
OFFICIAL MICROSOFT LEARNING PRODUCT

6293A
Troubleshooting and Supporting
Windows 7 in the Enterprise
ii Troubleshooting and Supporting Windows 7 in the Enterprise

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks
of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6293A

Part Number X17-55452

Released: 05/2011

Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Andrew J. Warren (Author)

Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of
which have been spent in writing and teaching. He has been involved as the subject matter expert (SME)
for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He
also has been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in the United
Kingdom, he runs his own IT training and education consultancy.

Byron Wright (Author)

Byron Wright is a partner in a consulting firm, where he performs network consulting, computer systems
implementation, and technical training. Byron is also a sessional instructor for the Asper School of
Business at the University of Manitoba, teaching management information systems and networking. Byron
has authored and co-authored a number of books on Windows servers, Windows Vista, and Exchange
Server, including the Windows Server 2008 Active Directory Resource Kit.

Tony Northrup (Technical Reviewer)

Tony Northrup, an MCSE, MCTS, and CISSP, is a longtime Windows consultant and author. Tony began
programming before the release of Windows 1.0 in 1985. For the last 15 years, he has focused on
Windows administration and development. Tony is the coauthor of more than 20 books, including the
Windows 7 Resource Kit and the MCITP Self-Paced Training Kit (Exam 70-685): Windows 7 Enterprise
Desktop Support Technician.

Contents
Module 1: Implementing a Troubleshooting Methodology
Lesson 1: Introduction to the EDST Job Role 1-3
Lesson 2: Overview of Troubleshooting Steps 1-14

Module 2: Troubleshooting Startup Issues


Lesson 1: Overview of the Windows 7 Recovery Environment 2-3
Lesson 2: Configuring and Troubleshooting Startup Settings 2-17
Lesson 3: Troubleshooting Operating System Services Issues 2-33
Lab: Troubleshooting Startup Issues 2-39

Module 3: Using Group Policy to Centralize Configuration

Lesson 1: Overview of Group Policy Application 3-3
Lesson 2: Resolving Client Configuration Failures and GPO Application Issues 3-16
Lab: Using Group Policy to Centralize Configuration 3-27

Module 4: Troubleshooting Hardware Device, Device Driver, and Performance Issues

Lesson 1: Overview of Hardware Troubleshooting 4-3
Lesson 2: Troubleshooting Physical Failures 4-19
Lesson 3: Monitoring Reliability and Performance 4-27
Lesson 4: Configuring Performance Options in Windows 7 4-34
Lesson 5: Troubleshooting Device Driver Failures 4-43
Lab A: Resolving Hardware Device and Device Driver Issues 4-61
Lab B: Troubleshooting Performance-Related Issues 4-68

Module 5: Troubleshooting Network Connectivity Issues


Lesson 1: Determining Network Settings 5-3
Lesson 2: Troubleshooting Network Connectivity Issues 5-9
Lab: Troubleshooting Network Connectivity Issues 5-35

Module 6: Troubleshooting Remote Connectivity Issues


Lesson 1: Troubleshooting VPN Connectivity Issues 6-3
Lesson 2: Using Remote Desktop 6-25
Lesson 3: Troubleshooting User Issues by Using Remote Assistance 6-34
Lesson 4: Troubleshooting NAP Issues 6-40
Lesson 5: Troubleshooting DirectAccess Issues 6-52
Lab: Resolving Remote Connectivity Issues 6-61

Module 7: Troubleshooting Logon and Resource Access Issues


Lesson 1: Troubleshooting User Logon Issues 7-3
Lesson 2: Troubleshooting User Profile Issues 7-13
Lesson 3: Troubleshooting File Access Issues 7-19
Lesson 4: Troubleshooting File Permissions Issues 7-28
Lesson 5: Troubleshooting Printer Access Issues 7-36
Lab: Troubleshooting Logon and Resource Access Issues 7-44

Module 8: Troubleshooting Security Issues


Lesson 1: Recovering Files Encrypted by EFS 8-3
Lesson 2: Recovering BitLocker-Protected Drives 8-15
Lesson 3: Troubleshooting Internet Explorer and Content Access Issues 8-23
Lab: Troubleshooting Security Issues 8-32

Module 9: Troubleshooting Operating System and Application Issues


Lesson 1: Troubleshooting Application Installation Issues 9-3
Lesson 2: Troubleshooting Application Operations Issues 9-14
Lesson 3: Applying Application and Windows Updates 9-23
Lab: Troubleshooting Operating System and Application Issues 9-32

Lab Answer Keys


Module 2 Lab: Troubleshooting Startup Issues L2-1
Module 3 Lab: Using Group Policy to Centralize Configuration L3-5
Module 4 Lab: Resolving Hardware Device and Device Driver Issues L4-9
Module 5 Lab: Troubleshooting Network Connectivity Issues L5-19
Module 6 Lab: Resolving Remote Connectivity Issues L6-25
Module 7 Lab: Troubleshooting Logon and Resource Access Issues L7-29
Module 8 Lab: Troubleshooting Security Issues L8-39
Module 9 Lab: Troubleshooting Operating System and Application Issues L9-45
MCT USE ONLY. STUDENT USE PROHIBITED
About This Course xiii

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and
course objectives.

Course Description
This course is designed for Information Technology (IT) professionals who have experience with
Windows XP and Windows Vista who work as Windows 7 Enterprise Desktop Support Technicians
(EDSTs) in Tier 2 support environments. The goal of this training is to enable these individuals to support
the Windows 7 operating system and solve technical troubleshooting problems in a Windows 7 and
Windows Server 2008 R2 networking environment.

The course builds on skills attained in Course 6292A: Installing and Configuring Windows 7 Client and
Course 6420B: Fundamentals of Windows Server 2008.

This course will not cover deployment scenarios and Tier 3 escalations, including comprehensive Group
Policy configuration, and domain administration and deployment. Course 6294A covers deployment
scenarios and support.
By the course's end, students will have been exposed to the process of establishing and using a
troubleshooting methodology, and to the EDST job role and responsibilities. Additionally, students will be
exposed to various troubleshooting tools and techniques that enable them to address the following
Windows 7 issues in an enterprise network environment:

Startup

Group Policy
Hardware and device drivers

Performance

Network connectivity

Remote connectivity

User profile and logon

Security

Applications

Audience
Primary audience: DST in an Enterprise IT organization

Secondary audience: DST in an upper MORG (medium organization) with approximately 475 personal
computers

EDSTs are experienced IT professionals who focus on a broad range of issues that relate to desktop
operating systems, desktop applications, mobile devices, networking, and hardware support. EDSTs must
combine technical expertise with problem-solving and decision-making skills, and possess a deep
understanding of their business and technical environments, so that they can resolve support issues
quickly. They consider all variables, justify resolutions with a logical troubleshooting approach, and relate
tradeoffs to business and technical requirements and constraints. EDSTs are responsible primarily for the
maintenance and support of PC desktops, installing and testing line-of-business applications on end users'
computers, and making changes to user desktops or reimaging them, as necessary.

EDSTs have used previous versions of Windows desktop operating systems and may have experience
with Windows Server operating systems. Their job requires them to stay knowledgeable and skilled with
using new versions and updates of technology, as their business environment dictates. They conduct most
server management tasks remotely by using Terminal Server or other administration tools installed on
their local workstation.

Student Prerequisites
In addition to their professional experience, students who attend this training should have the following
technical knowledge:

Networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and Domain Name
System (DNS)

Active Directory Domain Services (AD DS) principles and management

Windows Server 2008 fundamentals

Windows client fundamentals


Fundamentals of using the Microsoft Office 2010 or Microsoft Office 2007 systems

Students who attend this training can meet the prerequisites by attending the following courses, or by
obtaining equivalent knowledge and skills:
Course 6292A: Installing and Configuring Windows 7 Client

Course 6420B: Fundamentals of Windows Server 2008

Course Objectives
After completing this course, students will be able to:

Describe the processes of establishing and using a troubleshooting methodology, and define the
EDST job role and responsibilities.

Troubleshoot startup issues on a Windows 7 computer.

Troubleshoot client-configuration failures and Group Policy object (GPO) application issues.

Troubleshoot hardware device and device driver issues.

Troubleshoot network connectivity issues.

Troubleshoot remote connectivity issues.

Troubleshoot logon and resource access issues.

Troubleshoot security system issues, such as Encrypting File System (EFS), BitLocker Drive
Encryption, and file permissions.

Troubleshoot operating system and applications issues.

Troubleshoot performance issues.



Course Outline
This section provides an outline of the course:

Module 1, Implementing a Troubleshooting Methodology, describes the steps involved in establishing
and using a typical troubleshooting methodology. It also covers the job role and responsibilities of the
EDST.

Module 2, Troubleshooting Startup Issues describes how to use Windows 7 recovery tools to
troubleshoot startup problems. Additionally, it provides the information to configure and troubleshoot
startup settings, and to troubleshoot operating system services.

Module 3, Using Group Policy to Centralize Configuration describes Group Policy application. It also
covers steps to troubleshoot both client configuration failures and GPO application issues.

Module 4, Troubleshooting Hardware Device, Device Driver, and Performance Issues helps students
troubleshoot issues related to hardware devices and device drivers by identifying basic hardware-related
issues. Additionally, the module helps students determine hardware failure issues, and the problems that
device drivers can cause. Finally, this module provides guidance on how to configure performance options
in Windows 7, as well as monitor reliability and performance of Windows 7 computers.

Module 5, Troubleshooting Network Connectivity Issues describes how to troubleshoot issues related to
network connectivity by providing the steps to determine the network configuration of client computers,
and then to troubleshoot network connections.

Module 6, Troubleshooting Remote Connectivity Issues, describes how to troubleshoot remote
connectivity issues. This module instructs students on how to configure and troubleshoot virtual private
network (VPN) connections, as well as how to use Remote Desktop and Remote Assistance to assist users.
This module also covers the troubleshooting steps for Network Access Protection (NAP) and DirectAccess
issues.

Module 7, Troubleshooting Logon and Resource Access Issues describes how to use troubleshooting
tools and methods to troubleshoot user profile and logon scripts issues, and issues with file and printer
access.

Module 8, Troubleshooting Security Issues describes how to troubleshoot issues related to security
systems such as EFS, BitLocker, and file permissions. The module instructs students how to troubleshoot
and recover files encrypted with EFS and BitLocker-protected drives. In this module, students also
troubleshoot file permissions, content access issues, and Windows Internet Explorer issues.

Module 9, Troubleshooting Operating System and Application Issues describes how to troubleshoot
issues related to operating system features and applications, including application installation and
operation issues. This module also addresses applying application and Windows updates.

Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.

Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.

Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ site:
Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to
supplement the Course Handbook.

Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.

Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ site: Includes
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.

Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to
mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the virtual machine environment.

Virtual Machine Configuration

In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.

The following table shows the role of each virtual machine used in this course:

Virtual machine     Role
6293A-NYC-DC1       Windows Server 2008 DC in Contoso domain
6293A-NYC-CL1       Windows 7 Client in Contoso domain
6293A-NYC-CL2       Windows 7 Client in Contoso domain
6293A-NYC-CL3       Windows 7 Client in Contoso domain
6293A-NYC-SVR1      Windows Server 2008 domain member
6293A-NYC-SVR2      Windows Server 2008 domain member

Software Configuration
The following software is installed on each VM:
Windows Server 2008 R2 Enterprise

Windows 7 Enterprise

Classroom Setup
Each classroom computer will have the same set of virtual machines configured in the same way. All of the
virtual machines are deployed on each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

Dual 120 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*

4 GB random access memory (RAM) or better

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft Mouse or compatible pointing device

Sound card with amplified speakers

*Striped

Module 1
Implementing a Troubleshooting Methodology
Contents:
Lesson 1: Introduction to the EDST Job Role 1-3

Lesson 2: Overview of Troubleshooting Steps 1-14



Module Overview

It is important that you understand the responsibilities of an Enterprise Desktop Support Technician
(EDST), the benefits of developing a troubleshooting methodology, and the benefits of following the
procedures that your methodology defines.

Objectives
After completing this module, you will be able to:

Describe the job role of the EDST.


Describe the steps of a typical troubleshooting methodology.

Lesson 1
Introduction to the EDST Job Role

As an EDST, your job is to act as an escalation point for problems that help-desk personnel cannot resolve;
to support end users directly; and to troubleshoot various problems. However, an EDST's responsibilities
involve much more than simply fixing problems.

An EDST must be able to:


Listen, either to an end user or to the help-desk staff.

Gather and interpret information.

Diagnose and resolve problems, or escalate problems.

Properly document a problem's resolution in the manner that company policy dictates.

The goal of this lesson is to introduce you to the EDST role and describe how an EDST best supports end
users, both directly and indirectly, in a Windows 7 environment.

Objectives
After completing this lesson, you will be able to:

Describe the EDST job role.


Describe the desktop support environment.

Describe how to interact with end users.

Explain the benefits of a troubleshooting methodology.



What Is the EDST's Role?

As an EDST, your job is to increase end-user productivity by troubleshooting and trying to solve the
computer and system issues that end users experience. This requires that you understand your role in the
support environment.

An EDST must fulfill a number of roles in the support environment. A good EDST possesses technical
expertise in addition to nontechnical aptitude, such as excellent interpersonal skills, that enable the EDST
to build rapport with both end users and other members and users of the support environment.

As an EDST, someone may describe you as:

A good troubleshooter, who is able to isolate an issue quickly by performing specific diagnostic tasks.
A knowledgeable resource, who is familiar with relevant products, and is able to perform hardware
and software installation tasks, system monitoring, and maintenance.

An effective communicator, because help-desk staff and end users typically are not calling you for
social reasons. Rather, they may be distressed or upset, and you will need to manage these
interpersonal and technical interactions simultaneously and effectively.

An information source, because even if you do not know the answer, you need to know where to get
the answer and when to escalate a problem.

The Position of EDSTs within the Technical Support Structure


Organizations typically structure their technical support into several different tiers in which the lowest tier
handles end-user issues and the highest tier handles the most complex issues. Typically, new requests are
assigned to tier 1 (often referred to as the help desk), where personnel categorize the problems and
attempt to resolve them. If the help desk cannot resolve the request, help-desk staff follow the
prescribed guidance within the organization's troubleshooting methodology and escalate it to tier 2
personnel.

As an EDST, your position is located in tier 2. The following table provides an overview of a typical
technical support structure.

Tier (Role): Description

Tier 1, help desk (Support): Supports day-to-day client operating systems, applications, and
hardware troubleshooting. Follows prescriptive guidelines, and provides end-user phone support.

Tier 2, administrator (Operational): Provides day-to-day server and software troubleshooting.
Manages and supports the organization's operating systems. Responds to help desk requests when
problems are escalated.

Tier 3, engineer (Tactical): Analyzes and designs within a single technology and then implements
the technology. Handles complex troubleshooting, including escalations from administrators.

Tier 4, architect (Strategic): Analyzes and designs enterprises.

The Scope of the EDST Role


As an EDST, your first step is to identify the scope of the problem. Because the end user reports the
problem to the help desk, you can use the valuable information in the help-desk incident report to
determine whether the issue is within the scope of your job role.

Note: Most organizations implement some form of help-desk incident management system; this
database is often referred to as a help-desk ticketing system. The purpose of the help-desk ticketing
system is to provide a single point for recording, tracking, and updating reported problems as support
staff attempt to resolve them.

If the issue is outside that scope, you should escalate it to a higher tier level: systems engineers or
architects, as appropriate.

You must troubleshoot and provide information about many aspects of the Windows 7 operating system
that is beyond the responsibility of the help desk, such as:

Resolving more complex installation and connectivity issues.

Configuring and troubleshooting desktop environments for end users.


Troubleshooting multiple boot or multiuser computers.

Installing, configuring, and troubleshooting more complex hardware.

As an EDST, you should use proper procedures to document the incident. You also must operate within
the organization's Service Level Agreements (SLAs), such as resolving a problem within a certain
timeframe or within a specific budget. In contrast, an EDST does not have to perform tasks that engineers
typically perform, such as complex analysis or design.

Typical EDST Responsibilities


As a tier 2 technical support employee, your job is to provide support for the help desk. At a high level,
you should be prepared to perform the following tasks:

Perform general troubleshooting of the operating system and installed applications.

Provide customer service, including listening to the end user or help desk, refining the definition of
the problem and solving the problem, and, where possible, educating the end user on how to avoid
the problem in the future.

Install, configure, and upgrade software, including applications and operating systems.

Monitor and maintain systems.

Update the documentation associated with an end user's call, and then close or escalate the call, per
company policy and the time limits set forth by SLAs.

Examining the Desktop Support Environment

You will encounter two types of networks in a corporate support environment: workgroups and domains.
In both environments, end users can share common resources, such as files, folders, and printers. These
environments also provide security measures to secure and protect end users' personal data, and your
organization's network resources and data, from outside forces. Despite their similarities, there are
important differences between workgroups and domains, which this section details.

Workgroups
Workgroups, which are logical groupings of networked computers that share resources, are often referred
to as peer-to-peer networks. The workgroup is the easiest network to set up and maintain, but it is the
least secure. Each computer maintains its own local security database, which contains the valid user
accounts for logging on to that computer. The user accounts secure the data on each computer, and
protect the computer from unwanted access, but because no single computer provides centralized
security of user accounts for all of the network's computers, the network is decentralized.

Note Workgroups typically are configured for home networks, small home offices, and
small businesses in which the computers are in close proximity to one another and are
sometimes connected by using a hub, switch, or router. Because workgroups are not the
most secure option for a network, larger corporations typically do not use them.

Domains
Domains are logical groupings of networked computers that share a common database of users and
centrally managed security on a single server, known as a domain controller, or a group of servers (domain
controllers). A single domain must have one or more domain controllers, and these computers provide
Active Directory Domain Services (AD DS), such as access to resources, security, and a single point of
administration.

Domains are logical groupings, which you configure independent of the network's actual physical
structure. Domains can span a building, city, state, country, or even the globe. You also can configure
them for a small office, and you can connect a domain's computers by virtual private network (VPN),
Ethernet, broadband, satellite, or wireless connections.

Note Larger companies and corporations typically configure domains because they are the
most secure option for a network, they offer centralized security and management, and they
are extensible. Smaller companies generally do not use domains because domains are more
expensive, and require more attention than workgroups.
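The distinction above (local security database versus centrally managed accounts on a domain controller) is the first thing to establish when a client is handed to you, because it decides whether the account, permission and Group Policy troubleshooting later in this course even applies. The following PowerShell script is an added example, not part of the course materials or the lab files: it reports whether a client is a workgroup or domain member, which domain controller it can reach when joined, and which accounts live in its local security database. The function name Get-ClientEnvironment is this example's own; the WMI classes and the .NET ActiveDirectory type it uses ship with Windows 7.

```powershell
# Added example (not from the course). Run on a Windows 7 client with PowerShell 2.0 or later.
function Get-ClientEnvironment {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # DomainRole values as defined for Win32_ComputerSystem.
    $roles = @{ 0 = 'Standalone workstation'; 1 = 'Member workstation'; 2 = 'Standalone server';
                3 = 'Member server'; 4 = 'Backup domain controller'; 5 = 'Primary domain controller' }

    $info = New-Object PSObject -Property @{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain          # DNS domain name when joined; workgroup name otherwise
        Role              = $roles[[int]$cs.DomainRole]
        DomainController  = 'n/a (workgroup)'
    }

    if ($cs.PartOfDomain) {
        # Domain logons and Group Policy both depend on the client locating a domain controller,
        # so record which one it finds (or why it cannot) before any deeper troubleshooting.
        try {
            $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
            $info.DomainController = $dc.Name
        } catch {
            $info.DomainController = "none reachable: $($_.Exception.Message)"
        }
    }

    # The local SAM exists in both environments; in a workgroup it is the only security database.
    # Filtering on LocalAccount stops WMI from trying to enumerate every domain account as well.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object Name, Disabled, PasswordRequired, Lockout
    $info | Add-Member NoteProperty LocalAccounts $accounts

    $info
}

$env = Get-ClientEnvironment
$env | Format-List ComputerName, Role, PartOfDomain, DomainOrWorkgroup, DomainController
$env.LocalAccounts | Format-Table -AutoSize
```

A workgroup client shows PartOfDomain False and its workgroup name in DomainOrWorkgroup; a joined client that reports "none reachable" is usually a name-resolution or connectivity problem rather than an account problem, which points you at Module 5 rather than Module 7.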

Interacting with End Users

The ability to interact effectively with both end users and the staff of the help desk is vital to an EDST's
success. You also must know how to talk to people with various levels of experience. For example, you
need to know how to ask questions, how to interpret what end users say, and how to suggest changes.
You must know where to search for answers to problems, and how to apply and document the solutions
to those problems. End users must be satisfied with your solutions and believe that you treated them fairly
and with respect.

There are many types of end users. Each end user has expertise in different areas, and each end user has
varying degrees of expertise. It is important that you can identify an end user's expertise level when you
are working in an EDST role, to avoid alienating the end user.

For example, reminding a technologically experienced end user to turn on the printer may cause the end
user frustration. It is still necessary to ensure that the basics have been checked, however, because even
technically experienced end users sometimes forget to turn on their printers.

Obtain Information from the End User


End users often are unable to provide a detailed description of their issue, or they may be reluctant to
explain the circumstances that caused the problem. When necessary, you must ask questions that help
you determine why the problem occurred.

Note: Many organizations provide a script for help desk staff to use when performing initial
problem classification. This will help you and the help desk progress through all the
fundamental questions that can help to classify the problem. Ensure you check the incident
record in the ticketing system before you question the end user yourself; otherwise you might
be repeating questions asked by the help desk.

Determine the Answer to These Who Questions


If the incident record does not provide the following information, ask the end user:

Who was operating the computer when the problem first occurred?

Who else is operating the computer, and have they experienced similar problems?

Also, check the ticketing system to determine:

Who has worked on this problem, or one like it, previously?

Who has the same problem on another computer?

Determine the Answer to These When Questions


The following when questions help you determine when a problem occurred and establish a timeline of
activities that might relate to the problem. Check the open incident record to determine:

When did this problem first occur, and has it occurred since?

When was an application last installed, updated, or removed on the computer?

When was new hardware last installed on the computer?

When were disk maintenance tasks last performed?

Determine the Answer to These What Questions


The following what questions help you gather information about what the help desk thinks may be the
cause of the problem, and also learn the solutions, if any, the help desk has already attempted. Check the
open incident record to determine:

What does the help desk suspect might be the problem?

What steps have the help desk already taken to attempt resolution, if any?

What suggestions have the help desk received regarding a possible resolution?

Note Bear in mind that the help-desk staff may know the problems cause, but may lack
the administrative permissions to fix it.

Determine the Answer to These How and Why Questions


The following questions can often identify a solution quickly. Check the open incident record to
determine:
How does the help desk think that the problem occurred?

Why does the help desk think that the problem occurred?

Note The help-desk staff may have experienced similar or identical problems, and
therefore may know the cause.

As you work through these questions with the help desk, and where necessary, the end users, document
the answers carefully in the incident record in the ticketing system, listen to everything said, be polite and
professional, and make notes of possible solutions as they occur.

If necessary, leave the situation for a few minutes to digest the information, and then check company
documentation, online support, or other resources for answers.

It is likely that the end user with whom you work has spoken to the help desk before. If the end user's
expectations were not met, the end user may have lost trust in the desktop support process. As an EDST,
you are in a unique position to determine if there is a value gap between what the end user expects and
what the end user receives, and to ensure that each end user's needs are met.

In general, however, end users expect the EDST to:

Diagnose the problem. End users expect you to grasp the nature of their problems quickly based on
the information that they provide to the help desk and directly to you, regardless of the end users'
experience levels.

Explain the plan of action. After you have diagnosed the problem, end users expect you to have a
plan of action that entails a logical sequence of steps that either you or the end users can implement
quickly.

Keep end users informed about the troubleshooting process. End users want to know what you are
doing to troubleshoot their problems, if the plan of action is working, and how close you are to
solving their problems.

Teach end users how to solve the problems and how to avoid them in the future. End users want to
understand how their problems occur, and how they can solve the problem without desktop support
in the future.

Note It may not be necessary to ask all these questions. In addition, the answers to
preceding questions may determine the order of the subsequent questions.

What Is a Troubleshooting Methodology?

The particulars of various troubleshooting methodologies can vary, and the processes involved in
troubleshooting computer-related problems are not precise. Most methodologies share some common
processes and procedures, which this topic aims to identify.

Classify
When an end user first discovers and reports a computer problem, a series of classification processes
begins. During these processes, you gather information from the end user in an attempt to establish the
problem's nature and scope. The initial discussion might reveal information that results in an immediate
resolution to the problem, but with more complex or serious problems, you must continue to
troubleshoot the issue to arrive at a resolution.

Problems that affect many end users, rather than a few, are more serious in terms of their impact on
organizational productivity, and you must resolve them more quickly. Classification allows you time to
determine the scope and impact of problems so that you can prioritize them.

Even if you are immediately able to resolve the problem, you must log the problem by using the
methodology that your organization has in place. Appropriate logging procedures ensure that you do not
lose any incident reports. Access to detailed incident reports allows organizations to monitor their
information technology (IT) systems more effectively and make informed decisions about those systems.

Test
When you have prioritized and logged a reported incident, the testing phase starts. During the testing
phase, you use a number of processes to determine the probable cause of a reported problem. You might
start by listing the possible causes. Typically, you might try to divide and isolate these possible causes.

In computer systems, dividing and isolating possible causes might mean making a distinction between:

Server and workstation-related issues.

Hardware and software.

Operating system and applications.


In this way, you can eliminate possible causes, which eventually enables you to determine probable
causes.

When you reduce the list of possible causes to a manageable number, you can start a testing process. The
aim of the testing process is to determine the probable cause from your list of potential causes.

One method you can use is to reproduce the problem in a test environment. If you can reproduce a
problem easily, you likely can determine the probable cause. If a problem is more difficult to reproduce,
you must study your results, and then you may need to modify your initial thoughts about the problem's
probable cause.

Escalate
In the event that you cannot find a resolution during the initial testing phase, you must either consult
additional documentation or escalate the problem. If you suspect that the issue stems from a component,
you can escalate the problem to the component's manufacturer. For other issues, if you have more internal
resources to call upon, you can escalate the problem within your organization. Your organization should have
an established process for handing off reported incidents to your organization's second-tier support staff.
The second-tier support staff then asks questions to classify the problem's scope and assign it a priority
level.

Report
When you resolve an incident, you must document the resolution. It is important to record any changes
to your IT system's configuration. Additionally, problems have a habit of occurring more than once, and
when you document them properly, you can save time resolving subsequent occurrences of the same
problem.

Lesson 2
Overview of Troubleshooting Steps

Any sort of troubleshooting methodology, regardless of whether you are troubleshooting computers,
plumbing systems, or automobile engines, has a common set of processes and procedures, including the
following:

Incidents pass through a series of processes that are designed to resolve problems as quickly and
efficiently as possible.

Classification, testing, escalation, and reporting provide the backbone of any troubleshooting
methodology.

The methodology evolves over time, as technologies change and new tools become available.

This lesson details the stages of a troubleshooting methodology, and how you can develop best practices
for problem reporting, initial data collection, implementing a plan of action, and recording incident
resolution.

Objectives
After completing this lesson, you will be able to:

Identify the stages in a common troubleshooting methodology.

Discuss elements of common troubleshooting methodologies.

Describe the process of problem reporting.

Describe the process of initial data collection.

Determine and use best practices for developing an action plan.


Describe the process of implementing an action plan.

Describe the process of recording the problem resolution.

Discuss the benefits of using a methodology.


Examining the Stages in a Troubleshooting Methodology

When you begin to troubleshoot a problem, you should clearly define the steps that you need to take to
resolve the problem.

Report the Problem


The reporting process begins when an end user first calls the help desk. When the end user reports a
problem, the help desk staff must record the details of the problem and ask the end user pertinent
questions to help determine the scope of the problem. The answers to these questions can help them to
prioritize the problem.

It is important that support staff keep the end user informed of progress throughout the entire
troubleshooting process, starting with this first reporting stage, when the help desk explains to the end
user what the next step is in the process.

Gather Information
It is possible that the support staff might resolve the reported problem during the initial reporting stage;
this often happens with relatively simple problems. If it is not possible to resolve the issue immediately,
support staff must gather more information about the problem in an effort to identify possible causes.
You can use monitoring tools, examine event logs, or simply ask the end user additional questions in an
effort to gather additional information.

Develop an Action Plan


When there is sufficient information, you can attempt to determine the cause of the problem. There are
two possible approaches.

The linear approach is a methodology that reveals the root cause of a problem quickly by taking you
through a logical series of steps. Start with the problem statement, and then proceed in a methodical
manner until you uncover the problem's source.

The subtractive approach is a methodology in which you form a mental picture of the computer's
system components. Separate the components into two halves along a testable line. For example, is it a
hardware component or a network component that is causing the problem? Then, test to see on
which side of the line the problem falls, and continue in the same manner until you isolate the
problem component.

Whichever approach you take, the aim of this stage is to isolate the cause of the problem. When you feel
you have determined the cause, you must test your assumptions. If the tests prove inconclusive, you must
continue until you determine the real cause.

After your tests prove the cause of a problem, you must plan your course of action.

For instance, if the problem requires that you replace a disk in a server, you must order the new disk,
determine a suitable time to perform the replacement, back up existing data on the old disk, shut down
the server, physically install the new disk, and perform a restore of the data to the new disk.

Implement the Action Plan


After planning your course of action, you must implement the plan. When implementing a plan of action
to resolve serious problems, you must consider the impact on service availability of any changes that you
want to make. Larger organizations implement change management procedures, and you must adhere to
these procedures.

Before you make any configuration changes, consider how much of your reconfiguration work you can
undertake using remote management tools and utilities. You can resolve many problems with remote
management techniques, and thereby avoid the need to work on the end user's computer physically.
However, you cannot resolve all problems by using remote management tools, so sometimes, a visit to
the end user's computer is necessary.

Document the Correction


When you resolve a problem successfully, you must document the resolution. This documentation
involves a number of processes, depending upon your technical support infrastructure. At the very least,
you must inform the end user that you resolved the problem, and if a logging system is in use, you must
close the incident.

Many organizations use documentation to provide information about their IT system's configuration. In
the event that you reconfigured something to resolve a problem, you must update the supporting
documentation to reflect the changes that you made.

Additionally, during the information-gathering stage, it often is useful to examine incident logs to
determine whether anyone else has reported a problem similar to the one on which you are working.
Finding whether another technician has documented a similar problem is possible only if, at incident
closure, you document what you did to resolve a problem.

Discussion: Common Components of Troubleshooting Methodologies

Your instructor will assign you a role in your organization, and during this discussion, you will consider the
benefits of a troubleshooting methodology for your role. The roles are:

End users.

Help-desk support staff.

Desktop support staff.

Managers and planners.

During your discussion, create a list of benefits for your organizational role. To help facilitate a useful
discussion, you might consider how a troubleshooting methodology results in the following outcomes:

Faster problem resolution

Improved productivity

Better accountability

Improved communications

Better update management

When you complete your discussion, share your conclusions with the class.

The Process of Problem Reporting

It is important to ensure that a well-understood process exists in your organization for the proper
reporting of support problems.

Problem Detected
The process of reporting a support problem starts with an end user detecting a problem with the
computer hardware, operating system, or an application. If the problem is intermittent, the end user may
take no immediate action. If the problem occurs again, the end user may take further action. End users
may attempt to resolve the problem themselves or contact the help desk for assistance.

Self-Help
Whenever possible, encourage end users to help themselves. You can help end users resolve some
problems quickly if the end user stops and thinks about the event that just occurred.

Always provide adequate training for your end users. Not only does this allow them to get the most from
their applications, but it also means that they are less likely to encounter problems and are more likely to
resolve many problems themselves, without contacting the help desk.

Contact the Help Desk


No matter how much training or encouragement end users receive, there are always problems that they
cannot resolve themselves. It is important to provide a proper procedure for contacting the help desk and
to ensure that your end users understand this procedure. During this phase, record the details of the
problem. You should consider using a database in which to record details of the reported problem, and
you then can update the help-desk ticketing system incident record that pertains to the problem as you
work toward a resolution.

If you lack the skills necessary to resolve the reported problem, assign the problem to other individuals in
your organization. For complex problems, you might assemble a specialist team to resolve the problem.
Update the incident record in the ticketing database to help track information about activity that you, or
others, have performed in relation to the reported problem.

Classification and Initial Support


After an end user has contacted the help desk, attempt to classify the problem, and then determine the
scope and urgency of the problem. You can do this by asking the end user very specific questions about
the problem. Questions might include the following:

Who else has the same problem? If the problem is widespread, this points to a more general problem
and is less likely to be the end user's particular computer. Additionally, problems affecting many end
users are more urgent than those affecting only one end user.

When did you first notice the problem? For example, it might be that the computer never worked
properly. It is very useful to know if the computer never worked properly, because this might indicate
a problem with deployment rather than usage.

What changed around the same time you noticed the problem? If the end user has recently installed
new applications or updated drivers, and the problem arose after these changes, it is possible that the
changes contributed to the problem that the end user is reporting.

During this phase, you might determine a probable cause of the reported problem, but be careful not to
jump to a conclusion, because you might waste a lot of time and resources. Your goal during this phase is
to define the problem accurately.

Escalation
When a problem requires escalation between support tiers or to external vendors, ensure that you record
an appropriate level of detail to pass to the next support level.

It is very helpful to have an escalation procedure that is clearly defined to ensure that you can do this
efficiently. The procedure may contain the following information:

A precise description of the reported problem.

A record of any error messages associated with the problem.

A record of the resolution attempts that support staff make, and the results of each attempted fix.

A record relating to any diagnostics tools that support staff use.


The length of time that can elapse before you must escalate the problem.

You might consider escalation to external vendors when:

You cannot resolve the problem.


You have insufficient internal resources to resolve the problem.

Your organization does not have the required skills to resolve the problem.

You have identified the probable cause of the problem, and it lies with a specific third-party
component.

Whenever you escalate a problem, always retain ownership of the problem, and use the database record
to track progress toward a resolution. Also ensure that you provide any necessary assistance to other
support tiers and external vendors.

Resolution
After you determine a probable cause and develop an action plan, you should perform an assessment of
this plan. The assessment should include:

Liaison with any specialist support staff involved in the plan's implementation.

Completion of any required requests according to change-management procedures.

Analysis of the possible impact of the proposed changes on the IT infrastructure.

Details of any testing of the proposed plan.

Details of plans to roll back the changes in the event that they do not achieve the desired result.

After you assess the proposed action plan, you can execute it. In the event that the action plan does not
resolve the problem, consider whether to roll back the changes you have made according to the action
plan assessment. You also must revisit the classification phase, because it is possible that the initial
diagnosis and classification were incorrect.

Close the Problem


After you resolve the problem successfully, you must close it. To close a problem, update any database
records that relate to it, and indicate that you implemented a permanent resolution for the problem, and
then close the database record.

The Process of Initial Data Collection

Collecting information about a reported problem is vitally important. By following a precise, logical series
of steps, you can define the nature of the problem clearly, and then work toward establishing a precise
cause.

Question
The process starts when an end user follows a defined procedure to contact the help desk, typically by
sending an e-mail or making a phone call. Members of the help desk team must question the end user
clearly and precisely about the problem's symptoms so that they can begin defining the cause of the
problem.

Listen
When an end user reports a problem to you, listen carefully to what the user has to say. Often, as the user
responds to your questions, and repeats the history of a problem, he or she might unwittingly reveal its
cause. By asking users to start from the beginning and explain exactly what they were doing immediately
prior to noticing the problem, and what they were doing when they noticed the problem, you may
determine the problem's cause.

Note It is important to record the problem, and any pertinent information that the user
communicates to you, in a database. You will use the database record that you create
throughout the problem life cycle to record progress toward a resolution.

Consult
When you record all of the pertinent information from the user, your next task is to determine the cause
of the reported problem. Start by consulting existing documentation about known problems. It is quite
possible that the problem has occurred before. If this is the case, you can move quickly toward a
resolution, and then close the incident.

Research
If existing documentation does not reveal any probable causes, you must perform some research. You can
perform this research using a variety of sources. For example, you might search the Microsoft Support
Knowledge Base for information about the problem. You also may search online forums for related
material to aid in problem resolution.

If you are unable to determine probable causes from this initial research, you can also perform
information gathering using the tools provided in the Windows 7 operating system, including those in the
following table.

Tool: Use

Remote Assistance: With Remote Assistance, users can request and receive help by using just one
mechanism. The administrator who is providing remote assistance uses Remote Assistance to take control
of a problem computer remotely, while the user remains logged on and watches what the administrator is
doing on the screen.

Remote Desktop: You can use Remote Desktop to take remote control of a problem computer. The
logged-on user is disconnected, and the console is locked.

Event Viewer: You can use Event Viewer as a single interface for viewing log files on the problem
computer. These logs provide information about applications, system events, and security-related matters.

Device Manager: With Device Manager, you can examine and change the configuration of hardware devices
and device drivers.

Network Diagnostics: With Network Diagnostics, you can troubleshoot and diagnose network-related
problems.

Windows System Information: With Windows System Information, you can examine a computer's
configuration with a single tool. You can also use the Microsoft Windows System Information tool to
produce configuration reports.

Command-Line Tools: Provide access to a variety of command-line tools that you can use to assist with
the research process, including ipconfig, netstat, winrm, and winrs.
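The following PowerShell script is an added example and is not part of the 6293A course material. It shows how an EDST could automate the initial data-collection step with the same sources the tools above expose (WMI for system, update, device and service configuration; the System and Application event logs that Event Viewer shows; ipconfig and netstat, run through winrs for a remote computer) and write everything to one report file for the incident record. The ticket ID, report folder and 24-hour lookback window are assumed placeholders.

```powershell
# Added example (not from the 6293A course): collect initial troubleshooting data
# from a Windows 7 computer into a single report to attach to the incident record.
# Assumptions: the ticket ID, report folder and lookback window are placeholders;
# remote collection needs WMI/RPC access and, for winrs, WinRM enabled on the target.
param(
    [string]$ComputerName = $env:COMPUTERNAME,    # local computer by default
    [string]$TicketId     = "INC-PLACEHOLDER",     # replace with the ticketing-system incident ID
    [string]$ReportFolder = "$env:USERPROFILE\Desktop",
    [int]$HoursBack       = 24                     # how far back to read the event logs
)

$report = Join-Path $ReportFolder ("{0}_{1}_datacollection.txt" -f $TicketId, $ComputerName)
$since  = (Get-Date).AddHours(-$HoursBack)

# Appends one titled section to the report; objects are rendered as tables via Out-String.
function Add-Section {
    param([string]$Title, $Content)
    Add-Content -Path $report -Value ("`r`n==== {0} ====" -f $Title)
    Add-Content -Path $report -Value ($Content | Out-String -Width 200)
}

# Report header: which ticket, which computer, and who collected the data and when.
Set-Content -Path $report -Value ("Ticket: {0}  Computer: {1}  Collected: {2} by {3}" -f `
    $TicketId, $ComputerName, (Get-Date), $env:USERNAME)

# 1. Configuration overview (the kind of data Windows System Information shows).
$os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
$cs = Get-WmiObject Win32_ComputerSystem  -ComputerName $ComputerName
Add-Section "System" @(
    "OS:         $($os.Caption) $($os.Version) SP$($os.ServicePackMajorVersion)"
    "Last boot:  $($os.ConvertToDateTime($os.LastBootUpTime))"
    "Model:      $($cs.Manufacturer) $($cs.Model)"
    "Logged on:  $($cs.UserName)"
    "Domain:     $($cs.Domain)"
)

# 2. Installed updates: helps answer the "when was something last installed or updated" question.
$hotfixes = Get-WmiObject Win32_QuickFixEngineering -ComputerName $ComputerName |
    Select-Object HotFixID, InstalledOn
Add-Section "Installed updates" $hotfixes

# 3. Event Viewer data: errors and warnings from the System and Application logs.
foreach ($log in "System", "Application") {
    $events = Get-EventLog -LogName $log -ComputerName $ComputerName -After $since `
        -EntryType Error, Warning -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message
    Add-Section "$log log: errors and warnings since $since" $events
}

# 4. Device Manager data: devices that report a non-zero Configuration Manager error code.
$badDevices = Get-WmiObject Win32_PnPEntity -ComputerName $ComputerName |
    Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
    Select-Object Name, DeviceID, ConfigManagerErrorCode
Add-Section "Devices with problems" $badDevices

# 5. Services that should start automatically but are not running.
$stoppedAuto = Get-WmiObject Win32_Service -ComputerName $ComputerName |
    Where-Object { $_.StartMode -eq "Auto" -and $_.State -ne "Running" } |
    Select-Object Name, DisplayName, State
Add-Section "Automatic services not running" $stoppedAuto

# 6. Network data: run ipconfig and netstat locally, or on the remote computer through winrs.
if ($ComputerName -eq $env:COMPUTERNAME) {
    Add-Section "ipconfig /all" (ipconfig /all)
    Add-Section "netstat -ano"  (netstat -ano)
} else {
    Add-Section "ipconfig /all" (winrs -r:$ComputerName ipconfig /all)
    Add-Section "netstat -ano"  (winrs -r:$ComputerName netstat -ano)
}

Write-Host "Data collection report written to $report"
```

Run it from an elevated PowerShell prompt on the problem computer, or with -ComputerName to collect from a remote computer, and attach the resulting report to the incident record before escalating.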

Develop
After you determine a probable cause, you must develop an action plan, which the next topic describes.

Best Practices for Developing an Action Plan

Simple problems are easy to resolve quickly, and they might not require much consideration in terms of
an action plan. For example, an end user reports that he has forgotten his password. Your action plan
includes opening Active Directory Users and Computers, and resetting the password. However, more
complex or serious problems require careful consideration.

Analyze the Available Data


Before you start making configuration changes, analyze the available data to ensure that you have
determined the problem's probable cause.

Review the Documentation


Review any documentation related to the fix that you propose. For example, if the fix that you propose
requires the installation of a service pack, review the documentation related to the service pack.

Escalate to Build a Test Environment


If the proposed fix or workaround involves significant reconfiguration work, or if problems arise during
the fix, this could affect the user's productivity.

You may need to escalate the problem so that a test environment can be built that closely resembles the
production system, and so that appropriate support personnel use this test environment for testing your
plan of action.

Note Virtualization technologies (such as Windows Virtual PC) provide a convenient way to
build test environments without having to invest significantly in additional hardware or
software.

Consider the Impact of Changes


If you need to perform significant reconfiguration work to resolve problems that are more complex, the
changes that you plan to make can have an impact on many areas of your organization. However, it is
likely that problems of this nature are escalated to Tier 3 support staff.

Plan for Rollback


If you implement a fix or workaround, and it does not resolve the problem as expected, you might
consider rolling back the fix. Performing a rollback is not necessary, but it may be desirable in certain
circumstances.

For example, if the fix involves applying an update, removal of the update might be acceptable. If,
however, the fix involves upgrading applications to include new features that might be useful to other
end users, it might be desirable to leave the new applications installed rather than revert to the older
application. You can use the test environment to practice implementing a rollback of your proposed fix or
workaround.

Note Although the steps for the action plan in the slide are numbered, you might not
complete the steps in this order.

Implementing an Action Plan

Keep in mind that the specific stages of your plan of action may vary because of the complexities or
circumstances of a specific problem.

Implement in a Test Environment


Before you attempt a fix on the production system, implement your plan of action in your test
environment. Bear in mind that the process of changing some aspect of a computer's configuration might
result in a fix for a specific problem, but might also introduce other problems.

For example, if you apply a security update to the operating system to resolve a security problem, the
update may make applications behave differently.

When you are satisfied that you can introduce the fix or workaround without causing additional problems
and that it fixes the reported problem, proceed to the next stage.

Note Simple problems might not require this testing stage.

Consult Change Management


Large organizations implement change-management procedures to ensure that every member of the
support staff performs all changes to the IT infrastructure in a similar and appropriate manner, according
to guidelines, and with adequate documentation following any changes.

If your organization uses a change-management procedure, you must determine what is required of you
when implementing your fix or workaround. Consult the relevant documentation, and when necessary,
discuss the proposed changes with the appropriate staff.

Resolve the Problem


Help-desk staff often can resolve common problems quickly, without having to involve product specialists.
Less common or more complicated problems often require the escalation to either desktop-support
specialists or external vendors, and occasionally require the creation of a specialist team that includes
people possessing the range of skills necessary to resolve a particular issue.

When possible, consider the use of remote management tools and utilities because these often result in
quicker problem resolutions.

Monitor and Evaluate


If a fix or workaround takes time to complete, and involves a number of stages, you are required to
monitor progress toward the problem's resolution. It is important that you evaluate the data that you
collect during this monitoring process to determine whether you are any nearer to a solution. If data
indicates that a solution is not available, you might want to reconsider your plan of action.

Report and Document


Whether or not you resolve the problem successfully, you must document all the steps that you took in an
attempt to resolve it, and then document the results.

If you log the incident in a database to track the status of a reported problem, you must update the
record to reflect whether you resolved the problem and whether the incident is closed.

The next topic looks more closely at the process of recording a problem's resolution.

Recording the Problem Resolution

In most support organizations, a process exists to properly record and document a problem that a user
reports. Typically, the help-desk staff records the reported incident into a database. When a problem is
resolved, you must close the reported incident, and then communicate the resolution to the user who
reported the problem.

Update the Current Documentation


If the problem has exposed flaws in the current IT infrastructure, working practices, or other areas, you
must update the current documentation with information about these flaws and the relevant fixes or
workarounds.

For example, if you install a service pack for an operating system throughout the organization to fix an
application-compatibility issue, you must record information in the current infrastructure-related
documentation about both the compatibility issue and the installation process for the service pack.

Create New Documentation


Complex and serious problems quite often require significant changes in the infrastructure, so you must
create the necessary documentation to support these changes.

For example, if you install a new version of an application to resolve a problem, updating the existing
documentation is insufficient, because the new application may have new features, and therefore may
work differently than the old version. You must provide both users and administrators with the new
information that they require to work with the new application.

Log the Resolution


You must update any database records associated with an incident. The update should include the
resolution and other relevant information about the fix or workaround required to resolve the problem.
Also, you should not consider a problem resolved until the resolution is documented in a manner that
aids future incident resolution.

Finally, you must update the incident record as closed.

Communicate with the End User


You must let the end user who reported the problem originally know that you resolved the problem. If the
user must take any special measures or steps to bypass the problem, you must communicate these steps
or procedures. If you made significant changes to the infrastructure, users might require additional
training.

Log Preventative Measures


Problems have a habit of recurring. It is very important that you document the problem, the problem's
cause, and the steps required to resolve it. Proper documentation ensures that, in the future, other
support engineers faced with similar incidents can discover a probable cause and a recommended
solution early in the troubleshooting process.

Note Microsoft provides guidance on incident management within the Microsoft Operations Framework (MOF).

Discussion: The Benefits of Applying Troubleshooting Stages by Using a Methodology

Your instructor will initiate a classroom discussion in the form of a brainstorming session. Please consider
the stages of a troubleshooting methodology, and share your own experiences with the class.

During the discussion, feel free to make practical recommendations on the following topics:
How does your organization apply the troubleshooting stages?

How much do self-help telephone and Web portals help users?

Who does the data collecting, and how do they do it?


How does your organization handle communications between the first- and second-tier support staff
and the end user?

How much can you achieve remotely?

How do you typically communicate problem resolutions to other support staff to help resolve future
problems?

Module 2
Troubleshooting Startup Issues
Contents:
Lesson 1: Overview of the Windows 7 Recovery Environment 2-3

Lesson 2: Configuring and Troubleshooting Startup Settings 2-17

Lesson 3: Troubleshooting Operating System Services Issues 2-33


Lab: Troubleshooting Startup Issues 2-39

Module Overview

Corruptions in the system registry, or issues with device drivers or system services, often cause startup-
related problems. Therefore, systematic troubleshooting is essential so that you can determine the
underlying cause of the problem quickly and efficiently.
This module describes how to identify and troubleshoot issues that affect the operating system's ability to
start, and how to identify problematic services that are running on the operating system. It also describes
how to use the Windows 7 operating system's advanced troubleshooting tools, collectively known as the
Windows Recovery Environment (Windows RE).

Objectives
After completing this module, you will be able to:
Use Windows 7 recovery tools to troubleshoot startup problems.

Configure and troubleshoot startup settings.

Troubleshoot operating system services.



Lesson 1
Overview of the Windows 7 Recovery Environment

To recover computers that are running Windows 7 and that will not start, or which are starting with errors,
you must recognize what the operating system looks like when it is starting properly. Additionally, a good
working knowledge of the recovery tools that Windows 7 provides should enable you to identify and
resolve problems that relate to startup issues.

Objectives
After completing this lesson, you will be able to:

Describe the Windows 7 startup architecture.


Explain the repair and recovery options available in Windows 7.

Describe the recovery tools available at the command prompt in Windows RE.

Describe how to use Windows RE to check and fix the startup environment.
Describe the System Restore process in Windows.

Access System Restore to fix the startup environment.



Windows 7 Startup Architecture

The Windows 7 boot loader architecture provides a quick and secure mechanism for starting the Windows
operating system.
The boot loader architecture has three main components:

The Windows Boot Manager (Bootmgr.exe)

The Windows operating system loader (Winload.exe)

The Windows resume loader (Winresume.exe)

Windows Boot Manager


As the computer starts, Bootmgr.exe loads first, and then reads the Boot Configuration Data (BCD), which
is a database of startup configuration information that the hard disk stores in a format similar to the
registry.

Note The BCD provides a firmware-independent mechanism for manipulating boot environment data for
any type of Windows system. Windows Vista and later versions of Windows use the BCD to load the
operating system or to run boot applications such as memory diagnostics. Its structure is very like a
registry key, although it should not be managed with the registry editor.

Bootmgr.exe replaces much of the functionality of NTLDR, the bootstrap loader that Windows XP and earlier
versions of the Windows operating system use. Bootmgr.exe is independent of the operating system that it
loads: it switches the processor out of real mode into protected mode (on a 64-bit system, Winload.exe later
switches to 64-bit long mode before starting the kernel), displays a boot menu if more than one operating
system is installed, and starts the selected boot application. If the selected entry is Windows XP or earlier,
Bootmgr.exe hands over to NTLDR (the {ntldr} entry in the BCD).

Windows Operating System Loader


Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (ntoskrnl.exe) and (boot-class) device drivers, which, combined with
Bootmgr.exe, makes it functionally equivalent to NTLDR. Winload.exe initializes memory and loads drivers
that should start, and then transfers control to the kernel.

Note Boot-class device drivers have a start value of zero in the registry.

Windows Resume Loader


If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information
to Winresume.exe, and then Bootmgr.exe exits, and Winresume.exe takes over.

Winresume.exe reads the hibernation image file, and uses it to return the operating system to its pre-
hibernation running state.

Windows 7 Startup Process


When you switch on a computer, the basic input/output system (BIOS) runs first. The BIOS reads the boot
disk's Master Boot Record (MBR), and the MBR code in turn reads the active partition's boot sector.

The Windows 7 startup process has seven steps:

1. The BIOS performs a power-on self-test (POST). From a startup perspective, the BIOS enables the
computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to
loading the operating system.

2. The BIOS uses its boot order to locate a boot disk, reads the MBR from sector 0 of that disk, and runs
the MBR code. The MBR code locates the active partition and loads its boot sector, which in turn loads
Bootmgr.exe from the root of the active partition.

3. Bootmgr.exe reads the BCD store from the \Boot folder of the active partition, gathers information
about the machine's installed operating systems, and then displays a boot menu, if necessary.

4. Bootmgr.exe transfers control to Winload.exe for the selected entry, or to Winresume.exe if a
hibernation image is to be resumed. If the selected entry is a down-level operating system, such as
Windows XP Professional, Bootmgr.exe transfers control to NTLDR instead.

5. Otherwise, Winload.exe initializes memory and loads the drivers that are set to start at boot (start
value 0). These drivers are for fundamental hardware components, such as disk controllers and
peripheral bus drivers. Winload.exe then transfers control to the kernel of the operating system,
Ntoskrnl.exe.

6. The kernel initializes, and then higher-level drivers and services are loaded. During this phase, the
screen switches to graphical mode as the Windows subsystem is initialized.

7. The operating system displays the logon screen, and a user logs on to the computer.

Note Until a user has logged on, startup is not considered successful.

Windows Startup Recovery Options

If your computer fails to start correctly, you can use a number of tools to help resolve the problem.

Windows Recovery Environment


Windows RE is a recovery platform that is based on the Windows Preinstallation Environment
(Windows PE). Windows RE was new for Windows Vista, and replaced the Recovery Console in
Windows XP.
Windows RE provides two main functions:

Diagnoses and repairs startup problems automatically by using the Startup Repair tool.

Provides a centralized platform for additional advanced recovery tools.

Accessing Windows RE
To access Windows RE:

1. Insert the Windows 7 DVD, and then start the computer.


2. When prompted, run the Windows 7 DVD Setup program.

3. After you configure language and keyboard settings, select the Repair your computer option, which
scans the computer for Windows installations and then presents you with a troubleshooting tools
menu.

Note Windows RE is also accessible from the hard disk, through the Repair your computer option on
the Advanced Boot Options menu (press F8 as the computer starts). This is a more convenient method
for accessing Windows RE. However, bear in mind that with certain failed startup conditions, Windows RE
is not available from the hard disk, and you must start from the product DVD.

Automatic Failover
Windows 7 provides an on-disk Windows RE. A computer that is running Windows 7 can fail over
automatically to the on-disk Windows RE if it detects a startup failure.

During startup, the Windows loader sets a status flag that indicates that the boot process has started.
Windows clears this flag only after startup completes successfully. If startup fails, the flag is left set;
consequently, the next time the computer starts, the Windows loader detects the flag, assumes that a
startup failure has occurred, and launches Windows RE Startup Repair instead of Windows 7.

The advantage of automatic failover to Windows RE Startup Repair is that a support engineer may not
need to attend the problematic computer in person when a startup problem occurs.

Note that the computer must start successfully for the flag to be cleared. If the computer's power is
interrupted during the startup sequence, the flag is not cleared, and automatic Startup Repair is initiated
on the next start.

Bear in mind that this automatic failover requires the presence of both the Windows Boot Manager and
the Windows loader. If either of these elements of the startup environment is missing or corrupt,
automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's
startup environment from the product DVD.

Advanced Boot Options


Windows 7 provides advanced boot options (press F8 as the computer starts) that you can use to start the
operating system in troubleshooting modes, including:

Repair your computer

Safe mode

Safe mode with networking

Safe mode with command prompt

Enable boot logging

Enable low-resolution video (640x480)

Last Known Good Configuration (advanced)

Debugging mode

Disable automatic restart on system failure

Disable Driver Signature Enforcement

Start Windows normally

Note The next lesson covers Advanced Boot Options in detail.



Recovery Tools Available in Windows RE

Windows RE provides access to five tools that you can use to help recover your computer's startup
environment.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. The following sections describe Startup Repair tool functions.

Replace or Repair Disk Metadata. Disk metadata consists of several on-disk structures, including the
MBR and the partition boot sector. If these structures are missing or corrupt, the startup process fails.
If you suspect that an issue has damaged or overwritten them, run Startup Repair, which checks and, if
necessary, repairs the disk metadata automatically.

Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple
operating systems on a single computer. Another possible cause of metadata corruption is a virus
infection.

Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions
stored the boot configuration information in Boot.ini, a simple text file. Windows 7 instead uses the
BCD store, a registry-format file in the \Boot folder of the active partition. On a default Windows 7
installation that is typically the small System Reserved partition, which has no drive letter, rather
than C:\Boot.

If the boot configuration data is damaged or deleted, the operating system fails to start.

The Startup Repair tool checks and, if necessary, rebuilds the BCD, by scanning for Windows
installations on the local hard disks, and then storing the necessary BCD.

Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver
often causes Windows to start incorrectly.

The Startup Repair tool performs device driver checks as part of its analysis of your computer. If
Startup Repair detects a driver problem, it uses System Restore points to attempt a resolution, by
rolling back configuration to a known working state.

Note Even if you do not manually create restore points in Windows 7, installing a new
device driver automatically causes Windows 7 to create a restore point prior to the
installation.

System Restore
Windows 7 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state.

The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if the computer does not start
successfully, you can use System Restore by booting in Windows RE from the product DVD.

System Image Restore


System Image Restore replaces your computer's current operating system with a complete computer
backup that you created previously and that you stored as a system image. You can use this tool only if
you have made a recent complete backup of your computer. You should use this tool only if other
methods of recovery are unsuccessful; this is because it is a very intrusive recovery method that overwrites
everything on the computer.

Windows Memory Diagnostics


You can use this tool if you suspect that your computer has a physical memory problem. The Windows
Memory Diagnostics Tool produces a report if it detects that your computer has memory-related
problems.

Command Prompt
The Command Prompt tool is the command-line interface of Windows RE. It is more powerful than the
Windows XP Recovery Console, and its features are similar to the command prompt that is available when
Windows 7 is running normally.

Resolve Problems with a Service or Device Driver. If a computer that is running Windows 7
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. For example, if a device driver fails to start, use the command prompt to copy in
a replacement driver file, or disable the existing driver by setting its Start value to 4 in the registry
of the offline installation. To do this, first load the installation's SYSTEM hive with Reg.exe (or with
File, Load Hive in Regedit.exe), because the registry you see in Windows RE is that of Windows PE.
Bear in mind that Net Start and the SC tool (SC.exe) act on the services of the Windows PE session,
not on those of the offline installation; use them once Windows 7 itself is running, for example Net
Start Netlogon if the Netlogon service has failed to start.

Recover Missing Files. The Command Prompt tool also enables you to copy missing files to your
computer's hard disk from original source media, such as the Windows 7 product DVD or a USB
memory stick.

Access and Configure the BCD. Windows 7 uses a BCD store to retain information about the
operating systems that you install on the local computer. You can access this information by using the
BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For
example, you can set the default operating system on a dual-boot computer with the
bcdedit /default {id} command, where {id} is the identifier of the required boot entry as shown by
bcdedit /enum.
Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 7 will fail to start successfully. You can launch the
Bootrec.exe program at the command prompt to resolve problems with the disk metadata.
Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many
programs that you can access from Windows 7 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.

Note Windows PE is not a complete operating system. Therefore, when you use the Command Prompt
tool in Windows RE, remember that not all programs that work in Windows will work at the command
prompt. Additionally, because there are no logon requirements when Windows RE starts from the
product DVD, Windows restricts the use of some programs for security reasons, including many that
administrators typically run. Conversely, anyone who can start the computer from removable media
reaches this command prompt and can read or modify the offline installation's files and registry hives;
only full-volume encryption, such as BitLocker Drive Encryption, prevents that offline access.
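The following script is an added example, not part of the 6293A course and not a Microsoft tool. It applies the two points above about drivers and the offline registry: it loads the SYSTEM hive of an installation that will not start, lists that installation's boot-start drivers (Start value 0, the class described in the earlier note), flags any whose driver file is missing from the installation, and shows how to disable one by setting Start to 4. It assumes the failed installation's Windows folder is reachable by drive letter from a running Windows that has PowerShell (a slaved disk, an attached VHD, or the Windows RE of a later Windows version); the Windows 7 DVD's Windows RE has only cmd.exe, where the equivalent commands are reg load, reg query and reg add. The drive letter E: in the usage lines is an assumption.

```powershell
# Added example (not course material). Inspect and change services of an offline
# Windows installation by loading its SYSTEM hive under HKLM.

function Invoke-WithOfflineSystemHive {
    param([Parameter(Mandatory=$true)][string]$OfflineWindows,    # e.g. E:\Windows (assumed letter)
          [Parameter(Mandatory=$true)][scriptblock]$Action)
    $hive = Join-Path $OfflineWindows 'System32\config\SYSTEM'
    if (-not (Test-Path $hive)) { throw "SYSTEM hive not found at $hive" }
    $mount = 'OfflineSYSTEM'
    $out = & reg.exe load "HKLM\$mount" $hive 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg load failed: $out" }
    try {
        # Select\Current names the control set the installation boots with (ControlSet001, 002, ...).
        $current = (Get-ItemProperty "HKLM:\$mount\Select").Current
        & $Action ("HKLM:\{0}\ControlSet{1:D3}" -f $mount, $current) $OfflineWindows
    } finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop open key handles so the hive unloads
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}

function Get-OfflineBootStartDriver {
    param([Parameter(Mandatory=$true)][string]$OfflineWindows)
    Invoke-WithOfflineSystemHive $OfflineWindows {
        param($cs, $win)
        foreach ($key in Get-ChildItem "$cs\Services") {
            $p = Get-ItemProperty $key.PSPath
            if ($p.Start -ne 0) { continue }    # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            # Without an ImagePath the kernel loads System32\drivers\<name>.sys; otherwise the path is
            # relative to the Windows folder or prefixed with \SystemRoot\ or \??\<drive>:\Windows\.
            if ($p.ImagePath) { $image = $p.ImagePath } else { $image = "System32\drivers\$($key.PSChildName).sys" }
            $relative = $image -replace '^(\\SystemRoot\\|\\\?\?\\[A-Za-z]:\\Windows\\)', ''
            if ($relative -match '^\\') { $exists = $null }   # outside the Windows folder: check by hand
            else { $exists = Test-Path (Join-Path $win $relative) }
            New-Object PSObject -Property @{
                Name       = $key.PSChildName
                Group      = $p.Group
                ImagePath  = $image
                FileExists = $exists
            }
        }
    }.GetNewClosure()
}

function Disable-OfflineDriver {
    param([Parameter(Mandatory=$true)][string]$OfflineWindows,
          [Parameter(Mandatory=$true)][string]$Name)
    Invoke-WithOfflineSystemHive $OfflineWindows {
        param($cs, $win)
        $key = "$cs\Services\$Name"
        if (-not (Test-Path $key)) { throw "No service or driver named '$Name' in the offline hive" }
        $old = (Get-ItemProperty $key).Start
        Set-ItemProperty -Path $key -Name Start -Value 4        # 4 = SERVICE_DISABLED
        "$Name Start changed from $old to 4 (disabled); set it back to $old to undo"
    }.GetNewClosure()
}

# Usage (E: is an assumed letter for the offline installation):
#   Get-OfflineBootStartDriver -OfflineWindows 'E:\Windows' |
#       Sort-Object FileExists, Name | Format-Table Name, Group, FileExists, ImagePath -AutoSize
#   Disable-OfflineDriver -OfflineWindows 'E:\Windows' -Name 'SomeVendorDriver'
```

A boot-start driver whose file is reported as missing is the first thing to look at when startup stops before the Windows logo: either copy the file back from source media, or disable the entry, restart, and then reinstall the driver properly. Export the Services key with reg.exe before changing Start values so the change can be reversed.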

Demonstration: Examine the Startup Environment with Windows RE

In this demonstration, you will see how to examine the Windows 7 startup environment. To perform this
procedure, the instructor must start the computer from the product DVD, and then select the Repair your
computer option. The instructor will demonstrate how to use the command prompt and startup repair
tools.

Demonstration Steps
1. Use the Hyper-V Manager console to mount the product DVD.

2. Restart the virtual machine.

3. Boot into the setup program, and then select Repair your computer.

4. Open the recovery Command Prompt.

5. Determine where the C drive files are stored.

6. Test some typical command-line tools, such as net start.

7. Use Regedit.exe, sc.exe, and bootrec.exe.

8. Close the command prompt, and then restart the computer.



Windows System Restore

Windows 7 enables System Restore automatically on the system drive. System Restore takes snapshots of
your computer's system files and settings, and then saves them as restore points. Each restore point
represents the computer's configuration at a point in time when it was running successfully.

Once you enable System Restore points, Windows 7 creates them automatically when the following
actions occur:
You install a new application or driver

You uninstall or install certain programs

You install updates

Windows 7 also creates them:

Once daily.

Manually, whenever you choose to create them.

Automatically, if you choose to use System Restore to restore to a previous restore point.

In this instance, System Restore creates a new restore point before it restores the system to a previous
state, so that you can undo the restore should it fail or result in issues. No undo restore point is
created when you run System Restore from Safe mode or from Windows RE.

Note To create a restore point manually, go to the System Protection tab on the
Computer property sheet, and then click the Create button.

Perform Driver Rollbacks


You may use System Restore when you install a device driver that results in a computer that is unstable or
that fails to operate entirely. Earlier Windows versions had a mechanism for driver rollback, but it required
the computer to start successfully from Safe mode.

With Windows 7 computers, you can use System Restore to perform driver rollback by accessing the
restore points, even when the computer does not start successfully.

Protect Against Accidental Deletion of Programs


System Restore also provides protection against accidental deletion of programs. System Restore creates
restore points when you add or remove programs, and it keeps copies of application programs (file names
with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover
the file by selecting a recent restore point prior to when you deleted the program.

Note If you disable System Restore, Windows deletes all existing restore points.

Practice: Fixing the Startup Environment by Accessing System Restore

In this practice, you will create a system restore point. You then will use both Windows 7 and Windows RE
to apply the restore point.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Before you begin the practice, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator


Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 2 and 3 for 6293A-NYC-CL1.



Detailed Steps

X Task 1: Verify that System Restore is enabled


1. Switch to NYC-CL1.

2. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

3. Click Start, right-click Computer, and then click Properties.

4. In System, click System protection.

5. In the System Properties dialog box, click Local Disk (C:) (System), and then click Configure.

6. In the System Protection for Local Disk (C:) dialog box, click Restore system settings and
previous versions of files, and then click OK.

X Task 2: Create a system restore point


1. In the System Properties dialog box, click Create.
2. In the System Protection dialog box, type Initial restore point, and then click Create.

3. In the System Protection dialog box, click Close.

4. In the System Properties dialog box, click OK.

X Task 3: Access System Restore from Windows 7


1. Click Start, and then in the Search box, type System Restore.

2. In the Programs (1) list, click System Restore.

3. In the System Restore dialog box, click Next. The restore point you created should be listed.

4. Click Cancel.

X Task 4: Access System Restore from Windows RE


1. Click Start, and in the Search box, type shutdown /r, and then press Enter. Windows restarts.

2. When the virtual machine is restarting, when the Press any key to boot from CD or DVD message
appears, press Spacebar. Setup loads.

3. When prompted, in the Install Windows dialog box, click Next.

4. On the Install now page, click Repair your computer.

5. In the System Recovery Options dialog box, click Next.

6. In the System Recovery Options dialog box, click System Restore.

7. In the System Restore dialog box, click Next. The restore point you created should be listed.

X Task 5: Apply a restore point


1. In the System Restore dialog box, select Initial restore point, and then click Next.

2. On the Confirm your restore point page, click Finish.

3. In the Warning dialog box, click Yes.

4. In the System Restore message dialog box, click Restart.

5. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

6. In the System Restore dialog box, click Close.

X To prepare for the next practice


When you finish, leave the virtual machines running.
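The following script is an added example, not part of the 6293A course. It performs Tasks 1 to 3 and Task 5 of the practice above with the System Restore cmdlets that ship in Windows PowerShell 2.0 on Windows 7: it makes sure the system drive is protected, creates a named restore point, confirms that the point is listed, and can later apply a point by name. Run it from an elevated PowerShell prompt. The restore point description and the drive are assumptions you can change.

```powershell
# Added example (not course material): scripted System Restore checkpoints on Windows 7.

function New-VerifiedRestorePoint {
    param(
        [string]$Description = 'Initial restore point',   # assumed name, matches the practice
        [string]$Drive = "$env:SystemDrive\"
    )
    # Task 1: turn protection on for the drive if it was off; harmless if already on.
    Enable-ComputerRestore -Drive $Drive -ErrorAction Stop

    $before = @(Get-ComputerRestorePoint | ForEach-Object { $_.SequenceNumber })

    # Task 2: the same as clicking Create on the System Protection tab.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS -ErrorAction Stop

    # Task 3: verify the new point is listed. SequenceNumber is what Restore-Computer needs.
    $new = Get-ComputerRestorePoint | Where-Object { $before -notcontains $_.SequenceNumber }
    if (-not $new) { throw "Restore point '$Description' was requested but is not listed" }
    $new | Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

function Restore-NamedRestorePoint {
    param([Parameter(Mandatory=$true)][string]$Description)
    $rp = Get-ComputerRestorePoint |
        Where-Object { $_.Description -eq $Description } |
        Sort-Object SequenceNumber | Select-Object -Last 1
    if (-not $rp) { throw "No restore point named '$Description'" }
    # Task 5: Restore-Computer restarts the computer when it finishes; -Confirm prompts first.
    # No undo point is created when this runs from Safe mode or Windows RE.
    Restore-Computer -RestorePoint $rp.SequenceNumber -Confirm
}

# Usage:
#   New-VerifiedRestorePoint -Description 'Before driver update'
#   Restore-NamedRestorePoint -Description 'Before driver update'
```

Creating the checkpoint in a script, immediately before a driver or service change, gives you the same rollback path the practice demonstrates without relying on whoever made the change remembering to click Create.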

Lesson 2
Configuring and Troubleshooting Startup Settings

To troubleshoot a Windows 7 computer that fails to start properly, you must understand the boot process,
and the role of the BCD store in troubleshooting. This lesson describes the BCD store and how it controls
the boot process flow, and it also describes the tools and utilities that you can use to configure the
Windows 7 boot process.

Objectives
After completing this lesson, you will be able to:

Describe the role of the BCD Store.


Describe the BCD settings.

Repair the BCD Store by using the BCDEdit tool.

Describe the MSConfig tool.


Configure startup settings by using the MSConfig tool.

Explain the advanced boot options available in Windows 7.



What Is the Role of the Windows 7 BCD Store?

The BCD store is an extensible database of objects and elements that can include information about a
current hibernation image, and special configuration options for booting Windows 7 or an alternate
operating system. The BCD provides an improved mechanism for describing boot configuration data for
new firmware models.

The boot sector loads Bootmgr.exe, which in turn accesses the BCD, and then uses that information to
display a boot menu to the user (if multiple boot options exist) and to load the operating system.

These parameters were previously in the Boot.ini file (on BIOS-based computers) or in nonvolatile RAM
(NVRAM) entries (on computers based on the Extensible Firmware Interface (EFI)).

Windows 7 replaces the Boot.ini file and NVRAM entries with the BCD. This store is more versatile than
Boot.ini because it is firmware-independent: it applies both to BIOS-based computers and to other
firmware models, such as EFI-based computers.

Windows 7 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the active
partition \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition.

Understanding the BCD Configuration Settings

Depending on what you want to change, you can use the following tools to modify the BCD:

Startup and recovery. The Startup and recovery dialog box enables you to select the default
operating system if you have multiple operating systems installed on your computer. You also can
change the time-out value. These settings are on the Advanced tab in the System Properties dialog
box.
System Configuration Utility (MSConfig.exe). MSConfig.exe is an advanced tool that enables you to
select the following startup options:

Debug. Enables kernel-mode debugging for device driver development.


Safe boot. Enables you to select:

Safe boot: Minimal. On startup, opens the Windows graphical user interface (Windows
Explorer) in safe mode running only critical system services. Networking is disabled.

Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode
running only critical system services. Networking and the graphical user interface are
disabled.
Safe boot: Active Directory Domain Services (AD DS) repair. On startup, opens the Windows
graphical user interface in safe mode running critical system services and AD DS.

Safe boot: Network. On startup, opens the Windows graphical user interface in safe mode
running only critical system services. Networking is enabled.

Boot log. Records startup information into a log file.

No GUI boot. Does not display the Windows Welcome screen when starting.

Base video. Uses a generic video display adapter driver.

Number of processors. Limits the number of processors used on a multiprocessor system.

BCDEdit.exe. You can use BCDEdit, a command-line tool, to change the BCD, such as removing
entries from the list that displays operating systems. This advanced tool is for administrators and IT
professionals. BCDEdit.exe is a command-line tool that replaces Bootcfg.exe in Windows 7.
BCDEdit.exe currently enables you to:

Add entries to an existing BCD store.

Modify existing entries in a BCD store.


Delete entries from a BCD store.

Export the system BCD store to a file.

Import (restore) the system BCD store from a file.

List currently active settings.

Query a particular type of entries.

Apply a global change (to all the entries).


Change the default time-out value.

Typical reasons to manipulate the BCD with BCDEdit.exe include:

Adding a new hard disk to your Windows 7 computer, changing the logical drive numbering.
Installing additional operating systems on your Windows 7 computer, creating a multiboot
configuration.

Deploying Windows 7 to a new computer with a blank hard disk, requiring you to configure the
appropriate boot store.

Performing a backup of the BCD.

Restoring a corrupted BCD.


The following table provides additional information about the command-line syntax for BCDEdit.exe.

Command             Description
Commands that operate on a store
/createstore        Creates a new empty BCD store
/export             Exports the contents of the system BCD store to a specified file
/import             Restores the state of the system BCD store from a specified file
Commands that operate on boot entries in a store
/copy               Makes copies of boot entries
/create             Creates new boot entries
/delete             Deletes boot entries
Commands that operate on elements
/deletevalue        Deletes elements from a boot entry
/set                Creates or modifies a boot entry's elements
Commands that control output
/enum               Lists the boot entries in a store
Commands that control Boot Manager
/bootsequence       Specifies a one-time boot sequence
/default            Specifies the default boot entry
/displayorder       Specifies the order in which Boot Manager displays its menu
/timeout            Specifies the Boot Manager time-out value
/toolsdisplayorder  Specifies the order in which Boot Manager displays the tools menu
Commands that control Emergency Management Services
/bootems            Enables or disables Emergency Management Services (EMS) for a specified boot application
/ems                Enables or disables EMS for an operating system boot entry
/emssettings        Specifies global EMS parameters
Commands that control debugging
/bootdebug          Enables or disables boot debugging for a boot application
/dbgsettings        Specifies global debugger parameters
/debug              Enables or disables kernel debugging for an operating system boot entry
Commands that modify other commands
/store              Specifies the BCD store upon which a command acts
/v                  Displays boot entry identifiers in full, rather than using well-known identifiers

BootRec.exe. Use the bootrec.exe tool with the /rebuildbcd option in Windows RE to rebuild the
BCD. You must run bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup
issue, you can export and delete the BCD, and then run this option again. By doing this, you ensure
that the BCD rebuilds completely.

Note You can also use the BCD WMI provider to make changes to the BCD by using scripts. The BCD
WMI provider is a management interface and is the only programmatic interface available for the BCD.
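The following script is an added example, not part of the 6293A course and not a Microsoft tool. It scripts the BCDEdit.exe /enum output described in the table above rather than the WMI provider mentioned in the note, because the text output is the same thing you read at the Windows RE command prompt. It parses the text that bcdedit /enum all prints into one object per boot entry and then audits the entries for settings that weaken startup security: testsigning, nointegritychecks, a DISABLE_INTEGRITY_CHECKS load option, kernel or boot debugging, a persistent safeboot value, and a loader path that is not the expected Winload. It assumes the English output layout of BCDEdit.exe (entry title, a line of dashes, then name and value separated by two or more spaces). The $SampleEnum text is constructed for offline use; its GUIDs and volume numbers are made up.

```powershell
# Added example (not course material): parse "bcdedit /enum all" output and audit it.

# Constructed sample of bcdedit output (not from a real computer); one entry has
# nointegritychecks set, which is what the audit should report.
$SampleEnum = @"
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {11111111-2222-3333-4444-555555555555}
displayorder            {current}
                        {ntldr}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {11111111-2222-3333-4444-666666666666}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {11111111-2222-3333-4444-555555555555}
nx                      OptIn
nointegritychecks       Yes
"@

function ConvertFrom-BcdEnum {
    param([Parameter(Mandatory=$true)][string]$Text)
    $entries = @(); $current = $null; $lastName = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*$' -or $line -match '^-+$') { continue }   # blank line or title underline
        if ($line -match '^\s{2,}(\S.*)$' -and $current) {               # continuation of a multi-valued element
            $current.Elements[$lastName] = @($current.Elements[$lastName]) + $matches[1].Trim()
        } elseif ($line -match '^(\S.*?)\s{2,}(.+)$' -and $current) {    # "name   value"
            $lastName = $matches[1]
            $current.Elements[$lastName] = $matches[2].Trim()
        } else {                                                          # an entry title starts a new entry
            $current = New-Object PSObject -Property @{ Type = $line.Trim(); Elements = @{} }
            $entries += $current
        }
    }
    return ,$entries
}

function Test-BcdSecuritySettings {
    param([Parameter(Mandatory=$true)][object[]]$Entries)
    $findings = @()
    foreach ($e in $Entries) {
        $el = $e.Elements; $id = $el['identifier']
        if ($el['testsigning'] -eq 'Yes')       { $findings += "${id}: testsigning is on; test-signed kernel-mode code may load" }
        if ($el['nointegritychecks'] -eq 'Yes') { $findings += "${id}: nointegritychecks is on; driver signature enforcement is off" }
        if ($el['loadoptions'] -match 'DISABLE_INTEGRITY_CHECKS') { $findings += "${id}: loadoptions disables integrity checks" }
        if ($el['debug'] -eq 'Yes' -or $el['bootdebug'] -eq 'Yes') { $findings += "${id}: kernel or boot debugging is enabled" }
        if ($el['safeboot'])                    { $findings += "${id}: safeboot is set to $($el['safeboot']); the system keeps starting in safe mode" }
        if ($e.Type -eq 'Windows Boot Loader' -and $el['path'] -notmatch '^\\Windows\\system32\\winload\.(exe|efi)$') {
            $findings += "${id}: loader path is '$($el['path'])', not \Windows\system32\winload.exe"
        }
    }
    return ,$findings
}

# Offline run against the constructed sample. On a live computer, from an elevated prompt, use:
#   $entries = ConvertFrom-BcdEnum -Text ((bcdedit /enum all) -join "`n")
$entries = ConvertFrom-BcdEnum -Text $SampleEnum
"{0} entries parsed; default entry is {1}" -f $entries.Count, $entries[0].Elements['default']
Test-BcdSecuritySettings -Entries $entries
```

Against the sample this reports one finding, for the {current} entry with nointegritychecks set. The same switches appear on the Advanced Boot Options menu as Disable Driver Signature Enforcement, but that choice lasts for one start only; a value written into the BCD persists until removed with bcdedit /deletevalue, so an entry that carries one deserves an explanation.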

Practice: Using BCDEdit to Configure the BCD Store

In this practice, you will modify the startup environment of the NYC-CL1 computer. By using BCDEdit.exe,
you will modify the boot environment before you use Windows RE to launch the command prompt repair
tool. You then will use BCDEdit.exe and Bootrec.exe to repair the startup environment.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Detailed Steps

X Task 1: Examine the boot environment


1. Switch to NYC-CL1.
2. Click Start, right-click Computer, and then click Properties.

3. In System, click Advanced system settings.

4. In the System Properties dialog box, under Startup and Recovery, click Settings. The default
operating system is displayed with the startup options.

5. Click OK, and then in the System Properties dialog box, click OK.

X Task 2: Use BCDEdit to manipulate the boot environment


1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click
Run as Administrator.

2. In the User Account Control window, click Yes.



3. At the command prompt, type the following command, and then press Enter:

Bcdedit /enum

4. Note the locations of Bootmgr.exe, Winload.exe, and the osdevice.

5. At the command prompt, type the following command, and then press Enter:

Bcdedit /export C:\bcdback

The boot configuration data is exported to a file named Bcdback.

6. At the command prompt, type the following command, and then press Enter:

Bcdedit /delete {bootmgr} /f

7. At the command prompt, type the following command, and then press Enter:

Shutdown /r

The computer restarts. Do not boot from CD or DVD. The boot fails with a BCD error.

X Task 3: Repair the BCD


1. Press ESC to restart the computer. While the virtual machine is restarting, when the Press any key to
boot from CD or DVD message appears, press Spacebar. Setup loads.

2. When prompted, in the Install Windows dialog box, click Next.

3. On the Install now page, click Repair your computer.


4. In the System Recovery Options dialog box, click No. You will repair the BCD manually.

5. In the System Recovery Options dialog box, click Use recovery tools that can help fix problems
starting Windows, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.

7. At the command prompt, type the following command, and then press Enter:

E:

8. At the command prompt, type the following command, and then press Enter:

Cd\windows\system32

9. At the command prompt, type the following command, and then press Enter:

Bcdedit /enum

10. At the command prompt, type the following command, and then press Enter:

Bootrec /rebuildBcd

11. When prompted, press A at the command prompt, and then press Enter.

12. Switch to the System Recovery Options dialog box, and then click Restart.

13. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

X To prepare for the next practice


When you finish, leave the virtual machines running.

Configuring Environments with the System Configuration Tool

The System Configuration Tool (MSConfig.exe) automates the troubleshooting steps that assist you in
diagnosing issues with your systems configuration. When you use this tool, you can change the way
Windows 7 boots, and you can select options to prevent services and programs from loading during the
Windows startup process.

You can reset or change the Windows 7 configuration settings easily to include preferences for the
following:

Startup options

Services that you want to start during the startup process


Programs that you want to load during the startup process

Changes you make are undone if later you select the Normal startup option, unless you select the check
box titled Make All Boot Settings Permanent.
The System Configuration utility dialog box has five tabs:

General. Enables you to select the startup environment. You can choose between Normal,
Diagnostic, or Selective startup.
Boot. Enables you to select boot options, such as Safe boot, No GUI boot, and Base video, and to
select Advanced options, such as selecting the number of processors that you want to use, setting
the maximum memory available, or locking PCI (Peripheral Component Interconnect) devices to
resources.

Services. Provides a list of all services that start when the computer boots, and their current status,
which is Running or Stopped. You can enable or disable individual services at boot time to
troubleshoot services that might be contributing to startup problems. You can select the option to
Hide all Microsoft services, which enables you to identify nonstandard services that might be
causing a startup problem.
Startup. Enables you to view and select which applications to run at startup. Two features on the
Startup tab include the Manufacturer heading, which can help you identify an application, and the
Date Disabled heading, which can help you keep track of the date on which you disabled a startup
application.

Tools. Provides an easy method to launch various system tools. For example, you can change the
settings for User Account Control, launch Action Center, and access Computer Management and
other system tools.

Practice: Manage the Startup Environment with System Configuration

In this practice, you determine which operating system services are running. Using MSConfig.exe, you will
disable the Windows Firewall service, and then select Safe Mode. After restarting NYC-CL1, you will
permanently disable Windows Defender. Finally, you will start Windows 7 normally, and then verify that
these services are running correctly.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Detailed Steps

X Task 1: Determine which services are running


1. Switch to the NYC-CL1 computer.

2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type the following command, and then press Enter:

Net start

4. Verify that Windows Firewall is listed.

X Task 2: Disable a service, and perform a clean restart of the computer


1. At the command prompt, type the following command, and then press Enter:

msconfig

2. In the System Configuration dialog box, click the Services tab, and then locate the Windows
Firewall service.

3. Clear the Windows Firewall check box, and then click Apply.

4. Click the Boot tab.

5. Under Boot options, select the Safe boot check box, and then click OK.

6. In the System Configuration dialog box, click Restart.

7. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

X Task 3: Verify that the service is disabled


1. Click Start, right-click Computer, and then click Manage.

2. Expand Services and Applications, and then click Services.

3. In the list of services, click Windows Firewall, and verify that it is disabled.

X Task 4: Permanently disable a service from Safe mode


1. In the list of services, double-click Windows Defender.
2. In the Startup type list, click Disabled, and then click OK.

3. Close Computer Management.

X Task 5: Configure Windows 7 to start normally


1. Click Start, and in the Search box, type msconfig, and then press Enter.
2. In the System Configuration dialog box, select the General tab, click Normal startup, and then
click OK.

3. In the System Configuration dialog box, click Restart.


4. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

X Task 6: Verify service status


1. Click Start, right-click Computer, and then click Manage.

2. Expand Services and Applications, and then click Services.

3. In the list of services, click Windows Firewall, and then verify that it is running.

4. In the list of services, click Windows Defender, and then verify that it is disabled.

5. Close Computer Management.



X To prepare for the lab


When you finish, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Advanced Boot Options in Windows 7

Windows 7 provides advanced boot options that you can use to start the operating system in an
advanced troubleshooting mode.
To access the Advanced Boot Options menu, you must press F8 during the startup process. This
troubleshooting boot mode enables you to start a computer that is experiencing problems, or is unable to
perform a normal boot.
The following options are available from the boot menu:

Repair your computer. Displays a collection of system recovery tools addressing startup problems.
You also can run diagnostics, and restore the system.
Safe mode. Starts Windows with a minimal set of drivers and services. This is one of the most useful
boot options, because it allows access to the operating system when a high-level service or
application prevents a normal boot. This enables you to perform diagnostics and fix the problem.

Safe mode with networking. Starts Windows in Safe mode, and includes the network drivers and
services that you need to access the Internet or other network computers.

Safe mode with command prompt. Starts Windows in Safe mode with a command prompt window
rather than the usual Windows interface. You typically use this when other startup options do not
work.

Enable boot logging. Creates the ntbtlog.txt file, which can be useful for advanced troubleshooting.
This file lists all drivers that Windows installs during startup.

Enable low resolution video (640 X 480). Starts Windows using your current video driver, and low
resolution and refresh rate settings. Use this mode to reset your display settings.

Last Known Good Configuration (advanced). Starts Windows with the last successful registry and
driver configuration. This is useful if a driver issue is preventing the computer from properly starting.
This does not repair corrupt or missing files.

Debugging Mode. Starts Windows in an advanced troubleshooting mode intended for IT
professionals and system administrators. Debugging enables you to examine the behavior of the
operating system's device drivers. This is especially useful when Windows stops unexpectedly, as it
may provide additional information for driver developers.

Disable automatic restart on system failure. Prevents Windows from restarting automatically if an
error causes Windows to fail. Choose this option only if the computer loops through the startup
process repeatedly by failing to start correctly, and then attempting another restart.

Disable Driver Signature Enforcement. Allows you to install drivers that contain improper signatures.

Start Windows normally. Starts Windows in normal mode.



Lesson 3
Troubleshooting Operating System Services Issues

Failures of an operating system service often result in problems that are not severe enough to prevent the
computer from starting, but that restrict functionality. Therefore, it is important that you understand how
to identify and rectify service-related startup problems.

Objectives
After completing this lesson, you will be able to:

Describe operating system services.

Identify failed services by using Windows 7 tools.

Explain how to use tools and utilities to disable services.



Operating System Services

It is important to understand the differences between software applications, operating system services,
and hardware devices and their associated device drivers.
Applications operate at a high level by integrating with the computer user, and at a lower level by
integrating with the operating system. You install applications after you install the operating system, and
you must start applications manually to use them.
Operating system services are part of the operating system rather than something that you install after
the operating system deploys. Additionally, operating system services function with no user action. In fact,
they start before a user logs on to the computer.
The difference between operating system services and device drivers is that device drivers interact directly
with hardware devices or components. Generally, a system service interacts with other software
components in the operating system. From a management perspective, the difference between device
drivers and services is more obvious: you use Device Manager to manage device drivers, and you use the
services Microsoft Management Console (MMC) snap-in to manage system services.

Identifying Failed Services

When troubleshooting a computer that has problems with its operating system services, the operating
system may return an error after you log on to the computer. This error message may indicate that a
service failed to start.

Windows 7 provides several tools that can help you determine which operating system service failed to
start correctly. Because some services are dependent on other services or drivers to start successfully, you
always should consider that the failure of one service might be related to, or caused by, the failure of
another service.

Event Viewer
Windows 7 includes a tool called Event Viewer that allows you to examine certain log files that provide
information about applications, system events, and security-related matters. Event Viewer provides access
to the Windows logs, and also to applications and services logs.
The following information summarizes the information that you can access from the Windows logs.

Application. The application log contains events that applications generate. For example, a database
program records a file error in the application log, and the program developer decides which events
to record.

Security. The security log records security events, such as valid and invalid logon attempts, and events
related to resource use, such as creating, opening, or deleting files. An administrator specifies which
events Windows 7 records in the security log by creating a domain-wide audit policy.

System. The system log contains events that the system components in Windows 7 generate. For
example, if a driver or other system component fails to load during startup, Windows 7 records this
failure in the system log. Windows 7 predetermines the event types that the system components log.
For example, event ID 7036 identifies a service startup or shutdown.

If you encounter problems with service startup, examine the system and application logs for related
events.

Windows 7 logs three types of events:

Information events

Warning events

Error events

When you troubleshoot startup problems with services, pay special attention to error events that the
system log records. All users can access the application and system logs, but only members of the local
Administrators group can use the security log.

Log Files
In addition to the logs accessible from Event Viewer, Windows 7 records other events in other log files. For
example, use MSConfig.exe to configure Windows 7 to record a boot log file when it starts. The boot log
file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some services that start
during the boot process. If a problem occurs with a service, activate boot logging, and then examine the
log.

Note You also can activate boot logging from the Advanced Startup Options menu, which
is accessible by pressing F8 during the start sequence.
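The following PowerShell is an added example, not part of the course text or a Microsoft tool. It reads the Ntbtlog.txt that the Enable boot logging option and MSConfig.exe produce, splits it into the individual boots Windows appends to the file, and reports the drivers that loaded in the previous boot but not in the latest one. The log text is constructed in the Windows 7 format, and contoso_stor.sys is a fictitious driver name.

```powershell
function Get-BootLogSummary {
    # Splits Ntbtlog.txt into one object per logged boot. Windows appends a version banner,
    # a timestamp line and the driver lines for every boot made with logging on; the newest boot is last.
    param([string[]]$Lines)

    $boots = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Microsoft \(R\) Windows \(R\)') {
            $current = New-Object PSObject -Property @{ Banner = $line.Trim(); Started = $null; Loaded = @(); NotLoaded = @() }
            $boots += $current
            continue
        }
        if ($current -eq $null -or $line -match '^\s*$') { continue }
        if ($current.Started -eq $null)                    { $current.Started    = $line.Trim(); continue }  # timestamp line
        if ($line -match '^Loaded driver (.+?)\s*$')       { $current.Loaded    += $Matches[1]; continue }
        if ($line -match '^Did not load driver (.+?)\s*$') { $current.NotLoaded += $Matches[1]; continue }
    }
    return $boots
}

function Get-NewlyFailedDrivers {
    # Drivers that loaded in the previous logged boot but did not load in the latest one.
    # A Safe Mode boot legitimately lists many "Did not load" drivers, so compare like with like.
    param([object[]]$Boots)
    if ($Boots.Count -lt 2) { return @() }
    $previous = $Boots[$Boots.Count - 2]
    $latest   = $Boots[$Boots.Count - 1]
    @($latest.NotLoaded | Where-Object { $previous.Loaded -contains $_ })
}

# Constructed sample in the Ntbtlog.txt format: two boots; in the second, made after a new storage
# driver (contoso_stor.sys, a fictitious name) was installed, disk.sys no longer loads.
$log = @'
Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 2 21 2012 08:02:11.375
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\disk.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 2 21 2012 10:45:13.500
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\contoso_stor.sys
Did not load driver \SystemRoot\system32\drivers\disk.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
'@ -split "`r?`n"

$boots  = @(Get-BootLogSummary -Lines $log)
$latest = $boots[$boots.Count - 1]
"{0} logged boots; latest started {1}: {2} loaded, {3} did not load" -f $boots.Count, $latest.Started, $latest.Loaded.Count, $latest.NotLoaded.Count
'Newly failing since the previous boot:'
Get-NewlyFailedDrivers -Boots $boots
# Live file: $boots = @(Get-BootLogSummary -Lines (Get-Content "$env:SystemRoot\ntbtlog.txt"))
```

Because the file is appended to and never trimmed, delete or archive it before a diagnostic boot if you want the comparison to be between exactly the two boots you care about.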

Stop Codes
If the Windows 7 operating system experiences a system failure, it may display a stop code on a blue
screen. The stop code may contain the name of the device driver or service that is causing the system
failure, as well as information to help you diagnose the reason for the failure.
Windows 7 records information related to the system failure in a system log file called a memory dump
file, which is located in Windows\System32. Examine the contents of this memory dump file to help
determine the reason for the system failure.

Action Center
Action Center provides a consolidated tool that enables you to track and repair reported problems. You
also can configure Action Center to determine how your computer reports problems. Additionally, you
can use Action Center to examine problems that Windows reports.

Online Reporting
Action Center contains a link that you can use to check online for solutions to problems. The link submits
information regarding the problem to Microsoft. Online reporting of problems is a valuable way to help
Microsoft identify issues with Windows 7 and create targeted product updates.

Disabling Services

After you determine which service is causing the startup problem, you can disable it. Depending on the
circumstances, you can disable a service in several ways:

Safe Mode
If the Windows 7 computer does not start normally, try to start the computer in Safe Mode. Safe Mode is
accessible from the Advanced Boot Options menu, but you also can activate Safe Mode from
MSConfig.exe. In Safe Mode, a minimal set of services load during the startup process. However, these
services are sufficient to load the operating system. You then can use standard operating system tools,
such as Control Panel, Computer Management, Registry Editor, the services MMC snap-in, and Event
Viewer, to troubleshoot the service startup problem.

Last Known Good Configuration

If you add or reconfigure a new service, Windows 7 updates the System hive in the computer's
configuration database or registry. If the reconfiguration or addition of a new service results in an
unstable or unusable system, you should roll back the change. One way to do this is to use Last Known
Good Configuration, which is accessible from the Advanced Boot Options menu.

Use Last Known Good Configuration to roll back the computer registry System hive to an earlier working
version. Because the System hive contains information related to the starting of services, rolling back the
change to the System hive might help you resolve the problem without requiring you to disable the
newly-installed service manually.

Note Once you log on to your computer, the Last Known Good configuration is overwritten
with the Current configuration, and the ability to use Last Known Good as a recovery option
is no longer available.

Command Prompt Recovery Tool


If you can start the operating system either normally or in Safe Mode, you can access the command
prompt. If you cannot start the operating system, you can access the Command Prompt recovery tool
from Windows RE.

At the command prompt, use either the Net command or SC.exe to manually start, stop, activate, and
disable services.

System Configuration Utility


Use MSConfig.exe to specify which services you want to run on startup. MSConfig.exe displays a list of
services that start automatically, and you can selectively disable services. You also can use this tool to start
the computer in Safe mode, and to configure additional startup characteristics while you troubleshoot the
computer.
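The following PowerShell is an added example, not part of the course text or a Microsoft tool. It does what the Net and SC.exe commands or MSConfig.exe do when you disable a service, but records the service's current start type first so the change can be reverted, and lists the services that depend on it, since those will also fail to start. It uses Set-Service and the Win32_Service WMI class rather than SC.exe; MpsSvc (Windows Firewall) and WinDefend (Windows Defender) are the services the practice works with, and the record folder is an assumption.

```powershell
function Disable-ServiceWithRecord {
    # Saves a service's current start type to a CSV, warns about dependent services, then sets it to Disabled.
    # Like MSConfig, the new start type takes effect at the next boot; the service is not stopped here.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z0-9_.\-]+$')][string]$Name,
        [string]$RecordDir = "$env:SystemDrive\StartupTriage"     # assumed location for the rollback records
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # ServiceController does not expose the start type in PowerShell 2.0, so read it from WMI.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"

    if (-not (Test-Path $RecordDir)) { New-Item -Path $RecordDir -ItemType Directory | Out-Null }
    $recordPath = Join-Path $RecordDir "$Name.csv"
    New-Object PSObject -Property @{
        Name = $svc.Name; DisplayName = $svc.DisplayName
        StartMode = $wmi.StartMode; Status = [string]$svc.Status; Recorded = (Get-Date).ToString('s')
    } | Export-Csv -Path $recordPath -NoTypeInformation

    # Anything that depends on this service will also fail to start; show it before committing.
    $dependents = @($svc.DependentServices | Select-Object -ExpandProperty Name)
    if ($dependents.Count -gt 0) {
        Write-Warning ("Disabling {0} also affects: {1}" -f $Name, ($dependents -join ', '))
    }

    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Set start type to Disabled')) {
        Set-Service -Name $Name -StartupType Disabled
    }
    return $recordPath
}

function Restore-ServiceStartType {
    # Puts the start type back from a record written by Disable-ServiceWithRecord.
    param([Parameter(Mandatory=$true)][string]$RecordPath)
    $record = Import-Csv -Path $RecordPath
    # Win32_Service reports Auto/Manual/Disabled; Set-Service wants Automatic/Manual/Disabled.
    $startType = switch ($record.StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { throw "Start mode '$($record.StartMode)' is not one Set-Service can restore." }
    }
    Set-Service -Name $record.Name -StartupType $startType
    "{0}: start type restored to {1}" -f $record.DisplayName, $startType
}

# Usage from an elevated prompt. -WhatIf writes the record and shows the change without applying it.
$recordPath = Disable-ServiceWithRecord -Name MpsSvc -WhatIf
# Disable-ServiceWithRecord -Name WinDefend
# Restore-ServiceStartType -RecordPath "$env:SystemDrive\StartupTriage\MpsSvc.csv"
```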

Remote Tools
If you can start Windows 7, but installed services do not start correctly, you might be able to troubleshoot
the services remotely. You can use most of the built-in management consoles to connect to a remote
machine and configure settings. The following list summarizes several remote tools that are available in
Windows 7:

Remote Assistance. Use Remote Assistance to offer help to a user with a computer experiencing
service-related problems. You can connect to the user's computer, and then use troubleshooting tools
to diagnose and fix the problem.

Remote Desktop. Use Remote Desktop to connect to a computer with a service-related problem. You
can use Remote Desktop to connect to, and take control of, the user's computer, and then use
troubleshooting tools to diagnose and fix the problem.

Windows Remote Shell (WinRS). Use this shell tool to manage another computer remotely. WinRS
operates in the context of Windows Remote Management (WinRM) which is the Microsoft
implementation of the WS-Management protocol.

Custom Management Consoles. You can add most administrative snap-ins to custom management
consoles, to connect to specific remote computers, and to configure settings on those computers.

Lab: Troubleshooting Startup Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 2 and 3 for 6293A-NYC-CL1.



Lab Scenario
The help desk has received a number of trouble tickets that they cannot resolve, and they have passed
those tickets to you. You need to determine how to resolve each problem, and then document your
solution.

For this project, you must complete the following tasks:

Read the help-desk tickets.

Plan a course of action.

Attempt to resolve the problems.


Document successful resolutions.

Exercise 1: Resolving a Startup Problem (1)


Scenario
In this exercise, you will attempt to fix a computer that is running Windows 7. The computer does not
start successfully. You have an open help-desk ticket to help you determine the likely cause of the
problem.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 601237.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 601237

Date of Call: February 21

Time of Call: 10:45

User: Adam Carter (Production Department)

Status: OPEN

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partly through
the process. Since then, his computer displays the following error message when it starts:

Windows Boot Manager.

File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data file is missing required information.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 601237


Read the help-desk Incident Record for Incident 601237.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Switch to NYC-CL1.

2. Log on by using the following credentials:

User name: Contoso\Administrator

Password: Pa$$w0rd

3. Run the D:\Labfiles\Mod02\Scenario1.vbs script.


4. Wait while NYC-CL1 restarts.

X Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
available for troubleshooting the startup environment.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.


Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1.

In the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Repeat these steps for 6293A-NYC-CL1.

On NYC-CL1, log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

Results: At the end of this exercise, you will have resolved the first startup problem and documented your
solution.

Exercise 2: Resolving a Startup Problem (2)


Scenario
In this exercise, you will attempt to fix a computer that is running Windows 7. The computer does not
start successfully. You have an open help-desk ticket to help you determine the likely cause of the
problem.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 601338.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 601338

Date of Call: February 23

Time of Call: 13:30

User: Martin Berka (Marketing Department)

Status: OPEN

Incident Details
Martin contacted the help desk after attempting to install a new hard disk driver.
Since the attempt, his computer does not start correctly.

Additional Information
Help desk staff recorded the following message:
A problem has been detected, and Windows has been shut down to prevent damage to your
computer.
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers.
Technical information:
*** STOP: 0x0000007B (0x8078BB58,0xC0000034,0x0000000,0x00000000)

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record 601338


Read the help-desk Incident Record for incident 601338.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod02\Scenario2.vbs script.

3. Wait while NYC-CL1 restarts.

X Task 4: Attempt to resolve the problem


1. Using your knowledge of the startup architecture, and tools available for troubleshooting the startup
environment, attempt to resolve the problem.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.


In Hyper-V Manager, click 6293A-NYC-DC1.

In the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Repeat these steps for 6293A-NYC-CL1.

On NYC-CL1, log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

Results: At the end of this exercise, you will have resolved the startup problem and documented your
solution.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Module Review and Takeaways

Review Questions
1. After installing a new video driver, your user's computer becomes unstable and will not start correctly.
What would you try first to resolve this problem?

2. The boot environment of a user's computer is corrupt, and you suspect a virus. Before you can run
virus removal tools, you must recover the boot environment. What command-line tool(s) could you
use?

3. Your user adds a new hard disk to the computer, which changes the computer's partition numbering.
To enable the computer to start, the user needs you to change the BCD. What tool would you use?

4. A user has reported a problem to the help desk. They are experiencing problems with starting their
computer after a new device driver was added. You decide to start the computer by using a minimal
boot, but want to configure that from Windows before restarting. What tool could you use?

5. A system service is causing startup problems, and your help-desk user has started the problematic
computer into Windows RE. What command-line tools, accessible from Windows RE, enable you to
control the startup of services?
6. The help desk recently installed a new device driver on a computer. A stop code is generated along
with a blue screen during startup. What recovery mechanism would you try first?

Tools

Tool                Use for                                          Where to find it
BCDEdit.exe         Viewing and configuring the BCD store            Command-line
sc.exe              Managing services                                Command-line
MSConfig.exe        Managing services and the startup environment    Windows
Windows RE          Troubleshooting Windows 7 computers              Elements available on hard disk (automatic failover) and the product DVD
Safe Mode           Troubleshooting startup                          Accessible from the Advanced Boot Options menu
Bootrec.exe         Managing the boot environment                    Command-line
Sysinternals Suite  Advanced configuration and troubleshooting       Download from the Microsoft TechNet website

Module 3
Using Group Policy to Centralize Configuration
Contents:
Lesson 1: Overview of Group Policy Application 3-3

Lesson 2: Resolving Client Configuration Failures and GPO Application Issues 3-16

Lab: Using Group Policy to Centralize Configuration 3-27



Module Overview

Group Policy is an essential tool that you can use to configure the computer systems in an enterprise
environment. With Group Policy, you can quickly and easily apply configuration settings centrally. This is
faster and more practical than configuring hundreds or thousands of computers manually.
In most cases, a server administrator administers an organization's Group Policy, rather than desktop
support staff. However, it is important for desktop support staff to understand how Group Policy works
and how to identify when an organization is not applying Group Policy objects (GPOs) properly.

Objectives
After completing this module, you will be able to:

Describe Group Policy application.


Troubleshoot client configuration failures and GPO application issues.

Lesson 1
Overview of Group Policy Application

You can manage GPOs centrally, and store them on domain controllers. Client computers download GPOs
and apply them in specific ways, so it is important for you to understand how Windows 7 processes them
so that you can identify when Windows 7 is not processing correctly.

Objectives
After completing this lesson, you will be able to:

Describe Group Policy options for deploying configuration settings.


Describe how Windows 7 processes GPOs.

Describe Group Policy inheritance.

Describe the application of Group Policy.

Describe synchronous and asynchronous processing of GPOs.

Describe loopback processing.

Configure Group Policy in Active Directory Domain Services (AD DS).



Group Policy Options for Deploying Configuration Settings

Group Policy contains thousands of settings for configuring Windows 7. Each Windows 7 computer has a
local Group Policy that you can edit to configure these settings. However, when you are managing client
computers in an enterprise environment, it is not practical to modify the local Group Policy manually on
each computer. Instead, you use AD DS to distribute GPOs. By default, Windows 7 computers download
GPOs at startup and every 90 minutes thereafter.

Note A local GPO applies to all local and domain users. The user settings in a GPO that
AD DS distributes do not apply to local users.

Inside a GPO, there are User Configuration settings and Computer Configuration settings. The User
Configuration settings apply to user accounts, and the Computer Configuration settings apply to
computer accounts. If the user account and computer account are in different organizational units (OUs),
a single GPO may apply to the user who logs on, but not to the computer itself, and vice versa.

Within the User Configuration and Computer Configuration, there are policies and preferences. Policies are
Microsoft Windows configuration settings that are enforced on the client; preferences are settings that
are applied to the client, but the user has the option to change them. Preferences include items such as
drive mappings and printers.

Processing GPOs

Windows 7 applies Group Policy for computers when users start the computers, and applies Group Policy
for users when the user logs on to the computer. Computer and user settings are refreshed at regular,
configurable intervals, and the default refresh interval is every 90 minutes. You also can force an update
by running GPUpdate.exe at a command prompt.
Group Policy Objects are processed in the following order:

1. Local GPOs

2. Site-level GPOs

3. Domain-level GPOs

4. Organizational Unit (OU) GPOs, including any nested OUs, starting with the OU furthest from the user
or computer object

GPOs that are applied to higher-level containers pass through to all sub-containers in that part of the
Active Directory tree. For example, a policy setting that is applied to an OU also applies to any child OUs
below it. The local GPO is processed first, and the organizational unit to which the computer or user
belongs is processed last. The last GPO processed is the effective setting.

Other factors that can influence the processing of GPOs include:

Security filtering. An individual GPO can have security filtering applied which controls which users and
computers are able to apply the GPO. By using security filtering, you limit a GPO to a specific group
of users or computers. By default, Windows 7 applies a GPO to Authenticated Users, which allows all
users and computers to apply it.

Windows Management Instrumentation (WMI) filtering. You can link a WMI filter to an individual
GPO, which restricts the computers to which the GPO applies. You can base a WMI filter's parameters on
a wide variety of characteristics, such as installed software or hardware. An error in the WMI query of a
WMI filter may result in the GPO not applying to any computers.

Slow link processing. By default, some GPO settings are not applied over slow links (500 kilobits per
second (Kbps) or less) because they may take too long to download. Administrative templates and
security settings are processed regardless of link speed. This may result in roaming users with portable
computers having a slightly different experience when they are not in the office and connected to the
corporate network.

Group Policy Inheritance

You can create and link GPOs to users and computers at a site, domain, or OU. When you apply multiple
GPOs to users and computers, the settings in the GPOs are aggregated. For most policy settings, the GPO
with the highest precedence that contains the specific setting determines the setting's final value. For
a few settings, the final value is actually the combination of values across GPOs.
GPOs that Windows 7 processes last have the highest precedence. GPOs follow the Local, Site, Domain,
OU rule for processing: first the local GPO, then the site, then the domain, and lastly the OU, including
nested OUs, which are OUs that have another OU as their parent. In the case of nested OUs, GPOs linked
to the parent OUs are processed before GPOs linked to the child OUs. In this processing order, Windows 7
applies local GPOs first, but they have the least precedence. Windows 7 processes OU GPOs last, and they
have the highest precedence.
Several Group Policy options can alter this default inheritance behavior. These options include:
Link Order: The precedence order for GPOs linked to a given container. The GPO link with a Link
Order of one has the highest precedence on that container. Changing the Link Order has no effect
unless GPOs that link to the same location have conflicting settings.

Enforced: The ability to specify that a GPO takes precedence over any GPOs that link to child
containers. Additionally, a GPO that Windows 7 enforces at the domain level overrides a GPO that it
enforces at an OU. You typically enforce a GPO to ensure that computers use company-wide settings,
and that departmental administrators do not override these settings by creating a GPO.
Block Inheritance: The ability to prevent an OU or domain from inheriting GPOs from any of its parent
containers. Note that Enforced GPO links will always be inherited. You typically use blocking
inheritance to allow a department to manage Group Policy settings separate from the rest of the
organization.

Link Enabled: The ability to specify whether Windows 7 processes a specific GPO link for the container
to which it links. When you do not enable a link, Windows 7 does not process the GPO. This is
typically done during troubleshooting when you want to disable processing of a GPO to eliminate it
as a source of configuration errors.
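To see how these inheritance options combine, here is an added PowerShell example (not part of the course) that simulates the Local, Site, Domain, OU precedence rules described above, including Link Order, Enforced, Block Inheritance, Link Enabled and security filtering. The GPO names, containers, groups and settings it uses are constructed for the illustration.

```powershell
# Added example (not from the course): predicts the apply order of GPOs and the
# effective value of each setting for one computer object, using the rules above.
# All GPO, OU, group and setting names are constructed for the illustration.

# Contents of each GPO: the settings it defines and the groups its security filtering allows.
$Gpos = @{
    'Local GPO'             = @{ Filter = @('Authenticated Users'); Settings = @{ ScreenSaverTimeout = 300; Wallpaper = 'local.bmp' } }
    'Default Domain Policy' = @{ Filter = @('Authenticated Users'); Settings = @{ ScreenSaverTimeout = 600 } }
    'Corporate Security'    = @{ Filter = @('Authenticated Users'); Settings = @{ ScreenSaverTimeout = 900; RemovableStorage = 'Deny' } }
    'Research Lab'          = @{ Filter = @('Authenticated Users'); Settings = @{ ScreenSaverTimeout = 0;   RemovableStorage = 'Allow' } }
    'Helpdesk Tools'        = @{ Filter = @('Helpdesk');            Settings = @{ Wallpaper = 'helpdesk.bmp' } }
    'Old Lab Policy'        = @{ Filter = @('Authenticated Users'); Settings = @{ Wallpaper = 'old.bmp' } }
}

# The container chain for the target object, from the site down to its OU.
# LinkOrder 1 is the highest precedence on that container.
$Chain = @(
    @{ Name = 'Site: Default-First-Site-Name'; BlockInheritance = $false; Links = @() },
    @{ Name = 'Domain: contoso.com';           BlockInheritance = $false; Links = @(
        @{ Gpo = 'Default Domain Policy'; LinkOrder = 1; Enforced = $false; Enabled = $true },
        @{ Gpo = 'Corporate Security';    LinkOrder = 2; Enforced = $true;  Enabled = $true }) },
    @{ Name = 'OU: Research';                  BlockInheritance = $true;  Links = @(
        @{ Gpo = 'Research Lab';          LinkOrder = 1; Enforced = $false; Enabled = $true },
        @{ Gpo = 'Helpdesk Tools';        LinkOrder = 2; Enforced = $false; Enabled = $true },
        @{ Gpo = 'Old Lab Policy';        LinkOrder = 3; Enforced = $false; Enabled = $false }) }
)

function Get-GpoApplyOrder {
    param([array]$Chain, [string]$LocalGpo)
    $inherited = @()   # non-enforced links, in the order Windows applies them
    $enforced  = @()   # enforced links, collected top-down
    foreach ($container in $Chain) {
        # Block Inheritance discards what the parents passed down, but enforced links survive.
        if ($container.BlockInheritance) { $inherited = @() }
        # A disabled link is skipped. Higher LinkOrder numbers have lower precedence,
        # so they are applied first and the LinkOrder 1 GPO is applied last on this container.
        $links = @($container.Links | Where-Object { $_.Enabled } | Sort-Object { $_.LinkOrder } -Descending)
        foreach ($link in $links) {
            if ($link.Enforced) { $enforced += $link.Gpo } else { $inherited += $link.Gpo }
        }
    }
    # Enforced links are applied after everything else, and an enforced link on a parent
    # container is applied after one on a child, so the parent's enforced setting wins.
    [array]::Reverse($enforced)
    return @($LocalGpo) + $inherited + $enforced   # local GPO first: least precedence
}

function Get-EffectiveSettings {
    param([array]$ApplyOrder, [hashtable]$Gpos, [string[]]$Groups)
    $effective = @{}
    foreach ($name in $ApplyOrder) {
        $gpo = $Gpos[$name]
        if (-not $gpo) { continue }
        # Security filtering: the object must belong to at least one group the GPO is filtered to.
        $allowed = @($gpo.Filter | Where-Object { $Groups -contains $_ }).Count -gt 0
        if (-not $allowed) { continue }
        # A GPO later in the apply order overwrites earlier values: the last processed GPO wins.
        foreach ($key in $gpo.Settings.Keys) {
            $effective[$key] = @{ Value = $gpo.Settings[$key]; Source = $name }
        }
    }
    return $effective
}

$order = Get-GpoApplyOrder -Chain $Chain -LocalGpo 'Local GPO'
Write-Output ('Apply order (least to highest precedence): ' + ($order -join ' -> '))

$groups = @('Authenticated Users', 'Domain Computers')   # the computer is not in Helpdesk
$effective = Get-EffectiveSettings -ApplyOrder $order -Gpos $Gpos -Groups $groups
foreach ($key in ($effective.Keys | Sort-Object)) {
    Write-Output ('{0,-20} = {1,-12} (from {2})' -f $key, $effective[$key].Value, $effective[$key].Source)
}
```

In this scenario the Research OU blocks inheritance, so Default Domain Policy drops out of the apply order, while the enforced Corporate Security link is still applied last and supplies the final ScreenSaverTimeout and RemovableStorage values; Helpdesk Tools is filtered to a group the computer is not in, so the Wallpaper value comes from the local GPO.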

Discussion: Group Policy Application

Woodgrove Bank has a single domain with OUs that represent three regional offices. In each regional
office, there is a single Computers OU that contains all computer accounts for that region. The
organization stores user accounts for each region in various OUs based on workgroups. Each region has
the following workgroups:
Retail

Commercial

Managers

Discussion Questions
1. How would you use a GPO to distribute an application only to users in a single region?

2. You link the GPO to the Computers OU in that region. Which settings are applied?

3. Why might it be a benefit for roaming users to link printer distribution to a site rather than a
specific OU?

4. How can you configure security settings in a GPO and ensure that they are applied to all regions?

5. The home page for users is defined in a GPO that is linked to the domain. The home page points at
the company intranet. The managers have a new web-based application that should be defined as
their home page. This should be distributed by GPO. How can you do this?

Synchronous and Asynchronous Processing of GPOs

By default, Group Policy processing on Windows servers is synchronous, which means that Windows
servers complete the Group Policy processing for computers before they present the Ctrl+Alt+Delete
dialog box, and that the Group Policy processing for users completes before the shell is active and
available for the user to interact with it.
By default, Group Policy processing on client computers is asynchronous. Typically, client computers do
not wait for the network to initialize fully at startup and logon. The client computers log on existing users
by using cached credentials, which results in a shorter logon period. Windows 7 applies Group Policy in
the background after the network becomes available.

If a user with a roaming profile, home directory, or user-object logon script logs on to a computer, the
computer always waits for the network to initialize before completing the logon. If a user has never
logged on to the computer before, the computer always waits for the network to initialize, because there
are no cached credentials.

Multiple Logons Sometimes Required


Extensions such as Software Installation and Folder Redirection take two logons to apply changes. To
operate safely, these extensions require that no users are logged on, so Windows must process them
in the foreground before users are actively using the computer. Additionally, changes made to the user
object, such as adding a roaming profile path, home directory, or user-object logon script, can also
require two logons to apply. To guarantee the application of Folder Redirection, Software Installation,
or roaming user profile settings in just one logon, you should enable the policy setting that ensures
Windows waits for the network to become available before applying policy.

Time Limit for Group Policy Processing


Under synchronous processing, there is a time limit of 60 minutes for all Group Policy settings to finish
processing on the client. Any client-side extensions that do not finish within 60 minutes receive a signal to
stop, which means that Windows may not fully apply associated policy settings. There is no setting to
control this time-out period or behavior.

Loopback Processing

Typically, when you apply GPOs to users, the same set of user policy settings applies to those users
regardless of the computers that they use. The Group Policy loopback feature applies user policy settings
in the GPOs that relate to a computer account, which would normally only apply computer policy settings.

By enabling the loopback processing policy setting in a GPO, you can configure user policy settings to
apply on a specific computer, regardless of which user logs on. This means that you can apply different
user settings when a user logs on to a computer that this setting affects. When you use this option, you
must ensure that you enable the computer and user sections of the GPO.
You can set the loopback processing policy setting by using the User Group Policy loopback processing
mode setting, which is located at Computer Settings\Administrative settings\System\Group Policy.

There are two modes available:

Merge mode: In this mode, Windows gathers the list of GPOs for the user during the logon process.
Then, it gathers the list of GPOs for the computer. Next, Windows adds the list of GPOs for the
computer to the end of the user's GPOs. As a result, the computer's GPOs have a higher precedence
than those of the user.

Replace mode: In this mode, Windows does not gather the list of GPOs for the user. Instead, it uses
only the list of GPOs based on the computer object, and then it applies the User Configuration
settings from this list to the user.

In certain closely managed environments, such as terminal servers, it is appropriate to enable loopback
processing. You also would use this setting for special-use computers, such as those in public places,
computer labs, and classrooms, where you want the user experience to be specific to the environment.

Practice: Using the Group Policy Management Console

In this practice, you will:

Install the Group Policy Management Console (GPMC) on NYC-CL1.

Use the GPMC to create a new GPO.

Configure a new GPO to create a Desktop shortcut.


Update Group Policy on NYC-DC1.

Note Some of the tasks that you perform to complete this practice may not typically be the
responsibility of Tier 2 support staff. However, it is useful to learn the procedure.

Instructions
For this practice, you will use the available virtual machine environment.

Before you begin the practice, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 2 through 4 for 6293A-NYC-CL1.

Detailed Steps

Task 1: Install the Group Policy Management Console on NYC-CL1


1. On NYC-CL1, click Start, type \\NYC-DC1\D$\Labfiles\Mod09\Software, and then press Enter.

2. In Windows Explorer, double-click x86fre_GRMRSAT_MSU.msu. This file is the Remote Server


Administration Tools (RSAT) for Windows 7.

3. In the Windows Update Standalone Installer window, click Yes to install.

4. In the Download and Install Updates window, click I accept.

5. In the Windows 7 Remote Administration Tools window, read the instructions, and then close the
window.

6. In the Download and Install Updates window, click Close.


7. Close Windows Explorer.

8. Click Start, and then click Control Panel.

9. In Control Panel, click Programs, and then click Programs and Features.
10. In Programs and Features, click Turn Windows features on or off.

11. In the Windows Features window, expand Remote Server Administration Tools, expand Feature
Administration Tools, select the Group Policy Management Tools check box, and then click OK.

12. Close the Programs and Features window.

Task 2: Use the Group Policy Management Console to create a new GPO
1. On NYC-CL1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click
Contoso.com. Notice that the Default Domain Policy links to the root of the Contoso.com domain.

3. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.

4. In the New GPO window, in the Name box, type Preferences, and then click OK.

Task 3: Configure a new GPO to create a desktop shortcut


1. In the left pane, click the Preferences GPO link.

2. Click OK to close the warning dialog box.

3. On the Scope tab, verify that no WMI filters are applied.

4. On the Settings tab, verify that no settings are defined in this GPO.

5. In the left pane, right-click Preferences to display the context menu. Notice that the link is enabled
but not enforced.

6. In the context menu, click Edit.

7. In the Group Policy Management Editor window, review the available information. Notice that there
are two categories of settings, User Configuration and Computer Configuration, which are divided
further into Policies and Preferences.

8. Under User Configuration, expand Preferences, expand Windows Settings, and then click
Shortcuts.

9. Right-click Shortcuts, point to New, and then click Shortcut.

10. In the New Shortcut Properties window, enter the following information, and then click OK:
Name: Notepad

Target type: File System Object

Location: Desktop
Target Path: C:\Windows\System32\notepad.exe

11. Close the Group Policy Management Editor.

12. Close the GPMC.

Task 4: Update Group Policy on NYC-CL1


1. On NYC-CL1, click Start, point to All Programs, click Accessories, and then click Command
Prompt.

2. At the command prompt, type gpupdate /force, and then press Enter. The /force option reapplies all
policy settings, rather than only the settings that have changed since the last refresh.

3. When the Group Policy update is complete, close the command prompt.

4. Notice that the Notepad shortcut appears on the desktop.

To prepare for the next practice


When you finish, leave the virtual machines running.

Lesson 2
Resolving Client Configuration Failures and GPO
Application Issues

Most issues that relate to the application of GPOs are due to incorrect configurations on the part of an
administrator. Despite the fact that you, as a desktop support person, may not be able to resolve GPO
application issues, it is important that you can identify them. After you identify an issue with the
configuration of Group Policy application, you may need to escalate the issue to a server administrator
who has the necessary permissions to resolve the issue.

Objectives
After completing this lesson, you will be able to:

Discuss reasons for client configuration failures that incorrectly configured GPOs cause.

Explain how to resolve common client configuration issues that result from the application of GPOs.

Describe Group Policy troubleshooting tools.


Demonstrate how to use Group Policy application troubleshooting tools.

Explain how to resolve Group Policy application failures.



Discussion: Reasons for GPO Application Issues

A GPO application issue is any situation where a GPO does not have the effect on users or computers that
you expect. Common symptoms of GPO application issues are:

GPO settings, such as security restrictions or drive mapping, are not being applied to specific users or
computers.

Unexpected GPO settings are being applied to users or computers.

GPO settings are being applied to a user differently based on physical location or computers.

Because a GPO can affect many users and computers, administrators should test the configuration of
GPOs thoroughly before applying them. Even after testing, there may be situations in which settings in a
GPO do not apply to users and computers in the ways that you expect.

Question: What are some of the reasons that GPO settings might not apply as you think
they should?

Ways to Resolve GPO Application Issues

GPO application issues often result from configuration errors. In many cases, it is just a matter of
identifying and resolving the configuration error. One of the most common errors is linking a new GPO to
an incorrect location. To avoid this error, verify that a GPO with user settings is linked to the user
object's location, and that a GPO with computer settings is linked to the computer object's location.
If you want user settings in a GPO to apply only when the user logs on to a particular computer or group
of computers, you must enable loopback processing for those computers. After you enable loopback
processing, the user settings in the GPOs that apply to the computer account are processed.
When a new GPO is linked, it may not take effect immediately. By default, GPOs are processed every 90
minutes on client computers. However, you can force the GPO to take effect immediately by running
gpupdate.exe /force at a command prompt.
If you update a GPO and it does not take effect, you may need to restart the computer, because some
settings apply correctly only during the computer startup process.

Finally, if GPOs do not take effect for remote users, you can disable slow link processing. However, if you
disable slow link processing it may result in slow logons because large GPOs download over a slow
connection. This is of particular concern when you use GPOs for software distribution.

Tools for Troubleshooting GPO Application

To troubleshoot GPO application issues, you should understand how Windows applies GPOs so that you
can identify at what point in that process the issue is occurring.

The following table lists some tools that you can use for troubleshooting GPO application issues.

Troubleshooting tool: Resultant Set of Policy (RSoP)
Description: RSoP is the best tool for determining which GPOs apply to a user and computer. Group
Policy Modeling reports predict the policies that will be applied at a specific client. Group Policy
Results reports collect information directly from the client to show the policies that are in effect, and
include key policy events that are logged at that client. This tool is part of the GPMC, and you can add
it to a Windows 7 computer as a feature after you download and install the Remote Server
Administration Tools.
You can use RSoP information to verify that the expected GPOs are applying to a specific user and
computer.

Troubleshooting tool: GPResult.exe
Description: A command-line tool that displays RSoP data. You can specify a specific user and computer
account when you run the tool.

Troubleshooting tool: Addiag.exe
Description: This tool identifies information that relates to the installation of software by using a GPO.
This tool is part of the Windows XP Service Pack 2 (SP2) support tools, but works with Windows 7.
You can use this tool to identify whether a GPO that distributes software is applied to a computer by
reviewing the software available for installation.

Troubleshooting tool: Group Policy preferences logging and tracing
Description: You can enable logging and tracing for various types of Group Policy preferences. When
you enable this, each type of log saves event data to a log file.
You can review these logs to help identify the cause of application issues with Group Policy
preferences, such as a drive mapping or printer not being created. This logging is much more detailed
than Event Viewer.

Troubleshooting tool: Event Viewer
Description: Windows 7 and Windows Vista include an event log specifically for Group Policy. This log
can help you identify whether the client is using slow link processing and whether Windows is applying
GPOs.

Windows 7 includes rsop.msc, which provides RSoP data similar to what is available in the GPMC.
However, to perform queries for nonlocal computers and for users that are not logged on locally, the tool
requires Windows Firewall on the target computer to allow WMI requests. You can use Group Policy to
enable the necessary predefined firewall rules, or run the command netsh advfirewall firewall set rule
group="windows management instrumentation (wmi)" new enable=yes on the target computer.

Practice: Using GPO Application Troubleshooting Tools

You can use several tools to perform GPO application troubleshooting. It is important that you have some
hands-on experience enabling and using these tools.

In this practice, you will use GPO application troubleshooting tools to review how the tools work.

Note Some of the tasks that you perform in this practice may not typically be the
responsibility of Tier 2 support staff. However, it is useful to learn the procedure.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Detailed Steps

Task 1: Use GPMC to verify settings are configured in a GPO


1. On NYC-CL1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. If necessary, click the Preferences GPO link, and then click OK to clear the warning message.

3. On the Settings tab, under User Configuration, beside Shortcuts, click show. Notice that the list
includes the shortcut that you created in the previous practice.

Task 2: Enable Group Policy Preferences logging and tracing


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the GPMC, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click
Contoso.com.

3. Right-click Preferences, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, expand Group Policy, and then click Logging and
tracing.

Note These settings are not visible from Group Policy Management on NYC-CL1 because it
is using different administrative templates.

5. In the right pane, double-click Configure shortcuts preference logging and tracing.
6. In the Configure Shortcuts preference logging and tracing window, click Enabled.

7. In Options, in the Event logging box, click Informational, Warnings, and Errors.

8. In the Tracing box, click On, and then click OK.

9. Close the Group Policy Management Editor.

Task 3: Perform Group Policy Modeling


1. On NYC-CL1, in the GPMC, click Group Policy Modeling.

2. Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

3. In the Group Policy Modeling Wizard, click Next.

4. On the Domain Controller Selection page, click Next.

5. On the User and Computer Selection page, in User information, click User, click Browse, type
Adam, and then click OK.

6. In Computer information, click Computer, click Browse, type NYC-CL1, click OK, and then click
Next.

7. On the Advanced Simulation Options page, review the available options, and then click Next.

8. On the Alternative Active Directory Paths page, review the available options, and then click Next.

9. On the User Security Groups page, review the available options, and then click Next.

10. On the Computer Security Groups page, review the available options, and then click Next.

11. On the WMI filters for Users page, review the available options, and then click Next.

12. On the WMI filters for Computers page, review the available options, and then click Next.

13. On the Summary of Selections page, click Next, and then click Finish.

14. In the Adam on NYC-CL1 report, on the Summary tab, under Computer Configuration Summary,
beside Group Policy Objects, click show.

15. Beside Applied GPOs, click show.

16. Under User Configuration Summary, beside Group Policy Objects, click show.

17. Beside Applied GPOs, click show.


18. Beside Denied GPOs, click show.

19. Close the GPMC.

Task 4: Use RSoP to view current configuration information


1. On NYC-CL1, click Start, type rsop.msc, and then press Enter.
2. After the Resultant Set of Policy Window opens, read the name of the user and the computer to
which the policy applies. By default, it queries the information for the currently logged-on user of the
local computer.

3. Right-click Computer Configuration, and then click Properties. This displays the GPOs from which
this computer obtained its settings.

4. In the Computer Configuration Properties window, select the Display all GPOs and filtering status
check box. This allows you to see GPOs that are not being applied to due security filtering or WMI
filtering.

5. Select the Display scope of management check box. This allows you to see where each GPO is
linked.

6. Click Cancel.

7. Close RSoP. Click No at the Microsoft Management Console prompt.

Task 5: Use GPResult to view GPOs applied to a computer


1. On NYC-CL1, click Start, type cmd, and then press Enter.

2. At the command prompt, type gpresult /r, and then press Enter.

3. Scroll through and read the RSoP data. Notice that the local computer and locally logged-on user
were used for the analysis.

4. Leave the command prompt open for the next task.
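As an added example (not part of the course or of Microsoft's tools), the following PowerShell script parses the report that gpresult /r prints, so that the applied and filtered-out GPOs you read through in step 3 can be checked automatically for a named GPO. The report text below is constructed to resemble gpresult /r output, and the OU and GPO names in it (Clients, Research Lab, Helpdesk Tools, Old Lab Policy) are assumptions.

```powershell
# Added example (not from the course): turns the text of gpresult /r into a structure
# and reports whether a given GPO was applied, filtered out (and why), or not in scope.
# $SampleGpResult is constructed to resemble gpresult /r output; on a real client,
# replace it with (gpresult /r | Out-String).
$SampleGpResult = @'
RSOP data for CONTOSO\Adam on NYC-CL1 : Logging Mode
-----------------------------------------------------

OS Configuration:            Member Workstation
Site Name:                   Default-First-Site-Name
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=NYC-CL1,OU=Clients,DC=Contoso,DC=com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Preferences

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Domain Computers

USER SETTINGS
--------------
    CN=Adam,OU=Managers,DC=Contoso,DC=com

    Applied Group Policy Objects
    -----------------------------
        Preferences

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Research Lab
            Filtering:  Denied (Security)

        Helpdesk Tools
            Filtering:  Denied (WMI Filter)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@

function ConvertFrom-GpResultText {
    param([string]$Text)
    $result = @{ SlowLink = $false; Computer = $null; User = $null }
    if ($Text -match 'Connected over a slow link\?:\s*(\w+)') { $result.SlowLink = ($Matches[1] -eq 'Yes') }
    $scope = $null; $section = $null; $lastGpo = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }           # blank and underline rows
        if ($line -eq 'COMPUTER SETTINGS' -or $line -eq 'USER SETTINGS') {
            $scope = @{ Applied = @(); Denied = @{} }                     # one bucket per scope
            if ($line -like 'COMPUTER*') { $result.Computer = $scope } else { $result.User = $scope }
            $section = $null
            continue
        }
        if ($null -eq $scope) { continue }                                # header lines before any scope
        if ($line -eq 'Applied Group Policy Objects')           { $section = 'Applied'; continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'Denied';  continue }
        if ($line -match '^The (computer|user) is a part of')   { $section = $null;     continue }
        if ($section -eq 'Applied') { $scope.Applied += $line }
        elseif ($section -eq 'Denied') {
            # A GPO name line is followed by an indented "Filtering:" line that gives the reason.
            if ($line -match '^Filtering:\s*(.+)$') { $scope.Denied[$lastGpo] = $Matches[1] }
            else { $lastGpo = $line; $scope.Denied[$line] = 'Unknown' }
        }
    }
    return $result
}

function Get-GpoStatus {
    param([hashtable]$Parsed, [string]$Scope, [string]$GpoName)
    $bucket = $Parsed[$Scope]
    if ($null -eq $bucket) { return "no $Scope settings section in the report" }
    if ($bucket.Applied -contains $GpoName) { return 'Applied' }
    if ($bucket.Denied.ContainsKey($GpoName)) { return 'Filtered out: ' + $bucket.Denied[$GpoName] }
    # Not listed at all: the GPO is not linked anywhere above this object, or the account
    # sits in a different OU than the link. Check the link location in the GPMC or RSoP.
    return 'Not in scope (check the GPO link location and the account OU)'
}

$parsed = ConvertFrom-GpResultText -Text $SampleGpResult
Write-Output ('Slow link detected: {0}' -f $parsed.SlowLink)
foreach ($gpo in 'Preferences', 'Research Lab', 'Helpdesk Tools', 'Old Lab Policy') {
    Write-Output ('{0,-16} user scope: {1}' -f $gpo, (Get-GpoStatus -Parsed $parsed -Scope 'User' -GpoName $gpo))
}
```

A GPO that is neither applied nor listed as filtered out is the case to escalate, because the link location or the account's OU, rather than a filter, is what needs to be checked.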



Task 6: Review events in the Group Policy event log


1. On NYC-CL1, click Start, type event, and then click Event Viewer.

2. In the left pane, expand Applications and Services Logs, expand Microsoft, expand Windows,
expand Group Policy, and then click Operational.

3. Review the recent events in the log. Event ID 4004 indicates that manual processing was started.
Event ID 5311 indicates that no loopback processing is enabled. Event ID 5312 indicates which GPOs
were applicable.

To prepare for the lab


When you finish, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Resolving GPO Application Failures

When you troubleshoot GPO application failures, first verify that the client computer is connected to the
network properly, and that it is authenticated. If a computer is unable to contact the domain, it is unable
to apply GPOs. You can verify the computer's authentication either by ensuring that the user can access
network resources, or by looking in the event logs for errors related to network connectivity or computer
account authentication. Alternatively, you can run gpupdate /force to verify that GPOs are downloading.

Verify That the Client Computer is Connected and Authenticated


If the client computer is not connected to the network properly and authenticated, you need to resolve
this first. Possible resolutions may include:

Fix the network cabling.

Ensure it is using a proper IP address.


Verify the Domain Name System (DNS) configuration.

Rejoin the domain to fix the computer account.

Verify That the GPO is Assigned Properly to the Computer or User


You should verify that the GPO is assigned properly to the computer or user by using RSoP or
GPResult.exe. If these tools show that the GPO is being applied to the computer and user, then you know
that the link to the GPO is configured properly.

If RSoP shows that the GPO is not applied to the computer and user, you need to determine if the GPO is
linked to the correct location. You also need to confirm that the user and computer accounts are in the
correct location. You may need to escalate this task to someone with the necessary administrative
permissions.

Verify the Configuration of the GPO with the Proper Settings


If the GPO appears to be linked properly, you should verify the configuration of the GPO to ensure that
the proper settings are configured in the GPO. It is possible that an administrator created the GPO, and
linked it correctly, but did not configure it correctly. One item to verify is whether loopback processing is
enabled in the environments that use it. Depending on your permissions to manage Group Policy, you
may need to escalate this task.
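The checks above, as an added example script (not part of the course): it runs the same sequence from an elevated PowerShell prompt on the Windows 7 client, parses the gpresult /r text output, and pulls recent Group Policy errors from the event logs. The domain name, the 24-hour window, and the gpresult output layout are assumptions.

```powershell
# Added example (not from the course): Tier 2 triage of a GPO application
# failure on a Windows 7 client, following the order the lesson gives:
# connectivity and authentication first, then which GPOs applied, then
# Group Policy errors in the event logs. Run from an elevated prompt.

function Test-GpoClientHealth {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,  # assumed: the client is already domain-joined
        [int]$Hours = 24                        # how far back to look for Group Policy events
    )
    $r = @{}

    # 1. Connectivity and authentication: DNS must resolve the domain, a DC must be
    #    locatable, and the computer account's secure channel must be valid.
    $r.DnsResolves = $false
    try { $r.DnsResolves = ([System.Net.Dns]::GetHostAddresses($Domain)).Count -gt 0 } catch {}
    $dcLine = nltest /dsgetdc:$Domain 2>&1 | Select-String -Pattern '^\s*DC:'
    $r.DomainController = if ($dcLine) { ($dcLine.Line -split ':', 2)[1].Trim() } else { $null }
    $r.SecureChannelOk = $false
    try { $r.SecureChannelOk = Test-ComputerSecureChannel } catch {}

    # 2. Which GPOs the computer actually applied, and which were filtered out,
    #    parsed from the gpresult /r text output (layout as seen on Windows 7).
    $applied = @(); $filtered = @(); $section = ''
    foreach ($line in (gpresult /r /scope:computer 2>&1)) {
        $t = "$line".Trim()
        if ($t -match '^Applied Group Policy Objects')        { $section = 'applied';  continue }
        if ($t -match '^The following GPOs were not applied') { $section = 'filtered'; continue }
        if ($t -eq '')         { $section = ''; continue }   # blank line ends a section
        if ($t -match '^-+$')  { continue }                  # underline under a heading
        switch ($section) {
            'applied'  { $applied += $t }
            'filtered' { if ($t -notmatch '^Filtering:') { $filtered += $t } }
        }
    }
    $r.AppliedGpos  = $applied
    $r.FilteredGpos = $filtered

    # 3. Recent Group Policy errors and warnings: the operational log plus the
    #    System log events (for example 1053 or 1058) that a failed refresh leaves behind.
    $since = (Get-Date).AddHours(-$Hours)
    $r.RecentErrors = @(
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3; StartTime = $since }
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Level = 2, 3; StartTime = $since }
    ) | Select-Object TimeCreated, Id, Message

    New-Object PSObject -Property $r
}

# If SecureChannelOk is false, rejoining the domain is the fix the lesson names;
# if the expected GPO is missing from AppliedGpos, check the link and the OU next.
Test-GpoClientHealth | Format-List
```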

Lab: Using Group Policy to Centralize Configuration

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso
5. Repeat steps 2 through 4 for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Lab Scenario
The help desk has received a number of trouble tickets that relate to GPO application. Because you are
the desktop support technician that is the most experienced with Group Policy, the tickets have been
assigned to you.

Exercise 1: Resolve Group Policy Application (1)


Scenario
In this exercise, you will resolve the reported GPO application problem that Tier 1 help-desk staff could
not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 602085.

2. Update the Plan of Action section of the Incident Record.


3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602085

Date of Call Feb 25


Time of Call 14:45
User Alan Brewer (Research)
Status OPEN

Incident Details
User reports that research lab configuration is not being applied properly to a new computer named
NYC-CL1.

Additional Information
User reports that a new computer being used in the research computer lab is not configured properly.
All other computers in the lab, such as NYC-LAB1, have the standardized settings properly applied.
I have verified that the computer is joined to the domain properly.
Looking at NYC-LAB1, I can see that there is a desktop shortcut for the Analysis application. If this icon
appears on the desktop, then we know that the settings are being applied properly. This setting should
apply regardless of the user that logs on.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 602085


Read the help-desk Incident Record for Incident 602085.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of GPO application issues and
troubleshooting.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: At the end of this exercise, you will have resolved the GPO application problem.

Exercise 2: Resolve Group Policy Application (2)


Scenario
In this exercise, you will resolve the reported GPO application problem that Tier 1 help-desk staff could
not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 602086.

2. Update the Plan of Action section of the Incident Record.


3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602086

Date of Call Feb 26


Time of Call 9:07
User Alan Brewer (Research)
Status OPEN

Incident Details
User reports that his drive mapping has not been updated with the new file share for his department.

Additional Information
The user (Alan) is not receiving the drive mapping (R:) for the new research department share on his
computer NYC-CL2.
Other people in his department are not experiencing any issues. I have checked with the Active
Directory administrators, and his computer account is in the correct OU. So the location of the
computer account is not an issue.
I also verified that he can access the files manually by using the Universal Naming Convention (UNC)
path at \\NYC-DC1\Research.
We rebooted the computer with no improvement.

Plan of action

Resolution

Note The password used for Alan and all other user accounts is Pa$$w0rd.

X Task 1: Read the help-desk Incident Record for Incident 602086


Read the help-desk Incident Record for Incident 602086.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod03\Scenario2.vbs script. This script causes NYC-CL2 to restart.

3. Wait while NYC-CL2 restarts.

X Task 4: Attempt to resolve the problem


1. On NYC-CL2, attempt to resolve the problem by using your knowledge of GPO application issues and
troubleshooting.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.


Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Results: At the end of this exercise, you will have resolved the GPO application problem.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.



Module Review and Takeaways

Review Questions
1. You do not have permission to log on to domain controllers in your organization. However, you
would like to perform Group Policy Modeling using the GPMC. How can you use GPMC on a
Windows 7 computer?
2. Your organization has a computer lab that is used for training. When users log on to computers in
this lab, they should have only lab-specific settings. The instructor in the lab this week is indicating
that users are not getting the default home page for the Web application that they are using for
training. You know that a new GPO for the lab was created last Friday. What is the most likely cause
of this problem?

3. A new user in accounting called the help desk to explain that she does not have the department's
standard drive mappings. These drive mappings are configured by using Group Policy Preferences.
What is the most likely cause of this problem?

Tools
Tool                               Use for                                              Where to find it
Group Policy Management Console    Managing GPOs                                        Remote Server Administration Tools for Windows 7
GPUpdate.exe                       Triggering an update of GPOs                         Command line
GPResult.exe                       View GPOs applied to a computer                      Command line
RSoP.msc                           View GPOs applied to a computer                      Microsoft Management Console (MMC) snap-in
Event Viewer                       View events in event logs related to Group Policy    Administrative Tools

Module 4
Troubleshooting Hardware Device, Device Driver,
and Performance Issues
Contents:
Lesson 1: Overview of Hardware Troubleshooting 4-3
Lesson 2: Troubleshooting Physical Failures 4-19

Lesson 3: Monitoring Reliability and Performance 4-27

Lesson 4: Configuring Performance Options in Windows 7 4-34


Lesson 5: Troubleshooting Device Driver Failures 4-43

Lab A: Resolving Hardware Device and Device Driver Issues 4-61

Lab B: Troubleshooting Performance-Related Issues 4-68



Module Overview

Devices have become complex, multifunction peripherals that have evolved from hardware that you install
in your computer to hardware that you connect to your computer via Universal Serial Bus (USB), Bluetooth
wireless technology, and Wi-Fi. To support users with computers running Windows 7, you must
understand how to troubleshoot hardware devices and drivers.

Conducting proactive monitoring of your Windows 7 computers can often help you avoid performance-
related problems. To support your users, it is important that you understand how to optimize Windows 7,
and how to collect and interpret data that pertains to performance characteristics.

Objectives
After completing this module, you will be able to:
Identify basic hardware-related issues.

Determine hardware failure issues.

Monitor reliability and performance of Windows 7 computers.

Configure performance options in Windows 7.

Determine problems that device drivers cause.



Lesson 1
Overview of Hardware Troubleshooting

This lesson provides an overview of troubleshooting hardware-related problems, and discusses specific
considerations for using USB and cordless devices on computers that are running Windows 7.

Objectives
After completing this lesson, you will be able to:
Describe hardware-related problems.

Describe the considerations for using USB devices.

Describe how you can use the built-in diagnostic tools to gather hardware information.
Explain Event Forwarding and Subscriptions.

Determine how best to approach hardware problems.

Apply the guidelines for troubleshooting hardware-related problems.



Hardware-Related Problems

Hardware problems occur when a hardware device fails or when the device driver that the hardware
device uses fails. When you are troubleshooting hardware-related problems, you first must determine
whether the underlying cause is a device failure or a driver failure.

Failure of Physical Hardware


A computer contains several hardware components, such as hard disk drives, a power supply, the
motherboard, the video controller, and so on. If a single component or a combination of components
fails, this can prevent the computer from functioning correctly. However, you can take preventive
measures to minimize the possibility that your hardware will fail.
These preventative measures include ensuring that you operate hardware components in the
environmental conditions that the component's vendor recommends. For example, avoid using hardware
components in areas with high volumes of dust or high temperatures, unless the hardware was specifically
designed for such environments.

Some components are more prone to failure than others. Often, the components most susceptible to
failure are those with moving parts, such as hard-disk drives, cooling fans, power supplies, and optical
drives.

Failure of Device Drivers


A device driver can fail for three reasons:

Operating system version incompatibility. Drivers developed for previous Windows operating system
versions might not be completely compatible with Windows 7. To avoid incompatibility issues, always
check for a Windows 7 version of the driver, and use it if available.

Note Windows Vista drivers should work in Windows 7.



Driver bugs. Although hardware vendors use every precaution to ensure that device drivers are free
from error, there occasionally are problems. Ensure that you obtain the latest driver version from the
manufacturer, particularly if the manufacturer has one in which it has fixed previous driver issues. Check
that the device driver carries a signature from a trusted certificate-signing authority.

32-bit and 64-bit issues. Windows 7 is available in both 32-bit and 64-bit editions. Drivers that
manufacturers develop for the 32-bit edition do not work with the 64-bit editions, and vice versa.
Make sure that you obtain the appropriate device driver from the hardware vendor. You will be
unable to install the wrong platform driver.

Considerations for USB Devices

Early hardware devices required that you have specialized knowledge and tools to install them on your
computer. However, USB devices are much more convenient, and require no special skills or tools to
install. You simply install your new hardware by plugging the device into a free USB port, and then
following the on-screen instructions to install the driver and related software.

But this convenience poses a number of risks, including risks to your network's security and uncertainty
about the reliability of the driver's manufacturer.

USB devices represent a potential security risk to your network because a malicious user could place
sensitive or confidential network data onto a mobile device, such as an external hard disk, and then
remove it from the workplace.

Because of the relative simplicity of USB device installation, USB devices can increase management
overhead, and so controlling use of these devices has become an important consideration for
administrators. As the number and variety of these devices increases, so do the associated support and
maintenance costs.

Many organizations restrict employee use of USB devices for security and management reasons.
However, implementing restrictions on USB devices can affect user productivity, and can have a significant
impact on the hardware troubleshooting process if the person performing the troubleshooting wrongly
diagnoses these restrictions as hardware faults.

Windows 7 uses two methods to control device installation: device identification strings and device setup
classes.

Device Identification Strings


Hardware manufacturers assign one or more device identification strings to each device. These
identification strings are in the setup information (.inf) file in the driver package. During device
initialization, Windows 7 retrieves these device identification strings, and matches them to corresponding
identification strings in the INF file.

Note You can download and use the DevCon command-line tool to determine the device
identification string for a USB device.

Identification strings are either general or specific. If specific, they identify the device's exact make and
model. There are two types of device identification strings:
Hardware identifiers. Hardware identifiers provide an exact match between a device and a driver
package. The first string in the device identifier list is the individual device's specific identifier.
Additional strings in the list identify the device in more general terms, so Windows 7 can install a
different device revision driver, if the correct one is not available.

Compatible identifiers. Windows 7 uses compatible identifiers to select a device driver only if the
driver store has no available drivers for any of the hardware identifiers that Windows 7 retrieves from
the device. These strings are optional, and they are listed in decreasing order of suitability if the
hardware manufacturer provides them. Typically, the strings are generic, and identify the hardware
device at the component level, such as a Small Computer System Interface (SCSI) hard-disk drive. This
enables Windows 7 to select a generic SCSI driver for the disk drive, but may result in limited device
functionality and slower read/write performance.

Multifunction devices are physical devices that include more than one logical device. Manufacturers
assign hardware identifiers to each logical device. To control installation of multifunction devices, you
specifically must allow or deny all hardware identifiers for each multifunction device.

The following is the relevant portion of an .inf file that Microsoft provides for a keyboard device driver.

[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
;========= Microsoft USB Wireless Natural MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00

Device Setup Classes


The device setup class groups devices that you install and configure in the same way. A globally unique
identifier (GUID) represents each device setup class. The manufacturer of a device driver package assigns
the device setup class, and then Windows 7 builds a memory-tree structure that contains the GUIDs for all
devices that it detects, including the GUID of any bus to which a device is attached. Group Policy allows
you to specify the device classes for which you allow or disallow installation.

The following is the relevant portion of an .inf file that Microsoft provides for a keyboard device driver.

[Version]
CatalogFile.NT= type32.cat ;Digital Signing
Signature="$Windows NT$" ;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0

Controlling USB Device Access


Windows 7 enables you to use Group Policy to control access to your computer by USB devices. It does
this by:

Preventing users from installing any device.

Allowing users to install only devices that are on an approved list.

Preventing users from installing devices that are on a prohibited list.

Denying users read or write access to removable devices or to devices that use removable media.

Restricting USB device installations can benefit hardware support in several ways:

Simpler data security. By limiting the devices that users can install, you can reduce the risk of data
theft by implementing easily understood and supported procedures. For example, allowing users to
connect only USB flash drives that are password protected provides additional protection for data
that users transfer from the corporate network.
Reduced support costs. You can ensure that users only install devices that your help desk supports.
This benefit reduces support costs and user confusion.

However, controlling USB device installation may cause issues, including:


Misdiagnosed faults. Unless policy restrictions are simple, consistent, and easily understood, users
and information technology (IT) staff may diagnose a restriction as a hardware problem.

Policy management. Some manufacturers use a range of identifiers for similar device models. When
you have a batch of such devices, you may have difficulty supporting policy restrictions based on
identifiers, and the success of these policies may be inconsistent. For example, although a batch of
devices from a single vendor may appear identical, you should check each device identifier to verify
that the same identifier is used for the batch. If there is a range of identifiers, you need to modify
your Group Policy settings to include all of these identifiers.
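The device-identifier matching and the allow-list policy described above, as an added example (not code from the course): it parses the hardware IDs out of an .inf models section, then reports which USB and HID devices on the computer an allow list built from those IDs and the Keyboard class GUID would cover. The [MsMfg] sample is constructed from the lesson's excerpt, and it is assumed that the Win32_PnPEntity WMI class exposes the HardwareID and CompatibleID arrays (as it does on Windows 7).

```powershell
# Added example (not from the course). Parses hardware IDs from an .inf models
# section and checks which installed USB/HID devices a Group Policy device-ID
# allow list built from them would cover, using the matching order the lesson
# describes: hardware IDs first, compatible IDs only as a fallback, then the
# device setup class GUID.
# Assumption: Win32_PnPEntity exposes HardwareID and CompatibleID (it does on
# Windows 7) and you have rights to query WMI on this computer.

# Constructed sample: the [MsMfg] lines quoted in the lesson, one entry per line.
$infText = @'
[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
'@

function Get-InfHardwareId {
    # Returns the device IDs listed in one models section of an .inf file.
    # Entry format: %Description%=InstallSection,HardwareID[,CompatibleID...]
    param([string]$Inf, [string]$Section)
    $inSection = $false
    foreach ($line in ($Inf -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $rhs = ($t -split '=', 2)[1]             # drop the %...% description key
        $fields = $rhs -split ','
        if ($fields.Length -lt 2) { continue }   # first field is the install section
        foreach ($f in $fields[1..($fields.Length - 1)]) { $f.Trim() }
    }
}

function Test-DeviceAllowed {
    # Decide whether a device matches an allow list of device IDs and setup classes.
    # Hardware IDs are listed most-specific first, so the first hit is reported.
    param([string[]]$HardwareId, [string[]]$CompatibleId, [string]$ClassGuid,
          [string[]]$AllowedId, [string[]]$AllowedClass)
    foreach ($id in (@($HardwareId) + @($CompatibleId))) {
        if ($id -and ($AllowedId -contains $id)) { return "allowed by ID $id" }
    }
    if ($ClassGuid -and ($AllowedClass -contains $ClassGuid)) {
        # A class match is broad: it admits every device in that class, not just this model.
        return "allowed by class $ClassGuid"
    }
    return 'not on the allow list'
}

$allowedIds   = @(Get-InfHardwareId -Inf $infText -Section 'MsMfg')
$allowedClass = @('{4d36e96b-e325-11ce-bfc1-08002be10318}')   # Keyboard class GUID from the lesson

# Evaluate every USB- or HID-enumerated device on this computer against the list.
Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.PNPDeviceID -like 'USB\*' -or $_.PNPDeviceID -like 'HID\*' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.Name
            Verdict = Test-DeviceAllowed -HardwareId $_.HardwareID -CompatibleId $_.CompatibleID `
                          -ClassGuid $_.ClassGuid -AllowedId $allowedIds -AllowedClass $allowedClass
        }
    } | Format-Table Name, Verdict -AutoSize
```

Running this against a batch of supposedly identical devices shows at once whether they share one identifier or a range of them, which is the policy-management problem noted above.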

Considerations for Cordless Devices

Users can connect many peripherals and devices to their computers by using cordless connections. Two
prominent cordless technologies exist to facilitate these connections: Bluetooth and Wi-Fi.

Troubleshooting Cordless Devices


When you are troubleshooting cordless devices, keep in mind that any problems that devices encounter
might be due to cordless connectivity rather than to the devices themselves. For example, many laptop
computers allow users to disable the Wi-Fi and Bluetooth ports, primarily to conserve battery power. You
must ensure that all ports are enabled and, in the case of Bluetooth, configured to be discoverable during
the process of pairing the device with the user's computer.

If you cannot connect a device successfully by using a Wi-Fi or Bluetooth connection, perform the
following steps:

Enable the Wi-Fi and/or Bluetooth receivers in the computer's settings for the basic input/output
system (BIOS).

Turn on the Wi-Fi and/or Bluetooth receiver by using the computer's switches.

Use Device Manager to verify, and if necessary update, the drivers for the computer's Wi-Fi and/or
Bluetooth modules.

For Bluetooth devices, run Bluetooth Settings to configure:

Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need
to enable discovery (sometimes also known as visibility) on peripheral devices.

Connections. Enable the Allow Bluetooth devices to connect to this computer setting.
Optionally, you can select the Alert me when a new Bluetooth device wants to connect
setting.

Pairing. In addition to the above settings, some peripherals require that you pair them to your
computer. This process requires that the computer and the device exchange a passcode, or key,
to establish the partnership. You may need to establish this process at either the computer or
peripheral end.

Note The device manufacturer often defines a device's passcode. For example, a Bluetooth
headset does not provide you with a mechanism for defining a passcode. However, 0000
often is the default passcode. For more information, refer to the vendor documentation.

For Wi-Fi devices, follow standard wireless troubleshooting techniques:

Ensure that the devices are close enough for the signals to communicate.

Configure the devices to use the same wireless protocol and security settings.
Investigate possible sources of interference.

Note Some Bluetooth peripheral devices, such as mice and keyboards, often come with a
small Bluetooth module that you insert into your computer by using a USB port. This USB
Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth
module.

Gathering Hardware Information

Windows 7 includes a number of tools that you can use to gather information about the hardware
installed on a computer. By becoming familiar with the functionality offered by these tools, you can
identify the most appropriate tool for a particular hardware monitoring or troubleshooting scenario.

Event Viewer
Event Viewer is the starting point for troubleshooting hardware failures. You should check the system log
and the application log for information, warnings, or errors that hardware devices or device drivers
generate. Use Event Viewer to show logs on remote computers and on the local machine.

Event Viewer contains many features that earlier operating systems did not make available, including:

Several new logs. Access logs for many individual components and subsystems.

View multiple logs. You can filter for specific events across multiple logs, which makes it easier to
investigate issues and troubleshoot problems that might appear in several logs.

Customized views. You can use filtering to narrow searches to only events which interest you. You
also can save these filtered views.

Tasks scheduled to run in response to events. Event Viewer integrates with Task Scheduler to allow
automated responses to events.

Event subscriptions. You can create and manage subscriptions that collect events from remote computers
and then store them locally.

Note To collect events from remote computers, you must create an exception in Windows
Firewall to permit Windows Event Log Management.

Event Viewer tracks information in several different logs, which provide detailed information, including:

A description of the event.

An event identification number.

The component or subsystem that generated the event.

Information, warning, or error status.

The time of the occurrence.

The name of the user on whose behalf the event occurred.

The computer on which the event occurred.

A link to Microsoft TechNet for more information about the event.

The Event Viewer has many built-in logs, including those in the following table.

Built-in log Description and use


Application log These events are classified as error, warning, or information, depending on the
event's severity:
An error is a significant problem, such as data loss.
A warning is an event that is not necessarily significant, but which may
indicate a possible future problem.
An information event describes the successful operation of a program,
driver, or service.

Security log This log reports the results of auditing when it is enabled. Audit events are
described as successful or failed, depending on the event. An example is
whether a user trying to access a file was successful.

Setup log This log contains events related to application setup.

System log Windows components and services log general events here, classified as error,
warning, or information. Windows predetermines the events that system components log.

Forwarded events This log stores events collected from remote computers. To collect events
from remote computers, you must create an event subscription.

Applications and Services logs are a new category of event logs that store events from a single application
or component rather than events that might have system-wide impact. This category of logs includes four
subtypes:

Admin

Operational

Analytic

Debug

Admin logs are of interest to Information Technology (IT) professionals who use the Event Viewer to
troubleshoot problems. These logs provide guidance about how to respond to issues, and primarily target
end users, administrators, and support personnel. The events found in the Admin logs indicate a problem
with a well-defined solution that an administrator can implement.

Events in the Operational log also are useful for IT professionals, but they likely require more
interpretation. You can use operational events to analyze and diagnose a problem or occurrence, and
to trigger tools or tasks based on the problem or occurrence.

Analytic and Debug logs are not as user-friendly. Analytic logs store events that trace an issue, and they
often log a high volume of events. Developers use debug logs when debugging applications.

Note By default, Windows 7 hides and disables both Analytic and Debug logs.

System Information
The System Information tool displays information about a computer, including complete reports on
installed hardware. You can use the System Information tool to look for hardware resource conflicts, and
to determine the resources that a hardware device is using, including the interrupt request (IRQ) line,
memory address range, and the base input/output (I/O) address range.

Device Manager
Device Manager displays information about the hardware installed on your computer, including hardware
resource settings and driver information.

Reliability and Performance Monitors


The Reliability and Performance Monitor console includes two monitoring tools:

The Reliability Monitor displays Windows 7 reliability over time, and any hardware failures that have
occurred. You can use the Reliability Monitor to identify hardware failure trends, so that you can
replace a device that fails periodically.

The Performance Monitor displays and collects performance information related to hardware devices
installed on the local computer and on remote computers. You can use this information to track
performance deterioration that might be a warning sign of potential hardware failure.

Memory Diagnostics
Windows 7 offers features that help improve system reliability, which improves long-term system
performance. If the Windows 7 Memory Diagnostics tool detects a faulty memory module or parity error,
it displays a message in the system tray that prompts the user to diagnose and fix the problem.
You can use Memory Diagnostics to check the computer's memory during the startup process. You can
choose to restart the computer immediately and perform the check, or to schedule the memory check
during the next computer restart. If you select an immediate check, ensure that you save any work in
progress, and close any open windows before restarting the computer.

Note You must have administrative rights to run the Memory Diagnostics tool.

Action Center
Windows 7 includes the Action Center, which provides a single point of reference for reliability issues.
From the Action Center, you can launch diagnostic tools to troubleshoot hardware problems.

Remote Desktop
An administrator can use Remote Desktop to collect hardware information about a remote computer on
the network. For example, you could use Remote Desktop to run tools that cannot connect to a remote
computer, such as System Information or Reliability Monitor.

Centralized Inventory
Using additional products, including those from both Microsoft and third parties, you can gather
hardware information from devices across your enterprise network and store the analysis centrally.

Event Forwarding

Windows 7 can collect copies of events from multiple remote computers, and then store them locally. To
specify which events to collect, you can create an event subscription.
Subscriptions specify which events Windows 7 collects, and in which local log Windows 7 stores them.
The Forwarded Events log exists for this purpose, but Windows 7 can forward events to any log. Once a
subscription is active and Windows collects events, you can view and manipulate forwarded events just
like other locally stored events.

The subscription functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector (Wecsvc) service. Both of these services must be running on computers that are
participating in the forwarding and collecting process. Before you can create a subscription to collect
events on a computer, you must configure both the collecting computer (collector) and each computer
from which events are collected (source).

Enabling Subscriptions
To enable subscriptions, perform the following tasks:

On each source computer, execute the following command at an elevated command prompt to
enable WinRM:

winrm quickconfig

On the collector computer, type the following command at an elevated command prompt to enable
the Wecsvc:

wecutil qc

Add the computer account of the collector computer to the local Administrators group on each of
the source computers. This configures the computers to forward and collect events.

Note When you click on Subscriptions in Event Viewer, Windows 7 offers to start and
configure wecsvc.

Note You cannot use Event Viewer to create a subscription while it is connected to a
remote computer.
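The following PowerShell script is an added example, not part of the course text: it performs the three tasks above from an elevated prompt and then registers a collector-initiated subscription with wecutil. The domain, computer names, subscription name and event query are assumptions; the subscription XML follows the schema that wecutil cs accepts.

```powershell
# Added example: configure Windows 7 event forwarding. Run Configure-Source on
# each source computer and Configure-Collector on the collector. All names
# below are assumed placeholders.
$Domain       = 'CONTOSO'                                   # assumed domain
$Collector    = 'COLLECTOR01'                               # assumed collector
$Sources      = @('SRC01.contoso.com', 'SRC02.contoso.com') # assumed sources
$Subscription = 'System-Errors-Forwarding'                  # assumed name

function Configure-Source {
    # Enable WinRM (listener, firewall exception, service start-up).
    winrm quickconfig -q
    # The collector's computer account (DOMAIN\COMPUTER$) must be able to read
    # the logs; the course text places it in the local Administrators group.
    net localgroup Administrators "$Domain\$Collector`$" /add
}

function Configure-Collector {
    # Enable and auto-start the Windows Event Collector service (Wecsvc).
    wecutil qc /q

    # One <EventSource> element per source computer.
    $sourceXml = ($Sources | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
    }) -join "`r`n"

    # Forward only Critical, Error and Warning events (Level 1-3) from the
    # System log, so the collector is not flooded with informational noise.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Subscription</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Forward System log errors and warnings to $Collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Subscription.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8

    # Create the subscription, then show its runtime status per source so a
    # source that cannot be reached is visible immediately.
    wecutil cs $path
    wecutil gr $Subscription
}
```

Forwarded events then appear in the Forwarded Events log on the collector, where Event Viewer filters and custom views work on them as on local events.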

Discussion: Approaches to Troubleshooting Hardware

Consider the following questions that relate to troubleshooting hardware. Discuss with the class how you
approach hardware troubleshooting. Provide any hints and tips you have about your approach and how
you handle the end-to-end process.

Discussion Questions
1. A user is unable to connect their cordless mouse to their portable computer. What would you check
first?

2. You just added a new video display to a user's computer. The resolution of the display is very low,
despite the display being capable of 1680x1050. What would you check?

3. A user's computer has repeatedly frozen. When this occurs, the computer accepts no input from the
keyboard or mouse, and all processing stops. What would you suspect as the problem, and what
steps would you try to resolve the issue?

Best Practices for Troubleshooting Hardware Issues

Outside of component failure, hardware-related problems usually occur when you install a new hardware
device or update a device driver. Common symptoms of a hardware-related problem include spontaneous
computer restarts and error messages on a blue screen.

Verify that the computer carries the Compatible with Windows 7 logo, and that the hardware
components are on the Windows Marketplace Tested Products list. If a problematic hardware
component is not on the Windows Marketplace Tested Products list, replace it with a listed
component.

Remove or disable recently installed device drivers. If you have recently installed a third-party driver
or software package, try removing or disabling it to prevent it from loading, and then restart the
computer. If that does not fix the problem, contact the hardware vendor, and ensure that you have
the latest available driver. If you are using the latest version of the driver, contact the hardware
vendor, and log the issue as a support incident.

Use driver rollback to return to a previous driver version. If a failure occurs after installing an updated
device driver, use the driver rollback feature to return to the previous working driver version:
Access driver rollback from within Device Manager.

Start your computer in Safe Mode, if necessary, to access driver rollback.

Use vendor support. Ensure that you have adequate support agreements and escalation procedures
with the hardware vendor, and then take advantage of this support if a hardware failure occurs. Many
hardware vendors offer extended support options, and will replace failed hardware components
within a certain period, which your organization's Service Level Agreements (SLAs) should specify.

Establish an incident recording procedure. It often is difficult for users to determine the exact
sequence of events that led to a failure. Many IT help desks adopt scripts that facilitate logical
interviewing techniques to determine whether users made changes to their computers prior to the
failure. Using a consistent procedure for recording incidents also aids with diagnosing problems.

Lesson 2
Troubleshooting Physical Failures

Hardware failures can be catastrophic unless you plan for device failure and replacement. You should have
procedures in place so that you can replace failed devices efficiently, especially for your most vulnerable
devices.

Objectives
After completing this lesson, you will be able to:

Apply device replacement considerations.

Explain the most vulnerable hardware devices.

Apply the guidelines for replacing hardware.



Considerations for Replacing Devices

Many organizations have SLAs and warranties with hardware vendors in place. Before replacing defective
hardware, consider any procedures that those SLAs require before you can obtain replacement hardware.
Considering these factors may enable you to fix the hardware problem more quickly, and reduce the
impact on your users' productivity and the organization's budget.

Service Level Agreements

An SLA can specify what to do when hardware fails, and how to log a failure incident with your
organization's service desk. The SLA also can dictate the expected response and replacement time for
device replacement.

Procedures also must be in place to ensure that sufficient spare hardware devices are available. Some
companies maintain a definitive hardware list, and spares for each device on this list.

Warranties
Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial
period, such as 12 months, and covers the hardware against failure during this period. A basic warranty
usually stipulates a next-business-day response for device replacement. For a fee, most hardware vendors
offer additional warranty services with shorter response and replacement times. A typical option may
specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight
hours to provide an on-site fix. Ensure that SLAs are covered by the warranty agreements or other
contracts with the manufacturer or hardware vendor.

Escalation Procedures
Providing appropriate escalation procedures and resources can be as simple as providing a contact
telephone number for the hardware vendor, but also can include providing a customer account number
for the vendor, a particular contact name, and any pertinent contract details. This makes service-desk staff
aware of agreed-upon response times.

Issues with Data Security

If you need to replace a hard disk due to a hardware problem, you might need to return the broken disk
to the manufacturer. If this is the case, check the security requirements for removing sensitive or
confidential data from the hard disk before you return it.

What Are the Most Vulnerable Devices?

In order to pinpoint why a computer is experiencing a problem, it is important to be able to identify whether a
hardware component or device is the source of the problem. Knowing which devices are most susceptible
to failure can help accelerate the diagnosis.

Knowing more about the conditions under which vulnerable devices are most likely to fail can help you avoid
those conditions. You can use reliability measures to calculate the probability of failure.
One such measure is mean time between failures (MTBF). MTBF is the average time interval, usually
expressed in thousands or tens of thousands of hours, before a component fails and requires service.

Hard-Disk Drives
There are five main reasons why hard-disk drives fail, leading to potential data loss or corruption:

Logical failure. Examples of logical errors include invalid entries in a file allocation table (FAT) or
master file table (MFT) on the NTFS file system volume. Logical failures are the least severe type of
failure, and you typically can fix them by running the Chkdsk command-line tool with the /f switch.
However, logical errors also can cause corruption and file system loss on a severely fragmented drive.
In such cases, you may need specialized tools to fix the problem.

Mechanical failure. Platters, which are one or more rotating, magnetically-coated disks, store data on
a hard disk. Data is accessed through read/write heads mounted on rotating mechanical arms. One of
the most common mechanical failures occurs when the read/write heads of the hard disk come in
contact, momentarily or continuously, with the hard-disk platters. Additionally, physical shock,
computer movement, static electricity, power surges, or mechanical read/write head failure can cause
head crashes. Hard-disk drives also may fail because of motor problems.

Electronic failure. An electronic failure is a problem with the hard disk's controller board. If the
controller fails, the disk may be undetectable by the system BIOS. Electronic failure can
occur because of electrical surges that damage the controller board or because of defective board
components. However, you often can recover data because the disk platters and other mechanical
components remain undamaged.

Firmware failure. Hard-disk firmware is code that controls the hardware. It is often stored on a flash
memory chip on the hard-disk controller board. If the firmware becomes corrupt or unreadable, the
computer may be unable to communicate with the disk.

Bad sector. Bad sectors can be logical or physical. A lost cluster is an example of a logical bad sector
that you typically can repair with software tools. Shock or vibrations often cause physical bad sectors.
Most hard-disk drives have firmware that marks bad sectors, and as long as the damage is minor, no
data is lost. You can use drive-monitoring tools to determine when the number of physical bad
sectors is critical enough to replace the drive.

Optical Drives
Optical drives such as CD and DVD drives tend to have shorter life spans than other hardware devices, and
their MTBF is lower than that of a hard-disk drive. Most hardware manufacturers provide a one-year
guarantee on optical drives and a three-year guarantee on hard-disk drives.

The quality of the media used in an optical drive is a significant factor in the drive's lifespan:

Higher-quality media can increase the device lifespan.

Unclean media may reduce the lifespan.

Software settings also can affect optical drives. Using a high maximum write speed can result in a greater
number of irreparable and subsequently unusable discs, compared to using slower write speeds.

Optical drives can fail due to vibration, because they require precise optical alignment in the device to
work properly. You can cause vibration by moving the computer while it is in use, or by operating the
computer in a location that is not stable.

Excessive dust also can damage optical drives.

Cooling Fans
The most common cause of failure of cooling fans is dust building up inside the computer and around the
fan area. This accumulation can lead to failures in the fan bearings, motor, or power supply.

CPUs and GPUs

CPUs and graphics processing units (GPUs) are the devices least likely to fail. However, you can overheat and
damage the CPU if you attempt to overclock it. Overheating also can occur because of a failure
of the cooling fan. Additionally, power spikes and static electricity discharge can cause CPU failures.

System Memory
Memory problems can occur as a result of heat, power surges, or static electricity. You can use the
Windows 7 Memory Diagnostics tool to help identify and resolve memory issues.

Power Supplies
The power supply converts mains alternating current into the low-voltage direct current (DC) that the computer can use. A failing
power supply can cause erratic behavior, including computers restarting randomly, memory errors, or
power being supplied to some devices and not others.

Symptoms of power supply problems can include:

No indicator lights, disk action, or screen display.

On/Off indicator lights are visible, but there is no disk action or screen display.

The system produces a continuous beep.



Guidelines for Replacing Hardware

To minimize the risk of a replacement device failing, adhere to the following guidelines:

When you install a device, take care to minimize the risk of damage during the installation process.

Eliminate support issues by choosing replacement devices that are compatible with Windows 7.

Root Cause Analysis

Before replacing failed hardware devices, determine the root cause of the failure so that you can prevent
the same issue from damaging the replacement device.

The root cause could be environmental, leading to heat or moisture-related failures. For example, devices
placed in direct sunlight with poor ventilation, or in a damp location where there might be condensation,
may fail after a short time. Alternatively, the root cause could be behavioral, such as users knocking or
kicking the computer.

Static Electricity Issues

Because of the risks that static electricity poses to devices such as system memory, it is important that you
observe static electricity guidelines and train your IT staff accordingly. Initiate compulsory maintenance
procedures, and ensure that you use antistatic kits, which are inexpensive and available from numerous
hardware manufacturers. Hardware vendors operate professional hardware-qualification programs that
include detailed information about antistatic maintenance precautions. Additionally, ensure that IT staff
wear grounding straps when working with sensitive components.

Windows 7 Compatibility
When you buy a new computer, check for the Compatible with Windows 7 logo. The hardware in a
Windows 7 Compatible computer has been tested to run the Windows 7 operating system with no
problems.

When buying hardware devices for a computer that is running Windows 7, check that the hardware has
the approval of the Windows Logo Program for Windows 7. This means that the hardware has been
tested for Windows 7 compatibility, and that it is listed on the Windows Marketplace website. Windows
Marketplace is an online service that replaces the previous Hardware Compatibility List (HCL).

Lesson 3
Monitoring Reliability and Performance

You can use several methods to collect performance data from your organization's computers. You should
use whichever methods suit your organization's requirements.

Real-time monitoring of computers is useful when you want to determine the effect of performing a
specific action, or to troubleshoot specific events. This type of monitoring also can help you to ensure that
you are meeting Service Level Agreements (SLAs).

Analyzing historical data can be useful for tracking trends over time, determining when to relocate
resources, and deciding when to invest in new hardware to meet your organizations changing
requirements. You should use historical performance data to assist you when you plan future workstation
requirements. If you intend to gather data for historical comparison, it is important to establish a
performance baseline.

Windows 7 provides tools that enable you to identify performance problems. It is important that you
know how to use these performance tools to support your users.

Objectives
After completing this lesson, you will be able to:

Identify bottlenecks by using the Resource Monitor Screen, which provides real-time information.

Monitor real-time activity with the Performance Monitor.

Generate reports by using Data Collector Sets.

Describe the Reliability Monitor.



What Is Resource Monitor?

Resource Monitor provides a snapshot of system performance. Since the four key system components are
processor, memory, disk, and network, Resource Monitor provides a summary of these four components
and a detailed tab for each.

If a user's computer is running slowly, you can use Resource Monitor to view current activity in each of the
four component areas, and make a determination about which of the key components might be causing a
performance bottleneck.

Using Resource Monitor

When Resource Monitor first opens, the initial view is the Overview tab. Displayed on the right-hand
side are four graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for
excessive peaks in CPU, Disk, Network, or Memory activity. In the main pane, you can examine details
about each component by expanding that component's information list. Each process running on the
computer is listed, together with information about each process's resource consumption. For example, the
number of threads and the percentage of CPU capacity in use are displayed for each running process.

Having determined that a particular component is the bottleneck, use the appropriate component
tab to view more information.

Remember that a snapshot of current activity, which Resource Monitor provides, only tells a partial story.
For instance, you might see a peak in activity, which is not representative of average performance.

What Is Performance Monitor?

Performance Monitor enables you to view current performance statistics, or to view historical data that
you gather by using Data Collector Sets, which several upcoming topics detail.
Windows 7 enables you to monitor operating system performance through performance objects and
counters in the objects. Windows 7 collects data from counters in various ways, including:

A real-time snapshot value.

The total since the last computer startup.

An average over a specific time interval.

An average of the last values.

Number per second.

Maximum value.

Minimum value.

Performance Monitor works by providing you with a collection of objects and counters that record data
about computer resource usage.

There are many counters that you can research and monitor to meet your specific requirements.

Primary Processor Counters

CPU counters are a feature of the computer's CPU that store the count of hardware-related events.

Processor>% Processor Time displays the percentage of elapsed time that the specified thread used
the processor to execute instructions. A thread is the object that executes instructions, and is the
processor's basic unit of execution. Code executed to handle some hardware interrupts
and trap conditions is included in this count.

Processor>Interrupts/sec displays the rate, in incidents per second, at which the processor received
and serviced hardware interrupts.

System>Processor Queue Length displays an approximate number of threads each processor is
servicing. The processor queue length, sometimes called processor queue depth, reported by this
counter is an instantaneous value that is representative only of a current snapshot of the processor.
Therefore, you must observe this counter over a long period of time to see trends in the data.
Additionally, the System\Processor Queue Length counter reports a total queue length for all
processors, not a length per processor.

Primary Memory Counters

The Memory performance object consists of counters that describe the behavior of the computer's
physical and virtual memory. Physical memory is the amount of random access memory (RAM) on the
computer, and virtual memory is the space in physical memory and on disk. Many of the memory
counters monitor paging, which is the movement of pages of code and data between disk and physical
memory.

Memory>Pages/sec displays the number of hard page faults per second. A hard page fault occurs
when the requested memory page cannot be located in RAM because it currently exists in the paging
file. An increase in this counter indicates that more paging is occurring, which suggests a lack of
physical memory.

Primary Disk Counters

The Physical Disk performance object consists of counters that monitor hard or fixed disk drives. Disks
store file, program, and paging data. They are read to retrieve these items, and are written to record
changes to them. The total values of the physical disk counters are the totals of all values of the logical disks
(or partitions) into which the physical disks are divided:

The Physical Disk>% Disk Time counter indicates how busy a particular disk is. A counter approaching
100 percent indicates that the disk is busy nearly all of the time, and a performance bottleneck may
be imminent.

The Physical Disk>Average Disk Queue Length counter indicates how many disk requests are waiting
to be serviced by the Windows 7 input/output (I/O) manager at a given moment. The longer the
queue, the less satisfactory the disk throughput, which is the total amount of traffic that passes a
given point per unit of time.

Primary Network Counters

Most workloads, which are the amount of processing that the computer does at a given time, require
access to production networks to ensure communication with other applications and services, and to
communicate with users. Network requirements include elements such as throughput and the presence of
multiple network connections.

Workloads might require access to several different networks that must remain secure. Examples include
connections for:

Public network access.

Networks for performing backups and other maintenance tasks.

Dedicated remote-management connections.



Network adapter teaming for performance and failover.

Connections to the physical host computer.

Connections to network-based storage arrays.

By monitoring the network performance counters, you can evaluate your network's performance.

The Network Interface>Current Bandwidth counter indicates the current bandwidth being consumed
on the network interface in bits per second (bps). Most network topologies have maximum potential
bandwidths quoted in megabits per second (Mbps). For example, Ethernet can operate at bandwidths
of 10 Mbps, 100 Mbps, 1 gigabyte (GB) per second, and higher. To interpret this counter, divide the
value given by 1,048,576, which returns the number in megabits per second. If the value approaches
the maximum potential bandwidth of the network, consider implementing a switched network or
upgrading to a network that supports higher bandwidths.

The Network Interface>Output Queue Length counter indicates the current length of the output
packet queue on the selected network interface. A growing value, or one that is consistently higher
than two, may indicate a network bottleneck, which you should investigate.
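As an added example (not from the course), the following PowerShell script samples the primary processor, memory, disk and network counters discussed above with Get-Counter and applies the two rules of thumb the text states (% Disk Time approaching 100, Output Queue Length consistently above two); the remaining counters are reported for comparison with a baseline. The sample count and interval are assumptions.

```powershell
# Added example: sample the primary counters named in the text and interpret
# them with the text's rules of thumb. Five samples two seconds apart are an
# assumption; averaging keeps one momentary peak from dominating the verdict.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\Interrupts/sec',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Output Queue Length'
)

# Get-Counter returns one sample set per interval, each holding one
# CounterSample per counter path (one per adapter for the wildcard instance).
$sets = Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 5

# Average each counter path across the five sample sets.
$averages = $sets |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path  = $_.Name
            Value = [math]::Round(($_.Group |
                        Measure-Object -Property CookedValue -Average).Average, 2)
        }
    }

# Only two hard thresholds come from the text: % Disk Time approaching 100 and
# Output Queue Length above two. The others are trend counters that only mean
# something against the workstation's own performance baseline.
function Get-CounterVerdict {
    param([string]$Path, [double]$Value)
    if ($Path -like '*\% Disk Time' -and $Value -ge 90) {
        return 'disk busy nearly all of the time; bottleneck may be imminent'
    }
    if ($Path -like '*\Output Queue Length' -and $Value -gt 2) {
        return 'possible network bottleneck; investigate'
    }
    if ($Path -like '*\Pages/sec') {
        return 'hard page faults; a rise against baseline suggests too little RAM'
    }
    if ($Path -like '*\Processor Queue Length') {
        return 'total for all processors; judge over time, not from one snapshot'
    }
    return 'compare with baseline'
}

$averages | Sort-Object Path | ForEach-Object {
    '{0,-70} {1,10}  {2}' -f $_.Path, $_.Value,
        (Get-CounterVerdict -Path $_.Path -Value $_.Value)
}
```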

What Are Data Collector Sets?

A Data Collector Set is the foundation of Windows 7 performance monitoring and reporting in
Performance Monitor.

Data Collector Sets enable you to gather system and performance-related statistics for analysis by using
tools within Performance Monitor or third-party tools.

While it is useful to analyze current performance activity on a Windows 7 computer, you might find it
more useful to collect performance data over a period of time, and then analyze and compare it with data
that you gathered previously. This data comparison enables you to make determinations about resource
usage, as well as plan for growth, and identify potential performance problems.
Data Collector Sets can contain the following types of data collectors:

Performance counters. Provide workstation performance data.

Event trace data. Provides information about system activities and events, which often is useful for
troubleshooting.

System configuration information. Enables you to record the current state of registry keys and to
record changes to those keys.

You can create a Data Collector Set from a template, from an existing set of data collectors in a
Performance Monitor view, or by selecting individual data collectors, and then setting each individual
option in the Data Collector Set properties.

What Is Reliability Monitor?

Reliability Monitor provides you with a system-stability overview and trend analysis. Additionally, it
provides detailed information about individual events that may affect the system's overall stability, such as
software installations, operating-system updates, and hardware failures. It begins collecting data when the
system is installed.

You can use Reliability Monitor to help answer important questions about changes on a user's computer,
such as software installations, driver updates, and application failures. Reliability Monitor records these
changes, and it may point to a recent system change as the cause of a problem.

The monitor displays a line chart with points on it that represent dates and icons that indicate events such
as errors, warnings, and informational occurrences. Clicking on a point shows you event details for that
day.

Event details are categorized into:

Application failures.

Windows failures.

Miscellaneous failures.

Warnings.

Information.

System Stability Index

Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced
the system reliability. This index is based on a value that is set at 10 at installation. This value decreases as
problems occur, and increases as time passes without problems.
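The data behind the chart and the System Stability Index can also be read without the console. The following PowerShell script is an added example (not from the course) that queries the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords WMI classes in root\cimv2 on a Windows 7 computer; the 14-day window is an assumption.

```powershell
# Added example: read Reliability Monitor data through WMI. The two classes
# are part of Windows 7; the 14-day window is an assumption.
$since    = (Get-Date).AddDays(-14)
$wmiSince = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)

function ConvertFrom-WmiDate($dmtf) {
    [System.Management.ManagementDateTimeConverter]::ToDateTime($dmtf)
}

# Daily System Stability Index, newest first. 10 means no recorded problems;
# a drop marks a day on which a failure was recorded.
$index = Get-WmiObject -Class Win32_ReliabilityStabilityMetrics `
             -Filter "TimeGenerated >= '$wmiSince'" |
    ForEach-Object {
        New-Object PSObject -Property @{
            Date  = ConvertFrom-WmiDate $_.TimeGenerated
            Index = [math]::Round($_.SystemStabilityIndex, 2)
        }
    } |
    Sort-Object Date -Descending
$index | Format-Table Date, Index -AutoSize

# The events behind any dip, oldest first, so an installation or driver update
# can be lined up against the first failure that followed it.
Get-WmiObject -Class Win32_ReliabilityRecords -Filter "TimeGenerated >= '$wmiSince'" |
    Sort-Object TimeGenerated |
    Select-Object @{ n = 'Date';    e = { ConvertFrom-WmiDate $_.TimeGenerated } },
                  SourceName, ProductName, EventIdentifier,
                  @{ n = 'Message'; e = {
                      if ($_.Message) {
                          $_.Message.Substring(0, [math]::Min(80, $_.Message.Length))
                      }
                  } } |
    Format-Table -AutoSize
```

The same two queries work against a remote computer by adding -ComputerName to Get-WmiObject, which is useful when the user cannot describe what changed before the failures began.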

Lesson 4
Configuring Performance Options in Windows 7

It is important to optimize your users' Windows 7 computers to enhance performance, rather than waiting
to take action when the computers perform badly.

Objectives
After completing this lesson, you will be able to:

Describe how Windows uses resources, which can affect throughput.

Describe the process of configuring paging to optimize performance.

Describe implementing power management to optimize performance.

Optimize disk performance.

How Windows Uses Key System Components

The four main hardware components that you should monitor in a Windows 7-based computer are:

Processor

Disk

Memory

Network

Understanding how the operating system utilizes these four key hardware components, and how they
interact, can help you understand how to optimize workstation performance.

When monitoring performance, you should consider:

The measurement of all key components in your users' workstations.

The workstation role and workload to determine which hardware components are likely to restrict
performance.

The ability to increase workstation performance by adding power or reducing the number of
applications that the user is running.

Processor
One important factor in determining your computer's overall processor capacity is processor speed, which
is determined by the number of operations that it performs over a specific time period. Computers with
multiple processors, or processors with multiple cores, generally perform processor-intensive tasks with
greater efficiency, and as a result are faster, than single-processor or single-core computers.

Processor architecture is also important. 64-bit processors can access more memory and have a significant
positive effect on performance. This is especially true when applications running on your users'
workstations require a large amount of memory.

Disk
Hard disks store programs and data. Consequently, the throughput of a workstation's disk affects its
speed, especially when the workstation is performing disk-intensive tasks. Most hard disks have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.

By selecting faster disks, and by using collections of disks to optimize access times, you can alleviate the
potential for the disk subsystem to create a performance bottleneck.

It also is important to remember that Windows 7 moves information on the disk into memory before it
uses it. If there is a surplus of memory, the Windows 7 operating system creates a file cache for items
recently written to, or read from, disks. Installing additional memory in a workstation often improves the
disk subsystem performance, because accessing the cache is faster than reading the information from
disk again.

Memory
Programs and data load from disk into memory before the program manipulates the data. In workstations
that run multiple programs, or where datasets are very large, installing more memory can improve
workstation performance.

Windows 7 uses a memory model which does not reject excessive memory requests. Instead, Windows 7
handles them by using a process known as paging. During paging, Windows 7 moves the data and
programs in memory that processes are not currently using to the paging file on the hard disk. This frees
up physical memory to satisfy the excessive memory requests, but because a hard disk is comparatively
slow, it has a negative effect on workstation performance. By adding more memory, and by using a 64-bit
processor architecture that supports larger memory, you can reduce the need for paging.

Network
You easily can underestimate how a network that is performing poorly can affect workstation
performance, because it is not as easy to see or to measure as the other workstation components.
However, the network is a critical component for performance monitoring, because network devices store
so many of the application programs and data being processed.

Understanding Bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package also may cause a bottleneck.

By using performance-monitoring tools on a regular basis, and comparing the results to your baseline and
to historical data, you can identify performance bottlenecks before they impact users.

Once you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:

Running fewer applications.

Adding additional resources to the computer.


MCT USE ONLY. STUDENT USE PROHIBITED
Troubleshooting Hardware Device, Device Driver, and Performance Issues 4-37

A computer suffering from a severe resource shortage may stop processing user requests, which requires
immediate attention. However, if your computer experiences a bottleneck but still operates within
acceptable limits, you might decide to defer any changes until you resolve the situation, or until you have
an opportunity to take corrective action.

Question: Which hardware components are most likely to restrict performance for a
Windows 7 computer?

Optimizing Performance by Configuring Windows Paging

For most single-disk-drive computers running Windows 7, it typically is adequate to leave the pagefile
settings at the default values. Under normal circumstances, you gain little benefit by adjusting these
values. However, if your Windows 7 computer has more than one disk, you may gain a performance
benefit by following these guidelines:

Create the paging file on a different physical disk than the operating system disk. Paging is a disk-
intensive task. If you distribute the disk load across all of your computer's available disks, you
minimize the likelihood of performance bottlenecks affecting the disk subsystem. By optimizing the
disk subsystem, you can make the paging process as efficient as possible.

Configure a fixed-size paging file. A paging file that can grow on the disk might encompass
fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that the
paging file does not encompass fragmented areas.

Ensure that the disk volume is not fragmented when you create the paging file. If you want to create
a fixed-size paging file on a computer that already has a paging file, ensure that you do not create a
paging file that encompasses fragmented areas of the disk. Additionally, you must configure the
computer to use no paging, and then defragment the volumes, before you create a fixed-size paging
file.

When you configure the paging file, ensure that its size is sufficiently large. Recommendations specify
that an initial paging file should be equivalent to the amount of installed memory, and a maximum
paging file size that is equal to twice the initial value. Consequently, you should create a fixed-size
paging file that is equal to, or twice, the size of the physical memory.

Note For computers with 2 GB of physical memory running 32-bit versions of Windows 7,
there is no particular benefit in configuring a paging file larger than 2 GB.
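The guidelines above carried out with the WMI classes Windows 7 exposes for paging-file settings, as an added example that is not part of the course material. The target drive letter E: is a constructed placeholder; the two functions correspond to the two stages the text describes (remove paging and defragment first, then create the fixed-size file on another disk).

```powershell
# Added example, not from the course: configure a fixed-size paging file on a
# disk other than the operating system disk. Run from an elevated prompt.

function Get-PhysicalMemoryMB {
    # Installed memory in MB; the guideline sizes the paging file from this value.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    return [int][math]::Round($cs.TotalPhysicalMemory / 1MB)
}

function Disable-PagingFiles {
    # Stage 1: stop automatic management and remove all existing paging files, so
    # that the volumes can be defragmented with no paging file on them.
    $cs = Get-WmiObject -Class Win32_ComputerSystem -EnableAllPrivileges
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        $cs.Put() | Out-Null
    }
    Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object { $_.Delete() }
    Write-Warning 'Restart, defragment the target volume, then run New-FixedPageFile.'
}

function New-FixedPageFile {
    param(
        [string]$Drive = 'E:',   # constructed placeholder: a disk other than the OS disk
        [int]$Multiplier = 1     # 1 = equal to installed memory, 2 = twice, per the text
    )
    if ($Multiplier -lt 1 -or $Multiplier -gt 2) { throw 'Multiplier must be 1 or 2.' }
    $drive  = $Drive.TrimEnd('\')
    $sizeMB = (Get-PhysicalMemoryMB) * $Multiplier
    # On 32-bit Windows 7 the note above applies: a file larger than 2 GB brings
    # no particular benefit on a 2 GB computer.

    # Stage 2 assumes the paging file leaves the operating system disk.
    if ($drive -ieq $env:SystemDrive) {
        throw "Choose a drive on a different physical disk than $($env:SystemDrive)."
    }

    # The fixed-size file must fit on the chosen volume.
    $vol = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $vol) { throw "Drive $drive was not found." }
    if (($vol.FreeSpace / 1MB) -lt $sizeMB) {
        throw "Drive $drive has less than $sizeMB MB free."
    }

    # InitialSize equal to MaximumSize gives a file that cannot grow later and
    # therefore cannot spread into fragmented areas of the volume.
    $path = "$drive\pagefile.sys"
    Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{
        Name        = $path
        InitialSize = $sizeMB
        MaximumSize = $sizeMB
    } | Out-Null
    Write-Warning 'The new paging file takes effect after a restart.'
    return $path
}
```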

Optimizing Power Management Settings

Portable computer users want to conserve their computer's battery life, while maintaining optimum
system performance. This is not a concern for users of desktop computers. However, by default, Windows
7 uses the same initial power management settings for both portable and desktop computers, even
though the requirements for the two computer types are different.

Power Plans
In Windows 7, you can use power plans to help you maximize computer and battery performance. By
using power plans, you can change a variety of system settings to optimize power or battery usage,
depending on the scenario. There are three default power plans, which the following table outlines.

Power plan / Description

Power saver plan
    This plan saves power on a mobile computer by reducing system performance, which maximizes
    battery life.

High performance plan
    This plan provides the highest level of performance on a mobile computer by adapting processor
    speed to your work or activity, and by maximizing system performance.

Balanced
    Windows 7 uses the Balanced power plan by default. This plan balances energy consumption and
    system performance by adapting the computer's processor speed to your activity.

Each plan provides alternate settings for AC or DC power. The three plans differ with regards to power
and performance, as follows:

The power saver plan reduces power usage by lowering the performance.

The high performance plan causes your computer to consume more power by increasing system
performance.

The balanced plan provides the best balance between power and performance.

Optimizing Performance
When configuring power options to optimize performance, use the following guidelines:

For desktop computers, you should consider changing the power plan to use the High performance
plan.

To optimize performance, you can create your own power plan by configuring the settings manually
as follows:

a. From Power Options, click Create a power plan.

b. Select High performance as a template.


c. Configure specific options, including:

Turn off hard disk after: Never

Minimum processor state: 100%

Avoid Hibernate and Hybrid Sleep options. These power-saving options work by saving the computer
state, or part of the computer state, to the hard disk in a file called Hiberfil.sys. This can cause
fragmentation on your hard disk, and Windows 7 Defragmenter cannot defragment this file.
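The same guidelines applied from the command line with powercfg, as an added example that is not part of the course material. The plan name is a constructed placeholder; SCHEME_MIN, SUB_DISK, DISKIDLE, SUB_PROCESSOR, PROCTHROTTLEMIN, SUB_SLEEP and HYBRIDSLEEP are powercfg's own aliases for the High performance plan and the settings named in steps b and c.

```powershell
# Added example, not from the course: build a performance-oriented power plan
# with powercfg (High performance template, disk never turned off, minimum
# processor state 100%, hybrid sleep and hibernate off). Run elevated.
function New-PerformancePowerPlan {
    param(
        [string]$Name = 'Desktop performance (custom)'   # constructed placeholder
    )

    # Step b: duplicate the built-in High performance plan (alias SCHEME_MIN).
    # powercfg prints "Power Scheme GUID: <guid>  (High performance)".
    $output = (powercfg -duplicatescheme SCHEME_MIN) -join ' '
    if (-not ($output -match '([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})')) {
        throw "Could not create the power plan: $output"
    }
    $guid = $matches[1]
    powercfg -changename $guid $Name | Out-Null

    # Step c: "Turn off hard disk after: Never" is an idle timeout of 0 seconds.
    # Each plan carries separate AC and DC values, so set both.
    powercfg -setacvalueindex $guid SUB_DISK DISKIDLE 0
    powercfg -setdcvalueindex $guid SUB_DISK DISKIDLE 0

    # Step c: "Minimum processor state: 100%".
    powercfg -setacvalueindex $guid SUB_PROCESSOR PROCTHROTTLEMIN 100
    powercfg -setdcvalueindex $guid SUB_PROCESSOR PROCTHROTTLEMIN 100

    # Avoid hybrid sleep in this plan, and turn hibernation off system-wide,
    # which also removes Hiberfil.sys from the system volume.
    powercfg -setacvalueindex $guid SUB_SLEEP HYBRIDSLEEP 0
    powercfg -setdcvalueindex $guid SUB_SLEEP HYBRIDSLEEP 0
    powercfg -h off

    # Make the new plan active and return its GUID for later checks.
    powercfg -setactive $guid
    return $guid
}

function Show-PerformancePowerPlan {
    # Print the three settings so they can be compared with the guidelines.
    param([string]$Guid)
    powercfg -query $Guid SUB_DISK DISKIDLE
    powercfg -query $Guid SUB_PROCESSOR PROCTHROTTLEMIN
    powercfg -query $Guid SUB_SLEEP HYBRIDSLEEP
}
```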

Optimizing Disk Performance

Most hard disks have moving parts, and are consequently slower than other storage technologies. To
optimize disk subsystem throughput, consider the general points in the following table.

Optimization task / Why you might use it

Ensure that you enable write-caching.
    You can use Device Manager to examine the properties of any installed disks and to verify that
    write-caching is enabled.

Minimize the frequency of paging.
    Adding physical memory to a computer that is paging excessively reduces the load on the disk
    subsystem.

Distribute the memory load across all available disks.
    If your computer has multiple physical disks, consider distributing disk-intensive activities across
    these disks. For example, you can install the operating system and applications on one disk, the
    paging file on another, and your data files on a third disk.

Implement faster disks.
    Disk speed is measured in revolutions per minute (rpm), and average seek times are measured in
    milliseconds. Install 7200 rpm disks or faster, and choose disks with the lowest seek time.

Consider using solid-state disks (SSDs).
    SSD disks use flash memory technology and have no moving parts. They can operate faster than
    more traditional disks, but they are more expensive. Research the specific vendor and model of disk
    carefully. Some disks provide higher write performance, some provide higher read performance, and
    some provide neither, providing power-saving benefits instead.
Consider implementing a performance-enhancing disk array.
    You can combine physical disks into a single volume, distributing the disk activity across all the
    disks in the array. Windows 7 provides a capability in Disk Management to combine disks in this
    manner. However, it often is better to buy a disk array from a storage vendor, and handle the data
    striping by using the hardware in the array.

Defragment volumes that are used heavily.
    You can use either the built-in disk defragmentation tool or third-party tools, some of which support
    the defragmentation of files such as Hiberfil.sys and Pagefile.sys. Note that the likelihood of disk
    volume fragmentation increases as the disk volume becomes filled.

Lesson 5
Troubleshooting Device Driver Failures

A driver is a small software program that allows the computer to communicate with hardware or devices.
A hardware device works only if its device driver is installed correctly and functioning properly. Remember
that drivers are specific to operating systems.

A driver failure can render even the most sophisticated and expensive device useless. Malfunctioning
device drivers also can affect other hardware and may stop the computer from operating properly.

This lesson focuses on troubleshooting problems related to hardware device drivers, which can include:

Disabling and removing device drivers.


Verifying driver signatures.

Installing or reinstalling drivers manually.

Objectives
After completing this lesson, you will be able to:

Describe management of device drivers.

Describe methods for disabling device drivers.

Install and remove device drivers.

Describe the process to remove unsigned drivers.

Describe how to extract drivers.

Extract and install drivers into the driver store.

Manage legacy devices.

Manage driver installation by using Group Policy settings.



Managing Device Drivers

Windows 7 makes it possible for users to install their own device drivers, but this can potentially introduce
security and reliability problems. As an administrator, you can copy driver packages to a protected area of
a user's computer, called the driver store. A standard user, without any special user rights, then can install
drivers from the driver store. You also can configure the client computer to search particular local or
network folders automatically when a new device is attached, so that Windows does not prompt the user
to insert media.

The driver store, in conjunction with driver signing, increases computer security by ensuring that standard
users can install only those driver packages that you authorize and trust.

Driver Packages
A driver package is a set of files that make up a driver.

The driver package includes:


The .inf file.

Any files that the .inf file references.

The catalog (.cat) file that contains the digital signature of the device driver.

Installing a driver is a two-stage process:

1. Install the driver package into the driver store. You must use administrator credentials to perform this
step.
2. Attach the device, and install the driver. A standard user can perform this step.

Driver Store
The driver store is the Windows 7 driver repository. Because the driver store is a trusted location, when
compatible hardware is connected, Windows 7 installs the appropriate driver automatically from the
store's cache of device drivers.

Because standard users can install any device driver from the driver store, users can install common
hardware accessories without calling the help desk. An original equipment manufacturer (OEM) or IT
administrator can preload the driver store with the necessary drivers for commonly used peripheral
devices. The driver store is located in systemroot\System32\DriverStore.

During hardware installation, if there is no appropriate driver either in the driver store or available from
Windows Update, and the user does not have a device driver on removable media, then Windows 7
reports an unknown device.

Driver Signing
Because device drivers run with system-level privileges and can access anything on the computer, it is
critical to trust device drivers that are installed. Trust, in this context, includes two main principles:

Authenticity: a guarantee that the package came from its claimed source.

Integrity: an assurance that the package is completely intact and was not modified after its release.

Digital signatures allow administrators and end users who are installing Windows-based software to know
that a legitimate publisher is providing the software package. It is an electronic security mark that
indicates the software's publisher, and displays a message if someone changes the original contents of the
driver package. If a publisher signs a driver, you can be confident that the driver comes from that
publisher and has not been altered.

A digital signature uses the organization's digital certificate to encrypt specific details about the package.
The encrypted information in a digital signature includes a thumbprint for each file that the package
includes. A special cryptographic algorithm, known as a hashing algorithm, generates the thumbprint. The
algorithm generates a code that only the file's contents can create, and changing a single bit in the file
changes the thumbprint. After the thumbprints are generated, the publisher combines them into a
catalog and encrypts them.

Microsoft uses digital signatures to indicate that a driver is certified for use with Windows 7. Windows 7
checks for a driver's digital signature during installation, and prompts the user if no signature is available.
As the domain administrator, you should configure Group Policy to block the installation of device drivers
that do not have a digital signature. The signature file is stored as a .cat file with the driver file.

Use the Sigverif.exe tool to scan for unsigned drivers on a computer that runs Windows 7.

Disabling Device Drivers

If you have determined that the probable cause of a reported problem is with a device driver, you might
find it necessary to disable that particular device driver. Windows 7 has several methods that you can use
to disable device drivers.

Disabling Device Drivers Using Device Manager

You can disable a device driver through a graphical user interface (GUI) by using the Device Manager tool
as follows:

1. Open Device Manager.

2. Right-click the device driver that you want to disable, and then click Disable.

The difference between disabling a device and uninstalling it is that when you disable a device, you are
disabling only the drivers. The hardware configuration does not change, and the driver software is not
removed from the computer as it would be if you uninstall the device.

Note If a device appears to have failed, and Device Manager displays a problem with the
device, you can uninstall the device. Windows then detects the device, and installs the driver
again. This may resolve the problem.

Disabling Device Drivers from a Command Prompt


You also can disable a device driver from a command prompt by using the DevCon command-line tool.
For example, to disable all devices that have a hardware identifier that ends in MSLOOP, at a command
prompt, type devcon disable *MSLOOP. You also can use DevCon to list devices with their status and
associated hardware resources.

Disabling Device Drivers Remotely


You can use Remote Desktop to connect to a remote computer running Windows 7, and then use Device
Manager or DevCon to disable a device driver the same way you would on a local computer.

Disabling Device Drivers in Safe Mode


When you start a computer in safe mode, only a minimal number of device drivers start, including:

Drivers for CD-ROM or DVD-ROM

Floppy disk

Hard disk

Keyboard

Mouse

Video Graphics Adapter (VGA) devices

Start the computer in Safe Mode if the failure of a device driver is preventing the operating system from
starting. You then can troubleshoot the device driver, which might involve disabling the problem device
before you attempt to restart the computer in Normal Mode.

Practice: Managing Device Drivers

In this practice, you will install a new driver, which then creates a problem with the computer's
configuration. You will attempt to roll back the driver by shutting down the computer and accessing the
Advanced Boot Options menu to select Last Known Good.

Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice,
you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 2 and 3 for 6293A-NYC-CL1.

6. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

Detailed Steps

Task 1: Install a new device driver


1. Switch to NYC-CL1.

2. Click Start, right-click Computer, and then click Properties.

3. In System, click Device Manager.

4. In Device Manager, expand Keyboards, and then click Standard PS/2 Keyboard.

5. Right-click Standard PS/2 Keyboard, and then click Properties.

6. In the Standard PS/2 Keyboard Properties dialog box, click the Resources tab. You can see the IRQ
and I/O Range that the device is using.

7. Click the Driver tab. You can see there is no option to roll back the driver.

8. Click Update Driver.

9. In the Update Driver Software Standard PS/2 Keyboard Wizard, click Browse my computer for
driver software.

10. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.

11. On the Select the device driver you want to install for this hardware page, click Have Disk.

12. In the Install From Disk dialog box, in the Copy manufacturer's files from box, type
D:\Labfiles\Mod04\keyboard driver\type32, and then click OK.

13. In the Model list, click Microsoft Keyboard Elite for Bluetooth (106/109) (IntelliType Pro), and
then click Next.

14. In the Update Driver Warning dialog box, click Yes, and when prompted, click Close.

15. In the Microsoft Keyboard Elite for Bluetooth (106/109) (IntelliType Pro) dialog box, click Close.

16. In the System Settings Change dialog box, click Yes.

Task 2: Roll back the driver


1. After the computer restarts, attempt to log on with the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

You are not successful, and you cannot use Ctrl+Alt+Delete keyboard shortcut because the driver is
incompatible.

2. On your host, in the 6293A-NYC-CL1 on Localhost Virtual Machine Connection dialog box, on
the Action menu, click Shut Down.

3. On your host, in the 6293A-NYC-CL1 on Localhost Virtual Machine Connection dialog box, on
the Action menu, click Start.

4. While the computer is starting up, press F8 immediately to access the Advanced Boot Options
menu.

Note You can use Last Known Good to roll back the driver. You also can use Safe Mode,
and roll back the driver manually. Additionally, if you enable System Restore, you can use a
restore point to roll back to a point-in-time prior to the driver update. In this instance, Safe
Mode will be unsuccessful because the keyboard driver will still be used, which prevents you
from logging on.

5. In the Advanced Boot Options menu, select Last Known Good Configuration (advanced), and
then press Enter.

6. After the computer restarts, attempt to log on with the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

7. Click Start, right-click Computer, and then click Properties.

8. In System, click Device Manager.

9. In Device Manager, expand Keyboards, and then click Standard PS/2 Keyboard.

10. Right-click Standard PS/2 Keyboard, and then click Properties.

11. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab. You can see there is no
option to roll back the driver. This is because Last Known Good has rolled back the driver.

Note If you log on after restarting when you have installed or updated a driver, Last Known
Good no longer is a viable option. This is because Last Known Good is overwritten with the
CurrentControlSet during the logon process.

12. Click OK, and then close all open windows.

To prepare for the next practice


When you finish the practice, leave both virtual machines running.

Managing Unsigned Drivers

Device driver packages can include a digital signature. You should not allow anyone to install unsigned
device drivers on computers that are running Windows 7. By default, only administrators can install
unsigned device drivers. You can use Group Policy to prevent anyone else from installing unsigned drivers.

Driver Signatures
A device's hardware manufacturer typically provides a driver signature, but you also can use a Software
Publishing Certificate (SPC), if your organization has one, to add your own digital signature to drivers that
you have tested and that you trust. Unsigned device drivers could cause stability issues that you
experience on a computer after installing a new hardware device. Identifying and removing unsigned
device drivers is an essential step in the troubleshooting process.

Signature Verification Tool


Use the signature verification command-line tool (Sigverif) to locate unsigned device drivers in the system
area of the Windows 7 computer. Sigverif writes the scan results to a log file that includes the system file,
the signature file, and the publisher of the signature file. The log file shows any unsigned device drivers.

To remove an unsigned device driver, do the following:

1. Run Sigverif to scan for unsigned drivers, and then review the resulting log file.

2. Create a temporary folder for unsigned driver storage.

3. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.

4. Disable or uninstall the associated hardware device(s).

5. Restart the computer.



If this resolves the problem, then the unsigned driver most likely was causing the problem. You then
should try to obtain a signed driver from the hardware vendor, or replace the hardware with a device that
is compatible with Windows 7.

You also can obtain a basic list of signed and unsigned device drivers from a command prompt by
running the driverquery command with the /si switch.
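A script that reports unsigned drivers from the two sources this topic and the Driver Signing topic name, driverquery /si for loaded drivers and pnputil -e for the driver store, as an added example that is not part of the course material. It assumes the CSV column names driverquery /si prints (DeviceName, InfName, IsSigned, Manufacturer) and the "Key : Value" layout of pnputil -e output; it only reports, and moving files out of systemroot\System32\Drivers remains the manual step described above.

```powershell
# Added example, not from the course: list unsigned drivers for review.

function Get-UnsignedDrivers {
    # driverquery /si reports the catalog (.cat) signing state, so inbox drivers
    # that carry no embedded signature are still reported as signed. The column
    # names below are those driverquery prints in CSV mode.
    driverquery /si /fo csv | ConvertFrom-Csv |
        Where-Object { $_.IsSigned -ne 'TRUE' } |
        Select-Object DeviceName, InfName, Manufacturer
}

function Get-DriverStorePackages {
    # pnputil -e prints one "Key : Value" block per third-party package. Turn each
    # block into an object so the Signer name field can be filtered.
    $packages = @()
    $current  = $null
    foreach ($line in @(pnputil -e)) {
        if ($line -match '^\s*Published name\s*:\s*(.*)$') {
            if ($current -ne $null) { $packages += $current }
            $current = New-Object PSObject -Property @{
                PublishedName = $matches[1].Trim()   # oemN.inf, used with pnputil -d
                Provider      = ''
                Class         = ''
                Signer        = ''
            }
        }
        elseif ($current -ne $null -and $line -match '^\s*Driver package provider\s*:\s*(.*)$') {
            $current.Provider = $matches[1].Trim()
        }
        elseif ($current -ne $null -and $line -match '^\s*Class\s*:\s*(.*)$') {
            $current.Class = $matches[1].Trim()
        }
        elseif ($current -ne $null -and $line -match '^\s*Signer name\s*:\s*(.*)$') {
            $current.Signer = $matches[1].Trim()
        }
    }
    if ($current -ne $null) { $packages += $current }
    return $packages
}

function Get-UnsignedDriverStorePackages {
    # A package with an empty signer name is a candidate for removal from the
    # driver store (pnputil -d) once its device has been disabled or uninstalled.
    Get-DriverStorePackages | Where-Object { $_.Signer -eq '' } |
        Select-Object PublishedName, Provider, Class
}
```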

Extracting Device Drivers

When you install a device driver from an INF-based installation or from a setup application, the driver
package is copied automatically into the driver store. However, you also can extract device drivers
manually by using the new Windows 7 Pnputil.exe tool. Pnputil.exe is an important troubleshooting tool
that you can use to add driver packages, remove unnecessary or problem driver packages, and list all the
driver packages that are in the driver store.

Manual Driver Extraction


Manually add a driver to the Windows 7 driver store with the Pnputil.exe tool by using the following
procedure:

1. Obtain a digitally signed driver package.

2. Log on as Administrator, and then open a command prompt window.

3. Run pnputil.exe -a package_name.

4. Windows 7 checks the driver's integrity and digital signature, and then copies the driver into the
driver store.

Note The Pnputil.exe tool only runs at a command prompt with elevated user rights. The
tool cannot invoke the User Account Control dialog box.

Managing the Driver Store


Use the Pnputil.exe command-line tool to manage the driver store. You can use Pnputil.exe to both add
and remove packages from the driver store, and to list third-party packages already in the store.

Pnputil.exe performs the following tasks:

Adds a driver to the driver store.

Adds a driver to the driver store, and installs the driver in the same operation.

Deletes a driver from the driver store.

Lists all drivers in the driver store.

The following table shows the Pnputil.exe command-line syntax.

Command Line / Details

pnputil.exe -a d:\usbcam\USBCAM.inf
    Add a package that USBCAM.inf specifies.

pnputil.exe -a c:\drivers\*.inf
    Add all packages in C:\drivers.

pnputil.exe -i -a a:\usbcam\USBCAM.inf
    Add and install a driver package.

pnputil.exe -e
    List all third-party packages.

pnputil.exe -d oem0.inf
    Delete package oem0.inf.

pnputil.exe -f -d oem0.inf
    Force deletion of package oem0.inf.
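The manual extraction procedure above, wrapped so that a whole folder of packages is staged with pnputil only after each package's catalog signature has been verified, as an added example that is not part of the course material. The staging folder path is a constructed placeholder; the check reads the CatalogFile= entries from the .inf [Version] section, which is how a package names the .cat file that carries its signature.

```powershell
# Added example, not from the course: stage signed driver packages into the
# driver store with pnputil. Must run from an elevated prompt.

function Get-InfCatalogFiles {
    param([string]$InfPath)
    # An .inf names its catalog with CatalogFile=, optionally suffixed per
    # platform (for example CatalogFile.NTamd64=). Collect every value.
    $pattern = '^\s*CatalogFile(\.[A-Za-z0-9]+)?\s*=\s*"?([^";\s]+)'
    $cats = @()
    foreach ($m in @(Select-String -Path $InfPath -Pattern $pattern)) {
        $cats += $m.Matches[0].Groups[2].Value
    }
    return @($cats | Select-Object -Unique)
}

function Test-DriverPackageSigned {
    param([string]$InfPath)
    # Every catalog the .inf references must exist beside it and carry a valid
    # signature. A package with no CatalogFile entry at all is unsigned.
    $dir  = Split-Path -Parent $InfPath
    $cats = Get-InfCatalogFiles $InfPath
    if ($cats.Count -eq 0) { return $false }
    foreach ($cat in $cats) {
        $catPath = Join-Path $dir $cat
        if (-not (Test-Path $catPath)) { return $false }
        $sig = Get-AuthenticodeSignature -FilePath $catPath
        if ($sig.Status -ne 'Valid') { return $false }
    }
    return $true
}

function Add-SignedDriverPackages {
    param(
        [string]$Folder = 'D:\Drivers\Staging',   # constructed placeholder
        [switch]$Install                          # use pnputil -i -a instead of -a
    )
    # pnputil cannot raise the User Account Control prompt itself, so refuse to
    # start unless this session already holds the Administrator role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated command prompt.'
    }

    $results = @()
    foreach ($inf in Get-ChildItem -Path $Folder -Filter *.inf -Recurse) {
        if (-not (Test-DriverPackageSigned $inf.FullName)) {
            Write-Warning "Skipping package without a valid catalog signature: $($inf.FullName)"
            continue
        }
        if ($Install) { $out = pnputil -i -a $inf.FullName }
        else          { $out = pnputil -a $inf.FullName }
        # Keep pnputil's exit code and text for each package so the result of
        # the whole run can be reviewed afterwards.
        $results += New-Object PSObject -Property @{
            Package  = $inf.FullName
            ExitCode = $LASTEXITCODE
            Output   = ($out -join ' ')
        }
    }
    return $results
}
```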



Practice: Installing a Driver into the Driver Store

In this practice, you will install a driver into the driver store. This makes the driver available for standard
users to install, if necessary. First, you will see that a standard user, Adam, lacks the permissions to install
drivers. Next, you add the driver to the store.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Detailed Steps

X Task 1: Attempt to install a driver as a standard user


1. Log off NYC-CL1, and then log on with the following credentials:

User name: Adam

Password: Pa$$w0rd

Domain: Contoso

2. Click Start, and then click Computer.

3. In Computer, double-click Allfiles (D:), double-click Labfiles, double-click Mod04, double-click
mouse driver, and then double-click point32.

4. Right-click point32 (the setup information file), and then click Install.

5. You are prompted to provide administrator credentials. Click No.



Task 2: Extract and install the driver into the driver store

1. Log off, and then log on with the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

2. Click Start, and in the Search box, type cmd.exe, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

D:

4. At the command prompt, type the following command, and then press Enter:

Cd\labfiles\mod04\mouse driver\

5. At the command prompt, type the following command, and then press Enter:

Pnputil -a point32\*.inf

6. At the command prompt, type the following command, and then press Enter:

Pnputil -e

7. You can see the newly installed driver.

Note A standard user now would plug in the hardware device. The driver would be
available automatically. This is not possible within the virtual machine environment.

To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps for 6293A-NYC-CL1.



Managing Legacy Device Drivers

If you have a hardware device that does not come with a Windows 7 driver, consider different factors
before deciding to use a legacy device driver. Legacy drivers that were developed for previous Windows
versions might not work in Windows 7, or they might cause interoperability problems with other devices.

Compatibility Issues
Obtain a device driver written specifically for Windows 7 to maximize the benefit of the architectural
improvements. Otherwise, check with the hardware vendor to find out if there are known issues when
using a driver designed for earlier Windows versions on a computer that is running Windows 7.
Compatibility issues can include:

Installation. The driver might not install in the same way as in previous Windows versions. For
example, the user access protection feature may complicate the Windows 7 Finish-Install process.

Loading. The driver might not load the same way as in previous Windows versions. For example, the
64-bit Windows 7 editions do not load unsigned drivers.

Run time. The driver might not run the same way as in previous Windows versions. Run-time
compatibility problems include a range of issues that can occur during run time. Some issues are
quite serious, and others are relatively minor.

Functionality. The driver runs, but its behavior might differ significantly from that in earlier Windows
versions. For example, Network Driver Interface Specification (NDIS) 5.x drivers must go through a
translation layer that reduces their performance. Similarly, display drivers for the Windows XP
operating system, which are based on the display driver model of the Microsoft Windows 2000
Server operating system, may function in Windows 7. However, upon use, they may not display
premium content such as HD-DVD video, and cannot support the Microsoft Windows Aero user
experience.

Testing Issues
If you cannot obtain a device driver written for Windows 7, you can try a Windows Vista or Windows XP
driver. Thoroughly test any driver not written specifically for Windows 7 prior to using it with Windows 7.

Many driver-installation errors can occur when you use a device driver that was not developed specifically
for Windows 7, particularly in the following categories:

References and paths for .inf files.

Access control list (ACL) restrictions.

The following table lists common installation error messages that you may encounter during testing.

Error / Problem

80070002:ERROR_FILE_NOT_FOUND
    The driver package .inf file references a file that is missing or does not exist.

80070003:ERROR_PATH_NOT_FOUND
    The driver package .inf file specifies a tag file path that is missing or does not exist.

80070005:ERROR_ACCESS_DENIED
    The driver package is in a location that has an ACL that is too restrictive.

800F0233:SPAPI_E_INVALID_TARGET
    The driver package has one or more incorrect tag file references in the .inf file.

8028006E:CMIeInfinvalidSourcePath
    The driver package does not specify the correct path in the .inf file.

Demonstration: How to Use Group Policy to Manage Driver Installation

You can use Group Policy objects (GPO) to configure a number of settings that control installation of
devices and device drivers. The following table identifies the relevant Group Policy settings.
In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System,
Driver Installation.

Group Policy setting / Description

Allow non-administrators to install drivers for these device setup classes
    Enables users to install specified device drivers. You can determine the appropriate driver setup
    class by examining the .inf file that is provided as part of a device driver.

Turn off Windows Update device driver search prompt
    Determines whether the administrator is prompted to search Windows Update for drivers during
    device installation.

In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System,
Device Installation\Device Installation Restrictions.

Group Policy setting: Allow administrators to override Device Installation Restrictions policies
Description: Enables members of the Administrators group to install or update drivers for devices, regardless of policy settings.

Group Policy setting: Allow installation of devices using drivers that match these device setup classes
Description: Enables the installation of devices that match the specified setup class GUIDs.

Group Policy setting: Prevent installation of devices using drivers that match these device setup classes
Description: Prevents the installation of devices that match the specified setup class GUIDs.

Group Policy setting: Display a custom message when a policy setting prevents installation
Description: Allows the administrator to define a customized message that displays when a policy setting prevents device installation.

Group Policy setting: Display a custom message title when a policy setting prevents device installation
Description: Allows the administrator to define a customized message title that displays when a policy setting prevents device installation.

Group Policy setting: Allow installation of devices that match any of these device identifiers
Description: Enables the installation of devices that match the device identifiers that you specify.

Group Policy setting: Prevent installation of devices that match any of these device identifiers
Description: Prevents the installation of devices that match the device identifiers that you specify.

Group Policy setting: Time (in seconds) to force reboot when required for policy changes to take effect
Description: Enables you to define the time that the computer waits to restart after a device installation.

Group Policy setting: Prevent installation of removable devices
Description: Enables you to prevent users from installing removable devices.

Group Policy setting: Prevent installation of devices not described by other policy settings
Description: Enables you to ensure that users cannot install any drivers, even if there are no policies restricting installation.

In this demonstration, you will see how to:

Modify Group Policy settings to control device installation.

Demonstration Steps
1. Open Group Policy Management console.

2. Modify the Default Domain Policy with device installation restriction policy settings.

Lab A: Resolving Hardware Device and Device Driver Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd
Domain: Contoso

5. Repeat steps 2 through 4 for 6293A-NYC-CL1.

Lab Scenario
The help desk has received a number of trouble tickets that relate to device driver installation. Your
manager has asked you to determine why devices are causing so many issues, and to suggest a possible
solution. You then must implement the solution within the network.

For this project, you must complete the following tasks:

Read the help-desk ticket.

Resolve all hardware-related problems.

Control device installation by using Group Policy.



Supporting Documentation
Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 13 Feb 2011 09:13
To: Charlotte@contoso.com
Subject: Re: Device-related problems
Attachments: Incident Reports

Charlotte,
Here it is. Let me know if you need anything else.
Kind regards,
Ed
----- Original Message -----
From: Charlotte Weiss [Charlotte@contoso.com]
Sent: 12 Feb 2011 17:01
To: Ed@contoso.com
Subject: Device-related problems
Ed,
Have you got that incident report you promised me at the management meeting recently? I want to get
the EDSTs to take a look at it, check out the problem, and then figure out why we've been getting so
many issues.
Charlotte

Exercise 1: Resolving Hardware Issues


Scenario
In this exercise, you will resolve the reported hardware problem that Tier 1 help-desk staff could not
resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 602101.

2. Update the Plan of Action section of the Incident Record.


3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602101

Date of Call March 1


Time of Call 10:03
User Bobby Moore (Production Department)
Status OPEN

Incident Details
User reports that his computer mouse is nonfunctional.

Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway through
the process.
I attended the user's computer and was unable to resolve the problem, as the mouse was totally
nonfunctional.
System Restore unavailable as currently disabled.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 602101


Read the help-desk Incident Record for Incident 602101.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod04\Scenario1.vbs script.

3. Wait while the NYC-CL1 computer restarts.

X Task 4: Attempt to resolve the problem

Note It is easier to use the keyboard in a virtual machine if you switch to full-screen mode.
To do this, on your host computer, press Ctrl+Alt+Break. If you are unsure, ask your
instructor for assistance.

1. Using your knowledge of the devices and drivers, and the troubleshooting tools available for devices
and drivers, attempt to resolve the problem.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.

4. If necessary, revert your virtual machines by using the following procedure:


On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.


Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1.

In the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Repeat these steps for 6293A-NYC-CL1.

Results: At the end of this exercise, you will have resolved the hardware problem.

Exercise 2: Configuring Group Policy to Control Device Installation (Optional)
Scenario
Users in the Research department need to be able to install specific device types to complete their
research projects. However, it is important that users in other departments install only printer drivers.

In this exercise, you will configure Group Policy to facilitate these requirements.

The main tasks for this exercise are:

1. Read the email from Ed Meadows.

2. Configure the administrators setting.


3. Configure the ability for users to install printer devices.

4. Configure the Research Department device settings.

Supporting Documentation
Charlotte Weiss
From: Ed Meadows [Ed@contoso.com]
Sent: 5 March 2011 10.20
To: Charlotte@contoso.com
Subject: GPO changes

Charlotte,
Can you update the Group Policy to support the following requirements? The Tier 3 guys are overloaded
at the moment, so although I realize this is out of scope for you, it would be a real help.

Research department needs to be able to install devices for setup class Mouse, Keyboard, and Printer.
All other departments must be restricted to install only printers.

I want to be sure that drivers not defined by any other policy are restricted.

Administrators are not to be affected by any restrictions.


Thanks,

Ed

X Task 1: Read the email from Ed Meadows


1. Read the email in the Supporting Documentation section.

2. Determine a Plan of Action.

3. Answer the questions in the GPO planning document.



4. If necessary, discuss your plans with the class.

GPO Planning Document


Reference: CW050511/1

Date March 5

Details
Update GPO settings to:
Restrict all users to be able to install printer drivers only
Enable Research Department users to install Printers, Mice, and Keyboard device drivers
Do not restrict administrators from installing any drivers

Additional Information
Use as few GPOs as possible

Plan of Action
1. How many GPOs do you envision using?

2. To which containers will you link these GPOs?

3. How do you plan to configure the restriction for all users?

4. How will you accommodate the requirement to support the Research Department's needs?

5. How will you accommodate the administrator requirement?

X Task 2: Configure the administrators setting

Note Some of the tasks that you perform to complete this exercise may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

1. Switch to NYC-DC1.

2. Open Group Policy Management, and then open the Default Domain Policy for editing.

3. Modify the following settings in accordance with your action plan:


Under Computer Configuration, expand Policies, Administrative Templates, System, Device
Installation, and then click Device Installation Restrictions.

Enable: Allow administrators to override Device Installation Restriction policies.



X Task 3: Configure the ability for users to install printer devices


Enable and configure: Allow installation of devices using drivers that match these device setup
classes.

Locate the GUID in the faxca003.INF file in the D:\Labfiles\Mod04\fax folder on NYC-CL1.

Hint Map a network drive from NYC-DC1 to \\NYC-CL1\d$\ so that you can copy and
paste GUIDs into the GPO.

X Task 4: Configure the device settings for the Research Department


1. Create and link a new GPO to the Research organizational unit (OU). Give the new GPO the name
GPO Research Department device settings.

2. Configure the settings for this new GPO:

Open GPO Research Department device settings for editing.


In Group Policy Management Editor, under Computer Configuration, expand Policies,
Administrative Templates, System, Device Installation, and then click Device Installation
Restrictions.
Enable and configure: Allow installation of devices using drivers that match these device
setup classes.

Locate the GUID in the type32.INF and point32.INF files in the relevant subfolders in the
D:\Labfiles\Mod04\ folder on NYC-CL1.

3. Close all open windows.

Note Due to restrictions within the virtual machine environment, you cannot properly test
these restrictions.
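Tasks 3 and 4 have you read the setup class GUID out of faxca003.INF, type32.INF and point32.INF by hand, and the Note above says the restriction cannot be exercised in the lab. The following PowerShell script is an added example, not one of the course lab files: it reads the [Version] section of each .inf under D:\Labfiles\Mod04, pre-checks the [SourceDisksFiles] references whose absence produces the 80070002/80070003 errors listed earlier in this module, and reports whether each ClassGuid is present in the policy data that reached the client. The registry path under DeviceInstall\Restrictions is an assumption about where the "Allow installation of devices using drivers that match these device setup classes" setting is applied; the file paths are the lab's own.

```powershell
# Added example for the 6293A lab (not part of the course files): read the ClassGuid
# the GPO setting needs out of a driver package .inf, pre-check the file references
# that surface as 80070002/80070003 errors, and confirm what policy reached the client.
# The registry path under DeviceInstall\Restrictions is an assumption about where the
# "Allow installation of devices using drivers that match these device setup classes"
# setting lands; everything else uses only the lab's own paths.

function Get-InfSections {
    param([string]$Path)
    # Minimal INF reader: [Section] headers, key=value lines, ';' starts a comment.
    $sections = @{}
    $current = $null
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = ($raw -split ';', 2)[0].Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1].Trim()
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
        } elseif ($current -ne $null) {
            $sections[$current] += $line
        }
    }
    return $sections
}

function Get-InfValue {
    param([hashtable]$Sections, [string]$Section, [string]$Key)
    if (-not $Sections.ContainsKey($Section)) { return $null }
    foreach ($line in $Sections[$Section]) {
        $parts = $line -split '=', 2
        if ($parts.Count -eq 2 -and $parts[0].Trim() -eq $Key) {
            return $parts[1].Trim().Trim('"')
        }
    }
    return $null
}

function Test-DriverPackage {
    param([string]$InfPath)
    $sections = Get-InfSections -Path $InfPath
    $folder   = Split-Path -Parent $InfPath
    $missing  = @()
    # [SourceDisksFiles] lines read "file = diskid[,subdir]". A file listed here but not
    # present beside the .inf is what the installer reports as 80070002:ERROR_FILE_NOT_FOUND;
    # a subdir that does not exist gives 80070003:ERROR_PATH_NOT_FOUND.
    if ($sections.ContainsKey('SourceDisksFiles')) {
        foreach ($line in $sections['SourceDisksFiles']) {
            $kv     = $line -split '=', 2
            $file   = $kv[0].Trim()
            $fields = $kv[1] -split ','
            $dir    = $folder
            if ($fields.Count -ge 2 -and $fields[1].Trim() -ne '') { $dir = Join-Path $folder $fields[1].Trim() }
            if (-not (Test-Path -LiteralPath (Join-Path $dir $file))) { $missing += $file }
        }
    }
    New-Object PSObject -Property @{
        Inf          = $InfPath
        Class        = Get-InfValue $sections 'Version' 'Class'
        ClassGuid    = Get-InfValue $sections 'Version' 'ClassGuid'
        MissingFiles = $missing
    }
}

function Get-AllowedDeviceClasses {
    # Assumed location of the applied "Allow installation ... device setup classes" list.
    # Run on NYC-CL1 after 'gpupdate /force' to confirm the GPO actually reached the client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceClasses'
    if (-not (Test-Path $key)) { return @() }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties
    return @($props | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

# Walk the lab's driver packages (fax, type32 and point32 all live under D:\Labfiles\Mod04).
$allowed = Get-AllowedDeviceClasses
Get-ChildItem -Path 'D:\Labfiles\Mod04' -Recurse -Include *.inf | ForEach-Object {
    $pkg = Test-DriverPackage -InfPath $_.FullName
    $pkg | Add-Member -MemberType NoteProperty -Name AllowedByPolicy -Value ($allowed -contains $pkg.ClassGuid) -PassThru |
        Format-List Inf, Class, ClassGuid, MissingFiles, AllowedByPolicy
}
```

Run it on NYC-CL1 (the computer that holds the lab files and receives the policy). A ClassGuid that shows AllowedByPolicy as False after gpupdate means either the GUID was copied into the wrong GPO setting or the GPO is not linked to a container that contains the computer object, which is the check the Note above says the virtual machines cannot give you directly.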

Results: At the end of this exercise, you will have planned and implemented GPOs to support the device
installation requirements.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Lab B: Troubleshooting Performance-Related Issues (Optional)

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd
Domain: Contoso

5. Repeat steps 2 through 4 for 6293A-NYC-CL1.

Lab Scenario
A user reports performance-related problems with his computer. The help desk is unable to determine the
problem. You must investigate to ascertain which computer component the problem is affecting, and
then make recommendations about a solution or mitigation.

For this project, you must complete the following tasks:

Read the help-desk tickets.

Plan a course of action.



Attempt resolution of the problems.

Document successful resolutions.

Incident Record
Incident Reference Number: 604121

Date of Call July 27


Time of Call 10:41
User Dylan Miller (Research Department)
Status OPEN

Incident Details
Dylan contacted the help desk reporting problems with his computer. It has been running slowly, and
activities that used to take a few seconds are taking much longer.

Additional Information
We must determine which components are affected in Dylan's computer, and then make
recommendations about how to solve or mitigate these performance bottlenecks.

Plan of Action

Resolution

Exercise: Troubleshooting a Performance Problem


Scenario
In this exercise, you will establish a baseline for performance, and then compare the problematic
computer against the data to help determine what component the performance problem is affecting.

The main tasks for this exercise are:

1. Establish a performance baseline.

2. View the baseline report.


3. Read the help-desk Incident Record for Incident 604121.

4. Update the Plan of Action section of the Incident Record.

5. Create load on the computer.

6. Identify performance bottlenecks in the computer.

X Task 1: Establish a performance baseline


1. Switch to NYC-CL1.

2. Open Performance Monitor.


3. Create a user-defined Data Collector Set with the following properties:

Name: Contoso Baseline

Create manually (Advanced)


Performance counter

Sample interval: 1 second

Counters to include:
Memory > Pages/sec

Network Interface > Packets/sec

Physical Disk > % Disk Time

Physical Disk > Avg. Disk Queue Length

Processor > % Processor Time

System > Processor Queue Length

4. Start the Data Collector Set.

5. Open Microsoft Office Word 2007.

6. Open Microsoft Office Excel 2007 and Microsoft Office PowerPoint 2007.

7. Close all Office applications, and in Performance Monitor, stop the Contoso Baseline data collector
set.

X Task 2: View the baseline report


1. In Performance Monitor, locate Reports > User Defined > Contoso Baseline.

2. Click on the report that has a name that begins with NYC-CL1_.

3. View the data as a report.

4. Record the component details in the following table.

Recorded component usage


Memory Pages per second

Network Interface Packets per second

Physical Disk % Disk Time

Physical Disk Avg. Disk Queue Length

Processor % Processor Time

System Processor Queue Length

X Task 3: Read the help-desk Incident Record for Incident 604121


Read the help-desk Incident Record for Incident 604121.

X Task 4: Update the Plan of Action section of the Incident Record


Update the Plan of Action section of the Incident Record with your recommendations.

X Task 5: Create load on the computer


1. Switch to the NYC-CL1 computer.
2. Switch to Performance Monitor. In the navigation pane, right-click Contoso Baseline, and then click
Start.

3. Run the D:\Labfiles\Mod04\Scenario2.vbs script.

X Task 6: Identify performance bottlenecks in the computer


1. Open Resource Monitor.

2. Which components are under strain?

3. After a few minutes, close the two instances of C:\Windows\System32\cmd.exe launched by the
script.

4. Switch to Performance Monitor, and stop the Contoso Baseline data collector set.

5. In Performance Monitor, locate Reports > User Defined > Contoso Baseline.

6. Click on the second report that has a name that begins with NYC-CL1_.

7. View the data as a report.



8. Record the component details in the following table.

Recorded component usage


Memory Pages per second

Network Interface Packets per second

Physical Disk % Disk Time

Physical Disk Avg. Disk Queue Length

Processor % Processor Time

System Processor Queue Length

9. In your opinion, which components are the most seriously affected?

10. Complete the Resolution section of the incident record with your recommendations. If asked to do so,
discuss your results with the class.
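Tasks 1 and 6 capture the same six counters twice, once at rest and once under load, and ask you to compare the two reports by eye. The following PowerShell script is an added example and not one of the course lab files: it samples the lab's counters with Get-Counter at the lab's one-second interval, stores the averaged baseline, and then lists the counters whose load rose the most against that baseline. The 2x growth factor used to flag a component and the C:\PerfLogs output path are assumptions; the counter names are the ones the Data Collector Set in Task 1 uses.

```powershell
# Added example (not the course's own script): capture the six counters the lab's
# Data Collector Set uses, save an averaged baseline, then flag the counters whose
# load grew most against it. Threshold factor and output path are assumptions.

$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterAverages {
    param([int]$Seconds = 30)
    # Sample once per second (the lab's interval) and average every counter path seen.
    $sets   = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds
    $sums   = @{}
    $counts = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            # Drop the leading \\COMPUTERNAME so baselines from different hosts line up;
            # per-instance paths (one per network interface) are kept separate.
            $key = $s.Path -replace '^\\\\[^\\]+', ''
            $sums[$key]   = $sums[$key] + $s.CookedValue
            $counts[$key] = $counts[$key] + 1
        }
    }
    $avg = @{}
    foreach ($k in $sums.Keys) { $avg[$k] = [math]::Round($sums[$k] / $counts[$k], 2) }
    return $avg
}

function Compare-ToBaseline {
    param([hashtable]$Baseline, [hashtable]$Current, [double]$Factor = 2.0)
    # Report every counter whose average rose by at least $Factor over the baseline.
    $hits = @()
    foreach ($k in $Current.Keys) {
        $base = $Baseline[$k]
        if ($base -eq $null -or $base -le 0) { $base = 0.01 }   # idle counters read 0 at rest
        $ratio = $Current[$k] / $base
        if ($ratio -ge $Factor) {
            $hits += New-Object PSObject -Property @{
                Counter  = $k
                Baseline = $Baseline[$k]
                Current  = $Current[$k]
                Ratio    = [math]::Round($ratio, 1)
            }
        }
    }
    return $hits | Sort-Object Ratio -Descending
}

# Equivalent of Task 1: sample while the Office applications open and close, then keep it.
$baselinePath = 'C:\PerfLogs\ContosoBaseline.xml'     # assumed location
$baseline = Get-CounterAverages -Seconds 30
$baseline | Export-Clixml -Path $baselinePath

# Equivalent of Tasks 5 and 6: after Scenario2.vbs has started its load, sample again and compare.
$current = Get-CounterAverages -Seconds 30
Compare-ToBaseline -Baseline (Import-Clixml -Path $baselinePath) -Current $current |
    Format-Table Counter, Baseline, Current, Ratio -AutoSize
```

The two Get-CounterAverages calls are meant to run at different times; leave the script open between them, or run the baseline half on one day and the comparison half when the user reports the slowdown. A counter that is high in both samples is a capacity problem rather than an incident, which is why the comparison is against the baseline and not against a fixed limit.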

Results: At the end of this exercise, you will determine the components affected on the user's computer,
and then discuss solutions and mitigations with the class.

X To revert the virtual machines


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.


2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Module Review and Takeaways

Review Questions
1. If you do not configure device restrictions in GPOs, what security risks do USB removable storage
devices pose?

2. What two methods can you use to restrict specific device installation through GPO?

3. Users are complaining that when they visit customer sites, they are unable to connect to their
customers' printers because of device-installation restrictions. What two possible actions could you
take?

4. Users on the help desk have tried to install a new driver for a user in the marketing department to
enable them to use their new scanner. The driver is not part of the driver store and Group Policy
prohibits installation of additional drivers. What GPO setting would you recommend changing in
order to enable the installation of this driver?

5. You decide to install this driver into the driver store. Assuming the driver is in the D:\scanner folder
and the driver INF file is called Scanner.inf, what command would you use?

6. Your user complains of poor performance. You discover that the disk component is bottlenecked.
Before you rush out and purchase faster disks, what should you check?

7. After you complete your check, what else could you do to improve the disk throughput on your
user's computer?

8. You need to view the application log on another computer without visiting that computer. How could
you do this?

Tools

Tool: Sigverif.exe
Use for: Verify device driver signatures
Where to find it: Command-line

Tool: Driverquery.exe
Use for: Managing device drivers from the command prompt
Where to find it: Command-line

Tool: Pnputil.exe
Use for: Extract, install, and manage drivers in the driver store
Where to find it: Command-line

Tool: Resource Monitor
Use for: Viewing current performance data and activity
Where to find it: Start menu

Tool: Performance Monitor
Use for: Viewing both current and historical performance-related data
Where to find it: Start menu

Module 5
Troubleshooting Network Connectivity Issues
Contents:
Lesson 1: Determining Network Settings 5-3

Lesson 2: Troubleshooting Network Connectivity Issues 5-9


Lab: Troubleshooting Network Connectivity Issues 5-35

Module Overview

Configuring network settings is a common administrative task that, in many organizations, can account
for a significant percentage of the overall administrative effort. The Windows 7 operating system
includes several tools that can help you set up and troubleshoot both wired and wireless network
connections more efficiently. To support your organization's network infrastructure, it is important that
you understand how to configure and troubleshoot network connections.

Objectives
After completing this module, you will be able to:

Determine the network configuration of client computers.

Troubleshoot network connections.



Lesson 1
Determining Network Settings

The network architecture in Windows 7 simplifies network management and the configuration of network
connections. By learning about this architecture, and the tools that Windows 7 provides for
troubleshooting network connections, you will be better prepared to configure network clients and
support your users.

Objectives
After completing this lesson, you will be able to:

Describe the new network components in Windows 7.


Explain how Windows 7 determines network topology.

Networking Components of Windows 7

Windows 7 includes several new tools for creating, managing, and troubleshooting both wired and
wireless network connections.

Network and Sharing Center


The Network and Sharing Center is the main user interface for the management of network connections.

The Network and Sharing Center provides a clear view of the status for any wired or wireless connection.
It includes a network map feature that shows a topological diagram of the local network and any other
connected networks. You also can launch Network Explorer to help you find and browse network
resources easily.

Network Location Categories


A network location category classifies the network connections so you can configure network security
through Microsoft Windows Firewall. The operating system groups and classifies the connections into
Public, Private, or Domain categories.

Windows 7 automatically configures the firewall and file-sharing settings based on the specified network
location categories, which include:

The Public category is the default network location type when the computer is not connected to a
domain. Public category settings are the most restrictive, and help protect the computer when you
connect it to an untrustworthy network. For example, all types of file and printer sharing are turned
off in the Public category. Use the Public category for networks that have direct connections to the
Internet or those that allow unmanaged clients to connect, such as wireless hot spot networks.

Note Windows 7, by default, initially assigns the Public category to all network
connections.

The Private category applies only if a user with local Administrator rights manually assigns it to a
network that you set previously to Public. Use the Private network location category only for a trusted
network. You must assign the Private network location category only for a network connection that
the public cannot directly access. A local administrator must assign this category, and Windows
remembers the assignment the next time you connect to the network.
Windows describes the Private network location category in one of two ways:

Home network: If all computers connected to the network are at your home, then select the
Home Private network location category.

Work network: If all computers connected to the network are at your workplace, then select the
Work Private network location category.

The Domain category applies when a computer that is running Windows 7 connects to a network, and
then authenticates to a domain controller that is in the computer's domain.

Windows 7 is capable of assigning a separate network location category to each connected network
interface. For example, if you connect your computer to your corporate network by using a virtual private
network (VPN) that you initiate from a Wi-Fi hot spot, such as a coffee shop, then Windows 7 assigns two
network location categories: private for the corporate VPN and public for the Wi-Fi hot spot.

Note By default, on computers that are not joined to a domain, changing the network
location requires administrative privileges. By default, on domain-joined computers,
changing the network location does not require administrative privileges.
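The category assigned to each connected network is what decides which Windows Firewall profile is in force, and therefore whether file and printer sharing is reachable from that network. The following PowerShell script is an added example and not part of the course: it uses the HNetCfg.FwPolicy2 COM interface of Windows Firewall with Advanced Security, which is present on Windows 7, to report the active categories and how many File and Printer Sharing rules are enabled in each profile. The profile bit values (1 Domain, 2 Private, 4 Public) are the interface's own; the rule group identifier '@FirewallAPI.dll,-28502' is assumed to be the one Windows uses for the File and Printer Sharing group.

```powershell
# Added example (not from the course): show which network location categories are active
# on this computer and whether File and Printer Sharing is open in each firewall profile.
# HNetCfg.FwPolicy2 is the Windows Firewall with Advanced Security COM interface on Windows 7;
# CurrentProfileTypes is a bitmask with one bit per connected network (1 Domain, 2 Private, 4 Public).
# The group id for "File and Printer Sharing" is an assumption.

$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
$sharingGroup = '@FirewallAPI.dll,-28502'

function Get-ActiveNetworkProfiles {
    $fw   = New-Object -ComObject HNetCfg.FwPolicy2
    $mask = $fw.CurrentProfileTypes
    $active = @()
    foreach ($bit in 1, 2, 4) {
        if ($mask -band $bit) { $active += $profileNames[$bit] }
    }
    return $active
}

function Get-SharingRuleState {
    # For each profile, count the File and Printer Sharing rules and how many are enabled.
    # A rule's Profiles value is itself a bitmask (0x7fffffff means "all profiles").
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $report = @{}
    foreach ($bit in 1, 2, 4) {
        $enabled = 0
        $total   = 0
        foreach ($rule in $fw.Rules) {
            if ($rule.Grouping -ne $sharingGroup) { continue }
            if (-not ($rule.Profiles -band $bit)) { continue }
            $total++
            if ($rule.Enabled) { $enabled++ }
        }
        $report[$profileNames[$bit]] = "$enabled of $total rules enabled"
    }
    return $report
}

$active = Get-ActiveNetworkProfiles
"Active network location categories: $($active -join ', ')"
$state = Get-SharingRuleState
foreach ($name in 'Domain', 'Private', 'Public') { '{0,-8} {1}' -f $name, $state[$name] }

# The Public profile is the restrictive one; sharing rules enabled there undo that protection.
if (($active -contains 'Public') -and ($state['Public'] -notlike '0 of *')) {
    'Warning: File and Printer Sharing rules are enabled in the Public profile.'
}
```

The equivalent one-line check from a command prompt is netsh advfirewall show currentprofile, which prints the active profile but not the per-rule state. Because Windows 7 can hold several categories at once (the VPN-from-a-hot-spot case described above), the script reports every active bit rather than a single profile.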

Network Setup Wizard


Windows 7 provides a user-friendly interface called the Network Setup Wizard to help you configure
network settings.

Windows 7 recognizes any unconfigured network devices on the computer, and then automates the
process of adding and configuring them. The Network Setup Wizard also recognizes any wireless
networks in range of the computer, and makes the process of configuring them simple and intuitive.

You can save network settings to a universal serial bus (USB) flash drive for use when configuring
additional computers. Saving network settings to a USB device makes configuring similar new computers
and devices quick and easy.

You also can use the Network Setup Wizard to enable sharing documents, photos, music, and other files
across your network.

NDF
The NDF (Network Diagnostics Framework) provides a single, unified set of technologies to assist in
troubleshooting and diagnosing network problems. By using the NDF, you can diagnose and repair
network problems in the context of the application that experienced the problem.

Additionally, with NDF, users can diagnose and attempt to resolve their own issues automatically before
they call the help desk. The NDF can help reduce the total cost of ownership and the volume of calls to
the help desk.

Network Map
Network Map displays a topological map of the local network and any connected networks. Network Map
makes it easy to see the connections between devices on your network by clearly differentiating between
wired and wireless connections. It helps optimize the network for best performance, and is extremely
useful in troubleshooting network problems, because it displays a real-time view of the connections that
are available to your computer.

Network Explorer
Network Explorer displays a view of all of the computers, devices, and printers on the network. You can
customize the icons for various network devices, if the manufacturer allows customization. Use Network
Explorer to perform limited remote computer management, such as adjusting settings or controlling
music playback.

How Windows 7 Discovers Network Topology

Windows 7 computers use the new Network Discovery feature to generate accurate network topologies
with Network Map. During the troubleshooting process, Network Map enables you to view the real-time
status of any wired or wireless network connections.

Network Discovery
A computer running Windows 7 uses Network Discovery to find other computers and devices on the
network. The first time you connect to a network, use the Set Network Location dialog box to classify
the type of network to which you are connected. After you classify the network location category,
Windows 7 activates the appropriate security settings.

Note You can turn Network Discovery on or off from within the Advanced sharing settings
from the Network and Sharing Center.

Link Layer Topology Discovery


Network Discovery uses Link Layer Topology Discovery (LLTD), which works with both wired and wireless
connections. By using Network Discovery and file sharing, a computer that is running Windows 7 can
discover and access files and shared devices on other networked, LLTD-capable devices. Network
Discovery and file sharing also allow other networked, LLTD-capable devices to discover your computer,
and access files and shared devices.

Windows 7 supports LLTD through the Link-Layer Topology Discovery Mapper service. The Link-Layer
Topology Discovery Mapper service includes two components: the Link-Layer Discovery Responder, which
enables your computer to be located on the network, and the Link-Layer Discovery I/O Driver, which
discovers and locates other computers and devices on the network.

Windows 7 supports automatic discovery of LLTD-capable devices. In combination with Universal Plug
and Play (UPnP) support, Windows 7 classifies the device capabilities, uses a unique embedded icon to
represent the device, and accurately positions it on the network map. UPnP-certified devices automatically
connect to each other over the network without the need for user configuration or centralized servers.

Note Not all hardware devices support LLTD. Check with the vendor for updated firmware
releases that include LLTD support.

Network Map relies on LLTD to build the network topology, and it only displays LLTD-capable devices.

You can access a device's properties by right-clicking its icon in Network Map. The device properties
include additional support information for the device, such as a link to the manufacturer's website. You
can also see the media access control (MAC) address, IP address, and device serial number.

Double-click a device icon in Network Map to open the device's presentation URL, or to open the device's
embedded administration webpage.
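Because Network Map only shows LLTD-capable devices, the usual support question is not "why is the printer missing" but "why is this computer itself missing from the map". The following PowerShell script is an added example and not part of the course: it reports the state of the Link-Layer Topology Discovery Mapper service, its two components described above (the I/O driver that maps and the Responder that lets other computers find this one), and whether the Network Discovery firewall rules are enabled in the active profile. The service and driver names lltdsvc, lltdio and rspndr, and the rule group identifier '@FirewallAPI.dll,-32752' for Network Discovery, are assumptions.

```powershell
# Added example (not from the course): check the components that make this computer
# appear on Network Map. Assumed names: lltdsvc = Link-Layer Topology Discovery Mapper
# service, lltdio = Mapper I/O driver, rspndr = Responder; '@FirewallAPI.dll,-32752' is
# assumed to be the firewall rule group for "Network Discovery".

function Get-LltdStatus {
    $svc     = Get-Service -Name lltdsvc -ErrorAction SilentlyContinue
    $drivers = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='lltdio' OR Name='rspndr'"
    $fw      = New-Object -ComObject HNetCfg.FwPolicy2
    $active  = $fw.CurrentProfileTypes      # bitmask of the network location categories in use
    $ndRules = @($fw.Rules | Where-Object { $_.Grouping -eq '@FirewallAPI.dll,-32752' -and ($_.Profiles -band $active) })
    $ndOn    = @($ndRules | Where-Object { $_.Enabled }).Count

    $svcState = 'not installed'
    if ($svc) { $svcState = "$($svc.Status)" }
    $drvState = @{}
    foreach ($d in $drivers) { $drvState[$d.Name] = $d.State }

    New-Object PSObject -Property @{
        MapperService         = $svcState
        MapperIoDriver        = $drvState['lltdio']    # discovers and locates other devices
        Responder             = $drvState['rspndr']    # lets other computers locate this one
        NetworkDiscoveryRules = "$ndOn of $($ndRules.Count) enabled in the active profile"
    }
}

Get-LltdStatus | Format-List MapperService, MapperIoDriver, Responder, NetworkDiscoveryRules
```

A stopped Responder with the mapper running explains the one-way case in which this computer can draw the map but does not appear on other computers' maps; zero enabled Network Discovery rules in a Public profile is the expected, and intended, result of the Public category described earlier in this lesson.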

Lesson 2
Troubleshooting Network Connectivity Issues

To support the users in your organization, it is important that you know what tools Windows 7 provides to
help you troubleshoot network connections. Additionally, understanding the correct procedure with
which to tackle common network problems will help you resolve them more quickly.

Objectives
After completing this lesson, you will be able to:

Explain the role of Windows Network Diagnostics.

Apply best practices for troubleshooting wired network configurations.

Apply best practices for troubleshooting wireless network configurations.

Identify issues related to IP version 4 (IPv4) configurations.

Describe how to resolve IPv4 network problems by troubleshooting.

Describe host name resolution.

Describe how to troubleshoot Domain Name System (DNS).

Apply the considerations for issues related to IP version 6 (IPv6).

Describe how to perform advanced network reporting.

Use the Problem Steps Recorder.



Windows Network Diagnostics

Windows Network Diagnostics is an NDF tool that you activate when you encounter a network error. The
NDF is the common troubleshooting architecture in Windows 7. End users can use Windows Network
Diagnostics to diagnose and troubleshoot an issue before they call their organization's help desk.

The following are some examples of events that Windows Network Diagnostics can detect:

Incorrect TCP/IP address information.


Mismatched workgroup settings.

Incorrect Windows Firewall settings.

Incorrect network hardware configuration.

You can use one or more of the options in Windows Network Diagnostics to diagnose and repair network
connection issues. Additionally, Windows Network Diagnostics supports rich, detailed logging to the event
log, so that you can diagnose network connection issues easily. This reduces support costs and helps
minimize user downtime by decreasing the time necessary to fix a network problem.

Windows Network Diagnostics Process


Windows Network Diagnostics uses the following process when it tries to determine a problem's root
cause in Windows 7:

1. An application or system component reports a problem with a TCP/IP connection. The user receives
both an error message and a prompt to start Windows Network Diagnostics.

2. Windows Network Diagnostics passes the problem parameters to the Network Diagnostics engine.
The Network Diagnostics engine activates helper classes to try to determine the problem's cause, and
then displays a list of descriptions of possible causes and repair options. If there is only one repair
option, the Network Diagnostics engine runs the suggested repair.

3. If there are multiple repair options, the user selects an option, and the Network Diagnostics engine
requests the appropriate helper class to perform the repair. Windows Network Diagnostics then
reactivates the helper classes to determine whether the original cause is still present.

4. If the repair resolves the problem, Windows Network Diagnostics displays a message noting that the
problem is fixed. If it does not, Windows Network Diagnostics prompts the user to select other repair
options, if available.

5. If no repair resolves the problem, and no other repair options are available, the Network Diagnostics
engine reactivates helper classes to try to determine the problem's cause again.

You can also start Windows Network Diagnostics manually from the Action Center. In Action Center, click
Troubleshooting, and then click Network and Internet.

You can then choose from the following network troubleshooting tests:

• Internet Connections

• Shared Folders

• HomeGroup

• Network Adapter

• Incoming Connections

• Connection to a Workplace Using DirectAccess



Troubleshooting Wired Networks

Determine the Scope of the Problem


Additional information about the problem helps you resolve network connection issues. If you are
troubleshooting a wired network connection, ask yourself the following questions:

• How many users is the problem affecting? If the problem is affecting several users, this suggests a
server-side or network infrastructure problem rather than a client-side networking problem.

• Is the problem persistent for the users that are affected? Intermittent problems can be more difficult
to reproduce and troubleshoot.

• Does removing a problematic computer from the network solve the problem for other users? The
computer that you remove from the network may be generating a fault on the network.

Determine TCP/IP Configuration


Determining the Windows 7 computer's TCP/IP configuration also can help you troubleshoot a network
problem. You can determine the TCP/IP configuration in three ways:

• From Network and Sharing Center, select Change adapter settings, display the network connection
properties, select either Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4
(TCP/IPv4), as required, and then view the protocol properties.

• Open a command prompt. Type the IPConfig /all command to view the IPv4 and IPv6 address
configurations. Use the following command to save the IPv4 and IPv6 configuration information as a
text file for future reference:

IPConfig /all >c:\IPConfig.txt

This command creates a text file in the root of drive C that contains the IPConfig command output.

• Use the Netsh command to display specific configuration information. For example, to display the
TCP/IP configuration for IPv4 only, type the following command:

netsh interface ipv4 show config

You also can use the Netsh command to display specific IPv6 configuration information:

netsh interface ipv6 show addresses

Determine the Network Hardware Configuration


The last step in gathering information to help troubleshoot a connection problem with a wired network is
to determine the properties of the connection and of the network adapter behind it. Before you do,
verify whether the computer that is running Windows 7 has a valid IP address for the local network
segment; if it does not, the adapter or its driver is the first suspect.

Determine your wired network adapter properties by using Device Manager. To determine the hardware
configuration for the computer's network adapter, including the make and model, follow these steps:

1. From Control Panel, open Device Manager, expand Network adapters, and then view the installed
network adapter properties.

2. Click the Details tab to view the Device description property value. This value displays the network
adapter make and model.

3. From the Advanced tab, in the Property list, click a property to view or edit its value.

To view information about the driver used for the network adapter, follow these steps:

1. In the wired network adapter properties, click the Driver tab.

2. Click Driver Details to view the full path to the driver file.

3. Update or roll back the driver, as necessary. Install only signed driver packages obtained from the
vendor or from Windows Update; a network driver runs in kernel mode, so an untrusted driver is a risk
in its own right.

Troubleshooting Wireless Networks

Use the NDF


Use the Network Diagnostics Framework (NDF) to troubleshoot wireless connections. If a wireless
connection is unsuccessful, start Windows Network Diagnostics to diagnose the problem and display a list
of possible fixes.

Review Authentication and Encryption Configuration


Windows 7 simplifies the process of configuring and troubleshooting wireless networks. The most
common issues affecting wireless network configuration are mismatches between the client and the
access point or authentication server with regard to authentication and encryption settings.

Note In IEEE 802.1X terminology, the client is the supplicant and the access point is the
authenticator. The access point does not verify credentials itself; it relays the client's EAP
exchange to an authentication server, typically a RADIUS server, which makes the access
decision. A mismatch can therefore sit in the client profile, in the access point, or in the
RADIUS server's policy.

A configuration mismatch in the authentication and encryption settings between the client and the
wireless access point can lead to problems with wireless connections.

Windows 7 includes support for Wi-Fi Protected Access 2 (WPA2), which allows for more secure wireless
connections. You should take advantage of WPA2 by upgrading your wireless access points to support it,
and by selecting AES (CCMP) rather than TKIP as the cipher. WEP is broken outright, and TKIP has known
forgery and decryption attacks; both remain available only for compatibility with old hardware.

The following table summarizes the wireless authentication and encryption standards that are available in
Windows 7.

Security type       Authentication                               Encryption
Open                No authentication (open)                     No encryption
Shared              Shared key (not recommended)                 Wired Equivalent Privacy (WEP)
WPA-Personal        Pre-shared key (pass phrase); no 802.1X      WPA; Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES)
WPA-Enterprise      IEEE 802.1X authentication                   WPA; TKIP or AES
WPA2-Personal       Pre-shared key (pass phrase); no 802.1X      WPA2; TKIP or AES
WPA2-Enterprise     IEEE 802.1X authentication                   WPA2; TKIP or AES
802.1X              IEEE 802.1X authentication                   WEP or dynamic WEP

In a domain, prefer WPA2-Enterprise with AES: each user or computer then authenticates with its own
credentials or certificate, rather than with one pass phrase shared by every device and former
employee.

Configure wireless network connections manually or by using Group Policy.

To determine the wireless network settings, either review the wireless network connection settings or
examine the Group Policy settings.
To view or configure wireless network Group Policy settings, open Group Policy Management, expand
Computer Configuration, expand Windows Settings, expand Security Settings, and then select
Wireless Network (IEEE 802.11) Policies. You can create or edit wireless network Group Policy objects
(GPOs) for Windows 7, Windows Vista, and Windows XP client computers.

The following table lists the settings that Group Policy enables you to configure.

Setting                                               Description
Infrastructure/Ad Hoc                                 Defines the connection type as either Ad Hoc (peer-to-peer) or Infrastructure, which requires a wireless access point (WAP).
Connect automatically when this network is in range   Automatically connects clients affected by this policy to the configured network. Enabled by default.
Connect to a more preferred network if available      Ensures that more preferred networks take precedence. Enabled by default.
Connect even if the network is not broadcasting       Enables a client computer to connect to the network even if the service set identifier (SSID) is not broadcast. Disabled by default.
Network Name(s) (SSID)                                Identifies the WAP.
Authentication                                        Specifies the authentication method. WPA2-Enterprise is the default.
Encryption                                            Specifies the encryption mechanism. AES is the default.
Select a network authentication method                Defines how computers authenticate to the Remote Authentication Dial-In User Service (RADIUS) server in your organization. Used with the WPA2-Enterprise, WPA-Enterprise, and 802.1X authentication methods.
Authentication mode                                   Specifies the authentication mode: User, Computer, or Guest.

Note Many of the settings that the previous table describes apply only to infrastructure
network GPOs. Also note that not broadcasting the SSID is not a security control: a client
configured to connect to a non-broadcasting network actively probes for that SSID wherever it
is, which discloses the name, and the SSID is visible in association frames anyway.

Ensure that the authentication and encryption method that you select on the client, or that you configure
by the policy, matches the access point capability.
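The audit that the preceding topic calls for, as an added example that is not part of the course text or of any Microsoft tool: list the wireless profiles saved on a Windows 7 computer and flag those that still use Open, Shared/WEP, TKIP, or WPA (rather than WPA2) settings. It parses the output of netsh wlan show profile, which is present in Windows 7; the WEAK/LEGACY/OK verdicts are this example's own rule, and any profile names are whatever the computer has saved.

```powershell
# Added example (not the course's or Microsoft's code): enumerate saved wireless
# profiles and flag authentication/cipher combinations weaker than WPA2 + AES
# (CCMP) by parsing "netsh wlan show profile" output on Windows 7 / PowerShell 2.0.
function Get-WlanProfileSecurity {
    $names = @()
    foreach ($line in (netsh wlan show profiles)) {
        # e.g. "    All User Profile     : CorpWiFi"
        if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') { $names += $matches[2] }
    }
    foreach ($name in $names) {
        $auth = @(); $cipher = @()
        # NOTE: appending key=clear to this command prints the pre-shared key in the
        # clear; never script that unless the output is handled as a secret.
        foreach ($line in (netsh wlan show profile name="$name")) {
            if     ($line -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $auth   += $matches[1] }
            elseif ($line -match '^\s*Cipher\s*:\s*(.+?)\s*$')         { $cipher += $matches[1] }
        }
        $auth   = @($auth   | Select-Object -Unique)   # mixed-mode profiles list several pairs
        $cipher = @($cipher | Select-Object -Unique)
        $summary = "$($auth -join '/') $($cipher -join '/')"

        # This example's own classification, weakest match first
        $verdict = 'UNKNOWN: review manually'
        if     ($summary -match 'Open|Shared|WEP|None') { $verdict = 'WEAK: open or WEP (no usable protection)' }
        elseif ($summary -match 'TKIP')                 { $verdict = 'WEAK: TKIP cipher permitted (use AES/CCMP)' }
        elseif ($summary -match '\bWPA-')               { $verdict = 'LEGACY: WPA, prefer WPA2' }
        elseif ($summary -match 'WPA2')                 { $verdict = 'OK: WPA2 with AES' }

        New-Object PSObject -Property @{
            Profile        = $name
            Authentication = ($auth   -join '/')
            Cipher         = ($cipher -join '/')
            Verdict        = $verdict
        }
    }
}

# Usage:
#   Get-WlanProfileSecurity | Sort-Object Verdict | Format-Table Profile, Authentication, Cipher, Verdict -AutoSize
#   Get-WlanProfileSecurity | Where-Object { $_.Verdict -like 'WEAK*' }   # only the profiles to remove or fix
```

Run it on a client that reports intermittent wireless failures: a profile whose authentication or cipher no longer matches what the access point offers shows up here as the mismatch the topic describes, and any Open or WEP profile left over from a hotel or home network is a candidate for deletion with netsh wlan delete profile.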

Verify Wireless Address Allocation


A wireless connection, like any other connection, needs an IP address. You must configure the WAP, or the
DHCP server that it relays to, with a scope of IP addresses for the connecting clients, and the scope must
be large enough to allocate addresses for the number of clients that connect to the network.

To determine whether a Windows 7-based client has obtained an IP address, at the command prompt,
type the IPConfig /all command, and then review the address assigned to the wireless connection. If
Windows 7 allocated a 169.254.x.y Automatic Private IP Addressing (APIPA) address to the interface, the
client associated with the WAP but was unable to obtain a valid IP address from DHCP. Because DHCP runs
only after association and authentication succeed, an APIPA address on a wireless adapter points to a
DHCP problem rather than to an authentication or encryption mismatch.

Troubleshooting IPv4 Connectivity

When you experience network connectivity problems, follow a logical troubleshooting process by using
the available Windows 7 tools. Your troubleshooting process can consist of the following steps:

1. Consult Windows Network Diagnostics.

2. Use IPConfig to check the local IP configuration.

3. Use the ping command to diagnose two-way communication with a remote system. Additionally,
consider using the PortQry Command Line Port Scanner (Portqry.exe) and the Telnet client to test
connectivity to a specific application.

Note You must enable the Telnet Client feature on Windows 7 (Programs and Features, Turn
Windows features on or off); it is not installed by default. Portqry.exe is a separate download
from Microsoft.

4. Use the tracert and pathping command-line tools to identify each hop, or router, between two
systems.

5. Use the NSlookup administrative tool to verify the DNS configuration.

General Network Diagnostics


Use Windows Network Diagnostics to perform diagnostic procedures when Windows 7 encounters a
network connection problem. Windows Network Diagnostics analyzes the problem and, if possible,
presents a solution or a list of possible causes.

If Windows Network Diagnostics cannot fix the problem, use the tools and procedures included in this
topic to troubleshoot the problem further.

Checking Local IP Configuration


To determine the local IP configuration, use the IPConfig /all command. This command provides
information about the local computer, including the following:

• IP address

• Subnet mask

• Host name

• DNS server configuration

• DNS suffixes

• MAC address

• How the IP configuration was obtained, for example, whether it was obtained by using the Dynamic
Host Configuration Protocol (DHCP), and from which DHCP server

After running the IPConfig /all command, compare the IPConfig output with the IPConfig output of
another computer that is in the same subnet as the problematic host.

When studying the output, remember that:

• The IP address must be in the same host range for the given subnet as the other local computer,
while being unique within the subnet.

• The subnet mask must match that of the other local host. If the subnet mask does not match, the
computer has an incorrect network ID that can cause communication failures, particularly to remote
subnets.

• The default gateway must match that of the other local host. If the default gateway is incorrect or
missing, the computer cannot communicate with remote subnets.

• If the DNS server is incorrect or missing, the computer might not resolve names, and communication
can fail.

Because DHCP configures most computers, if the configuration does not match that of the other local
host, verify that the computer can obtain an IP address correctly by:

1. Opening an elevated command prompt, and releasing the existing address by using the IPConfig
/release command.

2. Renewing the address by using the IPConfig /renew command.

3. Reviewing the local IP configuration by using the IPConfig /all command.

If the host currently has an IP address in the range 169.254.0.0 to 169.254.255.254, the computer probably
failed to obtain a dynamically assigned address. This Automatic Private IP Addressing (APIPA) address
indicates one of three problems:

• The client cannot reach the DHCP server (for example, a failed link, a missing DHCP relay on the
subnet, or a filter that blocks UDP ports 67 and 68).

• The DHCP server is misconfigured or not running.

• The DHCP scope for this subnet is missing or exhausted.

A DHCP-assigned configuration that is valid but unexpected (for example, a gateway or DNS server that
differs from the rest of the subnet) is also worth noting: a rogue DHCP server on the segment produces
exactly that symptom.
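The checks above (address present, not APIPA, mask and gateway matching a known-good neighbour, DNS configured), as an added example that is not part of the course text: a PowerShell function that audits every IP-enabled adapter on a Windows 7 computer through WMI, since the Get-NetIPConfiguration cmdlets do not exist there. The reference gateway and mask are assumptions you take from IPConfig /all on a working host in the same subnet; everything else needs no input. This also serves the "Determine TCP/IP Configuration" topic under Troubleshooting Wired Networks.

```powershell
# Added example (not the course's or Microsoft's code): audit the local IPv4
# configuration on Windows 7 / PowerShell 2.0 using WMI. Reference values are
# assumptions supplied by the caller from a known-good host on the same subnet.
function Test-LocalIPv4Config {
    param(
        [string]$ReferenceGateway,   # default gateway of a working neighbour, if known
        [string]$ReferenceMask,      # that neighbour's subnet mask, if known
        [switch]$RenewIfApipa        # run ipconfig /release + /renew when APIPA is found (needs elevation)
    )
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($a in $adapters) {
        # WMI returns mixed IPv4/IPv6 arrays (or $null); keep only dotted-quad entries
        $addr = @($a.IPAddress            | Where-Object { $_ -match $ipv4 })
        $mask = @($a.IPSubnet             | Where-Object { $_ -match $ipv4 })
        $gw   = @($a.DefaultIPGateway     | Where-Object { $_ -match $ipv4 })
        $dns  = @($a.DNSServerSearchOrder | Where-Object { $_ -match $ipv4 })
        $issues = @()

        if ($addr.Count -eq 0) { $issues += 'no IPv4 address bound' }
        foreach ($ip in $addr) {
            if ($ip -like '169.254.*') {
                $issues += "APIPA address $ip (DHCP lease not obtained: server unreachable, misconfigured, or scope exhausted)"
                if ($RenewIfApipa) { ipconfig /release | Out-Null; ipconfig /renew | Out-Null }
            } elseif ($ip -eq '0.0.0.0') {
                $issues += 'address 0.0.0.0 (adapter has no usable configuration)'
            }
        }
        if ($gw.Count -eq 0) {
            $issues += 'no default gateway (remote subnets unreachable)'
        } elseif ($ReferenceGateway -and $gw[0] -ne $ReferenceGateway) {
            $issues += "gateway $($gw[0]) differs from reference $ReferenceGateway (check for a rogue DHCP server)"
        }
        if ($ReferenceMask -and $mask.Count -gt 0 -and $mask[0] -ne $ReferenceMask) {
            $issues += "subnet mask $($mask[0]) differs from reference $ReferenceMask (wrong network ID)"
        }
        if ($dns.Count -eq 0) { $issues += 'no DNS server (name resolution will fail)' }

        if ($a.DHCPEnabled) { $dhcp = "yes, server $($a.DHCPServer)" } else { $dhcp = 'no (static)' }
        if ($issues.Count -eq 0) { $issueText = 'none' } else { $issueText = $issues -join '; ' }
        New-Object PSObject -Property @{
            Adapter    = $a.Description
            MAC        = $a.MACAddress
            Address    = ($addr -join ', ')
            Mask       = ($mask -join ', ')
            Gateway    = ($gw   -join ', ')
            DnsServers = ($dns  -join ', ')
            Dhcp       = $dhcp
            Issues     = $issueText
        }
    }
}

# Usage:
#   Test-LocalIPv4Config | Format-List
#   Test-LocalIPv4Config -ReferenceGateway 10.10.0.1 -ReferenceMask 255.255.255.0 | Format-List Adapter, Issues
#   Test-LocalIPv4Config -RenewIfApipa   # from an elevated prompt; then run it again to confirm the lease
```

The function reads the same fields that IPConfig /all prints, but returns objects, so the result can be compared across many computers or written to a file for the help desk without anyone having to eyeball the text. The "rogue DHCP server" wording on the gateway check is deliberate: a host that obtained a lease but with a gateway nobody provisioned is a security incident, not a connectivity fault.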



Verifying Two-Way Communication


If the computer has a valid IP configuration but cannot communicate with one or more remote hosts,
verify connectivity with the portqry, ping, and telnet commands.

Portqry reports on the current status of TCP and User Datagram Protocol (UDP) ports on the computer
against which you run it. When you run portqry, the output returns one of the following responses about
ports on the target:

• Listening. A process is listening on the port that you select. Portqry.exe received a response from
the port.

• Not Listening. No process is listening on the target system's target port. Portqry.exe receives an
Internet Control Message Protocol (ICMP) Destination Unreachable - Port Unreachable message back
from the target UDP port. Alternatively, if the target port is a TCP port, portqry receives a TCP
acknowledgement packet with the Reset flag set.

• Filtered. The port on the computer that you select is being filtered. Portqry.exe did not receive a
response from the port. A process may or may not be listening on the port. By default, Portqry.exe
queries TCP ports three times, and queries UDP ports one time before a report indicates that the port
is filtered.

Portqry can query a single port, an ordered list of ports, or a sequential range of ports. For example, the
following command tries to resolve microsoft.com to an IP address, and then queries TCP port 25 on the
corresponding host:

portqry -n microsoft.com -p tcp -e 25

The ping tool confirms two-way communication between two computers. A failed ping does not by itself
prove that the local computer's configuration is at fault; the failure can be anywhere on the path,
including the remote host's firewall. Work through the path in a logical sequence, for example:

1. Ping the remote computer.

2. Ping the remote gateway.

3. Ping the local IP address.

4. Ping the loopback address 127.0.0.1.

When using the ping tool, remember that:

• You can ping both the computer's name and its IP address. If you ping the IP address successfully
but not the name, name resolution is failing. If you ping the name successfully but the response does
not show the fully qualified domain name (FQDN), the name was not resolved by DNS; a fallback such
as NetBIOS broadcasts or Windows Internet Name Service (WINS) resolved it instead, and applications
that require DNS may fail.

• A Request Timed Out message indicates that there is a route to the destination, but that the
packet or its reply was lost or dropped somewhere along the path, including at the source or the
destination. Many hosts and firewalls silently drop ICMP echo requests, so a timeout does not by
itself prove a fault. Use pathping or tracert to help find where the path breaks.

• A Destination Host Unreachable message indicates that a router (or the local host) has no route to
the destination system, and therefore does not know where to send the packet on the next hop. If you
verify that the local IP configuration is correct, use pathping and tracert to help isolate the routing
problem.

If you can successfully ping a remote host but cannot communicate with the applications installed on the
host, verify that the application is accessible from your local computer. For example, a firewall might be
blocking your communication attempt, or the remote host is not listening on the appropriate port. The
telnet and portqry tools can help identify issues that relate to blocked or nonresponsive ports.

Identify Each Hop between Two Systems


You can use pathping and tracert to identify each hop between the source and destination systems. If
communication fails, these utilities can help you identify how many hops are successful, and at which hop
the system communication fails.

Although tracert records only the hops through which packets travel, pathping provides more information
about the routing process. Both tools send ICMP Echo Request messages with increasing time-to-live (TTL)
values to elicit a reply from every router between the local host and the remote destination host.
Pathping then sends further echo requests to each hop over a period of time and calculates statistics
about the route and the routers involved, including the hop number, round-trip time, packet loss, and the
host names and IP addresses of intermediate hosts.

To test routing connectivity to a remote host with pathping, open a command prompt, and type the
following command:

Pathping www.microsoft.com

The output displays all hops between local host and destination host, and then the statistical output.

Verify DNS Configuration


NSlookup enables you to ensure that the DNS server is available, and contains a record for the computer
with which you are attempting to communicate. This functionality is vital, because even if the computer is
available, if DNS is not working correctly, you might not be able to communicate by using computer
names.

Verify Port Availability


If you can successfully communicate with a remote host by using ping, but cannot access an application
on the remote host, it is possible that the remote host is not listening for your request on the expected
port, or that local or remote firewalls are blocking your request.

To determine whether the remote computer is listening on the expected port, use either the portqry or
telnet tools. For example, to determine if the HTTP port is accessible on the host named server, type the
following command from an elevated command prompt:

PortQry -n server -e 80

The result will look something like this:

TCP port 80 (http service): LISTENING

A message that the port is FILTERED or NOT LISTENING can indicate that a firewall along the path
between the two hosts is blocking the request, or that the application uses a different port or has failed
on the remote host. If other hosts on the local subnet can communicate successfully, the problem
probably exists within the local firewall configuration settings.

You also can use telnet to verify that a port is listening. For example, if you want to verify Simple Mail
Transfer Protocol (SMTP) functionality, you can open a Telnet session to port 25 on the destination host.
Open a command prompt, and type telnet. From the Microsoft Telnet prompt, type the following
command:

Open nyc-dc1.contoso.com 25

If the port is available, you will receive a message similar to this:

220 site.contoso.com Microsoft Exchange Server

Note To troubleshoot applications by using telnet and portqry, you must understand
which ports your applications use.

In addition to Portqry.exe and Telnet.exe, you can use Netstat.exe to discover which ports are in use
between your client computer and remote systems. The following command lists the active connections on
your client computer, with addresses and ports shown numerically:

Netstat -n

Add -o to include the process ID (PID) that owns each connection, and -a to include listening ports. An
unexpected listener or outbound connection found this way is worth investigating in its own right, not
just as a connectivity symptom.
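The port test that this topic performs with portqry and telnet, as an added example that is not part of the course text or of any Microsoft tool: a PowerShell function for Windows 7 (where Test-NetConnection does not exist) that opens a TCP connection with a timeout and classifies the outcome the way portqry does, LISTENING when the handshake completes, NOT LISTENING when the peer answers with a reset, and FILTERED when nothing comes back before the timeout. With -ReadBanner it also captures the greeting that the telnet test shows for SMTP. The host names in the usage lines are the course's fictitious contoso.com names.

```powershell
# Added example (not the course's or Microsoft's code): portqry-style TCP port
# check with optional banner capture, for Windows 7 / PowerShell 2.0.
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000,
        [switch]$ReadBanner
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $state = 'FILTERED'; $detail = "no SYN/ACK or RST within $TimeoutMs ms"; $banner = $null
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($ar)          # throws a SocketException if the peer answered with RST
            $state = 'LISTENING'; $detail = 'TCP handshake completed'
            if ($ReadBanner) {
                # SMTP, FTP and SSH speak first; HTTP waits for the client, so the read
                # simply times out there and no banner is recorded.
                $stream = $client.GetStream()
                $stream.ReadTimeout = $TimeoutMs
                $buf = New-Object byte[] 512
                try {
                    $n = $stream.Read($buf, 0, $buf.Length)
                    if ($n -gt 0) { $banner = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() }
                } catch { $banner = $null }
            }
        }
    } catch {
        $inner = $_.Exception.InnerException
        if ($inner -is [System.Net.Sockets.SocketException]) {
            if ($inner.SocketErrorCode -eq 'ConnectionRefused') {
                $state = 'NOT LISTENING'; $detail = 'TCP RST received: host is up, nothing bound to the port'
            } else {
                $state = 'ERROR'; $detail = $inner.SocketErrorCode.ToString()   # e.g. HostNotFound
            }
        } else {
            $state = 'ERROR'; $detail = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Target = "${ComputerName}:$Port"; State = $state; Detail = $detail; Banner = $banner }
}

# Usage (course example names):
#   Test-TcpPort -ComputerName server -Port 80
#   Test-TcpPort -ComputerName nyc-dc1.contoso.com -Port 25 -ReadBanner     # Banner begins "220 ..." if SMTP answers
#   25,80,443,3389 | ForEach-Object { Test-TcpPort nyc-dc1.contoso.com $_ } | Format-Table Target, State, Detail -AutoSize
```

The distinction the function preserves is the one that matters when you troubleshoot: a reset means the packet reached a live host and the application is the problem, whereas a timeout means something between you and the host (a firewall, a routing fault, or a host that is down) never let the handshake complete, so the application may be perfectly healthy.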

Determine Firewall Configuration


If you cannot communicate successfully with a remote application, verify that the local firewall is not
blocking your attempt, before troubleshooting the application itself.

To determine which firewall rules are active, open Windows Firewall with Advanced Security, and click the
Monitoring node. The Monitoring section lists the active rules for the current profile. From a command
prompt, netsh advfirewall show currentprofile displays the state of the same profile, including whether
the firewall is on and the default inbound and outbound actions. Determine whether any rule, or the
default inbound block action, is responsible for blocking your connection attempt.

Remember that the network location category might be responsible for your connectivity problem
because the public category is more restrictive than the private category. If you configure the network
with the wrong network location category, use the Network and Sharing Center to reconfigure the
network category.

Intermittent problems
When users report inconsistent, intermittent, or partial problems, you might need to approach the
troubleshooting process slightly differently. For example, if a user's e-mail application functions while
web browsing does not, this suggests a problem specific to web browsing rather than with the network
connectivity itself. The problem might lie with the client-side application, the browser, or the network
components through which web-browsing traffic passes, such as firewalls, proxy servers, Network Address
Translation (NAT) devices, and routers.

Demonstration: How to Troubleshoot IPv4 Connectivity

In this demonstration, you will see how to:

• Verify the IP configuration.

• Test connectivity.

• Verify the firewall configuration.

Demonstration Steps

1. Use IPConfig.exe to verify the configuration.

2. View the Local Area Connection properties.

3. Use Netsh.exe to verify the configuration.

4. Use ping.exe and Netstat.exe to verify connectivity.

5. Open a webpage, and use Netstat.exe to view the active ports.

6. Use Windows Firewall with Advanced Security and Netsh advfirewall to view the firewall's
configuration.

Troubleshooting Name Resolution

Host names are assigned to computers running TCP/IP to make the computers easier to identify. Host
name resolution is the process of resolving a host name to its corresponding IP address.

Although Windows 7 computers actually support two names, the host name and a NetBIOS computer
name, it is the host name that is most relevant in modern IP-based networks. Windows 7 typically
enables NetBIOS over TCP/IP by default, and derives the NetBIOS name automatically from the first 15
characters of the computer's host name.

Note You can use the nbtstat command-line tool to view NetBIOS names associated with
your computer, and to troubleshoot NetBIOS over TCP/IP.

What Is a Host Name?


The host name forms part of the FQDN. For example, if a computer's host name is nyc-cl1, and it is part of
the contoso.com domain, the FQDN for that computer will be nyc-cl1.contoso.com.

Note The host name is a single DNS label of up to 63 characters, and can contain letters,
digits, and hyphens; periods separate labels, so they cannot appear inside the host name itself.
The complete FQDN, including the host name, cannot exceed 255 characters in length.

The domain portion of the FQDN is the DNS suffix. The computer's primary DNS suffix is the name of the
domain of which it is a member.

For computers that are not part of a domain, you can view the primary DNS suffix from the DNS Suffix
and NetBIOS Computer Name dialog box, which you access from the Computer Name tab of the System
Properties dialog box (click Change, and then click More). By default, a non-domain member computer
has no primary DNS suffix.

Note You can assign a separate DNS suffix to each individual network connection. View or
edit the connection-specific DNS suffixes from the Advanced TCP/IP Settings page, which is
accessible from the IPv4 or IPv6 properties of the relevant network connection.

The Host Name Resolution Process


The operating system resolves host names either by using a local text file called hosts, or by using DNS.
Additionally, if NetBIOS over TCP/IP is enabled on the computer, Windows 7 also falls back to NetBIOS
name resolution methods when resolving host names.

During the host name resolution process, Windows 7:

1. Checks whether the host name is the same as the local host name.

2. Searches the DNS resolver cache. Entries from the hosts file are preloaded into this cache, which is
why a hosts entry takes precedence over DNS.

3. Sends a DNS request to its configured DNS servers.

4. Converts the host name to a NetBIOS name, and then checks the local NetBIOS name cache.

5. Contacts its configured WINS servers.

6. Broadcasts as many as three NetBIOS Name Query Request messages on the directly attached subnet.

7. Searches the LMHOSTS file.

Note Windows 7 appends the primary and connection-specific suffixes to single-label names
that it is resolving. If name resolution is unsuccessful, Windows 7 then tries the parent suffixes
of the primary DNS suffix (DNS suffix devolution). For example, a client whose primary DNS
suffix is corp.contoso.com first attempts to resolve sea-cl1.corp.contoso.com, and if that fails,
sea-cl1.contoso.com. Devolution never goes down to a single-label suffix such as .com. Because
devolution sends queries outside the client's own domain, a name that somebody registers in
a parent zone can answer for a host the client meant to find locally. You can control this
behavior from the Advanced TCP/IP Settings page, or centrally with the Primary DNS Suffix
Devolution Level Group Policy setting.

The primary tools for troubleshooting host name resolution are IPConfig and Nslookup.

Note You should perform standard network troubleshooting techniques, such as running
Windows Network Diagnostics and verifying basic connectivity, before you begin to test name
resolution.

When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache
between resolution attempts.

If you cannot connect to a remote host, and you suspect a name-resolution problem, troubleshoot name
resolution by:

1. Opening an elevated command prompt, and then clearing the DNS resolver cache by typing the
following command:

IPConfig /flushdns

2. Attempting to ping the remote host by its IP address. This helps identify whether the issue is because
of name resolution. If the ping succeeds with the IP address, but fails by host name, the problem
pertains to name resolution.

Note The remote host must allow inbound ICMP echo packets through its firewall for this
test to be viable.

3. Attempting to ping the remote host by its host name, using the FQDN followed by a trailing period.
The period marks the name as fully qualified, so no DNS suffix is appended. For example, type the
following command at the command prompt:

Ping nyc-cl1.contoso.com.

4. If the ping is successful, the problem likely does not relate to name resolution.

5. If the ping is unsuccessful, edit the C:\Windows\System32\drivers\etc\hosts text file (this requires
an elevated editor), and add the appropriate entry to the end of the file. For example, add this line,
and then save the file:

10.10.0.21    nyc-cl1.contoso.com

Because a hosts entry overrides DNS, the hosts file is a favorite target for malware and for redirecting
security tools to the wrong address; any entry that you did not add yourself is a finding in its own
right.

6. Perform the ping-by-host-name test again. Name resolution should now succeed. Verify that the
name resolved correctly by examining the DNS resolver cache. Do this by typing the following at a
command prompt:

IPConfig /displaydns

7. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.

8. At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:

Nslookup.exe -d2 nyc-cl1.contoso.com. > filename.txt

You should understand how to interpret the output so that you can identify whether the name-
resolution problem exists with the client computer's configuration, the name server, or the
configuration of records within the name server's zone database.

In the first section of the following output sample, the client resolver performs a reverse lookup to
determine the host name of the DNS server that it is about to use. You can see the query
10.0.10.10.in-addr.arpa, type = PTR, class = IN in the QUESTIONS section (the octets of the server
address 10.10.0.10 appear in reverse order). The returned result, name = nyc-dc1.contoso.com, identifies
the host name of the queried DNS server:

------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
10.0.10.10.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (73 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
10.0.10.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.0.10.10.in-addr.arpa
type = PTR, class = IN, dlen = 20
name = nyc-dc1.contoso.com
ttl = 1200 (20 mins)

------------
Server: nyc-dc1.contoso.com
Address: 10.10.0.10

In the following section, the client resolver performs a recursive query of the DNS server for the host
nyc-cl1.contoso.com, type = A, class = IN. The returned result is in the ANSWERS section, which is
shown below. Note that the answer also includes a time-to-live (TTL) value, which determines how
long the record is valid:

------------
SendRequest(), len 36
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
nyc-cl1.contoso.com, type = A, class = IN

------------
------------
Got answer (52 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
nyc-cl1.contoso.com, type = A, class = IN
ANSWERS:
-> nyc-cl1.contoso.com
type = A, class = IN, dlen = 4
internet address = 10.10.0.21
ttl = 1200 (20 mins)

In the remaining section, the client resolver queries for the IPv6 (AAAA) address of nyc-cl1.contoso.com,
as the QUESTIONS section indicates. The response is NOERROR but contains no ANSWERS section; instead,
the AUTHORITY RECORDS section carries the zone's start of authority (SOA) record. This combination, often
called a NODATA response, means that the name exists but has no record of the requested type, which is
expected here because the host has only an IPv4 (A) record:

------------
SendRequest(), len 36
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
nyc-cl1.contoso.com, type = AAAA, class = IN

------------
------------
Got answer (91 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
nyc-cl1.contoso.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> contoso.com
type = SOA, class = IN, dlen = 43
ttl = 3600 (1 hour)
primary name server = nyc-dc1.contoso.com
responsible mail addr = hostmaster.contoso.com
serial = 45
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
Name: nyc-cl1.contoso.com
Address: 10.10.0.21
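Interpreting the nslookup -d2 output that step 8 of the procedure produces, and that the three samples above illustrate, is easier when each response is reduced to its verdict. The following PowerShell function is an added example, not part of the course text or of nslookup itself: it parses the debug output into one object per answer and labels it ANSWERED, NXDOMAIN (the name does not exist), or NODATA (a NOERROR response with no answers and an SOA in AUTHORITY RECORDS, so the name exists but not with that record type). The here-string is a constructed sample in the same format as the output above.

```powershell
# Added example (not the course's or Microsoft's code): turn "nslookup -d2" debug
# output into one object per DNS response, with a verdict that names the failed
# stage. Works on Windows 7 / PowerShell 2.0.
function ConvertFrom-NslookupDebug {
    param([Parameter(ValueFromPipeline=$true)][string]$Line)
    begin { $results = @(); $cur = $null; $section = '' }
    process {
        if ($Line -match 'Got answer') {                        # start of a response block
            $cur = New-Object PSObject -Property @{
                Id = 0; Name = ''; Type = ''; Rcode = ''; AnswerCount = 0; AuthorityCount = 0; Answers = @(); Verdict = '' }
            $results += $cur; $section = ''; return
        }
        if ($Line -match 'SendRequest') { $cur = $null; return }   # outgoing copy of the query: skip it
        if ($cur -eq $null) { return }
        if ($Line -match 'opcode = \w+,\s+id = (\d+),\s+rcode = (\w+)') {
            $cur.Id = [int]$matches[1]; $cur.Rcode = $matches[2]; return }
        if ($Line -match 'questions = \d+,\s+answers = (\d+),\s+authority records = (\d+)') {
            $cur.AnswerCount = [int]$matches[1]; $cur.AuthorityCount = [int]$matches[2]; return }
        if ($Line -match '^\s*(QUESTIONS|ANSWERS|AUTHORITY RECORDS):') { $section = $matches[1]; return }
        if ($section -eq 'QUESTIONS' -and $Line -match '^\s*(\S+),\s+type = (\w+),') {
            $cur.Name = $matches[1]; $cur.Type = $matches[2]; return }
        if ($section -eq 'ANSWERS' -and $Line -match '(internet address|AAAA IPv6 address|name) = (\S+)') {
            $cur.Answers += $matches[2] }
    }
    end {
        foreach ($r in $results) {
            if     ($r.Rcode -eq 'NXDOMAIN') { $r.Verdict = "NXDOMAIN: $($r.Name) does not exist in the zone" }
            elseif ($r.Rcode -ne 'NOERROR')  { $r.Verdict = "server problem: $($r.Rcode)" }
            elseif ($r.AnswerCount -gt 0)    { $r.Verdict = "ANSWERED: $($r.Answers -join ', ')" }
            elseif ($r.AuthorityCount -gt 0) { $r.Verdict = "NODATA: $($r.Name) exists but has no $($r.Type) record" }
            else                             { $r.Verdict = 'empty response' }
        }
        $results | Select-Object Id, Name, Type, Rcode, AnswerCount, Verdict
    }
}

# Constructed sample in the shape of the course output: an AAAA query answered
# with NODATA, then an A query that is answered.
$sample = @'
------------
Got answer (91 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        nyc-cl1.contoso.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  contoso.com
        type = SOA, class = IN, dlen = 43
------------
Got answer (52 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        nyc-cl1.contoso.com, type = A, class = IN
    ANSWERS:
    ->  nyc-cl1.contoso.com
        internet address = 10.10.0.21
'@
$sample -split "`r?`n" | ConvertFrom-NslookupDebug | Format-Table -AutoSize

# Live use against the course's example host (2>&1 merges nslookup's stderr):
#   nslookup -d2 nyc-cl1.contoso.com. 2>&1 | ForEach-Object { "$_" } | ConvertFrom-NslookupDebug
```

On the sample, the first object reports NODATA for the AAAA query and the second reports ANSWERED with 10.10.0.21, which is exactly the reading the prose above gives for the course output. Against a live server, an NXDOMAIN verdict points at the zone (the record is missing or misspelled), a SERVFAIL or REFUSED verdict points at the server, and an empty result with no objects at all means the client never received a response, which is a connectivity or client-configuration problem rather than a DNS data problem.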

If you can resolve a computers name successfully, but you cannot connect to an application on that
computer, investigate whether the local or remote firewalls are blocking your attempt.

Additional NSlookup commands

To look up different data types within the DNS by using NSlookup.exe, use the set type command (or its
short form, set q) at the command prompt. For example, to query for the mail exchanger data, type the
following:

Nslookup
> Set q=mx
> Mailhost

The output might look something like this:

Server: nyc-dc1.contoso.com
Address: 10.10.0.1
mail.contoso.com MX preference = 0, mail exchanger = mail.contoso.com
mail.contoso.com internet address = 10.10.0.5

To query another name server directly, use the server or lserver commands to switch to that name server.
The lserver command uses the local server to get the address of the server to which you want to switch,
while the server command uses the current default server to get the address. For example:

Nslookup
> server 10.10.0.20

The output might look something like this:

Default Server: nyc-dc2.contoso.com
Address: 10.10.0.20

Demonstration: How to Troubleshoot Name Resolution

In this demonstration, you will see how to:

View entries in the local name cache.

Test name resolution.

Demonstration Steps
1. Use IPConfig.exe to view and purge the host name cache.
2. Create a test record in the hosts file.
3. Use nslookup to verify the name resolution process.
4. Use NBTSTAT to view the NetBIOS name cache.



Considerations for IPv6 Networks

Windows 7 enables the IPv6 stack by default, and it is the preferred transport for communication.

IPv4 Functionality
The Windows 7 IPv6 stack does not impair IPv4 functionality, and enables better network connectivity for
applications that support IPv6. IPv6 connections can use IPv6 transition technologies such as Teredo to
operate behind routers that use NAT, without requiring NAT configuration or application modification.

Disabling IPv6
If your applications function in a purely IPv4 environment, you might consider disabling IPv6. You cannot
uninstall IPv6, but you can disable it in two ways:

In the Local Area Connection Properties dialog box, in the list under This connection uses the
following items, clear the Internet Protocol version 6 (TCP/IPv6) check box.

Create a registry value (REG_DWORD) named DisabledComponents under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters. Set the data of this value in
accordance with the following table.

Configuration combination                                                           DisabledComponents value
Disable all tunnel interfaces                                                       0x1
Disable all local area network (LAN) and Point-to-Point Protocol (PPP) interfaces   0x10
Disable all LAN, PPP, and tunnel interfaces                                         0x11
Use IPv4 in preference to IPv6                                                      0x20
Disable IPv6 over all interfaces, and use IPv4 in preference to IPv6                0xFF
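The table values are bit flags that can be combined, and a value found on a client is often a combination rather than one of the rows. The following helper is an added example, not course material: it composes a value from the rows above, explains a value read from a computer, and reads the live value from the registry path given in the text (the read only works on Windows; elsewhere it returns None). The meanings of the individual bits follow the table; any bit the table does not list is reported as unknown rather than interpreted.

```python
"""Compose and decode the tcpip6 DisabledComponents bitmask (added example).

Not course material; it encodes the table of values from the module text.
"""
DISABLE_TUNNEL = 0x01     # table: disable all tunnel interfaces
DISABLE_LAN_PPP = 0x10    # table: disable all LAN and PPP interfaces
PREFER_IPV4 = 0x20        # table: use IPv4 in preference to IPv6
DISABLE_ALL = 0xFF        # table: disable IPv6 over all interfaces, prefer IPv4

KNOWN_BITS = {
    DISABLE_TUNNEL: "Disable all tunnel interfaces",
    DISABLE_LAN_PPP: "Disable all LAN and PPP interfaces",
    PREFER_IPV4: "Use IPv4 in preference to IPv6",
}


def compose(*flags: int) -> int:
    """Combine table rows into one value, e.g. compose(0x1, 0x10) == 0x11."""
    value = 0
    for flag in flags:
        value |= flag
    return value


def describe(value: int) -> list:
    """Human-readable meaning of a DisabledComponents value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("DisabledComponents is a 32-bit DWORD")
    if value == 0:
        return ["IPv6 enabled on all interfaces (default)"]
    if value == DISABLE_ALL:
        return ["Disable IPv6 over all interfaces, and use IPv4 in preference to IPv6"]
    parts = [text for bit, text in KNOWN_BITS.items() if value & bit]
    unknown = value & ~compose(*KNOWN_BITS)   # bits the table does not document
    if unknown:
        parts.append(f"other bits set: 0x{unknown:X}")
    return parts


def ipv6_off_everywhere(value: int) -> bool:
    """True when both native (LAN/PPP) and tunnel interfaces are disabled."""
    return value == DISABLE_ALL or (value & 0x11) == 0x11


def read_live_value():
    """Read the value on the local Windows computer; 0 when it is not present."""
    try:
        import winreg
    except ImportError:
        return None   # not running on Windows
    path = r"SYSTEM\CurrentControlSet\Services\tcpip6\Parameters"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, kind = winreg.QueryValueEx(key, "DisabledComponents")
    except FileNotFoundError:
        return 0      # value absent: IPv6 fully enabled
    return value if kind == winreg.REG_DWORD else None
```

When a client reports IPv6 connectivity problems, `describe(read_live_value())` tells you in one line whether someone has turned parts of the stack off. Note that a value of 0x20 leaves IPv6 fully enabled and only changes address selection preference, so it does not explain a missing IPv6 address.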

Troubleshooting IPv6
The steps for troubleshooting an IPv6 connection are similar to those for troubleshooting an IPv4-based
connection. You can use many of the IPv4 troubleshooting tools to gather information to help
troubleshoot IPv6 connection problems.

Advanced Network Reporting

Perform advanced networking tests only when:

The NDF fails to fix the problem, and the additional manual steps that this module details do not
resolve the problem.

Microsoft Help and Support recommends it.

In Windows 7, the NDF and Event Tracing for Windows (ETW) integrate more closely than they did in
previous Windows versions. This enables diagnostics to log network events and packets in a single file.
Collecting all necessary information in a single step provides an efficient method of troubleshooting
network connectivity issues.

When you run Windows Network Diagnostics, a diagnostics session log is created and stored
automatically in Action Center/Troubleshooting/View History. Each diagnostic session generates a report
with diagnostics results.

Windows 7 categorizes NDF and network tracing events that pertain to a specific issue, and then outputs
them to an Event Trace Log (ETL) file. Consequently, you can examine the entire transaction, from end to
end, as a single collection of events.

Note You can analyze the data in the ETL file by using a number of tools, such as Network
Monitor, Event Viewer, the Netsh trace convert command, or Tracerpt.exe.

Windows 7 includes a new Netsh context, Netsh trace. Netsh trace integrates with NDF and Network
Tracing, and enables you to perform comprehensive tracing, network packet capturing, and filtering.

Problem Steps Recorder

Problem Steps Recorder (PSR) is a built-in troubleshooting tool that enables you to record screen activity
and user actions, optionally with comments, into a diagnostic file.

The PSR tool saves the output as a zip file containing an MHTML document that you can view in Windows
Internet Explorer.

You can launch PSR from the command line or from the Search box in Windows 7.

Lab: Troubleshooting Network Connectivity Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: CONTOSO

5. Repeat steps 2 to 4 for 6293A-NYC-SVR1, 6293A-NYC-CL1, and 6293A-NYC-CL2.



Lab Scenario
Contoso is planning the deployment of branch servers. As part of this process, the deployment team has
been configuring the first branch server, NYC-SVR1, with the necessary network infrastructure services.
You are not involved in this project. However, since the project kick-off, there have been a number of
network-related problems.

For this project, you must complete the following tasks:

Read the help-desk tickets.

Plan a course of action.

Attempt resolution of the problems.

Document successful resolutions of the problems.



Exercise 1: Troubleshooting a Network Problem (1)


Scenario
Scott Bishop has called the help desk complaining that he cannot log onto his computer, which is a laptop
in the production department. In this exercise, you will investigate why Scott is unable to log on to his
computer.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for incident 603211.

2. Update the Plan of Action section of the Incident Record with your recommendations.

3. Simulate the problem.

4. Attempt to resolve the problem.

Incident Record
Incident Reference Number: 603211
Date of Call: April 2
Time of Call: 13:32
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details
Scott cannot log on to his computer.

Additional Information
Error message:
There are currently no logon servers available to service the logon request.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record 603211

Read the help-desk Incident Record for incident 603211.

X Task 2: Update the Plan of Action for Incident Record 603211


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod05\Scenario1.vbs script.

Note Ignore any error messages in the script.

3. Wait while NYC-CL1 restarts.

4. Log on using the following credentials:


User name: Scott

Password: Pa$$w0rd

Domain: Contoso

5. You are unsuccessful. What is the error message?

X Task 4: Attempt to resolve the problem

Note Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.

1. Using your knowledge of Windows 7 network technologies, and tools available for troubleshooting
network connections, attempt to resolve the problem.

2. Update the Resolution section of the incident record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.

In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.

Results: At the end of this exercise, you will have logged on successfully by using the user account.

Exercise 2: Troubleshooting a Network Problem (2)


Scenario
Scott Bishop has called the help desk complaining that he cannot access the corporate intranet site,
located on NYC-DC1. In this exercise, you will resolve the problem with connecting to the Contoso
intranet that Scott is experiencing.

The main tasks for this exercise are:

1. Read the Help-Desk Incident Record for incident 603213.

2. Update the Plan of Action section of the Incident Record with your recommendations.

3. Simulate the problem.

4. Attempt to resolve the problem.

Incident Record
Incident Reference Number: 603213
Date of Call: April 2
Time of Call: 14:20
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details
Scott is unable to access the intranet server.
URL required: http://intranet
IP configuration seems appropriate for subnet location.

Additional Information
Error message:
Internet Explorer cannot display the webpage.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record 603213

Read the help-desk Incident Record for incident 603213.

X Task 2: Update the Plan of Action for Incident Record 603213


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer. You are logged on as Scott.

2. On the Taskbar, click Internet Explorer.

3. In the Address bar, type http://intranet, and then press Enter.

X Task 4: Attempt to resolve the problem

Note Some of the tasks you perform to resolve this problem may not be part of a Tier 2
support person's responsibilities; however, it is useful to see the problem resolution.

1. Using your knowledge of Windows 7 network technologies, and the tools that are available for
troubleshooting network connections, attempt to resolve the problem.

2. Update the Resolution section of the incident record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.

In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1, 6293A-NYC-SVR1, and 6293A-NYC-CL2.

Switch to NYC-CL1 and log on using the following credentials:

User name: Scott

Password: Pa$$w0rd

Domain: Contoso

Results: At the end of this exercise, you will have resolved the connectivity problem.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-SVR1, 6293A-NYC-CL1, and 6293A-NYC-CL2.

Module Review and Takeaways

Review Questions
1. You must reconfigure a client computer's IPv4 configuration, but you do not have time to visit the
computer. What tool could you use, from the command line, to reconfigure the client computer?

2. To run the command-line tools, what would you need to do at the remote computer?

3. A client computer has obtained an IP address of 169.254.1.37. What would you do?

Tools
Tool                     Use for                                      Where to find it
PortQry.exe              Verifying listening ports on IPv4 network    Download from Microsoft download website
Telnet.exe               Troubleshoot IPv4 applications               Command line
IPConfig.exe             View and troubleshoot IP configuration       Command line
Ping.exe                 Verify connectivity in IP networks           Command line
Netstat.exe              View information about active connections    Command line
Nslookup.exe             Troubleshoot host name resolution            Command line
NBTSTAT.exe              Troubleshoot NetBIOS name resolution         Command line
Netsh.exe                Configure IP settings                        Command line
Tracert.exe              Tracing tool                                 Command line
Problem Steps Recorder   Recording tool                               Search/Run box

Module 6
Troubleshooting Remote Connectivity Issues
Contents:
Lesson 1: Troubleshooting VPN Connectivity Issues 6-3

Lesson 2: Using Remote Desktop 6-25

Lesson 3: Troubleshooting User Issues by Using Remote Assistance 6-34


Lesson 4: Troubleshooting NAP Issues 6-40

Lesson 5: Troubleshooting DirectAccess Issues 6-52

Lab: Resolving Remote Connectivity Issues 6-61



Module Overview

To support your organization's mobile workforce, it is important that you understand how to configure
and troubleshoot the technologies that enable remote users to connect to your organization's network
infrastructure. These technologies can include virtual private networks (VPNs), Network Access Protection
(NAP), and Windows 7 DirectAccess.

Objectives
After completing this module, you will be able to:

Configure and troubleshoot VPN connections.

Use Remote Desktop.

Use Remote Assistance.

Troubleshoot NAP issues.

Troubleshoot DirectAccess issues.



Lesson 1
Troubleshooting VPN Connectivity Issues

A VPN provides a point-to-point connection between components of a private network, through a public
network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to a virtual port that is listening on a VPN server.

To properly support a VPN environment within your organization, it is important that you understand
how to configure and troubleshoot VPNs.

Objectives
After completing this lesson, you will be able to:
Describe a VPN.

Describe VPN tunneling protocols.

Describe the VPN negotiation process.

Create and configure a VPN connection.

Describe network policies.

Describe how to troubleshoot VPN connections.

Describe VPN reconnect.



What Is a Virtual Private Network?

A VPN emulates a point-to-point connection between components of a private network, through a public
network, such as the Internet.
To emulate this point-to-point link, the VPN client encapsulates the data and prefixes it with a header.
The header provides routing information that enables the data to traverse the shared or public network to
reach its endpoint.
To emulate a private link, the VPN client encrypts data, which helps to ensure confidentiality. Without
encryption keys, packets intercepted on the shared or public network are indecipherable. The link, or VPN
connection, is where the VPN client encapsulates and encrypts private data.
There are two types of VPN connections:

Remote access VPN

Site-to-site VPN

Remote Access VPN

Remote access VPN connections enable your organization's users who are working from home, at a
customer site, or from a public wireless access point, to access a server on your organization's private
network by using the infrastructure that a public network provides, such as the Internet.

From the user's perspective, the VPN is a point-to-point connection between the computer, which is the
VPN client, and your organization's server. The exact infrastructure of the shared or public network is
irrelevant, because it appears logically as if the client is sending the data over a dedicated private link.

Site-to-Site VPN
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices, or between your office and another
organization over a public network. This helps maintain secure communications.

A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets to another router across a VPN
connection. To the routers, the VPN connection operates as a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN client)
authenticates itself to the answering router (the VPN server). Then, if you are using mutual authentication,
the answering router authenticates itself to the calling router.
In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically
do not originate at the routers.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with
Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) share the following
properties:
Encapsulation

Authentication

Data encryption

Note The next topic covers these tunneling protocols.

Encapsulation
With VPN technology, private data is encapsulated with a header that contains routing information that
allows the data to traverse the transit network.

Authentication
Authentication for VPN connections takes three different forms, including:
User-level authentication by using Point-to-Point Protocol (PPP) authentication.

To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the
connection by using a PPP user-level authentication method, and then verifies that the VPN client has
the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the
VPN server, which provides protection against computers that are masquerading as VPN servers.

Computer-level authentication by using Internet Key Exchange (IKE).


To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol
to exchange either computer certificates or a preshared key. In either case, the VPN client and
server authenticate each other at the computer level. Computer-certificate authentication is
recommended because it is a much stronger authentication method than a preshared key.
Computer-level authentication occurs only for L2TP/IPsec connections.

Data origin authentication and data integrity.

To verify that the data sent on the VPN connection originated at the connection's other end, and was
not modified in transit, the data contains a cryptographic checksum based on an encryption key
known only to the sender and the receiver. Data origin authentication and data integrity are only
available for L2TP/IPsec connections.

Data Encryption
To ensure the confidentiality of data as it traverses the shared or public transit network, the sender
encrypts the data, and the receiver decrypts it. The encryption and decryption processes will not work
unless both the sender and the receiver use the same encryption key. Furthermore, intercepted packets
sent along the VPN connection in the transit network are unintelligible to anyone who does not have this
common encryption key.

The encryption key's length is an important security parameter. Computational techniques can be used to
determine an encryption key, but the computing power and time that this requires grow as the key gets
larger. Using the largest possible key size helps ensure data confidentiality.

VPN Tunneling Protocols

To troubleshoot VPNs, you first must understand the various VPN configuration options, including the
selection of the appropriate VPN tunneling protocols.

PPTP
Point-to-Point Tunneling Protocol (PPTP) enables you to encrypt and encapsulate multiprotocol traffic in
an IP header that you send across a private IP network or a public IP network, such as the Internet. You
can use PPTP for remote access or site-to-site VPN connections. When you use the Internet as the public
network for the VPN, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a
second interface on the intranet.

L2TP
Layer 2 Tunneling Protocol (L2TP) enables you to encrypt multiprotocol traffic for transfer over any
medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM).
L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), and combines the best features of both.

Unlike PPTP, the Microsoft implementation of L2TP does not use Microsoft Point-to-Point Encryption (MPPE)
to encrypt PPP datagrams; it relies on IPsec in transport mode for encryption. The combination of L2TP and
IPsec is known as L2TP/IPsec.

SSTP
Secure Socket Tunneling Protocol (SSTP) is a new tunneling protocol that uses the Secure Hypertext
Transfer Protocol (HTTPS) protocol over TCP port 443 to pass traffic through firewalls and web proxies
that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over
the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong
authentication methods, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because
of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity, which
makes it a good choice for mobile users who move between access points and who switch between wired
and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from
one wireless hotspot to another or when it switches from a wireless to a wired connection. This ability is a
requirement of VPN Reconnect.

Note IKEv2 is the default VPN tunneling protocol in Windows 7.



VPN Authentication Methods

The authentication of access clients is an important security concern. Authentication methods typically use
an authentication protocol that is negotiated during the connection establishment process. Often, the
reason a VPN does not connect is a mismatch between authentication settings in the VPN client, the VPN
server, or the Network Policies. It is important to understand the various VPN authentication methods.

PAP
Password Authentication Protocol (PAP) uses plaintext passwords, and is the least secure authentication
protocol. You would use PAP for negotiation only if the remote access client and remote access server
cannot negotiate a more secure form of validation. Windows Server 2008 R2 includes PAP to provide
support for older VPN clients.

CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol
that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. Various
vendors of network access servers and clients use CHAP. A server running routing and remote access
supports CHAP to enable authentication of remote access clients that require it. Because CHAP requires
the use of a reversibly encrypted password, you should consider using another authentication protocol,
such as MS-CHAP version 2.

MS-CHAPv2
Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) is a one-way, encrypted password,
mutual-authentication process that avoids the need to store passwords using reversible encryption.

EAP
An Extensible Authentication Protocol (EAP) authentication scheme is known as an EAP type. Both the
remote access client and the authenticator must support the same EAP type for successful authentication
to occur. EAP-TLS is an EAP type that you use in certificate-based security environments. If you use smart
cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS
exchange of messages provides mutual authentication, negotiation of the encryption method, and
encrypted key determination between the remote access client and the authenticator. EAP-TLS provides
the strongest authentication and key determination method.

PEAP
Protected Extensible Authentication Protocol (PEAP) uses TLS to create an encrypted channel between an
authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a Network
Policy Server (NPS) or Remote Authentication Dial-in User Service (RADIUS) server.

PEAP does not specify an authentication method. However, it provides additional security for other EAP
authentication protocols, such as EAP-MSCHAPv2, that can operate through the TLS encrypted channel
that PEAP provides. PEAP is an authentication method for 802.11 wireless client computers. However, VPN
and other remote access clients do not support it.

Smart Cards
Using smart cards for user authentication is the strongest form of authentication in the Windows Server
2008 family of products. For remote access connections, you must use EAP with the smart card or other
certificate (TLS) EAP type, also known as EAP-TLS. To use smart cards for remote access authentication,
you must:

Configure remote access on the remote access server.

Install a computer certificate on the remote access server computer.

Configure the smart card or other certificate (TLS) EAP type in network policies.

Enable smart card authentication on the dial-up or VPN connection on the remote access client.

Demonstration: How to Create a VPN Connection

In this demonstration, you will see how to configure a VPN connection. This process involves configuring
some server-side settings that a Tier 2 support person typically would not configure.

Demonstration Steps
1. From NYC-DC1, using Active Directory Users and Computers, verify the dial-in permission for Adam
Carter.

2. From NYC-SVR1, open Server Manager, and then install the Network Policy and Access Services role.

3. Configure VPN Access with Routing and Remote Access on NYC-SVR1.

4. On NYC-CL1, create a VPN connection.

5. Test the connection. There is no matching policy, and the test fails.

What Are Network Policies?

Network policies determine whether a connection attempt is successful. Network policies also define
connection characteristics for successful connections, such as day and time restrictions, session idle-
disconnect times, and other settings.

Network policies are sets of conditions, constraints, and settings that enable you to designate who is
authorized to connect to your network, and the circumstances under which they can, or cannot, connect.
Additionally, deploying NAP adds a health policy to the network policy configuration so that NPS
performs client health checks during the authorization process.

You can view network policies as rules, and each rule has a set of conditions and settings. NPS compares
the rules conditions to the properties of connection requests. If a match occurs between the rule and the
connection request, NPS applies the settings that you define in the rule.

When you configure multiple network policies in NPS, they form an ordered list of rules. NPS checks each
connection request against the list's first rule, then the second, and so on, until it finds a match. The
diagram below shows this process:

Note Once NPS finds a matching rule, it disregards further rules. Therefore, it is important
that you order your network policies appropriately.

Each network policy has a Policy State setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate the policy when authorizing connection requests.

Network Policy Properties


Each network policy has four categories of properties:

1. Overview
2. Conditions
3. Constraints
4. Settings

Properties in the Overview category allow you to specify whether to enable the policy; whether the policy
grants or denies access; and whether a specific network connection method, or type of network access
server, is required for connection requests. Overview properties also enable you to specify whether to
ignore the dial-in properties of user accounts in Active Directory Domain Services (AD DS). If you select
this option, NPS uses only the network policy's settings to determine whether to authorize the connection.

Properties in the Conditions category allow you to specify the conditions that the connection request must
have to match the network policy. If the conditions configured in the policy match the connection
request, NPS applies the network-policy settings to the connection. For example, if you specify the
network access server IP version 4 (IPv4) address (NAS IPv4 Address) as a condition of the network policy,
and then NPS receives a connection request from a NAS that has the specified IP address, the condition in
the policy matches the connection request.

Constraints are additional parameters of the network policy that the connection request must also match.
If the connection request does not match a constraint, NPS rejects the request and denies access. Unlike
the NPS response to unmatched conditions, an unmatched constraint stops processing: NPS does not
evaluate any further network policies for that request.

Settings allow you to specify the properties that NPS applies to the connection request if it finds matches
for all of the policy's conditions and constraints.

When you add a new network policy using the NPS Microsoft Management Console (MMC) snap-in, you
must use the New Network Policy Wizard. After you create a network policy by using the wizard, you can
customize the policy by double-clicking it in NPS to obtain the policy properties.

NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a
connection request to your network. You can configure a new network policy in either the NPS MMC
snap-in or the Routing and Remote Access Service MMC snap-in.

Creating Your Policy


When you use the New Network Policy Wizard to create a network policy:
NPS uses the value that you specify as the network connection method to configure the Policy Type
condition automatically. If you keep the default value of Unspecified, NPS evaluates the network
policy that you create for all network connection types through any type of network access server. If
you specify a network connection method, NPS evaluates the network policy only if the connection
request originates from the type of network access server that you specify. For example, if you specify
Remote Desktop Gateway, NPS evaluates the network policy only for connection requests that
originate from Remote Desktop Gateway servers.

On the Specify Access Permission page, you must select Access granted if you want the policy to
allow users to connect to your network. If you want the policy to prevent users from connecting to
your network, select Access denied. If you want user account dial-in properties in AD DS to
determine access permission, you can select the Access is determined by User Dial-in properties
(which override NPS policy) check box.

Note To complete the following procedure, you must be a member of either the Domain
Admins group or the Enterprise Admins group.

Adding a Network Policy by Using the Windows Interface


To add a network policy by using the Windows interface:

1. Open the NPS console, and expand Policies.

2. In the console tree, right-click Network Policies, and then click New. The New Network Policy
Wizard opens.

3. Use the New Network Policy Wizard to create a policy.

4. Configure the Network Policy properties, which the following section describes.

Configure Your Policy's Properties


Once you create your policy, you can use the policy's Properties dialog box to view or reconfigure its
settings.

Network Policy Properties: Overview Tab


From the Overview tab of the Properties sheet for a network policy, or while running the New Network
Policy Wizard, you can configure the following:

Policy name. Type a friendly and meaningful name for the network policy.

Policy State. Designate whether to enable the policy.

Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS
should ignore the dial-in properties of user accounts in AD DS when using the policy to authorize the
connection attempt.

Note If you have many user accounts in AD DS, it is easier to manage access centrally: leave the
user accounts' dial-in property set to Control access through NPS Network Policy so that the network
policies decide. You can accomplish the same result for individual policies by configuring them to
ignore the dial-in properties of user accounts.

The following list details the network connection methods that you can specify for a network policy.

Unspecified: Specifies that NPS must evaluate the network policy for all connection requests that
originate from any type of network access server, and for any connection method.

Remote Desktop Gateway: Specifies that NPS must evaluate the network policy for connection requests
that originate from servers that are running Remote Desktop Gateway.

Remote Access Server (VPN-Dial-up): Specifies that NPS must evaluate the network policy for connection
requests that originate from a computer that is running the Routing and Remote Access service configured
as a dial-up or VPN server. If you use another dial-up or VPN server, the server must support the RADIUS
protocol and the authentication protocols that NPS provides for dial-up and VPN connections.

Dynamic Host Configuration Protocol (DHCP) Server: Specifies that NPS must evaluate the network policy
for connection requests that originate from servers that are running DHCP.

Health Registration Authority: Specifies that NPS must evaluate the network policy for connection
requests that originate from servers that are running the Health Registration Authority.

Host Credential Authorization Protocol (HCAP) server: Specifies that NPS must evaluate the network
policy for connection requests that originate from servers that are running HCAP.

Network Policy Properties: Conditions Tab


You must configure at least one condition for every network policy. NPS provides several groups of
conditions that enable you to clearly define the properties that the connection request that NPS receives
must have to match the policy.

The following list outlines the available groups of conditions.

Groups: Enables you to specify the user or computer groups that you configure in AD DS, so that the
network policy's other rules apply when members of those groups attempt to connect to the network.

HCAP: Enables you to integrate your NPS NAP solution with Cisco Network Admission Control. To use
these conditions, you must deploy Cisco Network Admission Control and NAP. You also must deploy an
HCAP server running both Internet Information Services (IIS) and NPS.

Day and Time Restrictions: Enables you to specify, at a weekly interval, whether to allow connections on
a specific set of days and times. For example, you can configure this condition to allow access to your
network only between the hours of 08:00 and 17:00, Monday through Thursday. With this condition value,
users whose connection requests match all conditions of the network policy cannot connect to the network
on Fridays, Saturdays, Sundays, and during other weekdays between the hours of 17:00 and 08:00, but they
can connect between Monday and Thursday between 08:00 and 17:00. Conversely, you can specify the days
and times during which you want to deny network connections, which means that users can access your
network only on the unspecified days and times. For example, if you configure this condition to deny
connections on Sundays, users cannot connect at any time on Sundays, but they can connect Monday
through Saturday at any time.

NAP: Includes several settings, such as Identity Type, MS-Service Class, NAP-Capable Computers,
Operating System, and Policy Expiration.
Note The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health checks
in circumstances where NPS does not receive an Access-Request message that contains a value for the
User-Name attribute. In these circumstances, client health checks are performed, but authentication and
authorization are not.

Connection Properties: Includes several settings, such as Access Client IPv4 Address, Access Client IPv6
Address, Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.

RADIUS Client Properties: Includes several settings, such as Calling Station ID, Client Friendly Name,
Client IPv4 Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.

Gateway: Includes several settings, such as Called Station ID, NAS Identifier, NAS IPv4 Address, NAS
IPv6 Address, and NAS Port Type.

Important Client computers, such as laptops and other computers that are running client operating
systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless access
points, 802.1X authenticating switches, VPN servers, and dial-up servers, because they use the RADIUS
protocol to communicate with RADIUS servers, such as NPS servers.

Network Policy Properties: Constraints Tab


Constraints are optional network policy parameters that differ from network policy conditions in one
substantial way: when a condition does not match a connection request, NPS continues to evaluate other
configured network policies to find a match for that connection request. When a constraint does not
match a connection request, NPS does not evaluate further network policies; instead, it rejects the
connection request, and then denies network access to the user or computer.
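The ordering and condition-versus-constraint rules above are easy to get wrong in a policy list. The following PowerShell script is an added example, not part of the course or of NPS itself: a small model of the evaluation walk that shows first-match ordering, why an unmatched condition moves on while an unmatched constraint rejects and stops, and why a deny policy placed below a broad allow policy is never reached. The policy names, group names and request values are constructed for this example.

```powershell
# Added example: a model of the NPS network policy walk (not NPS code).

function New-Policy {
    param(
        [string]$Name,
        [bool]$Enabled = $true,
        [ValidateSet('Grant','Deny')][string]$Access = 'Grant',
        [hashtable]$Conditions = @{},   # all must match, or NPS tries the next policy
        [hashtable]$Constraints = @{},  # all must match, or NPS rejects outright
        [hashtable]$Settings = @{}      # applied only on a full match
    )
    New-Object PSObject -Property @{
        Name = $Name; Enabled = $Enabled; Access = $Access
        Conditions = $Conditions; Constraints = $Constraints; Settings = $Settings
    }
}

function Test-Match {
    param([hashtable]$Rules, [hashtable]$Request)
    foreach ($key in $Rules.Keys) {
        $wanted = $Rules[$key]
        $actual = $Request[$key]
        if ($wanted -is [array]) {          # policy lists acceptable values (e.g. authentication methods)
            if ($wanted -notcontains $actual) { return $false }
        } elseif ($actual -is [array]) {    # request carries several values (e.g. group memberships)
            if ($actual -notcontains $wanted) { return $false }
        } elseif ($actual -ne $wanted) {
            return $false
        }
    }
    return $true
}

function Invoke-PolicyEvaluation {
    param([object[]]$Policies, [hashtable]$Request)
    foreach ($p in $Policies) {
        if (-not $p.Enabled) { continue }                              # disabled: not evaluated
        if (-not (Test-Match $p.Conditions $Request)) { continue }     # condition mismatch: next policy
        if (-not (Test-Match $p.Constraints $Request)) {               # constraint mismatch: stop here
            return "REJECT - '$($p.Name)' matched but a constraint failed; no further policies evaluated"
        }
        if ($p.Access -eq 'Deny') { return "REJECT - '$($p.Name)' denies access" }
        return "ACCEPT - '$($p.Name)' grants access; settings applied: $($p.Settings.Keys -join ', ')"
    }
    return 'REJECT - no network policy matched'
}

# Constructed policies, in the order an administrator might mistakenly leave them.
$policies = @(
    (New-Policy -Name 'Allow VPN users' -Access Grant `
        -Conditions  @{ Groups = 'CONTOSO\VPN Users'; NasPortType = 'Virtual (VPN)' } `
        -Constraints @{ AuthMethod = @('MS-CHAP v2', 'EAP-TLS') } `
        -Settings    @{ Encryption = 'Strongest'; IdleTimeoutMinutes = 30 }),
    (New-Policy -Name 'Deny contractors' -Access Deny `
        -Conditions  @{ Groups = 'CONTOSO\Contractors' })
)

# Constructed connection requests (what the RADIUS client would present).
$contractor = @{ Groups = @('CONTOSO\VPN Users', 'CONTOSO\Contractors')
                 NasPortType = 'Virtual (VPN)'; AuthMethod = 'MS-CHAP v2' }
$weakAuth   = @{ Groups = @('CONTOSO\VPN Users'); NasPortType = 'Virtual (VPN)'; AuthMethod = 'PAP' }
$wireless   = @{ Groups = @('CONTOSO\VPN Users'); NasPortType = 'Wireless - IEEE 802.11'; AuthMethod = 'EAP-TLS' }

Invoke-PolicyEvaluation $policies $contractor   # ACCEPT: the deny policy is shadowed by the allow policy
Invoke-PolicyEvaluation $policies $weakAuth     # REJECT: constraint failed, evaluation stopped
Invoke-PolicyEvaluation $policies $wireless     # REJECT: no policy matched (conditions missed, list exhausted)

# Fix: move the deny policy above the allow policy (Move Up in the NPS console).
Invoke-PolicyEvaluation @($policies[1], $policies[0]) $contractor   # REJECT: 'Deny contractors'
```

The last call is the check worth keeping in mind when you review a live NPS server: a contractor who is also a member of the VPN Users group is accepted until the deny policy is moved above the allow policy, and no amount of editing the deny policy itself changes that.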

The following list describes the constraints that you can configure in network policy.

Authentication Methods: Enables you to specify the authentication methods that are required for the
connection request to match the network policy.

Idle Timeout: Enables you to specify the maximum time, in minutes, that a connection can remain idle
before the network access server disconnects it.

Session Timeout: Enables you to specify the maximum amount of time, in minutes, that a user can be
connected to the network.

Called Station ID: Enables you to specify the telephone number of the dial-up server that clients use to
access the network.

Day and time restrictions: Enables you to specify when users can connect to the network.

NAS Port Type: Enables you to specify the allowable access media types that users can use to connect to
the network.

Network Policy Properties: Settings Tab


NPS applies the settings that you configure in the network policy to the connection only if all of the
conditions and constraints that you configure in the policy match the connection request's properties.

The available groups of settings that you can configure are:

RADIUS Attributes. Standard attributes are described in Request for Comments (RFC) 2865, RFC 2866,
RFC 2867, RFC 2868, RFC 2869, and RFC 3162. RFCs and Internet drafts for vendor-specific attributes
(VSAs) define additional RADIUS attributes.

Important If you plan to return to RADIUS clients any additional RADIUS attributes or
VSAs with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to
the appropriate network policy.

NAP Enforcement. Specifies how you want to enforce NAP, the remediation server group and
troubleshooting URL to hand to non-compliant clients, and whether to use auto-remediation.

Routing and Remote Access. These settings include Multilink and Bandwidth Allocation Protocol (BAP),
IP filters, Encryption, and IP settings.

Troubleshooting VPNs

In general, when you are troubleshooting, it is important that you verify that the settings for the client-
side tunneling protocol and authentication protocols match those configured on the Routing and Remote
Access server and the Network Policy Server. Also ensure that the client is attempting to connect to the
correct Routing and Remote Access server.

When using an authentication protocol that requires a certificate, you may discover that your users are
unable to connect because an inappropriate certificate is configured on the Routing and Remote Access
server. If you suspect this is the problem, temporarily reconfigure a test policy to use an authentication
protocol that does not require certificates. If the connection then succeeds, examine the certificates
used, verify that the certificate purpose (Enhanced Key Usage) and subject names are appropriate for your
configuration, and restore the certificate-based protocol once the certificate is fixed rather than leaving
the weaker method in place.

Logging
Aside from general troubleshooting techniques, you also can enable logging for Remote Access.
Remote Access Service (RAS) trace logs can help you troubleshoot RAS connection-related issues. To
enable RAS tracing, run the command:

netsh ras diagnostics set rastracing * enabled

Windows creates and stores the trace logs in the %windir%\tracing folder. Tracing adds overhead and the
logs record connection details, so disable it as soon as you have reproduced the problem, with the
following command:

netsh ras diagnostics set rastracing * disabled



Some of the trace log files that help diagnose problems are:

PPP.log

RASMAN.log

IASHLPR.log

RASIPCP.log

Note RAS Trace logs can be difficult to interpret, and you may need to escalate them to
the appropriate experts so that they can debug them.
For additional troubleshooting help, you also can check the Event Viewer System log, and
look for events with the sources of RemoteAccess or Rasman.

Examining Common Connectivity Issues


This section lists common issues that you may encounter when connecting to a Remote Access Server
from Windows 7:

Error 800: VPN server is unreachable

Cause: PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.
Solution: Ensure the appropriate ports are open on the firewall:

PPTP: For PPTP traffic, configure the network firewall to open TCP port 1723 and to forward
IP protocol 47 (GRE) to the VPN server.
L2TP/IPsec: For L2TP/IPsec traffic, configure the network firewall to allow UDP port 500 (IKE),
UDP port 4500 (IPsec NAT-T), and IPsec ESP formatted packets (IP protocol 50). L2TP itself uses
UDP port 1701, but that traffic travels inside ESP, so it needs to be allowed on the VPN server's
own host firewall, which filters after IPsec decryption.

SSTP: For SSTP, enable TCP port 443.

Error 721: Remote computer is not responding

Cause: This issue can occur if the network firewall does not permit GRE traffic (IP protocol 47).
PPTP uses GRE for tunneled data.

Solution: Configure the network firewall between the VPN client and the server to permit GRE.
Additionally, make sure that the network firewall permits TCP traffic on port 1723. Both of these
conditions must be met to establish VPN connectivity by using PPTP.

Note The firewall might reside on or in front of the VPN client, or in front of the VPN
server.

Error 741/742: Encryption mismatch error

Cause: These errors occur if the VPN client requests an invalid encryption level or if the VPN
server does not support an encryption type that the client requests.

Solution: Check the properties on the Security tab of the VPN connection on the VPN client. If
Require data encryption (disconnect if none) is selected, clear the selection, and retry the
connection. If you are using NPS, check the encryption level in the network policy in the NPS
console or policies on other RADIUS servers. Ensure that the encryption level that the VPN client
requested is selected on the VPN server.

Resolving General Remote Access VPN Connection Problems


To resolve general problems with establishing a remote access VPN connection:

Using the ping command, verify that the host name is being resolved to its correct IP address. The
ping itself might not be successful due to packet filtering that is preventing the delivery of Internet
Control Message Protocol (ICMP) messages to and from the VPN server.

Verify that the credentials of the VPN client, which consist of user name, password, and domain name,
are correct, and that the VPN server can validate them.

Verify that the user account of the VPN client is not locked out, expired, or disabled, and that the
connection is being made within the account's configured logon hours. If the password on the
account has expired, verify that the remote access VPN client is using MS-CHAP v2. MS-CHAP v2 is
the only authentication protocol that Windows Server 2008 R2 provides that allows you to change an
expired password during the connection process.

For an administrator-level account with an expired password, reset the password using another
administrator-level account.

Verify that the user account has not been locked out due to remote access account lockout.

Verify that the Routing and Remote Access service is running on the VPN server.

Verify that the VPN server is enabled for remote access from the General tab in the properties of a
VPN server in the Routing and Remote Access snap-in.

Verify that the WAN Miniport (PPTP), WAN Miniport (L2TP), WAN Miniport (SSTP), and WAN Miniport
(IKEv2) devices for the tunnel types you use are enabled for inbound remote access from the properties
of the Ports object in the Routing and Remote Access snap-in.

Verify that the VPN client, the VPN server, and the network policy corresponding to VPN connections
are configured to use at least one common authentication method.

Verify that the configuration of the VPN client and the network policy corresponding to VPN
connections use at least one common encryption strength.

Verify that the connection's parameters have permission through network policies.
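The connectivity errors and the general checklist above can be worked through from the client side. The following PowerShell script is an added example, not part of the course: it resolves the server name, probes the TCP control ports for PPTP and SSTP, pulls the RemoteAccess and Rasman events from the System log, and wraps one connection attempt in a RAS trace. It is written for the Windows PowerShell 2.0 that ships with Windows 7, so it uses .NET sockets rather than Test-NetConnection. The host name vpn.contoso.com and the "Contoso VPN" phonebook entry are assumed names.

```powershell
# Added example: client-side VPN reachability and log checks (not course code).

$VpnServer = 'vpn.contoso.com'   # assumed name; use your RRAS server

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped/filtered
        $client.EndConnect($handle)                                                     # throws if refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. Name resolution: error 800 often starts with the client talking to the wrong address.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($VpnServer) | ForEach-Object { $_.IPAddressToString }
    "Resolved $VpnServer to $($ips -join ', ')"
} catch {
    "Name resolution failed for ${VpnServer}: $($_.Exception.Message)"
}

# 2. Control-channel reachability per tunnel type. Only TCP can be confirmed this way:
#    GRE (PPTP data), ESP and UDP 500/4500 (L2TP/IPsec, IKEv2) need a real connection attempt.
$probes = @(
    @{ Tunnel = 'PPTP (TCP 1723 + GRE, IP protocol 47)'; Port = 1723 },
    @{ Tunnel = 'SSTP (TCP 443)';                        Port = 443 }
)
foreach ($probe in $probes) {
    $state = if (Test-TcpPort -ComputerName $VpnServer -Port $probe.Port) { 'reachable' } else { 'BLOCKED or not listening' }
    '{0,-42} {1}' -f $probe.Tunnel, $state
}

# 3. Recent RAS events (sources RemoteAccess and Rasman) from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = @('RemoteAccess', 'Rasman') } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize -Wrap

# 4. Capture a RAS trace around one connection attempt, then switch tracing off again;
#    the logs (PPP.log, RASMAN.log, ...) land in %windir%\tracing.
netsh ras diagnostics set rastracing * enabled
rasdial "Contoso VPN"            # assumed phonebook entry with saved credentials; reproduces the error under test
netsh ras diagnostics set rastracing * disabled
Get-ChildItem "$env:windir\tracing" -Filter *.log | Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime
```

A TCP 1723 that is reachable while the connection still fails with error 721 points at GRE being filtered, which this script cannot see; at that point the RAS trace and the firewall logs on both ends are the next stop.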

L2TP/IPsec Authentication Issues


The following list describes the most common reasons that L2TP/IPsec connections fail:

No certificate. By default, L2TP/IPsec connections require that, for IPsec peer authentication, an
exchange of computer certificates occur between the remote access server and remote access client.
Check the Local Computer certificate stores of the remote access client and remote access server
using the Certificates snap-in to ensure that a suitable certificate exists.

Incorrect certificate. The VPN client must have a valid computer certificate installed that was issued by
a certification authority (CA) that follows a valid certificate chain from the issuing CA to a root CA that
the VPN server trusts. Additionally, the VPN server must have a valid computer certificate installed
that was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA that the
VPN client trusts.

A NAT device exists between the remote access client and remote access server. If there is a NAT
between a Microsoft Windows 2000, Windows Server 2003, or Windows XP-based L2TP/IPsec client,
and a Windows Server 2008 L2TP/IPsec server, you cannot establish an L2TP/IPsec connection unless
both the client and server support IPsec NAT-T.

A firewall between the remote access client and remote access server. If there is a firewall between a
Windows L2TP/IPsec client and a Windows Server 2008 R2 L2TP/IPsec server, and you cannot
establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec traffic.

EAP-TLS Authentication Issues


When you use EAP-TLS for authentication, the VPN client submits a user certificate and the authenticating
server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating
server to validate the VPN client's certificate, the following must be true for each certificate in the
certificate chain that the VPN client sends:

The current date must be within the certificates validity dates. When certificates are issued, they are
issued with a range of valid dates, before which they cannot be used and after which they are
considered expired.

The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing CA
maintains a list of certificates that are not considered valid by publishing an up-to-date certificate
revocation list (CRL). By default, the authenticating server checks all certificates in the VPN client's
certificate chain (the series of certificates from the VPN client certificate to the root CA) for
revocation. If any of the chain's certificates have been revoked, certificate validation fails.

For the VPN client to validate the authenticating server's certificate for EAP-TLS authentication, the
following must be true for each certificate in the certificate chain that the authenticating server
sends:
The certificate must have a valid digital signature. CAs digitally sign the certificates that they issue. The
VPN client verifies the digital signature of each certificate in the chain, with the exception of the root
CA certificate, by obtaining the public key from the certificate's issuing CA and mathematically
validating the digital signature.
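The L2TP/IPsec and EAP-TLS failure causes above (no certificate, wrong purpose, expired, untrusted chain, revoked) can all be checked in one pass over the Local Computer certificate store. The following PowerShell script is an added example, not part of the course: it audits the Personal store of the computer it runs on and reports, per certificate, the validity window, whether a private key is present, whether the Enhanced Key Usage permits Server Authentication, and whether a chain to a trusted root builds with online revocation checking. Filtering on the Server Authentication EKU (1.3.6.1.5.5.7.3.1) is an assumption about the certificate template in use; EAP-TLS user certificates carry Client Authentication (1.3.6.1.5.5.7.3.2) instead.

```powershell
# Added example: audit machine certificates for RRAS / L2TP/IPsec / EAP-TLS use (not course code).

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (assumed requirement for this deployment)

function Test-RrasCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date

    # EKU check: a certificate without an EKU extension is valid for any purpose; one with
    # the extension must list Server Authentication explicitly or the peer rejects it.
    $ekuOk = $true
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOk = $false
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $ekuOk = $true } }
        }
    }

    # Chain check the way the authenticating peer does it: every certificate in the chain
    # must reach a trusted root, and every one is checked against an up-to-date CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        InValidity  = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        PrivateKey  = $Cert.HasPrivateKey
        ServerAuth  = $ekuOk
        ChainOk     = $chainOk
        ChainStatus = $status
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-RrasCertificate $_ } |
    Format-Table Subject, InValidity, PrivateKey, ServerAuth, ChainOk, ChainStatus -AutoSize -Wrap
```

Run it on the Routing and Remote Access server and on a failing client. A ChainStatus of RevocationStatusUnknown or OfflineRevocation means the CRL could not be retrieved; to the peer that is as fatal as an actual revocation, so an unreachable CRL distribution point is a common root cause of "certificate" failures on otherwise correct certificates.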

What Is VPN Reconnect?

In dynamic business scenarios, users must be able to access data securely at any time, from anywhere, and
be able to access it continuously, without interruption. For example, users might want to access data
securely on the company's server while in the head office, or from a branch office, or while on the road.

To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows
Server 2008 R2 and Windows 7. This enables users to access the company's data securely by using a VPN
connection, which reconnects automatically if connectivity is interrupted. It also enables roaming between
different networks.

VPN Reconnect uses the IKEv2 technology to provide seamless and consistent VPN connectivity. VPN
Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available.
Users who connect by using a wireless mobile broadband benefit most from this capability.

Consider a user with a laptop that is running Windows 7. When the user travels to work in a train, the user
connects to the Internet by using a wireless mobile broadband card, and then establishes a VPN
connection to the company's network. When the train passes through a tunnel, the Internet connection is
lost. After the train comes out of the tunnel, the wireless mobile broadband card reconnects automatically
to the Internet. With earlier versions of Windows client and server operating systems, VPN did not
reconnect automatically. Therefore, users had to repeat the VPN connection process manually each time
their connection was lost. This was time-consuming for mobile users who often experienced intermittent
network connectivity.

VPN Reconnect enables Windows Server 2008 R2 and Windows 7 to reestablish active VPN connections
automatically when the network reestablishes Internet connectivity. Even though the reconnection might
take several seconds, users stay connected and have uninterrupted access to internal network resources.

The system requirements for using the VPN Reconnect feature are:

Windows Server 2008 R2 as a VPN server.

Windows 7 or Windows Server 2008 R2 client.

Public key infrastructure (PKI), because a computer certificate is required for a remote connection
with VPN Reconnect. You can use certificates that either an internal or public CA issues.

To enable VPN Reconnect, after selecting IKEv2 as your preferred tunneling protocol, open the
Advanced Properties, ensure that you enable the Mobility setting, and configure the Network
outage time (the default is 30 minutes).

Lesson 2
Using Remote Desktop

The Remote Desktop Protocol (RDP) provides remote display and input capabilities over network
connections for Windows-based applications. It is important that you understand how to enable,
configure, and troubleshoot Remote Desktop connections to support your organization's users.

Objectives
After completing this lesson, you will be able to:

Describe how to enable Windows Remote Desktop.

Enable Remote Desktop.

Describe how to configure Remote Desktop by using Group Policy.

Apply best practices for troubleshooting issues with Remote Desktop connections.

Overview of Windows Remote Desktop

The Remote Desktop Connection feature, simply called Remote Desktop, is a technology that uses RDP,
and allows you to connect to a remote computer's console. The Remote Desktop Connection client is
installed in Windows 7, but accepting incoming Remote Desktop connections is disabled by default.

Enabling Remote Desktop


You can enable Remote Desktop in the System Properties dialog box, on the Remote tab. Access System
properties through Control Panel, or by right-clicking Computer, and then clicking Properties.

Remote Desktop has three settings:

Don't allow connections to this computer.

This is the default setting, in which remote connections are disabled.

Allow connections from computers running any version of Remote Desktop (less secure).

If you are unsure of the version of the remote desktop client software, this is the most compatible
choice, but it lets a client open a session and reach the logon screen before it has authenticated,
which exposes the computer to unauthenticated clients. Prefer the next option whenever your clients
support it.

Allow connections only from computers running Remote Desktop with Network Level Authentication.

This setting limits connections to clients that support Network Level Authentication (NLA): Windows
Vista, Windows 7, and Windows Server 2008 or newer, and Windows XP with Service Pack 3 (SP3) once
Remote Desktop Connection 6.1 and CredSSP have been enabled on it.

Remote Desktop Permissions


By default, if you enable Remote Desktop, any Administrators group member can make a Remote
Desktop connection. Administrators can grant remote access to other users by adding them to the
Remote Desktop Users group on the local computer.

Important Granting a user remote access by adding them to the Remote Desktop Users
group does not grant administrative rights to that user; it simply allows them to make the
connection.

Remote Desktop uses RDP over TCP port 3389. By default, once you enable Remote Desktop, authorized
users can connect from any computer that is running the appropriate Remote Desktop client software.
You can use Windows Firewall to limit which computers can access port 3389.

Note You can change the listening port for Remote Desktop by editing the registry.

Remote Desktop Security


By default, the client and server negotiate the highest encryption level that both client and server
understand. For example, if a connecting client can only handle 56-bit encryption, then that is the
session's encryption level. When possible, the entire Remote Desktop session is encrypted with 128-bit
encryption for data transmissions in both the client-to-server and server-to-client direction. Use Group
Policy (Set client connection encryption level) to enforce High encryption where necessary, so that a
client that can only negotiate a weaker level is refused rather than accommodated.

Using Remote Desktop


The Remote Desktop Connection client software is built into Windows 7. This Remote Desktop version
supports NLA to provide more secure communications.

To launch Remote Desktop, from the Start menu, click All Programs, click Accessories, and then click
Remote Desktop Connection. You also can type mstsc.exe in the Search box to launch a remote
session.

To connect to the remote computer, you can type in the name or the IP address of the remote computer.
You will be asked for credentials when you connect. If another user is logged on when you attempt to
connect, that user has 30 seconds to refuse to allow your connection. If the logged-on user allows your
connection or does not respond, your connection will occur successfully.
The following list describes the client options that you can configure by using the Options tabs on the
Remote Desktop Connection dialog box.

General: Enter the computer and user name, and whether to save the connection as an RDP file.

Display: Choose the remote display's screen size and color quality.

Local Resources: Use local computer resources in your session, such as the printer or clipboard.

Programs: Configure a program to start automatically following a remote connection.

Experience: Configure the way you want the remote session to appear visually. The more features that
you add, the more bandwidth it takes.

Advanced: Tell the Remote Desktop client how to behave if the RDP server fails to prove its authenticity.
You can choose whether to connect without warning or to receive a warning, and whether you want to
connect or prevent the connection.

You can configure Remote Desktop connections, then save them to RDP files, and then distribute them to
users. You can open these files in Remote Desktop.

Practice: Enabling Remote Desktop

In this practice, you will enable and configure Remote Desktop. This involves configuring Windows
Firewall rules.

Instructions
For this practice, you will use the available virtual machine environment. 6293A-NYC-DC1,
6293A-NYC-SVR1, and 6293A-NYC-CL1 should be running.

Detailed Steps

Task 1: Configure the Windows Firewall


1. Switch to NYC-CL1.

2. Log off, and then log on by using the following information:


User name: Administrator

Password: Pa$$w0rd

Domain: Contoso
3. Click Start, and then in the Search box, type Firewall.

4. In the Programs list, click Windows Firewall.

5. In the Windows Firewall dialog box, click Allow a program or feature through Windows Firewall.

6. In the Name list, select the Remote Desktop check box, and then select the check boxes for the
Domain, Home/Work, and Public profiles. Click OK.

7. Close Windows Firewall.



Task 2: Enable Remote Desktop


1. Click Start, right-click Computer, and then click Properties.

2. Click Remote settings.

3. Under Remote Desktop, click Allow connections from computers running any version of Remote
Desktop (less secure).

4. Click Select Users, click Add.


5. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box,
type Adam, click Check Names, and then click OK.

6. In the Remote Desktop Users dialog box, click OK.

7. In the System Properties dialog box, click OK.

8. Close all open windows and log off.

Task 3: Use Remote Desktop


1. Switch to NYC-DC1.
2. Click Start, point to All Programs, point to Accessories, and then click Remote Desktop
Connection.

3. In the Remote Desktop Connection dialog box, in the Computer box, type nyc-cl1, and then click
Options.

4. Click the Advanced tab.

5. Under Server authentication, in the If server authentication fails list, click Connect and don't warn
me.

6. Click Connect.

7. In the Windows Security dialog box, click Use another account.


8. In the User name box, type Adam, in the Password box, type Pa$$w0rd, and then click OK.

9. Click Start, right-click Computer, and then click Properties.

10. Notice the computer name.


11. Log off the remote desktop session.

12. Close all open windows on NYC-DC1.

13. Switch to the NYC-CL1 virtual machine.

14. Notice you have been logged off.

15. Log on as Contoso\Adam with a password of Pa$$w0rd.
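The same configuration that Tasks 1 and 2 perform through the GUI can be scripted, which also makes it easy to apply the hardened choices rather than the lab defaults. The following PowerShell script is an added example, not part of the course: run in an elevated PowerShell on the Windows 7 computer, it enables Remote Desktop with Network Level Authentication required (instead of the "any version (less secure)" option), pins the encryption level to High, grants a standard user the right to connect, opens the firewall rule group for a management subnet only instead of all profiles, and verifies the listener. CONTOSO\Adam and 10.10.0.0/24 are placeholders for this example.

```powershell
# Added example: scripted, hardened equivalent of the Remote Desktop practice (not course code).

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Accept incoming connections (fDenyTSConnections = 1 is the default, "Don't allow connections").
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0

# 2. Require NLA (UserAuthentication = 1) so the client must authenticate before a session
#    is created, and require 128-bit encryption (MinEncryptionLevel 3 = High).
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3

# 3. Grant a standard user the right to connect without making the account an administrator.
net localgroup "Remote Desktop Users" CONTOSO\Adam /add

# 4. Enable the built-in Remote Desktop rule group, limited to the management subnet
#    (the practice allows it for every profile and every source address).
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes remoteip=10.10.0.0/24

# 5. Verify the listener port (PortNumber is the value to change to move RDP off 3389)
#    and the effective settings. If no listener appears, run: Restart-Service TermService -Force
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
"RDP listening on TCP $port; NLA required: $nla"
netstat -ano | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING"
```

With UserAuthentication set to 1, the Task 3 connection from NYC-DC1 still works, because Windows Server 2008 R2 supports NLA; a client that does not support it is refused before any session is created, which is the point of the setting.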



To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat these steps for both 6293A-NYC-SVR1 and 6293A-NYC-CL1.

Configuring Remote Desktop by Using GPOs

You can use Group Policy to control Remote Desktop behavior across your organization. You also can
control all aspects of Remote Desktop through policy settings for Remote Desktop Services.
Access policy settings for the computer by using Group Policy Management, and then edit the
appropriate policy by expanding Computer Configuration, expanding Policies, expanding
Administrative Templates, expanding Windows Components, and then expanding Remote Desktop
Services.

Computer policy settings for Remote Desktop include the policies that the following table details.

Policy setting for the computer / Description

Remote Desktop Connection Client > Do not allow passwords to be saved
    This controls whether users can save passwords on this computer from Remote Desktop Services
    clients.

Remote Desktop Connection Client > Prompt for credentials on client computer
    When you enable this setting, a user is prompted on the client computer instead of on the terminal
    server to provide credentials for a remote connection to a remote desktop server. If user
    credentials are saved and available on the client computer, the user is not prompted to provide
    credentials.

Remote Desktop Session Host > Connections > Allow users to connect remotely using Remote Desktop Services
    When enabled, users who are members of the Remote Desktop Users group on the target computer can
    connect remotely to the target computer using Remote Desktop Services.

Remote Desktop Session Host > Device and Resource Redirection
    This policy contains settings for each of the different resources, such as audio and clipboard.
    Specifies whether to prevent data redirection from these devices to the remote client in a Remote
    Desktop Services session.

Remote Desktop Session Host > Security > Set client connection encryption level
    If you enable this setting, all communications between clients and terminal servers during remote
    connections must use the encryption method that this setting specifies. By default, the encryption
    level is set to High.

Remote Desktop Session Host > Session Time Limits
    This policy controls session time limits for disconnected, idle, and active sessions, and controls
    whether to terminate sessions when limits are reached.

You can access policy settings for the user by expanding User Configuration, expanding Policies,
expanding Administrative Templates, expanding Windows Components, and then expanding
Terminal Services.

The following table lists the options for user policy settings for Remote Desktop.

Policy setting for the user / Description

Remote Desktop Connection Client > Do not allow passwords to be saved
    This policy controls whether users can save passwords on this computer from Remote Desktop
    Services clients.

Remote Desktop Session Host > Remote Session Environment > Start a program on connection
    This policy specifies a program to run automatically when a user logs on to a remote computer. By
    default, Remote Desktop Services sessions provide access to the full Windows desktop, unless
    otherwise specified with this setting. Enabling this setting overrides the Start Program settings
    set by the server administrator or user.

Remote Desktop Session Host > Session Time Limits
    This policy controls session time limits for disconnected, idle, and active sessions, and controls
    whether to terminate sessions when users reach these limits.

Troubleshooting Remote Desktop

Remote Desktop sessions typically are successful. However, a number of things can go wrong during the
connection and authentication process. This section and the following table discuss some of the most
common issues.

Issue / Cause

Cannot connect to the remote computer
    Check the Windows 7 edition. Home editions do not allow inbound remote connections.
    Verify that the Windows Firewall is allowing traffic to port 3389.
    If the target computer is behind a Network Address Translation (NAT) device, configure port
    forwarding through NAT to the target computer.
    Check the system properties, and ensure that Remote Desktop is enabled on the target computer.
    Ensure that the target computer is not in sleep mode or hibernation.
    Ensure that the user who is attempting to connect has permission to make a connection.

Remote computer cannot be found
    Verify that the computer name is correct.
    Verify that the address record on the DNS server is correct. Try using the IP address instead of
    the name.

Unable to copy text from the remote computer
    Ensure the clipboard is selected as a local resource.
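The following script, added here as an example and not part of the course material, checks a Windows 7 target computer against the causes listed in the table above (edition, Remote Desktop enabled, firewall rule, group membership, port 3389). It assumes an elevated PowerShell prompt on the target; the registry values, the netsh rule name and the "-RemoteHost" parameter are the script's own choices.

```powershell
# Added example (not from the course): checks a Windows 7 computer against the
# "Cannot connect to the remote computer" causes in the table above. Run in an
# elevated PowerShell prompt on the target computer; -RemoteHost (default: this
# computer) is the name used for the final TCP 3389 reachability test.
param([string]$RemoteHost = $env:COMPUTERNAME)

$results = @()
function Add-Check([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# Windows 7 Home editions do not accept inbound Remote Desktop connections.
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Edition allows inbound Remote Desktop' ($os.Caption -notmatch 'Home|Starter') $os.Caption

# System Properties > Remote settings: fDenyTSConnections = 0 means Remote Desktop is enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Check 'Remote Desktop enabled' ($ts.fDenyTSConnections -eq 0) "fDenyTSConnections=$($ts.fDenyTSConnections)"

# UserAuthentication = 1 is the "Network Level Authentication" option; 0 is the
# "any version of Remote Desktop (less secure)" option chosen in Task 2 above.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Add-Check 'Network Level Authentication required' ($rdp.UserAuthentication -eq 1) "UserAuthentication=$($rdp.UserAuthentication)"

# The Remote Desktop Services service owns the 3389 listener.
$svc = Get-Service TermService
Add-Check 'Remote Desktop Services (TermService) running' ($svc.Status -eq 'Running') ([string]$svc.Status)

# Windows Firewall: the rule enabled in Task 1 above. netsh is used because the
# NetSecurity cmdlets do not exist on Windows 7.
$fw = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
$enabled  = [bool]($fw -match '^Enabled:\s+Yes')
$profiles = ($fw -match '^Profiles:') -join ''
Add-Check 'Firewall rule "Remote Desktop (TCP-In)" enabled' $enabled $profiles.Trim()

# Remote Desktop Users membership (the group populated in Task 2 above); local
# Administrators can connect regardless of this group.
$group   = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
Add-Check 'Remote Desktop Users group has members' ($members.Count -gt 0) ($members -join ', ')

# TCP 3389 reachability. A failure here with everything above passing points at
# the firewall on a different profile, a NAT device without port forwarding, or
# a target that is asleep or hibernating.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($RemoteHost, 3389); $open = $true } catch { $open = $false }
finally { $tcp.Close() }
Add-Check "TCP 3389 reachable on $RemoteHost" $open $(if ($open) { 'connected' } else { 'no connection' })

$results | Format-Table -Property Check, Pass, Detail -AutoSize -Wrap
```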

Lesson 3
Troubleshooting User Issues by Using Remote Assistance

Remote Assistance is a built-in tool that allows users to control another operating system by connecting
to it remotely. Windows Remote Assistance is a useful tool for providing remote assistance when users
need help. Remote Assistance is available in all Windows 7 editions.

Objectives
After completing this lesson, you will be able to:

Describe the new Remote Assistance features.

Describe how to offer or request Remote Assistance.

Create and respond to an invitation for Remote Assistance.

Describe how to configure Remote Assistance through Group Policy.



Using Remote Assistance to Assist Your Users

When you connect to a user's computer with Remote Assistance, you can see their desktop, any open
documents, and any visible private information. Remote Assistance creates a chat session between you
and the user so that you can communicate via text messages.

Additionally, if the user allows you to control his or her computer by remotely operating his or her mouse
and keyboard, you can perform various administrative functions, such as deleting files or changing
settings.

When you ask to share control of the desktop, a check box is visible. When the user selects this check box,
it enables you to respond to User Account Control prompts. You can respond to requests for
administrator consent or administrator credentials, such as a user name or password. You then can run
administrator-level programs without the user's participation.

For you or another helper to share the control of a computer, the user must grant permission. Likewise, if
the user wants to stop you or another helper from sharing control, they can click Cancel, and then click
Stop sharing, or press E.

You can offer Remote Assistance to users in anticipation of users requesting assistance from you. This is
useful in situations where you predict that users may require assistance, such as after you deploy a new
application or implement a new procedure.

The Help and Support Center provides links to assist helpers in offering Remote Assistance to users. By
using the computer name or IP address, you can send an invitation to the user. A remote session begins
when the user accepts the request.

Remote Assistance in Windows 7

Remote Assistance provides a way for users to get the help they need, and makes it easier and less costly
for corporate help desks to assist users. Remote Assistance enables users to invite you to connect to their
computers so that you can view their desktops when they need assistance. With the user's permission, the
helper can even share control of the user's computer to resolve issues remotely. Windows 7 enables
Remote Assistance by default.

In Windows XP, you can access Remote Assistance only through Help and Support. In Windows 7, the
Help and Support Center still provides a link to Remote Assistance, but Remote Assistance also appears as
a stand-alone application. It is in the Maintenance section of All Programs on the Start menu, or you
can launch it by executing msra.exe.

Sending an Invitation
A user who needs assistance can initiate a Remote Assistance session by sending an invitation to the
helper.

The following table lists the methods by which users can send invitations.

Invitation method / Description

Instant messaging
    Use Windows Messenger to send the invitation. The Tools menu lists an option to request Remote
    Assistance.

Email
    Email the invitation to the helper. Remote Assistance automatically launches a blank email form. If
    the user does not have an email client configured, then Windows Mail prompts for configuration.

Saving a file
    Save the invitation to a file in a network location that the helper can access. You can use the Help
    and Support Center links to assist in saving the invitation as a file.

After creating the invitation, the user must create a password to protect the invitation. The requester must
transmit the password to the helper in a separate communication. A Remote Assistance window then
appears and waits for an incoming connection. Do not close this window, or the helper will be unable to
respond.

Administrators can control many aspects of the invitation, such as how long an invitation remains valid,
and whether someone can control the computer remotely. These settings are in the Advanced section of
the Remote tab in System Properties. The default settings allow remote control, and invitations are valid
for six hours.

Note You must configure Windows Firewall to allow communication through port 3389.

Accepting an Invitation
After the recipient receives your invitation, the recipient can respond by saving and then opening the
attached file, and then entering the password. Remote Assistance creates an encrypted connection either
over the Internet or over the network that connects the computers. The requesting user has to click Yes to
complete the transaction.

Demonstration: How to Use Remote Assistance (Optional)

In this demonstration, you will see how to use Remote Assistance to help resolve a user's problem with
an Office feature.

Demonstration Steps
1. On NYC-CL1, create a Microsoft Office Word document.

2. Request remote assistance.


3. From NYC-DC1, provide remote assistance.

4. Start a chat session with the user.

5. Take remote control of the user's computer.


6. Demonstrate the required feature to the user.

7. Close remote assistance.



Configuring Remote Assistance by Using GPOs

You can manage some aspects of Remote Assistance by using Group Policy. Configure Group Policy
objects (GPOs) on the local computer or in AD DS to control the Remote Assistance behavior. You can
access Remote Assistance policy settings by expanding Computer Configuration, expanding Policies,
expanding Administrative Templates, expanding System, and then expanding Remote Assistance.

The following table lists the Remote Assistance policy settings.

Policy setting / Description

Allow only Vista or newer connections
    This policy generates Remote Assistance invitations with improved encryption. This setting does not
    affect Remote Assistance connections that are initiated by instant-messaging contacts or by
    unsolicited Offer Remote Assistance.

Turn on session logging
    Turn logging on. Log files are located in the user's Documents folder under Remote Assistance.

Turn on bandwidth optimization
    This policy improves performance in low bandwidth scenarios. This setting scales incrementally from
    No optimization to Full optimization.

Solicited Remote Assistance
    Enable Solicited Remote Assistance on this computer. Disabling this setting prevents users from
    asking for Remote Assistance. You also can configure invitation time limits, and whether to allow
    remote control.

Offer Remote Assistance
    Turn on Offer (Unsolicited) Remote Assistance on this computer. You must enable this policy for
    users to receive unsolicited Remote Assistance.

Lesson 4
Troubleshooting NAP Issues

Network Access Protection (NAP) enables you to create customized health-requirement policies to
validate computer health before allowing access or communication. NAP also updates compliant
computers automatically to ensure ongoing compliance and limit the access of noncompliant computers
to a restricted network until they become compliant.
Understanding how NAP works enables you to determine why client computers are unable to connect to
your organization's network resources when they are not compliant.

Objectives
After completing this lesson, you will be able to:

Describe the function of NAP.

Describe the components required to enable NAP.

Describe how to use NAP within your organization.

Configure client-side NAP settings.

Troubleshoot NAP.

What Is NAP?

NAP for Windows Server 2008 R2, Windows 7, and Windows Vista provides components and an
application programming interface (API) that help you enforce compliance with your organization's
health-requirement policies for network access or communication.

NAP enables you to create solutions for validating computers that connect to your networks, and it
provides the necessary updates or access to necessary health-update resources. Additionally, it limits the
access or communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors or with custom
programs. You also can customize the health-maintenance solution that developers within your
organization may develop and deploy, whether for monitoring the computers that are accessing the
network for health policy compliance, automatically updating computers with software updates to meet
health-policy requirements, or limiting the access to a restricted network of computers that do not meet
health-policy requirements.

It is important to remember that NAP does not protect a network from malicious users. Rather, it helps
you maintain the health of your organization's networked computers automatically, which in turn helps
maintain your network's overall integrity. For example, if a computer has all the software and
configuration settings that the health policy requires, the computer is compliant, and will have unlimited
network access. However, NAP does not prevent an authorized user with a compliant computer from
uploading a malicious program to the network or engaging in other inappropriate behavior.

Aspects of NAP
NAP has three important and distinct aspects:

Health state validation. When a computer attempts to connect to the network, NAP validates the
computers health state against the health-requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant. In a monitoring-only environment, NAP
evaluates the health state of all computers, and then logs the compliance state of each computer for
analysis. In a limited access environment, computers that comply with the health-requirement policies
have unlimited network access. Computers that do not comply with health-requirement policies may
have access which is limited to a restricted network.

Health policy compliance. You can help ensure compliance with health-requirement policies by
choosing to update noncompliant computers automatically with missing software updates or
configuration changes through management software, such as Microsoft System Center
Configuration Manager. In a monitoring-only environment, computers will have network access
before they are updated with required updates or configuration changes. In a limited access
environment, noncompliant computers have limited access until the updates and configuration
changes are complete. In both environments, computers that are compatible with NAP can become
compliant automatically, and you can define exceptions for computers that are not compatible with
NAP.

Limited access. You can protect your networks by limiting the access of noncompliant computers. You
can base limited network access on a specific amount of time, or on what resources the noncompliant
computer can access. In the latter case, you define a restricted network containing health update
resources, and the limited access will last until the noncompliant computer comes into compliance.
You also can configure exceptions so that computers that are not compatible with NAP do not have
their network access limited.

Components of NAP

The following table lists the components of a NAP-enabled network infrastructure.

Component / Description

NAP clients
    Computers that support the NAP platform for system health-validated network access or
    communication.

NAP enforcement points
    Computers or network-access devices that use NAP, or that you can use with NAP, to require
    evaluation of a NAP client's health state, and then provide restricted network access or
    communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP
    health policy server to evaluate the health state of NAP clients, whether network access or
    communication is allowed, and the set of remediation actions that a noncompliant NAP client must
    perform.
    NAP enforcement points include the following:
    Health Registration Authority (HRA). This is a computer that runs Windows Server 2008 R2 and IIS,
    and that obtains health certificates from a certification authority (CA) for compliant computers.
    VPN server. A computer that runs Windows Server 2008 R2 and Routing and Remote Access, and that
    enables VPN intranet connections via remote access.
    DHCP server. A computer that runs Windows Server 2008 R2 and the DHCP Server service, and that
    provides automatic IPv4 address configuration to intranet DHCP clients.
    Network access devices. These are Ethernet switches or wireless access points that support
    Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication.

NAP health policy servers
    These are computers that run Windows Server 2008 R2 and the NPS service, and that store
    health-requirement policies and provide health-state validation for NAP. NPS is the replacement for
    the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS)
    server and proxy that Windows Server 2003 provides.
    NPS also acts as an authentication, authorization, and accounting (AAA) server for network access.
    When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server
    for centralized configuration of network access and health-requirement policies. The NPS service
    also runs on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS
    client, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting
    as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

Health requirement servers
    These computers provide the current system health state for NAP health policy servers. An example
    would be a health-requirement server for an antivirus program that tracks the latest version of
    the antivirus signature file.

AD DS
    This Windows directory service stores account credentials and properties, and stores Group Policy
    settings. Although not required for health-state validation, Active Directory is required for
    IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN
    connections.

Restricted network
    This is a separate logical or physical network that contains remediation servers and NAP clients
    with limited access.

Remediation servers
    These are computers that contain health update resources that NAP clients can access to remediate
    their noncompliant state. Examples include antivirus signature distribution servers and software
    update servers.

NAP clients with limited access
    These are computers placed on the restricted network when they do not comply with
    health-requirement policies.

Discussion: How Would You Use NAP?

The need to enforce client health requirements varies between organizations. Some organizations have
already implemented a solution, while others are just evaluating it. NAP is the Microsoft solution for
enforcing client health requirements.

NAP has the following enforcement methods:

DHCP
VPN

802.1X

IPsec

TS Gateway

Question: Can you envision using NAP? If so, what NAP enforcement method would be
suitable?

Configuring Client-Side NAP Settings

You should remember these basic guidelines when you configure NAP clients:

Some NAP deployments that use Windows Security Health Validator require that you enable Security
Center.

The Network Access Protection service is required when you deploy NAP to NAP-capable client
computers.
You must also configure the NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy


You can use this procedure to enable Security Center on NAP-capable clients by using Group Policy. Some
NAP deployments that use Windows Security Health Validator require Security Center.

Note To complete this procedure, you must be a member of one of the following groups
on the local computer: Domain Admins, Enterprise Admins, or Administrators.

To enable Security Center in Group Policy:


1. Open the Group Policy Management console, and then click Add.

2. In the Select Group Policy Object dialog box, click Finish, and then click OK.

3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration,
double-click Administrative Templates, double-click Windows Components, and then double-click
Security Center.

4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

Enable the Network Access Protection Service on Clients


You can use this procedure to enable and configure NAP service on NAP-capable client computers. When
you deploy NAP, you must enable this service.

Note To complete this procedure, you must be a member of one of the following groups
on the local computer: Domain Admins, Enterprise Admins, or Administrators.

To enable the NAP service on client computers:

1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then
double-click Services.

2. In the services list, scroll down to, and then double-click, Network Access Protection Agent.

3. In the Network Access Protection Agent Properties dialog box, change Startup Type to
Automatic, and then click OK.

Enable and Disable NAP Enforcement Clients


You can use this procedure to enable or disable one or more NAP enforcement clients on NAP-capable
computers. These clients may include:

DHCP Enforcement Client

Remote Access Enforcement Client

EAP Enforcement Client

IPsec Enforcement Client


TS Gateway Enforcement Client

To enable and disable NAP Enforcement Clients:

1. Open the NAP client configuration console: click Start, click All Programs, click Accessories, click
Run, type NAPCLCFG.MSC, and then click OK.

2. Click Enforcement Clients. In the details pane, right-click the enforcement client that you want to
enable or disable, and then click Enable or Disable.

Note To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to
perform this procedure. As a security best practice, consider performing this procedure by
using the Run as command.

Best Practices for Troubleshooting NAP

When a NAP-capable client attempts to connect to your network, several NAP components assess its
health.

Troubleshooting Procedure
If a problem occurs when a client attempts a connection, you can troubleshoot the connection by using
the following procedures:

Determine that all the client-side components are running. You should ensure that Windows Security
Center is enabled, and that the client-side NAP Enforcement clients are configured correctly.

Determine the requirements of the system health validator (SHV). Reasons that the client is not
compliant may include the absence of a firewall or absence of installed security updates which are
current.

Verify that the settings of the health policies are appropriate. The health policy determines network
access by assessing the client against the SHV requirements. You should verify that the health policy
grants the appropriate access.

Verify that the client matches the conditions and constraints on the health policy. You should ensure
that the client's settings meet the health policy conditions and constraints that you configure.

Check to ensure that the client is NAP-capable. The client will only connect if it is NAP-capable.

NAP Tracing
You can use the NAP Client Configuration snap-in to configure NAP tracing, in addition to
troubleshooting by using the preceding general troubleshooting procedures. NAP tracing records NAP
events in a log file, which you can use for troubleshooting and maintenance. You also can use tracing logs
to evaluate your network's health and security. You can configure three levels of tracing: Basic, Advanced,
and Debug.

You should enable NAP tracing when:

You troubleshoot NAP problems.

You evaluate the overall health and security of your organization's computers.

There are two tools available for configuring NAP tracing:

The NAP Client Configuration console is part of the Windows user interface.

The command-line tool, netsh.

Using the Windows User Interface


To enable or disable NAP tracing using the Windows user interface and specify the level of detail that the
tracing records:

1. Open the NAP Client Configuration console by clicking Start, clicking Programs, clicking
Accessories, clicking Run, typing napclcfg.msc, and then clicking OK.

2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click
Properties.

3. In the NAP Client Configuration (Local Computer) Properties dialog box, choose Enabled or
Disabled.

Note To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a
security best practice, consider performing this operation using the Run As command.

4. If enabled is chosen, under Specify the level of detail at which the tracing logs are written, select
Basic, Advanced, or Debug.

Using a Command-Line Tool


To use a command-line tool to enable or disable NAP tracing and to specify the level of detail that the
tracing records:

1. Open a command prompt by clicking Start, clicking All Programs, clicking Accessories, and clicking
Command Prompt.

2. The following are your options for enabling or disabling NAP tracing, and configuring NAP tracing:

To enable NAP tracing and configure basic or advanced logging, type: netsh nap client set
tracing state=enable level=basic or netsh nap client set tracing state=enable level=advanced.

To enable NAP tracing for debug information, type: netsh nap client set tracing state=enable
level=verbose.

To disable NAP tracing, type: netsh nap client set tracing state=disable.

Note To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a
security best practice, consider performing this operation using the Run As command.

Viewing Log Files


To view the log files, navigate to the %systemroot%\tracing\nap directory, and open the particular
trace log that you want to view.

Using Netsh Commands


You can use the netsh NAP command to help you to troubleshoot NAP issues. The following commands
are particularly useful:

netsh NAP client show state

This command displays the status of a NAP client, including the:

Restriction state.

Status of enforcement clients.

Status of installed Secure Hash Algorithm (SHAs).

Trusted server groups that are configured.

netsh NAP client show config

This command displays the local configuration settings on a NAP client, including:

Cryptographic settings.

Enforcement client settings.

Trusted server-groups settings.

Client-tracing settings that have been configured.

netsh NAP client show group

This command displays the Group Policy configuration settings on a NAP client, including:
Cryptographic settings.

Enforcement client settings.

Trusted server groups settings.


Client tracing settings that are configured.
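The following script, added here as an example and not part of the course material, automates the client-side checks from the troubleshooting procedure above (NAP Agent service, Security Center policy) and parses the output of netsh nap client show state into a list of enforcement clients and health agents. It assumes an elevated prompt on the Windows 7 client; the Security Center policy value name and the "Key = Value" block layout of the netsh output are the script's assumptions.

```powershell
# Added example (not from the course): NAP client readiness check. Run in an
# elevated PowerShell prompt on the NAP-capable Windows 7 client.

# 1. The Network Access Protection Agent service (short name napagent) must be
#    running and set to Automatic, as in the Services procedure earlier in this lesson.
$agent   = Get-Service -Name napagent
$startup = (Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode
Write-Host ("NAP Agent service: {0} (startup: {1})" -f $agent.Status, $startup)

# 2. "Turn on Security Center (Domain PCs only)" writes SecurityCenterInDomain=1
#    under this policy key (assumed value name; compare with your GPO results).
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
$sc    = Get-ItemProperty -Path $scKey -ErrorAction SilentlyContinue
if ($sc -and $sc.SecurityCenterInDomain -eq 1) {
    Write-Host 'Security Center: enabled by policy'
} else {
    Write-Host 'Security Center: NOT enabled by policy (required by some WSHV deployments)'
}

# 3. Parse "netsh nap client show state". The output is assumed to consist of
#    blocks of "Key = Value" lines separated by blank or header lines; the first
#    block is the overall client state and later blocks describe each enforcement
#    client and system health agent.
$raw    = netsh nap client show state
$blocks = @()
$block  = @{}
foreach ($line in $raw) {
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
        $block[$matches[1]] = $matches[2]
    } elseif ($block.Count -gt 0) {
        $blocks += $block          # a blank or separator line ends the block
        $block = @{}
    }
}
if ($block.Count -gt 0) { $blocks += $block }

# Overall restriction state (carried by the client-state block).
$overall = $blocks | Where-Object { $_.ContainsKey('Restriction state') } | Select-Object -First 1
if ($overall) { Write-Host ("Restriction state: {0}" -f $overall['Restriction state']) }

# Every block with both a Name and an Initialized field is an enforcement client
# or health agent; an enforcement client showing "No" has not been enabled in
# the NAP Client Configuration console (napclcfg.msc).
Write-Host "`nEnforcement clients and health agents:"
foreach ($b in $blocks) {
    if ($b.ContainsKey('Name') -and $b.ContainsKey('Initialized')) {
        Write-Host ("  {0,-45} initialized: {1}" -f $b['Name'], $b['Initialized'])
    }
}
```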

NAP Event Logs


NAP services record NAP-related events into the Windows event logs. To view these events, open Event
Viewer, and select Custom Views. Select Server Roles, and then select Network Policy and Access
Services.

The events in the following table provide information about NAP services running on an NPS server.

Event ID 6272: Network Policy Server granted access to a user.
Cause: Occurs when a NAP client is successfully authenticated and, depending on its health state, obtains full or restricted access to the network.

Event ID 6273: Network Policy Server denied access to a user.
Cause: Occurs when there is a problem with authentication or authorization, and the problem is associated with a reason code.

Event ID 6274: Network Policy Server discarded the request for a user.
Cause: Occurs if there is a configuration problem. It can occur if the RADIUS client settings are incorrect, or if NPS cannot create accounting logs.

Event ID 6276: Network Policy Server quarantined a user.
Cause: Occurs when the client-access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access.

Event ID 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Cause: Occurs when the client-access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access for a limited time when the date specified in the policy has passed.

Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
Cause: Occurs when the client-access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.
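The following script is an added example and is not part of the course materials or of NPS itself. It reads the events listed in the table above from the Security log of an NPS server (or from an exported .evtx copy of that log), counts them by event ID, and breaks down the denials (6273) by reason code so that a support technician can see at a glance whether clients are being refused, quarantined, or discarded. It assumes that it runs as an administrator on the NPS server (or on any computer when an exported file is supplied) and that the English 6273 event message contains a "Reason Code:" line.

```powershell
# Added example, not part of the course: summarize NPS/NAP access events
# (IDs 6272-6278 from the table above) from the Security log of an NPS
# server, or from an exported .evtx copy, and count denials by reason code.
# Assumptions: run as an administrator on the NPS server (live log) or on
# any computer with the exported file; the English 6273 message contains a
# "Reason Code:" line, which is what the regular expression below relies on.

param(
    [string]$EvtxPath,          # optional: path to an exported Security log
    [int]$MaxEvents = 1000      # how far back to look
)

# Event names as given in the course table.
$NpsEventNames = @{
    6272 = 'Granted access'
    6273 = 'Denied access'
    6274 = 'Discarded request (configuration problem)'
    6276 = 'Quarantined user (limited access)'
    6277 = 'Granted access on probation (health policy not met)'
    6278 = 'Granted full access (health policy met)'
}

function Get-NpsAccessEvent {
    param([string]$Path, [int]$Max)
    $filter = @{ Id = @($NpsEventNames.Keys) }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue
}

function Get-NpsAccessSummary {
    param($Events)
    $countById = @{}
    $denialsByReason = @{}
    foreach ($e in @($Events)) {
        $countById[$e.Id] = 1 + [int]$countById[$e.Id]
        # Only 6273 carries a reason code; collect them to see why users are refused.
        if ($e.Id -eq 6273 -and $e.Message -match 'Reason Code:\s*(\d+)') {
            $code = [int]$matches[1]
            $denialsByReason[$code] = 1 + [int]$denialsByReason[$code]
        }
    }
    New-Object PSObject -Property @{
        CountById       = $countById
        DenialsByReason = $denialsByReason
    }
}

function Show-NpsAccessSummary {
    param($Summary)
    'NPS access events:'
    foreach ($id in ($Summary.CountById.Keys | Sort-Object)) {
        '  {0}  {1,-55} {2,6}' -f $id, $NpsEventNames[$id], $Summary.CountById[$id]
    }
    if ($Summary.DenialsByReason.Count -gt 0) {
        'Denials (6273) by reason code:'
        foreach ($code in ($Summary.DenialsByReason.Keys | Sort-Object)) {
            '  reason {0,3}: {1,6}' -f $code, $Summary.DenialsByReason[$code]
        }
    }
    # 6274 without any 6272/6273 points at the RADIUS client or accounting
    # configuration described in the table, not at the user.
    if ($Summary.CountById[6274] -gt 0 -and -not $Summary.CountById[6272] -and -not $Summary.CountById[6273]) {
        'Only discarded requests seen: check RADIUS client settings and accounting log configuration on NPS.'
    }
}

$events  = Get-NpsAccessEvent -Path $EvtxPath -Max $MaxEvents
$summary = Get-NpsAccessSummary -Events $events
Show-NpsAccessSummary -Summary $summary
```

Run it without parameters on the NPS server, or with `-EvtxPath C:\export\Security.evtx` against a log that the server team exported for you. A sudden rise in 6273 events with a single reason code usually means one policy or authentication change affected many users, while 6274 events with no 6272 or 6273 at all indicate that requests never reached policy evaluation.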

Lesson 5
Troubleshooting DirectAccess Issues

Organizations often rely on VPN connections to provide remote users with secure access to data and
resources on the corporate network. VPN connections are easy to configure, and several different clients
support them. However, users must establish VPN connections before they can use these clients, which
may require additional configuration of the corporate firewall. Additionally, VPN connections usually
enable remote access to the entire corporate network, and typically organizations cannot manage remote
computers effectively.

To manage remote computers easily and overcome limitations in VPN connections, organizations can
implement DirectAccess, which provides a seamless connection between the internal network and the
remote computer, as long as there is an Internet connection.

Note DirectAccess is available in Windows Server 2008 R2 and Windows 7.

Objectives
After completing this lesson, you will be able to:

Describe DirectAccess.

Describe how DirectAccess works.

Configure DirectAccess.

Troubleshoot DirectAccess Connectivity.



What Is DirectAccess?

Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless
remote access to intranet resources without users having to first establish a VPN connection. The
DirectAccess feature also ensures seamless connectivity for internal users and remote users on application
infrastructure.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application on the client computer to have complete access to intranet resources.
DirectAccess also enables you to specify resources and client-side applications that are restricted for
remote access.

Organizations benefit from DirectAccess because remote computers can be managed as if they are local
computers, using the same management and update servers, to ensure they are always current and in
compliance with security and system health policies. You also can define more detailed access-control
policies for remote access than you can in VPN solutions.

DirectAccess has the following features:

Automatically connects the client computer to the corporate intranet when it is connected to the
Internet.

Uses various protocols, including HTTPS, to establish IP version 6 (IPv6) connectivity. HTTPS typically is
allowed through firewalls.

Supports selected server access and IPsec authentication with an intranet network server.

Supports end-to-end authentication and encryption.

Supports management of remote client computers.


Allows remote users to connect directly to intranet servers.

DirectAccess has the following benefits:

Always-on connectivity. Whenever the user connects the client computer to the Internet, the client
computer is connected to the intranet also. This connectivity enables remote client computers to
access and update applications easily, makes intranet resources always available, and enables users to
connect to the corporate intranet from anywhere, at any time, which maximizes their productivity
and performance.

Seamless connectivity. DirectAccess provides a consistent connectivity experience, regardless of
whether the client computer is local or remote. This allows users to focus more on productivity and
less on connectivity options and process. This consistency can reduce both costs for user training and
support incidents.

Bidirectional access. You can configure DirectAccess so that DirectAccess clients have access to
intranet resources, and computers on the intranet have access from the intranet to those DirectAccess
clients. This enables DirectAccess to be bidirectional, so that DirectAccess users have access to intranet
resources, and you can have access to DirectAccess clients when they are connecting over a public
network. This ensures that the client computers always have the most recent security updates, as well
as enforcement of the domain's Group Policy, and that there is no difference whether users are on the
corporate intranet or on the public network.
This bidirectional access also results in:

Decreased update time.

Increased security.

Decreased update miss rate.

Improved compliance monitoring.

Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This tighter degree of control allows security architects to precisely control remote
users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so
that users can ensure that their communication is safe. You can use a granular policy to define who
can use DirectAccess, and from where.

Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions,
resulting in the seamless integration of security, access, and health requirement policies between the
intranet and remote computers.

How Does DirectAccess Work?

The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:
The DirectAccess client computer that is running Windows 7 detects whether it is connected to a
network.

The DirectAccess client computer attempts to connect to an intranet website that is specified during
the DirectAccess configuration. If the website is available, the DirectAccess client verifies that the
client computer is connected to the intranet, and the DirectAccess connection process stops. If the
website is not available, the DirectAccess client verifies that the client computer is connected to the
Internet, and the DirectAccess connection process continues.

The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to occur.

If a firewall or proxy server prevents the client computer from using 6to4 or Teredo to connect to
the DirectAccess server, the client computer attempts to connect automatically by using the IP-
HTTPS protocol, which uses an SSL connection to ensure connectivity.

To establish the IPsec session, the DirectAccess client and server authenticate each other by using
computer certificates.

By validating AD DS group memberships, the DirectAccess server verifies that the computer and user
are authorized to connect by using DirectAccess.

If you enable and configure NAP for health validation, the DirectAccess client obtains a health
certificate from an HRA located on the Internet prior to connecting to the DirectAccess server.

The HRA forwards the DirectAccess client's health status information to a NAP health policy server.

The NAP health policy server processes the policies that the NPS defines, and then determines
whether the client is compliant with system health requirements. If the client is compliant, the HRA
obtains the health certificate for the DirectAccess client. When the DirectAccess client connects to the
DirectAccess server, the health certificate is submitted for authentication.

The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet
resources to which the user has been granted access.

Configuring DirectAccess

To configure DirectAccess, you need to perform the following steps:

1. Install Windows Server 2008 R2 on a server computer with two physical network adapters.
2. Join the DirectAccess server to an Active Directory domain.

3. Install the DirectAccess Management feature, and configure the DirectAccess server so that it is on
the perimeter network with one network adapter connected to the Internet and at least one other
network adapter connected to the intranet. Ensure that both network adapters are enabled and have
their respective IPv4 addresses configured, if there is no native IPv6 connectivity available. This is
critical for the DirectAccess server to derive its configuration information automatically. Otherwise,
you will need to enter the configuration manually.

4. Verify that the ports and protocols necessary for DirectAccess and ICMP Echo Request are enabled in
the firewall exceptions, and are opened on the perimeter and Internet-facing firewalls.

5. The DirectAccess server needs at least two consecutive public, static IPv4 addresses that can be
resolved externally through DNS. Ensure that you have an IPv4 address available, and that you have
the ability to publish that address in your externally-facing DNS server.

6. If you have disabled IPv6 on clients and servers, enable IPv6 because DirectAccess requires it.

7. Create a security group in Active Directory, and then add all client computer accounts that will be
accessing the intranet through DirectAccess.
8. Install a web server on the DirectAccess server to enable DirectAccess clients to determine if they are
inside or outside the intranet.

9. Designate one of the server network adapters as the Internet-facing interface. This interface will
require two consecutive, public IPv4 addresses. You must assign both of these IPv4 addresses to the
same interface.

10. On the DirectAccess server, ensure that you configure the Internet-facing interface to be either a
public or a private interface, depending on your network design. Configure the intranet interfaces as
Domain interfaces. DirectAccess supports no other combinations. If you have more than two
interfaces, ensure that you select no more than two classification types.

11. Add and configure the Certificate Authority server role, create the certificate template and the CRL
distribution point, publish the CRL list, and then distribute the computer certificates.

Troubleshooting DirectAccess Client Issues

The process that you would use to troubleshoot the DirectAccess server configuration is beyond the
scope of an EDST. However, you do need to understand how to troubleshoot DirectAccess from the
client's perspective.

If you have difficulty locating a specific server on the internal network, it may not have an IPv6 address. All
servers that you can access by using DirectAccess must have an IPv6 address.
The following is the general process for troubleshooting DirectAccess clients:

1. Verify that the client version is Windows 7 Enterprise Edition or Windows 7 Ultimate Edition. Those
are the only supported versions.
2. Verify that the client is joined to the domain. The computer account also must be a member of the
security groups selected for access during server-side configuration.

3. Verify that the client has downloaded the necessary GPOs with DirectAccess configuration
information. You can use RSoP to verify that the correct GPO has been applied.

4. Verify IPv6 connectivity with the DirectAccess server by using ping to verify connectivity
to the server's IPv6 address.
5. Verify that the client is correctly identifying whether it is on the internal network or the Internet. Use
the netsh dnsclient show state command, and then read the Machine location field.

6. Verify that clients on the Internet are not using the domain profile, by using Windows Firewall with
Advanced Security or the netsh advfirewall monitor show currentprofile command.

7. Verify that connected clients can resolve DNS names on the internal network. Use NSLookup to verify
that a DNS name can be resolved to an IPv6 address.

8. Verify that IPsec connectivity has been negotiated successfully. Use Windows Firewall with Advanced
Security to view IPsec connections, or use the netsh advfirewall monitor show mmsa and netsh
advfirewall monitor show qmsa commands.
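The following script is an added example and is not part of the course materials or of the DirectAccess product. It runs the eight client-side checks listed above on a Windows 7 client in one pass and prints a PASS or FAIL line for each, which is faster and less error-prone than reading the output of each command by hand. It assumes an elevated PowerShell session; the DirectAccess server IPv6 address, the intranet host name and the GPO name are placeholders that you replace with your own values, and the text it matches in the netsh and gpresult output is the English layout of those tools.

```powershell
# Added example, not part of the course: run the client-side DirectAccess
# checks from steps 1 through 8 above on a Windows 7 client and print a
# PASS/FAIL line for each. Assumptions: run in an elevated PowerShell; the
# DirectAccess server IPv6 address, the intranet host name and the GPO name
# are placeholders that you replace with your own values; the text matched
# in the netsh and gpresult output is the English layout of those tools.

param(
    [string]$ServerIPv6      = '2001:db8::1',                  # placeholder address
    [string]$IntranetHost    = 'app1.corp.example',            # placeholder intranet name
    [string]$DirectAccessGpo = 'DirectAccess Client Settings'  # placeholder GPO name
)

function Write-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $state = if ($Passed) { 'PASS' } else { 'FAIL' }
    '{0} {1,-28} {2}' -f $state, $Name, $Detail
}

# 1. Supported edition: only Enterprise and Ultimate ship the DirectAccess client.
$os = Get-WmiObject Win32_OperatingSystem
Write-Check 'Windows edition' ($os.Caption -match 'Enterprise|Ultimate') $os.Caption

# 2. Domain membership (group membership of the computer account is checked on the server).
$cs = Get-WmiObject Win32_ComputerSystem
Write-Check 'Domain joined' ([bool]$cs.PartOfDomain) $cs.Domain

# 3. DirectAccess GPO applied: look for its name in the computer RSoP summary.
$gpresult = gpresult /r /scope:computer 2>&1
Write-Check 'DirectAccess GPO applied' (($gpresult -join ' ') -match [regex]::Escape($DirectAccessGpo)) $DirectAccessGpo

# 4. IPv6 reachability of the DirectAccess server.
ping -6 -n 2 $ServerIPv6 | Out-Null
Write-Check 'IPv6 ping to DA server' ($LASTEXITCODE -eq 0) $ServerIPv6

# 5. Network location detection: the "Machine Location" field of the DNS client state.
$dnsState = netsh dnsclient show state
$locationLine = @($dnsState | Where-Object { $_ -match 'Machine Location' })[0]
$location = if ($locationLine) { ($locationLine -split ':', 2)[1].Trim() } else { 'unknown' }
Write-Check 'Machine location detected' ($location -ne 'unknown') $location

# 6. A client on the Internet must not be using the domain firewall profile.
#    Assumption: "show currentprofile" prints a "<Name> Profile Settings" heading.
$fwProfile = (netsh advfirewall monitor show currentprofile) -join ' '
$domainProfile = $fwProfile -match 'Domain Profile'
$onInternet = $location -match 'Outside'
Write-Check 'Firewall profile' (-not ($onInternet -and $domainProfile)) ("on Internet: $onInternet, domain profile: $domainProfile")

# 7. Internal names must resolve to IPv6 addresses for DirectAccess to reach them.
$v6 = @()
try {
    $v6 = @([System.Net.Dns]::GetHostAddresses($IntranetHost) | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
} catch { }
Write-Check 'Intranet name -> IPv6' ($v6.Count -gt 0) ($v6 -join ', ')

# 8. IPsec main mode and quick mode SAs; assumption: one "Local IP Address" line per SA.
$mm = @(netsh advfirewall monitor show mmsa | Where-Object { $_ -match 'Local IP Address' })
$qm = @(netsh advfirewall monitor show qmsa | Where-Object { $_ -match 'Local IP Address' })
Write-Check 'IPsec SAs negotiated' ($mm.Count -gt 0 -and $qm.Count -gt 0) ("MM SAs: $($mm.Count), QM SAs: $($qm.Count)")
```

Read the results top to bottom: the checks are ordered so that an early failure (wrong edition, not domain joined, GPO not applied) explains every later one, and a client that reports "Inside corporate network" while it is actually on the Internet will fail step 6 and show no IPsec SAs in step 8 because it never attempts a DirectAccess connection.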

Lab: Resolving Remote Connectivity Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 2 through 4 for 6293A-NYC-SVR2 and 6293A-NYC-CL1.

Lab Scenario
A user reported a recent problem connecting to the corporate intranet from his home. He cannot connect
to the intranet, and receives the error that the help-desk ticket documents. The help desk checked the
basic network settings, but is unsure how to proceed.

For this project, you must complete the following tasks:

Read the help-desk ticket.


Plan a course of action.

Attempt a resolution of the problem.

Document a successful resolution of the problem.



Exercise: Resolving a Remote Connectivity Problem


Scenario
In this exercise, you will investigate the cause of the VPN connectivity failure.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603321.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603321

Date of Call May 5


Time of Call 08:05
User Max Stevens (Research Department)
Status OPEN

Incident Details
Max reports that he cannot connect to the corporate intranet site from home. He uses a preconfigured
VPN.
The intranet site is accessible when Max connects his computer locally in the Contoso domain.

Additional Information
The intranet site is accessible when Max connects his computer locally in the Contoso domain.
VPN settings for Contoso home users:
Users connecting using VPN must use EAP authentication.
The preferred RAS server is NYC-SVR2.
NAP has been implemented in Contoso in recent weeks using VPN enforcement. IPv4 filters
restrict connectivity to remediation servers.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603321

Read the help-desk Incident Record for incident 603321.

Task 2: Update the Plan of Action section of the Incident Record

1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem

1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod06\Scenario1.vbs script.

3. Wait while the computer restarts.

4. Log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

5. Attempt to connect using the Contoso VPN.

6. Log on using the following credentials:


User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

7. What error message do you see?

Task 4: Attempt to resolve the problem

Note Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.

1. Using your knowledge of remote connectivity issues, and tools available for troubleshooting the
remote networking environment, attempt to resolve the problem.

2. Update the Resolution section of the incident record.


3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1.

In the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.

For NYC-CL1, log on by using the following credentials:

User name: NYC-CL1\WSAdmin

Password: Pa$$w0rd

Results: At the end of this exercise, you will have resolved the remote connectivity problem.

To prepare for the next module

When you finish the practice session, revert the virtual machines to their initial state by completing the
following steps:

1. On the host computer, start Hyper-V Manager.


2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.



Module Review and Takeaways

Review Questions
1. Users are complaining that they are unable to connect to the corporate network using VPNs
following recent firewall configuration changes. The team responsible for implementing security
policies has determined that only TCP port 443 is allowed into the internal network. Which
tunneling protocol supports this restriction?
2. A user from accounts has attempted to connect to the corporate network using a VPN, and keeps
receiving error 800. To help resolve the issue, what would you attempt?

3. What tools could you use to help resolve the preceding problem?
4. You have a VPN server with two configured network policies. The first has a condition that grants
access to members of the Contoso group, to which everyone in your organization belongs, but has a
constraint of day and time restrictions for office hours only. The second policy has a condition of
membership of the Domain Admins group and no constraints. Why are administrators being refused
connections out of office hours, and what can you do about it?

Tools

Tool: MSTSC.exe. Use for: Remote Desktop Connections. Where to find it: Start Menu.

Tool: MSRA.exe. Use for: Remote Assistance. Where to find it: Start Menu.



Module 7
Troubleshooting Logon and Resource Access Issues
Contents:
Lesson 1: Troubleshooting User Logon Issues 7-3

Lesson 2: Troubleshooting User Profile Issues 7-13

Lesson 3: Troubleshooting File Access Issues 7-19


Lesson 4: Troubleshooting File Permissions Issues 7-28

Lesson 5: Troubleshooting Printer Access Issues 7-36

Lab: Troubleshooting Logon and Resource Access Issues 7-44



Module Overview

It is essential that users gain access to all of the resources that they need to perform their jobs, such as the
data stored in their profiles, their files, and access to their printers. The first step in gaining access to these
resources is a successful logon.

User profiles, file access, and printer access all have unique issues that can affect the user experience
negatively. You need to be able to troubleshoot and resolve issues related to all of these areas.

Objectives
After completing this module, you will be able to:

Troubleshoot user logon issues.


Troubleshoot user profile issues.

Troubleshoot file access issues.

Troubleshoot file permissions issues.

Troubleshoot printer access issues.



Lesson 1
Troubleshooting User Logon Issues

To troubleshoot the logon process successfully, you need a thorough understanding of the logon process,
including how Windows 7 uses cached credentials, and Active Directory Domain Services (AD DS)
password and user policies. Additionally, you must be aware of the methods that you can use to identify
the cause of logon issues.

Objectives
After completing this lesson, you will be able to:
Discuss potential problems in the logon process.

Describe the logon process.

Describe cached credentials.


Configure password policies and user properties.

Describe methods to identify logon errors.



Discussion: Causes of Logon Issues

Your users must be able to log on successfully so that they can access the files, printers, and other
resources that they require to do their jobs. There are a wide variety of reasons that a user might not be
able to log on.

Question: What are some logon problems that users may experience?

What Is the Logon Process?

The logon process authenticates both computer and user accounts. Domain controllers perform the
authentication:

During the startup process for computer accounts.

When the user logs on for user accounts.


At startup, a computer queries the configured Domain Name System (DNS) server to find domain
controllers that are available to perform authentication. If you configure your Active Directory sites
properly, a computer uses domain controllers in the local physical location for authentication, which is
much faster than authenticating to a domain controller in another physical location.

If you do not configure the list of DNS servers on a Windows 7 computer appropriately, then it cannot
obtain a list of domain controllers, and the following may occur:

Authentication fails. The user is unable to access the local computer or network resources.

Windows 7 uses cached credentials. The user is able to access the local computer and may be able to
access some network resources.

Authentication is very slow but successful. This occurs when a suitable domain controller is on the
local subnet, and the client computer can locate the domain controller by using NetBIOS broadcasts.

During the logon process, Windows assigns a security token for both the computer and the user accounts.
The security token contains a list of groups of which the computer or user account is a member. Windows
uses this list of groups to identify permissions when the computer or user attempts to access resources. If
you add a computer or user account to a group, you must ensure that you reauthenticate the account to
update the security token with group membership.

Cached Credentials

Cached credentials allow users to authenticate to a local computer by using domain credentials when a
domain controller is unavailable to perform authentication.

Cached credentials are useful particularly for a roaming user who works on a laptop computer. When you
use cached credentials, the user can log on to a local computer by using the cached domain logon
credentials, even when the user's computer is not connected to the domain. Users must have cached
credentials to access offline files and folders when they are not connected to the network.

When a domain controller is available and then a user logs on to a Windows 7 computer successfully,
Windows 7 creates and stores cached credentials locally. Windows 7 updates cached credentials each time
a user logs on to the domain.

Note If a user has not authenticated successfully to the domain from a computer since
their last password change, the cached credentials still contain the previous password. The
user must logon by using the previous password when using those cached credentials.

If a user does not have cached credentials on a computer, and the domain controller is unavailable, then
Windows 7 cannot authenticate the user. In most cases, Windows 7 notifies the user when cached
credentials are used during the logon process.

By default, Windows 7 caches the credentials of the last 10 user accounts to log onto a specific computer,
and you can modify this number either by editing the registry (HKEY_LOCAL_MACHINE\SOFTWARE
\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount) or by using Group Policy
(Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options\Interactive Logon: Number of previous logons to cache).

The default number of cached credentials that Windows 7 can store is ten; however, you can configure
Windows 7 to store up to a maximum of 50. If you set the number of cached credentials to zero, then
Windows 7 must contact a domain controller before users can obtain access to the local computer.

Note You should be aware of any modifications that your organization makes to the default
configuration of cached credentials.

Group Policy Settings That Affect User Logon

In a corporate environment, password policies define the configuration of user passwords. Although
domain administrators configure password policies, you should know the available password policy
options so that you recognize when they are affecting the ability of users to log on.

Group Policy
You configure password policies in Group Policy, which contains settings for account lockout. When you
enable account lockout, a user that attempts to log on using an incorrect password is locked out after a
defined number of attempts. It is important to remember that account lockouts can occur based on
attempted logons to any system that authenticates users to AD DS. The most common scenario is users
logging on at workstations, but account lockout also applies to applications such as Outlook Web App.

The following table lists important Group Policy settings that can affect user logons.

Setting: Enforce password history
Description: When enforce password history is enabled, users cannot reuse passwords.
Default setting: By default, Group Policy remembers 24 passwords.

Setting: Maximum password age
Description: Maximum password age is the longest span of time that a password can exist before it must be changed by the user.
Default setting: By default, users must change their password every 42 days.

Setting: Minimum password age
Description: Minimum password age is the minimum amount of time that a user must keep a password.
Default setting: By default, users must keep a password for one day. This prevents users from cycling quickly through a list of passwords and defeating the password history requirement.

Setting: Minimum password length
Description: Minimum password length is the minimum number of characters in the password used by domain users.
Default setting: By default, a minimum length of seven characters is required.

Setting: Passwords must meet complexity requirements
Description: If Passwords must meet complexity requirements is enabled, users must create complex passwords that include uppercase and lowercase characters, numbers, and symbols.
Default setting: Three of the four elements must be present. This is enabled by default.

Setting: Account lockout threshold
Description: This defines the number of invalid logon attempts that users can make before Windows locks their account. When you enable Account lockout threshold, you can define the period within which the invalid attempts must occur, and how long the account remains locked.
Default setting: The default value is 0, which means accounts never become locked.

Note Windows Server 2008 introduced the ability to configure fine-grained password
policies for individual groups and users. Fine-grained password policies enable you to specify
multiple password policies, and apply different password restrictions and account-lockout
policies to different sets of users within a single domain. Please note that configuration of
fine-grained password policies is beyond this course's scope.

User Account Settings That Affect User Logon

AD DS stores user accounts, which network administrators or other support staff, such as help desk,
manage. Each user account has settings that are relevant to the logon process. You need to be aware of
these settings so that you can identify them as potential sources of logon issues, and then escalate the
issue to the appropriate group in your organization.
The following table lists user account settings that can affect user logon.

Setting: User logon name
Description: This is the user name that should be used when logging on.

Setting: Unlock account
Description: If you believe that an account is locked due to invalid logon attempts, use this check box to unlock the account.

Setting: User must change password at next logon
Description: When this setting is enabled, the user must change their password during the next logon. If the user does not change their password, they may not be able to log on.

Setting: User cannot change password
Description: If this setting is enabled, the user cannot change their password. This setting overrides any requirements to change a password in the domain password policy. This setting is typically used only for service accounts.

Setting: Password never expires
Description: When this setting is enabled, the user cannot be forced to change their password. This setting overrides any requirements to change a password in the domain password policy. This setting often is used for service accounts, but may also be used for some users that are exempt from changing passwords for political reasons.

Setting: Account is disabled
Description: Enabling this setting prevents users from logging on using this account. This setting is typically used when an employee is out of the office for a long period of time or when an employee is terminated.

Setting: Smart card is required for interactive logon
Description: When this setting is enabled, a user is required to use a smart card to perform logons. Requiring a smart card enhances security in environments with infrastructure to support smart card-based logons.

Setting: Account expires
Description: Allows configuration of a date after which an account is disabled. Typically used only for contract employees or other temporary staff.

Methods to Identify Logon Errors

You can resolve most of errors that relate to logons quickly, once you identify the problem. You can use
the following methods and tools to help you troubleshoot logon errors:

On-screen errors. Most user logon errors provide an accurate description on the screen. However, many users do not interpret these messages correctly. Viewing the error yourself is often more accurate than relying on a user's description of it.

Active Directory Users and Computers. You can use this tool to verify the user's logon name and whether the account is disabled, locked out, or expired. You also can use this tool to unlock the account and reset the password, if necessary.

Event logs. You can use Event Viewer to view event logs that may indicate why a logon error is occurring. The Security log on the computer, or on a domain controller, records authentication failures, including a status code that states the reason for each failure. The System log on the computer indicates whether the computer account is authenticating correctly.

If a user is able to log on, but is unable to access network resources, the logon process might have used the
user's cached credentials because no domain controller could be reached. If this happens, you should verify
network connectivity for the computer, and verify that the computer account is authenticating properly.

If your organization does not restrict user logon to specific computers, the user can attempt to log on to a
second computer, which identifies whether the authentication issue pertains to a specific computer. You
can use the results of this test to limit your troubleshooting to appropriate items. For example, if the issue
is not computer-specific, then it is not a local computer configuration issue.
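The following script is an added example and is not part of the course. It lists recent failed logons from the Security log, translates the NTSTATUS sub-status in each event into the account setting from the table above that usually explains it, and then shows those settings for one account in Active Directory. The status codes are standard Windows NTSTATUS values; the wording of each reason, the computer and the user name (adam) are this example's own assumptions. Run it elevated on the client for local failures, or on a domain controller to see every domain logon failure.

```powershell
# Added example, not the course's own code. Maps the sub-status of event 4625 to the account
# property that usually explains it, then queries the account itself (needs the RSAT
# ActiveDirectory module). Works on Windows PowerShell 2.0 and later.
$LogonFailureReason = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist (check the logon name in ADUC)'
    '0xc0000072' = 'Account is disabled'
    '0xc0000234' = 'Account is locked out (unlock it in ADUC)'
    '0xc0000193' = 'Account has expired (Account expires setting)'
    '0xc0000071' = 'Password has expired (reset it or have the user change it)'
    '0xc000006f' = 'Logon attempted outside the permitted Logon Hours'
    '0xc0000070' = 'Logon from this workstation is not permitted (Log On To restriction)'
    '0xc000015b' = 'Logon type not granted (for example the Allow log on locally right)'
}

function Get-FailedLogon {
    param([int] $Newest = 20, [string] $ComputerName = $env:COMPUTERNAME)
    # Event 4625 = "An account failed to log on". FilterHashtable uses the log's own index, so
    # this stays fast even on a busy domain controller.
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $Newest -ErrorAction Stop `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
    ForEach-Object {
        # The useful fields live in EventData; read them from the event XML by name.
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # SubStatus carries the precise reason; Status alone is usually the generic 0xc000006d.
        $code = ('' + $data['SubStatus']).ToLower()
        if ($code -eq '' -or $code -eq '0x0') { $code = ('' + $data['Status']).ToLower() }
        $reason = 'Status not in this table; see ntstatus.h'
        if ($LogonFailureReason.ContainsKey($code)) { $reason = $LogonFailureReason[$code] }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']     # 2 = interactive, 10 = remote desktop, 3 = network
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            Code        = $code
            Reason      = $reason
        } | Select-Object Time, User, LogonType, Workstation, SourceIP, Code, Reason
    }
}

function Get-AccountLogonState {
    # Returns the account settings from the table above so you can confirm what the
    # event's status code suggests before you unlock, enable, or reset anything.
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)
    $props = 'Enabled', 'LockedOut', 'AccountExpirationDate', 'PasswordExpired',
             'PasswordNeverExpires', 'CannotChangePassword', 'SmartcardLogonRequired', 'LogonWorkstations'
    Get-ADUser -Identity $SamAccountName -Properties $props |
        Select-Object (@('SamAccountName') + $props)
}

# Usage: the newest ten failures on this computer, then the state of one account (assumed name).
Get-FailedLogon -Newest 10 | Format-Table -AutoSize
Get-AccountLogonState -SamAccountName 'adam'
```

Point -ComputerName at a domain controller to see failures for logons that never reached the client's own Security log, and compare the Workstation and SourceIP columns with the computer the user reports to confirm whether the problem is computer-specific.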

Lesson 2
Troubleshooting User Profile Issues

User profiles contain user settings that configure a computer for use by a specific user. In some cases, you
can configure roaming profiles to enable a user to retain their settings when they work on more than one
computer. You must understand user profiles, and how to troubleshoot them, to configure computers
correctly for users.

Objectives
After completing this lesson, you will be able to:
Describe user profiles and their contents.

Describe roaming user profiles.

Discuss user profile issues.


Configure default profiles.

User Profiles and Their Contents

A user profile is a collection of user-specific settings in Windows 7. Each user has a folder in C:\Users that
contains the user's profile. The profile folders in C:\Users are named after the user account. For example, if
the user account is Adam, then the profile folder is C:\Users\Adam. If the account name conflicts with an
existing local user, Windows appends the domain name to the folder name (for example, C:\Users\Adam.CONTOSO).
A user profile contains:

User-specific registry settings (ntuser.dat)

Application configuration files (AppData)

Desktop

Start Menu

Favorites

My Documents

Downloads

Other folders that specific applications create

Windows 7 also has a public profile that it stores in C:\Users\Public. The contents of this public profile are
merged into every user's view of their profile at logon. For example, if you create a shortcut in C:\Users\Public\Desktop,
it appears on the desktop of all users that log on to that computer. For this reason, some applications
store system-wide configuration information in the public profile.

Roaming User Profiles

Windows 7 profiles are local by default, which means that Windows 7 stores them only on the local
computer. If a user logs on to a second computer, none of that user's settings are configured on the
second computer, and any customization in the profile is not available. For example, application
configurations, such as those for Microsoft Office Outlook, or customizations in Microsoft Office Word,
are not available on the new computer.

You can use roaming profiles to allow users to roam between computers and still access their
configuration settings. A network file share stores the roaming profile, and when a user logs on to a new
computer, Windows copies the roaming profile from the network file share to the local computer. When
the user logs off, Windows saves the profile locally, and then uploads it to the network file share.

Using Mandatory Profiles


A mandatory profile is a read-only roaming user profile. You can use a mandatory profile to ensure that
users do not change configuration settings. When the user logs on, Windows copies the mandatory
profile from the server to the local computer, just like a regular roaming user profile. However, when the
user logs off, Windows does not update the mandatory profile on the network share. In most cases,
multiple users share a mandatory roaming profile.

Configuring a Roaming Profile


To configure a user's profile to become a roaming profile, provide a profile path in the properties of the
user account. To change a roaming user profile into a mandatory profile, rename the ntuser.dat file in the
profile to ntuser.man.

If you copy a profile, be sure to use the Copy To functionality in the Profiles window of Advanced System
Settings. This ensures that Windows updates the security permissions, which allows other users to access
the profile.

Note You should never copy a profile by using a simple file copy, because Windows does
not update security permissions properly.

Discussion: Issues with User Profiles

Because user profiles contain the user-specific configuration settings for Windows 7, the configuration of
user profiles has a high impact on user satisfaction. If user profiles are not working correctly, the user may
not have settings such as drive mappings, desktop shortcuts, and application settings.

Question: What are some of the issues that can occur that relate to user profiles?

Default User Profiles

The first time that users log on to computers, Windows 7 creates their profiles by copying the default
profile on the local computers. All of the files and settings in the default profile become part of the user
profile, including the user-specific registry settings in NTUSER.DAT. If users move to a new computer, they
will lose all of their profile customizations, and will have to use a default profile unless you use Windows
Easy Transfer or the User State Migration Tool to migrate profile contents to the new computer.

Windows 7 stores the default profile in C:\Users\Default, which is a system folder that is not visible
normally. Modifying the default profile allows you to configure settings for users before they log on
initially to a computer. Simple modifications, such as adding a desktop shortcut, are easy to accomplish by
placing the appropriate file in the default profile.

Modifying the registry settings in the default profile is relatively complex. The method that Microsoft
supports for modifying the default profile (including the registry) is to run sysprep.exe, the tool that prepares a
computer for imaging, with an answer file in which the CopyProfile setting is set to true. Sysprep.exe then copies
the customized profile of the built-in Administrator account to become the default profile. It is not possible to
copy and paste another profile over the default profile, as was possible in earlier Windows versions.

Note Because changes to the default profile do not propagate to user profiles after the
first logon, we do not recommend that you configure user profiles by modifying the default
profile. For this reason, most organizations use Group Policy to configure user environments
instead of modifying the default profile.

Lesson 3
Troubleshooting File Access Issues

One of the most common tasks that users perform is to access and modify documents, which requires that
users have access to those documents.

Most users access documents over the network by using mapped drives. You can configure mapped
drives manually, by using logon scripts, and by using Group Policy Preferences. When users disconnect
from the network, they can use offline files and folders to continue working on cached copies of network
documents. You need to understand and be able to troubleshoot all of these methods for accessing files.

Objectives
After completing this lesson, you will be able to:

Discuss issues with file access.

Describe how you can configure drive mappings manually.

Describe how you can use logon scripts for drive mappings.

Create a drive mapping by using Group Policy Preferences.

Describe offline files and folders.

Describe how to troubleshoot offline files and folders.

Describe folder redirection.



Discussion: Issues with File Access

Most organizations store files centrally on a file share. Users can access file shares by using a Universal
Naming Convention (UNC) path, but that is too complex for most users. Typically, users are given a drive
mapping that connects them to a file share. Windows 7 also provides the option to redirect folders and to
use offline files and folders.
Question: What are some of the issues that can occur with file access?

Configuring Drive Mappings Manually

Drive mappings provide an easy way for users to access network files. It is common for organizations to
have standardized drive mappings for access to network files. For example, drive S maps to a shared
folder with shared files, and drive H maps to a user's home folder.

You can create drive mappings manually for users on their computers. However, Windows does not retain
drive mappings that you create manually across logon sessions, unless you select the Reconnect at
logon option during creation, which makes the drive mapping persistent. Windows stores persistent drive
mappings in the user profile, under the HKEY_CURRENT_USER\Network registry key.
Configuring drive mappings manually typically is beneficial and prudent only for very small organizations.
It is time-consuming and inefficient to create drive mappings manually in each user profile, because
changing drive mappings requires you to visit each user's computer.

Note Creating a drive mapping does not configure the necessary permissions so that a user
can access and modify files. You must configure permissions in a separate step.

Using Logon Scripts to Configure Drive Mappings

One common way to implement drive mappings is by using logon scripts. You can configure a logon
script in the properties of a user account or in a Group Policy object (GPO). Logon scripts that are referenced in
user properties are stored in the Netlogon share of each domain controller. Logon scripts that are configured in a
GPO are stored as part of the GPO in the Sysvol folder of domain controllers.

The main benefits of using logon scripts for drive mappings are:

Cross-computer application. A logon script runs on each computer to which a user logs on. This
ensures that the drive mapping appears on each computer to which the user logs on, without having
to use roaming profiles.

Simplified updates. When you need to update drive mapping, you only have to update a single,
central logon script, rather than having to update multiple user profiles individually and manually.

Increased flexibility. You can configure scripts to perform drive mappings that are specific to users,
groups, and computers.
The syntax for creating drive mappings varies depending on the type of logon script that you are using.
Two of the most common types of logon scripts are batch files (.bat) and Visual Basic Scripting Edition
(VBScript) (.vbs). Windows Server 2008 R2 and Windows 7 add the ability to use Windows PowerShell for
logon scripts. The following examples map drive S to \\Server1\SharedData.

The syntax for mapping a drive in a batch file is:

net use S: \\Server1\SharedData

The syntax for mapping a drive in VBScript is (both arguments are strings, so the UNC path must be quoted):

Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "S:", "\\Server1\SharedData"

The syntax for mapping a drive in PowerShell is:

$network = New-Object -ComObject WScript.Network
$network.MapNetworkDrive("S:", "\\Server1\SharedData")
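The following logon script is an added example and is not part of the course. It shows the three benefits described above in working form: a standard set of drives for everyone, extra drives targeted at members of specific groups, and a single place to change the mappings. Server1, the share names, the CONTOSO\Marketing and CONTOSO\Finance groups and the log file location are assumptions.

```powershell
# Added example, not the course's own code. Assign it under User Configuration\Policies\
# Windows Settings\Scripts (Logon/Logoff) in a GPO. Works on Windows PowerShell 2.0 and later.
$Mappings = @(
    @{ Letter = 'S'; Path = '\\Server1\SharedData';        Group = $null }               # everyone
    @{ Letter = 'H'; Path = "\\Server1\Home\$env:USERNAME"; Group = $null }               # per-user home folder
    @{ Letter = 'M'; Path = '\\Server1\Marketing';         Group = 'CONTOSO\Marketing' } # assumed group
    @{ Letter = 'F'; Path = '\\Server1\Finance';           Group = 'CONTOSO\Finance' }   # assumed group
)
$LogFile = Join-Path $env:TEMP 'logon-script.log'   # assumed location for failure records

# Group membership is read from the logon token, so nested groups count and no directory query
# is needed; SIDs that cannot be translated to a name (logon SIDs and so on) are kept as SIDs.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = foreach ($g in $token.Groups) {
    try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
}

$net = New-Object -ComObject WScript.Network
foreach ($m in $Mappings) {
    if ($m.Group -and ($groups -notcontains $m.Group)) { continue }   # not targeted at this user
    $drive = $m.Letter + ':'

    # EnumNetworkDrives returns letter, path, letter, path, ... A stale mapping (old server) or a
    # persistent one the user created on the same letter makes MapNetworkDrive fail, so remove it.
    $current = @($net.EnumNetworkDrives())
    for ($i = 0; $i -lt $current.Count; $i += 2) {
        if ($current[$i] -eq $drive) { $net.RemoveNetworkDrive($drive, $true, $true); break }
    }
    try {
        # Third argument $false = not persistent: the script recreates the mapping at every logon,
        # so editing $Mappings changes every computer without touching a single user profile.
        $net.MapNetworkDrive($drive, $m.Path, $false)
    } catch {
        # One unreachable share must not stop the remaining mappings; leave a trace for the help desk.
        Add-Content -Path $LogFile -Value ('{0} {1} -> {2}: {3}' -f (Get-Date), $drive, $m.Path, $_.Exception.Message)
    }
}
```

Because the mappings are created as non-persistent, nothing is written to the user's profile; if a user later reports a missing drive, the log file and the group list in the token (whoami /groups) are the two things to check first.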

Demonstration: Using Group Policy Preferences for Drive Mappings

Windows Server 2008 introduced Group Policy Preferences, which you can use to map network drives.
Mapping drives with Group Policy Preferences provides all of the benefits of centralized control that
logon scripts provide, but is simpler to implement because you do not need to know the correct scripting
syntax.
In this demonstration, you will see how to use a Group Policy preference to map a drive letter for the
Marketing group.

Demonstration Steps
1. On NYC-DC1, open Group Policy Management.

2. Create a new GPO linked to the domain.

3. Edit the GPO, and then browse to User Configuration\Preferences\Windows Settings\Drive Maps.

4. Create a new Mapped Drive for \\NYC-DC1\Marketing that uses the letter M.

5. On the Common tab of the Drive Map, enable Item-level targeting.

6. Target the Drive Map to the Marketing security group.



What Are Offline Files?

Offline files are a Windows 7 feature that caches copies of network files on the local computer. When the
network is available, users work on the network version of the file, and Windows 7 updates the locally cached
copy automatically.

When the network is unavailable, users automatically work on the local copy of the file. To the user, it
appears that they are working on the network version of the file. When the network becomes available
again, Windows 7 updates the network version of the file.

Each time that users connect to a shared folder that is enabled for offline files, Windows 7 scans for
changes to files that are cached locally, and then updates the cached copies, as necessary. If the network
version of a file and the locally cached version of a file are both modified, a sync conflict occurs.

When a sync conflict occurs, users receive an error symbol on the Sync Center icon in the notification area.
Many users may not notice this icon, and even if they notice it, they may not know how to respond to it.
When a sync conflict occurs, users must view sync conflicts in Sync Center to resolve them. If users do not
resolve sync conflicts, Windows 7 does not upload the local computer's cached document to the network,
and the network version of the document never downloads to that computer. This creates a situation in
which there are two versions of the document. However, users typically are unaware of this.

In Sync Center, users can choose which version of a file to keep when a sync conflict occurs. Alternatively,
users can choose to keep both versions of a file. You must teach users how to use Sync Center to select
which version to keep. In many cases, the users should keep both versions of the file, and then
synchronize the content between them manually.

Sync Center also may show you sync errors. Sync errors occur when Windows cannot sync with a particular
location. This typically occurs when the location, such as a file share, is unavailable to the user. Review the
specific error message to determine the course of action necessary to correct a sync error.

Troubleshooting Offline Files

Synchronization errors are the main problem that occurs related to offline files. However, there may also
be situations where offline files are not available. If offline files are not available, you should verify the
following:

Offline files are enabled in Windows 7. By default, offline files are enabled in Windows 7, but may
have been disabled manually by the user or by a Group Policy object.

Offline files are enabled on the share. It is possible that the share is not configured to allow offline
files. In such a case, users cannot use the files offline. A shared volume for many users may have
offline files disabled to avoid conflicts.

The user cached the file. The default configuration for a file share specifies that only files specifically
selected for offline use are cached. If the user did not manually select that the file should be made
available offline, then it is not. A file share can be configured so that all files that are accessed are
cached.

The user is logged on with a domain account. For files to be available offline, the user must be logged on
with the same credentials that were used when the files were made available offline. If the user logs on
with a local user account while disconnected from the domain, the files are not available offline. The user
should log on with the domain account, using cached credentials, when disconnected from the domain.
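The following check is an added example and is not part of the course. Run it on the Windows 7 client, as the affected user, to test the four conditions above for one network file. The Win32_OfflineFilesCache and Win32_OfflineFilesItem WMI classes and the NetCache policy key are Windows' own; the share-side query assumes Windows Remote Management is enabled on the file server and that you are an administrator there. Server1 and the file path are assumptions.

```powershell
# Added example, not the course's own code. Works on Windows PowerShell 2.0 and later.
function Test-OfflineFileReady {
    param([Parameter(Mandatory = $true)] [string] $UncPath)   # e.g. \\Server1\SharedData\budget.xlsx
    $r = @{ Path = $UncPath }

    # 1. Offline Files enabled on this client? The cache object reports the effective state; the
    #    NetCache policy value Enabled = 0 means a GPO disallowed the feature.
    $cache  = Get-WmiObject -Class Win32_OfflineFilesCache
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache' -ErrorAction SilentlyContinue
    $r.ClientEnabled = [bool] $cache.Enabled
    $r.ClientActive  = [bool] $cache.Active          # enabled but not active: a restart is still pending
    $r.DisabledByGpo = ($policy -ne $null -and $policy.Enabled -eq 0)

    # 2. Caching allowed on the share? Only the server knows; 'net share <name>' there prints a
    #    Caching line such as "Manual caching of documents" or "Caching disabled".
    $parts  = $UncPath.TrimStart('\') -split '\\'
    $server = $parts[0]; $share = $parts[1]
    try {
        $lines = Invoke-Command -ComputerName $server -ArgumentList $share -ScriptBlock { param($s) net.exe share $s }
        $r.ShareCaching = ($lines | Where-Object { $_ -match '^Caching' }) -join ' '
    } catch {
        $r.ShareCaching = "could not query $server : $($_.Exception.Message)"
    }

    # 3. Was this file made available offline? With the default Manual caching the user must pin it.
    $item = Get-WmiObject -Class Win32_OfflineFilesItem | Where-Object { $_.ItemPath -eq $UncPath }
    $r.InCache = ($item -ne $null)
    $r.Pinned  = if ($item) { [bool] $item.PinInfo.Pinned } else { $false }

    # 4. Logged on with a domain account? A local account is a different user as far as the cache is concerned.
    $r.DomainLogon = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    New-Object PSObject -Property $r |
        Select-Object Path, ClientEnabled, ClientActive, DisabledByGpo, ShareCaching, InCache, Pinned, DomainLogon
}

# Usage: every False, and a "Caching disabled" line, points at the condition that is failing.
Test-OfflineFileReady -UncPath '\\Server1\SharedData\budget.xlsx'
```

If DisabledByGpo is True, fixing it on the client is pointless; find the GPO with gpresult /h and change it there. If the share reports caching disabled, the administrator of the file server has to change the share's Caching setting.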

What Is Folder Redirection?

Folder redirection centralizes storage of some user profile folders on a network file share instead of in the
local profile. Unlike roaming profiles, the folders are not synchronized between the network file share and
the local computer. The content for redirected folders exists only on a network file share. This means that
large amounts of data can exist in a redirected folder without affecting logon times.
Some reasons to use folder redirection include:

Ensuring My Documents is backed up. Many users save documents in My Documents by default. If
this folder is on the local hard drive, these files may never be backed up. However, you can redirect
the contents of My Documents to a home folder or a shared network drive, where they are included in server backups.

Minimizing the size of roaming profiles. Redirecting folders takes them out of a roaming profile. This
reduces the size of roaming profiles, which results in better logon performance.
You can configure folder redirection manually or by using a GPO. For example, for the My Documents
folder, you can configure redirection on the Location tab in the properties of My Documents, or by using
a GPO.
When you redirect a folder, you have the option to copy the files from the current location to the new
location. If you forget to copy the files, they are not available to the user. The files continue to exist in the
old location, and users can copy them at a later time.

Troubleshooting Folder Redirection


The most common issue that occurs when you configure folder redirection manually is that you forget to
reconfigure it when you assign a user to a new computer, or when you disable folder redirection by
accident.

If you configure folder redirection by using Group Policy, the most common issue that occurs is that the
Group Policy object does not apply to the user properly. This typically occurs because the user account is
not in the correct organizational unit (OU).

Lesson 4
Troubleshooting File Permissions Issues

Objectives
After completing this lesson, you will be able to:

Describe shares and share permissions.


Describe permissions for NTFS file systems.

Describe permission inheritance for NTFS.

Describe the interaction between NTFS and share permissions.


Calculate effective permissions.

Troubleshoot permissions for file access.



Shares and Share Permissions

When you share a folder, the files in that folder and its subfolders are accessible over the network. You can
use share permissions to control access to a share's contents and to control what actions users can take with
them. Share permissions apply only when users go through the share to access files over the network. The
share permissions also are the same for all share contents; share permissions cannot vary by file or folder.
The share permissions are:

Full control. Allows all permissions, including the ability to change permissions.

Read. Allows users to read existing files, but not modify them or create new files.

Change. Allows users to create new files or delete, modify, and read existing files.

When you assign permissions, you can set each permission to Allow, or to Deny. For example, you can
assign a read permission of Allow to a group, while assigning a single user in the group a read permission
of Deny, which denies that user read permissions.

You can configure file shares on Windows 7 computers or on network servers.

Note Most organizations store all files on a network server that a network administrator
manages.

The default share permissions on a file share vary, depending on the version of Windows that is sharing
the folder, and by how you create the shared folder. Incorrectly configured share permissions are most
likely to occur when you create a new share or when you move a share to a new server.

NTFS Permissions

You can use NTFS permissions to control which users or groups can access or modify files and folders on
partitions that you format with NTFS. These permissions are much more flexible than share permissions,
because you can assign them individually for each file or folder, as necessary. NTFS permissions apply
when users access files locally or over the network.
In most cases, the default NTFS permissions on a Windows 7 computer are sufficient and require no
modification. For example, the default NTFS permissions define a user profile as a user's private
workspace, which is the configuration that most users want. However, you typically configure custom
permissions for a network file share so that only the users you specify can access specific files.

To modify the NTFS permissions on a folder or file, you must have the Change Permissions permission on it,
which the Full Control permission includes. The one exception is for file and folder owners: the owner of a file
or folder can modify its NTFS permissions even if they do not have any other NTFS permissions on it.
Administrators are able to take ownership of files and folders to make modifications to NTFS permissions.

There are both basic and advanced NTFS permissions. You most commonly use the basic permissions.
With advanced NTFS permissions, you have very fine control over access to files and folders, but they are
complex to manage.

The basic NTFS permissions are:

Full control. Allows all permissions, including the ability to modify NTFS permissions and take ownership.

Modify. Allows all file and folder modification activities, including deletion, except modification of NTFS permissions and taking ownership.

Read and Execute. Allows reading and execution of a file. When applied to folders, it also allows the listing of folder contents and traversal into subfolders.

List folder contents. Allows the listing of a folder's contents. This applies only to folders.

Read. Allows the reading of file contents, attributes, and permissions.

Write. Allows the modification of file contents and attributes, but not NTFS permissions or ownership. This does not allow file deletion. For a folder, this allows the creation of new files and subfolders in the folder.

NTFS Permission Inheritance

By using permissions inheritance, you can set NTFS permissions on a folder, and NTFS applies those
permissions to that folders files and subfolders automatically. This means that you can set NTFS
permissions for an entire folder structure at a single point, and when you need to modify them, you can
modify them at a single point.
You can block permission inheritance if you want to restrict access to a subfolder. For example, say
you assign the Modify permission to all accounting users on the ACCT folder. On the subfolder WAGES, you
can block the permissions inherited from the ACCT folder, so that only a few specific users have access to
the WAGES folder.

When you block permissions inheritance, you have the option to copy existing permissions or begin with
blank permissions. If you want to restrict a particular group or user, then copying existing permissions
simplifies the configuration process.

You also can add permissions to files and folders below the initial point of inheritance, without modifying
the original permissions assignment. You do this to grant a specific user or group a different file access
than its inherited permissions.

Interaction of Share and NTFS Permissions

When you combine NTFS and share permissions, whichever permission is most restrictive applies. For
example, if you assign a user Full Control NTFS permissions to a file, but that user is accessing the file
through a share with Read permission, the user has read access only to the file.

To simplify permission assignment, you can grant the Everyone group the Full control share permission on all
shares, and use only NTFS permissions to control access. Alternatively, restrict share permissions to the minimum
necessary (for example, Change rather than Full control) to provide an extra layer of protection in case you
configure NTFS permissions incorrectly.

Demonstration: Calculating Effective Permissions

Effective permissions are the permissions that a user actually has to a file or folder, which may be different
from the permissions that you assign or grant to that specific user. User and group permissions combine to
determine effective permissions. For example, you assign a user the Read permission, and then you assign the
Modify permission to a group of which the user is a member. The effective permissions of the user are
Modify.

When you combine permissions, Deny permission overrides Allow permission. For example, if you assign a
group the Modify permission to a folder, and you deny a user that is a member of that group the Modify
permission for the same folder, the user is ultimately denied the Modify permission for the folder.

Note Calculations for effective permissions include only NTFS permissions. If effective
permissions are correct, but a user still does not have the necessary access to a file, verify the
share permissions are correct.

In this demonstration, you will see how to calculate effective permissions.

Demonstration Steps
1. On NYC-CL1, open the Properties of C:\Program Files.

2. On the Security tab, open the Advanced security settings.

3. On the Effective Permissions tab, select Contoso\Adam, and then read the effective permissions.

4. Select Contoso\Administrator, and then read the effective permissions.



Troubleshooting File Access Permissions

If a client computer is connected properly to the network, then most network file access problems are due
to permissions that are configured incorrectly. This is most likely to occur for new users or during the
creation of new file shares.

The first troubleshooting step that you should perform is checking the user's effective NTFS permissions. If
the effective permissions are not what you expect them to be, you must identify how to assign the correct
permissions to that user. In most cases, you assign a group the appropriate NTFS permissions, so your first
step is to verify that the user is a member of the correct group(s). Be aware that a change in group membership
takes effect only after the user logs off and on again, because group SIDs are placed in the access token at logon.
When you are evaluating NTFS permissions, be aware that the Deny permission overrides the Allow
permission. For example, if your group has the Modify permission set to Allow, and a user in that group
has the Modify permission set to Deny, the user is denied the Modify permission.
If the effective NTFS permissions are correct, then you should verify that the share permissions are
configured correctly. Share permission can limit the ability of users to access and modify files, even if the
appropriate NTFS permissions are assigned. For example, if you assign a group Read share permission and
Modify NTFS permission, the members of the group are limited to Read permission.

To simplify the interaction of share and NTFS permissions, many organizations assign the Everyone group
Full Control share permission. This means that NTFS permissions control access to files.
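The following function is an added example and is not part of the course. It performs the calculation that the Effective Permissions tab and the troubleshooting steps above describe: it collects the user's SIDs from a logon token, accumulates the Allow entries that match, lets any Deny bit win, and then intersects the result with a share permission so that the most restrictive side applies. The path, the share permission and the user (adam@contoso.com) are assumptions you pass in; evaluating a user other than yourself builds that user's token with S4U and therefore needs a domain-joined computer.

```powershell
# Added example, not the course's own code. Works on Windows PowerShell 2.0 and later.
function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Leave empty for the logged-on user, or give a UPN such as adam@contoso.com (assumed).
        [string] $UserPrincipalName,
        [ValidateSet('None', 'Read', 'Change', 'FullControl')] [string] $SharePermission = 'FullControl'
    )

    $identity = if ($UserPrincipalName) {
        New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
    } else {
        [System.Security.Principal.WindowsIdentity]::GetCurrent()
    }
    # Every SID the token carries: the user plus all groups, nested ones included. This is why
    # checking group membership is the first troubleshooting step.
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                      # orphaned SID of a deleted account: matches nobody
        if ($sids -notcontains $sid) { continue }
        # Keep only the specific-rights bits; inherit-only entries written with generic rights
        # show up as large negative values and do not apply to this object itself.
        $mask = ([int] $ace.FileSystemRights) -band 0x1F01FF
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask } else { $deny = $deny -bor $mask }
    }
    $ntfs = $allow -band (-bnot $deny)          # Deny overrides Allow, bit by bit

    # Share permissions expressed as the NTFS bits they let through: Read = Read & Execute,
    # Change = Modify, Full Control = everything. The more restrictive side wins.
    $shareBits = @{
        None        = 0
        Read        = [int] [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        Change      = [int] [System.Security.AccessControl.FileSystemRights]::Modify
        FullControl = [int] [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    $effective = $ntfs -band $shareBits[$SharePermission]

    New-Object PSObject -Property @{
        User      = $identity.Name
        Path      = $Path
        NtfsOnly  = [System.Security.AccessControl.FileSystemRights] $ntfs
        Share     = $SharePermission
        Effective = [System.Security.AccessControl.FileSystemRights] $effective
    } | Select-Object User, Path, NtfsOnly, Share, Effective
}

# Usage (assumed path and user): what Adam gets when the folder is shared with the Read share permission.
Get-EffectiveAccess -Path 'C:\Shares\Marketing' -UserPrincipalName 'adam@contoso.com' -SharePermission Read
```

Run it on the file server, where the NTFS ACL and the share live. If NtfsOnly already lacks the right the user needs, the fix is an NTFS permission or a group membership; if NtfsOnly is correct and only Effective is short, the share permission is the limit, which matches the order of checks given above.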

Lesson 5
Troubleshooting Printer Access Issues

When users finish working with documents, they often print them. If users cannot print their documents,
they may become frustrated.

To ensure that printing is available to users, and that it functions correctly, you must understand the
Windows 7 printing architecture and how to install printers. You also need to understand how to install
printer drivers and how location-aware printing works.

Objectives
After completing this lesson, you will be able to:

Discuss issues related to printer access.

Describe the Windows 7 printing architecture.

Describe methods to install printers.

Describe the installation of printer drivers on clients.

Add a printer driver to a network printer.

Describe how location-aware printing works.



Discussion: Printer Access Issues

Printing is one of the core network services that your organization provides to users. When users cannot
print properly, they typically become frustrated and often call the help desk.

Question: What are some the issues that can arise that relate to printing?

Windows 7 Printing Architecture

Windows Vista and Windows Server 2008 introduced a new printing process based on the XML Paper
Specification (XPS). This printing process included a number of improvements in print quality and color
management, and it lowered processing requirements. Windows Server 2008 R2 and Windows 7 continue
to use XPS-based printing, which only newer applications that use the Windows Presentation Foundation
(WPF) Application Programming Interface (API) print through directly.

Windows 7 is backward compatible with printing based on Graphics Device Interface (GDI) that Win32
applications use. Windows 7 also supports using GDI-based printer drivers. If necessary, Windows 7
converts a print job from GDI to XPS, or from XPS to GDI.

Some older printer drivers written for Windows XP were written to run in kernel mode, and do not
work with Windows 7, whose print spooler does not load kernel-mode printer drivers. Many other printer drivers
written for Windows XP work with Windows 7. However, you should obtain a printer driver specifically
written for Windows 7 if one is available.

Methods for Installing Network Printers

One of the most important tasks when you are configuring network printing is the installation of printers
on client computers. There are several ways to install printers on Windows 7 client computers, which the
following table details.

Manually browse to a server. Users or administrators can install network printers on a Windows 7 client computer by browsing to a print server, and then double-clicking the icon for the shared printer. The drawback to this method is that it relies on users knowing which server is sharing the printer, which is not the case in most organizations.

Manually search Active Directory. When a printer is shared, the print administrator has the option to list the printer in AD DS. Users that run the Add Printer Wizard can search AD DS to locate the printer. The printer can also be configured with a location property that makes it easier to locate an appropriate printer.

GPO configured by Print Management. You can use the Print Management administrative tool that is available on Windows Server 2008 print servers, Windows Vista, and Windows 7 to add printers to a GPO for distribution to computers or users. The GPO applies to users and computers based on the Active Directory OU to which the GPO is linked.
MCT USE ONLY. STUDENT USE PROHIBITED
7-40 Troubleshooting and Supporting Windows 7 in the Enterprise

(continued)

Installation method Description


Group Policy Preferences You can use Group Policy Preferences to distribute printers to users and
computers by using a GPO.
Group Policy Preferences are more flexible than a GPO that you configure by
using Print Management because you can target printers that you distribute
as Group Policy Preferences based on criteria such as security groups,
Lightweight Directory Access Protocol (LDAP) queries, IP address range,
and OU.

Manual methods for printer installation generally are not scalable, even in medium-sized organizations. It
is too time-consuming to add and remove the required printers manually on users' computers.

Installing Printer Drivers on Clients

Installation of printer drivers, and the permissions required to install printer drivers, vary depending on
how you install the printer. Standard users have the necessary permissions to install both local and
network printers, but not to add new printer drivers.

When you add a new local printer, Windows 7 searches for an appropriate printer driver in the driver
store. If Windows 7 does not find an appropriate driver in the driver store, standard users are unable to
install the printer. To allow a standard user to install the printer, an administrator can stage an appropriate
printer driver package in the driver store by using pnputil.exe. Alternatively, you can edit the local security
policy to grant standard users the "Load and unload device drivers" user right. Prefer staging: that user
right (SeLoadDriverPrivilege) lets its holder load any kernel driver, which is equivalent to administrative
control of the computer, so it should not be granted to standard users to solve a printing problem.
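The following PowerShell is an added example and is not part of the course text. Run from an elevated prompt on the Windows 7 client, it checks the driver package's catalog signature, stages the package into the driver store with pnputil.exe, and confirms it is listed, so that a standard user can afterwards add the printer from the Add Printer wizard without any extra user rights. The folder C:\Drivers\Printer, the model name "Contoso Laser 1000" and the share name on NYC-DC1 are assumptions.

```powershell
# Added example, not from the course text. Run elevated on the Windows 7 client.
# Assumptions: the driver package (INF, CAT and binaries) is in C:\Drivers\Printer
# and the model name in the INF is "Contoso Laser 1000".
$DriverFolder = 'C:\Drivers\Printer'
$Inf = Get-ChildItem -Path $DriverFolder -Filter *.inf | Select-Object -First 1
if (-not $Inf) { throw "No INF file found in $DriverFolder" }

# A driver package is trusted through its catalog (.cat) signature. Refuse to
# stage a package whose catalog is missing or whose signature does not verify:
# staging unverified driver code is what the "load drivers" right would allow,
# only done silently for every user of the machine.
$Cat = Get-ChildItem -Path $DriverFolder -Filter *.cat | Select-Object -First 1
if (-not $Cat) { throw 'Driver package has no catalog file; do not stage it' }
$Sig = Get-AuthenticodeSignature -FilePath $Cat.FullName
if ($Sig.Status -ne 'Valid') {
    throw "Catalog signature status is '$($Sig.Status)' (signer: $($Sig.SignerCertificate.Subject))"
}

# Stage the package. pnputil copies it into the driver store under an oemNN.inf
# name; from then on a standard user can install a printer that uses it.
pnputil.exe -a $Inf.FullName
if ($LASTEXITCODE -ne 0) { throw "pnputil.exe returned exit code $LASTEXITCODE" }

# Verify it is present. pnputil -e lists every third-party package in the store
# (published name, provider, class, date/version, signer); show the Printers ones.
pnputil.exe -e | Select-String -Pattern 'Printers' -Context 2,2

# Optional, for a shared printer: add a per-machine connection as an
# administrator so every user of this computer gets it at logon. The driver
# then comes from the print server rather than from the local store.
# rundll32.exe printui.dll,PrintUIEntry /ga /n "\\NYC-DC1\Contoso Laser 1000"
```

After pnputil -a succeeds, a standard user adding the local printer through the Add Printer wizard finds the driver in the store and needs no elevation; the signature check before staging is the step that keeps that convenience from becoming a way to introduce untrusted code.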

Using a print server makes the installation of printer drivers much easier to manage. When you install
network printers from a print server, Windows 7 downloads the printer driver from the print server, and
then installs it. This is true even if a standard user is adding the printer manually.

Demonstration: Adding a Printer Driver to a Network Printer

Windows 7 computers download printer drivers from the print server during the printer installation
process. You must ensure that a print server has appropriate drivers available for various types of client
computers. For example, the 64-bit version of Windows 7 requires a different driver than the 32-bit
version.
If the print server is an older version of Windows, such as Windows Server 2003, you may need to use the
Print Management administrative tool on a newer version of Windows, such as Windows 7, to add the
appropriate driver to the print server.
In this demonstration, you will see how to add a printer driver for a network printer.

Demonstration Steps
1. On NYC-DC1, open Server Manager.

2. Add the Print and Document Services role with the Print Server role service.

3. Open the Print Management administrative tool.

4. Create a new printer using an existing printer port with all default settings.
5. Open the Properties of the new printer.

6. On the Sharing tab open the Additional Drivers.

7. Start the installation of an x86 driver for the printer, and then Cancel the installation.
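As an added example that is not part of the course demonstration, the following PowerShell does the same work as the Additional Drivers dialog from the command line, using the prndrvr.vbs script that ships with Windows 7 and Windows Server 2008 R2 under %SystemRoot%\System32\Printing_Admin_Scripts, and then verifies through WMI that the print server offers the model for both client architectures. The server name NYC-DC1, the package path C:\Drivers\x86\contoso.inf and the model name "Contoso Laser 1000" are assumptions.

```powershell
# Added example, not from the course text. Run from an elevated prompt on the
# print server, or on a Windows 7 computer with -s pointing at the server.
# Assumptions: server NYC-DC1; the 32-bit driver package is in C:\Drivers\x86
# with INF contoso.inf; the model name in the INF is "Contoso Laser 1000".
$Server  = 'NYC-DC1'
$Model   = 'Contoso Laser 1000'
$PkgDir  = 'C:\Drivers\x86'
$Scripts = Join-Path $env:SystemRoot 'System32\Printing_Admin_Scripts\en-US'
$PrnDrvr = Join-Path $Scripts 'prndrvr.vbs'

# Which drivers does the server hold today, per processor architecture?
cscript.exe //nologo $PrnDrvr -l -s $Server

# Add the x86 user-mode driver. -v 3 selects a version 3 (user-mode) driver;
# Windows 7 clients will not load version 2 (kernel-mode) drivers at all.
cscript.exe //nologo $PrnDrvr -a -m $Model -v 3 -e 'Windows NT x86' `
    -s $Server -h $PkgDir -i (Join-Path $PkgDir 'contoso.inf')
if ($LASTEXITCODE -ne 0) { throw "prndrvr.vbs failed with exit code $LASTEXITCODE" }

# Confirm both architectures are now offered for the model. Win32_PrinterDriver
# names have the form "<model>,<version>,<environment>".
$drivers = Get-WmiObject -Class Win32_PrinterDriver -ComputerName $Server |
    Where-Object { $_.Name -like "$Model,*" }
$drivers | Select-Object Name, SupportedPlatform, Version, DriverPath

# A 64-bit and a 32-bit Windows 7 client each need their own package.
$platforms = $drivers | ForEach-Object { $_.SupportedPlatform }
foreach ($required in 'Windows NT x86', 'Windows x64') {
    if ($platforms -notcontains $required) {
        Write-Warning "No $required driver for '$Model' on $Server; clients of that architecture cannot connect"
    }
}
```

The final loop is the check worth keeping as a routine: a shared printer that is missing one architecture's driver fails only for the clients of that architecture, which is easy to misread as a client-side problem.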

Location-Aware Printing

Location-aware printing helps roaming users move between locations, while maintaining access to the
correctly configured default printer.

As users connect to a new network, they can set the default printer for that network. The next time they
reconnect to that network, the default print setting changes automatically to the default printer that they
defined previously for that specific network.

When a Windows 7 computer connects to a new network, it identifies the media access control (MAC)
address of the default gateway. Windows 7 uses this address as a unique identifier for the network.

If your organization's network equipment changes, and the MAC address of the default gateway changes,
Windows 7 identifies the network as a new network. This may cause the default printer to be set
incorrectly for the network. You should make users aware of this possibility when changing a network's
default gateway.

Lab: Troubleshooting Logon and Resource Access Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso
5. Repeat steps 2 and 3 for 6293A-NYC-CL1 and 6293A-NYC-CL2. Do not log on until directed to do so.

Lab Scenario
The help desk has received a number of trouble tickets that relate to file access. Because you are the
desktop support technician that is the most experienced with file access, the tickets have been assigned to
you.

Exercise 1: Troubleshooting Offline Files


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported offline files problem that Tier 1
help-desk staff could not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 602567.

2. Update the Plan of Action section of the Incident Record.


3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602567

Date of Call March 25


Time of Call 14:45
User Alan Brewer (Research)
Status OPEN

Incident Details
A user with a laptop computer reports that offline files are not synchronizing properly when he
disconnects from the network.

Additional Information
User reports that when he roams in the office and reconnects to the wired network, his updated files
are not synchronizing properly. This is a problem, because other users also have access to these files,
and if the files are not synchronized, users have to look through the files and merge changes
manually, which is time-consuming.
Steps to recreate the problem:
1. On NYC-CL1, create and open a file on the research share at \\NYC-DC1\Research.
2. Modify the contents of the file, and then save it.
3. Keep the file open, and then disconnect from the network.
4. Modify the contents of the file, and then save it.
5. Reconnect the computer to the network and close the file.
6. On NYC-CL2, open the file on the research share, and then verify that the latest changes are not
synchronized.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 602567


Read the help-desk Incident Record for Incident 602567.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Attempt to resolve the problem


1. Using your knowledge of offline files issues and troubleshooting, attempt to resolve the problem.

To perform your troubleshooting, you first need to recreate the issues, and then verify the
problem.

To simulate disconnecting from the network, you can disable the network adapter in NYC-CL1.

2. Update the Resolution section of the Incident Record.


3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.

4. If necessary, revert your virtual machines by using the following procedure:


On the host computer, start Hyper-V Manager.
Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.
In the Revert Virtual Machine dialog box, click Revert.
Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.
In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on by using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Contoso
Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved a problem with offline files not synchronizing properly

Exercise 2: Troubleshooting a Missing Drive Mapping


Scenario
In this exercise, you will resolve the reported missing drive mapping problem that Tier 1 help-desk staff
could not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 602568.

2. Update the Plan of Action section of the Incident Record.


3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602568

Date of Call March 25


Time of Call 15:03
User Max Stevens (Research)
Status OPEN

Incident Details
User reports that he does not have access to the research share.

Additional Information
User reports that he started his job last week, and does not have access to the research share, which is
at \\NYC-DC1\Research. He is logging on to NYC-CL1.
I walked the user through accessing the share by using the UNC path. This is an acceptable short-term
solution. However, this user should have the drive letter R mapped to the research share like other
users.
Drive mappings have been converted to Group Policy Preferences. I've confirmed that the user
account is in the correct OU.
Other research users like Alan Brewer have no problems with the drive mapping.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 602568


Read the help-desk Incident Record for Incident 602568.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.

2. Run the D:\Labfiles\Mod07\Scenario2.vbs script.

3. Click OK to close the window, indicating that the script is complete.


4. Log off NYC-CL1.

X Task 4: Attempt to resolve the problem


1. Using your knowledge of drive mapping issues and troubleshooting, attempt to resolve the problem.

2. Update the Resolution section of the Incident Record.


3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.
In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator


Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved a problem with a missing drive mapping.

Exercise 3: Troubleshooting Missing Files in My Documents


Scenario
In this exercise, you will resolve the reported missing files problem that Tier 1 help-desk staff could not
resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 602093.

2. Update the Plan of Action section of the Incident Record.


3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 602093

Date of Call March 26


Time of Call 09:00
User Preeda Ola (Research)
Status OPEN

Incident Details
User reports that files are missing from the My Documents folder after being given a new computer
with our standard operating system configuration.

Additional Information
The user has a new workstation configured with our default image. We have trained users not to save
information into My Documents, and have warned them that the files in My Documents are not
backed up.
I logged onto the users old computer, and no files were in his My Documents folder. Eventually, we
found the files in his home folder, which was mapped to drive H.
I don't know how it was configured before, but this user wants My Documents to include the files in
his home drive instead of accessing them through drive H. Because this user is a department head, we
need to do this.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 602093


Read the help-desk Incident Record for Incident 602093.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Attempt to resolve the problem


1. Using your knowledge of folder redirection issues and troubleshooting, attempt to resolve the
problem.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.


In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso
Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved a problem with missing files in My Documents.

Exercise 4: Troubleshooting a File Access Issue


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported file access issue on a shared
folder that Tier 1 help-desk staff could not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603033.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603033

Date of Call April 4


Time of Call 12:20
User Alan Brewer (Research)
Status OPEN

Incident Details
New peer-based application for research is not working properly.

Additional Information
The research department is semiautonomous for Information Technology (IT). Department members
install and run many of their own applications, and they store data on their local workstations.
Additionally, they back up their workstations daily to prevent data loss.
They have a new application, which they installed on all workstations, that is not functioning properly.
The installation instructions indicate that there must be a file share to which all computers have
read/write permissions.
All computers are configured to use \\NYC-CL1\Modeling as the file share. The file share is created,
but users do not appear to have the proper permissions. The application generates the error Shared
data access error.
I connected to \\NYC-CL1\Modeling and verified that I could not create or modify files from my
computer.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 603033


Read the help-desk Incident Record for Incident 603033.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.

2. Run the D:\Labfiles\Mod07\Scenario4.bat script.

X Task 4: Attempt to resolve the problem


1. Using your knowledge of file security, attempt to resolve the problem.

2. Update the Resolution Section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.


Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.


In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have configured a share successfully with read/write permissions for
users in the Research group.
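For a ticket of this kind, the checks a technician runs before changing anything are: the share-level ACL, the NTFS ACL on the folder behind the share, and whether the affected user's logon token actually contains the group that the ACLs reference. The PowerShell below is an added example, not part of the lab, and assumes the Modeling share is hosted on NYC-CL1 and that research users are members of a group named CONTOSO\Research; the lab's setup script is not shown in the course text, so this is a generic diagnostic rather than the lab's specific answer.

```powershell
# Added example, not from the course text. Run on NYC-CL1 (elevated for the
# share ACL). Assumptions: the share is named Modeling and the users belong to
# the group CONTOSO\Research.
$Share = 'Modeling'
$Group = 'CONTOSO\Research'

# 1. Share-level ACL. Over SMB the effective right is the more restrictive of
#    the share permission and the NTFS permission, so both must allow writing.
$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'"
if (-not $setting) { throw "Share $Share does not exist on this computer" }
$dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
foreach ($ace in $dacl) {
    # Share access masks: 0x1F01FF = Full Control, 0x1301BF = Change, 0x1200A9 = Read
    $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
    '{0,-5} {1}\{2} mask=0x{3:X}' -f $type, $ace.Trustee.Domain, $ace.Trustee.Name, $ace.AccessMask
}

# 2. NTFS ACL on the folder behind the share (read the path from the share itself
#    rather than assuming it). A Deny ACE, or Read-only inherited from the parent,
#    produces exactly the "cannot create or modify" symptom in the ticket.
$path = (Get-WmiObject -Class Win32_Share -Filter "Name='$Share'").Path
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 3. A group added to the account today is not in a token issued before the
#    change. Run this part as the affected user: if the group is absent, a
#    logoff/logon is the fix, not another ACL change.
$inToken = (whoami.exe /groups) -match [regex]::Escape($Group)
if (-not $inToken) { Write-Warning "$Group is not in the current token; log off and log on again" }

# Remediation when the NTFS ACL is the cause: grant Modify rather than Full
# Control, so users can write data but cannot re-permission the folder, and
# leave the share permission at Change.
# icacls.exe $path /grant "${Group}:(OI)(CI)M"
```

Step 3 is the one most often skipped: the group membership looks correct in Active Directory, both ACLs look correct, and the user still fails because the token they are using was built before the change.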

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.



Module Review and Takeaways

Review Questions
1. A user has called the help desk and complained about not being able to access some files. After the
call was passed to you, you determined that the user was not added to the correct group. After
adding the user to the correct group, the user is still unable to access the files. What other step is
required?

2. You are distributing new laptop computers to executives in your organization. Is any additional
configuration required to allow them to log on by using their domain user account and password
when they are out of the office?

3. Your organization has recently introduced roaming user profiles to support users who move between
computers that are in cubicles. Some users report very slow logon and logoff times. Where would you
start the troubleshooting process?

4. You are distributing new laptop computers to executives in your organization. You have redirected
the My Documents folder to each users home folder to ensure that the information is backed up.
What feature do you need to implement to allow the executives to access these files when they are
travelling without access to the network?

5. A colleague has configured a new network printer with an IP address. He wants users to print directly
to the printer over the network rather than print by using a print server. Users will add this printer
manually, only if it is required. Why is the configuration a concern?

6. One department in your organization is using a new application that creates two folders in the root of
drive C. One folder is for the program executables, the other folder is for program data. What file
permissions do you need to configure for these folders?

Tools

Tool: Effective Permissions
Use for: Determining effective NTFS permissions for a user
Where to find it: Advanced Security Settings

Module 8
Troubleshooting Security Issues
Contents:
Lesson 1: Recovering Files Encrypted by EFS 8-3

Lesson 2: Recovering BitLocker-Protected Drives 8-15

Lesson 3: Troubleshooting Internet Explorer and Content Access Issues 8-23


Lab: Troubleshooting Security Issues 8-32

Module Overview

Windows 7 uses a wide range of security functions to secure data, including both Encrypting File System
(EFS) and BitLocker Drive Encryption. Windows Internet Explorer also has a large number of security
configuration options. You also use file permissions to limit file access, usually on file servers, to
authorized users. In this module, you will learn how to work with all of these features.

Objectives
After completing this module, you will be able to:

Recover files encrypted by using EFS.

Recover BitLocker-protected drives.

Troubleshoot Internet Explorer and content access issues.



Lesson 1
Recovering Files Encrypted by EFS

You can use EFS to encrypt files on portable computers. If your organization uses EFS, you must be aware
of how to recover EFS-encrypted files in case the person who encrypted the files originally cannot recover
them.

Objectives
After completing this lesson, you will be able to:

Describe how EFS encrypts files and stores encryption keys.


Describe how you can generate user certificates for EFS.

Describe how you can back up EFS certificates.

Describe how data recovery works for EFS-encrypted files.

Describe how to resolve common EFS issues.

Configure a data recovery agent and recover an EFS-encrypted file.



How EFS Works

EFS is a feature that you can use to encrypt files stored on a partition that you format with the NTFS file
system. After a file is encrypted by using EFS, only authorized users can access it. An authorized user can
open the file as if it were unencrypted. Users who do not have the authorization to access it receive an
access denied message when they try to open the file.
To protect your files, EFS uses a combination of two encryption methods, which Windows 7 applies
sequentially:

1. Symmetric key encryption, which encrypts the file.

2. Public key encryption, which then protects the symmetric key.

Symmetric Encryption
Symmetric encryption is the typical method of encrypting large amounts of data, and uses the same key
to encrypt and decrypt a file. This type of encryption is much faster than public key encryption and needs
a far shorter key for the same security margin. However, anyone who holds the symmetric key can decrypt
the file, so the key itself must be protected, and it must be made available to each authorized user
without ever being exposed.

Public Key Encryption


EFS uses public key encryption to protect the symmetric key that is required to decrypt the file contents.
Each user certificate contains a public key that encrypts the symmetric key, so that only the user with the
private key can access the symmetric key.

The File Encryption Process


The following section describes the file encryption process:
When a user encrypts a file, EFS generates a file encryption key (FEK) to encrypt the data. EFS encrypts
the FEK with the users public key, and then stores it with the file. This ensures that only the user who
holds the matching private key can decrypt the file. After a user encrypts a file, the file remains
encrypted for as long as you store it on the disk.

To decrypt files, the user can open the file (EFS decrypts it transparently in memory), remove the
encryption attribute, or decrypt the file by using the cipher tool. In each case, EFS decrypts the FEK by
using the user's private key, and then decrypts the data by using the FEK.

You can use the cipher command-line tool to perform various EFS actions, such as encrypting and
decrypting files. Use the /? option with the cipher tool to view detailed information about the available
options. The syntax for decrypting a file is:

cipher /d filename

Note In addition to the user that encrypted the file, EFS encrypts additional copies of the
symmetric key with the public key of the recovery agent and any other authorized users.
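The following PowerShell is an added example, not part of the course text, that walks the EFS lifecycle described above with the built-in cipher tool on a Windows 7 client: encrypt a folder, confirm the attribute, list which certificates can unwrap the file's FEK (the user's own and any recovery agent), locate the EFS certificate in the user's store by its enhanced key usage, back up that certificate with its private key, and decrypt. It assumes the Documents folder is on an NTFS volume; the folder and file names are constructed for the example.

```powershell
# Added example, not from the course text. Run as the file owner on a Windows 7
# client; assumes the Documents folder is on an NTFS volume.
$Dir    = Join-Path $env:USERPROFILE 'Documents\EfsDemo'
$File   = Join-Path $Dir 'secret.txt'
$Backup = Join-Path $env:USERPROFILE 'efs-key-backup'   # cipher appends .pfx

New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Set-Content -Path $File -Value 'constructed sample data, not real'

# Encrypt the folder and everything in it. Encrypting the folder rather than the
# single file makes new files created there inherit the attribute, so the
# temporary copies an editor writes do not land on disk in plaintext.
cipher.exe /e "/s:$Dir" | Out-Null
$attrs = (Get-Item -Path $File).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) { throw 'Encryption did not apply' }

# Which certificates can unwrap this file's FEK? cipher /c lists the user
# certificates (DDF) and the recovery certificates (DRF). No recovery
# certificate listed means a lost profile is a lost file.
cipher.exe /c "$File"

# Find the EFS certificate in the user's store by its enhanced key usage,
# OID 1.3.6.1.4.1.311.10.3.4 (Encrypting File System).
$EfsOid = '1.3.6.1.4.1.311.10.3.4'
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsOid)
} | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

# Back up the certificate AND private key used for this file to a
# password-protected PFX (cipher prompts for the password). Write it outside the
# encrypted folder, since a PFX created inside $Dir would itself be encrypted,
# and then move it off the computer.
cipher.exe "/x:$File" "$Backup"
if (-not (Test-Path "$Backup.pfx")) { throw 'Key backup was not written' }

# Decrypt: EFS unwraps the FEK with the private key, then rewrites the data.
cipher.exe /d "$File" | Out-Null
$attrs = (Get-Item -Path $File).Attributes
if ($attrs -band [IO.FileAttributes]::Encrypted) { throw 'Decryption did not apply' }
```

The two attribute checks are the practitioner's confirmation that the operation actually changed the on-disk state, rather than trusting the tool's exit status; cipher /c on a file is the fastest way to answer "who can recover this?" during an incident.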

Obtaining Certificates for EFS

EFS uses public key encryption to secure the FEK that encrypts file contents. Public key encryption uses
digital certificates that contain a public key, paired with a private key that is kept in the user's profile. To
use EFS, users must obtain a digital certificate.

Self-Signed Certificates
By default, EFS generates a user certificate with a key pair automatically for a user if one does not exist
already. Because of this, users can encrypt files with no administrative setup.

When you encrypt a file on the local computer, EFS stores the self-signed certificate in the local user
profile.

When EFS encrypts a file on a file server, it stores the self-signed certificate in a user profile on the
server.
Using self-signed certificates is very easy to implement, but difficult to manage, because certificates are
stored in many locations, and there is no centralized control.

CA-Issued Certificates
Windows Server 2008 includes the Active Directory Certificate Services (AD CS) role that you can use to
issue EFS certificates to users, or you can use a third-party certification authority (CA) to issue EFS
certificates to users.

The primary benefit of issuing certificates from an internal CA is manageability: administrators have the
ability to control which users have certificates and the length of time that certificates remain valid.
Additionally, with an internal CA, you can issue as many certificates as necessary with no incremental cost.

A third-party CA offers the same manageability benefits as an internal CA. However, you pay a fee for
each certificate that a CA issues, which is a significant disadvantage. Unlike other uses of certificates, EFS
does not need the certificate to chain to a root that outside parties trust, because it uses only the key pair
itself; the main selling point of a third-party CA is therefore not relevant for EFS.

Backing Up EFS Certificates

You should back up the user certificate that EFS uses to secure a file, because if you do not back up the
certificate and it is lost, access to the file is lost. Another advantage to backing up the user certificate is
that you can import it on a different computer. Once you import the certificate, you can use it to access
encrypted files.
The most common scenario for using EFS is the default configuration where you use a self-signed
certificate. In this scenario, the EFS certificate that is required to decrypt the file exists only in the local
user profile. The user receives a prompt to back up the certificate, but EFS does not enforce backing up.
Users also can back up the certificate manually by using the Certificates Microsoft Management Console
(MMC) snap-in.

In the default configuration, when you store an EFS-encrypted file on a server, the certificate exists only
on the server, and you must include it in the server backup.

When you use AD CS as an internal CA, user certificates publish automatically to Active Directory Domain
Services (AD DS). The certificate becomes a property of the user object, but does not include the private
key. Since the private key is required to recover the certificate and decrypt files, on its own, the certificate
published in AD DS does not allow you to recover the certificate and decrypt files. You must perform
another step.
When a network administrator wants to recover the entire certificate, including the private key, the
administrator must enable a key recovery agent. This agent then enables recovery of the certificate from
the CA. The key recovery agent is able to recover the entire certificate, including the private key.

If a user works from multiple computers, you must ensure that the certificate is imported on every
computer. Because certificates are stored in user profiles, you can use roaming user profiles to move the
certificates between computers. As an alternative, network administrators can implement credential
roaming to allow certificates to move between computers when a user logs on.

Using a Data Recovery Agent to Recover EFS-Encrypted Files

Backing up a user certificate is one method you can use to recover EFS-encrypted files. First back up the
user certificate, import it into another profile, and then use it to decrypt the file. This method is difficult to
implement if your organization has many users. A better method to use in that case is to implement a
recovery agent.
A recovery agent is an individual who is authorized to decrypt all files that are encrypted with EFS. The
default recovery agent is the domain administrator, though you can delegate this responsibility to any
user.
When you add a new recovery agent through Group Policy, Windows 7 adds the recovery agent
automatically to all newly encrypted files. However, it does not add the recovery agent to existing
encrypted files. The recovery agent for a file is set at the time that you encrypt the file. Therefore, you
must access the encrypted file, and then save it to update the recovery agent. You also can use the cipher
command to force an update of the recovery agent.

Note To update the recovery agent on a file, run cipher /u filename. This command also
updates user encryption keys if necessary.

You should ensure that the certificate for a recovery agent is always exported with the private key, and
you should keep it in a secure location that you can back up. There are two reasons to back up the
recovery key:

1. To secure against system failure. The domain administrator private key that Windows uses by default
for EFS recovery is stored only in the Administrator profile on the domain's first domain controller. If
anything were to happen to this domain controller, then EFS recovery would be impossible.

2. To make the recovery key portable. The recovery key may not be available to the recovery agent on
all computers. You must install the recovery key in the recovery agent's profile. If you do not use
roaming profiles, then you can export and import the recovery key to update the recovery agent's
profile on a specific computer.
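As an added example that is not part of the course text, the PowerShell below covers the command-line side of a recovery agent rollout: generating the recovery certificate and key with cipher /r, the handling of the resulting .cer and .pfx files, and, once the .cer has been added to the GPO, refreshing existing encrypted files with cipher /u so that they carry the new agent. The GPO import itself is a Group Policy editor task and is only described in a comment. The output path C:\EfsRecovery, the backup location and the sample file are assumptions.

```powershell
# Added example, not from the course text.
# Step 1 runs as the account designated as recovery agent; step 2 is done in the
# Group Policy editor; step 3 runs on each client as a user who can decrypt the
# files. Paths and names are assumptions.
$Out = 'C:\EfsRecovery\contoso-dra'   # cipher writes contoso-dra.cer and contoso-dra.pfx

# 1. Generate the recovery agent key pair. cipher prompts for a password that
#    protects the private key in the .pfx.
New-Item -ItemType Directory -Path (Split-Path -Path $Out) -Force | Out-Null
cipher.exe "/r:$Out"
if (-not (Test-Path "$Out.cer") -or -not (Test-Path "$Out.pfx")) {
    throw 'cipher /r did not produce both the .cer and the .pfx'
}

# Only the .cer (public key) goes into the GPO. The .pfx holds the private key
# that can decrypt every file encrypted after the policy applies: move it to
# offline storage and remove the local copy so it is never found on a client.
# Move-Item -Path "$Out.pfx" -Destination '\\SECURE-BACKUP\EfsRecovery\'

# 2. (Group Policy editor) Computer Configuration > Windows Settings > Security
#    Settings > Public Key Policies > Encrypting File System > Add Data Recovery
#    Agent..., and import contoso-dra.cer. Then refresh policy on the client:
gpupdate.exe /target:computer /force | Out-Null

# 3. Existing files keep the recovery agent they had at encryption time.
#    /u /n lists encrypted files on local drives without changing them; /u
#    rewrites the recovery information (and the user's own key, if it changed)
#    on every encrypted file the current user is able to decrypt. Files the
#    current user cannot decrypt are skipped, so run it as each file owner.
cipher.exe /u /n
cipher.exe /u

# Confirm: the recovery certificate section of cipher /c should now show the
# new agent for a file that was encrypted before the policy change.
cipher.exe /c "$env:USERPROFILE\Documents\EfsDemo\secret.txt"

# Recovery, later, on any computer: import the .pfx into the recovery agent's
# profile (certutil prompts for the PFX password), then decrypt the file.
# certutil.exe -user -importpfx '\\SECURE-BACKUP\EfsRecovery\contoso-dra.pfx'
# cipher.exe /d '<path to file>'
```

The ordering matters: files encrypted between generating the certificate and the GPO reaching the client do not carry the new agent until cipher /u is run by someone who can decrypt them, which is why the update is scheduled per user rather than done once by an administrator.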

Resolving Common EFS Issues

Most EFS issues relate to the inability of users to encrypt or decrypt files. The following list gives common
issues and their resolutions.

Issue: A user cannot open a file that they encrypted themselves.
Resolution: This is most common when a user roams between computers and the private key is not present
on all of them. Use roaming profiles, or export the certificate and private key on the original computer
and import them on the new one.

Issue: A user cannot open a file that another user encrypted.
Resolution: This is expected behavior unless the user who encrypted the file explicitly added the second
user to it (Advanced Attributes, Details). Have the original user add the second user, or use a recovery
agent to decrypt the file.

Issue: A user cannot encrypt a file that is compressed by using NTFS compression.
Resolution: This is by design; EFS encryption and NTFS compression are mutually exclusive. Decompress
the file first (compact /u), then encrypt it.

Issue: After you configure a new recovery agent, the new agent cannot open older files.
Resolution: The recovery agents recorded on a file change only when the file is rewritten. Run cipher /u
to update all encrypted files on the local drives in one pass. You must be able to decrypt a file to
update its recovery agent information, so run the command as the file owner or as an existing agent.

Issue: Users cannot encrypt files on a file share, but can encrypt files locally.
Resolution: The file server performs the encryption on the user's behalf, so its computer account must
be trusted for delegation (computer account properties, Delegation tab) in order to impersonate the user
and obtain the user's EFS certificate. Note that EFS over SMB protects the file only at rest on the
server: the data travels between client and server in the clear unless the connection itself is
protected, for example by IPsec.

Issue: Users cannot encrypt files on FAT-formatted partitions.
Resolution: This is by design. EFS works only on NTFS-formatted volumes.

Practice: Encrypting and Recovering a File

You can configure a recovery agent by using a Group Policy object (GPO). First, you import a certificate
into the GPO, and then the user with the private key corresponding to that certificate is able to decrypt
EFS encrypted files. The certificates in the GPO do not contain the private key.

In this practice, you will identify an EFS recovery agent, and then use the recovery agent certificate to
recover an encrypted file.

Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice,
you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 1-3 for 6293A-NYC-CL1. Do not log on until directed to do so.

Detailed Steps

X Identify a recovery agent


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management window, expand Forest: Contoso.com, expand Domains, expand
Contoso.com, and then click Group Policy Objects.

3. In the right-pane, right-click Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click
Encrypting File System. Notice that a recovery agent exists, by default, for EFS.

X Encrypt a file
1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.

2. Right-click the desktop, point to New, and then click Microsoft Office Word Document.

3. Type MySecureFile, and then press Enter to rename the file.


4. Right-click MySecureFile, and then click Properties.

5. In the MySecureFile Properties window, on the General tab, click Advanced.

6. In the Advanced Attributes window, select the Encrypt contents to secure data check box, and then
click OK.

7. In the MySecureFile Properties window, click OK.

8. In the Encryption Warning window, click Encrypt the file only, and then click OK. Wait a few
moments for the file to encrypt.

Note Encrypted files have a green filename in Windows Explorer, but not on the desktop.

X Back up a user certificate


1. On NYC-CL1, click Start, type mmc, and then press Enter.

2. In the Console1 window, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.

4. In the Add or Remove Snap-ins window, click OK.


5. In the Console1 window, expand Certificates Current User, expand Personal, and then click
Certificates.

6. Double-click the Adam Carter certificate, and then read the information. Notice that the certificate
was just created, and that you have a private key for this certificate.

7. In the Certificate window, click OK.

8. Right-click the Adam Carter certificate, point to All Tasks, and then click Export.

9. In the Certificate Export Wizard, click Next.

10. On the Export Private Key page, click Yes, export the private key, and then click Next.

11. On the Export file format page, click Next to accept the default selections.

Note In step 11, if you select the option to Delete the private key if the export is
successful, then you cannot decrypt files after the export.

12. On the Password page, type Pa$$w0rd in both boxes, and then click Next.

13. On the File to Export page, type D:\EFSCertificateBackup.pfx, and then click Next.

14. On the Completing the Certificate Export Wizard page, click Finish.

15. Click OK to clear the success message.

16. Close Console1, and do not save the settings.

17. Log off NYC-CL1.

X Attempt to view an encrypted file


1. On NYC-CL1, log on as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and click Computer.

3. In Windows Explorer, browse to C:\Users\Adam\Desktop, and then double-click MySecureFile.docx.

4. Click OK to clear the message indicating that you do not have access privileges to the file.

5. Close Microsoft Office Word.

Note Administrator is unable to open the file even though Administrator is the recovery
agent because the necessary private key is not present on NYC-CL1. The private key is
located only on NYC-DC1.

X Export the recovery agent certificate


1. On NYC-DC1, click Start, type mmc, and then press Enter.

2. In the Console1 window, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.

4. In the Certificates snap-in window, verify that My user account is selected, and then click Finish.

5. In the Add or Remove Snap-ins window, click OK.


6. In the Console1 window, expand Certificates Current User, expand Personal, and then click
Certificates.

7. Right-click the Administrator certificate, point to All Tasks, and then click Export.
8. In the Certificate Export Wizard, click Next.

9. On the Export Private Key page, click Yes, export the private key, and then click Next.

10. On the Export file format page, click Next to accept the default selections.

11. On the Password page, type Pa$$w0rd in both boxes, and then click Next.

12. On the File to Export page, type C:\AdminCert.pfx, and then click Next.

13. On the Completing the Certificate Export Wizard page, click Finish.

14. Click OK to clear the success message.

15. Close Console1, and do not save the settings.

X Import the recovery agent certificate


1. On NYC-CL1, click Start, type mmc, and then press Enter.

2. In the Console1 window, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins window, click Certificates, and then click Add.

4. In the Certificates snap-in window, verify that My user account is selected, and then click Finish.

5. In the Add or Remove Snap-ins window, click OK.

6. In the Console1 window, expand Certificates Current User, and then click Personal.

7. Right-click Personal, point to All Tasks, and then click Import.

8. In the Certificate Import Wizard window, click Next.

9. On the File to Import page, in the File name box, type \\NYC-DC1\C$\AdminCert.pfx, and then
click Next.
10. On the Password page, in the Password box, type Pa$$w0rd.

11. Select the Mark this key as exportable check box, and then click Next.

12. On the Certificate Store page, click Next.

13. On the Completing the Certificate Import Wizard page, click Finish.

14. Click OK to clear the success message.

15. Close Console1, and do not save the settings.

X Recover an encrypted file


1. On NYC-CL1, in Windows Explorer, double-click MySecureFile.docx. Notice that you can open the
file.

2. Close Microsoft Word.


3. Right-click MySecureFile.docx, and then click Properties.

4. In the MySecureFile.docx Properties window, on the General tab, click Advanced.

5. In the Advanced Attributes window, clear the Encrypt contents to secure data check box, and then
click OK.

6. In the MySecureFile.docx Properties window, click OK.

7. Notice that the filename is black instead of green because it no longer is encrypted.

8. Close all open windows on both computers.

X To prepare for the next practice


When you finish the practice, leave both virtual machines running.
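The same practice carried out from the command line with the tools Windows 7 ships (cipher.exe and certutil.exe), as an added PowerShell example that is not part of the course. Steps 1 and 2 run as Adam on NYC-CL1, step 3 as the recovery agent on NYC-DC1, and steps 4 and 5 as the recovery agent on NYC-CL1. cipher /x and cipher /r prompt interactively for the .pfx password, while certutil accepts it with -p; file names, passwords and the thumbprint in the usage lines are placeholders, and the final step removes the agent's private key from the client again, which the wizard-based practice does not do.

```powershell
# Added example, not course code. Assumes Windows 7 / PowerShell 2.0.

# 1. Encrypt one file (same as selecting "Encrypt contents to secure data").
function Protect-EfsFile {
    param([Parameter(Mandatory=$true)][string]$FilePath)
    & cipher.exe /e /a "$FilePath"            # /a: act on files, not only folders
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed ($LASTEXITCODE)" }
    & cipher.exe /c "$FilePath"               # show who can decrypt it
}

# 2. Back up the current user's EFS certificate and private key to a .pfx
#    (the Certificate Export Wizard with "Yes, export the private key").
#    cipher appends .pfx; keep the file off the encrypted volume.
function Backup-EfsUserKey {
    param([Parameter(Mandatory=$true)][string]$PfxBaseName)
    & cipher.exe /x "$PfxBaseName"            # prompts for a password
}

# 3. Create a new data recovery agent certificate and key pair. Import the
#    .cer into the GPO (Public Key Policies\Encrypting File System, Add Data
#    Recovery Agent); the .pfx holds the private key and stays offline.
function New-EfsRecoveryAgentCert {
    param([Parameter(Mandatory=$true)][string]$BaseName)
    & cipher.exe "/r:$BaseName"               # writes BaseName.cer and BaseName.pfx
}

# 4. Import a recovery agent .pfx into the current user's Personal store on
#    the computer where the file must be recovered (the Certificate Import
#    Wizard). The key is imported as non-exportable unless you add
#    -importPFX ... ExportEncrypted, which is deliberately not done here.
function Import-EfsRecoveryAgentKey {
    param([Parameter(Mandatory=$true)][string]$PfxPath,
          [Parameter(Mandatory=$true)][string]$Password)
    & certutil.exe -user -p $Password -importPFX "$PfxPath"
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed ($LASTEXITCODE)" }
}

# 5. Recover: confirm the agent is listed on the file, decrypt it, then delete
#    the agent's key from this client so it is not left behind.
function Unprotect-EfsFile {
    param([Parameter(Mandatory=$true)][string]$FilePath,
          [Parameter(Mandatory=$true)][string]$AgentThumbprint)
    & cipher.exe /c "$FilePath"
    & cipher.exe /d /a "$FilePath"
    if ($LASTEXITCODE -ne 0) { throw "cipher /d failed ($LASTEXITCODE)" }
    $clean = ($AgentThumbprint -replace '\s', '')
    & certutil.exe -user -delstore My $clean   # remove the imported agent key
}

# Usage. On NYC-CL1 as Adam:
#   Protect-EfsFile -FilePath "$env:USERPROFILE\Desktop\MySecureFile.docx"
#   Backup-EfsUserKey -PfxBaseName 'D:\EFSCertificateBackup'
# On NYC-DC1 as the recovery agent (only if you want a fresh agent for the GPO):
#   New-EfsRecoveryAgentCert -BaseName 'C:\ContosoDRA'
# On NYC-CL1 as the recovery agent:
#   Import-EfsRecoveryAgentKey -PfxPath '\\NYC-DC1\C$\AdminCert.pfx' -Password 'Pa$$w0rd'
#   Unprotect-EfsFile -FilePath 'C:\Users\Adam\Desktop\MySecureFile.docx' -AgentThumbprint '...'
```

Copying the .pfx over an administrative share, as the practice does, is acceptable on an isolated lab network; in production, move recovery agent keys on removable media or over an encrypted channel and delete the copy on the source when done.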

Lesson 2
Recovering BitLocker-Protected Drives

You can use BitLocker to encrypt entire partitions, and you typically use it on portable computers where
there is a risk of the computer being lost. You cannot access data on a drive that users encrypt with
BitLocker by using utilities, by resetting the local Administrator password, or by placing the encrypted
drive in an alternate computer. You must understand how to recover drives that users encrypt with
BitLocker in case the encryption keys become inaccessible after a hardware failure.

Objectives
After completing this lesson, you will be able to:

Describe how BitLocker stores encryption keys and protects data.

Describe how BitLocker uses a Trusted Platform Module (TPM).

Describe how data recovery works for BitLocker.

Encrypt a partition by using BitLocker.

Describe how to use BitLocker To Go.



The BitLocker Encryption Process

BitLocker is a feature in Windows 7 that encrypts entire volumes. The primary purpose of BitLocker is to
protect the data on a hard drive that is removed from a computer, but it also protects the integrity of the
boot files. You typically use BitLocker on portable computers, which users are most likely to lose.

To enable BitLocker on the operating system drive, a Windows 7 computer must have at least two partitions.
The system volume contains the boot files for Windows 7 and remains unencrypted, and the boot volume
contains the operating system files. Windows 7 creates this partition structure automatically during
installation, unless an unattended installation file provides alternate instructions.

BitLocker uses several encryption keys to protect the volumes on which it is enabled. When you enable
BitLocker, the following process is performed:

1. BitLocker creates a Full Volume Encryption Key (FVEK) for each volume and uses it to encrypt that
volume. This key never changes, because changing it would require re-encrypting the whole volume.

2. BitLocker generates a Volume Master Key (VMK) and uses it to encrypt each FVEK. The encrypted FVEK is
stored in the metadata of its own volume. During startup, BitLocker must obtain the VMK before it can
decrypt the FVEK and read the volume.

3. BitLocker protects the VMK with one or more key protectors: the TPM, a startup key on a USB flash
drive, a recovery password or recovery key, or a data recovery agent certificate. Each protector is an
independently encrypted copy of the VMK, so protectors can be added or removed without re-encrypting
the volume. Losing every protector, not losing the drive, is what makes the data unrecoverable.

For additional security on computers with a TPM, you can require a PIN or a startup key at startup in
addition to the TPM, which adds a second factor before Windows starts.

Note BitLocker typically has less than a 10 percent performance impact on disk activity.

BitLocker and TPMs

A TPM is a chip on a computer's system board that stores encryption keys and measurements of the boot
process, and it is a trusted location for that computer.

The preferred configuration for BitLocker is to seal the VMK to the TPM. During startup, the TPM releases
the VMK only if the measured boot components (firmware, boot manager and boot configuration) match the
values recorded when BitLocker was enabled; BitLocker then uses the VMK to decrypt the FVEKs for the
encrypted volumes. A change to those components, for example a firmware update, a changed boot order or
the drive being moved to another computer, makes the TPM withhold the VMK and sends the computer into
recovery mode.

Not all computers have a TPM. Some vendors only implement a TPM on their business-class computers. If
you use BitLocker on a computer without a TPM, a startup key that unlocks the VMK is stored on a
Universal Serial Bus (USB) flash drive instead. This USB drive must be present during Windows 7 startup.
This is somewhat risky because a lost flash drive means that you cannot start the computer without the
recovery password, and a flash drive left with the computer gives a thief everything needed to boot it.

Recovering a BitLocker-Protected Drive

BitLocker-encrypted drives become inaccessible if the VMK for a computer system cannot be unlocked
through its normal protector. This can occur if:

The TPM in a computer fails, or the measured boot components change (for example, after a firmware
update or a change to the boot order).

You move the drives to a different computer.

Removable media that contains the startup key is lost.

When you enable BitLocker, it generates a 256-bit recovery key (saved as a .BEK file) and a 48-digit
recovery password. BitLocker gives you the options to print the recovery password, save the recovery
password to a file, or save both to a USB flash drive. You can use either the recovery key or the recovery
password to unlock the drive when the VMK is no longer available through its normal protector.

You also can store the recovery password in AD DS. To do this, you must enable the option by using Group
Policy before you turn on BitLocker; a drive that was encrypted before the policy applied is not backed
up retroactively unless you run manage-bde -protectors -adbackup for it. This is a scalable solution,
and much better than requiring administrators to store the recovery password manually during the
encryption process. BitLocker stores the recovery passwords as child objects of the computer account in
AD DS. You can view them by using the BitLocker Recovery Password Viewer, which is part of the Remote
Server Administration Tools for Windows Server 2008 R2, and which you can install on Windows 7. It
extends Active Directory Users and Computers so that you can view the BitLocker recovery passwords on a
tab in the properties of a computer account, and search the domain by recovery password ID.

Note The Group Policy setting to store BitLocker recovery passwords in Active Directory is
\Computer Configuration\Policies\Administrative Templates\Windows Components
\BitLocker Drive Encryption\Store BitLocker recovery information in Active Directory Domain
Services (Windows Server 2008 and Windows Vista).

To recover an encrypted operating system drive, use the BitLocker recovery screen that appears during
startup when the normal protector is unavailable, or start Windows Recovery Environment from the Windows 7
installation DVD. On the recovery screen, you can insert the USB flash drive that holds the recovery key,
or type the recovery password. Drives that do not contain the operating system prompt you for the
recovery information when you attempt to unlock them from within the operating system.

Note On the pre-boot recovery screen, the keyboard runs in a basic mode and you typically type digits
with the function keys: F1 through F9 are 1 through 9, and F10 is 0.

Your final option for recovering BitLocker-encrypted drives is to use a data recovery agent. Similar to a
recovery agent in EFS, a data recovery agent for BitLocker has a certificate whose public key protects an
additional copy of the VMK on every drive that is encrypted after the policy applies; the holder of the
matching private key can unlock those drives with manage-bde -unlock and the certificate. You configure a
data recovery agent by importing its certificate into a GPO.

To configure a data recovery agent by using Group Policy you must configure two settings:

Enable Allow data recovery agent in \Computer Configuration\Policies\Administrative Templates
\Windows Components\BitLocker Drive Encryption\<drive type> Drives\Choose how BitLocker-protected
<drive type> drives can be recovered, where <drive type> is Operating System, Fixed Data, or Removable
Data.

Import the data recovery agent certificate in \Computer Configuration\Policies\Windows Settings
\Security Settings\Public Key Policies\BitLocker Drive Encryption.

As with EFS, drives that were already encrypted do not gain the agent automatically; add it to them with
manage-bde -protectors -add. Keep the agent's private key offline; only the certificate belongs in the GPO.
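Reading the recovery password back out of AD DS, as an added PowerShell example that is not part of the course: it replaces the Recovery Password Viewer with a directory query and then lists the manage-bde commands that consume the result. It assumes the Group Policy setting described above was in force when the drives were encrypted, that the caller can read the msFVE-RecoveryPassword attribute (Domain Admins can by default), and that the ID shown on the recovery screen is the first 8 characters of the protector GUID embedded in the AD object's name; the computer names and IDs in the usage lines are placeholders.

```powershell
# Added example, not course code. Assumes PowerShell 2.0 on a domain-joined
# computer and read access to msFVE-RecoveryInformation objects.

function Get-BitLockerRecoveryFromAD {
    param([string]$ComputerName,   # all recovery objects for this computer
          [string]$KeyIdPrefix)    # or the 8-character ID the recovery screen shows
    $searcher = New-Object DirectoryServices.DirectorySearcher
    if ($ComputerName) {
        $comp = New-Object DirectoryServices.DirectorySearcher
        $comp.Filter = "(&(objectClass=computer)(name=$ComputerName))"
        $c = $comp.FindOne()
        if ($c -eq $null) { throw "Computer account $ComputerName not found" }
        # Recovery objects are children of the computer object.
        $searcher.SearchRoot = $c.GetDirectoryEntry()
        $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    } elseif ($KeyIdPrefix) {
        # The object name is "<timestamp>{<protector GUID>}"; match the prefix.
        $searcher.Filter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$KeyIdPrefix*))"
    } else {
        throw 'Specify -ComputerName or -KeyIdPrefix'
    }

    foreach ($p in 'distinguishedName', 'msFVE-RecoveryPassword',
                   'msFVE-RecoveryGuid', 'whenCreated') {
        $null = $searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $dn   = [string]$r.Properties['distinguishedname'][0]
        $guid = New-Object Guid (,[byte[]]$r.Properties['msfve-recoveryguid'][0])
        New-Object PSObject -Property @{
            Computer         = (($dn -split ',')[1] -replace '^CN=', '')
            ProtectorId      = '{' + $guid.ToString().ToUpper() + '}'
            RecoveryPassword = [string]$r.Properties['msfve-recoverypassword'][0]
            Created          = $r.Properties['whencreated'][0]
        }
    }
}

# Usage:
#   Get-BitLockerRecoveryFromAD -ComputerName NYC-CL1 |
#       Format-Table Computer, ProtectorId, RecoveryPassword -AutoSize
#   Get-BitLockerRecoveryFromAD -KeyIdPrefix 'A1B2C3D4'
#
# Then, on the affected computer (elevated):
#   manage-bde -unlock E: -RecoveryPassword 123456-654321-...    # data drive, from Windows
#   manage-bde -protectors -adbackup C: -id "{<ProtectorId>}"  # push a protector the GPO missed
#   manage-bde -unlock E: -Certificate -ct <DRA thumbprint>    # data recovery agent unlock
# The operating system drive is unlocked at the pre-boot recovery screen instead,
# by typing the 48-digit password or inserting the USB drive with the .BEK key.
```

Treat a recovery password that has been read out as compromised: after the drive is back in service, remove the used protector and add a fresh one with manage-bde -protectors -delete and -add, and let the GPO back the new one up.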

Demonstration: Encrypting a Partition by Using BitLocker

You can use BitLocker to encrypt entire disk volumes. In most cases, a TPM is used to store the encryption
keys for BitLocker. However, not all computers have a TPM. In such a case, you can store the encryption
keys on a USB flash drive or a floppy disk.

In this demonstration, you will see how to configure BitLocker when a TPM is not available.

Demonstration Steps
1. On the virtual host, verify that BitLocker.vfd is attached to the floppy drive of NYC-CL1.

2. On NYC-CL1, open the local Group Policy by using gpedit.msc.


3. Browse to Computer Configuration\Administrative Templates\Windows Components
\BitLocker Drive Encryption\Operating System Drives.

4. Configure Require additional authentication at startup.

Enabled

Allow BitLocker without a compatible TPM

5. Open BitLocker Drive Encryption in Control Panel.

6. Attempt to Turn On BitLocker for C:.

7. At a command prompt, enable BitLocker by entering manage-bde.exe -on C: -rp -sk A:.

8. Read the recovery password that manage-bde prints, and note the startup key (.BEK file) that it writes to A:.

9. Restart NYC-CL1, and log on as Contoso\Administrator.

10. Open Windows Explorer, and then open Manage BitLocker for Local Disk (C:).

11. Save the recovery key to A:.

12. Open the BitLocker Recovery Key text file stored on A:, and then read the recovery key.
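The demonstration as a script, added here as a PowerShell example that is not part of the course: it checks for a usable TPM, applies the "Require additional authentication at startup" policy with "Allow BitLocker without a compatible TPM" by writing the registry values that policy controls, turns on BitLocker with a recovery password and a startup key, and then parses manage-bde -protectors -get into the list of VMK protectors described in the encryption process above. It assumes an elevated Windows 7 prompt with PowerShell 2.0, a removable drive for the startup key, that HKLM\SOFTWARE\Policies\Microsoft\FVE is the path the policy editor writes, and the Windows 7 wording of manage-bde output; a domain GPO that configures the same setting overrides the local values.

```powershell
# Added example, not course code. Assumes an elevated Windows 7 prompt,
# PowerShell 2.0, and the policy registry path below.

function Test-TpmPresent {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    return ($tpm -ne $null -and $tpm.IsEnabled().IsEnabled)
}

function Enable-BitLockerWithoutTpmPolicy {
    # Same values gpedit.msc writes for "Require additional authentication at
    # startup": UseAdvancedStartup = Enabled, EnableBDEWithNoTPM = the check
    # box, UseTPM* = the four "Configure TPM ..." drop-downs (2 = Allow).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    $values = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1;
                 UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
    }
}

function Get-BitLockerProtector {
    # Parse "manage-bde -protectors -get <drive>": each protector is a line
    # ending in ':' ("External Key:", "Numerical Password:", "TPM:") followed
    # by an "ID: {GUID}" line. Output wording is an assumption on other builds.
    param([string]$Drive = 'C:')
    $type = $null
    foreach ($line in (& manage-bde.exe -protectors -get $Drive)) {
        if ($line -match '^\s{2,}(\S[^:]*):\s*$') { $type = $matches[1]; continue }
        if ($line -match '^\s+ID:\s*(\{[0-9A-Fa-f-]+\})') {
            New-Object PSObject -Property @{ Drive = $Drive; Type = $type; Id = $matches[1] }
        }
    }
}

function Enable-BitLockerOnOsDrive {
    param([string]$Drive = 'C:', [string]$StartupKeyDrive = 'A:\')
    if (-not (Test-TpmPresent)) {
        Write-Warning 'No usable TPM; enabling the policy that allows a USB startup key instead.'
        Enable-BitLockerWithoutTpmPolicy
    }
    # -rp adds a 48-digit recovery password, -sk writes a .BEK startup key.
    & manage-bde.exe -on $Drive -RecoveryPassword -StartupKey $StartupKeyDrive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed ($LASTEXITCODE)" }
    # Encryption begins after the next restart, once the startup key has been
    # read successfully; record the recovery password before that restart.
    Get-BitLockerProtector -Drive $Drive
    & manage-bde.exe -status $Drive
}

# Usage (elevated):
#   Enable-BitLockerOnOsDrive -Drive 'C:' -StartupKeyDrive 'A:\'
#   Get-BitLockerProtector -Drive 'C:' | Format-Table Type, Id -AutoSize
```

The protector list is the practical view of the key hierarchy: every entry is a separately wrapped copy of the VMK, and recovery is only a question of which of those copies you can still open.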

BitLocker To Go

BitLocker To Go is a new feature in Windows 7. You can use it to encrypt removable storage that you want
to use on other computers. It safeguards the data while it is in transport, which ensures that if the
removable storage is lost, the person who finds it cannot access the data.

When you enable BitLocker To Go for removable media, you are prompted to use either a password or a
smart card to unlock the drive. Using a password makes it simple to unlock the removable storage on
other computers because anyone with the password can unlock it. Requiring a smart card is more
complicated because you must have a smart card, and then the computer that you use to unlock the
removable storage also requires a smart-card reader.

Windows 7 computers can read and modify removable storage that you encrypt by using BitLocker To Go.
Windows XP and Windows Vista computers can read data from removable storage that you encrypt by
using BitLocker To Go if users use the BitLocker To Go Reader. The reader is copied to the unencrypted
discovery portion of every removable drive that you encrypt, so it is accessible before you unlock the
content. It provides read-only access, works only on drives formatted with FAT, FAT32 or exFAT, and
unlocks with a password only, not with a smart card.

The recovery options for BitLocker To Go are the same as for standard drives. You can save recovery keys
to a file, publish recovery keys to AD DS, or use a data recovery agent.

Lesson 3
Troubleshooting Internet Explorer and Content
Access Issues

Internet Explorer is commonly used to access web-based applications, many of which are business critical.
You must understand how to troubleshoot issues with Internet Explorer and content access to ensure that
users are able to continue using these web-based applications.

Objectives
After completing this lesson, you will be able to:

Describe authentication for web-based applications hosted on Internet Information Services (IIS).

Describe Internet Explorer security zones.

Describe what add-ons do for Internet Explorer.

Describe how to troubleshoot common Internet Explorer issues.

Configure Internet Explorer.



Authentication to IIS

Many organizations use web-based intranets and applications as an important part of their business.
These websites are not just collections of webpages; they are components of an organization's
critical business infrastructure. Many of them are hosted on Windows Server by using IIS.

When you troubleshoot issues with access to web-based applications, you must know which
authentication methods are available to you.

The following authentication methods are commonly used:

Basic. This type of authentication sends the username and password over the network in an encoded
(Base64) but unencrypted form, so anyone who can capture the traffic can read them. It provides the best
compatibility through firewalls and proxies, and between various browsers and web servers. You always
should secure Basic authentication by using Secure Sockets Layer (SSL), which you configure on the
server. You can identify SSL-secured websites by the lock icon that Internet Explorer displays, and their
addresses start with https://.

Windows. This type of authentication uses either Windows Challenge/Response, also known as NT LAN
Manager (NTLM), or Kerberos. In either case, the password itself never passes over the network: NTLM
sends a response computed from the password and a server-supplied challenge, and Kerberos sends a
ticket obtained from the domain controller. In some cases, Windows authentication does not pass properly
through firewalls or proxies, because the handshake spans several requests on one connection.

The primary benefit of using Windows authentication is that the workstation's logon credentials can pass
automatically to the web server. By default, Internet Explorer does this only for sites in the Local
intranet zone, which includes sites that you reach by a single-label name, for example http://webserver.
A fully qualified name such as http://webserver.contoso.com lands in the Internet zone and prompts for
credentials unless you add it to the Local intranet zone.

Digest. This type of authentication is an Internet standard in which the client sends a hash of the
password combined with a server-supplied nonce, so the password does not cross the network in
cleartext. You typically use it for external users when Windows authentication is not possible.

Certificate mapping. This type of authentication maps a certificate to a user, and enables the user to
authenticate by presenting that certificate. This is more secure than requiring a username and password;
however, it is more difficult to implement and is rarely used.
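A probe for the methods above, as an added PowerShell example that is not part of the course: Get-WebAuthScheme sends one anonymous request and reads the WWW-Authenticate headers from the 401 challenge, so you can see which schemes the server offers before changing anything on the client. It also flags the two conditions discussed above, Basic without https and Windows authentication on a dotted host name that Internet Explorer will not answer automatically. It assumes PowerShell 2.0 on Windows 7 (no Invoke-WebRequest) and placeholder URLs.

```powershell
# Added example, not course code. Assumes PowerShell 2.0 / .NET 3.5.

function Get-WebAuthScheme {
    param([Parameter(Mandatory=$true)][string]$Url)
    $req = [Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.UseDefaultCredentials = $false   # do not let Windows auth answer the challenge
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $status = $null; $challenges = @()
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode   # 200: site allows anonymous access
        $resp.Close()
    } catch [Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }     # DNS, connect or TLS failure, not an HTTP status
        $status = [int]$resp.StatusCode
        $hdr = $resp.Headers.GetValues('WWW-Authenticate')   # one header per scheme
        if ($hdr) { $challenges = @($hdr) }
        $resp.Close()
    }
    # "Negotiate", "NTLM", "Basic realm=..." or "Digest realm=..." -> scheme name.
    $schemes = $challenges | ForEach-Object { ($_ -split '[\s,]')[0] } | Sort-Object -Unique
    $warnings = @()
    if ($schemes -contains 'Basic' -and $Url -notmatch '^https://') {
        $warnings += 'Basic is offered over http: credentials are only Base64-encoded on the wire. Require https.'
    }
    if (($schemes -contains 'Negotiate' -or $schemes -contains 'NTLM') -and
        ([Uri]$Url).Host -match '\.') {
        $warnings += 'Windows auth on a dotted host name: IE prompts unless the site is in the Local intranet zone.'
    }
    New-Object PSObject -Property @{
        Url = $Url; Status = $status; Schemes = $schemes; Warnings = $warnings
    }
}

# Usage:
#   Get-WebAuthScheme -Url 'http://webapp.contoso.com/' | Format-List
#   Get-WebAuthScheme -Url 'https://intranet/'          | Format-List
```

A 401 that lists only Basic on an http URL is a server-side finding, not a client one: fix it on IIS (enable Windows or Digest authentication, or require SSL) rather than training users to type domain passwords into that prompt.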

Internet Explorer Security Zones

Internet Explorer includes security zones that allow you to control security settings for groups of websites.
Depending on the security zone in which a website is included, Internet Explorer applies different
security settings. For example, some zones enable Protected Mode or do not allow ActiveX controls.

Note Protected Mode in Internet Explorer prevents code on websites from affecting the operating system
by running the browser tab process at low integrity and limiting where it can write. It requires User
Account Control to be enabled.

The security zones are:

Internet. This zone is the default for any website that is not assigned to another zone. It has
medium-high security settings, which enable users to perform most tasks. However, users may receive
prompts to accept some riskier behaviors.

Local intranet. By default, this zone contains websites that you reach by a single-label name, UNC paths,
and sites that bypass the proxy server; you can add other sites manually. It has medium-low security
settings that allow most websites to run without end-user prompts, because it assumes the sites are
trustworthy, and it does not use Protected Mode. It is also the only zone in which Internet Explorer sends
the user's Windows credentials automatically by default.

Trusted sites. This zone has no websites, by default. You must add sites manually to the Trusted sites
zone. It has medium security settings, which enable users to run most web-based applications, and it does
not use Protected Mode. Typically, you use this zone for web-based applications that are hosted
externally. Because a site in this zone runs with fewer restrictions, add only the exact host names you
need, never a whole domain or a wildcard.

Restricted sites. This zone has no websites, by default. You must add sites manually to the Restricted
sites zone. This zone has high security settings, and is suitable for websites that you are concerned may
contain malware (malicious software).
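Where the zone assignment and the zone behavior live, as an added PowerShell example that is not part of the course, so that you can audit or script what the Security tab shows. Per-user site assignments are stored under HKCU\...\Internet Settings\ZoneMap\Domains, and each zone's settings under HKCU\...\Internet Settings\Zones\<n>, where value 2500 is Protected Mode (0 = on, 3 = off) and 1A00 is the logon policy (0 = automatic, 0x10000 = prompt, 0x20000 = automatic only in the intranet zone, 0x30000 = anonymous). It assumes Windows 7 with Internet Explorer 8 and PowerShell 2.0; the host names in the usage lines are placeholders. If the GPO "Site to Zone Assignment List" is in force, Internet Explorer reads HKLM\...\ZoneMapKey instead and ignores per-user additions.

```powershell
# Added example, not course code. Assumes Windows 7 / IE8 / PowerShell 2.0.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$ZoneIds   = @{ Intranet = 1; Trusted = 2; Restricted = 4 }
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-IEZoneSite {
    # Equivalent of Internet Options, Security, Sites, Add, for the current
    # user. The last two labels become the key, the rest a subkey; the value
    # name is the scheme ('*' = any scheme).
    param([Parameter(Mandatory=$true)][string]$HostName,
          [Parameter(Mandatory=$true)][ValidateSet('Intranet','Trusted','Restricted')][string]$Zone,
          [string]$Scheme = 'https')
    $labels = $HostName -split '\.'
    if ($labels.Count -lt 2) { throw 'Single-label names are already in Local intranet; give a FQDN.' }
    $domain = ($labels[-2..-1]) -join '.'
    $key = "$InternetSettings\ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) { $key += '\' + (($labels[0..($labels.Count - 3)]) -join '.') }
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    Set-ItemProperty -Path $key -Name $Scheme -Value $ZoneIds[$Zone] -Type DWord
}

function Get-IEZoneSite {
    # Every explicitly assigned site with its zone.
    $root = "$InternetSettings\ZoneMap\Domains"
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key   = $_
        $rel   = $key.PSPath -replace '.*\\Domains\\', ''
        $parts = $rel -split '\\'
        $hostName = if ($parts.Count -eq 1) { $parts[0] } else { $parts[1] + '.' + $parts[0] }
        foreach ($v in $key.GetValueNames()) {
            $id = $key.GetValue($v)
            New-Object PSObject -Property @{ Host = $hostName; Scheme = $v; Zone = $ZoneNames[[int]$id] }
        }
    }
}

function Get-IEZoneSetting {
    # Protected Mode and logon behavior per zone: the two settings that most
    # often explain "it works from Trusted sites but not from Internet".
    1..4 | ForEach-Object {
        $k = Get-ItemProperty -Path "$InternetSettings\Zones\$_" -ErrorAction SilentlyContinue
        $logon = switch ([int]$k.'1A00') {
            0       { 'Automatic' }
            0x10000 { 'Prompt' }
            0x20000 { 'Automatic in Intranet only' }
            0x30000 { 'Anonymous' }
            default { 'Unknown' }
        }
        New-Object PSObject -Property @{
            Zone = $ZoneNames[$_]; ProtectedMode = ([int]$k.'2500' -eq 0); Logon = $logon
        }
    }
}

# Usage:
#   Add-IEZoneSite -HostName 'webapp.contoso.com' -Zone Trusted -Scheme https
#   Get-IEZoneSite    | Format-Table Host, Scheme, Zone
#   Get-IEZoneSetting | Format-Table Zone, ProtectedMode, Logon
```

Get-IEZoneSite is also a quick check for tampering: malware that wants to run unprompted adds its own domains to Trusted sites, and those entries show up here next to the ones you put there.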

Other Internet Explorer settings that may be a concern for web-based applications include:

Privacy settings. The privacy settings in Internet Explorer control the use of cookies, which some web-
based applications use to track user states. You can allow cookies specifically from a website that
hosts a web-based application, so that the application performs properly.

Pop-up Blocker. The purpose of the Pop-up Blocker in Internet Explorer is to prevent annoying
advertisements from displaying. However, some web-based applications use these pop-ups, so you
may need to allow them for websites that are hosting a web-based application.

Advanced settings. Individual web-based applications may require unusual security settings that you
can adjust only in Advanced settings. For example, an externally hosted website may require the use
of an older version of SSL. These settings are global, not per site: enabling SSL 2.0 for one site
weakens every HTTPS connection the browser makes, so treat this as a temporary workaround, ask the site
owner to fix the server, and turn the protocol off again afterwards.

Internet Explorer Add-Ons

You can extend the functionality of Internet Explorer by installing add-ons. One of the most important
uses of add-ons is displaying content on webpages that Internet Explorer does not understand natively.
For example, add-ons may help display non-HTML document formats or video within a webpage.

You can use the Manage Add-ons function in Internet Explorer to view the installed add-ons so that you
can disable them. If Internet Explorer is experiencing performance problems, you can disable add-ons that
you think may be responsible.

One of the most common causes of Internet Explorer performance issues is users installing toolbars.
Removing third-party toolbars often improves performance. However, some toolbars do not uninstall
properly. As a final option, you can reset Internet Explorer settings, which reverts Internet Explorer to its
default state.
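An inventory of what Manage Add-ons shows, as an added PowerShell example that is not part of the course: Get-IEAddOn lists the Browser Helper Objects and toolbars registered on the computer, resolves each CLSID to the DLL that Internet Explorer loads, and checks the DLL's Authenticode signature so that unsigned, tampered or missing-file add-ons stand out before you decide what to disable. Both the native and the Wow6432Node registrations are read, because 32-bit Internet Explorer loads the latter on 64-bit Windows. It assumes Windows 7 with PowerShell 2.0, run elevated so that all of HKLM is readable.

```powershell
# Added example, not course code. Assumes Windows 7 / PowerShell 2.0, elevated.

function Get-IEAddOn {
    $roots = @(
        @{ Kind = 'BHO';     Wow = $false; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Kind = 'BHO';     Wow = $true;  Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Kind = 'Toolbar'; Wow = $false; Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' },
        @{ Kind = 'Toolbar'; Wow = $true;  Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root.Path)) { continue }
        # BHOs are subkeys named by CLSID; toolbars are values named by CLSID.
        $clsids = if ($root.Kind -eq 'BHO') {
            Get-ChildItem $root.Path | ForEach-Object { $_.PSChildName }
        } else {
            (Get-Item $root.Path).GetValueNames() | Where-Object { $_ -match '^\{' }
        }
        foreach ($clsid in $clsids) {
            $clsKey = if ($root.Wow) { "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid" }
                      else           { "HKLM:\SOFTWARE\Classes\CLSID\$clsid" }
            $name = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dll  = [Environment]::ExpandEnvironmentVariables([string]$dll)
            $sig = 'FileMissing'; $signer = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $s = Get-AuthenticodeSignature -FilePath $dll
                $sig = [string]$s.Status              # Valid, NotSigned, HashMismatch, ...
                if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Subject }
            }
            New-Object PSObject -Property @{
                Kind = $root.Kind; Name = $name; Clsid = $clsid; Path = $dll
                Signature = $sig; Signer = $signer; Is32Bit = $root.Wow
            }
        }
    }
}

# Usage: everything first, then only the entries worth a closer look.
#   Get-IEAddOn | Format-Table Kind, Name, Signature, Path -AutoSize
#   Get-IEAddOn | Where-Object { $_.Signature -ne 'Valid' }
```

A valid signature only tells you who built the DLL, not that you want it; an unknown signer or a DLL living under a user profile or Temp folder is the usual sign of the toolbar problems the text describes.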

Troubleshooting Common Internet Explorer Issues

Most issues related to Internet Explorer and security are easy to resolve. A key part of the troubleshooting
process for accessing websites is identifying the following:

Which computers are affected? One computer or all computers?

Which users are affected? One user or all users?

Where are the affected users located? Internal, external, or both?

Which versions of Internet Explorer are experiencing the problem?

These questions help you isolate what is causing the problem: a firewall, server configuration, or Internet
Explorer configuration.

The following list gives some common ways that you can resolve problems related to accessing websites
and web-based applications.

Issue: Users are unable to access a website.
Resolution: Verify that there is proper network connectivity, and that a firewall or proxy is not blocking
the website.

Issue: Users are prompted for credentials when accessing an internal website that is configured to use
Windows authentication.
Resolution: Verify that users are accessing the website by a name that falls in the Local intranet zone
(a single-label name, or a name that you have added to the zone), and that they are doing so from a
domain-joined computer on the internal network.

Issue: Users are unable to use a web-based application because Internet Explorer security or Protected
Mode is blocking required functionality.
Resolution: If the web-based application is from a trusted source, add the website to Trusted sites. This
disables Protected Mode for that site and allows many web-based applications to function properly. Add
only the specific host name, not a whole domain or a wildcard.

Issue: A web-based application is not retaining settings properly between screens or between sessions.
Resolution: Ensure that privacy settings allow the web-based application to set cookies.

Issue: A web-based application is not opening new windows that are required for proper operation.
Resolution: Add the website to the list of sites that Pop-up Blocker allows.

Issue: Internet Explorer is running more slowly than normal and may be displaying unusual information on
webpages.
Resolution: Disable any unauthorized add-ons that may be malware.

Issue: Users are unable to view embedded content, such as audio or video, in a website.
Resolution: Install the add-on that Internet Explorer requires to view the content.

Issue: Internet Explorer is experiencing unusual problems authenticating to a website or accessing
website content.
Resolution: Clear the Internet Explorer browsing history, including temporary Internet files, cookies,
and passwords.

Issue: Internet Explorer is not displaying updated website content that you know has been updated.
Resolution: Press Ctrl+F5 to force the page to reload from the server instead of from the cache, or
clear the temporary Internet files and then press F5.

Issue: An older website is not displaying properly in Internet Explorer 8.
Resolution: Enable Compatibility View for the website. This may also be required for some web-based
applications. Compatibility View renders the website as though you are using an older version of
Internet Explorer.

Issue: When accessing a secure website with https, users get the error "There is a problem with this
website's security certificate."
Resolution: The certificate that the server presents is not trusted by the client: it may have expired,
the user may be accessing the site by a DNS name that does not match the certificate, or the server may
be using a self-signed certificate. Fix the server-side cause where you can. If the site is known and
the certificate is self-signed, you can import that certificate into the client's Trusted Root
Certification Authorities store after verifying its thumbprint with the site owner; this trusts only that
one certificate. Users can also click Continue to this website (not recommended), but they should not do
so for sites that handle credentials, because the same warning is what a man-in-the-middle attack
produces.

Issue: Malware is installed as an add-on that you cannot remove.
Resolution: Reset Internet Explorer settings. This can resolve unexplained problems with Internet
Explorer, but it disables all add-ons and discards customizations such as the home page, search providers
and toolbar layout (Favorites are kept). If other malware remains on the computer, Internet Explorer may
be infected again, so clean the computer with an up-to-date scanner first.
MCT USE ONLY. STUDENT USE PROHIBITED
8-30 Troubleshooting and Supporting Windows 7 in the Enterprise

Practice: Configuring Internet Explorer

The two most common problems that users experience with Internet Explorer are poor performance and
the inability to access web-based content. To resolve performance problems, you can manage Internet
Explorer add-ons, and reset Internet Explorer settings. To resolve issues accessing content, you can
configure the Pop-up blocker and privacy settings. In some cases, clearing the Internet Explorer history
can also resolve content access issues.

In this practice, you will configure various Internet Explorer options and features.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Detailed Steps

X Manage Pop-up Blocker


1. On NYC-CL1, on the taskbar, click Internet Explorer.

2. In Internet Explorer, click Tools, point to Pop-up Blocker, and then click Pop-up Blocker Settings.

3. In the Pop-up Blocker Settings window, in the Address of website to allow box, type
webapp.contoso.com, and then click Add.

4. Click Close.

X Manage Internet Explorer add-ons


1. On NYC-CL1, in Internet Explorer, click Tools, and then click Manage Add-ons.
2. In the Show box, verify that Currently loaded add-ons is selected.

3. Click the Research add-on, and then click Disable.



4. In the Show box, select Run without permission. Take note of the large list installed by default.

5. Click Close.

X Clear Internet Explorer history


1. On NYC-CL1, in Internet Explorer, click Tools, and then click Internet Options.

2. In the Internet Options window, on the General tab, in the Browsing history area, click Delete.

3. In the Delete Browsing History window, read the default selections, and then click Delete.

X Manage Privacy settings


1. On NYC-CL1, in Internet Explorer, in the Internet Options window, click the Privacy tab.

2. In the Settings area, click Sites.

3. In the Per Site Privacy Actions window, in the Address of website box, type webapp.contoso.com
and click Allow.

4. Click OK.

X Reset Internet Explorer settings


1. On NYC-CL1, in Internet Explorer, in the Internet Options window, click the Advanced tab.
2. In the Reset Internet Explorer settings area, click Reset.

3. In the Reset Internet Explorer Settings window, read the information, and then click Reset.

4. In the Reset Internet Explorer Settings window, click Close.


5. In the Internet Explorer window, read the message, and then click OK.

6. Close Internet Explorer.

X To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 1-3 for 6293A-NYC-CL1.



Lab: Troubleshooting Security Issues

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Lab Scenario
The help desk has received a number of trouble tickets that relate to security. Because you are the
desktop support technician that has the most experience with security, the tickets have been assigned to
you.

Exercise 1: Recovering a BitLocker-Protected Drive


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported BitLocker problem that Tier 1
help-desk staff could not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603012.

2. Update the Plan of Action section of the Incident Record.


3. Attach the encrypted drive to NYC-CL1.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603012

Date of Call April 3


Time of Call 09:34
User Susanna Stubberod (Production)
Status OPEN

Incident Details
Executive user is reporting that she has data that is encrypted with BitLocker Drive Encryption that she needs to
recover from a failed laptop.

Additional Information
The user uses her personal laptop to work on company documents. The laptop had a secondary hard
drive on which she stored the documents. She encrypted all drives with BitLocker to secure them.
Internal laptops are configured with a recovery agent to simplify data recovery. Because this is a personal
laptop, using a recovery agent is not an option.
She has given us the encrypted drive, and a printout she made after the drive was encrypted.
She has requested that we configure the drive so that she can attach it to another computer easily by
placing the drive in an external USB enclosure. Preferably, it should require only a password to unlock.

Plan of Action

Resolution

Printed Document from Susanna


BitLocker Drive Encryption Recovery Key: The recovery key is used to recover the data on a BitLocker
protected drive.

To verify that this is the correct recovery key, compare the identification with what appears on the
recovery screen:

Recovery key identification: AE409B77-DCD9-49

Full recovery key identification: AE409B77-DCD9-49EB-AE01-69A2283F845F

BitLocker Recovery Key:


622732-532620-653312-417406-161304-327305-677292-111034

X Task 1: Read the help-desk Incident Record for Incident 603012


1. Read the help-desk Incident Record for Incident 603012.

2. Read the printed document from Susanna.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Attach the encrypted drive to NYC-CL1


1. On the host computer, ensure that 6293A-NYC-CL1 is shut down.
2. Click Start, point to Administrative Tools, and then click Hyper-V Manager.

3. In Hyper-V Manager, right-click 6293A-NYC-CL1, and then click Settings.

4. In the Settings for 6293A-NYC-CL1 window, click IDE Controller 1.


5. In the right-pane, ensure that Hard Drive is selected, and then click Add.

6. In the Media area, click Browse.

7. Browse to C:\Program Files\Microsoft Learning\6293\Drives, click BitLockerRecovery.vhd, and


then click Open.

8. Click OK.

9. Start the 6293A-NYC-CL1 virtual machine, and then log on as NYC-CL1\WSAdmin with the
password of Pa$$w0rd. If you are prompted to restart NYC-CL1, click Restart Now.

X Task 4: Attempt to resolve the problem


1. Using your knowledge of BitLocker, attempt to resolve the problem.

2. Update the Resolution Section of the Incident Record.


3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.
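One way to carry out Task 4 from an elevated PowerShell prompt on NYC-CL1, using manage-bde.exe (the tool listed in this module's Tools table). This is an added example, not part of the course lab. It assumes the attached VHD mounts as drive E: (confirm in Disk Management before running); the key identifier and the 48-digit recovery password are the values from Susanna's printout.

```powershell
# Added example, not part of the course: unlock a BitLocker data drive with its
# 48-digit recovery password, then add a password protector so the drive can be
# unlocked from any Windows 7 computer with a password alone. Run from an
# elevated PowerShell prompt on NYC-CL1. ASSUMPTION: the attached VHD mounts
# as E:; the key ID and recovery password are the values on Susanna's printout.
$Drive            = 'E:'
$ExpectedKeyId    = 'AE409B77-DCD9-49EB-AE01-69A2283F845F'
$RecoveryPassword = '622732-532620-653312-417406-161304-327305-677292-111034'

# 1. Confirm the drive is BitLocker-protected and still locked.
manage-bde -status $Drive

# 2. Compare the Numerical Password protector ID on the drive with the printout
#    before typing 48 digits; a mismatch means the printout is for another volume.
$protectors = manage-bde -protectors -get $Drive | Out-String
if ($protectors -notmatch [regex]::Escape($ExpectedKeyId)) {
    throw "Key ID $ExpectedKeyId is not a protector on $Drive; wrong drive or wrong printout."
}

# 3. Unlock with the recovery password. manage-bde sets a non-zero exit code on failure.
manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Unlock of $Drive failed (exit code $LASTEXITCODE)." }

# 4. Add a password protector. manage-bde prompts for the password twice, so it
#    never appears on the command line or in the PowerShell history.
manage-bde -protectors -add $Drive -Password
if ($LASTEXITCODE -ne 0) { throw "Could not add a password protector to $Drive." }

# 5. The help desk has now seen the old recovery password, so issue a new one and
#    retire the old. manage-bde prints the new 48-digit password; give it to the
#    user to store safely, and keep a Numerical Password protector as the fallback.
manage-bde -protectors -add $Drive -RecoveryPassword
manage-bde -protectors -delete $Drive -id "{$ExpectedKeyId}"

# 6. Verify: the volume now lists a Password protector and one Numerical Password.
manage-bde -protectors -get $Drive
```

Step 2 is the check worth keeping even when the GUI is used: the recovery screen shows the first eight characters of the key ID precisely so that the right printout can be matched to the right volume. Step 5 is the caveat: a recovery password that has been handed to a third party is no longer a secret, so rotate it once the drive is unlocked rather than leaving it as the only fallback.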

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on by using the following credentials:


User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have recovered a BitLocker-protected drive.

Exercise 2: Troubleshooting an Internet Explorer Security Issue


Scenario
In this exercise, you will troubleshoot and attempt to resolve the reported security issue in Internet
Explorer that Tier 1 help-desk staff could not resolve.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603026.

2. Update the Plan of Action section of the Incident Record.


3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603026

Date of Call April 4


Time of Call 12:20
User Sten Faerch (Marketing)
Status OPEN

Incident Details
User is being prompted for security credentials when accessing the intranet site.

Additional Information
When the user attempts to access the corporate intranet by using http://nyc-dc1.contoso.com, he is
prompted for credentials.
I coached him through the process of entering his credentials as Contoso\Sten and his password. This
authenticates him successfully, and he can use this as a short-term workaround, but he does not want
to be prompted.
I asked him to check if other users in his department were having the same issue, and he told me that
they said no. He is the only user having this issue. After he authenticates, everything is fine.
When the issue is resolved, please configure the corporate intranet as his home page.

Plan of Action

Resolution

X Task 1: Read the help-desk Incident Record for Incident 603026


Read the help-desk Incident Record for Incident 603026.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

X Task 3: Simulate the problem.


1. Switch to the NYC-CL1 computer.

2. Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

3. Run the D:\Labfiles\Mod08\Scenario2.vbs script.

4. Log off NYC-CL1.

X Task 4: Attempt to resolve the problem


1. Using your knowledge of Internet Explorer security, attempt to resolve the problem.

2. Update the Resolution Section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines before proceeding to the next
exercise.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.


In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso
Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have authenticated successfully to the intranet website, without
requiring the user to enter credentials.
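The two per-user Internet Explorer settings that decide whether http://nyc-dc1.contoso.com gets single sign-on, with a function to report them and a function to correct them. This is an added example, not part of the course lab, and it must run in the affected user's session (Contoso\Sten) because the settings live under HKCU. It assumes the lab script changed one of these two settings; what Scenario2.vbs actually does is not shown in the course text, so if the report already looks right the cause lies elsewhere (for example a proxy setting that routes the intranet name through a proxy).

```powershell
# Added example, not part of the course lab. Run as the affected user.
# ASSUMPTION: the prompt is caused by the site sitting outside the Local
# intranet zone, or by the zone's logon setting, both per-user registry values.
$Site = 'nyc-dc1.contoso.com'
$IS   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Map  = "$IS\ZoneMap\Domains\contoso.com\nyc-dc1"   # explicit zone assignment for the host

function Get-IESiteZoneReport {
    # Which zone does the explicit map put the host in? 1 = Local intranet,
    # 2 = Trusted sites, 3 = Internet, 4 = Restricted. No entry means IE falls
    # back to its heuristics, which place a dotted name in the Internet zone.
    $zone = 3
    if (Test-Path $Map) {
        $v = (Get-ItemProperty -Path $Map).http
        if ($v) { $zone = [int]$v }
    }

    # Logon policy for that zone (value 1A00):
    #   0x00000 automatic logon with current user name and password
    #   0x10000 automatic logon only in Intranet zone   (default)
    #   0x20000 prompt for user name and password
    #   0x30000 anonymous logon
    $logon = (Get-ItemProperty -Path "$IS\Zones\$zone" -ErrorAction SilentlyContinue).'1A00'
    $logonText = if ($logon -eq $null) { 'not set (default applies)' } else { '0x{0:X5}' -f [int]$logon }

    New-Object PSObject -Property @{ Site = $Site; Zone = $zone; Logon1A00 = $logonText }
}

function Set-IESiteIntranet {
    # Put the host in the Local intranet zone and make that zone use automatic
    # logon; only then does Integrated Windows Authentication send the domain
    # credentials without prompting.
    New-Item -Path $Map -Force | Out-Null
    Set-ItemProperty -Path $Map -Name 'http' -Value 1 -Type DWord
    Set-ItemProperty -Path "$IS\Zones\1" -Name '1A00' -Value 0x10000 -Type DWord

    # The incident record also asks for the intranet as the home page.
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                     -Name 'Start Page' -Value "http://$Site/"
}

Get-IESiteZoneReport | Format-Table -AutoSize    # before
Set-IESiteIntranet
Get-IESiteZoneReport | Format-Table -AutoSize    # after: Zone 1, Logon1A00 0x10000
```

Because only one user is affected, a per-user (HKCU) cause is the right first suspect; a GPO site-to-zone assignment would affect everyone in the department. The same report is also a useful check before escalating: if the site is already in zone 1 with 0x10000, the prompt is not an IE zone problem.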

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.



Module Review and Takeaways

Review Questions
1. An employee whom the organization recently dismissed had used EFS to encrypt files on a domain-
joined portable computer. The user account has been deleted from the domain, and no backup of the
user account exists. No specific configuration of EFS was performed. Can you recover the EFS-
encrypted files?

2. You just received a new batch of 10 laptop computers that do not have a TPM. Is it still possible to
protect the hard drive contents by using BitLocker?

3. One of the users in your organization wants to use BitLocker To Go when transporting files between
work and home on a USB flash drive. The user has Windows XP on his computer at home. Is it
practical to use BitLocker To Go when one of the computers is running Windows XP?

4. A user in purchasing accesses various websites to order supplies. She is concerned that her actions on
these sites may be insecure. What two ways can she identify a website as using Secure Sockets Layer
(SSL) to encrypt data communications?

Tools

Tool                  Use for                                            Where to find it

Certificates snap-in  Exporting certificates for backup                  MMC

cipher.exe            Performing EFS functions on batches of files       Command line

manage-bde.exe        Managing BitLocker functions, including some not   Command line
                      available in the graphical interface

Module 9
Troubleshooting Operating System and Application Issues
Contents:
Lesson 1: Troubleshooting Application Installation Issues 9-3

Lesson 2: Troubleshooting Application Operations Issues 9-14

Lesson 3: Applying Application and Windows Updates 9-23


Lab: Troubleshooting Operating System and Application Issues 9-32

Module Overview

Computer users require applications for every task they perform, including editing documents, querying
databases, and generating reports. Supporting the installation and operations of applications is a critical
part of desktop support. To ensure that applications continue to function correctly, and to prevent
security issues, you must also apply updates in a timely way.

Objectives
After completing this module, you will be able to:

Troubleshoot application installation issues.

Troubleshoot application operation issues.

Apply application and Microsoft Windows updates.



Lesson 1
Troubleshooting Application Installation Issues

Most large organizations automate application installation from a central location. However, desktop-
support personnel are involved in application deployment during initial development of the deployment
process and when troubleshooting failed installations. You must know how to identify the reasons why an
application installation fails, and know how to resolve any issues that prevent application installation.

Objectives
After completing this lesson, you will be able to:
Describe application deployment methods.

Describe application deployment issues.

Describe methods to identify application dependencies.


Describe methods for resolving deployment issues.

Describe methods for troubleshooting Windows installer issues.

Control application installation with Windows 7 AppLocker policies.



Methods for Deploying Applications

Deploying applications is a critical part of supporting users. Generally, you should automate the
application deployment process. This simplifies the process from the user's perspective.

Methods for deploying applications include:

Manual installation. This method requires that the person installing the application (a user or support
person) know the location of the application setup files, and then initiate the installation. This
method of installation is suitable only when you are installing applications on a small number of
computers.

Group Policy. This method uses a Group Policy object (GPO) to automate application installation from
a network share. You can make applications available for users to select, or you can configure
applications so they install automatically for specific users or on specific computers. Some
applications require you to create a transform file (.mst) before the installation can run completely
unattended.

Microsoft System Center Configuration Manager 2007. This method uses the application deployment
capabilities of Configuration Manager 2007 to automate application installation from a network
share. The main benefits of Configuration Manager 2007 over deployment by using Group Policy are
increased flexibility and detailed reporting. You also can use Configuration Manager 2007 to
distribute application updates.

Virtualized applications. With the RemoteApp feature in Windows Server 2008 R2, you can avoid
installing applications on desktop computers. An icon on the user's desktop opens a Remote
Desktop Protocol (RDP) session to a server that hosts the application, and the application appears in
its own window on the local desktop. This simplifies application updates because you must update
only a single central copy of the application. This method works best with applications that need to
access data in a central location.

Note In Windows Server 2008, the RemoteApp feature was named Terminal Services
RemoteApp (TS RemoteApp).

Inclusion in operating system image. Many organizations include common applications in the base
operating-system image that they deploy on desktop computers. With this method, you can avoid
having a specific deployment process for the application. However, it does result in increased image
maintenance over time as your organization releases application updates and new application
versions.

Discussion: Application Deployment Issues

Application deployment may fail for a variety of reasons, including the configuration of the deployment
process or of the computer on which you deploy the application. Understanding the reasons why
applications fail to deploy helps you resolve the issues preventing installation.

Question: What are some reasons that application deployment or installation may fail?

Identifying Application Dependencies

Many applications require specific operating-system features to function properly. For example, many
applications require a specific version of the .NET Framework. Additionally, some applications use the
functionality of other applications to function properly. For example, some financial applications use
Microsoft Excel to perform calculations.

There are several ways to identify application dependencies, including:

Documentation. Most vendors provide installation documentation that clearly defines the application
requirements. By reading the documentation before attempting to perform an installation, you can
ensure that all application dependencies are in place.

Contact the vendor. If the vendor does not provide installation documentation that defines the
application requirements, you can request them from the vendor's application support department.

Errors during installation. Most software performs checks during installation to verify that the
computer on which the software is installed meets all application requirements. If an application
dependency is not in place, then the installer generates an error to indicate which dependency is
missing.

In most cases, software does not install at all if the application dependencies are not in place. Setup stops,
and the software-installation program generates an error that requests installation of all prerequisites
before another installation attempt occurs. However, some applications install even if the application
dependencies are not met. In those cases, the user encounters errors while operating the software, rather
than during installation.

Resolving Application Deployment Issues

The ability to resolve application deployment issues depends on your understanding of the issue's cause.
Once you understand why an application is not deploying properly, you can determine the correct
methods to resolve the issue.

Methods for Resolving Application Deployment Issues


The following are methods for resolving application deployment issues:

Run as administrator. For application installations that do not request elevation properly, you can
elevate manually by right-clicking the installation file, and then clicking Run as administrator.

Install the necessary dependencies. If you cannot install an application because of missing
dependencies, then you must install the necessary dependencies. If the missing dependency affects
multiple computers, you need to determine the best way to deploy the missing dependency to all
computers. You may need to update the base image so that it deploys with the dependency included.

Note You can enable Windows features by using Programs and Features in Control Panel, or by
running dism.exe at a command prompt. DISM can also enable features in an offline image.

Application Compatibility Toolkit (ACT). ACT is a suite of tools that Microsoft provides that simplify
the installation and execution of older applications on newer versions of Windows. One use for ACT is
to generate an inventory of installed applications, and then evaluate whether those applications
experience issues when running on Windows 7. You typically would use ACT during migration to a
new operating system.

Correct configuration of AppLocker. If AppLocker is blocking the installation of legitimate
applications, then you need to adjust the configuration of AppLocker rules.

Troubleshooting Windows Installer Issues

Windows Installer is the service in Windows 7 that installs, repairs, and removes applications packaged as
.msi files. During application installation, you may receive error messages, such as:

The Windows Installer Service could not be accessed.

Windows Installer Service could not be started.


Could not start the Windows Installer service on the Local Computer.

One source of Windows Installer issues is applications that do not complete installing or uninstalling. In
some cases, restarting the computer may force the operation to proceed. However, you may need to
reinstall or repair the application before you are able to remove it. In a worst-case scenario, you may need
to remove an application manually, including its registry entries.

To troubleshoot Windows Installer issues:

1. Verify that Windows Installer is functioning by running msiexec at a command prompt. If the service
is healthy, a dialog box listing the msiexec command-line options appears.

2. Verify that the Windows Installer service is configured to start manually, and that it starts without
errors.
3. Update to the latest version of Windows Installer.

4. Re-register Windows Installer by running the following commands at an elevated command prompt:

msiexec /unregister
msiexec /regserver

In rare cases, it is possible that another application that is running is preventing the software's installation
or removal. You can disable services and applications that start automatically to attempt to identify a
problem application.

Practice: Controlling Application Installation by Using AppLocker

AppLocker is one way to control application installation. By using AppLocker Windows Installer rules, you
can allow or block .msi packages based on file path, publisher (digital signature), or file hash.

If you choose to create the default rules, they:

Allow members of the Everyone group to install all digitally signed Windows Installer files.

Allow members of the Everyone group to install all Windows Installer files in
%systemdrive%\Windows\Installer.

Allow members of the Administrators group to install all Windows Installer files.

In this practice, you will use Group Policy to deploy an application and configure AppLocker rules for
Windows Installer.
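The checks a technician runs on NYC-CL1 when a Windows Installer package will not install, covering the Windows Installer troubleshooting steps in the previous topic and the AppLocker rules in this practice. This is an added example, not part of the course; it uses the AppLocker PowerShell module that ships with Windows 7 and assumes the package and user are this practice's \\NYC-DC1\Software\XmlNotepad.msi and Contoso\Adam.

```powershell
# Added example, not part of the course. ASSUMPTIONS: the package and user are
# the practice's \\NYC-DC1\Software\XmlNotepad.msi and Contoso\Adam; run from an
# elevated PowerShell prompt on NYC-CL1 after the Software GPO has applied.
Import-Module AppLocker
$Package = '\\NYC-DC1\Software\XmlNotepad.msi'
$User    = 'Contoso\Adam'

function Get-InstallerServiceState {
    # Windows Installer (msiserver) is Manual by design and starts on demand.
    # Application Identity (AppIDSvc) must be running, or AppLocker rules are not
    # enforced at all, which makes "it installs fine for me" results misleading.
    foreach ($name in 'msiserver', 'AppIDSvc') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{ Service = $name; StartMode = $svc.StartMode; State = $svc.State }
    }
}

function Test-PackageAllowed {
    # Merge local and domain AppLocker policy and ask whether this MSI would be
    # allowed for this user. PolicyDecision is Allowed, Denied or DeniedByDefault;
    # MatchingRule names the rule, so a bad rule is found without trial installs.
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Package -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-RecentMsiDecisions {
    # AppLocker logs every MSI decision: 8005 allowed, 8006 would have been blocked
    # (audit only), 8007 blocked. No entry after a failed install means the failure
    # happened before AppLocker, for example in the Windows Installer service itself.
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { 8005, 8006, 8007 -contains $_.Id } |
        Select-Object TimeCreated, Id, Message
}

Get-InstallerServiceState | Format-Table -AutoSize
if ((Get-Service AppIDSvc).Status -ne 'Running') { Start-Service AppIDSvc }
Start-Service msiserver      # throws if the service is broken; a cheap health check
Test-PackageAllowed | Format-Table -AutoSize
Get-RecentMsiDecisions | Format-Table -AutoSize -Wrap

# For the installer's own diagnostics, rerun the package with a verbose log:
#   msiexec /i $Package /l*v "$env:TEMP\xmlnotepad-install.log"
```

Test-AppLockerPolicy evaluates the policy without touching the target computer's installer, so it is safe to run against a package that has already failed, and it answers the question the practice raises: whether a signed package such as XmlNotepad.msi is covered by the "digitally signed" default rule or needs a rule of its own.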

Instructions
For this practice, you will use the available virtual machine environment. Before you begin the practice,
you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

5. Repeat steps 1-4 for 6293A-NYC-CL1.



Detailed Steps

X Configure an application for deployment by using Group Policy


1. On NYC-DC1, click Start, type cmd, and press Enter.

2. At the command prompt, type net share software=D:\Labfiles\Mod09\Software and press Enter.

3. Close the command prompt.

4. Click Start, point to Administrative Tools, and then click Group Policy Management.

5. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand


Contoso.com, and then click Contoso.com.

6. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.

7. In the New GPO window, in the Name box, type Software, and then click OK.

8. Right-click Software, and then click Edit.

9. In the Group Policy Management Editor window, under User Configuration, expand Policies, and
then expand Software Settings.

10. Right-click Software installation, point to New, and then click Package.

11. In the Open window, browse to \\NYC-DC1\Software, click XmlNotepad.msi, and then click Open.
12. In the Deploy Software window, click Assigned, and then click OK.

Note You have assigned the application to all of the organization's users. Installation runs when a
user first opens the application or a file with an extension that the package registers, or the user
can start it manually from Programs and Features.

X Enable the Application Identity Service


1. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click System Services.

2. Double-click Application Identity.

3. In the Application Identity Properties window, select the Define this policy setting check box, click
Automatic, and then click OK.

Note The Application Identity Service is required to evaluate AppLocker rules. If this service
is not running, then AppLocker rules have no effect.

X Configure Default AppLocker Rules for Windows Installer


1. In the Group Policy Management Editor window, under Computer Configuration, under Security
Settings, expand Application Control Policies, and then click AppLocker.

2. Read the information that displays.

3. In the Overview area, click Windows Installer Rules. Notice that no rules are configured
automatically.

4. Right-click Windows Installer Rules, and then click Create Default Rules.

5. Review the default rules.

X Install an Application from Group Policy


1. On NYC-CL1, click Start, type cmd, and then press Enter.

2. At the command prompt, type gpupdate /force, and then press Enter.

3. Close the command prompt.


4. Log off and then log on as Adam with a password of Pa$$w0rd.

5. Click Start, type Programs, and then click Programs and Features.

6. In the Programs and Features window, click Install a program from the network.

7. Right-click XML Notepad 2007, and then click Install. Notice that the installation process begins.

8. In the XML Notepad 2007 Setup window, click Cancel, and then click Yes.

9. Click Finish and then close the Control Panel window.


10. Log off NYC-CL1.

X To prepare for the next practice


When you finish the practice, leave both virtual machines running.

Lesson 2
Troubleshooting Application Operations Issues

An application operation issue is any instance in which an application is not operating as a user expects.
Desktop-support personnel should identify the source of an application operation issue, and then resolve
it.

Objectives
After completing this lesson, you will be able to:

Describe application operation issues.


Describe how to identify application errors.

Describe methods of resolving application operation issues.

Describe the ACT.

Resolve an application compatibility issue by using ACT.



Issues Related to Application Operations

An application operation issue is any situation in which an application does not perform properly from the
user's perspective. Some of the issues that you or your users may encounter include:

Missing features. Many applications let you select which features to install. An application's
default installation options may not include the features that all users require.

Incorrect configuration. An application's post-installation default settings may not be appropriate, so
you may need to customize the application's settings, such as the default locations for saving files and
folders, to fit your environment.

Poor performance. Applications may run slower than users expect. This can happen either when users
perform a specific task or during regular application use.

Errors. Any error that the application displays on-screen is an application operation issue.

Incorrect database connection settings. Some applications use a backend database as a data store. If
you do not configure the connection to the database correctly, the application cannot function
correctly.

Application blocking by AppLocker. You can configure AppLocker to allow or block applications on
Windows 7 computers. If AppLocker is blocking a legitimate application, then you must try to resolve
the issue.

Identifying Application Operations Issues

Issues with application operations impact users' ability to perform their jobs. You must identify and
troubleshoot these issues as quickly and as accurately as possible.

Before you deploy an application widely, you should put it through a testing process that includes
common user activities. Desktop-support staff often perform this testing. During testing, the application
may not function as you expect, which triggers the need for further troubleshooting.

After you deploy an application, users are the most common source for information about issues with
application operations, because they report their computer-related issues to the help desk.

When you investigate issues with application operations, you can use both on-screen error messages and
event logs. In some cases, these provide enough information to resolve the issue. In other cases, you may
need to perform more research.
Additional research may include:

Searching the vendor website.

Searching the Internet.

Contacting vendor support.



Resolving Application Operations Issues

Your success in resolving an issue with application operations depends on your accuracy in defining the
issue, and then determining how to resolve it. Some ways to resolve issues with application operations
include:

Install a needed feature. If an application feature that a user requires is missing, then you can install it.
Ultimately, you must determine if other users require that feature, and determine the best way to
accommodate them. You might need to update the application's installation process or update an
operating-system image that contains the application.

Reconfigure an application. If you configure an application incorrectly, you can reconfigure it so that
it meets the defined specifications. If multiple users require the reconfiguration, you need to
determine the best way to update multiple computers. You may decide to update Group Policy,
update the application deployment process, or update an operating-system image that contains the
application.

Repair or reinstall an application. If an application is experiencing errors or is unable to start, repairing
the application may resolve the issue. Repairing an application updates the application files to the
correct version, and rewrites required computer-specific registry entries, but does not affect user-
specific registry entries. If an application repair does not resolve the problem, try reinstalling the
application.

Apply application updates. Application updates resolve application operation issues that the
application's vendor identifies. Installing application updates in a timely way may prevent some issues
with application operations from occurring in your environment, and may also resolve performance
issues.

Upgrade the application to a newer version. Some issues with application operations require you to
upgrade to a newer version of the application. For example, to increase performance and access more
memory, you may need to upgrade an application to a 64-bit version. New features also are available
in newer versions. Depending on how you license the application, there often is a fee associated with
obtaining a newer version of an application.

Identify performance issues and bottlenecks. Performance issues that users report typically are very
vague. You need to define the source of a performance issue accurately by using tools such as
Performance Monitor. Improving performance may require hardware upgrades, or recommending that
users run fewer applications simultaneously on the computer. You also may need to adjust users'
performance expectations.

Reconfigure AppLocker rules. If AppLocker rules are preventing a legitimate application from running,
you must reconfigure those rules to allow the application to run, by allowing the application path, the
publisher, or the hash value.
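The following PowerShell script is an added example and is not part of the course material. It uses the AppLocker cmdlets that ship with Windows 7 Enterprise and Ultimate to perform the checks described above: confirm that rules are actually being enforced, find the rule and the event that explain why a file was blocked, and generate a publisher rule (or, for an unsigned file, a hash rule) instead of a path rule. The same checks apply to the AppLocker lab exercises later in this module. The executable name, the account name, and the output file location are assumptions.

```powershell
# Added example, not part of course 6293A. Requires Windows 7 Enterprise/Ultimate
# (or Windows Server 2008 R2) and an elevated PowerShell prompt.
Import-Module AppLocker

$exe  = 'C:\XMLNotepad\XmlNotepad.exe'   # assumption: the blocked application's executable
$user = 'CONTOSO\Adam'                   # assumption: the account that reported the problem

# 1. Rules are only enforced when the Application Identity service is running and the rule
#    collection is "Enabled" (not "AuditOnly" or "NotConfigured"). A policy that contains the
#    default rules but is not enforced explains "it worked in testing but not in production".
Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'" | Format-Table Name, State, StartMode -AutoSize
$policyXml = [xml](Get-AppLockerPolicy -Effective -Xml)
$policyXml.AppLockerPolicy.RuleCollection | Format-Table Type, EnforcementMode -AutoSize

# 2. Which rule decides the outcome for this file and this user?
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $exe -User $user |
    Format-List FilePath, PolicyDecision, MatchingRule

# 3. What has AppLocker actually blocked? 8004 = blocked (enforced), 8003 = would block (audit only).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 4. Allow the application with a publisher rule; New-AppLockerPolicy falls back to a hash rule
#    when the file is unsigned. Either is safer than a path rule, which would also allow anything
#    later dropped into C:\XMLNotepad.
$ruleXml = Get-AppLockerFileInformation -Path $exe |
           New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$out = Join-Path $env:TEMP 'XmlNotepad-allow.xml'      # assumption: scratch location
$ruleXml | Out-File -FilePath $out -Encoding UTF8

# 5. Merge into the local policy for testing. For production, import the same XML into the
#    domain GPO (Set-AppLockerPolicy -XmlPolicy $out -Ldap "LDAP://..." -Merge) so the fix
#    reaches every affected computer rather than just this one.
Set-AppLockerPolicy -XmlPolicy $out -Merge
```

If step 1 shows the service stopped or the collection in AuditOnly mode, fix that before touching rules; if step 2 reports a deny decision with no matching rule, the file simply falls outside the allow rules and step 4 is the remedy.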

What Is the Application Compatibility Toolkit?

The ACT is a set of tools that you can use to inventory applications, analyze compatibility of applications,
and mitigate compatibility issues. Organizations typically use ACT when planning a new operating-system
deployment, to ensure that all applications function properly.

ACT includes features such as:

A database of known application compatibility issues and resolutions.

The Compatibility Administrator, which provides compatibility fixes (previously known as shims) that
enable older applications to run on newer Windows versions.

The Setup Analysis Tool, which monitors an application's installation process and identifies issues that
relate to installation.

The Internet Explorer Compatibility Test, which monitors web-based applications, and then identifies
issues that newer versions of Windows Internet Explorer experience.

The Standard User Analyzer (SUA) identifies any issues that relate to running an application as a
standard user.

The Update Compatibility Evaluator identifies any issues that relate to implementing new Windows
updates.

Practice: Resolving an Application Compatibility Issue by Using ACT

ACT includes the Standard User Analyzer Wizard that you can use to determine whether applications run
correctly for a standard Windows 7 user. The Standard User Analyzer Wizard monitors an application
when you run it. If the application experiences errors, then the Standard User Analyzer Wizard creates
mitigations that allow the application to run properly. You then can distribute the mitigations to all
computers that will use that application.

In this practice, you will capture and test mitigations for the Stock Viewer application.

Instructions
For this practice, you will use the available virtual machine environment. Both 6293A-NYC-DC1 and
6293A-NYC-CL1 should be running.

Detailed Steps

Note Stock Viewer is a demonstration application that ACT includes. However, this
demonstration uses the same process that you would use to resolve issues with any
application.

Verify the application issue

1. On NYC-CL1, log on as Adam with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Microsoft Application Compatibility Toolkit, click Demo
Application, and then click Stock Viewer.

3. In the Permission denied window, click OK.

4. Close Stock Viewer.



Capture mitigations for Stock Viewer

1. Click Start, point to All Programs, click Microsoft Application Compatibility Toolkit, click
Developer and Tester Tools, and then click Standard User Analyzer Wizard.

2. In the Standard User Analyzer Wizard window, click Browse for Application, browse to
C:\Program Files\Microsoft Application Compatibility Toolkit
\Compatibility Administrator (32-bit)\Demo Application\StockViewer, click StockViewer, and
then click Open.

3. Click Launch.

4. In the User Account Control window, provide the credentials NYC-CL1\WSAdmin with a password of
Pa$$w0rd. Click Yes.

5. In the Permission denied window, click OK.

6. Click the Trends button, and then click OK to clear the error message.

7. Click the Tools menu, and then click Options.

8. Click Continue to clear the error message.

9. Close Stock Viewer.


10. In Standard User Analyzer, click No to indicate that the application encountered errors.

Test mitigations for Stock Viewer

1. In Standard User Analyzer, click Launch.

2. Click the Trends button.


3. Click the Tools menu, and then click Options.

4. Click OK to clear the dialog box.

5. Close Stock Viewer.


6. In Standard User Analyzer, click Yes to indicate that the application encountered no errors.

Export mitigations as an MSI file

1. In Standard User Analyzer, click Export.

2. In the Save Mitigations As msi package window, in the left pane, click Desktop and then click Save.

3. Click OK to close the message about saving the MSI file.

4. In Standard User Analyzer Wizard, click Exit.

5. Review the files on the desktop. StockViewer.exe.msi is on the desktop. This file contains the
mitigations that allow StockViewer.exe to run.
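After the practice, the mitigation package still has to reach every computer that runs the application. The following PowerShell script is an added example and is not part of the course: it installs the exported MSI silently with Windows Installer, records the package hash, and then reads the registry to show which custom compatibility databases are registered on the computer and which executables they apply to. The same Invoke-WindowsInstaller helper, called with "/fa <ProductCode>" instead of "/i <package>", performs the repair described earlier in this lesson (note that msiexec's /f options include "u", which rewrites the current user's registry entries, and "m", which rewrites machine entries). The package location and log path are assumptions.

```powershell
# Added example, not part of course 6293A. Run from an elevated prompt on the target computer.
$msi = Join-Path ([Environment]::GetFolderPath('Desktop')) 'StockViewer.exe.msi'  # assumption
$log = Join-Path $env:TEMP 'StockViewer-mitigation.log'                             # assumption

function Invoke-WindowsInstaller([string]$Arguments, [string]$LogPath) {
    # Wraps msiexec.exe: quiet, verbose log, and fails unless the exit code is 0 (success)
    # or 3010 (success, reboot required). "/i <msi>" installs; "/fa <ProductCode>" repairs.
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "$Arguments /qn /l*v `"$LogPath`"" -Wait -PassThru
    if (0, 3010 -notcontains $p.ExitCode) { throw "msiexec exit code $($p.ExitCode); see $LogPath" }
    $p.ExitCode
}

function Get-Sha256Hex([string]$Path) {
    # PowerShell 2.0 (Windows 7) has no Get-FileHash, so use .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' } finally { $fs.Close() }
}

function Get-InstalledShimDatabase {
    # Every custom .sdb registered on the computer (sdbinst.exe does the registration) gets a
    # GUID-named key under InstalledSDB, and each target executable gets a key under Custom
    # whose values are named "<GUID>.sdb".
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
    $customKeys = @(Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue)
    foreach ($key in @(Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue)) {
        $v  = Get-ItemProperty -Path $key.PSPath
        $id = $key.PSChildName
        $targets = $customKeys | Where-Object { $_.GetValueNames() -contains "$id.sdb" } |
                   ForEach-Object { $_.PSChildName }
        New-Object PSObject -Property @{
            Description = $v.DatabaseDescription
            Path        = $v.DatabasePath
            Installed   = [DateTime]::FromFileTime($v.DatabaseInstallTimeStamp)
            Targets     = ($targets -join ', ')
        }
    }
}

'Installing package with SHA-256 ' + (Get-Sha256Hex $msi)   # record this with the change ticket
Invoke-WindowsInstaller -Arguments "/i `"$msi`"" -LogPath $log
Get-InstalledShimDatabase | Format-Table Description, Targets, Path, Installed -AutoSize
```

Get-InstalledShimDatabase is worth running on any computer you are investigating, not only after a deployment: a compatibility database can redirect or hook a legitimate executable, so an .sdb that you did not deploy is a finding. Remove a database with sdbinst.exe -u followed by the path to the .sdb file.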

To prepare for the lab


When you finish the practice session, revert the virtual machines to their initial state by completing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 1-3 for 6293A-NYC-CL1.

Lesson 3
Applying Application and Windows Updates

Deploying updates is an important part of application and operating-system maintenance. Most
organizations automate deployment of updates to ensure that they occur in a timely way. Windows Server
Update Services (WSUS) is a tool that enables you to manage deployment of updates to Windows 7
computers. You must configure clients to use WSUS to ensure that they receive updates.

Objectives
After completing this lesson, you will be able to:
Discuss why application updates are important.

Describe methods of applying application updates.

Describe how WSUS works.


Describe the process of configuring clients to use WSUS.

Describe how to manage WSUS.

Describe how to use Windows Update.

Describe the process of troubleshooting Windows Update issues.



Discussion: Why Are Application Updates Important?

Question: Why are application updates important?



Methods of Applying Application Updates

All organizations have a wide variety of applications. You must be aware of how your organization
provides software updates to both applications and operating systems.

Applying Application Updates

You can apply application updates:
Manually. You can download and apply updates manually. However, this is not an efficient method
for larger organizations. You should automate a process to ensure that it occurs consistently.

By using Automatic Updates. Automatic Updates downloads updates for Windows 7 and some
common Windows applications such as Microsoft Office 2010. Using Automatic Updates enables you
to ensure that updates are downloaded and applied automatically, on a specific schedule. The
drawback of Automatic Updates is that there is no approval process to ensure that an update does
not negatively impact applications in your organization.

By using WSUS. WSUS is an automated solution that downloads updates from Microsoft Update, but
does not deliver them to computers until an administrator approves the updates. This gives you the
opportunity to test updates before they are applied.

By using Configuration Manager 2007 or third-party tools. Configuration Manager 2007 and
third-party tools provide an automated way to deploy updates that are available from
Microsoft Update and other vendors.

By using application-specific update tools. Many vendors include update functionality in their
applications. These tools help the update process by prompting users to install updates. However, in
many cases, standard users do not have the necessary permissions to install updates. Also, users may
decline updates if they do not understand the prompts.

How WSUS Works

WSUS is a scalable solution for distributing Windows updates and application updates. Depending on
your organization's needs, you can install WSUS on a single server, or you can configure it in a hierarchy
of WSUS servers.

The general process for how WSUS works is:

1. WSUS downloads updates from Microsoft Update.

2. Updates are approved for a pilot group of computers.

3. The pilot group of computers downloads and applies updates from WSUS.
4. Updates are approved for all computers.

5. The remaining computers download and apply updates from WSUS.

Controlling the Update Process

When you use WSUS to distribute updates, WSUS downloads the updates from Microsoft Update only
once. When you compare using WSUS with downloading updates individually for many computers, WSUS
reduces Internet traffic significantly.

The approval requirement for updates provides administrators with an opportunity to test updates, and to
ensure that a new update does not have a negative impact on existing applications. Microsoft rigorously
tests the updates available on Microsoft Update, but is not able to replicate and test all environments. You
should pay special attention to negative impacts from updates on any custom software and unique
software that your organization develops internally.

Another method that you can use to control the update process is to organize computers into multiple
computer groups, which is useful for controlling the distribution of updates to specific workgroups or
computer types. For example, you could create a computer group for servers, and then create another
group for Windows client computers. You then could approve the update either separately for each
computer group, or for all computers.

Configuring Clients to Use WSUS

Windows 7 includes Automatic Updates, which is a built-in tool that allows computers to download and
apply software updates automatically. In the default configuration, Automatic Updates obtains the
updates from Microsoft Update, which provides Windows and application updates from Microsoft's
website.

After you implement WSUS, clients do not automatically begin using the WSUS server for updates. You
must configure clients to use the WSUS server as a source for updates, rather than Microsoft Update. To
configure clients to use the WSUS server, use a GPO in Computer Configuration\Policies
\Administrative Templates\Windows Components\Windows Update. You can use a GPO to configure:

The source for automatic updates.

Whether new WSUS clients are added automatically to a computer group.


How often automatic updates are detected.

What time of day updates are applied.



WSUS Administration

You use the Update Services administrative tool to administer WSUS. This tool is installed on the WSUS
server as part of the WSUS installation process.

The nodes in Update Services let you configure various aspects of WSUS, including:

Updates. This node allows you to view and manage the updates that WSUS identifies. You can control
whether WSUS downloads updates, identify where WSUS applies updates, and approve updates for
installation.

Computers. Computers that contact the WSUS server appear in this node. After a computer is visible
in this node, you can place the computer into a computer group.

Downstream Servers. This node is useful for larger organizations that want to configure
synchronization of updates between WSUS servers. This enables you to have a central point to which
WSUS downloads all updates and then distributes them to other WSUS servers.

Synchronizations. This node provides status information about synchronization attempts with
Microsoft Update. You should check this node if new updates are not appearing in the updates node.

Reports. This node provides a variety of reports on update status and computer status, including where each update has been installed.

Options. This node enables you to configure various WSUS settings, including for which products you
want to download updates, and how often synchronization occurs.
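Everything the Update Services console exposes is also available through the WSUS administration API, which is useful for scripting the pilot-then-production approval flow from "How WSUS Works" and for checking the Synchronizations and Computers nodes without opening the console. The following PowerShell script is an added example and is not part of the course; it runs on a WSUS 3.0 server (or any computer with the WSUS console installed) as a member of the WSUS Administrators group. The computer group name "Pilot" is an assumption.

```powershell
# Added example, not part of course 6293A. WSUS 3.0 administration API from PowerShell.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Synchronizations node: if new updates are not appearing, start here.
$sync = $wsus.GetSubscription().GetLastSynchronizationInfo()
'Last synchronization started {0:u}, result: {1}' -f $sync.StartTime, $sync.Result

# Computers node: a client that never appears here is not configured to talk to this server.
$wsus.GetComputerTargets() |
    Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime |
    Sort-Object LastReportedStatusTime | Format-Table -AutoSize

function Approve-SecurityUpdates([string]$GroupName) {
    # Approve every security update that is not yet approved for one computer group. Run it
    # first for the pilot group; once the pilot reports no regressions, run it for production.
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Computer group '$GroupName' does not exist on this server" }
    $install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

    foreach ($u in $wsus.GetUpdates()) {
        if ($u.IsDeclined -or $u.UpdateClassificationTitle -ne 'Security Updates') { continue }
        if ($u.GetUpdateApprovals($group).Count -gt 0) { continue }   # already approved for this group
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve($install, $group)
        'Approved for {0}: {1}' -f $GroupName, $u.Title
    }
}

Approve-SecurityUpdates -GroupName 'Pilot'            # assumption: a "Pilot" group exists
# Approve-SecurityUpdates -GroupName 'All Computers'   # after the pilot group has validated the updates
```

Keep the pilot group representative (each hardware model and each line-of-business application) so that the approval gate actually catches the regressions the lesson warns about.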

Working with Windows Update

You can use Windows Update in Control Panel to manage the updates that are applied to a computer
running Windows 7. In most organizations, the configuration of Windows Update is managed by using
Group Policy. However, there may be some cases where mobile computers or computers in remote sites
are configured manually.
Windows Update includes the following options:

Check for updates. In most cases, updates are downloaded daily on a schedule, but you can force
Windows Update to check for updates if you believe a new update is available and you want to
download it immediately.

Change settings. The settings for Windows Update define the download and install schedule. In most
cases the updates install after-hours when no users are working on the computers.
View update history. This option allows you to view all of the updates that successfully installed on
the computer, and those that failed to install properly. For each update listed, you can view details
and a brief description of the installed update. The details contain a link to a more detailed
description on Microsoft's website that you can use during troubleshooting.

Restore hidden updates. You can choose not to install an update, as long as the update is available
and is not set to automatically install. After you do this, the update becomes hidden and no longer
appears in the list of available updates. If you decide later that the update should be installed, you
can use the restore hidden updates option to make it visible and available for installation.

Installed Updates. You can use this option to display a list of all updates that you installed on the
computer, including the installation date for each update. Installed Updates also gives you the option
to uninstall each update installation. Typically, you should only uninstall updates when you believe a
recently installed update is causing issues with Windows 7 or an application.

You typically use the options in Windows Update during troubleshooting, or use them for computers that
are not using WSUS for updates. Updates that are installed by WSUS can also be uninstalled by WSUS.
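The options on the Windows Update Control Panel item are backed by the Windows Update Agent COM API, which you can script when you need the same information from many computers or want to undo a user's decision to hide an update without visiting the desk. The following PowerShell script is an added example and is not part of the course; it runs as-is on Windows 7 and needs an elevated prompt for the unhide step.

```powershell
# Added example, not part of course 6293A. Windows Update Agent COM API, present on Windows 7.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

function Get-UpdateHistory([int]$Last = 15) {
    # Same data as "View update history". ResultCode: 1 in progress, 2 succeeded,
    # 3 succeeded with errors, 4 failed, 5 aborted. Operation: 1 install, 2 uninstall.
    # A non-zero HResult is the error code to look up when an installation failed.
    $result = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $total  = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $searcher.QueryHistory(0, $total) |
        Select-Object Date, Title,
            @{ n = 'Operation'; e = { if ($_.Operation -eq 1) { 'Install' } else { 'Uninstall' } } },
            @{ n = 'Result';    e = { $result[[int]$_.ResultCode] } },
            @{ n = 'HResult';   e = { '0x{0:X8}' -f $_.HResult } } |
        Sort-Object Date -Descending | Select-Object -First $Last
}

function Restore-HiddenUpdates {
    # Same effect as "Restore hidden updates": clear the IsHidden flag that a user set.
    # ServerSelection 0 = the source this computer is configured for (WSUS or Microsoft Update),
    # 1 = managed server, 2 = Windows Update.
    $searcher.ServerSelection = 0
    $hidden = $searcher.Search('IsInstalled=0 and IsHidden=1').Updates
    foreach ($u in $hidden) { $u.IsHidden = $false; 'Unhidden: ' + $u.Title }
    'Restored {0} hidden update(s)' -f $hidden.Count
}

function Get-InstalledKB {
    # Cross-check against "Installed Updates" and against the WSUS report for this computer.
    $searcher.Search('IsInstalled=1').Updates |
        ForEach-Object { $_.KBArticleIDs | ForEach-Object { "KB$_" } } |
        Sort-Object -Unique
}

Get-UpdateHistory | Format-Table -AutoSize -Wrap
Restore-HiddenUpdates
'{0} updates reported installed' -f @(Get-InstalledKB).Count
```

The two Search calls contact the configured update source and can take several minutes on a computer with a long update history; the history query is local and fast.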

Troubleshooting Windows Update Issues

When Windows Update is not working properly, new updates are not applied to computers running
Windows 7. This leaves known security vulnerabilities unpatched and prevents stability issues from being resolved.

To troubleshoot Windows Update, use the following steps:

1. Verify that Windows Update is enabled. Windows Update must be enabled for updates to be
downloaded and applied. If your organization is using a GPO to configure Windows Update and it is
not enabled, then you must determine why the GPO is not being applied properly.

2. Verify that updates are being installed automatically. To ensure that users do not need to manually
choose when to install updates, they should be configured to install automatically.

3. Verify that recommended updates are being installed. If recommended updates are not configured to
be installed, then only important updates are installed. This means that many updates are missed.

If you are using WSUS to distribute updates, you should also perform the following steps:

1. Verify that the client is registered on the WSUS server. A WSUS server can only distribute updates to
registered clients. Clients are registered the first time they communicate with the WSUS server. If the
client is not registered, then it is likely not configured correctly for communication with the WSUS
server.

2. Verify that the client is configured in the appropriate computer group. WSUS updates are approved
for specific computer groups. If a client computer is in the wrong computer group, then it will not
obtain the appropriate updates.

3. Verify that an update has been approved for the appropriate computer group. If the update has not
been approved for the correct computer group then it will not be installed on client computers.

4. Verify that the WSUS server is reachable over the network. If the WSUS configuration appears to be
correct, there may be a network problem that is preventing Windows 7 from communicating with the
WSUS server.

To verify connectivity to Windows Update or a WSUS server, you can use the command wuauclt.exe
/detectnow which forces the immediate detection of available updates. Also, you can use
wuauclt.exe /resetauthorization to force a client to detect group-membership changes
immediately on the WSUS server rather than waiting for WSUS to detect the changes, which can take
up to one hour.
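The checks above, together with the GPO settings from "Configuring Clients to Use WSUS", can be worked through on a client in one pass. The following PowerShell script is an added example and is not part of the course; it reads the policy-backed registry values that the Windows Update GPO writes, tests that the WSUS URL is reachable, reviews the agent's events, forces a detection cycle and shows the tail of the agent log. Run it elevated on the affected Windows 7 computer; it is also the client-side half of Lab Exercise 1.

```powershell
# Added example, not part of course 6293A. Run elevated on the client that is not getting updates.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $polKey      -ErrorAction SilentlyContinue   # update source settings
$au = Get-ItemProperty -Path "$polKey\AU" -ErrorAction SilentlyContinue   # Automatic Updates settings

# 1. Did the GPO reach this computer at all? Missing keys mean no Windows Update policy applied.
if (-not $wu -and -not $au) {
    Write-Warning 'No Windows Update policy keys present; check GPO scope and filtering with: gpresult /r /scope computer'
}

# 2. Enabled and automatic? NoAutoUpdate 1 = disabled. AUOptions: 2 notify, 3 download, 4 scheduled install, 5 user chooses.
$modes = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify to install'
            4 = 'Auto download and schedule install'; 5 = 'Local administrator chooses' }
if ($au.NoAutoUpdate -eq 1) { Write-Warning 'Automatic Updates is disabled by policy' }
'AUOptions {0} ({1}); install day {2} at {3}:00; detection every {4} h' -f `
    $au.AUOptions, $modes[[int]$au.AUOptions], $au.ScheduledInstallDay, $au.ScheduledInstallTime, $au.DetectionFrequency

# 3. Pointed at WSUS, and with which target group? Client-side targeting needs TargetGroupEnabled = 1.
'UseWUServer {0}; WUServer {1}; WUStatusServer {2}' -f $au.UseWUServer, $wu.WUServer, $wu.WUStatusServer
'TargetGroupEnabled {0}; TargetGroup {1}' -f $wu.TargetGroupEnabled, $wu.TargetGroup

# 4. Network: can the port be opened, and does the server answer the self-update request the agent makes?
if ($wu.WUServer) {
    $uri = [Uri]$wu.WUServer
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($uri.Host, $uri.Port); 'TCP {0}:{1} open' -f $uri.Host, $uri.Port }
    catch   { Write-Warning ('Cannot connect to {0}:{1}: {2}' -f $uri.Host, $uri.Port, $_.Exception.Message) }
    finally { $tcp.Close() }
    try {
        $cab = (New-Object System.Net.WebClient).DownloadData($wu.WUServer.TrimEnd('/') + '/selfupdate/wuident.cab')
        'wuident.cab served ({0} bytes): the WSUS web site is answering' -f $cab.Length
    } catch { Write-Warning "WSUS web site did not serve wuident.cab: $($_.Exception.Message)" }
}

# 5. Service state and the agent's own events (System log, provider Microsoft-Windows-WindowsUpdateClient).
Get-Service wuauserv | Format-Table Name, Status -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient' } `
             -MaxEvents 10 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 6. Force the client to re-read its group assignment and detect now, then read what the agent logged.
#    /resetauthorization clears the client-side targeting cookie; /detectnow starts a detection cycle.
wuauclt.exe /resetauthorization /detectnow
Start-Sleep -Seconds 60
Get-Content -Path "$env:windir\WindowsUpdate.log" | Select-Object -Last 40
```

If step 4 fails while step 3 shows a correct URL, the problem is on the network or the WSUS web site (port 80 or 8530 by default for WSUS 3.0, 443 or 8531 with SSL), not in the client configuration; the WindowsUpdate.log tail will show the same failure with an HRESULT you can search for.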

Lab: Troubleshooting Operating System and Application Issues

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Repeat steps 2 and 3 for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Lab Scenario
The help desk has received a number of trouble tickets that relate to applications. Because you are the
desktop-support technician that has the most experience with application issues, the tickets have been
assigned to you.

Exercise 1: Troubleshooting Windows Updates


Scenario
In this exercise, you will troubleshoot and attempt to resolve a Windows update problem that Tier 1 help-
desk staff could not resolve.

Note Some of the tasks that you perform to complete this exercise may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603193.


2. Update the Plan of Action section of the Incident Record.

3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603193

Date of Call April 14


Time of Call 08:20
User All computers
Status OPEN

Incident Details
Client computers and servers are not obtaining Windows updates from the new WSUS server.

Additional Information
The new WSUS server is implemented, and it is successfully downloading updates from Microsoft
Update. However, the updates are not being delivered to client computers.
We recently blocked access to Microsoft Update for client computers to ensure that they were using
the WSUS server for updates.
You can force connectivity to the WSUS server by running wuauclt.exe /detectnow on the client
computer.
You can verify that the client connected to the WSUS server by checking the WindowsUpdateClient
event log for Event ID 26. You also can verify that the computer is listed in the Update Services
administrative tool on NYC-DC1.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603193


Read the help-desk Incident Record for incident 603193.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attempt to resolve the problem


1. Using your knowledge of WSUS configuration, attempt to resolve the problem.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:


On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.
Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved the issue with Windows updates.

Exercise 2: Troubleshooting AppLocker Policy Application


Scenario
In this exercise, you will troubleshoot and attempt to resolve a reported problem with an AppLocker
policy application that Tier 1 help-desk staff could not resolve.

Note Some of the tasks that you perform to complete this exercise may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603210.


2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603210

Date of Call April 14


Time of Call 11:33
User Marketing Manager
Status OPEN

Incident Details
Unauthorized applications are being used on computers.

Additional Information
We have recently implemented AppLocker policies to control the use of applications. In testing, the
default rules were configured, which prevented most unauthorized applications from running.
A manager has reported that several of his staff are playing games that are not authorized. It appears
that the users have brought in the games on USB flash drives.
I browsed Adam Carter's profile on NYC-CL1, and he has a game stored in the Downloads folder.
Please identify why these are not being blocked in production like they were in testing.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603210


Read the help-desk Incident Record for incident 603210.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod09\Scenario3.vbs script. NYC-CL1 will reboot when you run this script.

Task 4: Attempt to resolve the problem


1. Using your knowledge of AppLocker configuration, attempt to resolve the problem.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.


In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have prevented unauthorized applications from starting.

Exercise 3: Troubleshooting Application Startup


Scenario
In this exercise, you will troubleshoot and attempt to resolve a reported problem with application
startup that Tier 1 help-desk staff could not resolve.

Note Some of the tasks that you perform to complete this exercise may not typically be
the responsibility of Tier 2 support staff. However, it is useful to see the completed scenario.

The main tasks for this exercise are:

1. Read the help-desk Incident Record for Incident 603220.


2. Update the Plan of Action section of the Incident Record.

3. Attempt to resolve the problem.

Supporting Documentation
Incident Record
Incident Reference Number: 603220

Date of Call April 14


Time of Call 13:15
User Marketing Manager
Status OPEN

Incident Details
An authorized application is not able to run.

Additional Information
After resolving incident 603210, it appears that a legitimate application is being blocked. The
Marketing Manager is reporting that Adam is no longer able to run his game on NYC-CL1, but now
also cannot run an XML editing application. The executable for this application is located in
C:\XMLNotepad.
Please identify why the application is not running, and then resolve the issue.

Plan of Action

Resolution

Task 1: Read the help-desk Incident Record for Incident 603220


Read the help-desk Incident Record for incident 603220.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attempt to resolve the problem


1. Using your knowledge of AppLocker configuration, attempt to resolve the problem.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note It is not necessary to revert the virtual machines at this point.

4. If necessary, revert your virtual machines by using the following procedure:

On the host computer, start Hyper-V Manager.

Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

In the Revert Virtual Machine dialog box, click Revert.

Repeat these steps for 6293A-NYC-CL1.

In Hyper-V Manager, click 6293A-NYC-DC1, and then in the Actions pane, click Start.

In the Actions pane, click Connect. Wait until the virtual machine starts.

Log on by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Contoso

Repeat these steps for 6293A-NYC-CL1.

Results: After this exercise, you will have resolved the problem with application startup.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.



Module Review and Takeaways

Review Questions
1. Your manager has provided you with a new application that you need to install for users in the
Production department. To ensure that you can install it on all the computers, you need a list of
installation prerequisites. Where can you find the prerequisites?
2. A colleague is concerned that because standard users cannot install applications, you then cannot
automate installation. Why is this not a concern?

3. A new application has been deployed for Marketing department users. For several users, the
application starts and then closes silently. What sources will you use to determine the
problem's source?

4. Before deploying Windows 7 computers to the Marketing department, you find during testing that an
older application experiences errors. What can you use to help identify the problem's source and
mitigate it?

5. Your organization implements many non-Microsoft applications. A colleague has proposed using
WSUS to deploy application and operating-system updates. Are there any potential issues that may
arise if you use WSUS?

Tools

Tool                                       Use for                                                          Where to find it
System Center Configuration Manager 2007   Deploying applications and application updates                   You must install additional software
TS RemoteApp                               Deploying applications without installing them on a client       You must install additional software on a server
Application Compatibility Toolkit          Identifying and mitigating older applications that do not run    You must install additional software
                                           properly on Windows 7
Msiexec.exe                                Interacting directly with Windows Installer                      Command line
Windows Server Update Services             Deploying updates to computers                                   Role installed on Windows Server 2008

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 2: Troubleshooting Startup Issues


Lab: Troubleshooting Startup Issues
Exercise 1: Resolving a Startup Problem (1)
Task 1: Read the help-desk Incident Record for Incident 601237
Read the help-desk Incident Record for incident 601237.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 601237

Date of Call February 21


Time of Call 10:45
User Adam Carter (Production Department)
Status OPEN

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partly through
the process. Since then, his computer displays the following error message when it starts:

Windows Boot Manager.


File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.

Plan of Action
1. Visit with the user, and view the error on his computer.
2. Insert product DVD, and restart the computer.
3. Use Microsoft Windows Recovery Environment (RE) to recover the startup environment
automatically.

Task 3: Simulate the problem


1. Switch to NYC-CL1.

2. Log on by using the following credentials:


User name: Contoso\Administrator

Password: Pa$$w0rd

3. Run the D:\Labfiles\Mod02\Scenario1.vbs script.

4. Wait while NYC-CL1 restarts.



Task 4: Attempt to resolve the problem


1. Switch to NYC-CL1.

2. On your host computer, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection dialog
box, on the Media menu, point to DVD Drive, and then click Insert Disk.

3. In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\6293\Drives\Windows7.iso, and then click Open.

4. On the Action menu, click Turn Off. In the dialog box, click Turn Off.

5. On the Action menu, click Start.

6. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.

7. When prompted, in the Install Windows dialog box, click Next.

8. On the Install now page, click Repair your computer.

9. In the System Recovery Options dialog box, click Repair and restart.

10. Log on by using the following credentials:
   User name: NYC-CL1\WSAdmin
   Password: Pa$$w0rd

Resolution
1. Corrupted BCD resulted in failure to start correctly.

2. Used DVD to repair BCD automatically.

Results: At the end of this exercise, you will have resolved the startup problem and documented your
solution.
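The Startup Repair path above fixes the BCD without showing what it did. The following Windows PowerShell script is an added example, not part of the course lab: run on a working Windows 7 client, it exports a copy of the BCD store with bcdedit /export and then parses bcdedit /enum to check that the boot manager and each OS loader carry the elements that a 0xc0000034 message reports as missing. With an export on hand, the store can be restored from the Windows RE command prompt with bcdedit /import instead of being rebuilt with bootrec /rebuildbcd. The backup folder is an arbitrary choice for this example.

```powershell
# Added example (not part of the course lab). Run elevated on a working Windows 7 client.
# $BackupDir is an arbitrary path chosen for this example.
$BackupDir  = 'C:\BCDBackup'
$BackupFile = Join-Path $BackupDir ('BCD-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# bcdedit /export writes a complete copy of the system BCD store to a file. From Windows RE the
# same copy is put back with:  bcdedit /import <file>   (drive letters may differ there).
& bcdedit.exe /export $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed with exit code $LASTEXITCODE" }
"BCD store exported to $BackupFile"

# Parse the text output of "bcdedit /enum" into one hashtable per entry. Each entry is a title
# line ("Windows Boot Manager", "Windows Boot Loader"), a line of dashes, then
# "name<spaces>value" rows until a blank line.
function Get-BcdEntries {
    $lines   = @(& bcdedit.exe /enum)
    $entries = @()
    $current = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if (($i + 1) -lt $lines.Count -and $lines[$i + 1] -match '^-+$') {
            $current  = @{ Type = $line.Trim() }     # title line: start a new entry
            $entries += $current
            continue
        }
        if ($line -match '^-+$' -or $line.Trim().Length -eq 0) { continue }
        if ($current -ne $null -and $line -match '^(\S+)\s+(.+)$') {
            $current[$matches[1]] = $matches[2].Trim()   # element name -> value
        }
    }
    return ,$entries
}

# The elements Windows Boot Manager needs in order to hand off to an OS loader.
$required = @{
    'Windows Boot Manager' = @('device', 'default')
    'Windows Boot Loader'  = @('device', 'osdevice', 'path', 'description')
}
$problems = 0
foreach ($entry in Get-BcdEntries) {
    if (-not $required.ContainsKey($entry.Type)) { continue }
    foreach ($element in $required[$entry.Type]) {
        if (-not $entry.ContainsKey($element)) {
            "MISSING: $($entry.Type) $($entry['identifier']) has no '$element' element"
            $problems++
        }
    }
}
if ($problems -eq 0) { "BCD store looks complete: boot manager and loader entries have their required elements." }
```

Schedule the export step before driver or dual-boot work on a machine, and keep the file off the system partition; a damaged \Boot\BCD then becomes a one-command restore rather than a rebuild.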

Exercise 2: Resolving a Startup Problem (2)


Task 1: Read the help-desk Incident Record for Incident 601338
Read the help-desk Incident Record for Incident 601338.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 601338
Date of Call: February 23
Time of Call: 13:30
User: Martin Berka (Marketing Department)
Status: OPEN

Incident Details
Martin contacted the help desk after attempting to install a new hard disk driver.
Since the attempt, his computer does not start correctly.

Additional Information
Help-desk staff recorded the following message:
A problem has been detected, and Windows has been shut down to prevent damage to your
computer.
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers.
Technical information:
*** STOP: 0x0000007B (0x8078BB58,0xC0000034,0x0000000,0x00000000)

Plan of Action
1. Visit the user, and attempt to recreate the problem on his computer.
2. Stop 0x0000007B is INACCESSIBLE_BOOT_DEVICE: the kernel loaded but could not mount the boot
volume, which fits a newly installed disk driver that loads at boot. Based on that, use one of the
following to recover the system: Last Known Good Configuration (which boots with the control set
from before the driver was registered), Safe Mode, or Windows RE.

Task 3: Simulate the problem


1. Switch to NYC-CL1.
2. Run the D:\Labfiles\Mod02\Scenario2.vbs script. If necessary, in the User Account Control window,
click Yes.

3. Wait while NYC-CL1 restarts.

Task 4: Attempt to resolve the problem


1. On your host computer, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection dialog
box, on the Media menu, point to DVD Drive, and then click Eject Windows7.iso.

2. On the Action menu, click Turn Off.

3. On the Action menu, click Start.



4. Immediately press F8. The Advanced Boot Options menu loads.

Note If the Advanced Boot Options menu does not display, ask your instructor for
assistance.

5. Select Last Known Good Configuration (advanced), and then press Enter.

Resolution
1. Used Last Known Good Configuration to recover.

2. Safe mode and Windows RE were unsuccessful.

Results: At the end of this exercise, you will have resolved the startup problem and documented your
solution.
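Last Known Good worked here where Safe Mode did not, and the reason is visible in the registry. The following Windows PowerShell script is an added example, not part of the course lab: it reads HKLM\SYSTEM\Select to show which control set is current and which one Last Known Good boots, then compares a driver's Start value between the two sets. A storage driver that is boot-start in the current set but absent from the Last Known Good set is exactly what the rollback removes. The service name 'badstor' is a placeholder; substitute the name of the driver that was installed.

```powershell
# Added example (not part of the course lab). Run elevated on Windows 7.
# 'badstor' is a placeholder for the service name of the newly installed disk driver.
$DriverName = 'badstor'

$select     = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$currentSet = 'ControlSet{0:D3}' -f $select.Current
$lkgSet     = 'ControlSet{0:D3}' -f $select.LastKnownGood
"Current control set   : $currentSet"
"Last Known Good set   : $lkgSet"
"Failed set (0 = none) : $($select.Failed)"
if ($currentSet -eq $lkgSet) {
    "Current and LKG are the same set: a successful logon has happened since the change, so LKG would not undo it."
}

# Start values of a driver service: 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }

function Get-DriverStart([string]$ControlSet, [string]$Service) {
    # Returns the start type of a service in the given control set, or 'not registered'.
    $key = "HKLM:\SYSTEM\$ControlSet\Services\$Service"
    if (-not (Test-Path $key)) { return 'not registered' }
    $start = [int](Get-ItemProperty -Path $key).Start
    if ($startNames.ContainsKey($start)) { return $startNames[$start] } else { return "start=$start" }
}

# Compare the suspect driver and the stock storage stack across the two sets. A driver that is
# boot-start in the current set but not registered in LKG is what LKG rolls back.
foreach ($svc in @($DriverName, 'atapi', 'disk', 'volmgr', 'partmgr')) {
    '{0,-10} {1}: {2,-16} {3}: {4}' -f $svc, $currentSet, (Get-DriverStart $currentSet $svc), $lkgSet, (Get-DriverStart $lkgSet $svc)
}
```

The script also explains the limit of the technique: Windows copies the current set to Last Known Good at the first successful logon, so if anyone logs on after the bad driver is installed, Last Known Good contains the bad driver too and only Windows RE or Safe Mode remain.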

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.


2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Module 3: Using Group Policy to Centralize Configuration


Lab: Using Group Policy to Centralize
Configuration
Exercise 1: Resolve Group Policy Application (1)
Task 1: Read the help-desk Incident Record for Incident 602085
Read the help-desk Incident Record for Incident 602085.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602085
Date of Call: Feb 25
Time of Call: 14:45
User: Alan Brewer (Research)
Status: OPEN

Incident Details
User reports that research lab configuration is not being applied properly to a new computer named
NYC-CL1.

Additional Information
User reports that a new computer being used in the research computer lab is not configured properly.
All other computers in the lab, such as NYC-LAB1, have the standardized settings applied properly.
I have verified that the computer is properly joined to the domain.
Looking at NYC-LAB1, I can see that there is a desktop shortcut for the Analysis application. If this icon
appears on the desktop, then we know that the settings are being applied properly. This setting should
apply regardless of the user who logs on.

Plan of Action
1. Verify configuration for NYC-LAB1, and ensure that NYC-CL1 has the same configuration.
2. Resultant Set of Policy (RSoP) from Group Policy Modeling will provide configuration information
for NYC-LAB1.

Task 3: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.

2. Log on using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso

3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In Active Directory Users and Computers, expand Contoso.com, and then click Computers.

5. Right-click NYC-CL1, and then click Move.



6. In the Move window, expand Research, click Lab, and then click OK.

7. Close Active Directory Users and Computers.

8. Restart NYC-CL1.

9. Log on using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso

10. Verify that the desktop shortcut for the Analysis application exists.

Resolution
1. RSoP from Group Policy Modeling indicates that NYC-LAB1 has a Group Policy object (GPO) named
ResearchLab applied. ResearchLab GPO is linked to Contoso.com/Research/Lab.

2. NYC-CL1 is located in the Computers container, and will not apply the ResearchLab GPO.

3. Moved NYC-CL1 computer account to the Contoso.com/Research/Lab, and then rebooted the
computer.

Results: At the end of this exercise, you will have resolved the GPO application problem.
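Group Policy Modeling answered the question in the GUI; the same check can be scripted. The following Windows PowerShell script is an added example, not part of the course lab: it looks up both computer accounts in Active Directory through System.DirectoryServices, compares the containers they sit in, prints the dsmove command that would relocate the misplaced one, and finishes with gpresult to list what the local computer actually applied. It assumes the lab's names (NYC-LAB1, NYC-CL1) and a domain-joined client.

```powershell
# Added example (not part of the course lab). Run on a domain-joined Windows 7 client as any
# domain user; the gpresult call at the end needs an elevated prompt for computer scope.
$referenceComputer = 'NYC-LAB1'   # a computer that does get the ResearchLab GPO
$suspectComputer   = 'NYC-CL1'    # the one that does not

function Get-ComputerDN([string]$Name) {
    # Search the current domain for the computer account and return its distinguished name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

function Get-ParentContainer([string]$DistinguishedName) {
    # Drop the leading RDN ("CN=NYC-CL1,") to get the OU or container that holds the object.
    return ($DistinguishedName -replace '^[^,]+,', '')
}

$refDN = Get-ComputerDN $referenceComputer
$susDN = Get-ComputerDN $suspectComputer
if (-not $refDN -or -not $susDN) { throw 'One of the computer accounts was not found in the domain.' }

$refParent = Get-ParentContainer $refDN
$susParent = Get-ParentContainer $susDN
"$referenceComputer is in: $refParent"
"$suspectComputer is in: $susParent"

if ($refParent -ne $susParent) {
    "Different containers: GPOs linked at $refParent will not reach $suspectComputer."
    "Move it (on a DC, or from a workstation with RSAT) with:"
    "  dsmove `"$susDN`" -newparent `"$refParent`""
    "then restart $suspectComputer or run gpupdate /force on it."
}

# What did this computer actually apply? Look under 'Applied Group Policy Objects'.
& gpresult.exe /scope computer /r
```

The default Computers container is not an OU, so no GPO can be linked to it; a new computer that lands there through a plain domain join gets only domain-level and site-level policy, which is the situation in this incident.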

Exercise 2: Resolve Group Policy Application (2)


Task 1: Read the help-desk Incident Record for Incident 602086
Read the help-desk Incident Record for Incident 602086.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602086
Date of Call: Feb 26
Time of Call: 9:07
User: Alan Brewer (Research)
Status: OPEN

Incident Details
User reports that his drive mapping has not been updated with the new file share for his department.

Additional Information
The user (Alan) is not receiving the drive mapping (R:) for the new research department share on his
computer NYC-CL2.
Other people in his department are not experiencing any issues. I have checked with the Active
Directory administrators, and his computer account is in the correct OU. So the location of the
computer account is not an issue.
I also verified that he can manually access the files by using the UNC path at \\NYC-DC1\Research.
We rebooted the computer with no improvement.

Plan of Action
1. Visit the user's computer and attempt to determine why the new policy is not being applied.
2. First, run gpupdate.exe to see the error.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod03\Scenario2.vbs script. This script causes NYC-CL2 to restart.

3. Close all open windows on NYC-CL1.

4. Wait while NYC-CL2 restarts.

Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL2 computer.

2. Log on using the following credentials:


User name: Administrator
Password: Pa$$w0rd
Domain: Contoso

3. Click Start, right-click Computer, and then click Properties.

4. In the System window, in the Computer name, domain, and workgroup settings area, click Change
settings.

5. In the System Properties window, on the Computer Name tab, click Change.

6. In the Computer Name/Domain Changes window, click Workgroup.

7. In the Workgroup box, type TEMP, and then click OK.

8. Click OK to acknowledge the warning.

9. Click OK to clear the welcome message.

10. Click OK to clear the message about restarting.

11. In the System Properties window, on the Computer Name tab, click Change.

12. In the Computer Name/Domain Changes window, click Domain.


13. In the Domain box, type Contoso.com, and then click OK.

14. In the Windows Security window, log on as Administrator with a password of Pa$$w0rd.

15. Click OK to clear the welcome message.

16. Click OK to clear the message about restarting.

17. In the System Properties window, click Close.

18. Click Restart Now.


19. Log on using the following credentials:

User name: Alan


Password: Pa$$w0rd
Domain: Contoso

20. Click Start, and then click Computer.

21. Verify that the drive letter R: is mapped to the research share.

Resolution
1. Ran GPUpdate, and saw an error related to processing for the computer account.

2. The Group Policy event log indicated that account information could not be retrieved.
3. The System event log had a NETLOGON error indicating that the computer account password may be the
problem (the secure channel to the domain could not be established).

4. Rejoined the computer to the domain, which reset its account password, and the problem is resolved.
Until then the user had been logging on with cached credentials, which is why the logon succeeded while
policy did not apply.

Results: At the end of this exercise, you will have resolved the GPO application problem.
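Unjoining and rejoining resets the computer account password, which is what the NETLOGON error was about, but it needs two restarts and leaves the machine briefly in a workgroup. The following Windows PowerShell script is an added example, not part of the course lab: it collects the NETLOGON and Group Policy errors the resolution refers to, tests the secure channel with Test-ComputerSecureChannel (available in Windows PowerShell 2.0 on Windows 7), and if the channel is broken resets the computer account password in place with -Repair. It assumes the lab domain and that it is run elevated on the affected client.

```powershell
# Added example (not part of the course lab). Run elevated on the affected client (NYC-CL2)
# while logged on with cached domain credentials. $domain is the lab's domain.
$domain = 'Contoso.com'
$since  = (Get-Date).AddDays(-1)

# 1. What do the logs say? NETLOGON in the System log, errors in the Group Policy operational log.
Get-EventLog -LogName System -Source NETLOGON -After $since -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 2. Can the computer account still authenticate to a DC? (nltest reports the same in words.)
& nltest.exe /sc_query:$domain
$healthy = Test-ComputerSecureChannel
"Secure channel healthy: $healthy"

# 3. Reset the computer account password in place instead of unjoining and rejoining.
#    The credential needs 'Reset password' on this computer object; domain admin is more than enough.
if (-not $healthy) {
    $cred = Get-Credential "$domain\Administrator"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        'Secure channel repaired. Refreshing policy...'
        & gpupdate.exe /force
    } else {
        throw 'Repair failed; check that the computer account still exists and is enabled in Active Directory.'
    }
}
```

The credential only needs the right to reset the password on that one computer object; a delegated help-desk account is a better choice than a domain administrator account when typing a password into a client whose state is unknown.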

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.



Module 4: Troubleshooting Hardware Device, Device Driver,


and Performance Issues
Lab A: Resolving Hardware Device and
Device Driver Issues
Exercise 1: Resolving Hardware Issues
Task 1: Read the help-desk Incident Record for Incident 602101
Read the help-desk Incident Record for Incident 602101.

Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602101
Date of Call: March 1
Time of Call: 10:03
User: Bobby Moore (Production Department)
Status: OPEN

Incident Details
User reports that his computer mouse is nonfunctional.

Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway through
the process.
I visited the user's computer and was unable to resolve the problem, as the mouse was totally
nonfunctional.
System Restore is unavailable because it is currently disabled.

Plan of Action
Visit the user's computer, and attempt to resolve the problem by trying driver rollback, if necessary from
Safe Mode.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod04\Scenario1.vbs script.


3. Wait while the NYC-CL1 computer restarts.

Task 4: Attempt to resolve the problem

1. Switch to the NYC-CL1 computer.

Note On your host, in the 6293A-NYC-CL1 on localhost Virtual Machine Connection
window, on the View menu, click Full Screen Mode.

2. Log on using the following credentials:

User name: NYC-CL1\WSAdmin


Password: Pa$$w0rd

3. Press the Windows key, and in the Search box, type Device Manager, and then press Enter.

4. Press Tab.
5. Use the cursor keys to navigate to Microsoft PS/2 Mouse.

6. Press Alt+Enter.

7. In the Microsoft PS/2 Mouse Properties dialog box, press Tab until the General tab is highlighted.

8. Use the cursor key to select the Driver tab.

9. Press Alt+U.

10. In the Confirm Device Uninstall dialog box, press Enter.


11. Repeat steps 5 through 10 for the HID-compliant mouse.

12. Press the Windows key, and in the Search box, type shutdown /r, and then press Enter. Wait while
the NYC-CL1 computer restarts

13. Log on using the following credentials:

User name: NYC-CL1\WSAdmin


Password: Pa$$w0rd
14. Open Device Manager, and then verify that the mouse is now functioning.

Resolution
1. Last Known Good, Safe Mode unsuccessful.
2. Driver roll back and System Restore both unavailable.

3. Manually uninstalled mouse and restarted computer resolved issue.

4. Suggest we enable System Restore on all computers, and control driver installation for users.

Results: At the end of this exercise, you will have resolved the hardware problem.

Exercise 2: Configuring Group Policy to Control Device Installation (Optional)

Task 1: Read the email from Ed Meadows
1. Read the email in the supporting documentation section.

2. Determine a course of action.

3. Answer the questions in the Group Policy object (GPO) Planning Document.

4. If necessary, discuss your plans with the class.

GPO Planning Document
Reference: CW050511/1
Date: March 5

Details
Update GPO settings to:
Restrict all users to be able to install only printer drivers.
Enable Research Department users to install printers, mice, and keyboard device drivers.
Do not restrict administrators from installing any drivers.

Additional Information
Use as few GPOs as possible

Plan of Action
1. How many GPOs do you envision using?
Answers will vary, but two could be used. The Default Domain Policy could support the all-users
restriction and the administrator exemption. A new GPO could be used to support the Research
Department requirements.
2. To which containers will you link these GPOs?
The Default Domain Policy is linked to the Contoso.com domain. The new GPO could be linked to
the Research Department organizational unit (OU).
3. How do you plan to configure the restriction for all users?
In the Default Domain Policy, enable Allow installation of devices using drivers that match these
device setup classes and list the Printer device setup class (this is the setting Task 3 configures). By
itself that setting is only an allow list; for it to restrict users to printers, also enable Prevent
installation of devices not described by other policy settings in the same GPO. If standard users must
also install printer drivers that are not yet in the driver store, the separate Allow non-administrators
to install drivers for these device setup classes setting (under Driver Installation) covers that.
4. How will you accommodate the requirement to support the Research Department's needs?
Either install the drivers into the driver store on each Research department computer, or in the
Research GPO enable Allow installation of devices using drivers that match these device setup classes
and list the setup-class globally unique identifiers (GUIDs) for mouse, printer, and keyboard devices.
5. How will you accommodate the administrator requirement?
Enable the Allow administrators to override Device Installation Restrictions policies setting in the
Default Domain Policy.

Task 2: Configure the administrators setting

Note Some of the tasks you perform to complete this exercise may not be part of a Tier 2
support person's responsibilities; however, it is useful to see the completed scenario.

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Group Policy Management.

3. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain
Policy, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration, expand Policies,
Administrative Templates, System, Device Installation, and then click Device Installation
Restrictions.

5. In the right pane, double-click Allow administrators to override Device Installation Restriction policies.
6. In the Allow administrators to override Device Installation Restriction policies dialog box, click
Enabled, and then click OK.

Task 3: Configure the ability for users to install printer devices


1. In the right-pane, double-click Allow installation of devices using drivers that match these
device setup classes.

2. In the Allow installation of devices using drivers that match these device setup classes dialog
box, click Enabled, and then click Show.

3. Leave the window open.

4. Click Start, and in the Search box, type \\NYC-CL1\d$\Labfiles\Mod04\fax, and then press Enter.

5. In Fax, double-click faxca003.inf.


6. In Notepad, locate the line that starts ClassGUID.

7. Select the GUID including the {} brackets, and then copy it.

8. Close Notepad.

9. Switch back to the Group Policy Management Editor.

10. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID.

11. Click OK twice.

Task 4: Configure the device settings for the Research Department


1. Close the Group Policy Management Editor.

2. In Group Policy Management, click Research.

3. Right-click Research, and then click Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, in the Name box, type Research Department device settings, and
then click OK.

5. Expand Research, right-click Research Department device settings, and then click Edit.

6. In Group Policy Management Editor, under Computer Configuration, expand Policies,


Administrative Templates, System, Device Installation, and then click Device Installation
Restrictions.

7. In the right-pane, double-click Allow installation of devices using drivers that match these
device setup classes.

8. In the Allow installation of devices using drivers that match these device setup classes dialog
box, click Enabled, and then click Show.

9. Leave the window open.

10. Switch to Windows Explorer, and in the address bar, click Mod04.

11. In Windows Explorer, double-click mouse driver.

12. Double-click point32, and then double-click point32.inf.

13. In Notepad, locate the line that starts ClassGUID.

14. Select the GUID including the {} brackets, and then copy it.
15. Close Notepad.

16. Switch back to the Group Policy Management Editor.

17. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID
into it.

18. Switch to Windows Explorer, and in the address bar, click Mod04.

19. In Windows Explorer, double-click keyboard driver.


20. Double-click type32, and then double-click type32.inf.

21. In Notepad, locate the line that starts ClassGUID.

22. Select the GUID including the {} brackets, and then copy it.

23. Close Notepad.

24. Switch back to Group Policy Management Editor.

25. In the Show Contents dialog box, click the cursor into the Value text box, and then paste the GUID
into it. Notice that this is the same setup class GUID.

26. Click OK twice.

27. Close the Group Policy Management Editor.

28. Close the Group Policy Management console.

Note Due to restrictions within the virtual machine environment, you cannot properly test
these restrictions.

Results: At the end of this exercise, you will have planned and implemented GPO to support the device
installation requirements.
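Tasks 3 and 4 copy a ClassGUID out of three .inf files by hand. The following Windows PowerShell script is an added example, not part of the course lab: it extracts the ClassGUID from every .inf under the lab's driver folders and labels the well-known setup classes, and then, when run on a client after gpupdate /force, reads back the values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions that the Device Installation Restrictions templates write, flagging the case where an allow list exists but nothing is actually being blocked. The UNC paths are the lab's; the registry location and value names come from the policy templates, and the class GUID table is the standard set published by Microsoft.

```powershell
# Added example (not part of the course lab). Part 1 runs on NYC-DC1 against the lab's driver
# folders on NYC-CL1 (paths as in Tasks 3 and 4); part 2 runs on a client after gpupdate /force.
$infFolders = @('\\NYC-CL1\d$\Labfiles\Mod04\fax',
                '\\NYC-CL1\d$\Labfiles\Mod04\mouse driver',
                '\\NYC-CL1\d$\Labfiles\Mod04\keyboard driver')

# Well-known device setup class GUIDs, used only to label what each INF declares.
$knownClasses = @{
    '{4D36E979-E325-11CE-BFC1-08002BE10318}' = 'Printer'
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}' = 'Mouse'
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}' = 'Keyboard'
    '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}' = 'HIDClass'
}

function Get-InfClassGuid([string[]]$Folders) {
    # Emits one object per INF: file name, ClassGUID, and a label if the class is well known.
    foreach ($folder in $Folders) {
        foreach ($inf in (Get-ChildItem -Path $folder -Filter *.inf -Recurse -ErrorAction SilentlyContinue)) {
            $guidLines = @(Get-Content -Path $inf.FullName | Where-Object { $_ -match '^\s*ClassGUID\s*=' })
            if ($guidLines.Count -eq 0) { continue }
            if ($guidLines[0] -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
                $guid  = $matches[0].ToUpper()
                $label = if ($knownClasses.ContainsKey($guid)) { $knownClasses[$guid] } else { 'unknown class' }
                New-Object PSObject -Property @{ Inf = $inf.Name; ClassGUID = $guid; Class = $label }
            }
        }
    }
}

# Part 1: the GUIDs to paste into the policy. point32.inf and type32.inf share one GUID.
Get-InfClassGuid $infFolders | Format-Table Inf, Class, ClassGUID -AutoSize

# Part 2: on a client, the values the Device Installation Restrictions templates write.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    "AllowAdminInstall (administrators override restrictions) : $($p.AllowAdminInstall)"
    "DenyUnspecified   (block devices no other setting allows) : $($p.DenyUnspecified)"
    if ($p.DenyUnspecified -ne 1) {
        "NOTE: 'Prevent installation of devices not described by other policy settings' is off; the allow list below restricts nothing."
    }
    $allowKey = Join-Path $policyKey 'AllowDeviceClasses'
    if (Test-Path $allowKey) {
        (Get-ItemProperty -Path $allowKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { "allowed setup class: $($_.Value)" }
    }
} else {
    'No Device Installation Restrictions policy is applied to this computer.'
}
```

Part 2 is the check the lab cannot perform inside the virtual machines: it confirms the policy reached the client and shows at a glance whether the deny side is actually enabled.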

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.



Lab B: Troubleshooting Performance-Related Issues (Optional)
Exercise: Troubleshooting a Performance Problem
Task 1: Establish a performance baseline
1. Switch to NYC-CL1.

2. Click Start, and in the Search box, type Performance, and then press Enter.

3. In Performance Monitor, in the navigation pane, expand Data Collector Sets.

4. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.

5. In the Create new Data Collector Set wizard, on the How would you like to create this new data
collector set? page, in the Name box, type Contoso Baseline.

6. Click Create manually (Advanced), and then click Next.

7. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.

8. On the Which performance counters would you like to log? page, in the Sample interval box,
type 1, and then click Add.
9. In the Available counters list, expand Memory, select Pages/sec, and then click Add.

10. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.

11. In the Available counters list, expand Physical Disk, select % Disk Time, and then click Add.

12. Under Physical Disk, select Avg. Disk Queue Length, and then click Add.

13. In the Available counters list, expand Processor, select % Processor Time, and then click Add.

14. In the Available counters list, expand System, select Processor Queue Length, click Add, and then
click OK.

15. On the Which performance counters would you like to log? page, click Next.

16. On the Where would you like the data to be saved? page, click Next.

17. On the Create the data collector set page, click Finish.

18. In Performance Monitor, in the navigation pane, right-click Contoso Baseline, and then click Start.

19. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word
2007.

20. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Excel
2007.
21. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office
PowerPoint 2007.

22. Close all open Microsoft Office applications, and then switch to Performance Monitor.

23. In the navigation pane, right-click Contoso Baseline, and then click Stop.

Task 2: View the baseline report


1. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Contoso Baseline, and click on the report that has a name that begins with NYC-CL1_.

2. View the chart. On the menu bar, click the drop-down arrow, and then click Report.

3. Record the component details below:

Recorded component usage
Memory, Pages per second:
Network Interface, Packets per second:
Physical Disk, % Disk Time:
Physical Disk, Avg. Disk Queue Length:
Processor, % Processor Time:
System, Processor Queue Length:

Task 3: Read the help-desk Incident Record for Incident 604121

Read the help-desk Incident Record for Incident 604121.

Task 4: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 604121
Date of Call: July 27
Time of Call: 10:41
User: Dylan Miller (Research Department)
Status: OPEN

Incident Details
Dylan contacted the help desk to report problems with his computer. It has been running slowly, and
application processes that used to take a few seconds now take much longer.

Additional Information
We must determine which components are affected in Dylan's computer, and then make
recommendations about how to solve or mitigate these performance bottlenecks.

Plan of Action
Visit the computer, and run performance-monitoring tools to ascertain which components (memory,
disk, CPU, and network) are bottlenecked. Gathering statistics by using the existing Contoso Baseline
data collector set enables us to compare current data to that collected previously.
Tools to use:
Resource Monitor, to gain a quick insight into what's going on.
Performance Monitor data collector sets and reports.

Task 5: Create load on the computer


1. Switch to the NYC-CL1 computer.

2. Switch to Performance Monitor. In the navigation pane, right click Contoso Baseline, and then click
Start.

3. Run the D:\Labfiles\Mod04\Scenario2.vbs script.

Task 6: Identify performance bottlenecks in the computer


1. Click Start, and in the Search box, type Resource Monitor, and then press Enter.

2. In Resource Monitor, which components are under strain?

Answer: CPU and Disk are heavily used.

3. After a few minutes, close the two instances of C:\Windows\System32\cmd.exe that the script
launched.

4. Switch to Performance Monitor.

5. In the navigation pane, right-click Contoso Baseline, and then click Stop.

6. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Contoso Baseline, and then click on the second report that has a name that begins with NYC-CL1_.

7. View the chart. On the menu bar, click the drop-down arrow, and then click Report.

8. Record the component details below:

Recorded component usage
Memory, Pages per second:
Network Interface, Packets per second:
Physical Disk, % Disk Time:
Physical Disk, Avg. Disk Queue Length:
Processor, % Processor Time:
System, Processor Queue Length:

In your opinion, which components are affected the most?

Answer: The script is affecting memory and the disk. No resource is at its limit, but paging is
becoming excessive.
9. Complete the resolution section of the incident record with your recommendations. If asked to do so,
discuss your results with the class.

Resolution
Add processor capacity to the computer, or run the programs on a more powerful computer. Adding
memory would be beneficial.

Results: At the end of this exercise, you will have determined the components affected on the users
computer, and then discussed solutions and mitigations with the class.
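Reading the numbers off the Performance Monitor report works for one machine; comparing against a saved baseline is what the plan of action asks for. The following Windows PowerShell script is an added example, not part of the course lab: it samples the same six counters as the Contoso Baseline collector set with Get-Counter at the same one-second interval, averages them, stores the first run as a baseline, and on later runs prints the ratio of current to baseline for each counter. The baseline path and the thresholds in the comments are assumptions for this example, not course figures.

```powershell
# Added example (not part of the course lab). Run elevated on NYC-CL1. The first run saves a
# baseline; later runs compare against it. $baselineFile is an arbitrary path for this example.
$baselineFile = 'C:\Perf\ContosoBaseline.xml'
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-AverageCounters([string[]]$Paths, [int]$Samples = 30, [int]$Interval = 1) {
    # Same sample interval (1 s) as the collector set; returns a hashtable of per-counter averages.
    $sums = @{}
    foreach ($set in (Get-Counter -Counter $Paths -SampleInterval $Interval -MaxSamples $Samples)) {
        foreach ($cs in $set.CounterSamples) {
            # Strip the "\\machine" prefix and the "(instance)" part so the per-adapter instances
            # of Network Interface(*) are summed under one key.
            $key = ($cs.Path -replace '^\\\\[^\\]+', '') -replace '\([^)]*\)', ''
            if (-not $sums.ContainsKey($key)) { $sums[$key] = 0.0 }
            $sums[$key] += $cs.CookedValue
        }
    }
    $avg = @{}
    foreach ($k in $sums.Keys) { $avg[$k] = [math]::Round($sums[$k] / $Samples, 2) }
    return $avg
}

$current = Get-AverageCounters $counters
if (-not (Test-Path $baselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $baselineFile) -Force | Out-Null
    $current | Export-Clixml -Path $baselineFile
    "Baseline saved to $baselineFile. Run again while the problem is reproduced to compare."
    return
}
$baseline = Import-Clixml -Path $baselineFile

# Rules of thumb (assumptions for this example, not course figures): sustained % Processor Time
# above 85, Processor Queue Length above 2 per core, Avg. Disk Queue Length above 2 per spindle,
# or Pages/sec several times the baseline point at the component to investigate first.
foreach ($k in ($current.Keys | Sort-Object)) {
    $b = $baseline[$k]; $c = $current[$k]
    $ratio = if ($b -gt 0) { [math]::Round($c / $b, 1) } else { 'n/a' }
    '{0,-45} baseline {1,10}  now {2,10}  x{3}' -f $k, $b, $c, $ratio
}
```

Run it once on the idle machine (Task 1), then again after Scenario2.vbs is started (Task 5); the ratio column answers the "which component is affected most" question with numbers rather than a glance at a chart.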

To revert the virtual machines


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1.

Module 5: Troubleshooting Network Connectivity Issues


Lab: Troubleshooting Network Connectivity
Issues
Exercise 1: Troubleshooting a Network Problem (1)
Task 1: Read the help-desk Incident Record 603211
Read the help-desk Incident Record for incident 603211.

Task 2: Update the Plan of Action for Incident Record 603211


Incident Record
Incident Reference Number: 603211
Date of Call: April 2
Time of Call: 13:32
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details
Scott cannot log on to his computer.

Additional Information
Error message:
There are currently no logon servers available to service the logon request.

Plan of Action
1. Visit the user's computer, and reproduce the problem.
2. Log on as a local administrator, and attempt to resolve the problem.
3. Things to check:
Basic IP configuration of the workstation and of other computers.
Whether the issue is affecting other computers.

Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod05\Scenario1.vbs script.

Note Ignore any error messages in the script.

3. Wait while NYC-CL1 restarts.



4. Log on using the following credentials:

User name: Scott


Password: Pa$$w0rd
Domain: Contoso

5. You are unsuccessful. What is the error message?

Answer: There are currently no logon servers available to service the logon request.

Task 4: Attempt to resolve the problem

Note Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.

1. Log on using the following credentials:

User name: NYC-CL1\WSAdmin


Password: Pa$$w0rd
2. Click Start, and in the Search box, type cmd.exe, and then press Enter.

3. At the command prompt, type the following command, and then press Enter:

Ipconfig.exe /all

4. From which server has your computer obtained an IPv4 address?


Answer: 10.10.14.1

5. What is your IP address?

Answer: 10.10.14.2
6. What is your subnet mask?

Answer: 255.255.255.0

Note Typically, an Enterprise administrator might perform the following tasks.

7. Switch to NYC-DC1.

8. Click Start, and in the Search box, type cmd.exe, and then press Enter.

9. At the command prompt, type the following command, and then press Enter:

Ipconfig.exe /all

10. In which subnet is the domain controller located?

Answer: 10.10.0.0/16

11. Switch to the NYC-SVR1 computer.

12. Click Start, and in the Search box, type cmd.exe, and then press Enter.

13. At the command prompt, type the following command, and then press Enter:

Ipconfig.exe /all

14. What is the IP address of NYC-SVR1?

Answer: 10.10.14.1

15. Is this server providing Dynamic Host Configuration Protocol (DHCP) services?

Answer: Yes. Its address is the one that ipconfig /all on NYC-CL1 reported as the DHCP server.

16. At the command prompt, type the following command, and then press Enter:

Net stop dhcpserver

17. Switch to the NYC-DC1 computer.

18. At the command prompt, type the following command, and then press Enter:

Net start dhcpserver

19. Switch to the NYC-CL1 computer.

20. At the command prompt, type the following command, and then press Enter:

Ipconfig /release

21. Restart the computer. Wait for the NYC-CL1 computer to restart.
22. Log on using the following credentials:

User name: Scott


Password: Pa$$w0rd
Domain: Contoso

Resolution
1. NYC-SVR1, which runs a DHCP server configured for the branch office, had been started on the head
office network.
2. It answered DHCP requests alongside the head office DHCP server on NYC-DC1, and NYC-CL1 took its
lease from it.

3. The configuration NYC-CL1 received (10.10.14.0/24) is appropriate only for the branch office, not the
head office, so the client could not reach a domain controller.

4. The problem was resolved by stopping the DHCP server on NYC-SVR1, restarting the DHCP service on
NYC-DC1, and restarting NYC-CL1 so that it could obtain a valid IPv4 configuration.

Other possible solutions include manually configuring NYC-CL1 with an address, subnet mask, gateway, and
DNS server similar to NYC-CL2's until the unwanted DHCP server is dealt with.

Results: At the end of this exercise, you will have logged on successfully by using the user account.
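The root cause was a DHCP server answering where it should not have been, which is worth checking for before chasing logon errors. The following Windows PowerShell script is an added example, not part of the course lab: it lists every DHCP-enabled adapter with the server that issued its lease (from Win32_NetworkAdapterConfiguration), compares that server against an approved list, and runs nltest /dsgetdc to show whether a domain controller can be located from the configuration the client received. The approved-server address is an assumption, since the page gives only the head-office subnet (10.10.0.0/16) and not the DC's address.

```powershell
# Added example (not part of the course lab). Run elevated on the client (NYC-CL1).
# The approved server list is an assumption for this example.
$domain = 'Contoso.com'
$approvedDhcpServers = @('10.10.0.10')   # hypothetical address of the head-office DHCP server

function Get-DhcpLeases {
    # One record per DHCP-enabled adapter, including the server that handed out the lease.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                Address    = '{0}/{1}' -f $_.IPAddress[0], $_.IPSubnet[0]
                Gateway    = ($_.DefaultIPGateway -join ',')
                Dns        = ($_.DNSServerSearchOrder -join ',')
                DhcpServer = $_.DHCPServer
                Obtained   = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.DHCPLeaseObtained)
                Approved   = ($approvedDhcpServers -contains $_.DHCPServer)
            }
        }
}

$leases = @(Get-DhcpLeases)
$leases | Format-List Adapter, Address, Gateway, Dns, DhcpServer, Obtained, Approved

# Can a domain controller be located at all with this configuration?
& nltest.exe /dsgetdc:$domain
"DC locator exit code: $LASTEXITCODE (0 = a DC was found)"

$rogue = @($leases | Where-Object { -not $_.Approved })
foreach ($lease in $rogue) {
    "WARNING: $($lease.Adapter) took its lease from $($lease.DhcpServer), which is not an approved DHCP server."
}
if ($rogue.Count -eq 0) { 'All leases come from approved DHCP servers.' }
# After the unexpected server is stopped: ipconfig /release, then ipconfig /renew.
```

Releasing and renewing while the unexpected server is still running would most likely take another lease from it, since the client accepts the first offer it receives; stop or isolate that server (or enable DHCP snooping on the switch) first. After that, ipconfig /release followed by ipconfig /renew does what the restart in step 21 does.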

Exercise 2: Troubleshooting a Network Problem (2)


Task 1: Read the help-desk Incident Record 603213
Read the help-desk Incident Record for incident 603213.

Task 2: Update the Plan of Action for Incident Record 603213


Incident Record
Incident Reference Number: 603213
Date of Call: April 2
Time of Call: 14:20
User: Scott Bishop (Production Department)
Status: OPEN

Incident Details
Scott is unable to access the intranet server.
URL required: http://intranet.
IP configuration seems appropriate for subnet location.

Additional Information
Error message:
Internet Explorer cannot display the webpage.

Plan of Action
1. Visit the user's workstation.
2. Verify the IP version 4 (IPv4) configuration.
3. Determine connectivity from another workstation.
4. If this issue is affecting only Scott's workstation, then investigate his computer's settings.
5. If this issue is affecting multiple workstations, then investigate the intranet server settings.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer. You are logged on as Scott.

2. On the Taskbar, click Internet Explorer. On the Set Up Windows Internet Explorer 8 prompt, click
Ask me later.
3. In the Address bar, type http://intranet, and then press Enter.

X Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL2 computer. You are logged on as Administrator.

2. On the Taskbar, click Internet Explorer. On the Set Up Windows Internet Explorer 8 prompt, click
Ask me later.

3. In the Address bar, type http://intranet, and then press Enter.

4. Click Start, and in the Search box, type cmd.exe, and then press Enter.

5. At the command prompt, type the following command, and then press Enter:

Ping intranet

6. At the command prompt, type the following command, and then press Enter:

Nslookup -d1 intranet > file.txt

7. At the command prompt, type the following command, and then press Enter:

Notepad file.txt

8. What canonical name is returned for intranet.Contoso.com?

Answer: Ncy-dc1.Contoso.com

9. At the command prompt, type the following command, and then press ENTER:

Ping ncy-dc1.Contoso.com

10. What do you suspect is the likely cause of the problem?

Answer: The Domain Name System (DNS) alias record for intranet on the server points to the wrong host name.

Note Typically, an Enterprise administrator might perform the following tasks.

11. Switch to NYC-DC1.

12. Click Start, point to Administrative Tools, and then click DNS.

13. In DNS Manager, expand Forward Lookup Zones, expand Contoso.com, and then in the right-pane,
double-click intranet.
14. In the intranet Properties dialog box, in the Fully qualified domain name (FQDN) for target host:
box, type nyc-dc1.contoso.com, and then click OK.

15. Switch to NYC-CL1.


16. In Windows Internet Explorer, press F5.

Resolution
An incorrect alias (CNAME) record for intranet was created in the Contoso.com DNS zone. It pointed to
ncy-dc1.Contoso.com, a host name that does not exist, so clients could not connect to the intranet site on NYC-DC1.

Editing the record so that it points to nyc-dc1.contoso.com corrected the problem.
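The same diagnosis can be scripted. The following PowerShell function is an added example (not part of the course lab) for a domain-joined Windows 7 client: it tries to resolve the alias, and if resolution fails it queries the CNAME directly so the dangling target is visible. The alias, zone and expected target follow the lab; the dnscmd commands in the warning text are the command-line equivalent of the DNS Manager edit an administrator performs on NYC-DC1.

```powershell
# Added example, not from the course lab: check whether a DNS alias resolves
# and, if it does not, show what the CNAME actually points at.
# Assumptions: runs on a domain-joined Windows 7 client with PowerShell 2.0;
# alias, zone and expected target follow the lab (intranet -> nyc-dc1.contoso.com).

function Test-DnsAlias {
    param(
        [string]$Alias          = 'intranet',
        [string]$ExpectedTarget = 'nyc-dc1.contoso.com'
    )
    $result = New-Object PSObject -Property @{
        Alias = $Alias; Resolves = $false; CanonicalName = $null
        Addresses = @(); CnameTarget = $null; TargetMatches = $false
    }
    try {
        # GetHostEntry follows the CNAME chain; HostName is the canonical name.
        $entry = [System.Net.Dns]::GetHostEntry($Alias)
        $result.Resolves      = $true
        $result.CanonicalName = $entry.HostName
        $result.Addresses     = @($entry.AddressList | ForEach-Object { $_.IPAddressToString })
    } catch {
        # The lookup failed. Ask nslookup for the raw CNAME so the dangling
        # target (ncy-dc1 in the lab) becomes visible.
        $raw = (& nslookup.exe -type=CNAME $Alias 2>&1) | Out-String
        if ($raw -match 'canonical name = (\S+)') { $result.CnameTarget = $Matches[1] }
    }
    $target = if ($result.CanonicalName) { $result.CanonicalName } else { $result.CnameTarget }
    if ($target) { $result.TargetMatches = ($target.TrimEnd('.') -ieq $ExpectedTarget) }
    $result
}

$check = Test-DnsAlias
$check | Format-List Alias, Resolves, CanonicalName, Addresses, CnameTarget, TargetMatches

if (-not $check.Resolves) {
    Write-Warning ("Alias '{0}' does not resolve; its CNAME points to '{1}'." -f $check.Alias, $check.CnameTarget)
    Write-Warning 'A DNS administrator can repair the record on the server with dnscmd, for example:'
    Write-Warning '  dnscmd NYC-DC1 /RecordDelete contoso.com intranet CNAME /f'
    Write-Warning '  dnscmd NYC-DC1 /RecordAdd contoso.com intranet CNAME nyc-dc1.contoso.com'
    Write-Warning "Then run 'ipconfig /flushdns' on the client so the cached failure is discarded."
}
```

The flush matters: after the record is corrected on the server, the client resolver cache may still hold the failed lookup, so pressing F5 in Internet Explorer can keep failing until the cache expires or is flushed.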

Results: At the end of this exercise, you will have resolved the connectivity problem.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-SVR1, 6293A-NYC-CL1, and 6293A-NYC-CL2.



Module 6: Troubleshooting Remote Connectivity Issues


Lab: Resolving Remote Connectivity Issues
Exercise: Resolving a Remote Connectivity Problem
X Task 1: Read the help-desk Incident Record for Incident 603321
Read the help-desk Incident Record for Incident 603321.

X Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 603321

Date of Call May 5


Time of Call 08:05
User Max Stevens (Research Department)
Status OPEN

Incident Details
Max reports that he cannot connect to the corporate intranet site from home. He uses a preconfigured
virtual private network (VPN).
The intranet site is accessible when Max connects his computer locally in the Contoso domain.

Additional Information
The intranet site is accessible when Max connects his computer locally in the Contoso domain.
VPN settings for Contoso home users:
Users connecting using VPN must use Extensible Authentication Protocol (EAP) authentication.
The preferred Remote Access Service (RAS) server is NYC-SVR2.
Network Access Protection (NAP) has been implemented in Contoso in recent weeks using VPN
enforcement. IP version 4 (IPv4) filters restrict connectivity to remediation servers.

Plan of Action
1. Visit the users workstation, and attempt to reproduce the problem.
2. Verify that the VPN settings match those of the server.
3. Determine whether the company's NAP policy is affecting the computer's ability to connect.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Run the D:\Labfiles\Mod06\Scenario1.vbs script.

3. Wait while the computer restarts.

4. Log on using the following credentials:

User name: NYC-CL1\WSAdmin


Password: Pa$$w0rd

5. Click Start, in the Search box, type Network and Sharing, and then press Enter.

6. In Network and Sharing Center, click Change adapter settings.

7. In Network Connections, right-click Contoso VPN, and then click Connect.

8. Log on using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso

9. What error message do you see?

Answer: Error 812. The connection was prevented because of a policy configured on your
RAS/VPN server.

10. Click Close.

X Task 4: Attempt to resolve the problem

Note Some of the tasks that you perform to resolve this problem may not typically be the
responsibility of Tier 2 support staff. However, it is useful to see the problem resolution.

1. Click Start, in the Search box, type services.msc, and then press Enter.

2. In Services, in the Name list, double-click Network Access Protection Agent.


3. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup
type list, click Automatic.

4. Click Apply, click Start, and then click OK.

5. In Services, in the Name list, double-click Windows Firewall.

6. In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click
Automatic.
7. Click Apply, click Start, and then click OK.

8. In Services, in the Name list, double-click Security Center.

9. In the Security Center Properties (Local Computer) dialog box, in the Startup type list, click
Automatic.

10. Click Apply, click Start, and then click OK.

11. Close Services.

12. Switch to Network Connections.

13. In Network Connections, right-click Contoso VPN, and then click Connect.

14. Log on using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso
15. On the Taskbar, click Internet Explorer.

16. In the Address bar, type http://nyc-dc1, and then press Enter.

17. Do you see the Website?

Answer: Yes

Resolution
1. The client did not meet the requirements of the NAP policy: the Network Access Protection Agent,
Windows Firewall, and Security Center services were stopped, so the client could not provide the health
information that VPN enforcement requires, and the connection was rejected with error 812.

2. Start the Security Center service, and set it to start automatically.

3. Start the NAP Agent service, and set it to start automatically.

4. Start the Windows Firewall service, and set it to start automatically.
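The three service changes above can be checked and applied in one pass. The following PowerShell script is an added example (not part of the course lab) for a Windows 7 client: it verifies that each service the NAP client depends on is running and set to start automatically, repairs any that are not, and then prints the NAP client's own state. The service names (napagent, MpsSvc, wscsvc) are the built-in Windows 7 names; run it from an elevated prompt.

```powershell
# Added example, not from the course lab: verify and repair the services the
# NAP enforcement client depends on, then show the NAP client state.
# Assumptions: Windows 7 client, elevated PowerShell 2.0 prompt; the service
# names below are the built-in ones (napagent, MpsSvc, wscsvc).

$RequiredServices = @(
    @{ Name = 'napagent'; Display = 'Network Access Protection Agent' },
    @{ Name = 'MpsSvc';   Display = 'Windows Firewall' },
    @{ Name = 'wscsvc';   Display = 'Security Center' }
)

function Get-StartMode {
    param([string]$ServiceName)
    (Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $ServiceName)).StartMode
}

function Test-NapClientServices {
    param([switch]$Repair)
    foreach ($svc in $RequiredServices) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if (-not $s) {
            Write-Warning ("{0} ({1}) is not installed on this computer" -f $svc.Display, $svc.Name)
            continue
        }
        $mode    = Get-StartMode $svc.Name
        $healthy = ($s.Status -eq 'Running') -and ($mode -eq 'Auto')
        if (-not $healthy -and $Repair) {
            # Same change as the Services console steps: Startup type Automatic, then Start.
            Set-Service -Name $svc.Name -StartupType Automatic
            Start-Service -Name $svc.Name
            $s       = Get-Service -Name $svc.Name
            $mode    = Get-StartMode $svc.Name
            $healthy = ($s.Status -eq 'Running') -and ($mode -eq 'Auto')
        }
        New-Object PSObject -Property @{
            Service = $svc.Display; Status = $s.Status; StartMode = $mode; Healthy = $healthy
        }
    }
}

Test-NapClientServices -Repair | Format-Table Service, Status, StartMode, Healthy -AutoSize

# The NAP client's own view: agent state and the enforcement clients it knows about.
netsh nap client show state
```

In the netsh output, VPN enforcement relies on the EAP Quarantine Enforcement Client being enabled; if it shows as disabled and is not managed by Group Policy, it is enabled with netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE". The lab does not cover that case, but it produces the same error 812 and is worth checking when the services are already healthy.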

Results: At the end of this exercise, you will have resolved the remote connectivity problem.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-SVR2 and 6293A-NYC-CL1.



Module 7: Troubleshooting Logon and Resource Access Issues

Lab: Troubleshooting Logon and Resource Access Issues
Exercise 1: Troubleshooting Offline Files
X Task 1: Read the help-desk Incident Record for Incident 602567
Read the help-desk Incident Record for Incident 602567.

X Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602567

Date of Call March 25


Time of Call 14:45
User Alan Brewer (Research)
Status OPEN

Incident Details
A user with a laptop computer reports that offline files are not synchronizing properly when he
disconnects from the network.

Additional Information
User reports that when he roams in the office and reconnects to the wired network, his updated files
are not synchronizing properly. This is a problem, because other users also have access to these files,
and if the files are not synchronized, users have to look through the files and merge changes manually,
which is time-consuming.
Steps to recreate the problem:
1. On NYC-CL1, create and open a file on the research share at \\NYC-DC1\Research.
2. Modify the contents of the file, and then save it.
3. Keep the file open, and then disconnect from the network.
4. Modify the contents of the file, and then save it.
5. Reconnect the computer to the network and close the file.
6. On NYC-CL2, open the file on the research share, and then verify that the latest changes are not
synchronized.

Plan of Action
1. Recreate the problem to verify the steps.
2. Open Sync Center to view any potential synchronization issues.

X Task 3: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.

2. Log on by using the following credentials:

User name: Alan


Password: Pa$$w0rd
Domain: Contoso

3. Click Start, type \\NYC-DC1\Research, and then press Enter.

4. In Windows Explorer, right-click an open area, point to New, and then click Microsoft Office Word
Document.

5. Type TestDocument, and then press Enter to rename the file.

6. Double-click TestDocument to open it.

7. If Microsoft Office Word displays an error message, click OK to close it.

8. In the User Name box, click OK.

9. In TestDocument, type Changes while online, and then click Save.

10. Click Start, type adapter, and then click View network connections.

11. In the Network Connections window, right-click Local Area Connection 3, and then click Disable.

12. When prompted, provide the credentials of Administrator with a password of Pa$$w0rd.

13. In TestDocument, on a new line, type Offline changes, and then click Save.
14. In the Network Connections window, right-click Local Area Connection 3, and then click Enable.

15. When prompted, provide the credentials of Administrator with a password of Pa$$w0rd.

16. Close the network connections window.


17. Close Microsoft Office Word.

18. Switch to the NYC-CL2 computer.

19. Log on by using the following credentials:

User name: Preeda


Password: Pa$$w0rd
Domain: Contoso

20. Click Start, type \\NYC-DC1\Research, and then press Enter.

21. Double-click TestDocument.

22. If Microsoft Office Word displays an error message, click OK to close it.

23. In the User Name window, click OK. Notice that only the online changes are here, and that the file did
not synchronize.

24. Close Microsoft Word.


25. Switch to NYC-CL1.

26. Click Start, type Sync Center, and then press Enter.

27. In Sync Center, right-click Offline Files, and then click Sync Offline Files.

28. Switch to NYC-CL2.

29. Double-click TestDocument, and then verify that the offline changes are synchronized.

30. Log off of all virtual machines.

Resolution
1. Forcing synchronization in Sync Center caused the offline file to update. Logging off and then
logging on again also causes the file to update, because there is no conflict with a changed version on the
server.

2. You should inform the user that he must change his working practice, for example by closing the file and
synchronizing in Sync Center after he reconnects, to ensure that his files synchronize.

Results: After this exercise, you will have resolved a problem with offline files not synchronizing properly.

Exercise 2: Troubleshooting a Missing Drive Mapping


X Task 1: Read the help-desk Incident Record for Incident 602568
Read the help-desk Incident Record for Incident 602568.

X Task 2: Update the Plan of Action section of the Incident Record


Incident Record
Incident Reference Number: 602568

Date of Call March 25


Time of Call 15:03
User Max Stevens (Research)
Status OPEN

Incident Details
User reports that he does not have access to the research share.

Additional Information
User reports that he started his job last week, and does not have access to the research share, which
is at \\NYC-DC1\Research. He is logging on to NYC-CL1.
I walked the user through accessing the share by using the Universal Naming Convention (UNC)
path. This is an acceptable short-term solution. However, this user should map drive letter R to the
research share like other users.
Drive mappings have been converted to Group Policy Preferences. I confirmed that the user account
is in the correct organizational unit (OU).
Other research users, like Alan Brewer, have no problems with the drive mapping.

Plan of Action
1. Determine which Group Policy is applying the Group Policy Preferences.
2. Review the configuration of the Group Policy.
3. Review the configuration of the Max Stevens account, and compare it to Alan Brewer's.

X Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.

2. Run the D:\Labfiles\Mod07\Scenario2.vbs script.

3. Click OK to close the window indicating that the script is complete.

4. Log off of NYC-CL1.

X Task 4: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.

2. Log on by using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso

3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

4. In Active Directory Users and Computers, expand Contoso.com, and then click Research.

5. In the right-pane, double-click the Research group.

6. In the Research Properties window, on the Members tab, click Add.

7. In the Select Users, Contacts, Computers, Service Accounts, or Groups window, type Max, and then
click OK.

8. Click OK, and then close Active Directory Users and Computers.

9. Switch to the NYC-CL1 computer.


10. Log on by using the following credentials:

User name: Max


Password: Pa$$w0rd
Domain: Contoso

11. Click Start, and then click Computer.

12. Verify that the drive letter R maps to the research share.

13. Log off of NYC-CL1.

Resolution
The Group Policy Preferences drive map for drive R uses item-level targeting on the Research security group.
Max was not a member of the Research security group, so the mapping was not applied to him. Adding Max to
the Research security group resolved the problem; he must log on again so that the new membership is in his logon token.
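The plan of action compares Max's account with Alan's. The following PowerShell script is an added example (not part of the course lab) that does that comparison from a domain-joined Windows 7 client using ADSI, which is available without the Active Directory module: it lists each user's direct group memberships and reports the groups the reference user has that the affected user lacks. Account names follow the lab; the LDAP escaping is there so a caller-supplied name cannot alter the search filter.

```powershell
# Added example, not from the course lab: compare a user's direct group
# memberships with those of a reference user who gets the drive mapping, so
# the missing group stands out. Uses System.DirectoryServices (ADSI).
# Assumptions: run as a domain user on a domain-joined Windows 7 client;
# account names (Max, Alan) follow the lab.

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping, so a caller-supplied name cannot change the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DirectGroupNames {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $found = $searcher.FindOne()
    if (-not $found) { throw "User '$SamAccountName' was not found in the domain" }
    # memberOf holds distinguished names; keep only the CN for readability.
    foreach ($dn in $found.Properties['memberof']) {
        if ($dn -match '^CN=([^,]+)') { $Matches[1] }
    }
}

function Compare-GroupMembership {
    param([string]$User, [string]$ReferenceUser)
    $userGroups = @(Get-DirectGroupNames $User)
    $refGroups  = @(Get-DirectGroupNames $ReferenceUser)
    New-Object PSObject -Property @{
        User          = $User
        ReferenceUser = $ReferenceUser
        UserGroups    = $userGroups
        MissingGroups = @($refGroups | Where-Object { $userGroups -notcontains $_ })
    }
}

Compare-GroupMembership -User 'Max' -ReferenceUser 'Alan' | Format-List User, ReferenceUser, UserGroups, MissingGroups
```

memberOf lists direct memberships only, not nested groups or the primary group. The authoritative check on the client is the logon token itself: after Max logs on again, whoami /groups should list Research, and gpresult /r /scope user confirms that the GPO carrying the preference item applied.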

Results: At the end of this exercise, you will have resolved the Group Policy object (GPO) application
problem.

Exercise 3: Troubleshooting Missing Files in My Documents


X Task 1: Read the help-desk Incident Record 602093
Read the help-desk Incident Record for incident 602093.

X Task 2: Update the Plan of Action for Incident Record 602093


Incident Record
Incident Reference Number: 602093

Date of Call March 26


Time of Call 9:00
User Preeda Ola (Research)
Status OPEN

Incident Details
User reports that files are missing from the My Documents folder after he received a new computer
that has the organization's standard operating-system configuration.

Additional Information
The user has a brand new workstation configured with our default image. We have trained users not to
save information into My Documents, and have warned them that files in My Documents are not
backed up.
I logged onto the user's old computer, and no files were in his My Documents folder. Eventually, we
found the files in his home folder, which he had mapped to drive H.
I don't know how it was configured before, but this user wants My Documents to include the files in his
home drive instead of accessing them through drive H. Because this user is a department head, we
need to do this.

Plan of Action
1. Verify that the user's files are located in drive H.
2. Redirect My Documents to drive H.

X Task 3: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.

2. Log on by using the following credentials:

User name: Preeda


Password: Pa$$w0rd
Domain: Contoso

3. Click Start, and then click Computer.

4. In Windows Explorer, under Libraries, expand Documents, and then click My Documents.

5. Right-click My Documents, and then click Properties.


6. In the My Documents Properties window, on the Location tab, type H:\, and then click Apply.

7. In the Move Folder window, click No.

8. Click OK to close the My Documents Properties window.


9. Verify that My Documents is now redirected to Preeda's home folder.

Resolution
The users old computer had the My Documents folder redirected to drive H. When the new computer
was deployed, My Documents was not redirected because it is not part of the standard configuration.
Redirecting My Documents to drive H resolved the issue.

Results: After this exercise, you will have resolved a problem with missing files in the My Documents
folder.

Exercise 4: Troubleshooting a File Access Issue


X Task 1: Read the help-desk Incident Record 603033
Read the help-desk Incident Record for incident 603033.

X Task 2: Update the Plan of Action for Incident Record 603033


Incident Record
Incident Reference Number: 603033

Date of Call April 4


Time of Call 12:20
User Alan Brewer (Research)
Status OPEN

Incident Details
New peer-based application for research is not working properly.

Additional Information
The research department is semiautonomous for Information Technology (IT). They install and run a lot
of their own applications. They also store data on their local workstations. The workstations are backed
up daily to ensure that no data is lost.
They have a new application that they have installed on all of the workstations that is not functioning
properly. The installation instructions indicate that there must be a file share to which all computers
have read and write permissions.
All computers are configured to use \\NYC-CL1\Modeling as the file share. The file share is created, but
users do not appear to have the proper permissions. The application generates the error Shared data
access error.
I connected to \\NYC-CL1\Modeling, and then verified that I could not create or modify files from my
computer. Only members of the research group should be able to change these files.

Plan of Action
1. Review NTFS permissions, and verify effective permissions.
2. Review share permissions.

X Task 3: Simulate the problem


1. Log on to the NYC-CL1 computer as Contoso\Administrator with the password of Pa$$w0rd.

2. Run the D:\Labfiles\Mod07\Scenario4.bat script.

X Task 4: Attempt to resolve the problem


1. If necessary, switch to the NYC-CL1 computer.

2. Log on by using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso

3. Click Start, and then click Computer.


4. In Windows Explorer, browse to C:\.

5. Right-click Modeling, and then click Properties. Click the Sharing tab.

6. In the Modeling Properties window, click Advanced Sharing.

7. In the Advanced Sharing window, click Permissions.

8. In the Permissions for Modeling window, click Remove, and then click Add.

9. In the Select Users, Computers, Service Accounts, or Groups window, type Research, and then click
OK.

10. In the Permissions for Modeling window, click Research, select the Allow Full Control permission,
and then click OK.

11. In the Advanced Sharing window, click OK.

12. In the Modeling Properties window, click Close.

13. Start the 6293A-NYC-CL2 computer.

14. Log on by using the following credentials:

User name: Alan


Password: Pa$$w0rd
Domain: Contoso

15. Click Start, type \\NYC-CL1\Modeling, and then press Enter.

16. In Windows Explorer, right-click an empty area, point to New, and then click Text Document.

17. Type TestDoc, and then press Enter to rename the document.

Resolution
Modify the share permissions to remove the Everyone group, and then give the research group full
control.

OR

1. Modify the share permissions to give the Everyone group full control.

2. Prevent NTFS permissions from being inherited to the Modeling folder, and then copy existing
permissions.

3. Remove Authenticated Users NTFS permissions for the Modeling folder.

4. Add Modify permission for the Research group to the Modeling folder.
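Both resolutions work because a user who reaches the folder over the network gets the more restrictive of the share permissions and the NTFS permissions, so whichever layer is the tighter one decides the outcome. The following PowerShell script is an added example (not part of the course lab) that prints both layers side by side on the computer that hosts the share, which is the check the plan of action asks for; run it locally on NYC-CL1 from an elevated prompt. The share name and path follow the lab.

```powershell
# Added example, not from the course lab: list the share permissions and the
# NTFS permissions of a shared folder side by side. Over the network the
# effective access is the more restrictive of the two.
# Assumptions: run locally on the computer that hosts the share (NYC-CL1 in
# the lab) from an elevated PowerShell 2.0 prompt; share name and path follow the lab.

$ShareAccessMask = @{
    2032127 = 'Full Control'   # 0x1F01FF
    1245631 = 'Change'         # 0x1301BF
    1179817 = 'Read'           # 0x1200A9
}

function Get-SharePermission {
    param([string]$ShareName)
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' does not exist on this computer" }
    $descriptor = $setting.GetSecurityDescriptor().Descriptor
    foreach ($ace in $descriptor.DACL) {
        $mask  = [int]$ace.AccessMask
        $right = if ($ShareAccessMask.ContainsKey($mask)) { $ShareAccessMask[$mask] } else { '0x{0:X}' -f $mask }
        $who   = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $who = '{0}\{1}' -f $ace.Trustee.Domain, $who }
        New-Object PSObject -Property @{
            Trustee = $who
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Right   = $right
        }
    }
}

function Get-NtfsPermission {
    param([string]$Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        New-Object PSObject -Property @{
            Trustee   = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType.ToString()
            Right     = $rule.FileSystemRights.ToString()
            Inherited = $rule.IsInherited
        }
    }
}

"Share permissions on \\$env:COMPUTERNAME\Modeling"
Get-SharePermission -ShareName 'Modeling' | Format-Table Trustee, Type, Right -AutoSize
"NTFS permissions on C:\Modeling"
Get-NtfsPermission -Path 'C:\Modeling' | Format-Table Trustee, Type, Right, Inherited -AutoSize
```

Read the two tables together: if Research has Full Control on the share but only Read in NTFS, users still cannot write, and if Everyone has Full Control on the share the NTFS list is the only thing keeping non-research users out, which is why the second resolution removes Authenticated Users from NTFS.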

Results: At the end of this exercise, you will have successfully configured a share with read and write
permissions for users in the Research group.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

Module 8: Troubleshooting Security Issues


Lab: Troubleshooting Security Issues
Exercise 1: Recovering a BitLocker-Protected Drive
X Task 1: Read the help-desk Incident Record for Incident 603012
1. Read the help-desk Incident Record for incident 603012.

2. Read the printed document from Susanna.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Incident Record
Incident Reference Number: 603012

Date of Call April 3


Time of Call 09:34
User Susanna Stubberod (Production)
Status OPEN

Incident Details
Executive user is reporting that she has data that is encrypted with BitLocker Drive Encryption that she
needs to recover from a failed laptop.

Additional Information
The user uses her personal laptop to work on company documents. The laptop had a secondary hard
drive on which she stored the documents. She encrypted all drives with BitLocker to secure them.
Internal laptops are configured with a recovery agent to simplify data recovery. Because this is a
personal laptop, using a recovery agent is not an option.
She has given us the encrypted drive and a printout she made after the drive was encrypted.
She has requested that we configure the drive so that she can attach it easily to another computer by
placing the drive in an external Universal Serial Bus (USB) enclosure. Preferably, it should require only a
password to unlock.

Plan of Action
1. Attach the encrypted drive to a Windows 7 computer.
2. Use the recovery key from the printout to unlock the drive.
3. Add a password protector so that the drive's content can be unlocked with a password.

X Task 3: Attach the encrypted drive to NYC-CL1


1. On the host computer, ensure that 6293A-NYC-CL1 is shut down.

2. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
3. In Hyper-V Manager, right-click 6293A-NYC-CL1, and then click Settings.

4. In the Settings for 6293A-NYC-CL1 window, click IDE Controller 1.



5. In the right-pane, ensure that Hard Drive is selected, and then click Add.

6. In the Media area, click Browse.

7. Browse to C:\Program Files\Microsoft Learning\6293\Drives, click BitLockerRecovery.vhd, and
then click Open.

8. Click OK.
9. Start the 6293A-NYC-CL1 virtual machine, and then log on as NYC-CL1\WSAdmin with the
password of Pa$$w0rd. If you are prompted to restart NYC-CL1, click Restart Now.

X Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.

2. Log on by using the following credentials:

User name: WSAdmin


Password: Pa$$w0rd
Domain: NYC-CL1

3. Click Start, and then click Computer.

4. Right-click Local Disk (F:), and then click Unlock Drive.

5. On the Unlock this drive using your recovery key page, click Type the recovery key.

6. On the Enter your recovery key page, type 622732-532620-653312-417406-161304-327305-677292-111034,
and then click Next.
7. On the You now have temporary access to this drive page, click Manage BitLocker.

8. On the Select options to manage page, click Add a password to unlock the drive.

9. In the Type your password and Retype your password boxes, type Pa$$w0rd, and then click Next.
10. On the Select options to manage page, click Close.

11. On the You now have temporary access to this drive page, click Finish.

12. Close all open windows.

Resolution
1. Attached the encrypted drive to a Windows 7 computer.

2. Used the 48-digit recovery password from the printout to unlock the drive. The drive stays encrypted; unlocking only grants access.

3. Added a password protector so that the drive's content can be unlocked with a password on another computer.
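The same recovery can be done from the command line with manage-bde.exe, which is part of Windows 7 Enterprise and Ultimate. The following PowerShell wrapper is an added example (not part of the course lab); it assumes an elevated prompt on the computer where the drive is attached, and takes the drive letter and the 48-digit recovery password as parameters (the call at the bottom uses the lab's values).

```powershell
# Added example, not from the course lab: unlock a BitLocker data volume with
# its numerical recovery password and add a password protector, using manage-bde.
# Assumptions: elevated PowerShell 2.0 prompt on the computer where the drive
# is attached (Windows 7 Enterprise or Ultimate); drive letter and recovery
# password are passed in.

function Unlock-BitLockerDataDrive {
    param(
        [Parameter(Mandatory=$true)][string]$Drive,             # e.g. 'F:'
        [Parameter(Mandatory=$true)][string]$RecoveryPassword   # eight groups of six digits
    )
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'The recovery password must be 48 digits in eight hyphen-separated groups of six.'
    }

    # Before: shows the lock status and the protectors currently on the volume.
    & manage-bde.exe -status $Drive

    # Unlock with the numerical recovery password from the printout.
    & manage-bde.exe -unlock $Drive -RecoveryPassword $RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not unlock $Drive (exit code $LASTEXITCODE)" }

    # Add a password protector. manage-bde prompts for the password itself, so
    # it is never placed on the command line or left in the shell history.
    & manage-bde.exe -protectors -add $Drive -Password
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not add a password protector to $Drive (exit code $LASTEXITCODE)" }

    # After: the volume should now list both a Numerical Password and a Password protector.
    & manage-bde.exe -protectors -get $Drive
}

Unlock-BitLockerDataDrive -Drive 'F:' -RecoveryPassword '622732-532620-653312-417406-161304-327305-677292-111034'
```

A step the lab does not include, but worth considering: the printed recovery password has now passed through several hands, so treat it as exposed. Removing it with manage-bde -protectors -delete F: -type RecoveryPassword and adding a fresh one with manage-bde -protectors -add F: -RecoveryPassword leaves the old printout unable to unlock the drive; the new password then needs a safer home than paper.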

Results: At the end of this exercise, you will have recovered a BitLocker-protected drive.

Exercise 2: Troubleshooting an Internet Explorer Security Issue


X Task 1: Read the help-desk Incident Record for Incident 603026
Read the help-desk Incident Record for Incident 603026.

X Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Incident Record
Incident Reference Number: 603026

Date of Call April 4


Time of Call 12:20
User Sten Faerch (Marketing)
Status OPEN

Incident Details
User is being prompted for security credentials when accessing the intranet site.

Additional Information
When the user attempts to access the corporate intranet by using http://nyc-dc1.contoso.com, he is
prompted for credentials.
I coached him through the process of entering his credentials as Contoso\Sten and his password. This
authenticates him successfully, and he can use it as a short-term work-around, but he does not want to
be prompted.
I asked him to check if other users in his department were having the same issue, and he told me that
they said No. He is the only user. After he authenticates, everything is fine.
When the issue is resolved, please configure the corporate intranet as his home page.

Plan of Action
1. Visit the user, and view the problem.
2. Review the Windows Internet Explorer configuration.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.

2. Log on by using the following credentials:


User name: Administrator
Password: Pa$$w0rd
Domain: Contoso

3. Run the D:\Labfiles\Mod08\Scenario2.vbs script.

4. Log off of NYC-CL1.



X Task 4: Attempt to resolve the problem


1. Switch to the NYC-CL1 computer.

2. Log on by using the following credentials:

User name: Sten


Password: Pa$$w0rd
Domain: Contoso

3. Click the Internet Explorer icon on the taskbar. At the Set Up Windows Internet Explorer 8 prompt,
click Ask me later.

4. In the Internet Explorer window, in the Address bar, type http://nyc-dc1.contoso.com, and then
press Enter.

5. When prompted for credentials, click Cancel.

6. In the Address bar, type http://nyc-dc1, and then press Enter.


7. In the status bar, verify that the site is recognized as the Local intranet.

8. Click the down arrow beside the home page icon, and then click Add or Change Home page.

9. In the Add or Change Home Page window, click Use this webpage as your only home page, and
then click Yes.

10. Close Internet Explorer.

11. Log off of NYC-CL1.

Resolution
1. Instruct the user to use the single-label URL (http://nyc-dc1) to access the intranet site. Internet
Explorer places a host name that contains no dots in the Local intranet zone, and in that zone it
automatically passes the user's current Windows credentials, so no prompt appears. The fully qualified
name is not recognized as an intranet site unless it is mapped to that zone, so it prompts for credentials.

2. Configure http://nyc-dc1 as the home page.

OR

1. Manually add http://nyc-dc1.contoso.com to intranet sites list.

2. Configure http://nyc-dc1.contoso.com as home page.

OR
1. Manually add http://nyc-dc1.contoso.com to trusted sites, and then configure trusted sites to allow
automatic logon with current user name and password.

2. Configure http://nyc-dc1.contoso.com as the home page.
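The three resolutions differ in which zone the site lands in and what that zone's logon setting is. The following PowerShell script is an added example (not part of the course lab) for a Windows 7 / Internet Explorer 8 client: it shows the "Logon" setting (URL action 1A00) of each security zone for the current user, and implements the second resolution by mapping the FQDN into the Local intranet zone through the per-user ZoneMap registry key. It assumes per-user zone settings (no "Site to Zone Assignment List" policy and "Security Zones: Use only machine settings" not enabled); host and domain follow the lab.

```powershell
# Added example, not from the course lab: show the "Logon" setting (URL action
# 1A00) of each Internet Explorer security zone for the current user, and map
# an FQDN into the Local intranet zone (the second resolution above).
# Assumptions: per-user zone settings (no "Site to Zone Assignment List" GPO,
# and "Security Zones: Use only machine settings" not enabled); host and
# domain follow the lab (nyc-dc1.contoso.com).

$Base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$LogonMeaning = @{
    0      = 'Automatic logon with current user name and password'
    65536  = 'Prompt for user name and password'           # 0x10000
    131072 = 'Automatic logon only in Intranet zone'        # 0x20000
    196608 = 'Anonymous logon'                              # 0x30000
}

function Get-IeZoneLogonSetting {
    foreach ($zone in 0..4) {
        $value   = (Get-ItemProperty -Path "$Base\Zones\$zone" -ErrorAction SilentlyContinue).'1A00'
        $meaning = 'not set (template default applies)'
        if ($value -ne $null -and $LogonMeaning.ContainsKey([int]$value)) { $meaning = $LogonMeaning[[int]$value] }
        New-Object PSObject -Property @{ Zone = $ZoneNames[$zone]; Logon1A00 = $value; Meaning = $meaning }
    }
}

function Add-IeIntranetSite {
    param([string]$Domain = 'contoso.com', [string]$HostName = 'nyc-dc1', [string]$Scheme = 'http')
    # ZoneMap\Domains\<domain>\<host> with a DWORD named after the scheme and
    # value 1 assigns that URL to zone 1 (Local intranet).
    $key = "$Base\ZoneMap\Domains\$Domain\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object PSChildName, $Scheme
}

Get-IeZoneLogonSetting | Format-Table Zone, Logon1A00, Meaning -AutoSize
Add-IeIntranetSite -Domain 'contoso.com' -HostName 'nyc-dc1' -Scheme 'http'
```

Prefer the intranet-zone mapping over the third resolution: setting the Trusted sites zone to "Automatic logon with current user name and password" (1A00 = 0) makes Internet Explorer send the user's Windows credentials to every site in that zone, not just the intranet server. In a managed domain the same mapping for all users is done with the "Site to Zone Assignment List" Group Policy setting rather than per-user registry edits.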

Results: After this exercise, you will have authenticated successfully to the intranet website, without
requiring the user to enter credentials.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.



Module 9: Troubleshooting Operating System and Application Issues

Lab: Troubleshooting Operating System and Application Issues
Exercise 1: Troubleshooting Windows Updates
X Task 1: Read help-desk Incident Record 603193
Read the help-desk Incident Record for incident 603193.

X Task 2: Update the Plan of Action for Incident Record 603193


Incident Record
Incident Reference Number: 603193

Date of Call April 14


Time of Call 08:20
User All computers
Status OPEN

Incident Details
Client computers and servers are not obtaining Windows updates from the new Windows Server
Update Services (WSUS) server.

Additional Information
The new WSUS server is implemented, and it is successfully downloading updates from Microsoft
Update. However, the updates are not being delivered to client computers.
We recently blocked access to Microsoft Update for client computers to ensure that they were using
the WSUS server for updates.
You can force the client to contact the WSUS server by running wuauclt.exe /detectnow on the client
computer.
You can verify that the client connected to the WSUS server by checking the WindowsUpdateClient
event log for Event ID 26. You also can verify that the computer is listed in the Windows Server Update
Services administrative tool on NYC-DC1.

Plan of Action
1. Identify if the computer is registered in WSUS.
2. Run wuauclt.exe /detectnow to force contact with the WSUS server.
3. Review the WindowsUpdateClient event log.
4. Verify creation of a GPO to configure Automatic Updates on computers.

X Task 3: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.

2. Log on by using the following credentials:

User name: Administrator


Password: Pa$$w0rd
Domain: Contoso

3. Click Start, point to Administrative Tools, and then click Group Policy Management.

4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then expand
Contoso.com.
5. Right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.

6. In the New GPO window, in the Name box, type WSUS, and then click OK.

7. Right-click WSUS, and then click Edit.

8. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
9. In the right-pane, double-click Specify intranet Microsoft update service location.

10. In Specify intranet Microsoft update service location, click Enabled.

11. In the Set the intranet update service for detecting updates and Set the intranet statistics
server boxes, type http://NYC-DC1, and then click OK.

12. Double-click Configure Automatic Updates.

13. In the Configure Automatic Updates window, click Enabled, and then click OK.
14. Close all open windows.

15. Switch to the NYC-CL1 computer.

16. Log on by using the following credentials:
    User name: WSAdmin
    Password: Pa$$w0rd
    Domain: Contoso
17. Click Start, type cmd, and then press Enter.

18. At the command prompt, type gpupdate /force, and then press Enter.

19. At the command prompt, type wuauclt.exe /detectnow, and then press Enter.
20. On NYC-DC1, click Start, point to Administrative Tools, and then click Windows Server Update
Services.

21. Expand NYC-DC1, expand Computers, and then click All Computers.

22. In the Status box, select Any, and then click Refresh. The computer NYC-CL1 is listed.

23. Close the Update Services window.
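The plan of action and the steps above check the client by hand. The following PowerShell script is an added example, not part of the Microsoft courseware, that performs the same checks on NYC-CL1 in one pass: it reads the policy values the WSUS GPO writes to the registry, lists which update service the Automatic Updates agent is registered with, confirms the client can reach the WSUS server, forces a detection cycle, and reads the WindowsUpdateClient log. It assumes the lab's URL http://NYC-DC1 (plain HTTP on port 80; WSUS on Windows Server 2012 and later listens on 8530/8531 by default) and an elevated PowerShell prompt on the client.

```powershell
# Added example for this lab, not part of the Microsoft courseware. Run on NYC-CL1 in an elevated
# PowerShell prompt after the WSUS GPO has been created and gpupdate has run.
# Assumption: the WSUS location is http://NYC-DC1 as configured in the lab (plain HTTP, port 80).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

# 1. Did the GPO actually apply to this computer? The policy writes the WSUS location here.
if (-not (Test-Path $policyKey)) {
    Write-Warning "No WindowsUpdate policy key: the WSUS GPO has not applied. Run 'gpupdate /force' and check 'gpresult /r'."
    return
}
$wu = Get-ItemProperty -Path $policyKey
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
"WUServer       : $($wu.WUServer)"
"WUStatusServer : $($wu.WUStatusServer)"
"UseWUServer    : $($au.UseWUServer)   (must be 1, or the client keeps using Microsoft Update)"
"NoAutoUpdate   : $($au.NoAutoUpdate)   (1 disables Automatic Updates entirely)"

# 2. Is WSUS the service the Automatic Updates agent is registered with?
$services = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services
$services | ForEach-Object { "{0,-40} default={1}" -f $_.Name, $_.IsDefaultAUService }

# 3. Can the client reach the WSUS self-update share? The firewall rule that blocks Microsoft
#    Update must not also block this. wuident.cab is served from the WSUS root web site.
try {
    $bytes = (New-Object System.Net.WebClient).DownloadData("$($wu.WUServer)/selfupdate/wuident.cab")
    "Reached WSUS: selfupdate/wuident.cab is $($bytes.Length) bytes"
} catch {
    Write-Warning "Cannot reach $($wu.WUServer): $($_.Exception.Message)"
}

# 4. Force a detection cycle (the same thing wuauclt.exe /detectnow does) and give the agent time.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
Start-Sleep -Seconds 60

# 5. Read the client's own log instead of guessing: the most recent WindowsUpdateClient events.
Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r`n", ' ' } } |
    Format-Table -AutoSize -Wrap
```

Two caveats apply outside the lab. Point clients at an https:// URL and make them trust the WSUS server certificate: the client acts on the update metadata it receives from the configured server, and over plain HTTP anyone on the network path can alter that exchange. Blocking Microsoft Update at the firewall, as the incident record describes, only stops clients from bypassing WSUS; it does not protect the WSUS connection itself.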



Resolution
Set up a GPO to configure Automatic Updates properly so that computers use http://NYC-DC1.

Results: At the end of this exercise, you will have resolved the issue with Windows updates.

Exercise 2: Troubleshooting AppLocker Policy Application


X Task 1: Read help-desk Incident Record 603210
Read the help-desk Incident Record for incident 603210.

X Task 2: Update the Plan of Action for Incident Record 603210


Incident Record
Incident Reference Number: 603210

Date of Call April 14


Time of Call 11:33
User Marketing Manager
Status OPEN

Incident Details
Unauthorized applications are being used on computers.

Additional Information
We have recently implemented Windows 7 AppLocker policies to control the use of applications. In
testing, the default rules were configured, which prevented most unauthorized applications from
running.
A manager has reported that several of his staff are playing games that are not authorized. It appears
that the users have brought in the games on Universal Serial Bus (USB) flash drives.
I browsed Adam Carter's profile on NYC-CL1, and he has a game stored in the Downloads folder.
Please identify why these are not being blocked in production like they were in testing.

Plan of Action
1. Verify that the game in the Downloads folder will run.
2. Verify that the AppLocker rules for executables block the files in the Downloads folder.
3. Check the Application Identity service to verify that it is running.

X Task 3: Simulate the problem


1. Switch to the NYC-CL1 computer.
2. Run the D:\Labfiles\Mod09\Scenario3.vbs script. NYC-CL1 will reboot when you run this script.

X Task 4: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.

2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso

3. Click Start, point to Administrative Tools, and then click Group Policy Management.

4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then click
Contoso.com.

5. Right-click Application Control, and then click Edit.

6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, and then click System Services.

7. Right-click Application Identity, and then click Properties.

8. In the Application Identity Properties window, select the Define this policy setting check box, click
Automatic, and then click OK.

9. Close all open windows.

Resolution

Configure a GPO so that the Application Identity service starts automatically.

Results: At the end of this exercise, you will have prevented unauthorized applications from starting.

Exercise 3: Troubleshooting Application Startup


X Task 1: Read the help-desk Incident Record 603220
Read the help-desk Incident Record for incident 603220.

X Task 2: Update the Plan of Action for Incident Record 603220


Incident Record
Incident Reference Number: 603220

Date of Call April 14


Time of Call 13:15
User Marketing Manager
Status OPEN

Incident Details
An authorized application is not able to run.

Additional Information
After resolving incident 603210, it appears that a legitimate application is being blocked. The
Marketing Manager is reporting that Adam is no longer able to run his game on NYC-CL1, but now
also cannot run an XML editing application. The executable for this application is located in
C:\XMLNotepad.
Please identify why this application is not able to run, and then resolve the issue.

Plan of Action
1. Verify that XML notepad in C:\XMLNotepad is blocked.
2. Review the AppLocker event log to verify that AppLocker is the issue.
3. Review the AppLocker rules, and then update them as required.

X Task 3: Attempt to resolve the problem


1. Switch to the NYC-DC1 computer.

2. Log on by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Contoso

3. Click Start, point to Administrative Tools, and then click Group Policy Management.

4. In Group Policy Management, expand Forest: Contoso.com, expand Domains, and then click
Contoso.com.

5. Right-click Application Control, and then click Edit.

6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Application Control Policies, expand
AppLocker, and then click Executable Rules.

7. Right-click Executable Rules, and then click Create New Rule.

8. In the Create Executable Rules window, click Next.

9. On the Permissions page, click Next to Allow Everyone to run the application.

10. On the Conditions page, click Path, and then click Next.

11. In the Path box, type C:\XMLNotepad\XmlNotepad.exe, and then click Next.

12. On the Exceptions page, click Next.

13. On the Name and Description page, click Create.

14. Close all open windows.
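Exercises 2 and 3 are two sides of the same check: AppLocker rules are only enforced while the Application Identity service is running, and once they are enforced, a legitimate program that matches no allow rule is blocked. The following PowerShell script is an added example for this lab, not Microsoft courseware, that runs on NYC-CL1: it reports the service state, the effective AppLocker policy, what AppLocker would decide for the game and for XML Notepad as Adam, and the AppLocker block events; it then builds an allow rule for XML Notepad from the file's publisher (or its hash if the file is unsigned) and merges it into the GPO. The game's path, Adam Carter's logon name and the GPO's LDAP path are placeholders; C:\XMLNotepad\XmlNotepad.exe and the Application Control GPO come from the lab.

```powershell
# Added example for this lab, not part of the Microsoft courseware. Run on NYC-CL1 in an elevated
# PowerShell prompt after the Application Control GPO has applied. Assumptions: the game's path,
# Adam Carter's logon name and the GPO's LDAP path are placeholders; XML Notepad's path is the lab's.
Import-Module AppLocker

$game       = 'C:\Users\Adam\Downloads\game.exe'   # placeholder: use the file found in the incident
$xmlNotepad = 'C:\XMLNotepad\XmlNotepad.exe'
$user       = 'Contoso\Adam'                        # assumed logon name for Adam Carter

# 1. Exercise 2: rules are evaluated by the Application Identity service (AppIDSvc). If it is
#    stopped, every rule is ignored and nothing is blocked, whatever the GPO says.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
"Application Identity: State={0}, StartMode={1}" -f $svc.State, $svc.StartMode
if ($svc.State -ne 'Running') {
    Write-Warning 'AppIDSvc is not running: AppLocker rules are not enforced on this computer.'
}

# 2. Look at the policy actually in force (local policy merged with every applied GPO).
[xml]$effectiveXml = Get-AppLockerPolicy -Effective -Xml
$exeCollection = $effectiveXml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
"EXE rule collection: EnforcementMode={0}, rules={1}" -f $exeCollection.EnforcementMode, @($exeCollection.ChildNodes).Count

# 3. Ask AppLocker what it would decide for each file, as the user, before changing any rule.
#    Test-AppLockerPolicy needs the files to exist so it can read their hash and signature.
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $game, $xmlNotepad -User $user |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Exercise 3: confirm that AppLocker, and not something else, blocked XML Notepad.
#    Event 8004 = blocked, 8003 = would have been blocked (audit mode), 8002 = allowed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 5. Allow XML Notepad by publisher, falling back to a file hash if the binary is unsigned. The
#    lab's path rule allows anything placed in C:\XMLNotepad, so it is only as strong as that
#    folder's ACL; a publisher or hash rule identifies the program itself.
$fileInfo = Get-AppLockerFileInformation -Path $xmlNotepad
$newRules = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                -User Everyone -RuleNamePrefix 'XMLNotepad' -Optimize
$newRules.RuleCollections | Format-List     # review the generated rule before merging it

# 6. Merge the rule into the Application Control GPO. This needs the Group Policy tools, so run
#    this part on NYC-DC1. Replace {GUID} with (Get-GPO -Name 'Application Control').Id in braces.
$gpoLdap = 'LDAP://NYC-DC1.Contoso.com/CN={GUID},CN=Policies,CN=System,DC=Contoso,DC=com'
if ($gpoLdap -notlike '*{GUID}*') {
    Set-AppLockerPolicy -PolicyObject $newRules -Ldap $gpoLdap -Merge
}
```

Step 3 is the one to run first whenever a user reports a blocked program: its PolicyDecision and MatchingRule columns show whether the file is denied because no rule covers it or because a deny rule matches, which decides whether a new allow rule or a rule exception is the right fix. Step 5 deliberately does not recreate the lab's path rule: if standard users can write to C:\XMLNotepad, a path rule lets them run any file they copy there under XML Notepad's name, while a publisher rule survives upgrades of the signed binary and a hash rule pins exactly one file.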

Resolution
Configure an AppLocker rule to allow the application in C:\XMLNotepad to run.

Results: At the end of this exercise, you will have resolved the problem with application startup.

X To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6293A-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6293A-NYC-CL1 and 6293A-NYC-CL2.

