mail.contoso.com internet address = 10.10.0.5
To query another name server directly, use the server or lserver commands to switch to that name server.
The lserver command uses the local server to get the address of the server to which you want to switch,
while the server command uses the current default server to get the address. For example:
Nslookup
> server 10.10.0.20
Demonstration Steps
1. Use IPConfig.exe to view and purge the host name cache.
2. Create a test record in hosts file.
Windows 7 enables the IPv6 stack by default, and it is the preferred transport for communication.
IPv4 Functionality
The Windows 7 IPv6 stack does not impair IPv4 functionality, and enables better network connectivity for
applications that support IPv6. IPv6 connections can use IPv6 transition technologies such as Teredo to
operate behind routers that use NAT, without requiring NAT configuration or application modification.
Disabling IPv6
If your applications function in a purely IPv4 environment, you might consider disabling IPv6. You cannot
uninstall IPv6, but you can disable it in two ways:
In the Local Area Connection Properties dialog box, in the list under This connection uses the
following items, clear the Internet Protocol version 6 (TCP/IPv6) check box.
Troubleshooting IPv6
The steps for troubleshooting an IPv6 connection are similar to those for troubleshooting an IPv4-based
connection. You can use many of the IPv4 troubleshooting tools to gather information to help
troubleshoot IPv6 connection problems.
The NDF fails to fix the problem, and the additional manual steps that this module details do not
resolve the problem.
In Windows 7, the NDF and Event Tracing for Windows (ETW) integrate more closely than they did in
previous Windows versions. This enables diagnostics to log network events and packets in a single file.
Collecting all necessary information in a single step provides an efficient method of troubleshooting
network connectivity issues.
When you run Windows Network Diagnostics, a diagnostics session log is created and stored
automatically in Action Center/Troubleshooting/View History. Each diagnostic session generates a report
with diagnostics results.
Windows 7 categorizes NDF and network tracing events that pertain to a specific issue, and then outputs
them to an Event Trace Log (ETL) file. Consequently, you can examine the entire transaction, from end to
end, as a single collection of events.
Note You can analyze the data in the ETL file by using a number of tools, such as Network
Monitor, Event Viewer, the Netsh trace convert command, or Tracerpt.exe.
Windows 7 includes a new Netsh context, Netsh trace. Netsh trace integrates with NDF and Network
Tracing, and enables you to perform comprehensive tracing, network packet capturing, and filtering.
Problem Steps Recorder (PSR) is a built-in troubleshooting tool that enables you to record screen activity
and user actions, and optionally comments, into a diagnostic file.
The PSR tool saves the output as a zip file containing an MHTML document that you can view in Windows
Internet Explorer.
You can launch PSR from the command line or else from the Search box in Windows 7.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: CONTOSO
Lab Scenario
Contoso is planning the deployment of branch servers. As part of this process, the deployment team has
been configuring the first branch server, NYC-SVR1, with the necessary network infrastructure services.
You are not involved in this project. However, since the project kick-off, there have been a number of
network-related problems.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Incident Record
Incident Reference Number: 603211
Incident Details
Scott cannot log on to his computer.
Additional Information
Error message:
There are currently no logon servers available to service the logon request.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
Password: Pa$$w0rd
Domain: Contoso
Note Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.
1. Using your knowledge of Windows 7 network technologies, and tools available for troubleshooting
network connections, attempt to resolve the problem.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: At the end of this exercise, you will have logged on successfully by using the user account.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Incident Record
Incident Reference Number: 603213
Incident Details
Scott is unable to access the intranet server.
URL required: http://intranet
IP configuration seems appropriate for subnet location.
Additional Information
Error message:
Internet Explorer cannot display the webpage.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
Note Some of the tasks that you perform to resolve this problem may not be part of a Tier 2
support person's responsibilities; however, it is useful to see the problem resolution.
1. Using your knowledge of Windows 7 network technologies, and the tools that are available for
troubleshooting network connections, attempt to resolve the problem.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Domain: Contoso
Results: At the end of this exercise, you will have resolved the connectivity problem.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Review Questions
1. You must reconfigure a client computer's IPv4 configuration, but you do not have time to visit the
computer. What tool could you use, from the command line, to reconfigure the client computer?
2. To run the command-line tools, what would you need to do at the remote computer?
3. A client computer has obtained an IP address of 169.254.1.37. What would you do?
Module 6
Troubleshooting Remote Connectivity Issues
Contents:
Lesson 1: Troubleshooting VPN Connectivity Issues 6-3
Module Overview
To support your organization's mobile workforce, it is important that you understand how to configure
and troubleshoot the technologies that enable remote users to connect to your organization's network
infrastructure. These technologies can include virtual private networks (VPNs), Network Access Protection
(NAP), and Windows 7 DirectAccess.
Objectives
After completing this module, you will be able to:
Configure and troubleshoot VPN connections.
Lesson 1
Troubleshooting VPN Connectivity Issues
A VPN provides a point-to-point connection between components of a private network, through a public
network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to a virtual port that is listening on a VPN server.
To properly support a VPN environment within your organization, it is important that you understand
how to configure and troubleshoot VPNs.
Objectives
After completing this lesson, you will be able to:
Describe a VPN.
A VPN emulates a point-to-point connection between components of a private network, through a public
network, such as the Internet.
To emulate this point-to-point link, the VPN client encapsulates the data and prefixes it with a header.
The header provides routing information that enables the data to traverse the shared or public network to
reach its endpoint.
To emulate a private link, the VPN client encrypts data, which helps to ensure confidentiality. Without
encryption keys, packets intercepted on the shared or public network are indecipherable. The link, or VPN
connection, is where the VPN client encapsulates and encrypts private data.
There are two types of VPN connections: remote access VPN and site-to-site VPN.
Remote Access VPN
From the user's perspective, the VPN is a point-to-point connection between the computer, which is the
VPN client, and your organization's server. The exact infrastructure of the shared or public network is
irrelevant, because it appears logically as if the client is sending the data over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices, or between your office and another
organization over a public network. This helps maintain secure communications.
A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets to another router across a VPN
connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN client)
authenticates itself to the answering router (the VPN server). Then, if you are using mutual authentication,
the answering router authenticates itself to the calling router.
In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically
do not originate at the routers; they are forwarded on behalf of hosts on each site's private network.
A VPN connection has three key properties:
Authentication
Data encryption
Encapsulation
Encapsulation
With VPN technology, private data is encapsulated with a header that contains routing information that
allows the data to traverse the transit network.
Authentication
Authentication for VPN connections takes three different forms, including:
User-level authentication by using Point-to-Point Protocol (PPP) authentication.
To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the
connection by using a PPP user-level authentication method, and then verifies that the VPN client has
the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the
VPN server, which provides protection against computers that are masquerading as VPN servers.
The particulars of various troubleshooting methodologies can vary, and the processes involved in
troubleshooting computer-related problems are not precise. Most methodologies share some
common processes and procedures, which this topic aims to identify.
Incidents pass through a series of processes that are designed to resolve problems as quickly and
efficiently as possible.
Classification, testing, escalation, and reporting provide the backbone of any troubleshooting
methodology.
The methodology evolves over time, as technologies change and new tools become available.
To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol
to exchange either computer certificates or a preshared key. In either case, the VPN client and
server authenticate each other at the computer level. Computer-certificate authentication is
recommended because it is a much stronger authentication method than a preshared key, which
is a single secret that every client must hold. Computer-level authentication occurs only for
L2TP/IPsec connections.
Data Encryption
To ensure the confidentiality of data as it traverses the shared or public transit network, the sender
encrypts the data, and the receiver decrypts it. The encryption and decryption processes will not work
unless both the sender and the receiver use the same encryption key. Furthermore, intercepted packets
sent along the VPN connection in the transit network are unintelligible to anyone who does not have this
common encryption key.
The encryption key's length is an important security parameter. An attacker who captures VPN traffic can
try to recover the key by computational means, such as trying keys exhaustively, and the computing power
and time this requires grow with the key length. Using the largest key size that both ends support helps
ensure data confidentiality.
To troubleshoot VPNs, you first must understand the various VPN configuration options, including the
selection of the appropriate VPN tunneling protocols.
PPTP
Point-to-Point Tunneling Protocol (PPTP) enables you to encrypt and encapsulate multiprotocol traffic in
an IP header that you send across a private IP network or a public IP network, such as the Internet. You
can use PPTP for remote access or site-to-site VPN connections. When you use the Internet as the public
transit network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a
second interface on the intranet.
L2TP
Layer 2 Tunneling Protocol (L2TP) with Internet Protocol security (IPsec) enables you to encrypt
multiprotocol traffic for transfer over any medium that supports point-to-point datagram delivery, such
as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F),
and combines the best features of both.
Unlike PPTP, the Microsoft implementation of L2TP does not use Microsoft Point-to-Point Encryption (MPPE)
to encrypt PPP datagrams; L2TP itself provides no encryption and relies on IPsec in transport mode for
encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.
SSTP
Secure Socket Tunneling Protocol (SSTP) is a newer tunneling protocol that uses HTTPS (HTTP over SSL/TLS)
on TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec
traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL/TLS channel of the HTTPS
protocol. The use of PPP allows support for strong authentication methods, such as Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS). SSL/TLS provides transport-level security
with key negotiation, encryption, and integrity checking.
IKEv2
Internet Key Exchange version 2 (IKEv2) uses IPsec tunnel mode and negotiates over UDP port 500 (and
UDP port 4500 when a NAT device sits between the client and the server). Because of its support for
mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity, which makes it a good
choice for mobile users who move between access points and who switch between wired and wireless
connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless
hotspot to another or when it switches from a wireless to a wired connection. This ability is a
requirement of VPN Reconnect.
The authentication of access clients is an important security concern. Authentication methods typically use
an authentication protocol that is negotiated during the connection establishment process. Often, the
reason a VPN does not connect is a mismatch between authentication settings in the VPN client, the VPN
server, or the Network Policies. It is important to understand the various VPN authentication methods.
PAP
Password Authentication Protocol (PAP) uses plaintext passwords, and is the least secure authentication
protocol. You would use PAP for negotiation only if the remote access client and remote access server
cannot negotiate a more secure form of validation. Windows Server 2008 R2 includes PAP to provide
support for older VPN clients.
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol
that uses the industry-standard Message Digest 5 (MD5) hashing scheme to hash the response, so the
password itself is never sent. Various vendors of network access servers and clients use CHAP. A server
running Routing and Remote Access supports CHAP to enable authentication of remote access clients that
require it. Because CHAP requires the server to store the password using reversible encryption, you should
consider using another authentication protocol, such as MS-CHAP version 2.
MS-CHAPv2
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) is a challenge-response,
mutual-authentication process that uses a one-way hash of the password, and so avoids the need to store
passwords using reversible encryption. Because it remains a password-based method, its strength depends
on the password; the certificate-based EAP-TLS method described below is stronger.
EAP
An Extensible Authentication Protocol (EAP) authentication scheme is known as an EAP type. Both the
remote access client and the authenticator must support the same EAP type for successful authentication
to occur. EAP-TLS is an EAP type that you use in certificate-based security environments. If you use smart
cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS
exchange of messages provides mutual authentication, negotiation of the encryption method, and
encrypted key determination between the remote access client and the authenticator. EAP-TLS provides
the strongest authentication and key determination method.
PEAP
Protected Extensible Authentication Protocol (PEAP) uses TLS to create an encrypted channel between an
authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a Network
Policy Server (NPS) or Remote Authentication Dial-in User Service (RADIUS) server.
PEAP does not itself specify an authentication method. Instead, it provides additional security for other
EAP authentication protocols, such as EAP-MSCHAPv2, which operate through the TLS encrypted channel
that PEAP provides. PEAP is most commonly used to authenticate 802.11 wireless client computers, and
Windows 7 also offers it as an EAP type (Protected EAP) for VPN connections.
Smart Cards
Using smart cards for user authentication is the strongest form of authentication in the Windows Server
2008 family of products. For remote access connections, you must use EAP with the smart card or other
certificate (TLS) EAP type, also known as EAP-TLS. To use smart cards for remote access authentication,
you must:
Enable smart card authentication on the dial-up or VPN connection on the remote access client.
In this demonstration, you will see how to configure a VPN connection. This process involves configuring
some server-side settings that a Tier 2 support person typically would not configure.
Demonstration Steps
1. From NYC-DC1, using Active Directory Users and Computers, verify the dial-in permission for Adam
Carter.
2. From NYC-SVR1, open Server Manager, and then install the Network Policy and Access Services role.
5. Test the connection. There is no matching policy, and the test fails.
Network policies determine whether a connection attempt is successful. Network policies also define
connection characteristics for successful connections, such as day and time restrictions, session idle-
disconnect times, and other settings.
Network policies are sets of conditions, constraints, and settings that enable you to designate who is
authorized to connect to your network, and the circumstances under which they can, or cannot, connect.
Additionally, deploying NAP adds a health policy to the network policy configuration so that NPS
performs client health checks during the authorization process.
You can view network policies as rules, and each rule has a set of conditions and settings. NPS compares
the rule's conditions to the properties of connection requests. If a match occurs between the rule and the
connection request, NPS applies the settings that you define in the rule.
When you configure multiple network policies in NPS, they form an ordered set of rules. NPS checks each
connection request against the list's first rule, then the second, and so on, until a match is found. The
diagram below shows this process:
Note Once NPS finds a matching rule, it disregards further rules. Therefore, it is important
that you order your network policies appropriately.
Each network policy has a Policy State setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate the policy when authorizing connection requests.
Network policy properties are grouped into four categories:
1. Overview
2. Conditions
3. Constraints
4. Settings
Properties in the Overview category allow you to specify whether to enable the policy; whether the policy
grants or denies access; and whether a specific network connection method, or type of network access
server, is required for connection requests. Overview properties also enable you to specify whether to
ignore the dial-in properties of user accounts in Active Directory Domain Services (AD DS). If you select
this option, NPS uses only the network policy's settings to determine whether to authorize the connection.
Properties in the Conditions category allow you to specify the conditions that the connection request must
have to match the network policy. If the conditions configured in the policy match the connection
request, NPS applies the network-policy settings to the connection. For example, if you specify the
network access server IP version 4 (IPv4) address (NAS IPv4 Address) as a condition of the network policy,
and then NPS receives a connection request from a NAS that has the specified IP address, the condition in
the policy matches the connection request.
Constraints are additional parameters of the network policy that the connection request must also match.
If the connection request does not match a constraint, NPS rejects the request immediately. Unlike the
NPS response to unmatched conditions, where NPS moves on to the next network policy, an unmatched
constraint means that NPS does not evaluate any further network policies.
Settings allow you to specify the properties that NPS applies to the connection request if it finds matches
for all of the policy's conditions.
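The evaluation order described above (ordered list, disabled policies skipped, all conditions must match before a policy is selected, and an unmatched constraint on the selected policy rejects the request without trying later policies) modelled in a few lines, as an added example that is not NPS code and not part of the course. The policies, the attribute names and the four sample connection requests are constructed for the illustration:

```powershell
# Added example (not course text): a small model of NPS network-policy evaluation.
# Policies, attribute names and sample requests are constructed for illustration only;
# real NPS conditions and constraints are far richer than the handful used here.

function Test-PolicyValue {
    # A request attribute may carry several values (for example group membership);
    # the policy value matches if it equals the attribute or is one of its values.
    param($RequestValue, $PolicyValue)
    if ($RequestValue -is [array]) { return [bool]($RequestValue -contains $PolicyValue) }
    return [bool]($RequestValue -eq $PolicyValue)
}

function Invoke-PolicyEvaluation {
    param([hashtable[]]$Policies, [hashtable]$Request)
    foreach ($Policy in $Policies) {                       # policies are an ORDERED list
        if (-not $Policy.Enabled) { continue }             # a disabled policy is never evaluated
        $Matched = $true
        foreach ($Name in $Policy.Conditions.Keys) {       # ALL conditions must match ...
            if (-not (Test-PolicyValue $Request[$Name] $Policy.Conditions[$Name])) { $Matched = $false; break }
        }
        if (-not $Matched) { continue }                    # ... otherwise NPS tries the next policy
        # This is the first matching policy; no later policy is looked at from here on.
        foreach ($Name in $Policy.Constraints.Keys) {
            if (-not (Test-PolicyValue $Request[$Name] $Policy.Constraints[$Name])) {
                return New-Object PSObject -Property @{ Policy = $Policy.Name; Result = 'Reject'; Reason = "constraint '$Name' not met" }
            }
        }
        return New-Object PSObject -Property @{ Policy = $Policy.Name; Result = $Policy.Access; Reason = 'conditions and constraints matched' }
    }
    New-Object PSObject -Property @{ Policy = '(none)'; Result = 'Reject'; Reason = 'no policy matched' }
}

# Constructed policies, in processing order. Note that the broad deny policy sits first.
$Policies = @(
    @{ Name = 'Block contractors at weekends'; Enabled = $true; Access = 'Deny'
       Conditions = @{ Groups = 'CONTOSO\Contractors'; DayType = 'Weekend' }; Constraints = @{} },
    @{ Name = 'VPN users'; Enabled = $true; Access = 'Grant'
       Conditions = @{ Groups = 'CONTOSO\VPN Users'; NasPortType = 'Virtual (VPN)' }
       Constraints = @{ AuthenticationType = 'EAP' } },
    @{ Name = 'Old fallback policy'; Enabled = $false; Access = 'Grant'
       Conditions = @{ Groups = 'CONTOSO\Domain Users' }; Constraints = @{} }
)

# Constructed connection requests, as NPS would see them after the RADIUS Access-Request arrives.
$Requests = @(
    @{ User = 'adam';  Groups = @('CONTOSO\Domain Users', 'CONTOSO\VPN Users');   NasPortType = 'Virtual (VPN)'; AuthenticationType = 'EAP';       DayType = 'Weekday' },
    @{ User = 'scott'; Groups = @('CONTOSO\Domain Users', 'CONTOSO\VPN Users');   NasPortType = 'Virtual (VPN)'; AuthenticationType = 'MS-CHAPv2'; DayType = 'Weekday' },
    @{ User = 'carol'; Groups = @('CONTOSO\Domain Users', 'CONTOSO\Contractors'); NasPortType = 'Virtual (VPN)'; AuthenticationType = 'EAP';       DayType = 'Weekend' },
    @{ User = 'dave';  Groups = @('CONTOSO\Domain Users');                        NasPortType = 'Virtual (VPN)'; AuthenticationType = 'EAP';       DayType = 'Weekday' }
)

foreach ($Request in $Requests) {
    Invoke-PolicyEvaluation -Policies $Policies -Request $Request |
        Select-Object @{ n = 'User'; e = { $Request.User } }, Policy, Result, Reason
}
```

Running it shows the four outcomes worth recognising in a real NPS log: adam is granted by 'VPN users'; scott matches the same policy's conditions but fails its EAP constraint and is rejected, even though no later policy was consulted; carol is denied by the first policy because it matched before 'VPN users' was reached; dave matches nothing because the only policy that would have granted him is disabled, so NPS rejects him.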
When you add a new network policy using the NPS Microsoft Management Console (MMC) snap-in, you
must use the New Network Policy Wizard. After you create a network policy by using the wizard, you can
customize the policy by double-clicking it in NPS to obtain the policy properties.
NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a
connection request to your network. You can configure a new network policy in either the NPS MMC
snap-in or the Routing and Remote Access Service MMC snap-in.
On the Specify Access Permission page, you must select Access granted if you want the policy to
allow users to connect to your network. If you want the policy to prevent users from connecting to
your network, select Access denied. If you want user account dial-in properties in AD DS to
determine access permission, you can select the Access is determined by User Dial-in properties
(which override NPS policy) check box.
Note To complete the following procedure, you must be a member of either the Domain
Admins group or the Enterprise Admins group.
2. In the console tree, right-click Network Policies, and then click New. The New Network Policy
Wizard opens.
4. Configure the Network Policy properties, which the following section describes.
Policy name. Type a friendly and meaningful name for the network policy.
Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS
should ignore the dial-in properties of user accounts in AD DS when using the policy to perform the
connection attempt's authorization.
Note If you have many user accounts in AD DS, consider setting the dial-in property of those accounts
to control access through NPS network policy, so that the network policies rather than per-account
settings determine access. Alternatively, you can accomplish the same result for individual policies by
configuring them to ignore the dial-in properties of user accounts.
The following table details the network connection methods that you can select for a network policy.
Network connection method: Description
Remote Desktop Gateway: Specifies that NPS must evaluate the network policy for connection requests
that originate from servers that are running Remote Desktop Gateway.
Remote Access Server (VPN-Dial-up): Specifies that NPS must evaluate the network policy for connection
requests that originate from a computer that is running the Routing and Remote Access service configured
as a dial-up or VPN server. If you use another dial-up or VPN server, the server must support the RADIUS
protocol and the authentication protocols that NPS provides for dial-up and VPN connections.
Dynamic Host Configuration Protocol (DHCP) Server: Specifies that NPS must evaluate the network policy
for connection requests that originate from servers that are running DHCP.
Health Registration Authority: Specifies that NPS must evaluate the network policy for connection
requests that originate from servers that are running the Health Registration Authority.
Host Credential Authorization Protocol (HCAP) server: Specifies that NPS must evaluate the network
policy for connection requests that originate from servers that are running HCAP.
The following table describes the categories of conditions that you can configure in a network policy.
Condition category: Description
Groups: Enables you to specify the user or computer groups that you configure in AD DS, and specify the
groups to which you want the network policy's other rules to apply when group members attempt to
connect to the network.
HCAP: Enables you to integrate your NPS NAP solution with Cisco Network Admission Control. To use
these conditions, you must deploy Cisco Network Admission Control and NAP. You also must deploy an
HCAP server running both Internet Information Services (IIS) and NPS.
Day and Time Restrictions: Enables you to specify, at a weekly interval, whether to allow connections on a
specific set of days and times.
For example, you can configure this condition to allow access to your network only between the hours of
08:00 and 17:00, Monday through Thursday. With this condition value, users whose connection requests
match all conditions of the network policy cannot connect to the network on Fridays, Saturdays, Sundays,
or on other weekdays between the hours of 17:00 and 08:00, but they can connect Monday through
Thursday between 08:00 and 17:00.
Conversely, you can specify the days and times during which you want to deny network connections,
which means that users can access your network only on the unspecified days and times. For example, if
you configure this condition to deny connections on Sundays, users cannot connect at any time on
Sundays, but they can connect Monday through Saturday at any time.
NAP: Includes several settings, such as Identity Type, MS-Service Class, NAP-Capable Computers,
Operating System, and Policy Expiration.
Note The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health checks
in circumstances where NPS does not receive an Access-Request message that contains a value for the
User-Name attribute. In these circumstances, client health checks are performed, but authentication and
authorization are not.
Connection Properties: Includes several settings, such as Access Client IPv4 Address, Access Client IPv6
Address, Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.
RADIUS Client Properties: Includes several settings, such as Calling Station ID, Client Friendly Name,
Client IPv4 Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.
Gateway: Includes several settings, such as Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6
Address, and NAS Port Type.
Important Client computers, such as laptops and other computers that are running client operating
systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless access
points, 802.1X authenticating switches, VPN servers, and dial-up servers, because they are the devices
that use the RADIUS protocol to communicate with RADIUS servers, such as NPS servers.
The following table describes the constraints that you can configure in a network policy.
Constraint: Description
Authentication Methods: Enables you to specify the authentication methods that are required for the
connection request to match the network policy.
Idle Timeout: Enables you to specify the maximum time, in minutes, that the connection can remain
idle at the network access server before the connection is disconnected.
Session Timeout: Enables you to specify the maximum amount of time, in minutes, that a user can be
connected to the network.
Called Station ID: Enables you to specify the telephone number of the dial-up server that clients use to
access the network.
Day and time restrictions: Enables you to specify when users can connect to the network.
NAS Port Type: Enables you to specify the access media types that users are allowed to use to connect to
the network.
RADIUS attributes are defined in the following RFCs:
RFC 2866
RFC 2867
RFC 2868
RFC 2869
RFC 3162
RFCs and Internet drafts for vendor-specific attributes (VSAs) define additional RADIUS attributes.
Important If you plan to return to RADIUS clients any additional RADIUS attributes or
VSAs with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to
the appropriate network policy.
With NAP Enforcement, you can specify how you want to:
Enforce NAP.
Troubleshoot URLs.
Use auto-remediation.
Encryption
IP settings
Troubleshooting VPNs
In general, when you are troubleshooting, it is important that you verify that the settings for the client-
side tunneling protocol and authentication protocols match those configured on the Routing and Remote
Access server and the Network Policy Server. Also ensure that the client is attempting to connect to the
correct Routing and Remote Access server.
When using an authentication protocol that requires a certificate, you may discover that your users are
unable to connect because an inappropriate certificate is configured on the Routing and Remote Access
server. If you suspect this is the problem, you can, as a diagnostic step only, temporarily reconfigure the
connection to use an authentication protocol that does not require certificates. If the connection then
succeeds, examine the certificates used, verify that the certificate purpose (enhanced key usage) and
subject names are appropriate for your configuration, and then restore the certificate-based method; do
not leave the weaker authentication protocol in place as the fix.
Logging
Aside from general troubleshooting techniques, you also can enable logging for Remote Access.
Remote Access Service (RAS) trace logs can help you troubleshoot RAS connection-related issues. To
enable RAS logging, run the command:
Windows creates and stores the trace logs in the %windir%\tracing folder. You can flush the logs with the
following command:
Some of the trace log files that help diagnose problems are:
PPP.log
RASMAN.log
IASHLPR.log
RASIPCP.log
Note RAS Trace logs can be difficult to interpret, and you may need to escalate them to
the appropriate experts so that they can debug them.
For additional troubleshooting help, you also can check the Event Viewer System log, and
look for events with the sources of RemoteAccess or Rasman.
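Enabling tracing for a reproduction, turning it off again, and pulling the relevant lines out of the trace files and the System log, as an added example that is not part of the course text. The netsh ras tracing commands and the %windir%\tracing location are the real ones; the 30-minute window and the search pattern are assumptions:

```powershell
# Added example (not course text): enable RAS tracing only for the reproduction, then
# triage the trace logs the course names and the RemoteAccess/Rasman System events.
# Run elevated on the Routing and Remote Access server (the same netsh command also
# works on a Windows 7 client). The time window and search pattern are assumptions.

# Enable tracing for all RAS components. Tracing is verbose and costs performance,
# so keep it on only while the failure is reproduced.
netsh ras set tracing * enabled

Read-Host 'Reproduce the failed VPN connection, then press Enter' | Out-Null

# Disable tracing again; this also flushes the logs so that they can be copied.
netsh ras set tracing * disabled

$Tracing = Join-Path $env:windir 'tracing'
$Since   = (Get-Date).AddMinutes(-30)

# Which trace files were written during the reproduction window?
Get-ChildItem $Tracing -Filter *.log | Where-Object { $_.LastWriteTime -gt $Since } |
    Sort-Object LastWriteTime -Descending | Select-Object Name, Length, LastWriteTime

# Narrow the four headline logs down to the lines that usually carry the failure reason.
foreach ($Name in 'PPP.log', 'RASMAN.log', 'IASHLPR.log', 'RASIPCP.log') {
    $Path = Join-Path $Tracing $Name
    if (Test-Path $Path) {
        "==== $Name ===="
        Select-String -Path $Path -Pattern 'error|fail|reject|denied|terminat' |
            Select-Object -Last 20 | ForEach-Object { $_.Line }
    }
}

# Cross-check with the System log: RemoteAccess and Rasman events state the failure
# in plain language and are the first thing to quote when escalating.
Get-EventLog -LogName System -Source RemoteAccess, Rasman -After $Since |
    Select-Object TimeGenerated, EventID, EntryType, Message | Format-List
```

Copy the %windir%\tracing folder as a whole when escalating; the headline logs rarely tell the full story without the component logs written around them.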
Cause: PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.
Solution: Ensure that the appropriate ports are open on the firewall:
PPTP: For PPTP traffic, configure the network firewall to open TCP port 1723 and to forward
IP protocol 47 (GRE) traffic to the VPN server.
L2TP/IPsec: For L2TP traffic, configure the network firewall to open UDP port 500 (IKE), UDP port
4500 (IPsec NAT-T), and UDP port 1701 (L2TP), and to allow IPsec ESP-formatted packets (IP
protocol 50).
SSTP: For SSTP traffic, configure the network firewall to open TCP port 443 to the VPN server.
Cause: This issue can occur if the network firewall does not permit GRE traffic (IP protocol 47).
PPTP uses GRE for tunneled data.
Solution: Configure the network firewall between the VPN client and the server to permit GRE.
Additionally, make sure that the network firewall permits TCP traffic on port 1723. Both of these
conditions must be met to establish VPN connectivity by using PPTP.
Note The firewall might reside on or in front of the VPN client, or in front of the VPN
server.
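A client-side reachability check for the listeners a firewall must allow, as an added example that is not part of the course. It uses only .NET classes available in PowerShell 2.0 on Windows 7; the server name and the timeout are assumptions. GRE, ESP and the UDP ports cannot be verified with a TCP connect, so the script lists them as items to confirm on the firewall or in a netsh trace capture:

```powershell
# Added example (not course text): from the VPN client, check name resolution and the
# TCP listeners (PPTP 1723, SSTP 443) that a firewall in the path must allow.
# The server name and timeout are assumptions for this example.

function Test-VpnReachability {
    param([string]$Server = 'vpn.contoso.com', [int]$TimeoutMs = 3000)
    $Result = @()

    # Name resolution first: a VPN client that resolves the server name to the wrong
    # address fails in exactly the same way as one blocked by a firewall.
    try {
        $Addresses = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.ToString() }
    } catch {
        return New-Object PSObject -Property @{ Check = 'DNS'; Target = $Server; Status = 'FAILED: ' + $_.Exception.Message }
    }
    $Result += New-Object PSObject -Property @{ Check = 'DNS'; Target = $Server; Status = 'resolves to ' + ($Addresses -join ', ') }

    # TCP listeners: 1723 carries the PPTP control channel, 443 carries SSTP.
    # A refusal and a silent drop are distinguished because they point at different devices.
    foreach ($Port in 1723, 443) {
        $Client = New-Object System.Net.Sockets.TcpClient
        $Async  = $Client.BeginConnect($Server, $Port, $null, $null)
        $Done   = $Async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($Done -and $Client.Connected) { $Status = 'open' }
        elseif ($Done)                    { $Status = 'refused (nothing listening, or rejected by a host firewall)' }
        else                              { $Status = 'filtered (no reply within timeout; a firewall is likely dropping the SYN)' }
        $Client.Close()
        $Result += New-Object PSObject -Property @{ Check = "TCP $Port"; Target = $Server; Status = $Status }
    }

    # Traffic that a TCP connect cannot exercise: record it for the firewall team.
    foreach ($Item in 'GRE, IP protocol 47 (PPTP data)',
                      'UDP 500 and 4500 (IKE and NAT-T for L2TP/IPsec and IKEv2)',
                      'UDP 1701 (L2TP)',
                      'ESP, IP protocol 50 (L2TP/IPsec and IKEv2 data)') {
        $Result += New-Object PSObject -Property @{ Check = $Item; Target = $Server; Status = 'verify on the firewall or with a netsh trace capture' }
    }
    $Result
}

Test-VpnReachability -Server 'vpn.contoso.com' | Format-Table Check, Target, Status -AutoSize -Wrap
```

An "open" result on 1723 with a PPTP connection that still fails at the data stage is the classic signature of GRE being blocked, which is the second cause listed above.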
Cause: These errors occur if the VPN client requests an invalid encryption level or if the VPN
server does not support an encryption type that the client requests.
Solution: Check the properties on the Security tab of the VPN connection on the VPN client. If
Require data encryption (disconnect if none) is selected, clear the selection, and retry the
connection. If you are using NPS, check the encryption level in the network policy in the NPS
console or policies on other RADIUS servers. Ensure that the encryption level that the VPN client
requested is selected on the VPN server.
Using the ping command, verify that the host name is being resolved to its correct IP address. The
ping itself might not be successful due to packet filtering that is preventing the delivery of Internet
Control Message Protocol (ICMP) messages to and from the VPN server.
Verify that the credentials of the VPN client, which consist of user name, password, and domain name,
are correct, and that the VPN server can validate them.
Verify that the user account of the VPN client is not locked out, expired, disabled, or that the time the
connection is being made does not correspond to the configured logon hours. If the password on the
account has expired, verify that the remote access VPN client is using MS-CHAP v2. MS-CHAP v2 is
the only authentication protocol that Windows Server 2008 R2 provides that allows you to change an
expired password during the connection process.
For an administrator-level account with an expired password, reset the password using another
administrator-level account.
Verify that the user account has not been locked out due to remote access account lockout.
Verify that the Routing and Remote Access service is running on the VPN server.
Verify that the VPN server is enabled for remote access from the General tab in the properties of a
VPN server in the Routing and Remote Access snap-in.
Verify that the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices are enabled for inbound
remote access from the properties of the Ports object in the Routing and Remote Access snap-in.
Verify that the VPN client, the VPN server, and the network policy corresponding to VPN connections
are configured to use at least one common authentication method.
Verify that the configuration of the VPN client and the network policy corresponding to VPN
connections use at least one common encryption strength.
Verify that the connection's parameters have permission through network policies.
No certificate. By default, L2TP/IPsec connections require that, for IPsec peer authentication, an
exchange of computer certificates occur between the remote access server and remote access client.
Check the Local Computer certificate stores of the remote access client and remote access server
using the Certificates snap-in to ensure that a suitable certificate exists.
Incorrect certificate. The VPN client must have a valid computer certificate installed that was issued by
a certification authority (CA) that follows a valid certificate chain from the issuing CA to a root CA that
the VPN server trusts. Additionally, the VPN server must have a valid computer certificate installed
that was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA that the
VPN client trusts.
A NAT device exists between the remote access client and remote access server. If there is a NAT
between a Microsoft Windows 2000, Windows Server 2003, or Windows XP-based L2TP/IPsec client,
and a Windows Server 2008 L2TP/IPsec server, you cannot establish an L2TP/IPsec connection unless
both the client and server support IPsec NAT-T.
A firewall between the remote access client and remote access server. If there is a firewall between a
Windows L2TP/IPsec client and a Windows Server 2008 R2 L2TP/IPsec server, and you cannot
establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec traffic.
The current date must be within the certificate's validity dates. When certificates are issued, they are issued with a range of valid dates, before which they cannot be used and after which they are considered expired.
The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing CA maintains a list of certificates that are not considered valid by publishing an up-to-date certificate revocation list (CRL). By default, the authenticating server checks all certificates in the VPN client's certificate chain (the series of certificates from the VPN client certificate to the root CA) for revocation. If any of the chain's certificates have been revoked, certificate validation fails.
For the VPN client to validate the authenticating server's certificate for EAP-TLS authentication, the following must be true for each certificate in the certificate chain that the authenticating server sends:
The certificate must have a valid digital signature. CAs digitally sign certificates that they issue. The VPN client verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificate's issuing CA and mathematically validating the digital signature.
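The certificate checks described above (validity dates, a chain to a trusted root CA, CRL revocation, and signature verification) can be run against the Local Computer store from PowerShell. This is an added example, not part of course 6293A; it assumes an elevated PowerShell prompt on the VPN client or VPN server and that the computer can reach the CRL distribution points of its CAs.

```powershell
# Added example (not course 6293A material): audit the Local Computer Personal store for a
# computer certificate that satisfies the L2TP/IPsec peer-authentication checks in the text.
# Assumption: run as Administrator on the VPN client or VPN server.

function Test-IpsecComputerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $now = Get-Date

    # X509Chain does what the peer does: it walks from the leaf to a root in the Trusted Root
    # Certification Authorities store, verifying each certificate's signature with its issuer's
    # public key, and with RevocationMode Online fetches the CRL for every certificate in the
    # chain except the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($Certificate)

    # ChainStatus explains a failed Build(): NotTimeValid, UntrustedRoot, Revoked,
    # RevocationStatusUnknown (CRL unreachable), NotSignatureValid, and so on.
    $reasons = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $rootSubject = ''
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    New-Object PSObject -Property @{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotBefore     = $Certificate.NotBefore
        NotAfter      = $Certificate.NotAfter
        DatesValid    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        HasPrivateKey = $Certificate.HasPrivateKey
        RootCA        = $rootSubject          # the root the peer must also trust
        ChainValid    = $chainOk
        ChainStatus   = ($reasons -join ', ')
    }
}

# A certificate used for IPsec peer authentication must have its private key on this
# computer, so only those candidates are worth checking.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })

if ($candidates.Count -eq 0) {
    # This is the "No certificate" case from the text.
    Write-Warning 'No computer certificate with a private key exists in the Local Computer Personal store.'
} else {
    $candidates |
        ForEach-Object { Test-IpsecComputerCertificate -Certificate $_ } |
        Format-List Subject, Thumbprint, NotBefore, NotAfter, DatesValid, RootCA, ChainValid, ChainStatus
}
```

Run the same script on both peers: each side must report ChainValid for its own certificate, and the RootCA shown must be present in the other peer's Trusted Root Certification Authorities store.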
In dynamic business scenarios, users must be able to access data securely at any time, from anywhere, and be able to access it continuously, without interruption. For example, users might want to access data securely on the company's server while in the head office, or from a branch office, or while on the road.
To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows Server 2008 R2 and Windows 7. This enables users to access the company's data securely by using a VPN connection, which reconnects automatically if connectivity is interrupted. It also enables roaming between different networks.
VPN Reconnect uses the IKEv2 technology to provide seamless and consistent VPN connectivity. VPN
Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available.
Users who connect by using wireless mobile broadband benefit most from this capability.
Consider a user with a laptop that is running Windows 7. When the user travels to work in a train, the user connects to the Internet by using a wireless mobile broadband card, and then establishes a VPN connection to the company's network. When the train passes through a tunnel, the Internet connection is lost. After the train comes out of the tunnel, the wireless mobile broadband card reconnects automatically to the Internet. With earlier versions of Windows client and server operating systems, VPN did not reconnect automatically. Therefore, users had to repeat the VPN connection process manually each time their connection was lost. This was time-consuming for mobile users who often experienced intermittent network connectivity.
VPN Reconnect enables Windows Server 2008 R2 and Windows 7 to reestablish active VPN connections
automatically when the network reestablishes Internet connectivity. Even though the reconnection might
take several seconds, users stay connected and have uninterrupted access to internal network resources.
The system requirements for using the VPN Reconnect feature are:
Public key infrastructure (PKI), because a computer certificate is required for a remote connection
with VPN Reconnect. You can use certificates that either an internal or public CA issues.
To enable VPN Reconnect, after selecting IKEv2 as your preferred tunneling protocol, open Advanced Properties, ensure that the Mobility setting is enabled, and configure the Network outage time (the default is 30 minutes).
Lesson 2
Using Remote Desktop
The Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications. It is important that you understand how to enable, configure, and troubleshoot Remote Desktop connections to support your organization's users.
Objectives
After completing this lesson, you will be able to:
Apply best practices for troubleshooting issues with Remote Desktop connections.
The Remote Desktop Connection feature, simply called Remote Desktop, is a technology that uses RDP, and allows you to connect to a remote computer's console. The Remote Desktop client is installed in Windows 7, but is not enabled by default.
Allow connections from computers running any version of Remote Desktop (less secure).
If you are unsure of the version of the Remote Desktop client software, this is the best choice.
Allow connections only from computers running Remote Desktop with Network Level Authentication.
This setting limits connections to computers that are running the Windows XP operating system with
Service Pack 3 (SP3), Windows 7, and the Windows Server 2008 operating system or newer.
Important: Granting a user remote access by adding them to the Remote Desktop Users group does not grant administrative rights to that user; it simply allows them to make the connection.
Remote Desktop uses RDP over TCP port 3389. By default, once you enable Remote Desktop, authorized
users can connect from any computer that is running the appropriate Remote Desktop client software.
You can use Windows Firewall to limit which computers can access port 3389.
Note: You can change the listening port for Remote Desktop by editing the registry.
To launch Remote Desktop, from the Start menu, click All Programs, click Accessories, and then click
Remote Desktop Connection. You also can type mstsc.exe in the Search box to launch a remote
session.
To connect to the remote computer, you can type in the name or the IP address of the remote computer.
You will be asked for credentials when you connect. If another user is logged on when you attempt to
connect, that user has 30 seconds to refuse to allow your connection. If the logged-on user allows your
connection or does not respond, your connection will occur successfully.
The following table lists the client options that you can configure by using the Options tabs on the
Remote Desktop Connection dialog box.
Tab / Options
General: Enter the computer and user name, and whether to save the connection as an RDP file.
Display: Choose the remote display's screen size and color quality.
Local Resources: Use remote computer resources in your session, such as the printer or clipboard.
Experience: Configure the way you want the remote session to appear visually. The more features that you add, the more bandwidth it takes.
Advanced: Tell the Remote Desktop client how to behave if the RDP server fails to prove its authenticity. You can choose whether to connect without warning or to receive a warning, and whether you want to connect or prevent the connection.
You can configure Remote Desktop connections, then save them to RDP files, and then distribute them to
users. You can open these files in Remote Desktop.
In this practice, you will enable and configure Remote Desktop. This involves configuring Windows
Firewall rules.
Instructions
For this practice, you will use the available virtual machine environment. 6293A-NYC-DC1,
6293A-NYC-SVR1, and 6293A-NYC-CL1 should be running.
Detailed Steps
Password: Pa$$w0rd
Domain: Contoso
3. Click Start, and then in the Search box, type Firewall.
5. In the Windows Firewall dialog box, click Allow a program or feature through Windows Firewall.
6. In the Name list, select the Remote Desktop check box, and then select the check boxes for the
Domain, Home/Work, and Public profiles. Click OK.
3. Under Remote Desktop, click Allow connections from computers running any version of Remote
Desktop (less secure).
3. In the Remote Desktop Connection dialog box, in the Computer box, type nyc-cl1, and then click
Options.
5. Under Server authentication, in the If server authentication fails list, click Connect and don't warn me.
6. Click Connect.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
You can use Group Policy to control Remote Desktop behavior across your organization. You also can
control all aspects of Remote Desktop through policy settings for Remote Desktop Services.
Access policy settings for the computer by using Group Policy Management, and then edit the
appropriate policy by expanding Computer Configuration, expanding Policies, expanding
Administrative Templates, expanding Windows Components, and then expanding Remote Desktop
Services.
Computer policy settings for Remote Desktop include the policies that the following table details.
Remote Desktop Connection Client>Prompt for credentials on client computer: When you enable this setting, a user is prompted on the client computer instead of on the terminal server to provide credentials for a remote connection to a remote desktop server. If user credentials are saved and available on the client computer, the user is not prompted to provide credentials.
Remote Desktop Session Host>Connections>Allow users to connect remotely using Remote Desktop Services: When enabled, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Remote Desktop Services.
Remote Desktop Session Host>Security>Set client connection encryption level: If you enable this setting, all communications between clients and terminal servers during remote connections must use the encryption method that this setting specifies. By default, the encryption level is set to High.
Remote Desktop Session Host>Session Time Limits: This policy controls session time limits for disconnected, idle, and active sessions, and controls whether to terminate sessions when limits are reached.
You can access policy settings for the user by expanding User Configuration, expanding Policies,
expanding Administrative Templates, expanding Windows Components, and then expanding
Terminal Services.
The following table lists the options for user policy settings for Remote Desktop.
Remote Desktop Session Host>Remote Session Environment>Start a program on connection: This policy specifies a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting. Enabling this setting overrides the Start Program settings set by the server administrator or user.
Remote Desktop Session Host>Session Time Limits: This policy controls session time limits for disconnected, idle, and active sessions, and controls whether to terminate sessions when users reach these limits.
Remote Desktop sessions typically are successful. However, a number of things can go wrong during the
connection and authentication process. This section and the following table discuss some of the most
common issues.
Issue / Cause
Cannot connect to the remote computer:
Check the Windows 7 edition. Home editions do not allow inbound remote connections.
Verify that Windows Firewall is allowing traffic to port 3389.
If the target computer is behind a Network Address Translation (NAT) device, configure port forwarding through NAT to the target computer.
Check the system properties, and ensure that Remote Desktop is enabled on the target computer.
Ensure that the target computer is not in sleep mode or hibernation.
Ensure that the user who is attempting to connect has permission to make a connection.
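The Remote Desktop settings discussed in this lesson (enabled state, the Network Level Authentication choice, the listening port in the registry, the firewall rule for port 3389, and Remote Desktop Users membership) can be audited in one pass, and the firewall rule can be scoped to a management subnet as the text suggests. This is an added example, not course 6293A material; it assumes an elevated PowerShell prompt on the Windows 7 target computer, English netsh output, the Windows 7 built-in rule name "Remote Desktop (TCP-In)", and 10.10.0.0/24 as a placeholder management subnet.

```powershell
# Added example (not course 6293A material): audit the Remote Desktop settings from the
# troubleshooting table and scope inbound port 3389 to a management subnet.
# Assumptions: elevated PowerShell on Windows 7, English netsh output,
# rule name "Remote Desktop (TCP-In)", placeholder subnet 10.10.0.0/24.

$terminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpListenerKey    = "$terminalServerKey\WinStations\RDP-Tcp"
$rdpRuleName       = 'Remote Desktop (TCP-In)'

function Get-RemoteDesktopStatus {
    $ts  = Get-ItemProperty -Path $terminalServerKey
    $rdp = Get-ItemProperty -Path $rdpListenerKey

    # Enabled state and remote-address scope of the built-in firewall rule.
    $ruleText    = netsh advfirewall firewall show rule name="$rdpRuleName"
    $ruleEnabled = [bool]($ruleText | Select-String -Pattern '^Enabled:\s+Yes')
    $ruleScope   = ($ruleText | Select-String -Pattern '^RemoteIP:\s+(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }) -join '; '

    # Members of the local Remote Desktop Users group (membership only grants the connection).
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

    New-Object PSObject -Property @{
        Edition             = (Get-WmiObject Win32_OperatingSystem).Caption  # Home editions refuse inbound RDP
        RemoteDesktopOn     = ($ts.fDenyTSConnections -eq 0)                 # System Properties > Remote
        NlaRequired         = ($rdp.UserAuthentication -eq 1)                # "only ... with Network Level Authentication"
        ListeningPort       = $rdp.PortNumber                                # 3389 unless changed in the registry
        ServiceRunning      = ((Get-Service -Name TermService).Status -eq 'Running')
        FirewallRuleEnabled = $ruleEnabled
        FirewallRemoteIP    = $ruleScope                                     # "Any" means every computer may connect
        RemoteDesktopUsers  = ($members -join ', ')
    }
}

function Set-RemoteDesktopFirewallScope {
    param([Parameter(Mandatory = $true)][string] $RemoteIP)
    # Restrict the inbound port 3389 rule so that only the given hosts or subnets reach the
    # listener: the "use Windows Firewall to limit which computers can access port 3389" step.
    # Pass "any" to remove the restriction again.
    netsh advfirewall firewall set rule name="$rdpRuleName" new remoteip=$RemoteIP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not update rule '$rdpRuleName'" }
}

Get-RemoteDesktopStatus | Format-List
Set-RemoteDesktopFirewallScope -RemoteIP '10.10.0.0/24'   # placeholder management subnet
Get-RemoteDesktopStatus | Select-Object FirewallRemoteIP
```

If ListeningPort is not 3389 because the registry was changed, the firewall rule still refers to port 3389 and must be adjusted to match.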
Lesson 3
Troubleshooting User Issues by Using Remote Assistance
Remote Assistance is a built-in tool that allows users to control another operating system by connecting
to it remotely. Windows Remote Assistance is a useful tool for providing remote assistance when users
need help. Remote Assistance is available in all Windows 7 editions.
Objectives
After completing this lesson, you will be able to:
When you connect to a user's computer with Remote Assistance, you can see their desktop, any open documents, and any visible private information. Remote Assistance creates a chat session between you and the user to communicate via text messages.
Additionally, if the user allows you to control his or her computer by remotely operating his or her mouse
and keyboard, you can perform various administrative functions, such as deleting files or changing
settings.
When you ask to share control of the desktop, a check box is visible. When the user selects this check box, it enables you to respond to User Account Control prompts. You can respond to requests for administrator consent or administrator credentials, such as a user name or password. You then can run administrator-level programs without the user's participation.
For you or another helper to share the control of a computer, the user must grant permission. Likewise, if
the user wants to stop you or another helper from sharing control, they can click Cancel, and then click
Stop sharing, or press E.
You can offer Remote Assistance to users in anticipation of users requesting assistance from you. This is
useful in situations where you predict that users may require assistance, such as after you deploy a new
application or implement a new procedure.
The Help and Support Center provides links to assist helpers in offering Remote Assistance to users. By
using the computer name or IP address, you can send an invitation to the user. A remote session begins
when the user accepts the request.
Remote Assistance provides a way for users to get the help they need, and makes it easier and less costly for corporate help desks to assist users. Remote Assistance enables users to invite you to connect to their computers so that you can view their desktops when they need assistance. With the user's permission, the helper can even share control of the user's computer to resolve issues remotely. Windows 7 enables Remote Assistance by default.
In Windows XP, you can access Remote Assistance only through Help and Support. In Windows 7, the
Help and Support Center still provides a link to Remote Assistance, but Remote Assistance also appears as
a stand-alone application. It is in the Maintenance section of All Programs on the Start menu, or you
can launch it by executing msra.exe.
Sending an Invitation
A user who needs assistance can initiate a Remote Assistance session by sending an invitation to the
helper.
The following table lists the methods by which users can send invitations.
Email: Email the invitation to the helper. Remote Assistance automatically launches a blank email form. If the user does not have an email client configured, then Windows Mail prompts for configuration.
Saving a file: Save the invitation to a file in a network location that the helper can access. You can use the Help and Support Center links to assist in saving the invitation as a file.
After creating the invitation, the user must create a password to protect the invitation. The requester must
transmit the password to the helper in a separate communication. A Remote Assistance window then
appears and waits for an incoming connection. Do not close this window, or the helper will be unable to
respond.
Administrators can control many aspects of the invitation, such as how long an invitation remains valid,
and whether someone can control the computer remotely. These settings are in the Advanced section of
the Remote tab in System Properties. The default settings allow remote control, and invitations are valid
for six hours.
Note: You must configure Windows Firewall to allow communication through port 3389.
Accepting an Invitation
After the recipient receives your invitation, the recipient can respond by saving and then opening the
attached file, and then entering the password. Remote Assistance creates an encrypted connection either
over the Internet or over the network that connects the computers. The requesting user has to click Yes to
complete the transaction.
In this demonstration, you will see how to use Remote Assistance to help to resolve a user's problem with an Office feature.
Demonstration Steps
1. On NYC-CL1, create a Microsoft Office Word document.
You can manage some aspects of Remote Assistance by using Group Policy. Configure Group Policy
objects (GPOs) on the local computer or in AD DS to control the Remote Assistance behavior. You can
access Remote Assistance policy settings by expanding Computer Configuration, expanding Policies,
expanding Administrative Templates, expanding System, and then expanding Remote Assistance.
Turn on session logging: Turn logging on. Log files are located in the user's Documents folder under Remote Assistance.
Turn on bandwidth optimization: This policy improves performance in low bandwidth scenarios. This setting scales incrementally from No optimization to Full optimization.
Solicited Remote Assistance: Enable Solicited Remote Assistance on this computer. Disabling this setting prevents users from asking for Remote Assistance. You also can configure invitation time limits, and whether to allow remote control.
Offer Remote Assistance: Turn on Offer (Unsolicited) Remote Assistance on this computer. You must enable this policy for users to receive unsolicited Remote Assistance.
Lesson 4
Troubleshooting NAP Issues
Network Access Protection (NAP) enables you to create customized health-requirement policies to
validate computer health before allowing access or communication. NAP also updates compliant
computers automatically to ensure ongoing compliance and limit the access of noncompliant computers
to a restricted network until they become compliant.
Understanding how NAP works enables you to determine why client computers are unable to connect to your organization's network resources when they are not compliant.
Objectives
After completing this lesson, you will be able to:
Troubleshoot NAP.
What Is NAP?
NAP for Windows Server 2008 R2, Windows 7, and Windows Vista provides components and an application programming interface (API) that help you enforce compliance with your organization's health-requirement policies for network access or communication.
NAP enables you to create solutions for validating computers that connect to your networks, and it
provides the necessary updates or access to necessary health-update resources. Additionally, it limits the
access or communication of noncompliant computers.
You can integrate NAP's enforcement features with software from other vendors or with custom programs. You also can customize the health-maintenance solution that developers within your organization may develop and deploy, whether for monitoring the computers that are accessing the network for health policy compliance, automatically updating computers with software updates to meet health-policy requirements, or limiting the access to a restricted network of computers that do not meet health-policy requirements.
It is important to remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the health of your organization's networked computers automatically, which in turn helps maintain your network's overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant, and will have unlimited network access. However, NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.
Aspects of NAP
NAP has three important and distinct aspects:
Health state validation. When a computer attempts to connect to the network, NAP validates the computer's health state against the health-requirement policies that the administrator defines. You also can define what to do if a computer is not compliant. In a monitoring-only environment, NAP evaluates the health state of all computers, and then logs the compliance state of each computer for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies may have access that is limited to a restricted network.
Health policy compliance. You can help ensure compliance with health-requirement policies by
choosing to update noncompliant computers automatically with missing software updates or
configuration changes through management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers will have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically, and you can define exceptions for computers that are not compatible with
NAP.
Limited access. You can protect your networks by limiting the access of noncompliant computers. You
can base limited network access on a specific amount of time, or on what resources the noncompliant
computer can access. In the latter case, you define a restricted network containing health update
resources, and the limited access will last until the noncompliant computer comes into compliance.
You also can configure exceptions so that computers that are not compatible with NAP do not have
their network access limited.
Components of NAP
Components / Description
NAP clients: Computers that support the NAP platform for system health-validated network access or communication.
NAP enforcement points: Computers or network-access devices that use NAP, or that you can use with NAP, to require evaluation of a NAP client's health state, and then provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement points include the following:
Health Registration Authority (HRA). This is a computer that runs Windows Server 2008 R2 and IIS, and that obtains health certificates from a certification authority (CA) for compliant computers.
VPN server. A computer that runs Windows Server 2008 R2 and Routing and Remote Access, and that enables VPN intranet connections via remote access.
DHCP server. A computer that runs Windows Server 2008 R2 and the DHCP Server service, and that provides automatic IPv4 address configuration to intranet DHCP clients.
Network access devices. These are Ethernet switches or wireless access points that support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication.
NAP health policy servers: These are computers that run Windows Server 2008 R2 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), and the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.
Health requirement servers: These computers provide the current system health state for NAP health policy servers. An example of these would be a health-requirement server for an antivirus program that tracks the latest version of the antivirus signature file.
AD DS: This Windows directory service stores account credentials and properties, and stores Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
Restricted network: This is a separate logical or physical network that contains remediation servers and NAP clients with limited access.
Remediation servers: These are computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.
NAP clients with limited access: These are computers placed on the restricted network when they do not comply with health-requirement policies.
The need to enforce client health requirements varies between organizations. Some organizations have
already implemented a solution, while others are just evaluating it. NAP is the Microsoft solution for
enforcing client health requirements.
DHCP
VPN
802.1X
IPsec
TS Gateway
Question: Can you envision using NAP? If so, what NAP enforcement method would be
suitable?
You should remember these basic guidelines when you configure NAP clients:
Some NAP deployments that use Windows Security Health Validator require that you enable Security
Center.
The Network Access Protection service is required when you deploy NAP to NAP-capable client
computers.
You must also configure the NAP enforcement clients on the NAP-capable computers.
Note: To complete this procedure, you must be a member of one of the following groups on the local computer: Domain Admins, Enterprise Admins, or Administrators.
2. In the Select Group Policy Object dialog box, click Finish, and then click OK.
3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration,
double-click Administrative Templates, double-click Windows Components, and then double-click
Security Center.
4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
Note: To complete this procedure, you must be a member of one of the following groups on the local computer: Domain Admins, Enterprise Admins, or Administrators.
1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then
double-click Services.
2. In the services list, scroll down to, and then double-click, Network Access Protection Agent.
3. In the Network Access Protection Agent Properties dialog box, change Startup Type to
Automatic, and then click OK.
1. Open the NAP client configuration console: click Start, click All Programs, click Accessories, click
Run, type NAPCLCFG.MSC, and then click OK.
2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to
enable or disable, and then click Enable or Disable.
Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider performing this procedure by using the Run as command.
When a NAP-capable client attempts to connect to your network, several NAP components assess its
health.
Troubleshooting Procedure
If a problem occurs when a client attempts a connection, you can troubleshoot the connection by using
the following procedures:
Determine that all the client-side components are running. You should ensure that Windows Security
Center is enabled, and that the client-side NAP Enforcement clients are configured correctly.
Determine the requirements of the system health validator (SHV). Reasons that the client is not compliant may include the absence of a firewall or the absence of current security updates.
Verify that the settings of the health policies are appropriate. The health policy determines network
access by assessing the client against the SHV requirements. You should verify that the health policy
grants the appropriate access.
Verify that the client matches the conditions and constraints on the health policy. You should ensure that the client's settings meet the health policy conditions and constraints that you configure.
Check to ensure that the client is NAP-capable. The client will only connect if it is NAP-capable.
NAP Tracing
You can use the NAP Client Configuration snap-in to configure NAP tracing, in addition to
troubleshooting by using the preceding general troubleshooting procedures. NAP tracing records NAP
events in a log file, which you can use for troubleshooting and maintenance. You also can use tracing logs
to evaluate your network's health and security. You can configure three levels of tracing: Basic, Advanced,
and Debug.
You evaluate the overall health and security of your organization's computers.
The NAP Client Configuration console is part of the Windows user interface.
1. Open the NAP Client Configuration console by clicking Start, clicking Programs, clicking
Accessories, clicking Run, typing napclcfg.msc, and then clicking OK.
2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click
Properties.
3. In the NAP Client Configuration (Local Computer) Properties dialog box, choose Enabled or
Disabled.
Note To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a
security best practice, consider performing this operation using the Run As command.
4. If Enabled is chosen, under Specify the level of detail at which the tracing logs are written, select
Basic, Advanced, or Debug.
1. Open a command prompt by clicking Start, clicking All Programs, clicking Accessories, and clicking
Command Prompt.
2. The following are your options for enabling or disabling NAP tracing, and configuring NAP tracing:
To enable NAP tracing and configure basic or advanced logging, type: netsh nap client set
tracing state=enable level=basic or netsh nap client set tracing state=enable level=advanced.
To enable NAP tracing for debug information, type: netsh nap client set tracing state=enable
level=verbose.
To disable NAP tracing, type: netsh nap client set tracing state=disable.
Note To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a
security best practice, consider performing this operation using the Run As command.
Restriction state.
This command displays the local configuration settings on a NAP client, including:
Cryptographic settings.
This command displays the Group Policy configuration settings on a NAP client, including:
Cryptographic settings.
The events in the following table provide information about NAP services running on an NPS server.
Event ID: 6276
Event: Network Policy Server quarantined a user.
Description: Occurs when the client-access request matches a network policy that is configured with a
NAP enforcement setting of Allow limited access.

Event ID: 6277
Event: Network Policy Server granted access to a user but put it on probation because the host did not
meet the defined health policy.
Description: Occurs when the client-access request matches a network policy that is configured with a
NAP enforcement setting of Allow full network access for a limited time when the date specified in the
policy has passed.

Event ID: 6278
Event: Network Policy Server granted full access to a user because the host met the defined health
policy.
Description: Occurs when the client-access request matches a network policy that is configured with a
NAP enforcement setting of Allow full network access.
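The following Windows PowerShell script is an added example and is not part of the course material. It queries the Security log of an NPS server for the three events in the table and summarizes how many client requests were quarantined, put on probation, or granted full access, which quickly shows whether an enforcement problem affects every client or only one. It assumes that NPS writes these audit events to the Security log of the server it runs on (run the script there, elevated, or pass -ComputerName), and the "Account Name:" and "Network Policy Name:" fields matched in the message text are assumed from the standard layout of NPS audit events on Windows Server 2008 R2.

```powershell
# Added example, not course code. Summarizes NAP enforcement results from
# NPS audit events 6276/6277/6278 in the Security log of an NPS server.
# Run elevated on the NPS server (or pass -ComputerName to reach it remotely).
# Written for Windows PowerShell 2.0 and later.

$NapEventMeaning = @{
    6276 = 'Quarantined: policy enforcement setting Allow limited access'
    6277 = 'Probation: policy enforcement setting Allow full network access for a limited time'
    6278 = 'Full access: policy enforcement setting Allow full network access'
}

function Get-NapEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int[]]$Id = @(6276, 6277, 6278)
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error rather than an empty
    # result, so suppress it and return an empty array in that case.
    @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Get-NapEnforcementSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $events = Get-NapEvents -ComputerName $ComputerName -Hours $Hours
    foreach ($id in 6276, 6277, 6278) {
        $matching = @($events | Where-Object { $_.Id -eq $id })
        $latest = $matching | Sort-Object TimeCreated -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            EventId = $id
            Meaning = $NapEventMeaning[$id]
            Count   = $matching.Count
            Latest  = $(if ($latest) { $latest.TimeCreated } else { $null })
        }
    }
}

function Get-NapQuarantinedClients {
    # Lists who was quarantined (event 6276) and which network policy matched.
    # Assumption: the rendered message contains "Account Name:" and
    # "Network Policy Name:" lines, as NPS audit events do on Windows Server 2008 R2.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    foreach ($e in Get-NapEvents -ComputerName $ComputerName -Hours $Hours -Id 6276) {
        $account = '(unknown)'
        $policy  = '(unknown)'
        if ($e.Message -match 'Account Name:\s+(\S+)')       { $account = $matches[1] }
        if ($e.Message -match 'Network Policy Name:\s+(.+)') { $policy  = $matches[1].Trim() }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Account = $account
            Policy  = $policy
        }
    }
}

# Usage: overall counts per outcome, then the quarantined clients in detail.
Get-NapEnforcementSummary | Select-Object EventId, Count, Latest, Meaning | Format-Table -AutoSize
Get-NapQuarantinedClients | Sort-Object Time -Descending | Format-Table -AutoSize
```

A run in which every request lands on 6276 points at the health policy or SHV requirements; a single account repeatedly quarantined while others receive 6278 points at that client's configuration (firewall, updates, enforcement client), which is where the client-side procedure above applies.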
Lesson 5
Troubleshooting DirectAccess Issues
Organizations often rely on VPN connections to provide remote users with secure access to data and
resources on the corporate network. VPN connections are easy to configure, and several different clients
support them. However, users must establish VPN connections before they can use these clients, which
may require additional configuration of the corporate firewall. Additionally, VPN connections usually
enable remote access to the entire corporate network, and typically organizations cannot manage remote
computers effectively.
To manage remote computers easily and overcome limitations in VPN connections, organizations can
implement DirectAccess, which provides a seamless connection between the internal network and the
remote computer, as long as there is an Internet connection.
Objectives
After completing this lesson, you will be able to:
Describe DirectAccess.
Configure DirectAccess.
What Is DirectAccess?
Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless
remote access to intranet resources without users having to first establish a VPN connection. The
DirectAccess feature also ensures seamless connectivity for internal users and remote users on application
infrastructure.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application on the client computer to have complete access to intranet resources.
DirectAccess also enables you to specify resources and client-side applications that are restricted for
remote access.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers, using the same management and update servers, to ensure they are always current and in
compliance with security and system health policies. You also can define more detailed access-control
policies for remote access when compared with defining access control policies in VPN solutions.
Automatically connects the client computer to the corporate intranet when it is connected to the
Internet.
Uses various protocols, including HTTPS, to establish IP version 6 (IPv6) connectivity. HTTPS typically is
allowed through firewalls.
Supports selected server access and IPsec authentication with an intranet network server.
Always-on connectivity. Whenever the user connects the client computer to the Internet, the client
computer is connected to the intranet also. This connectivity enables remote client computers to
access and update applications easily, makes intranet resources always available, and enables users to
connect to the corporate intranet from anywhere and at any time, which maximizes their productivity
and performance.
Bidirectional access. You can configure DirectAccess so that DirectAccess clients have access to
intranet resources, and computers on the intranet have access from the intranet to those DirectAccess
clients. This enables DirectAccess to be bidirectional, so that DirectAccess users have access to intranet
resources, and you can have access to DirectAccess clients when they are connecting over a public
network. This ensures that the client computers always have the most recent security updates, as well
as enforcement of the domain's Group Policy, and that there is no difference whether users are on the
corporate intranet or on the public network.
This bidirectional access also results in:
Increased security.
Decreased update miss rate.
Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter degree of control allows security architects to precisely control remote
users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so
that users can ensure that their communication is safe. You can use a granular policy to define who
can use DirectAccess, and from where.
Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions,
resulting in the seamless integration of security, access, and health requirement policies between the
intranet and remote computers.
The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:
The DirectAccess client computer that is running Windows 7 detects whether it is connected to a
network.
The DirectAccess client computer attempts to connect to an intranet website that is specified during
the DirectAccess configuration. If the website is available, the DirectAccess client verifies that the
client computer is connected to the intranet, and the DirectAccess connection process stops. If the
website is not available, the DirectAccess client verifies that the client computer is connected to the
Internet, and the DirectAccess connection process continues.
The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to occur.
If a firewall or proxy server prevents the client computer from using 6to4 or Teredo to connect to
the DirectAccess server, the client computer attempts to connect automatically by using the IP-
HTTPS protocol, which uses an SSL connection to ensure connectivity.
To establish the IPsec session, the DirectAccess client and server authenticate each other by using
computer certificates.
By validating AD DS group memberships, the DirectAccess server verifies that the computer and user
are authorized to connect by using DirectAccess.
If you enable and configure NAP for health validation, the DirectAccess client obtains a health
certificate from an HRA located on the Internet prior to connecting to the DirectAccess server.
The HRA forwards the DirectAccess client's health status information to a NAP health policy server.
The NAP health policy server processes the policies that the NPS defines, and then determines
whether the client is compliant with the system health requirements. If the client is compliant, the HRA
obtains the health certificate for the DirectAccess client. When the DirectAccess client connects to the
DirectAccess server, the health certificate is submitted for authentication.
The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet
resources to which the user has been granted access.
Configuring DirectAccess
1. Install Windows Server 2008 R2 on a server computer with two physical network adapters.
2. Join the DirectAccess server to an Active Directory domain.
3. Install the DirectAccess Management feature, and configure the DirectAccess server so that it is on
the perimeter network with one network adapter connected to the Internet and at least one other
network adapter connected to the intranet. Ensure that both network adapters are enabled and have
their respective IPv4 addresses configured, if there is no native IPv6 connectivity available. This is
critical for the DirectAccess server to derive its configuration information automatically. Otherwise,
you will need to configure detailed configuration manually.
4. Verify that the ports and protocols necessary for DirectAccess and ICMP Echo Request are enabled in
the firewall exceptions, and are opened on the perimeter and Internet-facing firewalls.
5. The DirectAccess server needs at least two consecutive public, static IPv4 addresses that can be
resolved externally through DNS. Ensure that you have an IPv4 address available, and that you have
the ability to publish that address in your externally-facing DNS server.
6. If you have disabled IPv6 on clients and servers, enable IPv6 because DirectAccess requires it.
7. Create a security group in Active Directory, and then add all client computer accounts that will be
accessing the intranet through DirectAccess.
8. Install a web server on the DirectAccess server to enable DirectAccess clients to determine if they are
inside or outside the intranet.
9. Designate one of the server network adapters as the Internet-facing interface. This interface will
require two consecutive, public IPv4 addresses. You must assign both of these IPv4 addresses to the
same interface.
10. On the DirectAccess server, ensure that you configure the Internet-facing interface to be either a
public or a private interface, depending on your network design. Configure the intranet interfaces as
Domain interfaces. DirectAccess supports no other combinations. If you have more than two
interfaces, ensure that you select no more than two classification types.
11. Add and configure the Certificate Authority server role, create the certificate template and the CRL
distribution point, publish the CRL, and then distribute the computer certificates.
The process that you would use to troubleshoot the DirectAccess server configuration is beyond the
scope of an EDST. However, you do need to understand how to troubleshoot DirectAccess from the
client's perspective.
If you have difficulty locating a specific server on the internal network, it may not have an IPv6 address. All
servers that you can access by using DirectAccess must have an IPv6 address.
The following is the general process for troubleshooting DirectAccess clients:
1. Verify that the client version is Windows 7 Enterprise Edition or Windows 7 Ultimate Edition. Those
are the only supported versions.
2. Verify that the client is joined to the domain. The computer account also must be a member of the
security groups selected for access during server-side configuration.
3. Verify that the client has downloaded the necessary GPOs with DirectAccess configuration
information. You can use RSoP to verify that the correct GPO has been applied.
4. Verify IPv6 connectivity with the DirectAccess server by using ping to verify connectivity
to the server's IPv6 address.
5. Verify that the client is correctly identifying whether it is on the internal network or the Internet. Use
the netsh dnsclient show state command, and then read the Machine location field.
6. Verify that clients on the Internet are not using the domain profile, by using Windows Firewall with
Advanced Security or the netsh advfirewall monitor show currentprofile command.
7. Verify that connected clients can resolve DNS names on the internal network. Use NSLookup to verify
that a DNS name can be resolved to an IPv6 address.
8. Verify that IPsec connectivity has been negotiated successfully. Use Windows Firewall with Advanced
Security to view IPsec connections, or use the netsh advfirewall monitor show mmsa and netsh
advfirewall monitor show qmsa commands.
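The following Windows PowerShell script is an added example, not part of the course material. It runs the eight client-side checks above in order on a Windows 7 DirectAccess client and prints each result, so that a support engineer can capture the whole picture in one pass rather than typing each command. The DirectAccess server's IPv6 address and the intranet host name are placeholders that you replace with your own values; the script uses only the commands named in the steps above plus WMI for the edition and domain checks, and it should be run from an elevated prompt so that gpresult, the firewall monitor and the IPsec monitor can read their state.

```powershell
# Added example, not course code. Runs the client-side DirectAccess checks
# listed above, in order, on a Windows 7 client. Written for Windows
# PowerShell 2.0; run elevated. The two values below are placeholders.

$DirectAccessServerIPv6 = '2001:db8::1'          # placeholder: IPv6 address of your DirectAccess server
$IntranetHost           = 'intranet.corp.example' # placeholder: an internal name that must resolve to IPv6

function Show-Step { param([string]$Text) Write-Host "`n=== $Text ===" }

# Step 1: only Windows 7 Enterprise and Ultimate support DirectAccess.
Show-Step 'Windows edition'
$os = Get-WmiObject -Class Win32_OperatingSystem
$editionOk = $os.Caption -match 'Enterprise|Ultimate'
"$($os.Caption) -> supported edition: $editionOk"

# Step 2: the client must be joined to the domain (group membership is checked server-side).
Show-Step 'Domain membership'
$cs = Get-WmiObject -Class Win32_ComputerSystem
"PartOfDomain: $($cs.PartOfDomain)  Domain: $($cs.Domain)"

# Step 3: the DirectAccess client GPO must appear among the applied computer GPOs.
Show-Step 'Applied computer GPOs (gpresult)'
gpresult /r /scope computer

# Step 4: IPv6 reachability of the DirectAccess server.
Show-Step 'IPv6 ping of the DirectAccess server'
ping -6 -n 2 $DirectAccessServerIPv6

# Step 5: how the client classified its location (read the Machine location field).
Show-Step 'Network location detection'
netsh dnsclient show state

# Step 6: a client on the Internet must not be using the Domain firewall profile.
Show-Step 'Active firewall profile'
netsh advfirewall monitor show currentprofile

# Step 7: internal names must resolve to IPv6 addresses.
Show-Step 'DNS resolution of an intranet host'
nslookup $IntranetHost

# Step 8: IPsec main-mode and quick-mode security associations with the server.
Show-Step 'IPsec security associations'
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Read the output top to bottom and stop at the first failing step: an unsupported edition or a missing GPO makes every later check meaningless, and an empty mmsa/qmsa listing with a successful IPv6 ping points at certificate or authentication problems rather than connectivity.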
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 through 4 for 6293A-NYC-SVR2 and 6293A-NYC-CL1.
Lab Scenario
A user reported a recent problem connecting to the corporate intranet from his home. He cannot connect
to the intranet, and receives the error that the help-desk ticket documents. The help desk checked the
basic network settings, but is unsure how to proceed.
Supporting Documentation
Incident Record
Incident Reference Number: 603321
Incident Details
Max reports that he cannot connect to the corporate intranet site from home. He uses a preconfigured
VPN.
Additional Information
The intranet site is accessible when Max connects his computer locally in the Contoso domain.
VPN settings for Contoso home users:
Users connecting using VPN must use EAP authentication.
The preferred RAS server is NYC-SVR2.
NAP has been implemented in Contoso in recent weeks using VPN enforcement. IPv4 filters
restrict connectivity to remediation servers.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
Password: Pa$$w0rd
Password: Pa$$w0rd
Domain: Contoso
Note Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.
1. Using your knowledge of remote connectivity issues, and tools available for troubleshooting the
remote networking environment, attempt to resolve the problem.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Password: Pa$$w0rd
Results: At the end of this exercise, you will have resolved the remote connectivity problem.
Review Questions
1. Users are complaining that they are unable to connect to the corporate network using VPNs
following recent firewall configuration changes. The team responsible for implementing security
policies has determined that only TCP port 443 is allowed through into the internal network. Which
tunneling protocol supports this restriction?
2. A user from accounts has attempted to connect to the corporate network using a VPN, and keeps
receiving error 800. To help resolve the issue, what would you attempt?
3. What tools could you use to help resolve the preceding problem?
4. You have a VPN server with two configured network policies. The first has a condition that grants
access to members of the Contoso group, to which everyone in your organization belongs, but has a
constraint of day and time restrictions for office hours only. The second policy has a condition of
membership of the Domain Admins group and no constraints. Why are administrators being refused
connections out of office hours, and what can you do about it?
Tools
Module 7
Troubleshooting Logon and Resource Access Issues
Contents:
Lesson 1: Troubleshooting User Logon Issues 7-3
Module Overview
It is essential that users gain access to all of the resources that they need to perform their jobs, such as the
data stored in their profiles, their files, and access to their printers. The first step in gaining access to these
resources is a successful logon.
User profiles, file access, and printer access all have unique issues that can affect the user experience
negatively. You need to be able to troubleshoot and resolve issues related to all of these areas.
Objectives
After completing this module, you will be able to:
Lesson 1
Troubleshooting User Logon Issues
To troubleshoot the logon process successfully, you need a thorough understanding of the logon process,
including how Windows 7 uses cached credentials, and Active Directory Domain Services (AD DS)
password and user policies. Additionally, you must be aware of the methods that you can use to identify
the cause of logon issues.
Objectives
After completing this lesson, you will be able to:
Discuss potential problems in the logon process.
Your users must be able to log on successfully so that they can access the files, printers, and other
resources that they require to do their jobs. There are a wide variety of reasons that a user might not be
able to log on.
Question: What are some logon problems that users may experience?
The logon process authenticates both computer and user accounts. Domain controllers perform the
authentication:
If you do not configure the list of DNS servers on a Windows 7 computer appropriately, then it cannot
obtain a list of domain controllers, and the following may occur:
Authentication fails. The user is unable to access the local computer or network resources.
Windows 7 uses cached credentials. The user is able to access the local computer and may be able to
access some network resources.
Authentication is very slow but successful. This occurs when a suitable domain controller is on the
local subnet, and the client computer can locate the domain controller by using NetBIOS broadcasts.
During the logon process, Windows assigns a security token for both the computer and the user accounts.
The security token contains a list of groups of which the computer or user account is a member. Windows
uses this list of groups to identify permissions when the computer or user attempts to access resources. If
you add a computer or user account to a group, you must ensure that you reauthenticate the account to
update the security token with group membership.
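The following Windows PowerShell script is an added example and is not part of the course material. It demonstrates the two facts in the preceding paragraphs from a Windows 7 client: whether the computer can locate a domain controller (the step that fails when the DNS server list is wrong, because the client cannot obtain the DC list), and which groups are in the current user's security token (a group added after logon does not appear until the user logs on again). It uses the .NET DC locator and identity classes and nslookup, all present on Windows 7; the nslookup output line format it matches is an assumption noted in the code.

```powershell
# Added example, not course code. Checks whether this computer can locate a
# domain controller, shows the DC SRV records DNS returns, and lists the groups
# in the current user's security token. Written for Windows PowerShell 2.0 on Windows 7.

function Test-DomainControllerLocation {
    # Uses the DC locator through .NET, the same mechanism the logon process
    # relies on. It fails when the computer is not domain-joined or when DNS
    # cannot supply the domain controller SRV records.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc = $domain.FindDomainController()
        New-Object PSObject -Property @{
            Located = $true; Domain = $domain.Name; DomainController = $dc.Name
            Site = $dc.SiteName; Error = $null
        }
    } catch {
        New-Object PSObject -Property @{
            Located = $false; Domain = $null; DomainController = $null
            Site = $null; Error = $_.Exception.Message
        }
    }
}

function Get-DcSrvRecords {
    # Resolves the SRV record the DC locator queries. nslookup is used because
    # Resolve-DnsName does not exist on Windows 7.
    param([string]$DnsDomain = $env:USERDNSDOMAIN)
    $text = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" 2>&1 | Out-String
    # Assumption: nslookup prints each SRV target as "svr hostname = <fqdn>".
    $names = @()
    foreach ($m in [regex]::Matches($text, 'svr hostname\s*=\s*(\S+)')) {
        $names += $m.Groups[1].Value
    }
    $names
}

function Get-TokenGroups {
    # The token built at logon carries the SIDs of every group the user belongs
    # to; Windows checks permissions against this list, not against AD DS live.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = $null
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

# Usage:
Test-DomainControllerLocation | Format-List
Get-DcSrvRecords
Get-TokenGroups | Sort-Object Name | Format-Table -AutoSize
```

If Test-DomainControllerLocation fails while Get-DcSrvRecords returns names, the problem is reachability of the listed controllers rather than DNS; if both are empty, check the client's DNS server list first. A group that a user was just added to but that is absent from Get-TokenGroups is the "reauthenticate to update the token" case described above.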
Cached Credentials
Cached credentials allow users to authenticate to a local computer by using domain credentials when a
domain controller is unavailable to perform authentication.
Cached credentials are particularly useful for a roaming user who works on a laptop computer. When you
use cached credentials, the user can log on to a local computer by using the cached domain logon
credentials, even when the user's computer is not connected to the domain. Users must have cached
credentials to access offline files and folders when they are not connected to the network.
When a domain controller is available and then a user logs on to a Windows 7 computer successfully,
Windows 7 creates and stores cached credentials locally. Windows 7 updates cached credentials each time
a user logs on to the domain.
Note If a user has not authenticated successfully to the domain from a computer since
their last password change, the cached credentials still contain the previous password. The
user must log on by using the previous password when using those cached credentials.
If a user does not have cached credentials on a computer, and the domain controller is unavailable, then
Windows 7 cannot authenticate the user. In most cases, Windows 7 notifies the user when cached
credentials are used during the logon process.
By default, Windows 7 caches the credentials of the last 10 user accounts to log on to a specific computer,
and you can modify this number either by editing the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount
or by using the Group Policy setting
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Number of previous logons to cache.
The default number of cached credentials that Windows 7 can store is ten; however, you can configure
Windows 7 to store up to a maximum of 50. If you set the number of cached credentials to zero, then
Windows 7 must contact a domain controller before users can obtain access to the local computer.
Note You should be aware of any modifications that your organization makes to the default
configuration of cached credentials.
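The following Windows PowerShell function is an added example, not part of the course material. It reads the cached-logons value described above from the registry (the Group Policy setting writes to the same value), states what the value means for logons while no domain controller is reachable, and compares it with the number your organization intends to use, which is the check to run when a laptop user cannot log on away from the office. The treatment of values above 50 as 50 is an assumption based on the stated maximum.

```powershell
# Added example, not course code. Reports the effective cached-logon setting
# on this computer and what it means. Written for Windows PowerShell 2.0 on Windows 7.

function Get-CachedLogonsConfig {
    param([int]$ExpectedCount = 10)   # your organization's intended value; 10 is the Windows default
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    # The value is stored as a string (REG_SZ). If it is absent, Windows uses its default of 10.
    $count = $(if ($raw -eq $null -or $raw -eq '') { 10 } else { [int]$raw })
    # Assumption: anything above the documented maximum of 50 behaves as 50.
    $effective = [Math]::Min($count, 50)
    $meaning = $(if ($effective -eq 0) {
        'No credentials are cached: a domain controller must be reachable for every domain logon.'
    } else {
        "The last $effective domain accounts that logged on here can log on without a domain controller."
    })
    New-Object PSObject -Property @{
        RegistryValue  = $raw
        EffectiveCount = $effective
        MatchesPolicy  = ($effective -eq $ExpectedCount)
        Meaning        = $meaning
    }
}

# Usage:
Get-CachedLogonsConfig -ExpectedCount 10 | Format-List
```

MatchesPolicy being false on a computer that is otherwise in compliance usually means a local registry edit or a GPO that applies to that computer's OU but not to the rest; confirm with gpresult before changing the value.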
In a corporate environment, password policies define the configuration of user passwords. Although
domain administrators configure password policies, you should know the available password policy
options so that you recognize when they are affecting the ability of users to log on.
Group Policy
You configure password policies in Group Policy, which contains settings for account lockout. When you
enable account lockout, a user that attempts to log on using an incorrect password is locked out after a
defined number of attempts. It is important to remember that account lockouts can occur based on
attempted logons to any system that authenticates users to AD DS. The most common scenario is users
logging on at workstations, but account lockout also applies to applications such as Outlook Web App.
The following table lists important Group Policy settings that can affect user logons.

Setting: Maximum password age
Description: Maximum password age is the longest span of time that a password can exist before it must
be changed by the user.
Default: By default, users must change their password every 42 days.

Setting: Minimum password age
Description: Minimum password age is the minimum amount of time that a user must keep a password.
Default: By default, users must keep a password for one day. This prevents users from cycling quickly
through a list of passwords and defeating the password history requirement.

Setting: Passwords must meet complexity requirements
Description: If Passwords must meet complexity requirements is enabled, users must create complex
passwords that include uppercase and lowercase characters, numbers, and symbols.
Default: Three of the four elements must be present. This is enabled by default.

Setting: Account lockout threshold
Description: This defines the number of invalid logon attempts that users can make before Windows
locks their account. When you enable Account lockout threshold, you can define the period within
which the invalid attempts must occur, and how long the account remains locked.
Default: The default value is 0, which means accounts never become locked.
Note Windows Server 2008 introduced the ability to configure fine-grained password
policies for individual groups and users by using password settings objects. Fine-grained password
policies enable you to specify multiple password policies, and apply different password
restrictions and account-lockout policies to different sets of users within a single domain.
Please note that configuration of fine-grained password policies is beyond this course's
scope.
AD DS stores user accounts, which network administrators or other support staff, such as help desk,
manage. Each user account has settings that are relevant to the logon process. You need to be aware of
these settings so that you can identify them as potential sources of logon issues, and then escalate the
issue to the appropriate group in your organization.
The following table lists user account settings that can impact user logon.

Setting: User logon name
Description: This is the user name that should be used when logging on.

Setting: Unlock account
Description: If you believe that an account is locked due to invalid logon attempts, use this check box
to unlock the account.

Setting: User must change password at next logon
Description: When this setting is enabled, the user must change their password during the next logon.
If the user does not change their password, they may not be able to log on.

Setting: User cannot change password
Description: If this setting is enabled, the user cannot change their password. This setting overrides
any requirements to change a password in the domain password policy. This setting is typically used
only for service accounts.

Setting: Password never expires
Description: When this setting is enabled, the user cannot be forced to change their password. This
setting overrides any requirements to change a password in the domain password policy. This setting
often is used for service accounts, but may also be used for some users that are exempt from changing
passwords for political reasons.

Setting: Account is disabled
Description: Enabling this setting prevents users from logging on using this account. This setting is
typically used when an employee is out of the office for a long period of time or when an employee is
terminated.

Setting: Smart card is required for interactive logon
Description: When this setting is enabled, a user is required to use a smart card to perform logons.
Requiring a smart card enhances security in environments with infrastructure to support smart
card-based logons.

Setting: Account expires
Description: Allows configuration of a date after which an account is disabled. Typically used only for
contract employees or other temporary staff.
You can resolve most errors that relate to logons quickly, once you identify the problem. You can use
the following methods and tools to help you troubleshoot logon errors:
On-screen errors. Most user logon errors provide an accurate description on the screen. However,
many users may not interpret these messages correctly. Often, viewing the error yourself is more
accurate than relying on a user's description of it.
Active Directory Users and Computers. You can use this tool to verify the user's logon name and whether the
account is disabled. You also can use this tool to unlock the account and reset the password, if
necessary.
Event logs. You can use Event Viewer to view event logs that may give some indication why a logon
error is occurring. The Security log on a computer or on a domain controller indicates whether
authentication errors are occurring. The System log of a computer indicates whether the computer account
is not authenticating correctly.
If a user is able to log on, but is unable to access network resources, the logon process might be using the
user's cached credentials. If this happens, you should verify network connectivity for the computer, and
verify that the computer account is authenticating properly.
If your organization does not restrict user logon to specific computers, the user can attempt to log on to a
second computer, which identifies whether the authentication issue pertains to a specific computer. You
can use the results of this test to limit your troubleshooting to appropriate items. For example, if the issue
is not computer-specific, then it is not a local computer configuration issue.
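The following Windows PowerShell function is an added example and is not part of the course material. It performs, from a Windows 7 support workstation, the checks that the Active Directory Users and Computers tool and the user account settings table above describe: it reads one user's enabled, locked-out, expiry, password and smart card settings, lists the ones that would block a logon, and can clear a lockout when run with -Unlock. It uses the .NET System.DirectoryServices.AccountManagement API because the Active Directory PowerShell module is not available on Windows 7; the interpretation of a null LastPasswordSet as "must change password at next logon" is an assumption noted in the code, and the user name in the usage line is a placeholder.

```powershell
# Added example, not course code. Reports the account settings that can block
# a user's logon and optionally clears a lockout. Needs a domain account that
# can read user objects; -Unlock also needs the right to unlock accounts.
# Written for Windows PowerShell 2.0 and later.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-LogonAccountStatus {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$Domain = $env:USERDNSDOMAIN,
        [switch]$Unlock
    )
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = $(if ($Domain) {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType, $Domain
    } else {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType
    })
    $idType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $idType, $SamAccountName)
    if ($user -eq $null) { throw "No user '$SamAccountName' found; check the user logon name." }

    $now = Get-Date
    $problems = @()
    if ($user.Enabled -eq $false)  { $problems += 'Account is disabled' }
    if ($user.IsAccountLockedOut()) { $problems += "Account is locked out (since $($user.AccountLockoutTime))" }
    if ($user.AccountExpirationDate -ne $null -and $user.AccountExpirationDate -lt $now) {
        $problems += "Account expired on $($user.AccountExpirationDate)"
    }
    # Assumption: pwdLastSet = 0 (User must change password at next logon) is
    # surfaced by this API as a null LastPasswordSet.
    if ($user.LastPasswordSet -eq $null) { $problems += 'User must change password at next logon' }
    if ($user.SmartcardLogonRequired)   { $problems += 'Smart card is required for interactive logon' }

    if ($Unlock -and $user.IsAccountLockedOut()) {
        $user.UnlockAccount()
        $problems += 'Lockout cleared by this script'
    }

    New-Object PSObject -Property @{
        UserLogonName        = $user.SamAccountName
        Enabled              = $user.Enabled
        LockedOut            = $user.IsAccountLockedOut()
        BadLogonCount        = $user.BadLogonCount
        LastPasswordSet      = $user.LastPasswordSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        CannotChangePassword = $user.UserCannotChangePassword
        AccountExpires       = $user.AccountExpirationDate
        Problems             = $(if ($problems.Count) { $problems -join '; ' } else { 'None found in account settings' })
    }
}

# Usage (the user name is a placeholder):
Get-LogonAccountStatus -SamAccountName 'adam' | Format-List
```

Run it without -Unlock first: a BadLogonCount that keeps rising after you clear a lockout means a stale password is still being presented somewhere (a mapped drive, a scheduled task, or a mail client such as Outlook Web App, as the lockout section notes), and unlocking again only hides that.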
Lesson 2
Troubleshooting User Profile Issues
User profiles contain user settings that configure a computer for use by a specific user. In some cases, you
can configure roaming profiles to enable a user to retain their settings when they work on more than one
computer. You must understand user profiles, and how to troubleshoot them, to configure computers
correctly for users.
Objectives
After completing this lesson, you will be able to:
Describe user profiles and their contents.
A user profile is a collection of user-specific settings in Windows 7. Each user has a folder in C:\Users that
contains the user's profile. The profile folders in C:\Users are named after the user account. For example, if
the user account is Adam, then the profile folder is C:\Users\Adam. In some cases, Windows appends the
domain's name to the profile folder name, if the account name conflicts with an existing local user.
A user profile contains:
Desktop
Start Menu
Favorites
My Documents
Downloads
Windows 7 also has a public profile that it stores in C:\Users\Public. All users' profiles include the contents
of this public profile when a user logs on. For example, if you create a shortcut in C:\Users\Public\Desktop,
it appears on the desktop of all users that log on to that computer. For this reason, some applications
store system-wide configuration information in the public profile.
Windows 7 profiles are local by default, which means that Windows 7 stores them only on the local
computer. If a user logs on to a second computer, none of that user's settings are configured on the
second computer, and any customization in the profile is not available. For example, application
configurations, such as those for Microsoft Office Outlook or customizations in Microsoft Office Word,
are not available on the new computer.
You can use roaming profiles to allow users to roam between computers and still access their
configuration settings. A network file shares stores the roaming profile, and when a user logs on to a new
computer, Windows copies the roaming profile from the network file share to the local computer. When
the user logs off, Windows saves the profile locally, and then uploads it to the network file share.
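As an added example that is not part of the course text, the following Windows PowerShell script inventories the profiles on a Windows 7 computer through the Win32_UserProfile WMI class, so you can see at a glance which profiles are local, which are roaming, which are currently loaded, and which folder names were suffixed because of an account-name conflict. It assumes PowerShell 2.0 on Windows 7 and an elevated session; the function name and the ComputerName parameter are assumptions.

```powershell
# Added example, not from the course: report the user profiles on a Windows 7
# computer. Assumes Windows 7 / PowerShell 2.0 and an elevated session.

function Get-UserProfileReport {
    param([string]$ComputerName = '.')   # '.' = the local computer (assumption)

    Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName |
        Where-Object { -not $_.Special } |   # skip LocalService, NetworkService, SYSTEM
        ForEach-Object {
            # Resolve the SID to DOMAIN\user. A SID that no longer resolves usually
            # belongs to a deleted account whose profile folder was left behind.
            $account = '<unresolved: ' + $_.SID + '>'
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            $lastUse = $null
            if ($_.LastUseTime) { $lastUse = $_.ConvertToDateTime($_.LastUseTime) }

            New-Object PSObject -Property @{
                Account      = $account
                LocalPath    = $_.LocalPath
                Roaming      = [bool]$_.RoamingConfigured
                RoamingPath  = $_.RoamingPath
                Loaded       = [bool]$_.Loaded
                LastUse      = $lastUse
                # C:\Users\Adam.CONTOSO style names mean the plain folder name was
                # already taken when the profile was created (a local 'Adam' or a
                # leftover folder). Dotted user names (john.smith) also match.
                NameSuffixed = ($_.LocalPath -match '\\Users\\[^\\]+\.[^\\]+$')
            }
        }
}

Get-UserProfileReport |
    Sort-Object Account |
    Format-Table Account, Roaming, Loaded, LastUse, NameSuffixed, LocalPath -AutoSize
```

Run it with -ComputerName NYC-CL1 from an administrative workstation to inspect a remote client (WMI over DCOM must be allowed through the client firewall). A profile that shows Roaming = True with an empty RoamingPath, or that shows Loaded = True for a user who is not logged on, is where to start when the user reports that settings did not follow them to the computer.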
If you copy a profile, be sure to use the Copy To functionality in the Profiles window of Advanced System
Settings. This ensures that Windows updates the security permissions, which allows other users to access
the profile.
Note You should never copy a profile by using a simple file copy, because Windows does
not update security permissions properly.
Because user profiles contain the user-specific configuration settings for Windows 7, the configuration of
user profiles has a high impact on user satisfaction. If user profiles are not working correctly, the user may
not have settings such as drive mappings, desktop shortcuts, and application settings.
Question: What are some of the issues that can occur that relate to user profiles?
The first time that users log on to computers, Windows 7 creates their profiles by copying the default
profile on the local computers. All of the files and settings in the default profile become part of the user
profile, including the user-specific registry settings in NTUSER.DAT. If users move to a new computer, they
will lose all of their profile customizations, and will have to use a default profile unless you use Windows
Easy Transfer or the User State Migration Tool to migrate profile contents to the new computer.
Windows 7 stores the default profile in C:\Users\Default, which is a system folder that is not visible
normally. Modifying the default profile allows you to configure settings for users before they log on
initially to a computer. Simple modifications, such as adding a desktop shortcut, are easy to accomplish by
placing the appropriate file in the default profile.
Modifying the registry settings in the default profile is relatively complex. The method that Microsoft
supports for modifying the default profile (including its registry hive) is to run sysprep.exe, the tool that
prepares a computer for imaging, with the CopyProfile setting enabled in the unattend answer file. Sysprep
then copies the customized built-in Administrator profile over the default profile. Copying and pasting
another profile over the default profile, as was possible in earlier Windows versions, is not supported.
Note Because changes to the default profile do not propagate to user profiles after the
first logon, we do not recommend that you configure user profiles by modifying the default
profile. For this reason, most organizations use Group Policy to configure user environments
instead of modifying the default profile.
Lesson 3
Troubleshooting File Access Issues
One of the most common tasks that users perform is to access and modify documents, which requires that
users have access to those documents.
Most users access documents over the network by using mapped drives. You can configure mapped
drives manually, by using logon scripts, and by using Group Policy Preferences. When users disconnect
from the network, they can use offline files and folders to continue working on cached copies of network
documents. You need to understand and be able to troubleshoot all of these methods for accessing files.
Objectives
After completing this lesson, you will be able to:
Describe how you can use logon scripts for drive mappings.
Most organizations store files centrally on a file share. Users can access file shares by using a Universal
Naming Convention (UNC) path, but that is too complex for most users. Typically, users are given a drive
mapping that connects them to a file share. Windows 7 also provides the option to redirect folders and to
use offline files and folders.
Question: What are some of the issues that can occur with file access?
Drive mappings provide an easy way for users to access network files. It is common for organizations to
have standardized drive mappings for access to network files. For example, drive S maps to a shared
folder with shared files, and drive H maps to a user's home folder.
You can create drive mappings manually for users on their computer. However, Windows does not retain
drive mappings that you create manually for multiple logon sessions, unless you check the Reconnect at
logon option during creation, which makes the drive mapping persistent. Windows stores persistent drive
mappings in the user profile.
Configuring drive mappings manually typically is beneficial and prudent only for very small organizations.
It is time-consuming and inefficient to create drive mappings manually in each user profile, because
changing drive mappings then requires you to visit each user's computer.
Note Creating a drive mapping does not configure the necessary permissions so that a user
can access and modify files. You must configure permissions in a separate step.
One common way to implement drive mappings is by using logon scripts. You can configure a logon
script in the properties of a user account or in a Group Policy object (GPO). Logon scripts that are
referenced from user account properties are stored in the Netlogon share of each domain controller.
Logon scripts that are configured in a GPO are stored as part of that GPO in the Sysvol folder on the
domain controllers.
The main benefits of using logon scripts for drive mappings are:
Cross-computer application. A logon script runs on each computer to which a user logs on. This
ensures that the drive mapping appears on each computer to which the user logs on, without having
to use roaming profiles.
Simplified updates. When you need to update drive mapping, you only have to update a single,
central logon script, rather than having to update multiple user profiles individually and manually.
Increased flexibility. You can configure scripts to perform drive mappings that are specific to users,
groups, and computers.
The syntax for creating drive mappings varies depending on the type of logon script that you are using.
Two of the most common types of logon scripts are batch files (.bat) and Visual Basic Scripting Edition
(VBScript) (.vbs). Windows Server 2008 R2 and Windows 7 add the ability to use Windows PowerShell for
logon scripts. The following examples map drive S to \\Server1\SharedData.
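As an added example that is not from the course text, here is a Windows PowerShell logon script that maps drive S to \\Server1\SharedData for every user and a second drive for members of one group. The group CONTOSO\Marketing, the share \\Server1\Marketing and drive letter M are assumptions. It uses the WScript.Network COM object, the same object a VBScript logon script uses, so it runs on Windows 7 with PowerShell 2.0; the batch-file equivalent of the first mapping is `net use S: \\Server1\SharedData /persistent:no`.

```powershell
# Added example, not from the course: PowerShell logon script for drive mappings.
# Assumptions: \\Server1\SharedData and \\Server1\Marketing exist, and the group
# CONTOSO\Marketing exists. Assign it under User Configuration > Policies >
# Windows Settings > Scripts (Logon/Logoff) > Logon > PowerShell Scripts.

$net = New-Object -ComObject WScript.Network

# The logon script runs under the logged-on user's token, so the group check reads
# the group SIDs already in that token; no extra query to a domain controller.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

function Connect-Drive {
    param([string]$Letter, [string]$Path)
    $drive = $Letter + ':'

    # Drop any mapping already using this letter (a stale persistent one from the
    # user's profile, or a manual mapping to the wrong server); otherwise
    # MapNetworkDrive fails with "The local device name is already in use".
    # The error from removing a letter that is not mapped is deliberately ignored.
    try { $net.RemoveNetworkDrive($drive, $true, $true) } catch { }

    # Third argument $false = do not store the mapping in the user profile. The
    # script recreates it at every logon, so changing a share later means
    # editing this one file rather than touching every profile.
    $net.MapNetworkDrive($drive, $Path, $false)
}

# Mapping for everyone
Connect-Drive -Letter 'S' -Path '\\Server1\SharedData'

# Mapping only for members of one group. IsInRole resolves the name to a SID and
# looks for it in the token, so membership through nested groups counts too.
if ($principal.IsInRole('CONTOSO\Marketing')) {
    Connect-Drive -Letter 'M' -Path '\\Server1\Marketing'
}
```

PowerShell logon scripts run under the execution policy in force on the client, so deploy the policy setting Turn on Script Execution (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) together with the script; otherwise the script does not run and the user simply has no drives, with nothing to show for it in the Group Policy log.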
Windows Server 2008 introduced Group Policy Preferences, which you can use to map network drives.
Mapping drives with Group Policy Preferences provides all of the benefits of centralized control that
logon scripts provide, but it is simpler to implement because you do not need to memorize the correct
syntax.
In this demonstration, you will see how to use a Group Policy preference to map a drive letter for the
Marketing group.
Demonstration Steps
1. On NYC-DC1, open Group Policy Management.
4. Create a new Mapped Drive for \\NYC-DC1\Marketing that uses the letter M.
Offline files are a Windows 7 feature that caches copies of network files on the local computer. When the
network is available, users work on the network version of the file, and Windows 7 updates the local
cached version automatically.
When the network is unavailable, users automatically work on the local version of the file. To the user, it
appears that they are working on the network version of the file. When the network becomes available
again, Windows 7 updates the network version of the file.
Each time that users connect to a shared folder that is enabled for offline files, Windows 7 scans for
changes to files that are cached locally, and then updates the cached copies, as necessary. If the network
version of a file and the locally cached version of a file are both modified, a sync conflict occurs.
When a sync conflict occurs, users receive an error symbol on the Sync Center icon in the notification area.
Many users may not notice this icon, and even if they notice it, they may not know how to respond to it.
When a sync conflict occurs, users must view sync conflicts in Sync Center to resolve them. If users do not
resolve sync conflicts, Windows 7 does not upload the local computer's cached document to the network,
and the network version of the document never downloads to that computer. This creates a situation in
which there are two versions of the document. However, users typically are unaware of this.
In Sync Center, users can choose which version of a file to keep when a sync conflict occurs. Alternatively,
users can choose to keep both versions of a file. You must teach users how to use Sync Center to select
which version to keep. In many cases, the users should keep both versions of the file, and then
synchronize the content between them manually.
Sync Center also may show you sync errors. Sync errors occur when Windows cannot sync with a particular
location. This typically occurs when the location, such as a file share, is unavailable to the user. Review the
specific error message to determine the course of action necessary to correct a sync error.
Synchronization errors are the main problem that occurs related to offline files. However, there may also
be situations where offline files are not available. If offline files are not available, you should verify the
following:
Offline files are enabled in Windows 7. By default, offline files are enabled in Windows 7, but may
have been disabled manually by the user or by a Group Policy object.
Offline files are enabled on the share. It is possible that the share is not configured to allow offline
files. In such a case, users cannot use the files offline. A shared volume for many users may have
offline files disabled to avoid conflicts.
The user cached the file. The default configuration for a file share specifies that only files specifically
selected for offline use are cached. If the user did not manually select that the file should be made
available offline, then it is not. A file share can be configured so that all files that are accessed are
cached.
The user is logged on with a domain account. A user must be logged on by using the same
credentials as were used when the files were made available offline for the files to be available offline.
If the user is logged on by using a local user account when not connected to the domain then files
are not available offline. Cached credentials should be used when disconnected from the domain.
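Added example, not from the course text: a PowerShell function that runs through the four checks above on a Windows 7 client, using the Win32_OfflineFilesCache and Win32_OfflineFilesItem WMI classes that Windows 7 provides and the registry location of the policy setting Allow or Disallow use of the Offline Files feature. The share path \\NYC-DC1\Research comes from the lab; the function name and messages are assumptions. The second check, whether the share itself allows caching, can only be confirmed on the server (for example with `net share Research`, which prints the Caching setting), so the function reports the client-side symptom instead.

```powershell
# Added example, not from the course: client-side checks for "offline files not
# available". Assumes Windows 7 / PowerShell 2.0; run as the affected user.

function Test-OfflineFilesReady {
    param([string]$SharePath = '\\NYC-DC1\Research')   # lab share; adjust as needed

    $findings = @()

    # Check 1: is the Offline Files (CSC) cache enabled and running on this computer?
    $cache = Get-WmiObject -Namespace root\cimv2 -Class Win32_OfflineFilesCache
    if (-not $cache.Enabled) {
        $findings += 'Offline Files is disabled on this computer (Sync Center > Manage offline files).'
    } elseif (-not $cache.Active) {
        $findings += 'Offline Files is enabled but not active yet; a restart is required after enabling it.'
    }

    # Still check 1: was it switched off by Group Policy rather than by the user?
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    if (Test-Path $policyKey) {
        $policy = Get-ItemProperty -Path $policyKey
        if ($policy.Enabled -eq 0) {
            $findings += "Group Policy disables Offline Files ($policyKey, Enabled = 0); re-enabling it locally will not stick."
        }
    }

    # Checks 2 and 3: does the client hold any cached items under the share, and are
    # they pinned ("Always available offline") rather than cached only on demand?
    # No items at all means either the share disallows caching or the user never
    # made anything available offline; confirm which on the server with 'net share'.
    $items = @(Get-WmiObject -Class Win32_OfflineFilesItem |
               Where-Object { $_.ItemPath -like ($SharePath + '*') })
    if ($items.Count -eq 0) {
        $findings += "Nothing from $SharePath is in the Offline Files cache."
    } else {
        $pinned = @($items | Where-Object { $_.PinInfo.Pinned }).Count
        if ($pinned -eq 0) {
            $findings += "$SharePath has $($items.Count) cached item(s) but none is pinned; they can be evicted and are not guaranteed offline."
        }
    }

    # Check 4: is the user logged on with a domain account? Cached files belong to
    # the account that cached them, so a local account sees none of them.
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($user -like ($env:COMPUTERNAME + '\*')) {
        $findings += "Logged on as local account $user; log on with the domain account (cached credentials work while disconnected)."
    }

    if ($findings.Count -eq 0) { "All Offline Files checks passed for $SharePath." } else { $findings }
}

Test-OfflineFilesReady
```

Run the function as the user who reported the problem, not as an administrator, because the Offline Files cache and the pin state are evaluated per user; a passing result under your own account says nothing about theirs.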
Folder redirection centralizes storage of some user profile folders on a network file share instead of in the
local profile. Unlike roaming profiles, the folders are not synchronized between the network file share and
the local computer. The content for redirected folders exists only on a network file share. This means that
large amounts of data can exist in a redirected folder without affecting logon times.
Some reasons to use folder redirection include:
Ensuring My Documents is backed up. Many users save documents in My Documents by default. If
this is on the local hard drive, Windows 7 may never back up these files. However, you can redirect
the contents of My Documents to a home folder or a shared network drive.
Minimizing the size of roaming profiles. Redirecting folders takes them out of a roaming profile. This
reduces the size of roaming profiles, which results in better logon performance.
You can configure folder redirection manually or by using a GPO. For example, for the My Documents
folder, you can configure redirection on the Location tab in the properties of My Documents, or by using
a GPO.
When you redirect a folder, you have the option to copy the files from the current location to the new
location. If you forget to copy the files, they are not available to the user. The files continue to exist in the
old location, and users can copy them at a later time.
If you configure folder redirection by using Group Policy, the most common issue that occurs is that the
Group Policy object does not apply to the user properly. This typically occurs because the user account is
not in the correct organizational unit (OU).
Lesson 4
Troubleshooting File Permissions Issues
Objectives
After completing this lesson, you will be able to:
When you share a folder, the files in that folder and its subfolders are accessible over a network. You can
use share permissions to control access to a share's contents and to control what actions users can take with
them. Share permissions apply when users go through the share to access files over the network. The
share permissions also are consistent for all share contents. Share permissions cannot vary by file or folder.
The share permissions are:
Full control. Allows all permissions, including the ability to change permissions.
Read. Allows users to read existing files, but not modify them or create new files.
Change. Allows users to create new files or delete, modify, and read existing files.
When you assign permissions, you can set each permission to Allow, or to Deny. For example, you can
assign a read permission of Allow to a group, while assigning a single user in the group a read permission
of Deny, which denies that user read permissions.
Note Most organizations store all files on a network server that a network administrator
manages.
The default share permissions on a file share vary, depending on the version of Windows that is sharing
the folder, and by how you create the shared folder. Incorrectly configured share permissions are most
likely to occur when you create a new share or when you move a share to a new server.
NTFS Permissions
You can use NTFS permissions to control which users or groups can access or modify files and folders on
partitions that you format with NTFS. These permissions are much more flexible than share permissions,
because you can assign them individually for each file or folder, as necessary. NTFS permissions apply
when users access files locally or over the network.
In most cases, the default NTFS permissions on a Windows 7 computer are sufficient and require no
modification. For example, the default NTFS permissions make a user profile that user's private
workspace, which is the configuration that most users want. However, you typically configure custom
permissions for a network file share to allow only the users that you specify to access specific files.
To modify NTFS permissions on a file or folder, you must have the Full Control NTFS permission on it (more
precisely, the Change Permissions advanced permission, which Full Control includes). The one exception is
for file and folder owners: the owner of a file or folder can modify its NTFS permissions even if they have
no other NTFS permissions on it. Administrators can take ownership of files and folders in order to modify
NTFS permissions.
There are both basic and advanced NTFS permissions. You most commonly use the basic permissions.
With advanced NTFS permissions, you have very fine control over access to files and folders, but they are
complex to manage.
The basic NTFS permissions are:
Full control. Allows all permissions, including the ability to modify NTFS permissions and take
ownership.
Modify. Allows all file and folder modification activities, except modification of NTFS permissions and
taking ownership.
Read and Execute. Allows reading a file and running it if it is executable. When applied to folders, it also
allows the listing of folder contents.
List folder contents. Allows the listing of a folder's contents. This applies only to folders.
Write. Allows the modification of file contents and attributes, but not NTFS permissions or ownership.
This does not allow file deletion. For a folder, this allows the creation of new files in the folder.
By using permissions inheritance, you can set NTFS permissions on a folder, and NTFS applies those
permissions to that folder's files and subfolders automatically. This means that you can set NTFS
permissions for an entire folder structure at a single point, and when you need to modify them, you can
modify them at a single point.
You can block permissions inheritance if you want to restrict access to a subfolder. For example, say
you assign the Modify permission to all accounting users for the ACCT folder. On the subfolder WAGES, you
can block the inherited permissions from the ACCT folder, so that only a few specific users have access to
the WAGES folder.
When you block permissions inheritance, you have the option to copy existing permissions or begin with
blank permissions. If you want to restrict a particular group or user, then copying existing permissions
simplifies the configuration process.
You also can add permissions to files and folders below the initial point of inheritance, without modifying
the original permissions assignment. You do this to grant a specific user or group a different file access
than its inherited permissions.
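As an added example (not from the course), the following PowerShell function does what the ACCT\WAGES scenario describes: it blocks inheritance on the subfolder while copying the inherited entries, removes the copied entry for the broad group, and grants a narrow group in its place. The path D:\ACCT\WAGES, the groups CONTOSO\Accounting and CONTOSO\Payroll, and the function name are assumptions; run it as an administrator or as the folder owner.

```powershell
# Added example, not from the course: isolate a subfolder from the permissions it
# inherits. Assumptions: D:\ACCT\WAGES exists and the two groups exist in CONTOSO.

function Set-IsolatedFolderAcl {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$RemoveIdentity,   # group inherited from the parent
        [Parameter(Mandatory=$true)][string]$GrantIdentity,    # group that should keep access
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )

    $acl = Get-Acl -Path $Path

    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   $true, $true  = block inheritance and copy the inherited entries as explicit ones
    #   $true, $false = block inheritance and start with no entries at all, which locks
    #                   out everyone except the owner (and an admin who takes ownership)
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read: the copied entries are now explicit and can be removed individually.
    $acl = Get-Acl -Path $Path
    $toRemove = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $RemoveIdentity }
    foreach ($rule in $toRemove) { [void]$acl.RemoveAccessRule($rule) }

    # Grant the narrow group. ContainerInherit + ObjectInherit makes the new entry flow
    # down to files and subfolders below WAGES, so inheritance still saves work from here.
    $grant = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GrantIdentity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($grant)
    Set-Acl -Path $Path -AclObject $acl

    # Show what is now in force; IsInherited should read False for every entry.
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

Set-IsolatedFolderAcl -Path 'D:\ACCT\WAGES' -RemoveIdentity 'CONTOSO\Accounting' -GrantIdentity 'CONTOSO\Payroll'
```

The equivalent first step from a command prompt is `icacls D:\ACCT\WAGES /inheritance:d`, which disables inheritance and copies the inherited entries (`/inheritance:r` would remove them instead). Keep the copied entries until the new entry is confirmed to work; the order of operations above means the folder is never without a usable access control list.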
When you combine NTFS and share permissions, the more restrictive of the two applies. For
example, if you assign a user Full Control NTFS permission to a file, but that user accesses the file
through a share with Read permission, the user has read access only to the file.
To simplify permission assignment, you can grant the Everyone group (or, more conservatively, Authenticated
Users) Full Control share permission on all shares, and use only NTFS permissions to control access. The
trade-off is that any mistake in the NTFS permissions is then exposed to the whole network. Restricting
share permissions to the minimum necessary provides an extra security layer in case you configure NTFS
permissions incorrectly, at the cost of two places to check when you troubleshoot an access problem.
Effective permissions are the permissions that a user actually has to a file or folder, which may differ
from the permissions that you assign to that specific user. User and group permissions combine to
determine effective permissions. For example, you assign a user Read permission, and then you assign
Modify permission to a group of which the user is a member. The effective permissions of the user are
Modify.
When you combine permissions, Deny overrides Allow. For example, if you assign a group the Modify
permission for a folder, and you deny a user that is a member of that group the Modify permission for
the same folder, the user is denied the Modify permission for the folder.
Note Calculations for effective permissions include only NTFS permissions. If effective
permissions are correct, but a user still does not have the necessary access to a file, verify the
share permissions are correct.
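The following PowerShell function is an added example, not from the course, that models the rules in the two preceding topics: it reads the NTFS ACL of a path, adds up the Allow rights of the user and of all the groups supplied, subtracts any Deny rights (Deny overrides Allow), and then applies the share permission so that the more restrictive of the two wins. It goes slightly beyond the text by combining in the share level, which the Effective Permissions tab does not do. The path D:\Shares\Research, the user CONTOSO\Adam, the groups in the usage line and the function name are assumptions. Windows itself evaluates ACEs in order rather than as sets; for a canonically ordered ACL (explicit Deny entries before Allow entries) the result is the same, and the function ignores the implicit rights of the owner.

```powershell
# Added example, not from the course: compute effective NTFS rights for a set of
# principals and combine them with the share permission. Assumptions: the path,
# the account and group names, and the share level used in the usage line.

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # The account plus every group it belongs to, including Everyone, Users and
        # Authenticated Users; 'whoami /groups' run as that user lists them all.
        # When omitted, the token of the user running the script is used.
        [string[]]$Principals,
        [ValidateSet('None','Read','Change','FullControl')][string]$SharePermission = 'FullControl'
    )

    # Work with SIDs so that 'Everyone', 'CONTOSO\Research' and ACL entries compare reliably.
    if ($Principals) {
        $sids = foreach ($p in $Principals) {
            (New-Object System.Security.Principal.NTAccount($p)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    } else {
        $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $sids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
    }

    $allow = 0
    $deny  = 0
    $acl = Get-Acl -Path $Path
    # Explicit and inherited entries, with identities returned as SIDs
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask } else { $deny = $deny -bor $mask }
    }
    $ntfs = $allow -band (-bnot $deny)          # a denied bit wins over an allowed one

    # Share permission as the closest NTFS mask: Read ~ Read & Execute, Change ~ Modify
    $shareMask = switch ($SharePermission) {
        'None'        { 0 }
        'Read'        { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'Change'      { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        'FullControl' { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    $effective = $ntfs -band $shareMask         # the more restrictive of NTFS and share

    New-Object PSObject -Property @{
        Path          = $Path
        NtfsEffective = [System.Security.AccessControl.FileSystemRights]$ntfs
        Share         = $SharePermission
        OverNetwork   = [System.Security.AccessControl.FileSystemRights]$effective
    }
}

# Usage (all names are assumptions): Adam is in Research; the share grants Read only,
# so OverNetwork shows at most ReadAndExecute however generous the NTFS entries are.
Get-EffectiveAccess -Path 'D:\Shares\Research' -SharePermission Read `
    -Principals 'CONTOSO\Adam', 'CONTOSO\Research', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users' |
    Format-List Path, NtfsEffective, Share, OverNetwork
```

When NtfsEffective is what you expect but OverNetwork is not, the share permission is the problem; when NtfsEffective itself is short, compare the list you passed in -Principals with the groups that the ACL actually names, which is the group-membership check the troubleshooting topic that follows starts with.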
Demonstration Steps
1. On NYC-CL1, open the Properties of C:\Program Files.
3. On the Effective Permissions tab, select Contoso\Adam, and then read the effective permissions.
If you connect a client computer properly to a network, then most network file access problems are due
to permissions that you configure incorrectly. This is most likely to occur for new users or during the
creation of new file shares.
The first troubleshooting step that you should perform is checking the user's effective NTFS permissions. If
the effective permissions are not what you expect them to be, you must identify how to assign the correct
permissions to that user. In most cases, you assign a group the appropriate NTFS permissions, so your first
step is to verify that the user is a member of the correct group(s).
When you are evaluating NTFS permissions, be aware that the Deny permission overrides the Allow
permission. For example, if your group has the Modify permission set to Allow, and a user in that group
has the Modify permission set to Deny, the user is denied the Modify permission.
If the effective NTFS permissions are correct, then you should verify that the share permissions are
configured correctly. Share permission can limit the ability of users to access and modify files, even if the
appropriate NTFS permissions are assigned. For example, if you assign a group Read share permission and
Modify NTFS permission, the members of the group are limited to Read permission.
To simplify the interaction of share and NTFS permissions, many organizations assign the Everyone group
Full Control share permission. This means that NTFS permissions control access to files.
Lesson 5
Troubleshooting Printer Access Issues
When users finish working with documents, they often print them. If users cannot print their documents,
they may become frustrated.
To ensure that printing is available to users, and that it functions correctly, you must understand the
Windows 7 printing architecture and how to install printers. You also need to understand how to install
printer drivers and how location-aware printing works.
Objectives
After completing this lesson, you will be able to:
Printing is one of the core network services that your organization provides to users. When users cannot
print properly, they typically become frustrated and often call the help desk.
Question: What are some the issues that can arise that relate to printing?
Windows Vista and Windows Server 2008 introduced a new printing process based on the XML Paper
Specification (XPS). This printing process included a number of improvements in print quality and color
management, and it lowered processing requirements. Windows Server 2008 R2 and Windows 7 continue
to use XPS-based printing, which only newer applications that use the Windows Presentation Foundation
(WPF) application programming interface (API) use directly.
Windows 7 remains backward compatible with the Graphics Device Interface (GDI) printing that Win32
applications use, and it also supports GDI-based printer drivers. If necessary, Windows 7 converts a print
job from GDI to XPS, or from XPS to GDI.
Some older printer drivers written for Windows XP were written to run in kernel mode; they do not work
with Windows 7, which does not load kernel-mode printer drivers. Many other Windows XP printer drivers
are user-mode drivers and do work with Windows 7. However, you should obtain a printer driver written
specifically for Windows 7 if one is available.
One of the most important tasks when you are configuring network printing is the installation of printers
on client computers. There are several ways to install printers on Windows 7 client computers, which the
following table details.
Manually search Active Directory. When a printer is shared, the print administrator has the option to list
the printer in AD DS. Users that run the Add Printer Wizard can search AD DS to locate the printer. The
printer can also be configured with a location property that makes it easier to locate an appropriate
printer.
GPO configured by Print Management. You can use the Print Management administrative tool that is
available on Windows Server 2008 print servers, Windows Vista, and Windows 7 to add printers to a GPO
for distribution to computers or users. The GPO applies to users and computers based on the Active
Directory OU to which the GPO is linked.
Manual methods for printer installation generally are not scalable, even in medium-sized organizations. It
is too time-consuming to add and remove the required printers manually on users' computers.
Installation of printer drivers, and the permissions that installing them requires, vary depending on
how you install the printer. Standard users have the necessary permissions to install both local and
network printers, but not to add new printer drivers.
When you add a new local printer, Windows 7 searches the driver store for an appropriate printer driver. If
Windows 7 does not find one there, standard users are unable to install the printer. To allow a standard
user to install the printer, you can stage an appropriate printer driver package in the driver store
beforehand by using pnputil.exe. Alternatively, you can edit the local security policy to grant standard
users the Load and unload device drivers user right. Prefer the first option: a user who holds the Load and
unload device drivers right can load arbitrary kernel-mode drivers, which amounts to full control of the
computer, so granting it to standard users removes the protection that restricting driver installation
provides.
Using a print server makes the installation of printer drivers much easier to manage. When you install
network printers from a print server, Windows 7 downloads the printer driver from the print server, and
then installs it. This is true even if a standard user is adding the printer manually.
Windows 7 computers download printer drivers from the print server during the printer installation
process. You must ensure that a print server has appropriate drivers available for various types of client
computers. For example, the 64-bit version of Windows 7 requires a different driver than the 32-bit
version.
If the print server is an older version of Windows, such as Windows Server 2003, you may need to use the
Print Management administrative tool on a newer version of Windows, such as Windows 7, to add the
appropriate driver to the print server.
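As an added example (not from the course), this PowerShell function queries a print server's installed printer drivers through the Win32_PrinterDriver WMI class and flags driver models that lack the 32-bit (Windows NT x86) or 64-bit (Windows x64) version, which is the check the text asks for before 64-bit clients start connecting. NYC-DC1 is the print server from the demonstration; the function name is an assumption. Remote WMI access requires administrative rights on the print server.

```powershell
# Added example, not from the course: which driver models on a print server are
# missing a 32-bit or 64-bit driver. Assumes admin rights on the print server.

function Get-PrintDriverCoverage {
    param([string]$PrintServer = 'NYC-DC1')   # print server from the demonstration

    $drivers = Get-WmiObject -Class Win32_PrinterDriver -ComputerName $PrintServer

    # Win32_PrinterDriver.Name is "<model>,<version>,<environment>", for example
    # "HP LaserJet 4,3,Windows x64"; SupportedPlatform carries the environment alone.
    $drivers | Group-Object { $_.Name.Split(',')[0] } | ForEach-Object {
        $platforms = $_.Group | ForEach-Object { $_.SupportedPlatform } | Sort-Object -Unique
        New-Object PSObject -Property @{
            Model     = $_.Name
            x86       = ($platforms -contains 'Windows NT x86')
            x64       = ($platforms -contains 'Windows x64')
            Platforms = ($platforms -join '; ')
        }
    } | Sort-Object Model
}

# Only the models that will fail for one client architecture or the other
Get-PrintDriverCoverage |
    Where-Object { -not ($_.x86 -and $_.x64) } |
    Format-Table Model, x86, x64, Platforms -AutoSize
```

A model that shows x64 = False is the one a 64-bit Windows 7 client will report as "no driver found" when the user tries to connect; add the missing architecture through Print Management on the server, or from a Windows 7 computer of that architecture as the text describes, and run the function again.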
In this demonstration, you will see how to add a printer driver for a network printer.
Demonstration Steps
1. On NYC-DC1, open Server Manager.
2. Add the Print and Document Services role with the Print Server role service.
4. Create a new printer using an existing printer port with all default settings.
5. Open the Properties of the new printer.
7. Start the installation of an x86 driver for the printer, and then Cancel the installation.
Location-Aware Printing
Location-aware printing helps roaming users move between locations, while maintaining access to the
correctly configured default printer.
As users connect to a new network, they can set the default printer for that network. The next time they
reconnect to that network, the default print setting changes automatically to the default printer that they
defined previously for that specific network.
When a Windows 7 computer connects to a new network, it identifies the media access control (MAC)
address of the default gateway. Windows 7 uses this address as a unique identifier for the network.
If your organization's network equipment changes, and the MAC address of the default gateway changes,
Windows 7 identifies the network as a new network. This may cause the default printer to be set
incorrectly for the network. You should make users aware of this possibility when changing a network's
default gateway.
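Added example, not from the course: a PowerShell function that lists the default-gateway MAC addresses stored in the network signatures Windows 7 keeps in the registry (NetworkList\Signatures, where each signature records the gateway MAC it was built from) next to the gateway MAC the computer currently sees, so you can confirm before a gateway replacement which signature, and therefore which saved default printer, users will lose. The registry path is the Windows 7 location of those signatures; the function name is an assumption. Reading the Signatures key requires an elevated session.

```powershell
# Added example, not from the course: compare the live default-gateway MAC with the
# gateway MACs stored in Windows 7's network signatures. Run in an elevated session.

function Get-NetworkSignatureInfo {
    # Live view: every IP-enabled adapter that has a default gateway, with that
    # gateway's MAC taken from the ARP cache (a one-packet ping fills the cache first).
    $live = foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
        if (-not $nic.DefaultIPGateway) { continue }
        $gateway = $nic.DefaultIPGateway[0]
        $null = ping.exe -n 1 -w 500 $gateway
        $match = arp.exe -a $gateway |
                 Select-String -Pattern '([0-9a-f]{2}-){5}[0-9a-f]{2}' |
                 Select-Object -First 1
        $mac = '<not in ARP cache>'
        if ($match) { $mac = $match.Matches[0].Value.ToUpper().Replace('-', '') }
        New-Object PSObject -Property @{ Adapter = $nic.Description; Gateway = $gateway; GatewayMac = $mac }
    }

    # Stored view: one key per network signature; DefaultGatewayMac is a 6-byte value.
    $sigKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
    $stored = foreach ($key in Get-ChildItem -Path $sigKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        $mac = ($props.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ''
        New-Object PSObject -Property @{ Description = $props.Description; GatewayMac = $mac; FirstNetwork = $props.FirstNetwork }
    }

    # KnownSignature = True: Windows applies the default printer saved for this network.
    # False: Windows treats the network as new, and the saved default printer is not used.
    foreach ($l in $live) {
        $known = @($stored | Where-Object { $_.GatewayMac -eq $l.GatewayMac }).Count -gt 0
        New-Object PSObject -Property @{
            Adapter = $l.Adapter; Gateway = $l.Gateway; GatewayMac = $l.GatewayMac; KnownSignature = $known
        }
    }
}

Get-NetworkSignatureInfo | Format-Table Adapter, Gateway, GatewayMac, KnownSignature -AutoSize
```

Run it on a representative client before and after the gateway change: if KnownSignature flips to False afterwards, the client has created a new network profile and users will have to set their default printer for that location again, which is the symptom the text warns about.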
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 2 and 3 for 6293A-NYC-CL1 and 6293A-NYC-CL2. Do not log on until directed to do so.
Lab Scenario
The help desk has received a number of trouble tickets that relate to file access. Because you are the
desktop support technician that is the most experienced with file access, the tickets have been assigned to
you.
Supporting Documentation
Incident Record
Incident Reference Number: 602567
Incident Details
A user with a laptop computer reports that offline files are not synchronizing properly when he
disconnects from the network.
Additional Information
User reports that when he roams in the office and reconnects to the wired network, his updated files
are not synchronizing properly. This is a problem, because other users also have access to these files,
and if the files are not synchronized, users have to look through the files and merge changes
manually, which is time-consuming.
Steps to recreate the problem:
1. On NYC-CL1, create and open a file on the research share at \\NYC-DC1\Research.
2. Modify the contents of the file, and then save it.
3. Keep the file open, and then disconnect from the network.
4. Modify the contents of the file, and then save it.
5. Reconnect the computer to the network and close the file.
6. On NYC-CL2, open the file on the research share, and then verify that the latest changes are not
synchronized.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
To perform your troubleshooting, you first need to recreate the issues, and then verify the
problem.
To simulate disconnecting from the network, you can disable the network adapter in NYC-CL1.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
Results: After this exercise, you will have resolved a problem with offline files not synchronizing properly
Supporting Documentation
Incident Record
Incident Reference Number: 602568
Incident Details
User reports that he does not have access to the research share.
Additional Information
User reports that he started his job last week, and does not have access to the research share, which is
at \\NYC-DC1\Research. He is logging on to NYC-CL1.
I walked the user through accessing the share by using the UNC path. This is an acceptable short-term
solution. However, this user should have the drive letter R mapped to the research share like other
users.
Drive mappings have been converted to Group Policy Preferences. I've confirmed that the user
account is in the correct OU.
Other research users like Alan Brewer have no problems with the drive mapping.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Domain: Contoso
Results: After this exercise, you will have resolved a problem with a missing drive mapping.
Supporting Documentation
Incident Record
Incident Reference Number: 602093
Incident Details
User reports that files are missing from the My Documents folder after being given a new computer
with our standard operating system configuration.
Additional Information
The user has a new workstation configured with our default image. We have trained users not to save
information into My Documents, and have warned them that the files in My Documents are not
backed up.
I logged onto the user's old computer, and no files were in his My Documents folder. Eventually, we
found the files in his home folder, which was mapped to drive H.
I don't know how it was configured before, but this user wants My Documents to include the files in
his home drive instead of accessing them through drive H. Because this user is a department head, we
need to do this.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Repeat these steps for 6293A-NYC-CL1.
Results: After this exercise, you will have resolved a problem with missing files in My Documents.
Supporting Documentation
Incident Record
Incident Reference Number: 603033
Incident Details
New peer-based application for research is not working properly.
Additional Information
The research department is semiautonomous for Information Technology (IT). Department members
install and run many of their own applications, and they store data on their local workstations.
Additionally, they back up their workstations daily to prevent data loss.
They have a new application, which they installed on all workstations, that is not functioning properly.
The installation instructions indicate that there must be a file share to which all computers have
read/write permissions.
All computers are configured to use \\NYC-CL1\Modeling as the file share. The file share is created,
but users do not appear to have the proper permissions. The application generates the error "Shared
data access error".
I connected to \\NYC-CL1\Modeling and verified that I could not create or modify files from my
computer.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: After this exercise, you will have configured a share successfully with read/write permissions for
users in the Research group.
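The incident above turns on whether the Research users have read/write access at both the share level and the NTFS level, because the effective permission on a share is the more restrictive of the two. The following script is an added example, not part of the course or its lab files: it reports both permission sets for a named share so that a help desk technician can see which level is blocking writes. It assumes Windows 7 with PowerShell 2.0 and an account that can read the share's security descriptor (locally, or remotely through -ComputerName); the share name Modeling and the host NYC-CL1 come from the incident record.

```powershell
# Added example (not course code): compare share-level and NTFS permissions
# for a file share. Effective access is the more restrictive of the two levels,
# so a read-only entry at either level explains a "cannot create or modify" symptom.
# Assumes Windows 7 / PowerShell 2.0 and rights to read the share's security descriptor.

function Get-SharePermissionReport {
    param(
        [Parameter(Mandatory=$true)][string]$ShareName,   # e.g. Modeling
        [string]$ComputerName = '.'                        # '.' = this computer
    )
    $share = Get-WmiObject -ComputerName $ComputerName -Class Win32_Share -Filter "Name='$ShareName'"
    if ($share -eq $null) { throw "Share '$ShareName' not found on $ComputerName." }

    # Share-level DACL comes from the Win32_LogicalShareSecuritySetting class.
    $sec  = Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    $shareAces = foreach ($ace in $dacl) {
        # Access masks Windows uses for the three share permission levels.
        $right = switch ($ace.AccessMask) {
            2032127 { 'Full Control' }   # 0x1F01FF
            1245631 { 'Change' }         # 0x1301BF
            1179817 { 'Read' }           # 0x1200A9
            default { ('mask 0x{0:X}' -f $ace.AccessMask) }
        }
        $aceType = 'Deny'
        if ($ace.AceType -eq 0) { $aceType = 'Allow' }
        New-Object PSObject -Property @{
            Level   = 'Share'
            Trustee = ($ace.Trustee.Domain + '\' + $ace.Trustee.Name).TrimStart('\')
            Access  = $right
            Type    = $aceType
        }
    }

    # NTFS DACL on the folder behind the share. When querying a remote computer,
    # reach the folder through the administrative share (C$ and so on).
    $localPath = $share.Path
    if ($ComputerName -ne '.') { $localPath = "\\$ComputerName\" + ($share.Path -replace ':', '$') }
    $ntfsAces = foreach ($rule in (Get-Acl -Path $localPath).Access) {
        New-Object PSObject -Property @{
            Level   = 'NTFS'
            Trustee = $rule.IdentityReference.Value
            Access  = $rule.FileSystemRights.ToString()
            Type    = $rule.AccessControlType.ToString()
        }
    }
    @($shareAces) + @($ntfsAces)
}

# Usage: the application in the incident needs read/write for Research users at
# both levels; a Read-only or Deny entry at either level explains the error.
Get-SharePermissionReport -ShareName 'Modeling' -ComputerName 'NYC-CL1' |
    Format-Table Level, Trustee, Access, Type -AutoSize
```

Read the output as two lists: a Research group with Change or Full Control at the share level but only Read at the NTFS level (or the reverse) is the usual cause of the symptom in the incident, and an explicit Deny at either level overrides any Allow.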
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. A user has called the help desk and complained about not being able to access some files. After the
call was passed to you, you determined that the user was not added to the correct group. After
adding the user to the correct group, the user is still unable to access the files. What other step is
required?
2. You are distributing new laptop computers to executives in your organization. Is any additional
configuration required to allow them to log on by using their domain user account and password
when they are out of the office?
3. Your organization has recently introduced roaming user profiles to support users who move between
computers that are in cubicles. Some users report very slow logon and logoff times. Where would you
start the troubleshooting process?
4. You are distributing new laptop computers to executives in your organization. You have redirected
the My Documents folder to each user's home folder to ensure that the information is backed up.
What feature do you need to implement to allow the executives to access these files when they are
travelling without access to the network?
5. A colleague has configured a new network printer with an IP address. He wants users to print directly
to the printer over the network rather than print by using a print server. Users will add this printer
manually, only if it is required. Why is the configuration a concern?
6. One department in your organization is using a new application that creates two folders in the root of
drive C. One folder is for the program executables, the other folder is for program data. What file
permissions do you need to configure for these folders?
Tools
Module 8
Troubleshooting Security Issues
Contents:
Lesson 1: Recovering Files Encrypted by EFS 8-3
Module Overview
Windows 7 uses a wide range of security functions to secure data, including both Encrypting File System
(EFS) and BitLocker Drive Encryption. Windows Internet Explorer also has a large number of security
configuration options. You also use file permissions to limit file access, usually on file servers, to
authorized users. In this module, you will learn how to work with all of these features.
Objectives
After completing this module, you will be able to:
Lesson 1
Recovering Files Encrypted by EFS
You can use EFS to encrypt files on portable computers. If your organization uses EFS, you must be aware
of how to recover EFS-encrypted files in case the person who encrypted the files originally cannot recover
them.
Objectives
After completing this lesson, you will be able to:
EFS is a feature that you can use to encrypt files stored on a partition that you format with the NTFS file
system. After a file is encrypted by using EFS, only authorized users can access it. An authorized user can
open the file as if it were unencrypted. Users who do not have the authorization to access it receive an
access denied message when they try to open the file.
To protect your files, EFS uses a combination of two encryption methods, which Windows 7 applies
sequentially:
Symmetric Encryption
Symmetric encryption is the typical method of encrypting large amounts of data, and uses the same key
to encrypt and decrypt a file. This type of encryption is faster and stronger than public key encryption.
However, the difficulty of securing the key during a cross-network transfer requires additional security for
the symmetric key.
To decrypt files, the user can open the file, remove the encryption attribute, or decrypt the file by
using the cipher tool. When this occurs, EFS decrypts the file encryption key (FEK) by using the user's
private key, and then decrypts the data by using the FEK.
You can use the cipher command-line tool to perform various EFS actions, such as encrypting and
decrypting files. Use the /? option with the cipher tool to view detailed information about the available
options. The syntax for decrypting a file is:
Cipher /D filename
Note In addition to the user that encrypted the file, EFS encrypts additional copies of the
symmetric key with the public key of the recovery agent and any other authorized users.
EFS uses public key encryption to secure the FEK that encrypts file contents. Public key encryption uses
digital certificates that contain a public key and a private key. To use EFS, users must obtain a digital
certificate.
Self-Signed Certificates
By default, EFS generates a user certificate with a key pair automatically for a user if one does not exist
already. Because of this, users can encrypt files with no administrative setup.
When you encrypt a file on the local computer, EFS stores the self-signed certificate in the local user
profile.
When EFS encrypts a file on a file server, it stores the self-signed certificate in a user profile on the
server.
Using self-signed certificates is very easy to implement, but difficult to manage, because certificates are
stored in many locations, and there is no centralized control.
CA-Issued Certificates
Windows Server 2008 includes the Active Directory Certificate Services (AD CS) role that you can use to
issue EFS certificates to users, or you can use a third-party certification authority (CA) to issue EFS
certificates to users.
The primary benefit of issuing certificates from an internal CA is manageability: administrators have the
ability to control which users have certificates and the length of time that certificates remain valid.
Additionally, with an internal CA, you can issue as many certificates as necessary with no incremental cost.
A third-party CA offers the same manageability benefits as an internal CA. However, you pay a fee for
each certificate that a CA issues, which is a significant disadvantage. Unlike some other certificate-related
security, the trusted nature of a certificate that a third-party CA issues is not relevant for EFS.
You should back up the user certificate that EFS uses to secure a file, because if you do not back up the
certificate and it is lost, access to the file is lost. Another advantage to backing up the user certificate is
that you can import it on a different computer. Once you import the certificate, you can use it to access
encrypted files.
The most common scenario for using EFS is the default configuration where you use a self-signed
certificate. In this scenario, the EFS certificate that is required to decrypt the file exists only in the local
user profile. The user receives a prompt to back up the certificate, but EFS does not enforce backing up.
Users also can back up the certificate manually by using the Certificates Microsoft Management Console
(MMC) snap-in.
In the default configuration, when you store an EFS-encrypted file on a server, the certificate exists only
on the server, and you must include it in the server backup.
When you use AD CS as an internal CA, user certificates are published automatically to Active Directory
Domain Services (AD DS). The certificate becomes a property of the user object, but does not include the
private key. Because the private key is required to decrypt files, the certificate published in AD DS does
not, on its own, allow you to recover the certificate and decrypt files. You must perform another step.
When a network administrator wants to recover the entire certificate, including the private key, the
administrator must enable a key recovery agent. This agent then enables recovery of the certificate from
the CA. The key recovery agent is able to recover the entire certificate, including the private key.
If a user works from multiple computers, you must ensure that the certificate imports to every computer.
Because certificates are stored in user profiles, you can use roaming user profiles to move the certificates
between computers. As an alternative, network administrators can implement a system called credential
roaming to allow certificates to move between computers when a user logs on.
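The backup and import that the preceding paragraphs describe (and that the practice later performs through the Certificate Export and Import Wizards) can also be scripted, which matters when many users or many computers are involved. The script below is an added example and is not course code: it locates the current user's EFS certificate by its Enhanced Key Usage, exports it with its private key to a password-protected PFX, and imports such a file on another computer with the key marked exportable. It assumes Windows 7 with PowerShell 2.0, the default self-signed EFS certificate in the user's Personal store, and that the key is exportable (which is the default for a self-signed EFS key); the file paths in the usage comment are the ones the practice uses.

```powershell
# Added example (not course code): back up the current user's EFS certificate and
# private key to a PFX, and restore it on another computer. This is the scripted
# form of the Certificate Export/Import Wizard steps. Assumes Windows 7 with
# PowerShell 2.0 and the default self-signed EFS certificate in Cert:\CurrentUser\My.

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsUserCertificate {
    # Return EFS-capable certificates that still have a private key; without the
    # key the certificate cannot decrypt anything, so it is not worth backing up.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
    }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,                         # e.g. D:\EFSCertificateBackup.pfx
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password   # protects the PFX
    )
    $certs = @(Get-EfsUserCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key was found in the user store.' }

    foreach ($cert in $certs) {
        # PFX (PKCS #12) carries the private key with the certificate. Unlike the
        # wizard, this never offers to delete the private key after the export.
        $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        $bytes   = $cert.Export($pfxType, $Password)
        $target  = $PfxPath
        if ($certs.Count -gt 1) {
            # Several EFS certificates: write one file per thumbprint.
            $target = [System.IO.Path]::ChangeExtension($PfxPath, ".$($cert.Thumbprint).pfx")
        }
        [System.IO.File]::WriteAllBytes($target, $bytes)
        Write-Output ("Exported {0} (thumbprint {1}) to {2}" -f $cert.Subject, $cert.Thumbprint, $target)
    }
}

function Restore-EfsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    # Exportable mirrors the "Mark this key as exportable" check box, UserKeySet
    # keeps the key in the user's profile where EFS expects it, and PersistKeySet
    # keeps the key on disk after this script exits.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable,UserKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    Write-Output ("Imported {0} (thumbprint {1}); private key present: {2}" -f $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey)
}

# Usage (run as the user who owns the EFS certificate):
#   $pw = Read-Host 'PFX password' -AsSecureString
#   Backup-EfsCertificate  -PfxPath D:\EFSCertificateBackup.pfx -Password $pw
#   Restore-EfsCertificate -PfxPath \\NYC-DC1\C$\AdminCert.pfx  -Password $pw
```

The PFX file is as sensitive as the private key itself: whoever holds it and its password can decrypt every file that the certificate protects, so store it where the backup itself is protected, as the section on recovery keys recommends.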
Backing up a user certificate is one method you can use to recover EFS-encrypted files. First back up the
user certificate, import it into another profile, and then use it to decrypt the file. This method is difficult to
implement if your organization has many users. A better method to use in that case is to implement a
recovery agent.
A recovery agent is an individual who is authorized to decrypt all files that are encrypted with EFS. The
default recovery agent is the domain administrator, though you can delegate this responsibility to any
user.
When you add a new recovery agent through Group Policy, Windows 7 adds the recovery agent
automatically to all newly encrypted files. However, it does not add the recovery agent to existing
encrypted files. The recovery agent for a file is set at the time that you encrypt the file. Therefore, you
must access the encrypted file, and then save it to update the recovery agent. You also can use the cipher
command to force an update of the recovery agent.
Note To update the recovery agent on a file, run cipher /u filename. This command also
updates user encryption keys if necessary.
You should ensure that the certificate for a recovery agent always exports with the private key, and you
should keep it in a secure location that you can back up. There are two reasons to back up the recovery
key:
1. To secure against system failure. The domain administrator private key that Windows uses by default
for EFS recovery is stored only on the domain's first domain controller. If anything were to happen to this
domain controller, then EFS recovery would be impossible.
2. To make the recovery key portable. The recovery key may not be available to the recovery agent on
all computers. You must install the recovery key in the recovery agents profile. If you do not use
roaming profiles, then you can export and import the recovery key to update the recovery agents
profile on a specific computer.
Most EFS issues relate to the inability of users to encrypt or decrypt files. The following table lists common
issues and resolutions related to using EFS.
Issue: A user is unable to open a file that he has encrypted.
Resolution: This is most common when a user roams between computers and the private key is not
present on all computers. To resolve this, use roaming profiles or import the certificate and private key
manually on the new computer.

Issue: A user is unable to open a file that was encrypted by another user.
Resolution: This is expected behavior unless the user that encrypted the file explicitly shared the file
with the second user. To resolve this issue, have the original user share the file with the second user or
use a recovery agent to decrypt the file.

Issue: A user is unable to encrypt a file that has been compressed by using NTFS compression.
Resolution: This is expected behavior. If you need to encrypt the file, then you must decompress it.

Issue: After you configure a new recovery agent, you cannot access older files with the new recovery
agent.
Resolution: The recovery agent for a file is not updated unless you modify it. Use the cipher /u
command to update batches of files. However, you must be capable of decrypting the file to update the
recovery agent information.

Issue: Users are unable to encrypt files on a file share, but can encrypt files locally.
Resolution: If you are not using certificates from a certification authority and you want to allow EFS to
be used on a file share, then you must configure the file server computer account to be trusted for
delegation in the computer account's properties.

Issue: Users are unable to encrypt files on FAT formatted partitions.
Resolution: This is by design. You can use EFS only for files that you store on NTFS-formatted drives.
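The fourth issue above (older files that do not know about a newly configured recovery agent) is easy to miss, because the files still open normally for their owners. The following script is an added example, not course code: it enumerates EFS-encrypted files under a folder through the Encrypted file attribute and uses the cipher /c listing to report which files do not yet name the expected recovery agent, so that an administrator knows which files still need to be touched or updated with cipher /u. It assumes Windows 7 with PowerShell 2.0, that cipher /c prints the recovery certificate thumbprints (compared with whitespace removed, so the exact listing layout does not matter), and that the recovery agent thumbprint is read from the certificate in the GPO; the thumbprint and folder path in the usage lines are constructed placeholders.

```powershell
# Added example (not course code): list EFS-encrypted files that do not yet
# reference the expected recovery agent certificate. Assumes Windows 7 /
# PowerShell 2.0 and that "cipher /c" prints the recovery certificate
# thumbprints for a file.

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Every EFS-protected file carries the Encrypted attribute, on local disks
    # and on file shares alike.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        }
}

function Test-EfsRecoveryAgent {
    param(
        [Parameter(Mandatory=$true)][string]$File,
        [Parameter(Mandatory=$true)][string]$AgentThumbprint
    )
    # "cipher /c" lists the users and recovery certificates that can decrypt a
    # file. Thumbprints are printed in spaced groups, so strip all whitespace
    # and look for the thumbprint as one hex string instead of parsing the layout.
    $listing = (& cipher.exe /c "$File" 2>&1) -join ' '
    $listing = $listing -replace '\s', ''
    return $listing.ToUpper().Contains(($AgentThumbprint -replace '\s', '').ToUpper())
}

function Find-FilesMissingRecoveryAgent {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$AgentThumbprint
    )
    foreach ($f in Get-EfsEncryptedFile -Path $Path) {
        if (-not (Test-EfsRecoveryAgent -File $f.FullName -AgentThumbprint $AgentThumbprint)) {
            $f.FullName
        }
    }
}

# Usage. The thumbprint below is a constructed placeholder: read the real one
# from the recovery agent certificate in the GPO (Public Key Policies >
# Encrypting File System) or from Cert:\CurrentUser\My on the agent's computer.
$agent = '0000000000000000000000000000000000000000'
$stale = @(Find-FilesMissingRecoveryAgent -Path 'C:\Users\Adam\Documents' -AgentThumbprint $agent)
Write-Output ("{0} encrypted file(s) still lack recovery agent {1}" -f $stale.Count, $agent)
$stale
# Files listed here must be opened and saved by a user who can decrypt them, or
# refreshed with cipher /u, before the new recovery agent can recover them.
```

Run the audit as a user who can read the directory tree; cipher /c does not need to decrypt the file to list its certificates, but the update that follows (cipher /u or a save) does, which is the limitation the table notes.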
You can configure a recovery agent by using a Group Policy object (GPO). First, you import a certificate
into the GPO, and then the user with the private key corresponding to that certificate is able to decrypt
EFS encrypted files. The certificates in the GPO do not contain the private key.
In this practice, you will identify an EFS recovery agent, and then use the recovery agent certificate to
recover an encrypted file.
Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice,
you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
5. Repeat steps 1-3 for 6293A-NYC-CL1. Do not log on until directed to do so.
Detailed Steps
2. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, expand
Contoso.com, and then click Group Policy Objects.
3. In the right-pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click
Encrypting File System. Notice that a recovery agent exists, by default, for EFS.
Encrypt a file
1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.
2. Right-click the desktop, point to New, and then click Microsoft Office Word Document.
6. In the Advanced Attributes window, select the Encrypt contents to secure data check box, and then
click OK.
8. In the Encryption Warning window, click Encrypt the file only, and then click OK. Wait a few
moments for the file to encrypt.
Note Encrypted files have a green filename in Windows Explorer, but not on the desktop.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.
6. Double-click the Adam Carter certificate, and then read the information. Notice that the certificate
was just created, and that you have a private key for this certificate.
8. Right-click the Adam Carter certificate, point to All Tasks, and then click Export.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export file format page, click Next to accept the default selections.
Note In step 11, if you select the option to Delete the private key if the export is
successful, then you cannot decrypt files after the export.
12. On the Password page, type Pa$$w0rd in both boxes, and then click Next.
13. On the File to Export page, type D:\EFSCertificateBackup.pfx, and then click Next.
14. On the Completing the Certificate Export Wizard page, click Finish.
4. Click OK to clear the message indicating that you do not have access privileges to the file.
Note Administrator is unable to open the file even though Administrator is the recovery
agent because the necessary private key is not present on NYC-CL1. The private key is
located only on NYC-DC1.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.
4. In the Certificates snap-in window, verify that My user account is selected, and then click Finish.
7. Right-click the Administrator certificate, point to All Tasks, and then click Export.
8. In the Certificate Export Wizard, click Next.
9. On the Export Private Key page, click Yes, export the private key, and then click Next.
10. On the Export file format page, click Next to accept the default selections.
11. On the Password page, type Pa$$w0rd in both boxes, and then click Next.
12. On the File to Export page, type C:\AdminCert.pfx, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish.
2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.
4. In the Certificates snap-in window, verify that My user account is selected, and then click Finish.
6. In the Console1 window, expand Certificates - Current User, and then click Personal.
9. On the File to Import page, in the File name box, type \\NYC-DC1\C$\AdminCert.pfx, and then
click Next.
10. On the Password page, in the Password box, type Pa$$w0rd.
11. Select the Mark this key as exportable check box, and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish.
5. In the Advanced Attributes window, clear the Encrypt contents to secure data check box, and then
click OK.
7. Notice that the filename is black instead of green because it no longer is encrypted.
Lesson 2
Recovering BitLocker-Protected Drives
You can use BitLocker to encrypt entire partitions, and you typically use it on portable computers where
there is a risk of the computer being lost. You cannot access data on a drive that users encrypt with
BitLocker by using utilities, by resetting the local Administrator password, or by placing the encrypted
drive in an alternate computer. You must understand how to recover drives that users encrypt with
BitLocker in case the encryption keys become inaccessible after a hardware failure.
Objectives
After completing this lesson, you will be able to:
BitLocker is a feature in Windows 7 that encrypts entire partitions. The primary purpose of BitLocker is to
protect the data on a hard drive that you remove from a computer, but it also protects the integrity of
boot files. You typically use BitLocker for portable computers, which users are most likely to lose.
To enable BitLocker, a Windows 7 computer must have at least two partitions. The system volume
contains the boot files for Windows 7, and the boot volume contains the operating system files. Windows
7 creates this type of partition structure automatically during installation, unless an unattended
installation file provides alternate instructions.
BitLocker uses several encryption keys to protect the partitions on which it is enabled. When you enable
BitLocker, the following process is performed:
1. BitLocker creates a Full Volume Encryption Key (FVEK) for each volume and uses it to encrypt each
volume. This key never changes because it would take too long to re-encrypt the partition.
2. BitLocker encrypts each FVEK and stores it on the system partition. It reads each FVEK during startup,
and uses them to decrypt the volumes and allow Windows to start.
3. BitLocker generates a Volume Master Key (VMK) which is used to encrypt the FVEKs. This key is read
during startup, and is required to access the FVEKs.
For additional security, you can require a password during startup, which provides a second layer of
security to the logon process.
Note BitLocker typically has less than a 10 percent performance impact on disk activity.
A Trusted Platform Module (TPM) is a chip on a computer system board for storing encryption keys and
certificates, and it is a trusted location for that computer.
The preferred configuration for BitLocker is to store the VMK in a TPM. During startup, BitLocker retrieves
the VMK from the TPM and uses it to decrypt the FVEKs for encrypted volumes.
Not all computers have a TPM. Some vendors only implement a TPM on their business-class computers. If
you use BitLocker on a computer without a TPM, the VMK is stored on a Universal Serial Bus (USB) flash
drive instead of stored on the computer. This USB drive must be present during Windows 7 startup. This is
somewhat risky because a lost flash drive means that you cannot start the computer.
BitLocker encrypted drives become inaccessible if the VMK for a computer system cannot be accessed.
This can occur if:
When you enable BitLocker, it generates a 256-bit recovery key and a 48-digit recovery password.
BitLocker provides you with the options to print the recovery password, save the recovery password to
a file, or save both to a USB flash drive. You can use either the recovery key or the recovery password to
decrypt the drive when the VMK is no longer available.
You also can store the recovery password in AD DS. To do this, you must enable the option by using
Group Policy. This is a scalable solution, and much better than requiring administrators to store the
recovery password during the encryption process. BitLocker stores BitLocker recovery passwords in the
properties of the computer account. You can view them by using the BitLocker Recovery Password Viewer,
which the Remote Server Administration Tools (RSAT) for Windows Server 2008 R2 include, and which you
can install on Windows 7. It extends the functionality of Active Directory Users and Computers so that you
can view the BitLocker recovery password in the properties of a computer account.
Note The Group Policy setting to store BitLocker recovery passwords in Active Directory is
\Computer Configuration\Policies\Administrative Templates\Windows Components
\BitLocker Drive Encryption\Store BitLocker recovery information in Active Directory Domain
Services (Windows Server 2008 and Windows Vista).
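Whether a given computer actually has a recovery password protector, and whether that password reached AD DS, is something a help desk should be able to check before a recovery is needed rather than after. The script below is an added example and is not course code: it reads every BitLocker-capable volume through the Win32_EncryptableVolume WMI class, reports the protection state and the key protector types (TPM, startup key, recovery password, data recovery agent, and so on), and can escrow the recovery password protectors to AD DS with the same operation that the Group Policy setting above triggers automatically. It assumes Windows 7 with PowerShell 2.0 run from an elevated prompt on a domain-joined computer; the -Escrow switch is this script's own parameter, not a BitLocker feature name.

```powershell
# Added example (not course code): audit BitLocker key protectors on each
# encryptable volume and, on request, back the recovery password up to AD DS.
# Assumes Windows 7 / PowerShell 2.0 in an elevated prompt (the BitLocker WMI
# provider requires administrator rights).

# Key protector types as returned by GetKeyProtectorType in the BitLocker WMI provider.
$KeyProtectorName = @{
    0 = 'Unknown'
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key (data recovery agent or smart card)'
    8 = 'Passphrase'
}

function Get-BitLockerVolumeReport {
    param([switch]$Escrow)   # -Escrow: back up recovery passwords to the computer account in AD DS
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume'
    foreach ($vol in $volumes) {
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        $status = $vol.GetProtectionStatus().ProtectionStatus
        # GetKeyProtectors(0) returns the IDs of every protector on the volume.
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
        $types = @()
        $recoveryIds = @()
        foreach ($id in $ids) {
            $t = $vol.GetKeyProtectorType($id).KeyProtectorType
            $types += $KeyProtectorName[[int]$t]
            if ($t -eq 3) { $recoveryIds += $id }
        }
        $escrowResult = 'not requested'
        if ($Escrow -and $recoveryIds.Count -gt 0) {
            # Same backup that the "Store BitLocker recovery information in
            # Active Directory Domain Services" policy performs automatically.
            $rc = @()
            foreach ($id in $recoveryIds) {
                $rc += $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
            }
            $escrowResult = 'return code(s) ' + ($rc -join ',')   # 0 = success
        }
        New-Object PSObject -Property @{
            Volume         = $vol.DriveLetter
            ProtectionOn   = ($status -eq 1)
            KeyProtectors  = ($types -join '; ')
            HasRecoveryPwd = ($recoveryIds.Count -gt 0)
            AdEscrow       = $escrowResult
        }
    }
}

# Usage: report only, then report and escrow the recovery passwords.
Get-BitLockerVolumeReport | Format-Table Volume, ProtectionOn, HasRecoveryPwd, KeyProtectors -AutoSize
# Get-BitLockerVolumeReport -Escrow | Format-Table Volume, HasRecoveryPwd, AdEscrow -AutoSize
```

A volume that shows ProtectionOn as True but HasRecoveryPwd as False can be recovered only with a saved recovery key file or a data recovery agent; if the TPM fails or the startup key is lost before a recovery password is added and escrowed, the data is gone, which is exactly the situation the lesson warns about.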
To recover an encrypted operating system drive, you must use the Windows recovery console that is
accessible during startup or by booting from the Windows 7 installation DVD. In the recovery console, you
can provide the USB flash drive with the recovery key or type the recovery password. Drives that do not
contain the operating system prompt you for the recovery information when you attempt to use them
from within the operating system.
Note If you are typing the recovery password, you typically need to use the function keys.
For example, pressing F1 is equivalent to pressing 1.
Your final option for recovering BitLocker encrypted drives is to use a data recovery agent. Similar to a
recovery agent in EFS, a data recovery agent for BitLocker has a certificate that BitLocker uses to access
encrypted drives. You configure a data recovery agent by importing its certificate into a GPO.
To configure a data recovery agent by using Group Policy you must configure two settings:
You can use BitLocker to encrypt entire disk volumes. In most cases, a TPM is used to store the encryption
keys for BitLocker. However, not all computers have a TPM. In such a case, you can store the encryption
keys on a USB flash drive or a floppy disk.
In this demonstration, you will see how to configure BitLocker when a TPM is not available.
Demonstration Steps
1. On the virtual host, verify that BitLocker.vfd is attached to the floppy drive of NYC-CL1.
Enabled
10. Open Windows Explorer, and then open Manage BitLocker for Local Disk (C:).
12. Open the BitLocker Recovery Key text file stored on A:, and then read the recovery key.
BitLocker To Go
BitLocker To Go is a new feature in Windows 7. You can use it to encrypt removable storage that you want
to use on other computers. It safeguards the data while it is in transport, which ensures that if the
removable storage is lost, the person who finds it cannot access the data.
When you enable BitLocker To Go for removable media, you are prompted to use either a password or a
smart card to unlock the drive. Using a password makes it simple to unlock the removable storage on
other computers because anyone with the password can unlock it. Requiring a smart card is more
complicated because you must have a smart card, and then the computer that you use to unlock the
removable storage also requires a smart-card reader.
Windows 7 computers can read and modify removable storage that you encrypt by using BitLocker To Go.
Windows XP and Windows Vista computers can read data from removable storage that you encrypt by
using BitLocker To Go if users use the BitLocker To Go Reader. All removable storage that you encrypt by
using BitLocker To Go includes the reader, which is accessible before you decrypt the content.
The recovery options for BitLocker To Go are the same as for standard drives. You can save recovery keys
to a file, publish recovery keys to AD DS, or use a data recovery agent.
Lesson 3
Troubleshooting Internet Explorer and Content Access Issues
Internet Explorer is commonly used to access web-based applications, many of which are business critical.
You must understand how to troubleshoot issues with Internet Explorer and content access to ensure that
users are able to continue using these web-based applications.
Objectives
After completing this lesson, you will be able to:
Describe authentication for web-based applications hosted on Internet Information Services (IIS).
Authentication to IIS
Many organizations use web-based intranets and applications as an important part of their business.
These websites are not just collections of webpages, but rather they are components of an organization's
critical business infrastructure. Many of these websites are hosted on Windows Server by using IIS.
When you troubleshoot issues with access to web-based applications, you must know which
authentication methods are available to you.
Basic. This type of authentication sends the username and password in cleartext over the network,
and it provides the best compatibility through firewalls, and between various browser and web
servers. You always should secure Basic authentication by using Secure Sockets Layer (SSL), which you
configure on the server. You can identify SSL-secured websites by the lock icon that displays in
Internet Explorer. Additionally, the address for SSL secured websites start with https://.
Windows. This type of authentication uses either Windows Challenge/Response, also known as NT
Local Area Network Manager (NTLM), or Kerberos authentication. In either case, Internet Explorer
automatically encrypts the username and password as they pass over the network. In some cases,
Windows authentication does not pass properly through firewalls.
The primary benefit of using Windows authentication is the ability for workstation credentials to pass
automatically to the web server. However, this is possible only when you are using a single label name for
the server that you are accessing. For example: http://webserver.
Digest. This type of authentication is an Internet standard that secures credentials automatically
during the authentication process. You typically use it for external users.
Certificate mapping. This type of authentication maps a certificate to a user, and enables the user to
authenticate by presenting that certificate. This is more secure than the process of requiring a
username and password, however, it is more difficult to implement and rarely used.
Internet Explorer includes security zones that allow you to control security settings for groups of websites.
Depending on the security zone in which a website is included, Internet Explorer enables you to use
different security settings. For example, some zones enable Protected Mode or do not allow ActiveX
controls.
Note Protected Mode in Internet Explorer prevents code on websites from affecting the
operating system by isolating Internet Explorer processes and limiting their permissions.
Internet. This zone is the default zone for all websites that are not in any other zone. It has medium-high
security settings, which enable users to perform most tasks. However, users may receive prompts to accept
some riskier behaviors.
Local intranet. By default, this zone contains websites with single-label names and sites that bypass the proxy
server; you can add other sites to it manually. It has medium-low security settings that allow most websites to
run without any end-user prompts, because it assumes the sites are trustworthy. Additionally, it does not use
Protected Mode, and it is the zone to which Windows credentials are sent automatically.
Trusted sites. This zone has no websites, by default. You must add sites manually to the Trusted sites
zone, and it has medium security settings, which enable users to run most web-based applications. It
does not use Protected Mode, so add only sites you actually trust. Typically, you use this zone for web-based
applications that are hosted externally.
Restricted sites. This zone has no websites, by default. You must add sites manually to the Restricted
sites zone. This zone has high security settings, and is suitable for browsing websites that you are
concerned may contain malware (malicious software).
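A zone assignment is only a registry mapping, so you can audit and change it from PowerShell. The following script is an added example and not part of the course material. It assumes zones are stored per user under the ZoneMap key (that is, the "Security Zones: Use only machine settings" policy is not enabled), uses the fictitious contoso.com names from this module, and also covers the credential-prompt case in the troubleshooting table later in this lesson: a fully qualified name that should be treated as intranet is moved into zone 1.

```powershell
# Added example: inspect and set Internet Explorer security-zone assignments
# for the current user. Zone IDs used by Internet Explorer:
#   1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeZoneAssignment {
    # Keys are laid out as Domains\<registrable domain>\<host>; each value is a scheme
    # name (http, https or *) whose DWORD data is the zone ID.
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
        $parts = $rel -split '\\'
        $site = if ($parts.Count -eq 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($scheme in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Site   = $site
                Scheme = $scheme
                Zone   = $zoneNames[[int]$key.GetValue($scheme)]
            }
        }
    }
}

function Set-IeZoneAssignment {
    param(
        [Parameter(Mandatory=$true)][string]$Site,                 # e.g. nyc-dc1.contoso.com
        [Parameter(Mandatory=$true)][ValidateSet(1,2,3,4)][int]$ZoneId,
        [string]$Scheme = '*'                                      # http, https, or * for both
    )
    $labels = $Site -split '\.'
    if ($labels.Count -lt 2) { throw 'Single-label names are already in the Local intranet zone.' }
    # Split example.contoso.com into key path contoso.com\example
    $domain   = ($labels[-2..-1]) -join '.'
    $hostPart = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
    $keyPath  = Join-Path $zoneMap $domain
    if ($hostPart) { $keyPath = Join-Path $keyPath $hostPart }
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $Scheme -Value $ZoneId -PropertyType DWord -Force | Out-Null
}

# Credential-prompt case: the FQDN lands in the Internet zone, so no Windows
# credentials are sent. Moving it to Local intranet (zone 1) fixes that.
Set-IeZoneAssignment -Site 'nyc-dc1.contoso.com' -ZoneId 1
Get-IeZoneAssignment | Format-Table Site, Scheme, Zone -AutoSize
```

Zone 2 (Trusted sites) turns off Protected Mode for the site, so use it only for the exact host that needs it. In a domain you would normally push the same mapping with the "Site to Zone Assignment List" Group Policy setting rather than editing each user's registry, which also prevents users from moving a site back.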
Other Internet Explorer settings that may be a concern for web-based applications include:
Privacy settings. The privacy settings in Internet Explorer control the use of cookies, which some web-
based applications use to track user state. You can allow cookies specifically from the website that
hosts a web-based application, so that the application performs properly without loosening the setting for
every site.
Pop-up Blocker. The purpose of the Pop-up Blocker in Internet Explorer is to prevent unwanted
advertisement windows from displaying. However, some web-based applications open their own pop-up
windows, so you may need to allow them for the specific websites that host such applications.
Advanced settings. Individual web-based applications may require unusual security settings that you
can adjust only on the Advanced tab. For example, an externally hosted website may require the use
of an older version of SSL. Enabling SSL 2.0 or SSL 3.0 applies to every HTTPS connection the user makes, not
only to that site, so treat it as a temporary exception and ask the site owner to support TLS.
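The SSL/TLS check boxes on the Advanced tab are backed by a single bitmask value, which makes the setting easy to audit across a fleet. The following script is an added example rather than course material; the bit values are those Internet Explorer uses for SecureProtocols, and the assumed default for Internet Explorer 8 on Windows 7 (SSL 3.0 and TLS 1.0 enabled) is marked in the code.

```powershell
# Added example: decode the SecureProtocols bitmask behind the
# Internet Options > Advanced SSL/TLS check boxes for the current user.
$flags = @{ 0x08 = 'SSL 2.0'; 0x20 = 'SSL 3.0'; 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }
$weak  = @(0x08, 0x20)   # obsolete protocols; enabling them downgrades every HTTPS session

function Get-IeSecureProtocols {
    $path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $value = (Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($value -eq $null) { $value = 0xA0 }   # assumption: IE8 on Windows 7 default (SSL 3.0 + TLS 1.0)
    foreach ($bit in ($flags.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Protocol = $flags[$bit]
            Enabled  = (($value -band $bit) -ne 0)
            Weak     = ($weak -contains $bit)
        }
    }
}

function Test-IeWeakProtocolEnabled {
    # Returns the names of obsolete protocols that are switched on, for reporting
    Get-IeSecureProtocols | Where-Object { $_.Enabled -and $_.Weak } | ForEach-Object { $_.Protocol }
}

Get-IeSecureProtocols | Format-Table Protocol, Enabled, Weak -AutoSize
$bad = @(Test-IeWeakProtocolEnabled)
if ($bad.Count -gt 0) { Write-Warning ("Obsolete protocols enabled: " + ($bad -join ', ')) }
```

If the "Turn off encryption support" Group Policy setting is configured, the policy copy of the value takes precedence over the per-user one shown here, which is the right place to enforce a single, current protocol set for the whole domain instead of per-site exceptions.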
You can extend the functionality of Internet Explorer by installing add-ons. One of the most important
uses of add-ons is displaying content on webpages that Internet Explorer does not understand natively.
For example, add-ons may help display non-HTML document formats or video within a webpage.
You can use the Manage Add-ons function in Internet Explorer to view the installed add-ons so that you
can disable them. If Internet Explorer is experiencing performance problems, you can disable add-ons that
you think may be responsible, and re-enable them one at a time to find the culprit.
One of the most common causes of Internet Explorer performance issues is users installing toolbars, which
are often bundled with other downloads and sometimes carry adware or malware. Removing third-party
toolbars often improves performance. However, some toolbars do not uninstall properly. As a final option,
you can reset Internet Explorer settings, which reverts Internet Explorer to its default state and disables all
add-ons.
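Manage Add-ons shows what is loaded, but when you suspect an add-on is malicious it helps to know which DLL each entry maps to and who signed it. The following script is an added example (not course material) that reads the registration points Internet Explorer uses for browser helper objects and toolbars, resolves each CLSID to its in-process server, and checks the Authenticode signature; it assumes a 64-bit Windows 7 installation, so it also looks under Wow6432Node for the 32-bit browser.

```powershell
# Added example: list Internet Explorer BHOs and toolbars with their DLL paths
# and signature status. Unsigned or "FileMissing" entries deserve a closer look.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKeys = @(
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)

function Resolve-Clsid([string]$clsid) {
    # Map a CLSID to its display name and InprocServer32 DLL (32- or 64-bit registration)
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = Join-Path $root $clsid
        if (Test-Path $key) {
            $name = (Get-ItemProperty -Path $key).'(default)'
            $dll  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
            return New-Object PSObject -Property @{ Name = $name; Path = $dll }
        }
    }
    New-Object PSObject -Property @{ Name = $null; Path = $null }
}

function Get-IeAddOn {
    $found = @()
    foreach ($k in $bhoKeys) {
        if (Test-Path $k) {
            Get-ChildItem $k | ForEach-Object { $found += @{ Type = 'BHO'; Clsid = $_.PSChildName } }
        }
    }
    foreach ($k in $toolbarKeys) {
        if (Test-Path $k) {
            # Toolbar registrations are value names shaped like {GUID}
            (Get-Item $k).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' } |
                ForEach-Object { $found += @{ Type = 'Toolbar'; Clsid = $_ } }
        }
    }
    foreach ($f in $found) {
        $info = Resolve-Clsid $f.Clsid
        $sig  = $null
        if ($info.Path -and (Test-Path $info.Path)) { $sig = Get-AuthenticodeSignature $info.Path }
        New-Object PSObject -Property @{
            Type      = $f.Type
            Clsid     = $f.Clsid
            Name      = $info.Name
            Path      = $info.Path
            Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-IeAddOn | Sort-Object Signature | Format-Table Type, Name, Signature, Signer, Path -AutoSize
```

A valid signature is not proof of good intent, but an unsigned DLL in a user-writable folder, or a registration whose file no longer exists, is the pattern that toolbars and adware leave behind. The reset described above can also be launched from a command prompt with rundll32.exe inetcpl.cpl,ResetIEtoDefaults, which is convenient in a remote-support session.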
Most issues related to Internet Explorer and security are easy to resolve. A key part of the troubleshooting
process for accessing websites is identifying the following:
These questions help you isolate what is causing the problem: a firewall, server configuration, or Internet
Explorer configuration.
The following table lists some common ways that you can resolve problems related to accessing websites
and web-based applications.

Issue: Users are unable to access a website.
Resolution: Verify that there is proper network connectivity, and that a firewall or proxy server is not
blocking the website.

Issue: Users are prompted for credentials when accessing an internal website that is configured to use
Windows authentication.
Resolution: Verify that users are accessing the website by using a name that Internet Explorer places in the
Local intranet zone (a single-label name, or a fully qualified name that has been added to that zone). Also
verify that the user is logged on to a domain-joined computer with a domain account, because those are the
credentials that are passed through.

Issue: Users are unable to use a web-based application because Internet Explorer security settings or
Protected Mode are blocking required functionality.
Resolution: If the web-based application comes from a trusted source, add the website to the Trusted sites
zone. This turns off Protected Mode for that site and allows many web-based applications to function
properly. Because it also removes the sandbox that limits what the site's code can do to the computer, add
only the specific site that hosts the application, and do not use this as a general fix for unknown sites.

Issue: A web-based application is not retaining settings properly between screens or between sessions.
Resolution: Ensure that the privacy settings allow the web-based application to set cookies.

Issue: A web-based application is not opening new windows that it requires for proper operation.
Resolution: Ensure that the Pop-up Blocker allows the necessary windows to open by adding the website to
the list of allowed sites.

Issue: Internet Explorer is running more slowly than normal and may be displaying unusual information on
webpages.
Resolution: Disable any unauthorized add-ons, which may be malware. Injected advertisements or altered
page content are a strong sign of a malicious browser helper object or toolbar, so scan the computer for
malware as well.

Issue: Users are unable to view embedded content, such as audio or video, in a website.
Resolution: Install the add-on for Internet Explorer that is required to view the content, obtained from the
vendor's own website rather than from a download prompt on the page that requested it.

Issue: Internet Explorer is experiencing unusual problems authenticating to a website or accessing website
content.
Resolution: Clear the Internet Explorer browsing history, including temporary Internet files, cookies, and
saved passwords.

Issue: Internet Explorer is not displaying updated website content that you know has been updated.
Resolution: Clear the temporary Internet files and then press F5 to refresh, or press Ctrl+F5 to force a
refresh of a single website that bypasses the cache.

Issue: An older website is not displaying properly in Internet Explorer 8.
Resolution: Enable Compatibility View for the website. This may also be required for some web-based
applications. Compatibility View renders the website as though you are using an older version of Internet
Explorer.

Issue: When accessing a secure website with https, users get the error "There is a problem with this
website's security certificate."
Resolution: This error occurs because the certificate that the server presents does not pass validation: it
may have expired, the name in the certificate may not match the DNS name that the user typed, or it may
be self-signed and therefore not chained to a trusted root. Fix the cause on the server or in the address the
user uses. Users can choose Continue to this website (not recommended), but this bypasses the only check
that distinguishes the real server from an impostor, so do not coach users to do it routinely. If an internal
server must use a self-signed certificate, you can import that certificate into the client computer's Trusted
Root Certification Authorities store to remove the error; note that this makes the client trust anything signed
with that key, so issue the server a certificate from your enterprise CA instead wherever possible.

Issue: Malware is installed as an add-on that you cannot remove.
Resolution: Reset Internet Explorer settings. This can resolve unexplained problems with Internet Explorer,
but causes the loss of customizations such as toolbar and add-on settings, security and privacy settings, and
other configuration changes. If other malware remains on the computer, Internet Explorer may be infected
again, so remove the malware from the computer as well.
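The three causes listed for the certificate error can be told apart from a support workstation without asking the user to click through the warning. The following function is an added example and not part of the course; it performs the same checks Internet Explorer does (name match, validity period, chain to a trusted root) against a live server and reports which one fails. It assumes the site is reachable on TCP 443 and uses the fictitious nyc-dc1.contoso.com name from this module; revocation checking is disabled only because the lab environment is offline.

```powershell
# Added example: diagnose "There is a problem with this website's security
# certificate" by validating the server certificate the way the browser does.
function Test-SiteCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate during the handshake so we can retrieve it; the real
    # validation happens below and is never skipped.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    # 1. Name: does the host the user typed match the CN or a Subject Alternative Name?
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $false
    foreach ($n in $names) {
        # Allow a single wildcard label, e.g. *.contoso.com
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($HostName -match $pattern) { $nameOk = $true }
    }

    # 2. Validity period and 3. chain to a trusted root (self-signed shows as UntrustedRoot)
    $now = Get-Date
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab; use Online in production
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NameMatches  = $nameOk
        Expired      = ($now -gt $cert.NotAfter -or $now -lt $cert.NotBefore)
        NotAfter     = $cert.NotAfter
        ChainTrusted = $chainOk
        ChainStatus  = $status
    }
}

Test-SiteCertificate -HostName 'nyc-dc1.contoso.com' | Format-List
```

NameMatches false with everything else fine means the user is typing a different name than the one the certificate was issued for (for example the short name instead of the FQDN); Expired true means renewal on the server; ChainTrusted false with UntrustedRoot and SelfSigned true is the self-signed case, where the fix belongs on the server, not in the user's trust store.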
The two most common problems that users experience with Internet Explorer are poor performance and
the inability to access web-based content. To resolve performance problems, you can manage Internet
Explorer add-ons, and reset Internet Explorer settings. To resolve issues accessing content, you can
configure the Pop-up blocker and privacy settings. In some cases, clearing the Internet Explorer history
can also resolve content access issues.
In this practice, you will configure various Internet Explorer options and features.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Detailed Steps
2. In Internet Explorer, click Tools, point to Pop-up Blocker, and then click Pop-up Blocker Settings.
3. In the Pop-up Blocker Settings window, in the Address of website to allow box, type
webapp.contoso.com, and then click Add.
4. Click Close.
4. In the Show box, select Run without permission. Take note of the large list installed by default.
5. Click Close.
2. In the Internet Options window, on the General tab, in the Browsing history area, click Delete.
3. In the Delete Browsing History window, read the default selections, and then click Delete.
3. In the Per Site Privacy Actions window, in the Address of website box, type webapp.contoso.com
and click Allow.
4. Click OK.
3. In the Reset Internet Explorer Settings window, read the information, and then click Reset.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The help desk has received a number of trouble tickets that relate to security. Because you are the
desktop support technician that has the most experience with security, the tickets have been assigned to
you.
Supporting Documentation
Incident Record
Incident Reference Number: 603012
Incident Details
Executive user is reporting that she has data that is encrypted with BitLocker Drive Encryption that she needs to
recover from a failed laptop.
Additional Information
The user uses her personal laptop to work on company documents. The laptop had a secondary hard
drive on which she stored the documents. She encrypted all drives with BitLocker to secure them.
Internal laptops are configured with a recovery agent to simplify data recovery. Because this is a personal
laptop, using a recovery agent is not an option.
She has given us the encrypted drive, and a printout she made after the drive was encrypted.
She has requested that we configure the drive so that she can attach it to another computer easily by
placing the drive in an external USB enclosure. Preferably, it should require only a password to unlock.
Plan of Action
Resolution
To verify that this is the correct recovery key, compare the key protector identifier on the printout with the
identifier that appears on the recovery screen:
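The same recovery and reconfiguration can be done with manage-bde from an elevated command prompt, which is useful when the drive is attached to a support technician's computer rather than the user's. The following script is an added example and not part of the lab; the drive letter is a placeholder, the 48-digit recovery password is read from the user's printout, and it assumes the drive is a BitLocker data volume (not the operating system volume) attached through the USB enclosure described in the incident record.

```powershell
# Added example: unlock a BitLocker data drive with its printed recovery
# password, then add a password protector so it can be unlocked from any
# Windows 7 computer by password alone. Run from an elevated PowerShell prompt.
$drive = 'E:'   # placeholder: the letter Windows assigned to the attached drive

# 1. Confirm the volume is BitLocker-protected and currently locked.
#    The unlock dialog's "Key ID" must match the identifier on the printout
#    before any recovery password is typed in.
manage-bde -status $drive

# 2. Unlock with the 48-digit recovery password (eight groups of six digits,
#    separated by hyphens, exactly as printed)
$recoveryPassword = Read-Host 'Enter the 48-digit recovery password from the printout'
manage-bde -unlock $drive -RecoveryPassword $recoveryPassword
if ($LASTEXITCODE -ne 0) { throw 'Unlock failed: wrong recovery password or wrong drive letter' }

# 3. Add a password protector; manage-bde prompts for the new password twice.
#    Keep the existing recovery password as a second protector in case the
#    password is forgotten.
manage-bde -protectors -add $drive -Password
if ($LASTEXITCODE -ne 0) { throw 'Could not add a password protector' }

# 4. Verify: the drive should be unlocked and list both a Numerical Password
#    (the recovery password) and a Password protector.
manage-bde -protectors -get $drive
manage-bde -status $drive
```

Do not delete the Numerical Password protector after adding the password: it is the only way back in if the password is lost, and there is no recovery agent for a personal laptop. The printout itself is equivalent to the key, so it should be stored as carefully as the data it protects.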
2. Update the Plan of Action section of the Incident Record with your recommendations.
8. Click OK.
9. Start the 6293A-NYC-CL1 virtual machine, and then log on as NYC-CL1\WSAdmin with the
password of Pa$$w0rd. If you are prompted to restart NYC-CL1, click Restart Now.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: After this exercise, you will have recovered a BitLocker-protected drive.
Supporting Documentation
Incident Record
Incident Reference Number: 603026
Incident Details
User is being prompted for security credentials when accessing the intranet site.
Additional Information
When the user attempts to access the corporate intranet by using http://nyc-dc1.contoso.com, he is
prompted for credentials.
I coached him through the process of entering his credentials as Contoso\Sten and his password. This
authenticates him successfully, and he can use this as a short-term workaround, but he does not want
to be prompted.
I asked him to check if other users in his department were having the same issue, and he told me that
they said No. He is the only user having this issue. After he authenticates, everything is fine.
When the issue is resolved, please configure the corporate intranet as his home page.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
Password: Pa$$w0rd
Domain: Contoso
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Repeat these steps for 6293A-NYC-CL1.
Results: After this exercise, you will have authenticated successfully to the intranet website, without
requiring the user to enter credentials.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. An employee that the organization recently dismissed had used EFS to encrypt files on a domain-
joined portable computer. The user account is deleted from the domain, and no backup of the user
account exists. No specific configuration of EFS has been performed. Can you recover the EFS
encrypted files?
2. You just received a new batch of 10 laptop computers that do not have a TPM. Is it still possible to
protect the hard drive contents by using BitLocker?
3. One of the users in your organization wants to use BitLocker To Go when transporting files between
work and home on a USB flash drive. The user has Windows XP on his computer at home. Is it
practical to use BitLocker To Go when one of the computers is running Windows XP?
4. A user in purchasing accesses various websites to order supplies. She is concerned that her actions on
these sites may be insecure. What two ways can she identify a website as using Secure Sockets Layer
(SSL) to encrypt data communications?
Tools
Module 9
Troubleshooting Operating System and Application Issues
Contents:
Lesson 1: Troubleshooting Application Installation Issues 9-3
Module Overview
Computer users require applications for every task they perform, including editing documents, querying
databases, and generating reports. Supporting the installation and operations of applications is a critical
part of desktop support. To ensure that applications continue to function correctly, and to prevent
security issues, you must also apply updates in a timely way.
Objectives
After completing this module, you will be able to:
Lesson 1
Troubleshooting Application Installation Issues
Most large organizations automate application installation from a central location. However, desktop-
support personnel are involved in application deployment during initial development of the deployment
process and when troubleshooting failed installations. You must know how to identify the reasons why an
application installation fails, and know how to resolve any issues that prevent application installation.
Objectives
After completing this lesson, you will be able to:
Describe application deployment methods.
Deploying applications is a critical part of supporting users. Generally, you should automate the
application deployment process. This simplifies the process from the user's perspective and ensures that every
computer receives the same, approved package.
Manual installation. This method requires that the person installing the application (a user or support
person) know the location of the application setup files, and then initiate the installation. This
method of installation is suitable only when you are installing applications on a small number of
computers.
Group Policy. This method uses a Group Policy object (GPO) to automate application installation from
a network share. You can make applications available for users to select, or you can configure
applications so they install automatically for specific users or on specific computers. To automate the
installation process completely, some applications require you to create a transform file (.mst) that supplies
the installation options.
Microsoft System Center Configuration Manager 2007. This method uses the application deployment
capabilities of Configuration Manager 2007 to automate application installation from a network
share. The main benefits of Configuration Manager 2007, versus deployment by using Group
Policy, are increased flexibility and detailed reporting. You also can use Configuration
Manager 2007 to distribute application updates.
Virtualized applications. With the RemoteApp feature in Windows Server 2008 R2, you can avoid
having applications installed on desktop computers. An icon on the user desktop opens a Remote
Desktop Protocol (RDP) session to a server that hosts the application. The application runs on the
server and is displayed in a window on the user's desktop. This simplifies application updates because you
must update only a single central copy of the application. This method works best with applications that
need to access data in a central location.
Note In Windows Server 2008, the RemoteApp feature was named Terminal Services
RemoteApp (TS RemoteApp).
Inclusion in operating system image. Many organizations include common applications in the base
operating-system image that they deploy on desktop computers. With this method, you can avoid
having a specific deployment process for the application. However, it does result in increased image
maintenance over time as your organization releases application updates and new application
versions.
Application deployment may fail for a variety of reasons, including the configuration of the deployment
process or of the computer on which you deploy the application. Understanding the reasons why
applications fail to deploy helps you resolve the issues preventing installation.
Question: What are some reasons that application deployment or installation may fail?
Many applications require specific operating-system features to function properly. For example, many
applications require a specific version of the .NET Framework. Additionally, some applications use the
functionality of other applications to function properly. For example, some financial applications use
Microsoft Excel to perform calculations.
Documentation. Most vendors provide installation documentation that clearly defines the application
requirements. By reading the documentation before attempting to perform an installation, you can
ensure that all application dependencies are in place.
Contact the vendor. If the vendor does not provide installation documentation that defines the
application requirements, you can request them from the vendor's application support department.
Errors during installation. Most software performs checks during installation to verify that the
computer on which the software is installed meets all application requirements. If an application
dependency is not in place, then the application generates an error to indicate which dependency is
missing.
In most cases, software does not install at all if the application dependencies are not in place. Setup stops,
and the software-installation program generates an error that requests installation of all prerequisites
before another installation attempt occurs. However, some applications install even if the application
dependencies are not met. In those cases, the user encounters errors while operating the software, rather
than during installation.
The ability to resolve application deployment issues depends on your understanding of the issue's cause.
Once you understand why an application is not deploying properly, you can determine the correct
methods to resolve the issue.
Run as Administrator. For application installations that do not properly elevate permissions to
perform installation, you can elevate permissions manually by right-clicking the installation file, and
then selecting Run as Administrator. Elevating runs whatever the installer contains with full administrative
rights, so first confirm that the file came from the vendor and that its digital signature is valid.
Install the necessary dependencies. If you cannot install an application because of missing
dependencies, then you must install the necessary dependencies. If the missing dependency affects
multiple computers, you need to determine the best way to deploy the missing dependency to all
computers. You may need to update the base image, which deploys with the dependency.
Note You can enable Windows features by using Programs and Features in Control Panel, or by
running dism.exe at a command prompt with the /online and /enable-feature options. With the /image option
instead of /online, the same command enables features in an offline image.
Application Compatibility Toolkit (ACT). ACT is a suite of tools that Microsoft provides that simplify
the installation and execution of older applications on newer versions of Windows. One use for ACT is
to generate an inventory of installed applications, and then evaluate whether those applications
experience issues when running on Windows 7. You typically would use ACT during migration to a
new operating system.
Windows Installer is the service in Windows 7 that performs application installations. During application
installation, you may receive error messages, such as:
One source of Windows Installer issues is applications that do not complete installing or uninstalling. In
some cases, restarting the computer may force the operation to proceed. However, you may need to
reinstall or repair the application before you are able to remove it. In a worst-case scenario, you may need
to remove an application manually, including its registry entries.
2. Verify that the Windows Installer service (msiserver) is configured to start manually, and that it starts
without errors.
3. Update to the latest version of Windows Installer.
Msiexec /unregister
Msiexec /register
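Before re-registering Windows Installer or removing an application by hand, it is worth getting the installer to say why it failed: a verbose log names the failing action and usually the missing prerequisite. The following script is an added example and not part of the course. It checks the service as described in the steps above, runs a package with verbose logging, and extracts the context around the first failing action; the package path is a placeholder, and it assumes an elevated prompt.

```powershell
# Added example: run an MSI with verbose logging and pull out the first failure.
$msi = 'C:\Installers\app.msi'   # placeholder path
$log = Join-Path $env:TEMP ('install-' + [IO.Path]::GetFileNameWithoutExtension($msi) + '.log')

function Test-WindowsInstallerService {
    # msiserver should be Manual start and must start without errors
    $svc = Get-WmiObject Win32_Service -Filter "Name='msiserver'"
    if (-not $svc) { throw 'Windows Installer service (msiserver) is missing' }
    if ($svc.StartMode -eq 'Disabled') {
        Write-Warning 'msiserver is Disabled; no MSI can install until it is set back to Manual'
    }
    if ($svc.State -ne 'Running') { Start-Service msiserver }
    $svc.StartMode
}

function Install-MsiWithLog([string]$Path, [string]$LogPath) {
    # /qn = no UI, /l*v = log everything verbosely
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Path`" /qn /l*v `"$LogPath`"" -Wait -PassThru
    $p.ExitCode
}

function Get-MsiFailure([string]$LogPath) {
    # "Return value 3" marks the first action that failed; the lines just before
    # it usually name the custom action or the prerequisite that was missing.
    $lines = Get-Content $LogPath
    $idx = 0
    while ($idx -lt $lines.Count -and $lines[$idx] -notmatch 'Return value 3') { $idx++ }
    if ($idx -ge $lines.Count) { return $null }
    $start = [Math]::Max(0, $idx - 10)
    $lines[$start..$idx]
}

Test-WindowsInstallerService
$code = Install-MsiWithLog $msi $log
# 0 = success, 3010 = success but restart required, 1603 = fatal error during installation
if ($code -ne 0 -and $code -ne 3010) {
    "msiexec exit code $code; context from $log :"
    Get-MsiFailure $log
}
```

Exit code 1603 with a log that stops at a custom action is the typical "installs on one machine, fails on another" symptom; compare the ten lines before the failure on both machines to find the missing dependency.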
In rare cases, it is possible that another application that is running is preventing the softwares installation
or removal. You can disable services and applications that start automatically to attempt to identify a
problem application.
AppLocker is one way to control application installation. AppLocker Windows Installer rules control which
.msi and .msp files can run, based on file path, publisher, or file hash. The default Windows Installer rules are:
Allow members of the Everyone group to install all digitally signed Windows Installer files.
Allow members of the Everyone group to install all Windows Installer files in
%systemdrive%\Windows\Installer.
Allow members of the Administrators group to install all Windows Installer files.
Note that the first default rule allows any package that carries a valid signature from any publisher, not
only from publishers you approve. Replace it with publisher rules for the specific vendors you deploy if you
rely on AppLocker to keep unapproved software off the computers.
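The AppLocker PowerShell module on Windows 7 lets you test a package against the effective policy and generate a rule scoped to its actual publisher, which is the practical way to tighten the default "all signed" rule. The following script is an added example rather than course material. It assumes Windows 7 Enterprise or Ultimate (where AppLocker is available), a placeholder path for the XML Notepad package used in this practice, and the Contoso\Sten account from this course; it also serves the "Reconfigure AppLocker rules" item in the next lesson, since the same steps apply when a legitimate application is being blocked.

```powershell
# Added example: test an MSI against the effective AppLocker policy and build
# a publisher rule for that package instead of "any signed Windows Installer file".
Import-Module AppLocker

$msi = 'C:\Installers\XmlNotepad.msi'   # placeholder path

# 1. Rules are only enforced while the Application Identity service is running
if ((Get-Service AppIDSvc).Status -ne 'Running') {
    Write-Warning 'AppIDSvc is not running; AppLocker rules have no effect on this computer'
}

# 2. Would this user be allowed to run the installer under the effective policy,
#    and which rule decides it? PolicyDecision is Allowed or Denied.
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $msi -User 'Contoso\Sten' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. What AppLocker can see in the file: publisher (empty if unsigned) and hash
$info = Get-AppLockerFileInformation -Path $msi
$info.Publisher    # PublisherName, ProductName, BinaryName, BinaryVersion
$info.Hash

# 4. Generate a rule for Everyone scoped to this publisher/product, falling back
#    to a hash rule if the package is unsigned, and save it for review.
$rulePolicy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Installers' -Optimize
$ruleFile = Join-Path $env:TEMP 'installer-rule.xml'
$rulePolicy.ToXml() | Out-File $ruleFile -Encoding UTF8

# 5. After reviewing the XML, merge it into the local policy (uncomment to apply):
# Set-AppLockerPolicy -XmlPolicy $ruleFile -Merge
```

Review the generated XML before merging: a publisher rule generated with -Optimize is written at the product level, so it will also allow future versions from the same publisher, which is usually what you want for updates but is broader than a hash rule. Prefer publisher over path rules, because a path rule is only as strong as the permissions on that folder.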
In this practice, you will use Group Policy to deploy an application and configure AppLocker rules for
Windows Installer.
Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice,
you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Detailed Steps
2. At the command prompt, type net share software=D:\Labfiles\Mod09\Software and press Enter.
4. Click Start, point to Administrative Tools, and then click Group Policy Management.
6. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
7. In the New GPO window, in the Name box, type Software, and then click OK.
9. In the Group Policy Management Editor window, under User Configuration, expand Policies, and
then expand Software Settings.
10. Right-click Software installation, point to New, and then click Package.
11. In the Open window, browse to \\NYC-DC1\Software, click XmlNotepad.msi, and then click Open.
12. In the Deploy Software window, click Assigned, and then click OK.
Note You have assigned the application to all of the organization's users. Installation is triggered
when a user opens a file with an extension that the application registers, or the user can trigger it
manually from Programs and Features.
3. In the Application Identity Properties window, select the Define this policy setting check box, click
Automatic, and then click OK.
Note The Application Identity Service is required to evaluate AppLocker rules. If this service
is not running, then AppLocker rules have no effect.
3. In the Overview area, click Windows Installer Rules. Notice that no rules are configured
automatically.
4. Right-click Windows Installer Rules, and then click Create Default Rules.
2. At the command prompt, type gpupdate /force, and then press Enter.
5. Click Start, type Programs, and then click Programs and Features.
6. In the Programs and Features window, click Install a program from the network.
7. Right-click XML Notepad 2007, and then click Install. Notice that the installation process begins.
8. In the XML Notepad 2007 Setup window, click Cancel, and then click Yes.
Lesson 2
Troubleshooting Application Operations Issues
An application operation issue is any instance in which an application is not operating as a user expects.
Desktop-support personnel should identify the source of an application operation issue, and then resolve
it.
Objectives
After completing this lesson, you will be able to:
An application operation issue is any situation in which an application does not perform properly from the
user's perspective. Some of the issues that you or your users may encounter include:
Missing features. Many applications let you select which features to install. An application's
default installation options may not include the features that all users require.
Poor performance. Applications may run slower than users expect. This can happen either when users
perform a specific task or during regular application use.
Errors. Any error that the application displays on-screen is an application operation issue.
Incorrect database connection settings. Some applications use a backend database as a data store. If
you do not configure the connection to the database correctly, the application cannot function
correctly.
Application blocking by AppLocker. You can configure AppLocker to allow or block applications on
Windows 7 computers. If AppLocker is blocking a legitimate application, then you must try to resolve
the issue.
Issues with application operations impact users' ability to perform their jobs. You must identify and
troubleshoot these issues as quickly and as accurately as possible.
Before you deploy an application widely, you should put it through a testing process that includes
common user activities. Desktop-support staff often performs this testing. During testing, the application
may not function as you expect, which triggers the need for further troubleshooting.
After you deploy an application, users are the most common source for information about issues with
application operations, because they report their computer-related issues to the help desk.
When you investigate issues with application operations, you can use both on-screen error messages and
event logs. In some cases, these provide enough information to resolve the issue. In other cases, you may
need to perform more research.
Additional research may include:
Your success in resolving an issue with application operations depends on your accuracy in defining the
issue, and then determining how to resolve it. Some ways to resolve issues with application operations
include:
Install a needed feature. If an application feature that a user requires is missing, then you can install it.
Ultimately, you must determine if other users require that feature, and determine the best way to
accommodate them. You might need to update the application's installation process or update an
operating-system image that contains the application.
Reconfigure an application. If you configure an application incorrectly, you can reconfigure it so that
it meets the defined specifications. If multiple users require the reconfiguration, you need to
determine the best way to update multiple computers. You may decide to update Group Policy,
update the application deployment process, or update an operating-system image that contains the
application.
Apply application updates. Application updates resolve application operation issues that the
application's vendor identifies, and they close security vulnerabilities that the vendor has fixed. Installing
application updates in a timely way may prevent some issues with application operations from occurring in
your environment, and may also resolve performance issues.
Upgrade the application to a newer version. Some issues with application operations require you to
upgrade to a newer version of the application. For example, to increase performance and access more
memory, you may need to upgrade an application to a 64-bit version. New features also are available
in newer versions. Depending on how you license the application, there often is a fee associated with
obtaining a newer version of an application.
Identify performance issues and bottlenecks. Performance issues that users report typically
are very vague. You need to define the source of a performance issue accurately by using tools such
as Performance Monitor. Improving performance may require hardware upgrades, or you may recommend
that users run fewer applications simultaneously on the computer. You also may need
to adjust users' performance expectations.
Reconfigure AppLocker rules. If AppLocker rules are preventing a legitimate application from running,
you must reconfigure those rules to allow the application to run, by allowing the application's path, its
publisher, or its hash value. Prefer a publisher or hash rule over a path rule when the application's folder is
writable by users, because a path rule would then allow anything they copy into that folder.
The ACT is a set of tools that you can use to inventory applications, analyze compatibility of applications,
and mitigate compatibility issues. Organizations typically use ACT when planning a new operating-system
deployment, to ensure that all applications function properly. Its components include:
The Compatibility Administrator, which provides compatibility fixes (previously known as shims) that
enable older applications to run on newer Windows versions.
The Setup Analysis Tool, which monitors an applications installation process and identifies issues that
relate to installation.
The Internet Explorer Compatibility Test, which monitors web-based applications, and then identifies
issues that newer versions of Windows Internet Explorer experience.
The Standard User Analyzer (SUA) identifies any issues that relate to running an application as a
standard user.
The Update Compatibility Evaluator identifies any issues that relate to implementing new Windows
updates.
ACT includes the Standard User Analyzer Wizard that you can use to determine whether applications run
correctly for a standard Windows 7 user. The Standard User Analyzer Wizard monitors an application
when you run it. If the application experiences errors, then the Standard User Analyzer Wizard creates
mitigations that allow the application to run properly. You then can distribute the mitigations to all
computers that will use that application.
In this practice, you will capture and test mitigations for the Stock Viewer application.
Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.
Detailed Steps
Note Stock Viewer is a demonstration application that ACT includes. However, this
demonstration uses the same process that you would use to resolve issues with any
application.
2. Click Start, point to All Programs, click Microsoft Application Compatibility Toolkit, click Demo
Application, and then click Stock Viewer.
2. In the Standard User Analyzer Wizard window, click Browse for Application, browse to
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Demo Application\StockViewer,
click StockViewer, and then click Open.
3. Click Launch.
4. In the User Account Control window, provide the credentials NYC-CL1\WSAdmin with a password of
Pa$$w0rd. Click Yes.
6. Click the Trends button, and then click OK to clear the error message.
2. In the Save Mitigations As msi package window, in the left pane, click Desktop and then click Save.
5. Review the files on the desktop. StockViewer.exe.msi is on the desktop. This file contains the
mitigations that allow StockViewer.exe to run.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Lesson 3
Applying Application and Windows Updates
Objectives
After completing this lesson, you will be able to:
Discuss why application updates are important.
All organizations have a wide variety of applications. You must be aware of how your organization
provides software updates to both applications and operating systems.
By using Automatic Updates. Automatic Updates downloads updates for Windows 7 and some
common Windows applications such as Microsoft Office 2010. Using Automatic Updates enables you
to ensure that updates are downloaded and applied automatically, on a specific schedule. The
drawback of Automatic Updates is that there is no approval process to ensure that an update does
not negatively impact applications in your organization.
By using WSUS. WSUS is an automated solution that downloads updates from Microsoft Update, but
does not deliver them to computers until an administrator approves the updates. This gives you the
opportunity to test updates before they are applied.
By using Configuration Manager 2007 or other third-party tools. Configuration Manager 2007 and
other third-party tools provide an automated way to deploy updates that are available from
Microsoft Update and other vendors.
By using application-specific update tools. Many vendors include update functionality in their
applications. These tools help the update process by prompting users to install updates. However, in
many cases, standard users do not have the necessary permissions to install updates. Also, users may
decline updates if they do not understand the prompts.
WSUS is a scalable solution for distributing Windows updates and application updates. Depending on
your organization's needs, you can install WSUS on a single server, or you can configure it in a hierarchy
of WSUS servers.
3. The pilot group of computers downloads and applies updates from WSUS.
4. Updates are approved for all computers.
The approval requirement for updates provides administrators with an opportunity to test updates, and to
ensure that a new update does not have a negative impact on existing applications. Microsoft rigorously
tests the updates available on Microsoft Update, but is not able to replicate and test all environments. You
should pay special attention to negative impacts from updates on any custom software and unique
software that your organization develops internally.
Another method that you can use to control the update process is to organize computers into multiple
computer groups, which is useful for controlling the distribution of updates to specific workgroups or
computer types. For example, you could create a computer group for servers, and then create another
group for Windows client computers. You then could approve the update either separately for each
computer group, or for all computers.
Windows 7 includes Automatic Updates, which is a built-in tool that allows computers to download and
apply software updates automatically. In the default configuration, Automatic Updates obtains the
updates from Microsoft Update, which provides Windows and application updates from Microsoft's
website.
After you implement WSUS, clients do not automatically begin using the WSUS server for updates. You
must configure clients to use the WSUS server as a source for updates, rather than Microsoft Update. To
configure clients to use the WSUS server, use a GPO in Computer Configuration\Policies
\Administrative Templates\Windows Components\Windows Update. You can use a GPO to configure:
WSUS Administration
You use the Update Services administrative tool to administer WSUS. This tool is installed on the WSUS
server as part of the WSUS installation process.
The nodes in Update Services let you configure various aspects of WSUS, including:
Updates. This node allows you to view and manage the updates that WSUS identifies. You can control
whether WSUS downloads updates, identify where WSUS applies updates, and approve updates for
installation.
Computers. Computers that contact the WSUS server appear in this node. After a computer is visible
in this node, you can place the computer into a computer group.
Downstream Servers. This node is useful for larger organizations that want to configure
synchronization of updates between WSUS servers. This enables you to have a central point to which
WSUS downloads all updates and then distributes them to other WSUS servers.
Synchronizations. This node provides status information about synchronization attempts with
Microsoft Update. You should check this node if new updates are not appearing in the updates node.
Reports. This node provides a variety of reports detailing where updates have been installed.
Options. This node enables you to configure various WSUS settings, including for which products you
want to download updates, and how often synchronization occurs.
You can use Windows Update in Control Panel to manage the updates that are applied to a computer
running Windows 7. In most organizations, the configuration of Windows Update is managed by using
Group Policy. However, there may be some cases where mobile computers or computers in remote sites
are configured manually.
Windows Update includes the following options:
Check for updates. In most cases, updates are downloaded daily on a schedule, but you can force
Windows Update to check for updates if you believe a new update is available and you want to
download it immediately.
Change settings. The settings for Windows Update define the download and install schedule. In most
cases the updates install after hours, when no users are working on the computers.
View update history. This option allows you to view all of the updates that successfully installed on
the computer, and those that failed to install properly. For each update listed, you can view details
about it and a brief description of the installed update. The details contain a link to a more detailed
description on Microsoft's website that you can use during troubleshooting.
Restore hidden updates. You can choose not to install an update, as long as the update is available
and is not set to automatically install. After you do this, the update becomes hidden and no longer
appears in the list of available updates. If you decide later that the update should be installed, you
can use the restore hidden updates option to make it visible and available for installation.
Installed Updates. You can use this option to display a list of all updates that you installed on the
computer, including the installation date for each update. Installed Updates also gives you the option
to uninstall each update. Typically, you should only uninstall updates when you believe a
recently installed update is causing issues with Windows 7 or an application.
You typically use the options in Windows Update during troubleshooting, or use them for computers that
are not using WSUS for updates. Updates that are installed by WSUS can also be uninstalled by WSUS.
When Windows Update is not working properly, new updates are not applied to computers running
Windows 7. This can result in security issues and prevent stability issues from being resolved.
1. Verify that Windows Update is enabled. Windows Update must be enabled for updates to be
downloaded and applied. If your organization is using a GPO to configure Windows Update and it is
not enabled, then you must determine why the GPO is not being applied properly.
2. Verify that updates are being installed automatically. To ensure that users do not need to choose
manually when to install updates, configure updates to install automatically.
3. Verify that recommended updates are being installed. If recommended updates are not configured to
be installed then only critical updates are installed. This means that many updates are missed.
If you are using WSUS to distribute updates, you should also perform the following steps:
1. Verify that the client is registered on the WSUS server. A WSUS server can only distribute updates to
registered clients. Clients are registered the first time they communicate with the WSUS server. If the
client is not registered, then it is likely not configured correctly for communication with the WSUS
server.
2. Verify that the client is configured in the appropriate computer group. WSUS updates are approved
for specific computer groups. If a client computer is in the wrong computer group, then it will not
obtain the appropriate updates.
3. Verify that an update has been approved for the appropriate computer group. If the update has not
been approved for the correct computer group then it will not be installed on client computers.
4. Verify that the WSUS server is reachable over the network. If the WSUS configuration appears to be
correct, there may be a network problem that is preventing Windows 7 from communicating with the
WSUS server.
To verify connectivity to Windows Update or a WSUS server, you can use the command wuauclt.exe
/detectnow which forces the immediate detection of available updates. Also, you can use
wuauclt.exe /resetauthorization to force a client to detect group-membership changes
immediately on the WSUS server rather than waiting for WSUS to detect the changes, which can take
up to one hour.
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Repeat steps 2 and 3 for 6293A-NYC-CL1 and 6293A-NYC-CL2.
Lab Scenario
The help desk has received a number of trouble tickets that relate to applications. Because you are the
desktop-support technician that has the most experience with application issues, the tickets have been
assigned to you.
Note Some of the tasks that you perform to complete this exercise may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.
Supporting Documentation
Incident Record
Incident Reference Number: 603193
Incident Details
Client computers and servers are not obtaining Windows updates from the new WSUS server.
Additional Information
The new WSUS server is implemented, and it is successfully downloading updates from Microsoft
Update. However, the updates are not being delivered to client computers.
We recently blocked access to Microsoft update for client computers to ensure that they were using
the WSUS server for updates.
You can force connectivity to the WSUS server by running wuauclt.exe /detectnow on the client
computer.
You can verify that the client connected to the WSUS server by checking the WindowsUpdateClient
event log for Event ID 26. You also can verify that the computer is listed in the Windows Automatic
Updates Services administrative tool on NYC-DC1.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on by using the following credentials:
Password: Pa$$w0rd
Domain: Contoso
Results: After this exercise, you will have resolved the issue with Windows updates.
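The client-side checklist above (Windows Update enabled, automatic installation, recommended updates, WSUS configuration, server reachability, wuauclt.exe /detectnow and Event ID 26) can be scripted. The following PowerShell script is an added example, not part of the course or of Microsoft's tooling: it reads the registry values that the Windows Update GPO writes, tests the WSUS URL, triggers detection, and looks for Event ID 26. The event log name Microsoft-Windows-WindowsUpdateClient/Operational and reading AUOptions value 4 as "auto download and schedule the install" are assumptions to verify in your environment.

```powershell
# Added example (not course or Microsoft code). Run in an elevated PowerShell
# prompt on the Windows 7 client. Written for PowerShell 2.0 (New-Object PSObject
# rather than [pscustomobject]).

# Registry keys written by Computer Configuration\Policies\Administrative
# Templates\Windows Components\Windows Update.
$WUPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AUPolicy = "$WUPolicy\AU"

function Get-WUClientPolicy {
    # Returns the policy values that matter for the troubleshooting checklist.
    $wu = Get-ItemProperty -Path $WUPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AUPolicy -ErrorAction SilentlyContinue
    $group = $null
    if ($wu.TargetGroupEnabled -eq 1) { $group = $wu.TargetGroup }   # client-side targeting
    New-Object PSObject -Property @{
        WUServer                  = $wu.WUServer       # "Specify intranet Microsoft update service location"
        WUStatusServer            = $wu.WUStatusServer
        UseWUServer               = $au.UseWUServer    # 1 = use the WSUS server above, not Microsoft Update
        TargetGroup               = $group
        NoAutoUpdate              = $au.NoAutoUpdate   # 1 = Automatic Updates disabled
        AUOptions                 = $au.AUOptions      # 4 = auto download and schedule the install (assumption)
        IncludeRecommendedUpdates = $au.IncludeRecommendedUpdates  # 1 = recommended updates included
    }
}

function Test-WUClientPolicy {
    # Evaluates the policy against the checklist and returns a list of findings
    # (no output means nothing obviously wrong on the client side).
    $p = Get-WUClientPolicy
    $findings = @()
    if ($p.NoAutoUpdate -eq 1) { $findings += 'Automatic Updates is disabled by policy (NoAutoUpdate=1).' }
    if ($p.AUOptions -ne 4) {
        $findings += "Updates are not set to install automatically (AUOptions=$($p.AUOptions); expected 4)."
    }
    if ($p.IncludeRecommendedUpdates -ne 1) {
        $findings += 'Recommended updates are not included; only critical updates will install.'
    }
    if ($p.UseWUServer -ne 1 -or -not $p.WUServer) {
        $findings += 'Client is not configured to use a WSUS server; it will try Microsoft Update instead.'
    } else {
        # Step 4 of the checklist: is the WSUS server reachable over the network?
        $uri = [Uri]$p.WUServer
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($uri.Host, $uri.Port) }
        catch   { $findings += "Cannot reach WSUS server $($uri.Host) on TCP port $($uri.Port): $($_.Exception.Message)" }
        finally { $tcp.Close() }
    }
    $svc = Get-Service -Name wuauserv
    if ($svc.Status -ne 'Running') { $findings += "Windows Update service (wuauserv) is $($svc.Status)." }
    return $findings
}

function Invoke-WUDetection {
    # Forces detection and re-reads WSUS computer-group membership, waits briefly,
    # then returns the most recent Event ID 26 entries, which the incident record
    # uses as confirmation that the client contacted the WSUS server.
    param([int]$WaitSeconds = 60)
    & "$env:windir\system32\wuauclt.exe" /resetauthorization /detectnow
    Start-Sleep -Seconds $WaitSeconds
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 26 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$issues = @(Test-WUClientPolicy)
if ($issues.Count -eq 0) {
    'No client-side policy problems found; forcing detection.'
    Invoke-WUDetection
} else {
    $issues
}
```

If no Event ID 26 appears after detection, check the Computers node in Update Services on NYC-DC1 and the computer group the client landed in, as the checklist steps 1 to 3 describe.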
Note Some of the tasks that you perform to complete this exercise may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.
Supporting Documentation
Incident Record
Incident Reference Number: 603210
Incident Details
Unauthorized applications are being used on computers.
Additional Information
We have recently implemented AppLocker policies to control the use of applications. In testing, the
default rules were configured, which prevented most unauthorized applications from running.
A manager has reported that several of his staff are playing games that are not authorized. It appears
that the users have brought in the games on USB flash drives.
I browsed Adam Carter's profile on NYC-CL1, and he has a game stored in the Downloads folder.
Please identify why these are not being blocked in production like they were in testing.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
2. Run the D:\Labfiles\Mod09\Scenario3.vbs script. NYC-CL1 will reboot when you run this script.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: After this exercise, you will have prevented unauthorized applications from starting.
Note Some of the tasks that you perform to complete this exercise may not typically be
the responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.
Supporting Documentation
Incident Record
Incident Reference Number: 603220
Incident Details
An authorized application is not able to run.
Additional Information
After resolving incident 603220, it appears that a legitimate application is being blocked. The
Marketing Manager is reporting that Adam is no longer able to run his game on NYC-CL1, but now
also cannot run an XML editing application. The executable for this application is located in
C:\XMLNotepad.
Please identify why the application is not running, and then resolve the issue.
Plan of Action
Resolution
2. Update the Plan of Action section of the Incident Record with your recommendations.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Contoso
Results: After this exercise, you will have resolved the problem with application startup.
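For incidents 603210 and 603220, the questions are the same: is AppLocker actually enforcing on NYC-CL1, and what does the effective policy decide for a given file and user? The following PowerShell script is an added example, not part of the course or of Microsoft's tooling; it uses the AppLocker module that ships with Windows 7. The user name CONTOSO\Adam, the Downloads path and the executable names under C:\XMLNotepad are placeholders, since the incident records do not give them.

```powershell
# Added example (not course or Microsoft code). Run in an elevated PowerShell
# prompt on NYC-CL1; PowerShell 2.0 syntax.
Import-Module AppLocker

function Get-AppLockerEnforcementStatus {
    # AppLocker blocks nothing unless (a) the rule collection is set to enforce
    # rather than audit, and (b) the Application Identity service (AppIDSvc) is
    # running. Both are worth checking before reading individual rules.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcStatus = 'NotInstalled'
    if ($svc) { $svcStatus = $svc.Status.ToString() }
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in @($xml.AppLockerPolicy.RuleCollection)) {
        if (-not $rc) { continue }                      # no rule collections at all
        New-Object PSObject -Property @{
            Collection      = $rc.Type                  # Exe, Dll, Script, Msi
            EnforcementMode = $rc.EnforcementMode       # NotConfigured, AuditOnly, Enabled
            RuleCount       = @($rc.ChildNodes).Count
            AppIDSvc        = $svcStatus
        }
    }
}

function Test-AppLockerFiles {
    # Asks the effective policy what would happen if $User launched each .exe
    # under $Directory. PolicyDecision is Allowed, Denied, AllowedByDefault
    # (no rules in the collection) or DeniedByDefault (rules exist, none match).
    param(
        [Parameter(Mandatory = $true)][string]$Directory,
        [Parameter(Mandatory = $true)][string]$User
    )
    $policy = Get-AppLockerPolicy -Effective
    Get-ChildItem -Path $Directory -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { $policy | Test-AppLockerPolicy -Path $_.FullName -User $User } |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerBlockEvents {
    # 8004 = blocked, 8003 = would have been blocked but the collection is in
    # audit-only mode. A run full of 8003 events explains "not blocked in
    # production" without any rule being wrong.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Incident 603210: is enforcement on, and what does the policy say about the game?
Get-AppLockerEnforcementStatus | Format-Table Collection, EnforcementMode, RuleCount, AppIDSvc -AutoSize
Test-AppLockerFiles -Directory 'C:\Users\Adam\Downloads' -User 'CONTOSO\Adam'   # placeholder paths
Get-AppLockerBlockEvents -Last 10

# Incident 603220: why is the XML editor in C:\XMLNotepad denied for the same user?
Test-AppLockerFiles -Directory 'C:\XMLNotepad' -User 'CONTOSO\Adam'
```

A DeniedByDefault decision for C:\XMLNotepad tells you that no rule covers that folder, which is expected when only the default rules (Program Files and Windows) exist; the fix is a rule for that path or publisher, not a change to enforcement.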
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Review Questions
1. Your manager has provided you with a new application that you need to install for users in the
Production department. To ensure that you can install it on all the computers, you need a list of
installation prerequisites. Where can you find the prerequisites?
2. A colleague is concerned that because standard users cannot install applications, you then cannot
automate installation. Why is this not a concern?
3. A new application has been deployed for Marketing department users. For several users, the
application is not starting, and then it closes silently. What sources will you use to determine the
problem's source?
4. Before deploying Windows 7 computers to the Marketing department, you find during testing that an
older application experiences errors. What can you use to help identify the problem's source and
mitigate it?
5. Your organization implements many non-Microsoft applications. A colleague has proposed using
WSUS to deploy application and operating-system updates. Are there any potential issues that may
arise if you use WSUS?
Tools
Application Compatibility Toolkit
Use: Identifying and mitigating older applications that do not run properly on Windows 7
Availability: You must install additional software
Windows Server Update Services
Use: Deploying updates to computers
Availability: Role installed on Windows Server 2008
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Incident Details
Adam Carter has reported that his computer will not start properly.
Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partly through
the process. Since then, his computer displays the following error message when it starts:
Plan of Action
1. Visit with the user, and view the error on his computer.
2. Insert the product DVD, and restart the computer.
3. Use Microsoft Windows Recovery Environment (RE) to recover the startup environment
automatically.
Password: Pa$$w0rd
2. On your host computer, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection dialog
box, on the Media menu, point to DVD Drive, and then click Insert Disk.
3. In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\6293\Drives\Windows7.iso, and then click Open.
4. On the Action menu, click Turn Off. In the dialog box, click Turn Off.
6. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
9. In the System Recovery Options dialog box, click Repair and restart.
10. Log on by using the following credentials:
Password: Pa$$w0rd
Resolution
1. Corrupted BCD resulted in failure to start correctly.
Results: At the end of this exercise, you will have resolved the startup problem and documented your
solution.
Lab: Troubleshooting Startup Issues L2-3
Incident Details
Martin contacted the help desk after attempting to install a new hard disk driver.
Since the attempt, his computer does not start correctly.
Additional Information
Help-desk staff recorded the following message:
A problem has been detected, and Windows has been shut down to prevent damage to your
computer.
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers.
Technical information:
*** STOP: 0x0000007B (0x8078BB58,0xC0000034,0x0000000,0x00000000)
Plan of Action
1. Visit the user, and attempt to recreate the problem on his computer.
2. Based on the error, use one of the following tools to recover the system: Safe Mode, Windows RE,
Last Known Good, and similar tools.
Note If the Advanced Boot Options menu does not display, ask your instructor for
assistance.
5. Select Last Known Good Configuration (advanced), and then press Enter.
Resolution
1. Used Last Known Good Configuration to recover.
Results: At the end of this exercise, you will have resolved the startup problem and documented your
solution.
Incident Details
User reports that research lab configuration is not being applied properly to a new computer named
NYC-CL1.
Additional Information
User reports that a new computer being used in the research computer lab is not configured properly.
All other computers in the lab, such as NYC-LAB1, have the standardized settings applied properly.
I have verified that the computer is properly joined to the domain.
Looking at NYC-LAB1, I can see that there is a desktop shortcut for the Analysis application. If this icon
appears on the desktop, then we know that the settings are being applied properly. This setting should
apply regardless of the user that logs on.
Plan of Action
1. Verify configuration for NYC-LAB1, and ensure that NYC-CL1 has the same configuration.
2. Resultant Set of Policy (RSoP) from Group Policy Modeling will provide configuration information
for NYC-LAB1.
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In Active Directory Users and Computers, expand Contoso.com, and then click Computers.
6. In the Move window, expand Research, click Lab, and then click OK.
8. Restart NYC-CL1.
10. Verify that the desktop shortcut for the Analysis application exists.
Resolution
1. RSoP from Group Policy Modeling indicates that NYC-LAB1 has a Group Policy object (GPO) named
ResearchLab applied. ResearchLab GPO is linked to Contoso.com/Research/Lab.
2. NYC-CL1 is located in the Computers container, and will not apply the ResearchLab GPO.
3. Moved NYC-CL1 computer account to the Contoso.com/Research/Lab, and then rebooted the
computer.
Results: At the end of this exercise, you will have resolved the GPO application problem.
Lab: Using Group Policy to Centralize Configuration L3-7
Incident Details
User reports that his drive mapping has not been updated with the new file share for his department.
Additional Information
The user (Alan) is not receiving the drive mapping (R:) for the new research department share on his
computer NYC-CL2.
Other people in his department are not experiencing any issues. I have checked with the Active
Directory administrators, and his computer account is in the correct OU. So the location of the
computer account is not an issue.
I also verified that he can manually access the files by using the UNC path at \\NYC-DC1\Research.
We rebooted the computer with no improvement.
Plan of Action
1. Visit the user's computer and attempt to determine why the new policy is not being applied.
2. First, run gpupdate.exe to see the error.
4. In the System window, in the Computer name, domain, and workgroup settings area, click Change
settings.
5. In the System Properties window, on the Computer Name tab, click Change.
11. In the System Properties window, on the Computer Name tab, click Change.
14. In the Windows Security window, log on as Administrator with a password of Pa$$w0rd.
21. Verify that the drive letter R: is mapped to the research share.
Resolution
1. Ran GPUpdate, and saw error related to processing for computer account.
2. Group Policy event log indicated that account information could not be retrieved.
3. The System event log had a NETLOGON error indicating that the computer password may be a problem.
4. Rejoined the domain, and the problem is resolved; the user had been logging on with cached credentials.
Results: At the end of this exercise, you will have resolved the GPO application problem.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Incident Details
User reports that his computer mouse is nonfunctional.
Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway through
the process.
I visited the user's computer and was unable to resolve the problem, as the mouse was totally
nonfunctional.
System Restore unavailable as currently disabled.
Plan of Action
Visit the user's computer, and attempt to resolve the problem by trying driver rollback, if necessary, in
Safe Mode.
3. Press the Windows key, and in the Search box, type Device Manager, and then press Enter.
4. Press Tab.
5. Use the cursor keys to navigate to Microsoft PS/2 Mouse.
6. Press Alt+Enter.
7. In the Microsoft PS/2 Mouse Properties dialog box, press Tab until the General tab is highlighted.
9. Press Alt+U.
12. Press the Windows key, and in the Search box, type shutdown /r, and then press Enter. Wait while
the NYC-CL1 computer restarts.
Resolution
1. Last Known Good, Safe Mode unsuccessful.
2. Driver roll back and System Restore both unavailable.
4. Suggest we enable System Restore on all computers, and control driver installation for users.
Results: At the end of this exercise, you will have resolved the hardware problem.
Lab A: Resolving Hardware Device and Device Driver Issues L4-11
3. Answer the questions in the Group Policy object (GPO) Planning Document.
Date March 5
Details
Update GPO settings to:
Restrict all users to be able to install only printer drivers.
Enable Research Department users to install printers, mice, and keyboard device drivers.
Do not restrict administrators from installing any drivers.
Additional Information
Use as few GPOs as possible
Plan of Action
1. How many GPOs do you envision using?
Answers will vary, but two could be used. The Default Domain Policy could support the all users
restriction and the administrator nonrestriction. A new GPO could be used to support the Research
Department requirements.
2. To which containers will you link these GPOs?
The Default Domain Policy is linked to the Contoso.com domain. The new GPO could be linked to
the Research Department organization unit (OU).
3. How do you plan to configure the restriction for all users?
Configure the Default Domain Policy to enable installation of printers by using the Allow non-
administrators to install drivers for these device setup classes setting.
4. How will you accommodate the requirement to support the Research Department's needs?
Either install the drivers into the driver store on each Research department computer, or configure
the Research GPO to permit installation of drivers that match the globally unique identifier (GUID) of the
specified setup classes for mouse, printer, and keyboard. Use this setting: Allow installation of devices
using drivers that match these device setup classes.
5. How will you accommodate the administrator requirement?
Configure the Allow administrators to override Device Installation Restrictions policies setting in the
Default Domain Policy.
L4-12 Module 4: Troubleshooting Hardware Device, Device Driver, and Performance Issues
Note Some of the tasks you perform to complete this exercise may not be part of a Tier 2
support person's responsibilities; however, it is useful to see the completed scenario.
1. Switch to NYC-DC1.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain
Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies,
Administrative Templates, System, Device Installation, and then click Device Installation
Restrictions.
2. In the Allow installation of devices using drivers that match these device setup classes dialog
box, click Enabled, and then click Show.
4. Click Start, and in the Search box, type \\NYC-CL1\d$\Labfiles\Mod04\fax, and then press Enter.
7. Select the GUID including the {} brackets, and then copy it.
8. Close Notepad.
10. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID.
3. Right-click Research, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type Research Department device settings, and
then click OK.
5. Expand Research, right-click Research Department device settings, and then click Edit.
7. In the right pane, double-click Allow installation of devices using drivers that match these
device setup classes.
8. In the Allow installation of devices using drivers that match these device setup classes dialog
box, click Enabled, and then click Show.
10. Switch to Windows Explorer, and in the address bar, click Mod04.
14. Select the GUID including the {} brackets, and then copy it.
15. Close Notepad.
17. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID
into it.
18. Switch to Windows Explorer, and in the address bar, click Mod04.
22. Select the GUID including the {} brackets, and then copy it.
25. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID
into it. Notice that this is the same setup class GUID.
Note Due to restrictions within the virtual machine environment, you cannot properly test
these restrictions.
Results: At the end of this exercise, you will have planned and implemented GPO to support the device
installation requirements.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
2. Click Start, and in the Search box, type Performance, and then press Enter.
4. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
5. In the Create new Data Collector Set wizard, on the How would you like to create this new data
collector set? page, in the Name box, type Contoso Baseline.
7. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
8. On the Which performance counters would you like to log? page, in the Sample interval box,
type 1, and then click Add.
9. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
10. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
11. In the Available counters list, expand Physical Disk, select % Disk Time, and then click Add.
12. Under Physical Disk, select Avg. Disk Queue Length, and then click Add.
13. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
14. In the Available counters list, expand System, select Processor Queue Length, click Add, and then
click OK.
15. On the Which performance counters would you like to log? page, click Next.
16. On the Where would you like the data to be saved? page, click Next.
17. On the Create the data collector set page, click Finish.
18. In Performance Monitor, in the navigation pane, right-click Contoso Baseline, and then click Start.
19. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word
2007.
20. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Excel
2007.
21. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office
PowerPoint 2007.
22. Close all open Microsoft Office applications, and then switch to Performance Monitor.
23. In the navigation pane, right-click Contoso Baseline, and then click Stop.
L4-16 Module 4: Troubleshooting Hardware Device, Device Driver, and Performance Issues
2. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
Incident Details
Dylan contacted the help desk to report problems with his computer. It has been running slowly, and
application processes that used to take a few seconds now take much longer.
Additional Information
We must determine which components are affected in Dylan's computer, and then make
recommendations about how to solve or mitigate these performance bottlenecks.
Plan of Action
Visit the computer, and run performance-monitoring tools to ascertain which components (memory,
disk, CPU, and network) are bottlenecked. Gathering statistics by using the existing Contoso Baseline
data collector set enables us to compare current data to that collected previously.
Tools to use:
Resource Monitor to gain a quick insight into what's going on.
Performance Monitor data collector sets and reports.
Lab A: Resolving Hardware Device and Device Driver Issues L4-17
2. Switch to Performance Monitor. In the navigation pane, right-click Contoso Baseline, and then click
Start.
3. After a few minutes, close the two instances of C:\Windows\System32\cmd.exe that the script
launched.
5. In the navigation pane, right-click Contoso Baseline, and then click Stop.
6. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Contoso Baseline, and then click on the second report that has a name that begins with NYC-CL1_.
7. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
Answer: The script is affecting the memory, and the disk. However, no resources are
approaching limits, although paging is becoming excessive.
9. Complete the resolution section of the incident record with your recommendations. If asked to do so,
discuss your results with the class.
Resolution
Add processor capacity to the computer, or run the programs on a more powerful computer. Adding
memory would be beneficial.
Results: At the end of this exercise, you will have determined the components affected on the user's
computer, and then discussed solutions and mitigations with the class.
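As an added example (not part of course 6293A), the following PowerShell samples the same six counters the Contoso Baseline data collector set logs, or reads a saved .blg from an earlier run, and flags the components whose sustained average exceeds a threshold. The thresholds, the 60-second window and the log path are assumptions of this example, not values from the course.

```powershell
# Added example, not part of course 6293A. Samples the six counters the Contoso
# Baseline data collector set records (sample interval 1 second) and compares
# the averages against ASSUMED rule-of-thumb thresholds.

$BaselineCounters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

# ASSUMED thresholds for a sustained average; tune them to your own baseline.
$AssumedThresholds = @{
    '\Memory\Pages/sec'                            = 20
    '\PhysicalDisk(_Total)\% Disk Time'            = 50
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
    '\Processor(_Total)\% Processor Time'          = 80
    '\System\Processor Queue Length'               = 2
}

function Get-CounterAverages {
    # Accepts the sample sets produced by either Get-Counter (live) or
    # Import-Counter (a saved .blg written by the data collector set).
    param([Parameter(Mandatory=$true)][object[]]$SampleSets)
    $sum = @{}
    foreach ($set in $SampleSets) {
        foreach ($cs in $set.CounterSamples) {
            # Paths come back as \\MACHINE\object\counter; drop the machine part so
            # the key matches the names above (hashtable keys are case-insensitive).
            $name = $cs.Path -replace '^\\\\[^\\]+', ''
            $sum[$name] = [double]$sum[$name] + $cs.CookedValue
        }
    }
    $avg = @{}
    foreach ($name in $sum.Keys) { $avg[$name] = $sum[$name] / $SampleSets.Count }
    return $avg
}

function Find-Bottleneck {
    param([hashtable]$Averages, [hashtable]$Thresholds = $AssumedThresholds)
    foreach ($name in $Thresholds.Keys) {
        if (-not $Averages.ContainsKey($name)) { continue }
        New-Object PSObject -Property @{
            Counter    = $name
            Average    = [math]::Round($Averages[$name], 2)
            Threshold  = $Thresholds[$name]
            Bottleneck = ($Averages[$name] -gt $Thresholds[$name])
        }
    }
}

# Live run: 60 one-second samples while the suspect workload is active.
$live = Get-Counter -Counter $BaselineCounters -SampleInterval 1 -MaxSamples 60
Find-Bottleneck -Averages (Get-CounterAverages -SampleSets $live) | Format-Table -AutoSize

# Comparison with the earlier baseline: point Import-Counter at the .blg the
# data collector set wrote (the path below is a placeholder for your own log).
# $old = Import-Counter -Path 'C:\PerfLogs\<Contoso Baseline log>.blg'
# Find-Bottleneck -Averages (Get-CounterAverages -SampleSets $old) | Format-Table -AutoSize
```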
L4-18 Module 4: Troubleshooting Hardware Device, Device Driver, and Performance Issues
2. Right-click 6421B-NYC-DC1 in the Virtual Machines list, and then click Revert.
Incident Details
Scott cannot log on to his computer.
Additional Information
Error message:
There are currently no logon servers available to service the logon request.
Plan of Action
1. Visit the user's computer, and reproduce the problem.
2. Log on as administrator, and attempt to resolve the problem.
3. Things to check:
Basic IP configuration of the workstation and other computers.
Verify whether the issue is affecting other computers.
Answer: There are currently no logon servers available to service the logon request.
Note: Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.
3. At the command prompt, type the following command, and then press Enter:
Ipconfig.exe /all
Answer: 10.10.14.2
6. What is your subnet mask?
Answer: 255.255.255.0
7. Switch to NYC-DC1.
8. Click Start, and in the Search box, type cmd.exe, and then press Enter.
9. At the command prompt, type the following command, and then press Enter:
Ipconfig.exe /all
Answer: 10.10.0.0/16
12. Click Start, and in the Search box, type cmd.exe, and then press Enter.
Lab: Troubleshooting Network Connectivity Issues L5-21
13. At the command prompt, type the following command, and then press Enter:
Ipconfig.exe /all
Answer: 10.10.14.1
15. Is this server providing Dynamic Host Configuration Protocol (DHCP) services?
16. At the command prompt, type the following command, and then press Enter:
18. At the command prompt, type the following command, and then press Enter:
20. At the command prompt, type the following command, and then press Enter:
Ipconfig /release
21. Restart the computer. Wait for the NYC-CL1 computer to restart.
22. Log on using the following credentials:
Resolution
1. NYC-SVR1 had been started and is running a DHCP server in the head office.
2. This conflicted with the head office DHCP server.
3. NYC-CL1 obtained an address from the new server. However, this configuration is appropriate only
for the branch office, not the head office.
4. The problem was resolved by stopping the DHCP server on NYC-SVR1, restarting the DHCP service on
NYC-DC1, and restarting NYC-CL1 so that it could obtain a valid IPv4 configuration.
Other possible solutions include manually configuring NYC-CL1 with a similar configuration to NYC-CL2.
Results: At the end of this exercise, you will have logged on successfully by using the user account.
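The resolution above comes down to a lease handed out by a server that should not have been answering. As an added example (not part of course 6293A), the following PowerShell reports each DHCP lease on a client with the checks that would have exposed this case: whether the address sits in the head-office network (10.10.0.0/16, from the answer key), whether the mask matches that network, and whether the DHCP server is on an authorized list. The authorized-server list is a parameter you supply; NYC-DC1's address is not given on this page, so the call at the end uses a placeholder.

```powershell
# Added example, not part of course 6293A. Reports, for every DHCP-enabled adapter,
# the lease it holds and whether that lease came from an authorized DHCP server
# and carries the subnet mask the head-office network uses.

function ConvertTo-UInt32Address {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network order -> little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32Address {
    param([uint32]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)                     # back to network order
    return ($bytes -join '.')
}

function Get-MaskFromPrefix {
    param([int]$PrefixLength)
    # 2^32 - 2^(32-n) gives the contiguous mask without -shl (absent in PowerShell 2.0)
    return [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
}

function Test-AddressInNetwork {
    param([string]$Address, [string]$Network)    # Network in CIDR form, e.g. 10.10.0.0/16
    $net, $prefix = $Network -split '/'
    $mask = Get-MaskFromPrefix ([int]$prefix)
    $a = ConvertTo-UInt32Address $Address
    $n = ConvertTo-UInt32Address $net
    return (($a -band $mask) -eq ($n -band $mask))
}

function Get-DhcpLeaseReport {
    param(
        [string]$HeadOfficeNetwork = '10.10.0.0/16',                  # from the lab answer key
        [Parameter(Mandatory=$true)][string[]]$AuthorizedServer       # DHCP servers that should answer
    )
    $prefix = [int](($HeadOfficeNetwork -split '/')[1])
    $expectedMask = ConvertFrom-UInt32Address (Get-MaskFromPrefix $prefix)
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DHCPEnabled } |
        ForEach-Object {
            $cfg = $_
            # IPAddress and IPSubnet are parallel arrays and may include IPv6 entries
            for ($i = 0; $i -lt $cfg.IPAddress.Count; $i++) {
                $ip = $cfg.IPAddress[$i]
                if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
                New-Object PSObject -Property @{
                    Adapter          = $cfg.Description
                    Address          = $ip
                    SubnetMask       = $cfg.IPSubnet[$i]
                    DhcpServer       = $cfg.DHCPServer
                    InHeadOffice     = Test-AddressInNetwork $ip $HeadOfficeNetwork
                    MaskAsExpected   = ($cfg.IPSubnet[$i] -eq $expectedMask)
                    ServerAuthorized = ($AuthorizedServer -contains $cfg.DHCPServer)
                }
            }
        }
}

# In the lab, NYC-CL1 held 10.10.14.2 / 255.255.255.0 from 10.10.14.1: inside
# 10.10.0.0/16, but with the branch-office mask and from a server that is not
# NYC-DC1, so MaskAsExpected and ServerAuthorized both come back False.
# The NYC-DC1 address is a placeholder; substitute the real one.
Get-DhcpLeaseReport -AuthorizedServer '<NYC-DC1 IPv4 address>' | Format-Table -AutoSize
```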
L5-22 Module 5: Troubleshooting Network Connectivity Issues
Incident Details
Scott is unable to access the intranet server.
URL required: http://intranet.
IP configuration seems appropriate for subnet location.
Additional Information
Error message:
Internet Explorer cannot display the webpage.
Plan of Action
1. Visit the user's workstation.
2. Verify the IP version 4 (IPv4) configuration.
3. Determine connectivity from another workstation.
4. If this issue is affecting only Scott's workstation, then investigate his computer's settings.
5. If this issue is affecting multiple workstations, then investigate the intranet server settings.
2. On the Taskbar, click Internet Explorer. On the Set Up Windows Internet Explorer 8 prompt, click
Ask me later.
3. In the Address bar, type http://intranet, and then press Enter.
2. On the Taskbar, click Internet Explorer. On the Set Up Windows Internet Explorer 8 prompt, click
Ask me later.
4. Click Start, and in the Search box, type cmd.exe, and then press Enter.
Lab: Troubleshooting Network Connectivity Issues L5-23
5. At the command prompt, type the following command, and then press Enter:
Ping intranet
6. At the command prompt, type the following command, and then press Enter:
7. At the command prompt, type the following command, and then press Enter:
Notepad file.txt
Answer: Ncy-dc1.Contoso.com
9. At the command prompt, type the following command, and then press ENTER:
Ping ncy-dc1.Contoso.com
Answer: The Domain Name System (DNS) record on the server is wrong.
12. Click Start, point to Administrative Tools, and then click DNS.
13. In DNS Manager, expand Forward Lookup Zones, expand Contoso.com, and then in the right pane,
double-click intranet.
14. In the intranet Properties dialog box, in the Fully qualified domain name (FQDN) for target host:
box, type nyc-dc1.contoso.com, and then click OK.
Resolution
An incorrect Alias record was created in the DNS zone for Contoso. Clients could not connect to the
Intranet on NYC-DC1.
Results: At the end of this exercise, you will have resolved the connectivity problem.
L5-24 Module 5: Troubleshooting Network Connectivity Issues
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Incident Details
Max reports that he cannot connect to the corporate intranet site from home. He uses a preconfigured
virtual private network (VPN).
The intranet site is accessible when Max connects his computer locally in the Contoso domain.
Additional Information
VPN settings for Contoso home users:
Users connecting using VPN must use Extensible Authentication Protocol (EAP) authentication.
The preferred Remote Access Service (RAS) server is NYC-SVR2.
Network Access Protection (NAP) has been implemented in Contoso in recent weeks using VPN
enforcement. IP version 4 (IPv4) filters restrict connectivity to remediation servers.
Plan of Action
1. Visit the user's workstation, and attempt to reproduce the problem.
2. Verify that the VPN settings match those of the server.
3. Determine whether the company's NAP policy is affecting the computer's ability to connect.
5. Click Start, in the Search box, type Network and Sharing, and then press Enter.
L6-26 Module 6: Troubleshooting Remote Connectivity Issues
Answer: Error 812. The connection was prevented because of a policy configured on your
RAS/VPN server.
Note: Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.
1. Click Start, in the Search box, type services.msc, and then press Enter.
6. In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click
Automatic.
7. Click Apply, click Start, and then click OK.
9. In the Security Center Properties (Local Computer) dialog box, in the Startup type list, click
Automatic.
13. In Network Connections, right-click Contoso VPN, and then click Connect.
16. In the Address bar, type http://nyc-dc1, and then press Enter.
Answer: Yes
Resolution
1. The client settings did not match those that NAP requires.
Results: At the end of this exercise, you will have resolved the remote connectivity problem.
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Incident Details
A user with a laptop computer reports that offline files are not synchronizing properly when he
disconnects from the network.
Additional Information
User reports that when he roams in the office and reconnects to the wired network, his updated files
are not synchronizing properly. This is a problem, because other users also have access to these files,
and if the files are not synchronized, users have to look through the files and merge changes manually,
which is time-consuming.
Steps to recreate the problem:
1. On NYC-CL1, create and open a file on the research share at \\NYC-DC1\Research.
2. Modify the contents of the file, and then save it.
3. Keep the file open, and then disconnect from the network.
4. Modify the contents of the file, and then save it.
5. Reconnect the computer to the network and close the file.
6. On NYC-CL2, open the file on the research share, and then verify that the latest changes are not
synchronized.
Plan of Action
1. Recreate the problem to verify the steps.
2. Open Sync Center to view any potential synchronization issues.
L7-30 Module 7: Troubleshooting Logon and Resource Access Issues
4. In Windows Explorer, right-click an open area, point to New, and then click Microsoft Office Word
Document.
10. Click Start, type adapter, and then click View network connections.
11. In the Network Connections window, right-click Local Area Connection 3, and then click Disable.
12. When prompted, provide the credentials of Administrator with a password of Pa$$w0rd.
13. In TestDocument, on a new line, type Offline changes, and then click Save.
14. In the Network Connections window, right-click Local Area Connection 3, and then click Enable.
15. When prompted, provide the credentials of Administrator with a password of Pa$$w0rd.
22. Click OK to close the Microsoft Office Word window with an error.
23. In the User Name window, click OK. Notice that only the online changes are here, and that the file did
not synchronize.
26. Click Start, type Sync Center, and then press Enter.
Lab: Troubleshooting Logon and Resource Access Issues L7-31
27. In Sync Center, right-click Offline Files, and then click Sync Offline Files.
29. Double-click TestDocument, and then verify that the offline changes are synchronized.
Resolution
1. Forcing synchronization in Sync Center caused the offline file to update. Logging off and then
logging on also causes the file to update because there is no conflict with a changed version on the
server.
2. You should inform the user that he must modify his procedures to ensure that his files synchronize.
Results: After this exercise, you will have resolved a problem with offline files not synchronizing properly.
L7-32 Module 7: Troubleshooting Logon and Resource Access Issues
Incident Details
User reports that he does not have access to the research share.
Additional Information
User reports that he started his job last week, and does not have access to the research share, which
is at \\NYC-DC1\Research. He is logging on to NYC-CL1.
I walked the user through accessing the share by using the Universal Naming Convention (UNC)
path. This is an acceptable short-term solution. However, this user should map drive letter R to the
research share like other users.
Drive mappings have been converted to Group Policy Preferences. I confirmed that the user account
is in the correct organizational unit (OU).
Other research users, like Alan Brewer, have no problems with the drive mapping.
Plan of Action
1. Determine which Group Policy is applying the Group Policy Preferences.
2. Review the configuration of the Group Policy.
3. Review the configuration of the Max Stevens account, and compare it to Alan Brewer's.
Lab: Troubleshooting Logon and Resource Access Issues L7-33
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In Active Directory Users and Computers, expand Contoso.com, and then click Research.
7. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Max, and then
click OK.
8. Click OK, and then close Active Directory Users and Computers.
12. Verify that the drive letter R maps to the research share.
Resolution
The mapping for drive R is being targeted to the Research security group. Max was not a member of the
Research security group. Adding Max as a member of the research security group resolved the problem.
Results: At the end of this exercise, you will have resolved the Group Policy object (GPO) application
problem.
L7-34 Module 7: Troubleshooting Logon and Resource Access Issues
Incident Details
User reports that files are missing from the My Documents folder after he received a new computer
that has the organization's standard operating-system configuration.
Additional Information
The user has a brand new workstation configured with our default image. We have trained users not to
save information into My Documents, and have warned them that files in My Documents are not
backed up.
I logged onto the user's old computer, and no files were in his My Documents folder. Eventually, we
found the files in his home folder, which he had mapped to drive H.
I don't know how it was configured before, but this user wants My Documents to include the files in his
home drive instead of accessing them through drive H. Because this user is a department head, we
need to do this.
Plan of Action
1. Verify that the user's files are located in drive H.
2. Redirect My Documents to drive H.
Lab: Troubleshooting Logon and Resource Access Issues L7-35
4. In Windows Explorer, under Libraries, expand Documents, and then click My Documents.
Resolution
The user's old computer had the My Documents folder redirected to drive H. When the new computer
was deployed, My Documents was not redirected because it is not part of the standard configuration.
Redirecting My Documents to drive H resolved the issue.
Results: After this exercise, you will have resolved a problem with missing files in the My Documents
folder.
L7-36 Module 7: Troubleshooting Logon and Resource Access Issues
Incident Details
New peer-based application for research is not working properly.
Additional Information
The research department is semiautonomous for Information Technology (IT). They install and run a lot
of their own applications. They also store data on their local workstations. The workstations are backed
up daily to ensure that no data is lost.
They have a new application that they have installed on all of the workstations that is not functioning
properly. The installation instructions indicate that there must be a file share to which all computers
have read and write permissions.
All computers are configured to use \\NYC-CL1\Modeling as the file share. The file share is created, but
users do not appear to have the proper permissions. The application generates the error Shared data
access error.
I connected to \\NYC-CL1\Modeling, and then verified that I could not create or modify files from my
computer. Only members of the research group should be able to change these files.
Plan of Action
1. Review NTFS permissions, and verify effective permissions.
2. Review share permissions.
Lab: Troubleshooting Logon and Resource Access Issues L7-37
5. Right-click Modeling, and then click Properties. Click the Sharing tab.
8. In the Permissions for Modeling window, click Remove, and then click Add.
9. In the Select Users, Computers, Service Accounts, or Group window, type Research, and then click
OK.
10. In the Permissions for Modeling window, click Research, select the Allow Full Control permission,
and then click OK.
16. In Windows Explorer, right-click an empty area, point to New, and then click Text Document.
17. Type TestDoc, and then press Enter to rename the document.
L7-38 Module 7: Troubleshooting Logon and Resource Access Issues
Resolution
Modify the share permissions to remove the Everyone group, and then give the research group full
control.
OR
1. Modify the share permissions to give the Everyone group full control.
2. Prevent NTFS permissions from being inherited to the Modeling folder, and then copy existing
permissions.
4. Add Modify permission for the Research group to the Modeling folder.
Results: At the end of this exercise, you will have successfully configured a share with read and write
permissions for users in the Research group.
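Both resolutions work because access over a share is the more restrictive of the share permission and the NTFS permission. As an added example (not part of course 6293A), the following PowerShell lists both permission sets for the Modeling share on NYC-CL1 and reports the resulting level for one trustee, so either fix can be verified before the Research users test it. It evaluates one trustee at a time rather than all of a user's group memberships, and the local folder path C:\Modeling is an assumption.

```powershell
# Added example, not part of course 6293A. Lists share-level and NTFS permissions
# for a share and works out the effective level for one trustee as the more
# restrictive of the two, which is how Windows combines them over the network.

# Share access masks as reported by Win32_LogicalShareSecuritySetting
$ShareMaskLevel = @{ 2032127 = 3; 1245631 = 2; 1179817 = 1 }   # Full, Change, Read
$LevelName = @{ 3 = 'Full Control'; 2 = 'Change/Modify'; 1 = 'Read'; 0 = 'None' }

function Get-SharePermission {
    param([string]$ShareName, [string]$ComputerName = '.')
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $ComputerName -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' not found on $ComputerName" }
    $sd = $setting.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $t = $ace.Trustee
        $name = $t.Name
        if ($t.Domain) { $name = "$($t.Domain)\$($t.Name)" }
        $type = 'Deny'
        if ($ace.AceType -eq 0) { $type = 'Allow' }
        New-Object PSObject -Property @{
            Trustee = $name
            Type    = $type
            Level   = [int]$ShareMaskLevel[[int]$ace.AccessMask]   # unknown mask -> 0
        }
    }
}

function Get-NtfsLevel {
    # Simplified: honours an explicit Deny and the FullControl/Modify/ReadAndExecute
    # groupings; special-permission combinations outside those fall to 'None'.
    param([string]$Path, [string]$Trustee)
    $R = [System.Security.AccessControl.FileSystemRights]
    $level = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Trustee) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return 0 }
        $rights = $ace.FileSystemRights
        if     (($rights -band $R::FullControl) -eq $R::FullControl)       { $level = [math]::Max($level, 3) }
        elseif (($rights -band $R::Modify) -eq $R::Modify)                 { $level = [math]::Max($level, 2) }
        elseif (($rights -band $R::ReadAndExecute) -eq $R::ReadAndExecute) { $level = [math]::Max($level, 1) }
    }
    return $level
}

function Get-EffectiveLevel {
    param([string]$ShareName, [string]$LocalPath, [string]$Trustee, [string]$ComputerName = '.')
    $share = 0
    foreach ($p in Get-SharePermission -ShareName $ShareName -ComputerName $ComputerName) {
        if ($p.Trustee -ne $Trustee) { continue }
        if ($p.Type -eq 'Deny') { $share = 0; break }
        $share = [math]::Max($share, $p.Level)
    }
    $ntfs = Get-NtfsLevel -Path $LocalPath -Trustee $Trustee
    New-Object PSObject -Property @{
        Trustee   = $Trustee
        Share     = $LevelName[$share]
        NTFS      = $LevelName[$ntfs]
        Effective = $LevelName[[math]::Min($share, $ntfs)]   # most restrictive wins
    }
}

# Run locally on NYC-CL1; C:\Modeling is an assumed local path for the share.
Get-EffectiveLevel -ShareName 'Modeling' -LocalPath 'C:\Modeling' -Trustee 'CONTOSO\Research'
Get-EffectiveLevel -ShareName 'Modeling' -LocalPath 'C:\Modeling' -Trustee 'Everyone'
```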
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Incident Record
Incident Reference Number: 603012
Incident Details
Executive user is reporting that she has data that is encrypted with BitLocker Drive Encryption that she
needs to recover from a failed laptop.
Additional Information
The user uses her personal laptop to work on company documents. The laptop had a secondary hard
drive on which she stored the documents. She encrypted all drives with BitLocker to secure them.
Internal laptops are configured with a recovery agent to simplify data recovery. Because this is a
personal laptop, using a recovery agent is not an option.
She has given us the encrypted drive and a printout she made after the drive was encrypted.
She has requested that we configure the drive so that she can attach it easily to another computer by
placing the drive in an external Universal Serial Bus (USB) enclosure. Preferably, it should require only a
password to unlock.
Plan of Action
1. Attach the encrypted drive to a Windows 7 computer.
2. Use the recovery key from the printout to decrypt the drive.
3. Configure the use of a password to view drive content.
2. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
3. In Hyper-V Manager, right-click 6293A-NYC-CL1, and then click Settings.
5. In the right pane, ensure that Hard Drive is selected, and then click Add.
8. Click OK.
9. Start the 6293A-NYC-CL1 virtual machine, and then log on as NYC-CL1\WSAdmin with the
password of Pa$$w0rd. If you are prompted to restart NYC-CL1, click Restart Now.
5. On the Unlock this drive using your recovery key page, click Type the recovery key.
8. On the Select options to manage page, click Add a password to unlock the drive.
9. In the Type your password and Retype your password boxes, type Pa$$w0rd, and then click Next.
10. On the Select options to manage page, click Close.
11. On the You now have temporary access to this drive page, click Finish.
Resolution
1. Attached encrypted drive to a Windows 7 computer.
2. Used the recovery key from the printout to decrypt the drive.
Results: At the end of this exercise, you will have recovered a BitLocker-protected drive.
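The same recovery can be done from the command line with manage-bde, which is built into Windows 7. As an added example (not part of course 6293A), the following PowerShell first checks that the key typed from the printout has the form BitLocker expects (a mistyped digit nearly always fails this check), then unlocks the drive and adds the password protector the user asked for. The drive letter and the sample key are constructed for illustration.

```powershell
# Added example, not part of course 6293A. Checks a typed recovery password for
# the form BitLocker expects, unlocks the attached drive with it, and adds a
# password protector so the drive opens without the printout.

function Test-BitLockerRecoveryPassword {
    param([string]$RecoveryPassword)
    # A recovery password is 8 groups of 6 digits. Each group is 11 times a
    # 16-bit value, so it must be divisible by 11 and below 11 * 65536 = 720896.
    $groups = $RecoveryPassword.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Restore-BitLockerDataDrive {
    param(
        [Parameter(Mandatory=$true)][string]$DriveLetter,       # e.g. 'F:'
        [Parameter(Mandatory=$true)][string]$RecoveryPassword   # 48 digits from the printout
    )
    if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) {
        throw 'Recovery password fails the format check; re-read the printout before retrying.'
    }
    # Unlock with the recovery password (manage-bde -unlock <drive> -RecoveryPassword <key>)
    & manage-bde -unlock $DriveLetter -RecoveryPassword $RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed (exit code $LASTEXITCODE)" }

    # Add a password protector. manage-bde prompts for the password interactively
    # rather than taking it on the command line, so it does not land in shell history.
    & manage-bde -protectors -add $DriveLetter -Password
    if ($LASTEXITCODE -ne 0) { throw "Adding the password protector failed (exit code $LASTEXITCODE)" }

    # List the protectors now on the drive. The recovery password is still one of
    # them: the printout continues to unlock the drive and must be stored accordingly.
    & manage-bde -protectors -get $DriveLetter
}

# Constructed sample key: every group is a multiple of 11 below 720896, so it
# passes the format check; it is not a real key and unlocks nothing.
Test-BitLockerRecoveryPassword '111111-222222-333333-444444-555555-666666-000000-011011'

# Real use, with the drive letter Windows assigned to the USB enclosure:
# Restore-BitLockerDataDrive -DriveLetter 'F:' -RecoveryPassword '<48-digit key from printout>'
```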
Lab: Troubleshooting Security Issues L8-41
2. Update the Plan of Action section of the Incident Record with your recommendations.
Incident Record
Incident Reference Number: 603026
Incident Details
User is being prompted for security credentials when accessing the intranet site.
Additional Information
When the user attempts to access the corporate intranet by using http://nyc-dc1.contoso.com, he is
prompted for credentials.
I coached him through the process of entering his credentials as Contoso\Sten and his password. This
authenticates him successfully, and he can use it as a short-term work-around, but he does not want to
be prompted.
I asked him to check if other users in his department were having the same issue, and he told me that
they said No. He is the only user. After he authenticates, everything is fine.
When the issue is resolved, please configure the corporate intranet as his home page.
Plan of Action
1. Visit the user, and view the problem.
2. Review the Windows Internet Explorer configuration.
3. Click the Internet Explorer icon on the taskbar. At the Set Up Windows Internet Explorer 8 prompt,
click Ask me later.
4. In the Internet Explorer window, in the Address bar, type http://nyc-dc1.contoso.com, and then
press Enter.
8. Click the down arrow beside the home page icon, and then click Add or Change Home page.
9. In the Add or Change Home Page window, click Use this webpage as your only home page, and
then click Yes.
Resolution
1. Instruct the user to use a single label URL to access the intranet site. This allows Internet Explorer to
recognize the site as an intranet site to which it can automatically pass the local workstation
credentials.
OR
1. Manually add http://nyc-dc1.contoso.com to trusted sites, and then configure trusted sites to allow
automatic logon with current user name and password.
Results: After this exercise, you will have authenticated successfully to the intranet website, without
requiring the user to enter credentials.
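Whether Internet Explorer prompts depends on the zone it assigns the URL and on that zone's "Logon" setting, which the two resolutions above change in different ways. As an added example (not part of course 6293A), the following PowerShell reads the current user's zone mappings and logon settings and reports what IE will do for a given URL. It is a simplified model: it reads HKCU only, ignores proxy-bypass and HKLM policy, and the fallback default it uses when a zone has no explicit Logon value is an assumption.

```powershell
# Added example, not part of course 6293A. Reports which Internet Explorer zone a
# URL falls into for the current user and whether that zone sends the logged-on
# user's credentials automatically. Zone numbers and the 1A00 value are IE's own.

$ZoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Registry value 1A00 ("Logon") under each zone key:
$LogonSetting = @{
    0       = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IeZoneForHost {
    param([string]$HostName, [string]$Scheme = 'http')
    # A single-label name such as http://intranet is Local intranet without any mapping.
    if ($HostName -notmatch '\.') { return 1 }
    # Explicit mappings live under ZoneMap\Domains\<domain>[\<subdomain>], value = scheme.
    $parts  = $HostName.ToLower() -split '\.'
    $domain = ($parts[-2..-1]) -join '.'
    $candidates = @()
    if ($parts.Count -gt 2) {
        $sub = ($parts[0..($parts.Count - 3)]) -join '.'
        $candidates += Join-Path (Join-Path $ZoneMapKey $domain) $sub
    }
    $candidates += Join-Path $ZoneMapKey $domain    # a whole-domain mapping also counts
    foreach ($keyPath in $candidates) {
        if (Test-Path $keyPath) {
            $v = (Get-ItemProperty -Path $keyPath).$Scheme
            if ($v -ne $null) { return [int]$v }
        }
    }
    return 3   # no mapping: Internet zone, which is why the FQDN prompts in the incident
}

function Get-IeLogonBehavior {
    param([string]$Url)
    $uri  = [System.Uri]$Url
    $zone = Get-IeZoneForHost -HostName $uri.Host -Scheme $uri.Scheme
    $logon = (Get-ItemProperty -Path (Join-Path $ZonesKey $zone) -ErrorAction SilentlyContinue).'1A00'
    if ($logon -eq $null) { $logon = 0x20000 }    # ASSUMED default when the value is absent
    $logon = [int]$logon
    New-Object PSObject -Property @{
        Url   = $Url
        Zone  = $ZoneName[$zone]
        Logon = $LogonSetting[$logon]
        # Credentials go out silently either with the 'automatic' setting in any zone,
        # or with 'only in Intranet zone' when the URL really is Local intranet.
        CredentialsSentAutomatically = (($logon -eq 0) -or ($logon -eq 0x20000 -and $zone -eq 1))
    }
}

Get-IeLogonBehavior 'http://nyc-dc1.contoso.com'   # FQDN from the incident: Internet zone unless mapped
Get-IeLogonBehavior 'http://nyc-dc1'               # single label: Local intranet
```

Whatever a zone's Logon value is, every host mapped into that zone receives the user's domain credentials under it, so a trusted-sites entry with automatic logon should list only the hosts that need it.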
Lab: Troubleshooting Security Issues L8-43
2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
Incident Details
Client computers and servers are not obtaining Windows updates from the new Windows Server
Updates Services (WSUS) server.
Additional Information
The new WSUS server is implemented, and it is successfully downloading updates from Microsoft
update. However, the updates are not being delivered to client computers.
We recently blocked access to Microsoft update for client computers to ensure that they were using
the WSUS server for updates.
You can force connectivity to the WSUS server by running wuauclt.exe /detectnow on the client
computer.
You can verify that the client connected to the WSUS server by checking the WindowsUpdateClient
event log for Event ID 26. You also can verify that the computer is listed in the Windows Automatic
Updates Services administrative tool on NYC-DC1.
Plan of Action
1. Identify if the computer is registered in WSUS.
2. Run wuauclt.exe /detectnow to force contact with the WSUS server.
3. Review the WindowsUpdateClient event log.
4. Verify creation of a GPO to configure Automatic Updates on computers.
L9-46 Module 9: Troubleshooting Operating System and Application Issues
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then expand
Contoso.com.
5. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.
6. In the New GPO window, in the Name box, type WSUS, and then click OK.
8. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
9. In the right pane, double-click Specify intranet Microsoft update service location.
11. In the Set the intranet update service for detecting updates and Set the intranet statistics
server boxes, type http://NYC-DC1, and then click OK.
13. In the Configure Automatic Updates window, click Enabled, and then click OK.
14. Close all open windows.
18. At the command prompt, type gpupdate /force, and then press Enter.
19. At the command prompt, type wuauclt.exe /detectnow, and then press Enter.
20. On NYC-DC1, click Start, point to Administrative Tools, and then click Windows Server Update
Services.
21. Expand NYC-DC1, expand Computers, and then click All Computers.
22. In the Status box, select Any, and then click Refresh. The computer NYC-CL1 is listed.
Resolution
Set up a GPO to configure Automatic Updates properly so that computers use http://NYC-DC1.
Results: At the end of this exercise, you will have resolved the issue with Windows updates.
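The GPO above lands on the client as values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and steps 18 to 22 confirm the result by hand. As an added example (not part of course 6293A), the following PowerShell reads those values on NYC-CL1, explains any mismatch against the http://NYC-DC1 value the lab sets, forces a detection, and looks for the Event ID 26 the incident record names. The wait time and the explanatory messages are this example's own.

```powershell
# Added example, not part of course 6293A. Checks that the WSUS policy the lab's
# GPO sets has reached a client's registry, forces a detection cycle, and looks
# for the Event ID 26 that the incident record uses as proof of contact.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    $au = Join-Path $WuPolicyKey 'AU'
    $p = @{ WUServer = $null; WUStatusServer = $null; UseWUServer = $null; NoAutoUpdate = $null }
    if (Test-Path $WuPolicyKey) {
        $k = Get-ItemProperty -Path $WuPolicyKey
        $p.WUServer = $k.WUServer; $p.WUStatusServer = $k.WUStatusServer
    }
    if (Test-Path $au) {
        $k = Get-ItemProperty -Path $au
        $p.UseWUServer = $k.UseWUServer; $p.NoAutoUpdate = $k.NoAutoUpdate
    }
    New-Object PSObject -Property $p
}

function Test-WsusClientPolicy {
    param([string]$ExpectedServer = 'http://NYC-DC1')   # the value the lab's GPO sets
    $p = Get-WsusClientPolicy
    $problems = @()
    if ($p.WUServer -eq $null) {
        $problems += 'No WUServer value: the WSUS GPO has not applied here (gpupdate /force, then gpresult /r).'
    } elseif ($p.WUServer -ne $ExpectedServer) {
        $problems += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'."
    }
    if ($p.WUStatusServer -ne $ExpectedServer) {
        $problems += "WUStatusServer is '$($p.WUStatusServer)', expected '$ExpectedServer'."
    }
    if ($p.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1: the client still tries Microsoft Update, which is blocked.'
    }
    if ($p.NoAutoUpdate -eq 1) {
        $problems += 'NoAutoUpdate is 1: Automatic Updates is turned off by policy.'
    }
    if ($problems.Count -eq 0) {
        $problems += 'Policy matches; if the computer is still absent from the WSUS console, check name resolution and TCP port 80 to the server.'
    }
    return $problems
}

function Invoke-WsusDetection {
    param([int]$WaitSeconds = 60)   # assumed time for the detection cycle to log its result
    gpupdate /force | Out-Null
    wuauclt.exe /detectnow
    Start-Sleep -Seconds $WaitSeconds
    # Event ID 26 per the incident record, in the Windows 7 Operational channel.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 26 } `
        -MaxEvents 3 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-WsusClientPolicy
Invoke-WsusDetection
```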
L9-48 Module 9: Troubleshooting Operating System and Application Issues
Incident Details
Unauthorized applications are being used on computers.
Additional Information
We have recently implemented Windows 7 AppLocker policies to control the use of applications. In
testing, the default rules were configured, which prevented most unauthorized applications from
running.
A manager has reported that several of his staff are playing games that are not authorized. It appears
that the users have brought in the games on Universal Serial Bus (USB) flash drives.
I browsed Adam Carter's profile on NYC-CL1, and he has a game stored in the Downloads folder.
Please identify why these are not being blocked in production like they were in testing.
Plan of Action
1. Verify that the game in the Downloads folder will run.
2. Verify that the AppLocker rules for executables block the files in the Downloads folder.
3. Check the Application Identity service to verify that it is running.
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then click
Contoso.com.
Lab: Troubleshooting Operating System and Application Issues L9-49
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click System Services.
8. In the Application Identity Properties window, select the Define this policy setting check box, click
Automatic, and then click OK.
Resolution
Results: At the end of this exercise, you will have prevented unauthorized applications from starting.
L9-50 Module 9: Troubleshooting Operating System and Application Issues
Incident Details
An authorized application is not able to run.
Additional Information
After resolving incident 603220, it appears that a legitimate application is being blocked. The
Marketing Manager is reporting that Adam is no longer able to run his game on NYC-CL1, but now
also cannot run an XML editing application. The executable for this application is located in
C:\XMLNotepad.
Please identify why this application is not able to run, and then resolve the issue.
Plan of Action
1. Verify that XML notepad in C:\XMLNotepad is blocked.
2. Review the AppLocker event log to verify that AppLocker is the issue.
3. Review the AppLocker rules, and then update them as required.
11. Click Start, point to Administrative Tools, and then click Group Policy Management.
12. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then click
Contoso.com.
13. Right-click Application Control, and then click Edit.
14. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Application Control Policies, expand
AppLocker, and then click Executable Rules.
15. Right-click Executable Rules, and then click Create New Rule.
17. On the Permissions page, click Next to Allow Everyone to run the application.
18. On the Conditions page, click Path, and then click Next.
19. In the Path box, type C:\XMLNotepad\XmlNotepad.exe, and then click Next.
Resolution
Configure an AppLocker rule to allow the application in C:\XMLNotepad to run.
Results: At the end of this exercise, you will have resolved the problem with application startup.
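The two AppLocker incidents come down to three checks: the Application Identity service must be running, the AppLocker event log shows what was blocked, and the effective rules decide whether C:\XMLNotepad\XmlNotepad.exe may run. As an added example (not part of course 6293A), the following PowerShell performs each check with the AppLocker module that ships with Windows 7, and adds one hardening check of its own: that the folder a path rule points at is not writable by the users the rule allows. The identity list in that last check and the event counts are this example's assumptions.

```powershell
# Added example, not part of course 6293A. Verifies the Application Identity
# service, lists AppLocker block events, tests the effective policy against the
# XML Notepad path, and checks the folder behind a path rule is not user-writable.

Import-Module AppLocker   # Windows 7 ships this module; PowerShell 2.0 needs the explicit import

function Test-AppLockerService {
    # AppLocker enforces nothing unless the Application Identity service (AppIDSvc) is running.
    $svc   = Get-Service -Name AppIDSvc
    $start = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode
    New-Object PSObject -Property @{
        Service   = $svc.DisplayName
        Status    = $svc.Status
        StartMode = $start                              # the lab's GPO sets this to Automatic
        Enforcing = ($svc.Status -eq 'Running')
    }
}

function Get-AppLockerBlockEvent {
    param([int]$Last = 20)
    # 8004 = file was prevented from running; 8003 = audit-only, would have been prevented.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message } }
}

function Test-AppLockerPath {
    param([string]$Path = 'C:\XMLNotepad\XmlNotepad.exe', [string]$User = 'Everyone')
    # Evaluates the merged local and domain policy, as AppLocker itself would.
    $policy = Get-AppLockerPolicy -Effective
    Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Test-PathRuleFolderWritable {
    param([string]$Folder = 'C:\XMLNotepad')
    # A path rule allows whatever sits at that path, so the folder must not be
    # writable by the broad groups the rule allows; otherwise the rule is only as
    # strong as the folder's ACL. Returns the ACEs that grant such write access.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeBits = [int]($R::CreateFiles -bor $R::Write -bor $R::Delete)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -Path $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            New-Object PSObject -Property @{
                Folder   = $Folder
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

Test-AppLockerService
Get-AppLockerBlockEvent -Last 5
Test-AppLockerPath
Test-PathRuleFolderWritable    # no output means no broad group can write into the folder
```

If Test-PathRuleFolderWritable does report entries, a publisher rule built from Get-AppLockerFileInformation on the signed binary is the usual alternative to a path rule.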
23. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.