6430B
Planning for Windows Server
2008 Servers
Volume 1
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront,
Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight,
SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media,
Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Released: 11/2009
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
contract are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of
this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law that this contract cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers compensation for direct damages only, up to US $5.00. You cannot claim compensation for any
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.
LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of
your country. This contract does not change the rights granted to you by the laws of your country if those
laws do not permit it to do so.
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a
student preparing for a career in IT.
We wish you a great learning experience and ongoing success in your career!
Sincerely,
Microsoft Learning
www.microsoft.com/learning
Planning for Windows Server 2008 Servers xiii
Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Contents
Volume 1
Module 1: Planning Windows Server 2008 Deployment
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60
Volume 2
Module 6: Planning File and Print Services
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66
Course Description
This three-day instructor-led course is intended for IT pros who are interested in
the knowledge and skills necessary to plan a Windows Server 2008 operating
system infrastructure. This course is aimed at server administrators and is not a
how-to course; therefore, it has a significant number of planning exercises with
less focus on hands-on exercises than some courses.
The course content and exercises direct you toward making decisions and
providing guidance to others. This course reflects the decision-making tasks that a
server administrator undertakes.
Server administrators often act as an escalation point and sit between the technical
specialist role and architect role.
Audience
This course is intended for a server administrator who:
• Is moving from a technical-specialist role to a decision-making role.
• Wants to acquire the necessary knowledge to be able to plan for Windows
Server 2008 servers.
Student Prerequisites
You should have up to one year of experience with implementing server plans,
although you have probably not yet had full responsibility for planning.
This course requires that you meet the following prerequisites:
• Skills equivalent to course 6418A (deployment): installation and
configuration of Windows Server 2008, Windows Deployment Services,
Active Directory directory service upgrades
• Skills equivalent to course 6420A (networking fundamentals): TCP/IP
configuration, server administration, network and data security
About This Course ii
Course Objectives
After completing this course, students will be able to:
• Plan for both Windows Server 2008 installation and upgrade from a previous
version of Windows Server to Windows Server 2008.
• Plan and implement network connectivity in Windows Server 2008 by using
IPv4-related technologies and plan a migration strategy to IPv6.
• Plan the deployment of Active Directory-related services in Windows Server
2008.
• Apply the design considerations for implementing group policy.
• Plan the configuration of different application services in Windows Server
2008.
• Create a plan for file and print services to meet an organization's printing, file
storage, and access needs.
• Create a plan to secure the Windows Server 2008 environment.
• Create local and remote administration strategies for administering a Windows
Server 2008 environment.
• Create a monitoring plan for the Windows Server 2008 environment.
• Create a plan that will help mitigate the effects of various disaster scenarios on
the IT infrastructure.
• Create a plan for using virtualization in a Windows Server 2008 environment.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Software required for the Module 11 lab, but not included in the Training Materials, is:
This software can be sourced from the Microsoft Partner Program via the Partner
Program Action Pack, detailed information on which is available at
https://partner.microsoft.com.
This optional lab is based on Microsoft Hyper-V.
Important: When shutting down the virtual machines in Lab Launcher, the default
setting is Shut Down The Virtual Machine And Save Changes. You should inform
students not to take the default setting but rather to take their time when shutting
down the virtual machines and make sure they select the bottom option in the list,
Turn Off Machines And Discard Changes, at the end of each lab.
To close a virtual machine without saving the changes on Hyper-V, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Important: The Hardware Level in this course has been modified so that, by default,
it assumes 4 gigabytes (GB) of RAM is available in the host machine rather than the
2 GB of RAM normally required by Hardware Level 5.5. The default configuration on
installation and boot-up therefore expects 4 GB of RAM in the host machine. For
detailed steps on how to set up this environment, follow the steps outlined in the
Classroom Configuration Hardware Level 5.5 with 4 GB RAM section in the classroom
setup guide.
If you do not have 4 GB RAM available in the student machines, you will need to
follow alternative setup steps. An alternative LauncherSettings.config file is provided
with the course, which redefines the RAM values for each of the virtual machines so
that they boot and run with the normal Hardware Level 5.5 allocation, which assumes
2 GB RAM is available in the host machine. For details on how to set up the
classroom where only 2 GB is available in the student machines, see the Classroom
Configuration Hardware Level 5.5 with 4 GB RAM section in the classroom setup
guide.
It is also highly recommended that you read the MSL Lab Launcher Getting Started
Guide, which is available in the MCT Download Center. This contains information
about how to install and customize the MSL Lab Launcher in general terms and will
be complementary to what is contained in this course-specific setup guide.
Each classroom computer will serve as the host for four virtual machines that will
run in Virtual Server 2005 R2 SP1.
The following are the virtual machines, brief descriptions, and the RAM allocation
to each of them for the default installation, that is, 4 GB RAM available on the host
machine.
Virtual machine    Description    RAM (MB)
Note: All virtual machines in this course were developed with a resolution of 1024 x
768.
Hardware Level 6
Pentium IV 2.4 GHz processor *
PCI 2.1 bus
4 GB of RAM
At least two 40 GB hard disks, 7,200 RPM
DVD drive
Non-ISA network adapter: 10/100 Mbps, full duplex required
Objectives
After completing this module, you will be able to:
Describe how change management affects a deployment project.
Plan the deployment of a single computer running Windows Server 2008.
Describe how to perform a single-server installation.
Determine how to automatically deploy Windows Server 2008.
Planning Windows Server 2008 Deployment 1-3
Objectives
After completing this lesson, you will be able to:
Describe change management and its benefits.
Describe the considerations for change management.
1-4 Planning for Windows Server 2008 Servers
Key Points
Change management is the process by which changes are approved, implemented,
and monitored. Some additional steps in formal processes might include a request
for change and change classification as part of the approval process. The change
management process varies widely for different organizations. In larger
organizations, change management is a formal process and can require that a
change-approval board approve all system changes. The board documents all
changes and when they are to occur. In smaller organizations, the process is often
less formal, only requiring the verbal approval of the manager responsible for
information systems.
Question: Are there situations in which the normal change process cannot be
followed?
Key Points
Changes to any information system should be made in an organized and
controlled manner. The details of the change management process that you use are
less important than defining a process and using it consistently. A consistent
process ensures that all the necessary approvals are gathered before the change is
implemented and that impact on other systems is avoided.
Successful Change Management
For a change management process to be successful, it must be supported by the
organization. Using the change management process cannot be optional. All staff
must follow the change management procedures. If the change management
process is not enforced and communicated properly, most of the staff will stop
using it over time.
When a change management process is first implemented, many of the
information technology staff will complain about the level of bureaucracy involved.
However, after the initial adjustment in expectations has been made, information
technology staff frustration will be reduced.
Question: Do you see the value in using change management procedures in your
organization?
Key Points
ITIL was originally a set of about 60 books developed in the late 1980s by a
consortium of industry leaders as a set of best practices for IT. These books
described IT processes defined by ITIL and the interdependencies among them.
The development of the library was sponsored by the United Kingdom
government's Office of Government Commerce (OGC). ITIL version 3 was released
in 2007.
ITIL is a de facto standard for IT service management. It is widely implemented by
large and medium-sized organizations. In addition to the ITIL books, ITIL
certification is also available.
For more details about ITIL, talk to your local training center. You can
also find more information at the official ITIL Web site at
http://go.microsoft.com/fwlink/?LinkID=160967&clcid=0x409.
Key Points
ITIL is a large set of documentation describing best practices for IT service
management. ITIL version 3 was released in 2007 and contains five core books.
Each book covers a different stage of the service life cycle. Additional books
providing more detail are provided for specialized topics related to the five core
books. The five core books are:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Service Transition
Service Transition takes the service design and implements it in a way that
meets all requirements of the service design. This includes not only requirements
during normal operational use, but also requirements for disaster recovery. One of
the key challenges and processes that must be defined for service transition is
change management. Testing of the services as they are implemented must be
performed.
Service Operation
From the customer perspective, service operation is when value is delivered.
Processes for ongoing maintenance of the applications and infrastructure are
defined. Also, processes for incident management and service desk must be in
place. Effective management of ongoing incidents is essential for customer
satisfaction.
Key Points
The Microsoft Operations Framework (MOF) process model describes a life cycle
that can be applied to systems of any size and related to any service solution. The
model groups similar information technology management functions called service
management functions (SMFs) into four quadrants.
Note: MOF extends the best practices found in ITIL by including guidance and best
practices derived from the experience of Microsoft operations groups, partners, and
customers.
Key Points
Project management is a set of techniques used to achieve a desired result on time,
within budget, and according to specification. The project management process
includes planning, estimating, and controlling all of the activities required to attain
the required end result. A key aspect of projects is that they have a limited scope
that is to be completed within a defined timeframe, meaning that they are
temporary and not ongoing.
The idea of project management is that, regardless of the project being completed,
there is a consistent set of procedures that help to ensure that the project is
completed successfully. The same set of procedures can be used to ensure success
for the building of a bridge as for the building of a new information system.
Initiation
During initiation, you must identify the deliverables that define when the
project has been completed. At this stage, you also obtain approval from senior
management for the project based on the benefits to the organization. High-level
planning for resources is also performed.
Planning and Design
During planning and design, you create a detailed plan of what needs to be
performed and when. The overall project is broken down into tasks. Then, based
on the tasks, you can define the required resources and schedule when activities
need to occur. As part of this process, a critical path is defined. The critical path
determines the shortest time frame in which the project can be completed.
Executing
During execution, the tasks determined in the plan are performed. The project
manager is responsible for ensuring that the necessary resources are available and
that each task is assigned to an appropriate resource. Gantt charts are typically
used to show what tasks are being performed at a given time.
Monitoring and Controlling
Monitoring and controlling are the processes used to supervise the completion of tasks
performed during execution. These processes are essential to identify any potential
problems as early as possible so that they can be corrected. One example of
monitoring is regular progress meetings to identify any tasks that are not being
completed on time or require additional resources.
Key Points
An SLA is an agreement between an IT group and an organization. It is important
to define an SLA early, because it documents the service expectations and
requirements that an organization expects the IT service provider to deliver. An
SLA might be written for the availability of a specific system component, a specific
service, or an entire system.
SLA Agreements and Change Management
An SLA should include a regular time that maintenance can be performed. During
the scheduled maintenance time, the system is not expected to be available. This is
typically when changes are implemented. The maintenance window may be daily,
weekly, or monthly, and may range from only a few minutes to a few hours.
When a major change such as a server migration is implemented, an additional
service outage may need to be negotiated as part of the change. For example, if a
file server has a one-hour daily maintenance window, and migrating data to a new
file server will take several hours, an additional outage must be negotiated.
Key Points
Microsoft Solution Accelerators are free tools and guidance from Microsoft on how
to implement Microsoft technologies. If you are planning the implementation of
any new Microsoft technology, you should review the Microsoft Solution
Accelerators for content relevant to the new technology.
Some of the Microsoft Solution Accelerators relevant to Windows Server 2008 are:
Microsoft Assessment and Planning Toolkit
Infrastructure Planning and Design Guides for Windows Server
Microsoft Deployment Toolkit 2008
Windows Server 2008 Security Compliance Management Toolkit
Hyper-V Security Guide
When you introduce Windows Server 2008 into your organization, you need to
determine which edition of Windows Server 2008 meets your needs. You also need
to consider the licensing requirement for Windows Server 2008. Some of the other
topics you need to consider are activation, virtualization, and consolidation of
server roles.
Objectives
After completing this lesson, you will be able to:
Select an appropriate edition of Windows Server 2008.
Describe the Microsoft licensing programs.
Describe the considerations for client access licenses.
Describe the considerations for virtualization.
Describe the considerations for server activation.
Describe the considerations for consolidating server roles.
Describe the Microsoft Planning and Assessment Toolkit.
Key Points
Windows Server 2008 is available in several different editions to meet the unique
needs of different organizations. Each edition is priced differently, has different
support for hardware, and supports different features. You select the edition based
on your requirements for hardware support and features.
The most common editions of Windows Server 2008 are:
Windows Web Server 2008. This low-cost edition is meant to be used as a
Web application server. It supports up to four processors and 32 GB of RAM
(4 GB on 32-bit systems). It cannot be used as a domain controller.
Windows Server 2008 Foundation. This low-cost edition is meant to be used
in small offices with limited requirements. It is sold only by original equipment
manufacturers (OEMs), not at retail outlets or through volume licensing. It
supports only a single 64-bit processor and 8 GB of RAM. Infrastructure roles
are supported.
Key Points
There are three main ways that you can obtain licenses for Windows Server 2008:
Retail. These licenses are purchased from an online or physical retailer. This
type of licensing is typically used by small organizations that are purchasing a
limited number of licenses.
OEM. These licenses are purchased with new hardware. The cost of these
licenses is typically less than retail, but the licenses cannot be moved from one
computer to another.
Volume license. Microsoft has a variety of volume license programs for
purchasing multiple copies of Microsoft software. The cost of these licenses is
typically less than retail but more than OEM licensing. Some volume licensing
options are subscription-based rather than purchased outright. Software Assurance
is also available. For larger organizations, one key benefit of volume licensing
is simplifying the licensing process.
For more information about licensing, see the Windows Server 2008
Licensing Overview on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=160956&clcid=0x409.
Key Points
Client access licenses (CALs) are required for all devices and computers that
communicate with the Standard, Enterprise, and Datacenter editions of Windows
Server 2008. When you introduce Windows Server 2008 to your organization, you
must also update the CALs.
CALs are not required in the following circumstances:
When access is through the Internet and is anonymous or unauthenticated,
for example, when access is through a Web site that does not have a user
logon.
When access is to Windows Web Server 2008. Not requiring CALs in this
instance allows you to run Web sites requiring authentication to the local Web
server.
When access is to Windows Server 2008 Foundation. An alternative licensing
scheme is used for Windows Server 2008 Foundation that does not use CALs.
Key Points
Hyper-V is a server role available in the Standard, Enterprise, and Datacenter
editions of Windows Server 2008. It allows Windows Server 2008 to act as a
virtualization host for virtual machines. It is possible to purchase these editions of
Windows Server 2008 without Hyper-V included. However, the price discount is
very small. Hyper-V is only available for 64-bit versions of Windows Server 2008.
When you purchase a single-server license for the Standard, Enterprise, or
Datacenter edition of Windows Server 2008, your license includes virtual image
use rights:
Windows Server 2008 Standard includes one virtual image license. This means
that you can install one physical and one virtual version of Windows Server
2008 Standard on the same physical server.
Windows Server 2008 Enterprise includes four virtual image licenses. This
means that you can install one physical and four virtual versions of Windows
Server 2008 standard on the same physical server.
Note: The virtual image use rights include downgrade rights to run previous versions of
Windows Server. For example, a Hyper-V host running Windows Server 2008 Enterprise
could have a Windows Server 2003 virtual machine as one of the virtual machines
included in the virtual image use rights.
CALs are also a concern when you implement Hyper-V for virtualization. If you are
hosting a virtual machine on a Hyper-V host running Windows Server 2008, any
user accessing the virtual machine must have a Windows Server 2008 CAL. For
example, if a Windows Server 2003 virtual machine is hosted on a Hyper-V host,
all users or devices accessing the Windows Server 2003 virtual machine must have
a Windows Server 2008 CAL.
Key Points
Product activation is used by Microsoft to prevent casual copying of software.
Windows Server 2008 is one software product that must be activated. This is a
separate process from product registration.
Activation associates a specific set of hardware to a product key to ensure that the
product key is not reused on an unauthorized computer. However, no identifying
information is included as part of the activation process.
Initial activation can be performed over the Internet or by phone. If your server has
access to the Internet, that is the preferred method, because activation over the
Internet takes only a few moments. If your server does not have access to the
Internet, you must activate by telephone, which takes about ten minutes in most
cases.
Key Points
There are no specific guidelines for which server roles can be combined on the
same server. The details of what is appropriate vary widely depending on how a
server role is being used in a specific organization. The key is to ensure that a
server resource does not become a bottleneck. For example, a file server with ten
users may generate almost no disk I/O, while a file server with 500 users may
experience disk I/O as a bottleneck.
Some rules of thumb for combining server roles are listed here:
Avoid combining server roles that place a significant load on the same resource,
such as memory, disk I/O, the processor, or the network. For example, the
Streaming Media Services role can place a significant load on all server
resources and is not combined with other roles in most circumstances.
Avoid combining server roles with different security requirements, such as a
domain controller and an external-facing Web server.
The only way to accurately determine whether server roles can be combined is by
monitoring performance. Monitor the servers performing the role for a period of
time, and then determine whether combination will be a problem.
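To make the "monitor first, then decide" guidance concrete, here is an added Python example (not from the course) that adds time-aligned utilization samples for candidate roles and applies both rules of thumb above: shared-resource bottlenecks and mixed security requirements. The role names, hourly samples, thresholds and security-tier labels are constructed assumptions for illustration.

```python
"""Decide whether server roles can share one host from monitored utilization.

Added example, not part of course 6430B. Role names, hourly samples, thresholds
and security-tier labels are constructed assumptions; in practice the samples
come from Performance Monitor counters collected on the servers that currently
perform each role, expressed as a percentage of the proposed host's capacity.
"""
from collections import defaultdict

# Resources the course names as potential bottlenecks, with an assumed
# utilization (percent) above which the combined server counts as saturated.
THRESHOLDS = {"cpu": 80, "memory": 85, "disk_io": 75, "network": 70}

# Assumed security tier per role; roles with different requirements, such as a
# domain controller and an external-facing Web server, are not combined.
ROLE_TIER = {"file": "internal", "print": "internal", "dc": "internal",
             "web_external": "perimeter"}


def _series(rows):
    """Build time-aligned samples from (hour, cpu, memory, disk_io, network) tuples."""
    keys = ("hour", "cpu", "memory", "disk_io", "network")
    return [dict(zip(keys, row)) for row in rows]


# Constructed monitoring data: one sample per hour for each role.
SAMPLES = {
    "file":  _series([(8, 10, 30, 20, 15), (9, 25, 30, 55, 40),
                      (10, 30, 30, 60, 45), (11, 20, 30, 45, 30)]),
    "print": _series([(8, 5, 15, 10, 5), (9, 10, 15, 25, 10),
                      (10, 12, 15, 30, 12), (11, 8, 15, 20, 8)]),
    "dc":    _series([(8, 30, 35, 20, 25), (9, 15, 35, 10, 20),
                      (10, 10, 35, 5, 10), (11, 10, 35, 5, 10)]),
    "web_external": _series([(8, 20, 25, 10, 30), (9, 35, 25, 15, 50),
                             (10, 40, 25, 15, 60), (11, 30, 25, 10, 45)]),
}


def combined_peaks(roles, samples=SAMPLES):
    """Add the roles' utilization hour by hour, then take the peak per resource.

    Time alignment matters: two roles that peak at different hours do not
    produce the sum of their individual peaks on a shared server.
    """
    per_hour = defaultdict(lambda: defaultdict(int))  # hour -> resource -> percent
    for role in roles:
        for sample in samples[role]:
            for resource in THRESHOLDS:
                per_hour[sample["hour"]][resource] += sample[resource]
    return {r: max(hour[r] for hour in per_hour.values()) for r in THRESHOLDS}


def naive_peaks(roles, samples=SAMPLES):
    """Sum each role's own worst hour; overstates load when peaks do not coincide."""
    return {r: sum(max(s[r] for s in samples[role]) for role in roles)
            for r in THRESHOLDS}


def assess_combination(roles, samples=SAMPLES, tiers=ROLE_TIER, thresholds=THRESHOLDS):
    """Apply both rules of thumb: shared-resource bottlenecks and mixed security tiers."""
    peaks = combined_peaks(roles, samples)
    bottlenecks = sorted(r for r, load in peaks.items() if load > thresholds[r])
    security_conflict = len({tiers[role] for role in roles}) > 1
    return {
        "peaks": peaks,
        "bottlenecks": bottlenecks,
        "security_conflict": security_conflict,
        "combine": not bottlenecks and not security_conflict,
    }


if __name__ == "__main__":
    for candidate in (["file", "dc"], ["file", "print"], ["dc", "web_external"]):
        print("+".join(candidate), assess_combination(candidate))
```

With these constructed samples the file server and domain controller fit together because their disk peaks fall in different hours (the naive sum of peaks would have rejected the pair), while file plus print saturates disk I/O and the domain controller plus external Web server is rejected on security requirements alone.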
Key Points
The Microsoft Assessment and Planning Toolkit (MAP) is a solution accelerator
that is available for download from Microsoft at no charge. It performs hardware
inventory, compatibility analysis, and readiness reports. The tool makes it easy for
you to assess your current IT infrastructure and determine the right Microsoft
technologies for your IT needs.
The Windows Server 2008 Deployment scenarios for MAP are:
Windows Server 2008 Hardware Assessment. This scenario identifies which
servers are capable of running Windows Server 2008 and prescribes the
necessary hardware upgrades for those that are not. It also reports on the
availability of device drivers from Microsoft. Current roles and applications are
also identified.
Security Assessment. This scenario performs an inventory of network clients
and identifies security issues reported by Windows Security Center. It also
reports on Network Access Protection readiness.
When you install Windows Server 2008 in your organization, you need to
consider whether you will be upgrading existing servers or installing new
servers and migrating services and applications to the new servers. If you are
implementing BitLocker Drive Encryption, you need to ensure that the server is
properly configured to support it. You also need to consider driver compatibility
and application compatibility with Windows Server 2008.
Objectives
After completing this lesson, you will be able to:
Describe considerations for server upgrades.
Describe considerations for server migrations.
Describe the requirement for BitLocker.
Describe the considerations for device drivers.
Describe the considerations for application compatibility.
Key Points
Windows Server 2008 performs upgrades differently from previous versions of
Windows Server. When you perform an in-place upgrade to Windows Server 2008,
the new operating system is installed in parallel to the existing operating system.
Then, the existing operating system is parsed for recognized settings, which are
migrated into the new installation of Windows Server 2008.
After the upgrade to Windows Server 2008 is complete, it is not possible to roll
back to the original operating system. However, if an error occurs during the
upgrade, the operating system can be rolled back.
The main benefits of performing an upgrade are:
Preservation of existing operating system settings when recognized. Any
settings that are unrecognized will not be moved to the new installation.
Key Points
A migration occurs when you install Windows Server 2008 on new hardware and
then move the services, applications, and data from an existing server to the new
server. There is no downtime for services during the installation of Windows
Server 2008, but there may be downtime for services when they are being migrated
to the new server.
The main benefits of performing a migration are:
A clean installation of a new operating system is typically more reliable than an
upgrade of an existing operating system. Microsoft recommends using a clean
installation whenever possible.
The source server can be maintained for rollback even after the new server is
in place. If the new server is not performing properly after implementation,
you can go back to using the original server until the problem is resolved.
You can perform testing on the new server before putting it into production.
You can test applications and new configurations if required.
Key Points
BitLocker Drive Encryption is a feature in Windows Server 2008 that is used to
encrypt the boot volume of the server (the volume with the operating system).
Additional volumes, other than the system volume (the volume with ntldr), can
also be encrypted.
In addition to providing basic file security, BitLocker ensures the integrity of the
operating system. The operating system files on the boot volume are protected
because they are encrypted when the server is not running. The files on the system
partition are protected because a hash value is stored to ensure that there have
been no unauthorized modifications. This hash value is verified during startup.
Key Points
Whenever you update an existing server to a new operating system, you must
ensure that device drivers are available for the new operating system to support the
existing hardware. Before performing an upgrade, you should check with your
hardware manufacturer to obtain drivers that are certified for Windows Server
2008. However, in many cases, a driver that worked in Windows Server 2003 will
also work for Windows Server 2008.
Many organizations are implementing 64-bit versions of Windows Server 2008 to
obtain the benefits of greater memory capacity. When you install a 64-bit operating
system, you must have 64-bit device drivers for your hardware. In some cases,
64-bit device drivers will not be available for older hardware.
Key Points
Many applications that were designed to run on Windows Server 2003 are capable
of running on Windows Server 2008. However, the User Account Control (UAC)
feature in Windows Server 2008 may prevent some applications from running
properly. Before you implement a new application server, check with the
application vendor to ensure that it is supported on Windows Server 2008.
Windows Server 2008 stores some data in a different location than Windows
Server 2003. Windows Server 2008 has directory junctions at the old directory
names that redirect file requests to the new directory locations. For example,
C:\Documents and Settings is now a junction point that points to C:\Users.
Junction points work for most applications but not all, so ensure that your
application functions properly before beginning an upgrade or migration.
Key Points
An automated deployment is an installation in which user input is limited or not
required during the installation of Windows Server 2008. An automated
deployment can be performed in several different ways. The method you select will
be based on your needs and your existing infrastructure. Methods available for
automated deployment include answer files, Windows Deployment Services, and
the Microsoft Deployment Toolkit.
The main benefits of automated deployment are:
Consistent configuration. When the deployment process is automated, you
know that the operating system on each new server is configured in exactly the
same way. This helps avoid configuration problems and is very useful for
larger organizations with multiple servers.
Faster deployment. After the deployment process has been developed, it is
very fast to deploy new servers. The time required varies depending on the
deployment process, but in some cases, deployment may take only 15
minutes.
Key Points
The Windows Automated Installation Kit (WAIK) includes a number of tools to
simplify the deployment of Windows Vista SP1 and Windows Server 2008 through
automation. The two main tools included with WAIK are:
Windows System Image Manager (WSIM). This tool is used to create answer
files that are used to perform unattended installations. The answer file
contains instructions used during the installation process. Any information
that is normally provided interactively during the installation can be placed in
the answer file instead.
ImageX. This tool is used to perform imaging of the operating system. After an
initial installation is performed, the operating system is configured as you
would like it with appropriate applications and updates. Then you use sysprep
to generalize the operating system before using ImageX to create an image of
the operating system. To save disk space, the Windows Imaging (WIM) images
created by ImageX can contain multiple images, and files that are common
between the images are only stored once in the WIM file. Images can also be
mounted and modified offline.
High-level steps:
1. Open Windows System Image Manager.
2. Select a catalog file.
3. Create a new answer file.
4. Add the desired settings to the answer file.
5. Save the answer file.
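Because anything normally typed during Setup, including the local Administrator password, can be placed in the answer file, the file itself becomes a secret that is often left on deployment shares. As an added example (not part of the course materials), the following Python script audits an answer file of the kind Windows System Image Manager produces and reports every credential element it finds; the sample unattend.xml and its values are constructed, while the namespace and component names are the ones Windows SIM writes.

```python
"""Audit a Windows Setup answer file (unattend.xml) for embedded credentials.

Added example, not part of course 6430B. The sample answer file and its
values are constructed; the urn:schemas-microsoft-com:unattend namespace and
the Microsoft-Windows-Shell-Setup component are the real names Windows SIM writes.
"""
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Element names under which Windows Setup stores credential values.
CREDENTIAL_ELEMENTS = {"AdministratorPassword", "Password"}

# Constructed sample answer file: a computer name in the specialize pass, plus a
# local Administrator password and an auto-logon account in the oobeSystem pass.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>ARCHIVE-FS01</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>UABsAGEAYwBlAGgAbwBsAGQAZQByAA==</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value>placeholder-password</Value>
          <PlainText>true</PlainText>
        </Password>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local_name(tag):
    """Strip the namespace from an ElementTree tag such as '{urn:...}Value'."""
    return tag.rsplit("}", 1)[-1]


def find_credentials(xml_text):
    """Return one finding per credential element that carries a value.

    Each finding records the configuration pass, the component, the element
    name and whether the file declares the value as plain text. PlainText=false
    only means Setup expects a Base64-encoded value; that is an encoding, not
    encryption, so the file must still be handled as a secret.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for settings in root.findall("u:settings", NS):
        pass_name = settings.get("pass", "?")
        for component in settings.findall("u:component", NS):
            for elem in component.iter():
                if _local_name(elem.tag) not in CREDENTIAL_ELEMENTS:
                    continue
                value = elem.findtext("u:Value", default="", namespaces=NS).strip()
                if not value:
                    continue  # an empty element configures nothing
                declared = elem.findtext("u:PlainText", default=None, namespaces=NS)
                findings.append({
                    "pass": pass_name,
                    "component": component.get("name", "?"),
                    "element": _local_name(elem.tag),
                    # True / False when declared, None when the file omits PlainText
                    "plaintext": None if declared is None else declared.strip().lower() == "true",
                })
    return findings


def remediation(findings):
    """Turn findings into reviewer-style lines for the deployment share owner."""
    lines = []
    for f in findings:
        how = {True: "in plain text", False: "Base64-encoded (not encrypted)"}.get(
            f["plaintext"], "with no PlainText flag")
        lines.append(f"{f['pass']}/{f['component']}: {f['element']} is stored {how}; "
                     "remove it or restrict who can read the answer file and its share.")
    return lines


if __name__ == "__main__":
    for line in remediation(find_credentials(SAMPLE_UNATTEND)):
        print(line)
```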
Key Points
Windows Deployment Services (WDS) is a Windows Server 2008 tool that is used
to automate the deployment of Windows operating systems. Deployment can be
done with image files or by using an unattended installation.
When using WDS, keep the following considerations in mind:
By using WDS, you gain centralized administration over operating system
installations. You can trigger imaging operations from a single central location
rather than at each computer. When a large number of servers or client
computers are being installed, WDS helps simplify the process.
In most cases, you will use the Preboot Execution Environment (PXE) to connect
the computers with the WDS server. This requires that your computers
support PXE booting. PXE booting is a common feature in current computers,
but it must be enabled in the BIOS. DHCP is used during the PXE boot
process and must be properly configured.
Key Points
Microsoft Deployment Toolkit (MDT) provides technology for deploying Windows
operating systems, the 2007 Microsoft Office system, and Microsoft Office 2003.
Microsoft Deployment is the next version of Business Desktop Deployment (BDD)
2007. However, the larger focus of Microsoft Deployment is on methodology and
best practices. By following the guidance in Microsoft Deployment, teams are
putting into action proven best practices that Microsoft uses in its own
development projects and that are based on the Microsoft Solutions Framework
(MSF).
MDT shows you how to use the new deployment tools together as part of an end-
to-end deployment process. MDT also provides tools and scripts to increase
automation and lower costs, as well as leveraging and enhancing other Microsoft
tools and products.
A. Datum Corporation has a single head office with a single datacenter that hosts
all servers. The servers in the datacenter are running a mix of Windows 2000
Server, Windows Server 2003, and Windows Server 2003 R2. The organization has
entered into a new volume licensing agreement with Microsoft that allows all
servers to be updated to Windows Server 2008.
The best way to approach this project is to generate a list of relevant criteria for the
decision-making process. Then you can arrange them into a flowchart that
represents the decision-making process.
In some cases, we'll have new hardware. In some cases, we won't have new
hardware. Your flowchart will need to take into account both situations.
Regards,
Sara.
Results: After this exercise, you should have created flowcharts to help to determine
how to upgrade or migrate an existing server to Windows Server 2008.
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the more efficient file-sharing protocols in Windows Server 2008.
The archive file server is used to store older data that is accessed only occasionally.
Extended outages are possible with notification.
It is used only as a file server. It has no other functions.
The hardware is relatively new, and no new hardware has been allocated for this server.
Additional Information
This server is currently running a 32-bit version of Windows Server 2003 R2.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the more efficient file-sharing protocols in Windows Server 2008.
The main file server is mission critical and cannot be taken out of production during
business hours. Downtime must be limited to less than one day.
It is used only as a file server. It has no other functions.
This server should support cross-file replication for DFS. This may be implemented in
the future to support remote offices, and the cross-file replication will reduce
synchronization traffic on the WAN.
Data for this file server is stored on a Fibre Channel Storage Area Network (SAN).
New hardware has been allocated for this server if required.
Additional Information
Clients access this file server through mapped drive letters that are created by a logon
script.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize the
server operating systems.
The antivirus server can experience an outage of 24 hours without impacting clients.
New hardware has been allocated for this server.
Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments and
is not supported in 64-bit environments.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the performance improvements in IIS 7.
The existing server is consistently short on memory, and a new server with 8 GB of
memory has been allocated to address this.
The application data is also stored on this server and must be taken into account.
There can be no downtime during business hours.
The new server should support failover clustering, as it is being considered for the
future.
Additional Information
None
Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?
Results: After this exercise, you should have created a deployment plan for the archive
file server, the main file servers, the antivirus server, and the human resources
application server.
Review Questions
1. Why is change management important when deploying Windows Server
2008?
2. When selecting a version of Windows Server 2008, which factors should you
take into account?
3. You are deploying Windows Server 2008 on ten servers in three locations. To
simplify documentation and management, you would like all ten servers to
have the same configuration. How does automating server deployment help to
ensure that the configuration is the same for all ten servers?
Tools
Key Points
A subnet is a network's physical segment, which a router or routers separate from
the rest of the network. When your Internet service provider (ISP) assigns your
network a Class A, B, or C address range, you often must subdivide the range to
match your network's physical layout. You subdivide a large network into logical
subnets.
When you subdivide a network into subnets, you create a unique ID for each
subnet, which you derive from the main network ID. To create subnets, you must
allocate some of the bits in the host ID to the network ID, which enables you to
create more networks.
Planning Network Infrastructure for Windows Server 2008 2-5
Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1-127         255.0.0.0             126                  16,777,214
A subnet mask specifies which part of an IPv4 address is the network ID and
which is the host ID. A subnet mask has four octets, similar to an IPv4 address.
In simple IPv4 networks, the subnet mask defines full octets as part of the network
ID and host ID. A 255 represents an octet that is part of the network ID, and a 0
represents an octet that is part of the host ID.
In complex networks, you might subdivide one octet with some bits that are for
the network ID and some for the host ID. Classless addressing, or Classless
Inter-Domain Routing (CIDR), is when you use more or less than a whole octet for
subnetting. This type of subnetting uses a different notation, which the following
example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4
addressing:
172.16.16.1/20
The /20 represents how many bits of the mask identify the network (the prefix
length), and this notation is used for Variable Length Subnet Masking (VLSM).
Class   Private address block   Address range
A       10.0.0.0/8              10.0.0.0-10.255.255.255
B       172.16.0.0/12           172.16.0.0-172.31.255.255
C       192.168.0.0/16          192.168.0.0-192.168.255.255
Additional Reading
For more information see Address Allocation for Private Internets:
http://go.microsoft.com/fwlink/?LinkID=163880&clcid=0x409
Key Points
In order to select an appropriate addressing scheme for your organization, you
must:
Choose whether to use public or private IPv4 addresses.
Calculate the number of subnets required. You can calculate the number of
subnet bits by determining how many you need in your network. Use the
formula 2^n, where n is the number of bits. The result must be at least the
number of subnets that your network requires.
Calculate the number of hosts in each subnet. You can calculate the number of
host bits required by using the formula 2^n-2, where n is the number of bits.
Select an appropriate subnet mask(s).
Key Points
Question: Analysis of the network traffic at the existing head office shows that the
maximum number of hosts per subnet should be around 100. How many subnets
are required, and assuming a network address for the whole site of 172.16.0.0,
what mask should you use to ensure sufficient support for the required subnets?
Question: How many hosts can you have in each subnet based on your selected
mask?
Question: Assuming you implement the mask you determined for each subnet,
what would the first subnet address be?
Question: What are the first and last host addresses for the first subnet?
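The mask calculation described above (2^n subnet bits, 2^n - 2 usable hosts per subnet, then the subnet and host ranges) carried out for any base block, as an added example; this is not code from the course. The block, subnet count, host count and growth allowance passed in are constructed inputs, and the function refuses a requirement the block cannot satisfy rather than silently returning too few subnets.

```python
import ipaddress
import itertools
import math


def host_bits_for(hosts):
    """Smallest n such that 2**n - 2 >= hosts (network and broadcast addresses are unusable)."""
    n = 2
    while 2 ** n - 2 < hosts:
        n += 1
    return n


def plan_subnets(block, subnets_needed, hosts_needed, growth=0.0, show=4):
    """Choose one subnet mask for a site and list the first few subnets it produces.

    block          -- the site's address block, e.g. "172.16.0.0/16" (constructed input)
    subnets_needed -- how many subnets the site requires
    hosts_needed   -- maximum hosts per subnet, before growth
    growth         -- fractional growth allowance, e.g. 0.25 for 25 percent
    Raises ValueError when the block cannot satisfy both requirements at once.
    """
    net = ipaddress.ip_network(block)
    hosts = math.ceil(hosts_needed * (1 + growth))
    host_bits = host_bits_for(hosts)
    prefix = 32 - host_bits                  # network bits in the chosen mask
    subnet_bits = prefix - net.prefixlen     # bits borrowed from the host ID
    if subnet_bits < 0 or 2 ** subnet_bits < subnets_needed:
        raise ValueError(
            f"{block} cannot hold {subnets_needed} subnets of {hosts} hosts: "
            f"a /{prefix} mask gives only {2 ** max(subnet_bits, 0)} subnets"
        )
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    subnets = []
    for sub in itertools.islice(net.subnets(new_prefix=prefix), show):
        subnets.append({
            "subnet": str(sub),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
        })
    return {
        "prefix": prefix,
        "mask": str(mask),
        "hosts_per_subnet": 2 ** host_bits - 2,
        "subnets_available": 2 ** subnet_bits,
        "subnets": subnets,
    }


if __name__ == "__main__":
    # Constructed scenario: a /16 site that needs 20 subnets of about 100 hosts, with 25 percent growth.
    plan = plan_subnets("172.16.0.0/16", subnets_needed=20, hosts_needed=100, growth=0.25)
    print(f"Use /{plan['prefix']} ({plan['mask']}): {plan['subnets_available']} subnets, "
          f"{plan['hosts_per_subnet']} hosts each")
    for entry in plan["subnets"]:
        print(f"  {entry['subnet']:<18} hosts {entry['first_host']} - {entry['last_host']}")
```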
Key Points
You can configure static IPv4 configuration manually for each of your network's
computers. IPv4 configuration includes:
IPv4 address
Subnet mask
Default gateway
DNS server
Static configuration requires that you visit each computer and input the IPv4
configuration. This method of computer management becomes very time-
consuming if your network has more than 20 users. Additionally, making a large
number of manual configurations increases the risk that mistakes will occur.
Key Points
Deploy an additional DHCP server in the adatum.com domain.
Authorize the server in Active Directory.
Create the necessary scopes to support the 80/20 rule for two subnets.
High-level steps:
Deploy the DHCP server role on the SEA-SVR1 server.
Create an IPv4 scope on SEA-SVR1 that provides 80 percent of the IPv4
addresses for subnet 1; the remainder is excluded from allocation.
Create a second IPv4 scope that provides 20 percent of the IPv4 addresses for
subnet 2; the remainder is excluded from allocation.
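How the 80/20 split in the lab above works out in addresses, as an added example that is not part of the course: each server gets a scope for the whole subnet and excludes the portion the other server leases, so the two servers never hand out the same address. The two subnets are constructed, and the name of the existing DHCP server (SEA-DC1 here) is an assumption.

```python
import ipaddress


def split_scope(subnet, primary, secondary, primary_share=0.80):
    """Split one subnet's usable addresses between two DHCP servers.

    Both servers get a scope covering the whole subnet; each excludes the
    range the other server hands out, so no address can be leased twice.
    """
    net = ipaddress.ip_network(subnet)
    first = net.network_address + 1          # first usable host address
    last = net.broadcast_address - 1         # last usable host address
    usable = int(last) - int(first) + 1
    boundary = first + int(usable * primary_share)   # first address owned by the secondary
    return {
        subnet: {
            primary: {"serves": (str(first), str(boundary - 1)),
                      "excludes": (str(boundary), str(last))},
            secondary: {"serves": (str(boundary), str(last)),
                        "excludes": (str(first), str(boundary - 1))},
        }
    }


def plan_80_20(subnet1, subnet2, server_a, server_b):
    """server_a is primary (80 percent) on subnet1 and secondary (20 percent) on subnet2."""
    plan = {}
    plan.update(split_scope(subnet1, server_a, server_b))
    plan.update(split_scope(subnet2, server_b, server_a))
    return plan


if __name__ == "__main__":
    # Constructed subnets; SEA-SVR1 is the lab's additional server, SEA-DC1 an assumed existing one.
    plan = plan_80_20("10.10.32.0/24", "10.10.33.0/24", "SEA-SVR1", "SEA-DC1")
    for subnet, servers in plan.items():
        print(subnet)
        for server, ranges in servers.items():
            print(f"  {server}: leases {ranges['serves'][0]}-{ranges['serves'][1]}, "
                  f"excludes {ranges['excludes'][0]}-{ranges['excludes'][1]}")
```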
Name resolution provides the foundation for many network services. The Domain
Name System (DNS) has been widely adopted as the standard for name resolution
in IP networks. To ensure that network services can function optimally, you must
plan your DNS implementation carefully.
Objectives
After completing this lesson, you will be able to:
Describe the name resolution process.
Plan your DNS name space.
Plan DNS zones.
Describe DNS forwarding and when to use forwarding.
List the considerations for deploying the DNS role.
Deploy the DNS server role.
Key Points
When DNS names are resolved on the Internet, an entire system of computers is
used rather than just a single server. There are 13 root servers on the Internet that
are responsible for managing the overall structure of DNS resolution.
For example, the name resolution process for the name www.microsoft.com is:
A workstation queries the local DNS server for the IP address of
www.microsoft.com.
If the local DNS server does not have the information, then it queries a root
DNS server for the location of the .com DNS servers.
The local DNS server queries a .com DNS server for the location of the
Microsoft.com DNS servers.
The local DNS server queries the Microsoft.com DNS server for the IP address
of www.microsoft.com.
The IP address of www.microsoft.com is returned to the workstation.
Key Points
When you begin planning your DNS name space, you must consider both the
internal name space as well as the external name space. There is no requirement
for you to implement the same DNS domain name internally that you have
externally. When implementing a domain name for your internal DNS name space,
there are three possible strategies:
Select a matching domain name internally, for example adatum.com. This
provides simplicity, which is why it is often a suitable choice for smaller
organizations.
Choose a different domain name, for example adatum.priv. This provides for
obvious separation in the name space. In complex networks with many
Internet-facing applications, use of a different name introduces some clarity
when configuring these applications. For example, edge servers, placed in your
perimeter network, often require multiple network interface cards, one
connected to the private network, and one servicing requests from the public
network. If they each have different domain names, it is often easier to
complete the configuration of that server.
Key Points
In essence, a zone is a database that stores the information about a part of the DNS
name space. Often, the zone maps on a one-to-one basis with the DNS domains. If
you create a subdomain, for example south.adatum.com, then you must consider
how to implement the domain name into your DNS infrastructure.
There are essentially two approaches:
You can create a new zone for the new DNS domain name. This zone will have
its own DNS name servers, and you must configure a relationship between the
new child DNS domain name and its parent, adatum.com.
The alternative method is to create a subdomain in the existing adatum.com
zone. In this scenario, no name servers exist within the south.adatum.com
child domain; rather, the DNS servers in the parent domain, adatum.com,
service name query requests for hosts assigned a south.adatum.com DNS
name.
Best Practice
Use Active Directory integrated zones to simplify zone transfers.
Key Points
A forwarder is a network DNS server that forwards DNS queries for external DNS
names to DNS servers outside that network. You also can use conditional
forwarders to forward queries according to specific domain names.
A network DNS server is designated a forwarder when other DNS servers in the
network forward to it the queries that they cannot resolve locally. By using a
forwarder, you can manage name resolution for names outside your network, such
as names on the Internet, and improve the efficiency of name resolution for your
network's computers.
The server that is forwarding requests in the network must be able to communicate
with the DNS server located on the Internet. This means either you configure it to
forward requests to another DNS server or it uses root hints to communicate.
Key Points
When planning to deploy DNS, there are several considerations that you must
review. These considerations include:
How many DNS zones will you configure on the server?
How many DNS records will each zone contain?
How many DNS clients will be communicating with the server on which you
configure the DNS role?
Where will you place DNS servers?
Will you place the servers centrally or does it make more sense to locate DNS
servers in branch offices?
Storage Method      Description
Text File           The DNS server role stores the DNS entries in a text file, which you
                    can edit with a text editor.
Active Directory    The DNS server role stores the DNS entries in the Active Directory
                    database; this database can be replicated to other domain
                    controllers, even if they do not run the Windows Server 2008 DNS
                    role. You cannot use a text editor to edit DNS data that Active
                    Directory stores.
Active Directory integrated zones are easier to manage than traditional text-based
zones, and are more secure. The replication of zone data occurs as part of Active
Directory replication.
Key Points
Deploy an additional DNS server in the adatum.com domain.
Configure delegation for a subdomain.
Configure a DNS zone on the new server.
High-level steps:
1. Deploy the DNS server role to the SEA-SVR1 server.
2. On SEA-DC1, create a DNS delegation for the south.adatum.com subdomain.
3. Reconfigure the DNS suffix of the SEA-SVR1 server to south.adatum.com.
4. On SEA-SVR1, create the south.adatum.com zone.
Key Points
WINS resolves NetBIOS names to IP addresses, which can reduce NetBIOS
broadcast traffic and enable clients to resolve the NetBIOS names of computers
that are on different network segments (subnets).
There are several reasons WINS remains necessary on many networks. The main
reason is because some applications still use NetBIOS to provide functionality to
users.
WINS is required for the following reasons:
Older versions of Microsoft operating systems rely on WINS for name
resolution.
Some applications, typically older ones, rely on NetBIOS names.
You may need dynamic registration of single-label names.
You must deploy the WINS feature before a computer running Windows Server
2008 can become a WINS server. It is recommended that you configure a WINS
server with a static IP address because client computers contact the WINS server
by using an IP address.
Note: WINS is an IPv4-only service, and it will not work in an IPv6 environment.
Key Points
The complete Windows Server 2008 WINS system includes the following
components:
WINS server. This computer processes name registration requests from WINS
clients, registers client names and IP addresses, and responds to NetBIOS
name queries that clients submit. The WINS server then returns the IP address
of a queried name if the name is listed in the server database.
WINS database. This database stores and replicates the NetBIOS name-to-IP
address mappings for a network.
WINS clients. These computers are configured to query a WINS server
directly. WINS clients dynamically register their NetBIOS names with a WINS
server.
When you configure multiple WINS servers, it is important that you configure
replication between them. This ensures that the integrity of the NetBIOS names
database is maintained. WINS servers that are replication partners can implement
replication in one of three ways:
Push replication. With push replication, after a threshold of changes has
occurred, the WINS server pushes the changes to its replication partners. You
can configure the threshold value.
Pull replication. With pull replication, a WINS server periodically pulls
changes down from its replication partners. You can configure the interval
value.
Push/Pull replication. Both push and pull replication is configured between
replication partners.
Key Points
Deploy the WINS feature to the SEA-DC1 computer.
Use the NBTSTAT utility to register records.
Examine records with the WINS management console.
High-level steps:
1. Deploy the WINS server feature on the SEA-DC1 server.
2. Reconfigure the network settings on SEA-DC1 to use WINS for name
resolution.
3. Register NetBIOS records with the WINS server and examine these records.
Question: What NetBIOS records does a typical Windows computer register with
its WINS server?
Key Points
The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ
provides single-label name resolution for large enterprise networks that do not
deploy WINS. Some networks may require the ability to have static, global records
with single-label names that WINS currently provides. These single-label names
refer to well-known and widely used servers with statically assigned IP addresses. A
GNZ is manually created and is not available for dynamic registration of records.
GNZ is intended to help customers migrate to DNS for all name resolution; the
DNS Server role in Windows Server 2008 supports the GNZ feature.
GNZ is intended to assist in the migration from WINS; however, it is not a
replacement for WINS. GNZ is not intended to support the single-label name
resolution of records that are registered in WINS dynamically and that typically
are not managed by IT administrators. Support for these dynamically registered
records is not scalable, especially for larger customers with multiple domains
and/or forests.
Best Practice
If your organization relies heavily on NetBIOS applications, continue to use WINS.
If you plan to migrate from WINS to DNS, implement WINS integration on your
DNS zones. When you have decommissioned most of your NetBIOS applications,
or only have a few NetBIOS applications, use the GNZ to manage static, single-
label names.
Key Points
Enable and configure the GlobalNames zone for the adatum.com forest.
Configure WINS-lookup on the adatum.com zone.
Compare WINS-lookup with the GNZ.
High-level steps:
1. On SEA-DC1, enable support for the GlobalNames zone.
2. Configure DNS/WINS integration on the adatum.com DNS zone.
Key Points
There are a number of different ways that you can configure your perimeter
network, and these include:
Three-legged firewall. A single device or computer with multiple network
interface cards, one of which is Internet facing, another of which is connected
to the perimeter network, and the remaining card being connected to the
intranet. Software installed on the host is used to create the separation
between the networks. The separation is achieved through filtering on the
firewall device so that only specified traffic is passed between the interfaces
designated as public, private, and perimeter. This solution works well for
smaller networks; however, because the firewall device is connected directly to
all three networks, security is compromised compared with other solutions.
Best Practice
Only deploy services that you specifically need in your perimeter network, and
always publish services where possible, rather than physically deploy servers to the
perimeter.
Key Points
It is rare for an organization to operate without the need to connect its network
infrastructure to the Internet. At the very least, most organizations use e-mail
applications to conduct some elements of their core business.
Conduct an audit of the network services that you have within your organization
and determine which services must be available to users from the Internet. Then
consider how you want to make those services available. For example, if users
require access to their e-mail while they work away from their office, consider the
use of Web-based e-mail solutions because these are often easier to make securely
available.
Note: Applications can be configured to use specific Transmission Control Protocol (TCP)
ports; indeed, many applications are configurable to use only Hypertext Transfer
Protocol (HTTP) or HTTP Secure (HTTPS). This means that you can configure the Internet-
facing firewall to allow only TCP port 80/443 inbound.
IPv6 is a critical technology that will help ensure that the Internet can support a
growing user base and the increasingly large number of IP-enabled devices. The
current IPv4 has served as the underlying Internet protocol for almost 30 years. Its
robustness, scalability, and limited feature set are now challenged by the growing
need for new IP addresses, due in large part to the rapid growth of new
network-aware devices. IPv6 slowly is becoming more common. While adoption may be
slow, it is important to understand how this technology will affect current
networks and how to integrate IPv6 into those networks.
Objectives
After completing this lesson, you will be able to:
Describe the benefits of IPv6 over IPv4.
Describe IPv6 addressing.
Describe the IPv6 transition technologies.
Key Points
Support for IPv6, a new suite of standard protocols for the Internet's Network
layer, is built into Windows Server 2008.
The IPv6 protocol provides the following benefits:
Large address space. A 32-bit address space allows for 2^32 or 4,294,967,296
possible addresses. A 128-bit address space allows for 2^128 or
340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.
Hierarchical addressing and routing infrastructure. The IPv6 address space
is designed to be more efficient for routers, which means that even though
there are many more addresses, routers can process data much more efficiently
because of address optimization.
Key Points
The most obvious distinguishing feature of IPv6 is its use of much larger addresses.
IPv4 IP addresses are expressed in four groups of decimal numbers, such as
192.168.1.1.
Each grouping of numbers represents a binary octet. In binary, the preceding
number is:
11000000.10101000.00000001.00000001 (4 octets = 32 Bits)
The size of an address in IPv6 is 128 bits, which is four times larger than an IPv4
address. IPv6 addresses also are expressed as hexadecimal addresses in their
readable format. For example, 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.
This may seem counterintuitive for end users. However, the assumption is that
average users will rely on DNS names to resolve hosts and rarely will type IPv6
addresses manually. The IPv6 address in hex also is easier to convert to binary and
vice versa. This simplifies working with subnets, and calculating hosts and
networks.
Examples
The following example shows one 16-bit portion of a 128-bit IPv6 address, written
as four groups of 4 bits:
[0010][1111][0011][1011]
The following example is a single IPv6 address in binary form. Note that the binary
representation of the IP address is quite long. The following two lines of binary
numbers are one IP address:
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
Binary Hexadecimal
[0010][0000][0000][0001] [2][0][0][1]
[0000][1101][1011][1000] [0][D][B][8]
[0000][0000][0000][0000] [0][0][0][0]
[0010][1111][0011][1011] [2][F][3][B]
[0000][0010][1010][1010] [0][2][A][A]
[0000][0000][1111][1111] [0][0][F][F]
[1111][1110][0010][1000] [F][E][2][8]
[1001][1100][0101][1010] [9][C][5][A]
Each 16-bit block expressed as four hex characters then is delimited with colons.
The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify IPv6 representation further by removing the leading zeros within
each 16-bit block. However, each block must have at least a single digit. With
leading zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
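The conversion walked through above (16-bit blocks, four hex digits per block, then leading-zero suppression) as a small script, added here as an example and not part of the course material. The binary input is constructed from the eight blocks in the table above, and the standard library is used to confirm that the long and short spellings name the same address.

```python
import ipaddress

# Constructed input: the eight 16-bit blocks from the binary/hexadecimal table,
# joined into the 128-bit binary string the text shows.
BINARY_ADDRESS = "".join([
    "0010000000000001",  # 2001
    "0000110110111000",  # 0DB8
    "0000000000000000",  # 0000
    "0010111100111011",  # 2F3B
    "0000001010101010",  # 02AA
    "0000000011111111",  # 00FF
    "1111111000101000",  # FE28
    "1001110001011010",  # 9C5A
])


def binary_to_blocks(bits):
    """Split 128 binary digits into eight 16-bit blocks."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [bits[i:i + 16] for i in range(0, 128, 16)]


def block_to_hex(block):
    """One 16-bit block becomes four uppercase hex digits (4 bits per digit)."""
    return f"{int(block, 2):04X}"


def full_form(bits):
    """Colon-delimited address with every block written as four hex digits."""
    return ":".join(block_to_hex(b) for b in binary_to_blocks(bits))


def suppress_leading_zeros(address):
    """Remove leading zeros within each block, keeping at least one digit per block."""
    return ":".join(block.lstrip("0") or "0" for block in address.split(":"))


def hex_to_binary(address):
    """Reverse direction: expand any textual IPv6 address back to 128 binary digits."""
    return "".join(f"{byte:08b}" for byte in ipaddress.IPv6Address(address).packed)


if __name__ == "__main__":
    full = full_form(BINARY_ADDRESS)
    short = suppress_leading_zeros(full)
    print(full)   # 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
    print(short)  # 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
    # Both spellings parse to the same address, and the short form converts back to the input bits.
    assert ipaddress.IPv6Address(full) == ipaddress.IPv6Address(short)
    assert hex_to_binary(short) == BINARY_ADDRESS
```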
Key Points
The migration from IPv4 to IPv6 is expected to take considerable time. This was
taken into consideration when designing IPv6 and as a result, the transition plan
for IPv6 is a multistep process that allows for extended coexistence. To achieve the
goal of a pure IPv6 environment, use the following general guidelines:
Upgrade your applications to be independent of IPv6 or IPv4. Applications
must be changed to use new Windows Sockets application programming
interfaces (APIs) so that name resolution, socket creation, and other functions
are independent regardless of whether you are using IPv4 or IPv6.
Update the DNS infrastructure to support IPv6 address (AAAA) and pointer
(PTR) records. You may have to upgrade the DNS infrastructure to support the
new AAAA records (required) and PTR records in the IP6.ARPA reverse
domain (optional). Additionally, ensure that the DNS servers support DNS
dynamic update for AAAA records so that IPv6 hosts can register their names
and IPv6 addresses automatically.
Adatum has created a new regional sales force. As a result, branch offices are being
fitted out to support the various regional sales teams. You are responsible for
planning the network infrastructure for these new branch offices. Joe Healy, the
national Sales Manager, has been communicating with you about his specific
requirements for the regional office. In addition, Alan Steiner, a colleague in IT, has
visited some of the branch offices.
Requirements Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales
offices, shown in the exhibit.
The block address 10.10.32.0/21 has been reserved for this region.
You must devise a scheme that supports the required number of subnets and the
required number of hosts, and that provides for 25% growth of hosts in each branch.
For each branch, provide the subnet addresses you plan to use, together with the
start and end IP addresses for each subnet.
Additional Information
You do not need to concern yourself with the IP addressing for the corporate side
of the router at each branch.
Proposals
1. How many subnets do you envisage requiring for this region?
Results: After this exercise, you should have a completed IP addressing plan for the
western region branch offices.
Greg,
Answers in line below,
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 24 July 2009 13:30
To: Alan@adatum.com
Subject: Branch office network services
Alan,
OK, I have worked out an IP addressing scheme for the branches. Next I need to
think about the infrastructure. Could you answer the following questions?
1. How are IP addresses to be assigned for this region?
[Alan] By DHCP
2. Is there anything I should know about the DNS name space for the sales offices?
[Alan] The sales computers will be in their own DNS name space,
sales.adatum.com
3. I have a vague recollection that one of the line-of-business applications that sales
uses requires NetBIOS. Is that right?
[Alan] You're right, Greg, they need NetBIOS name resolution in sales.
Thanks,
Greg
Requirements Overview
Specify which network services are required in each sales office, and any changes
that might be required in the head office to facilitate your proposals.
Additional Information
It is important that any router, server, or communications link failure does not
adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?
4. To support the DNS name space in the sales division, how would you propose
to configure DNS?
6. If so, how many WINS servers will you require for the region?
Results: After this exercise, you should have a completed plan for the deployment of
network services in the western regional branch offices.
Note: You might need to wait a few moments before you see the WINS record. Press
Refresh if needed.
Results: After this exercise, you should have successfully deployed branch office
network services.
Review Questions
1. What is the host range of addresses in the 172.16.16.0/21 subnet?
2. You intend to deploy the DHCP server role where necessary throughout your
routed network. What considerations should you bear in mind?
5. When planning WINS, how many servers should you consider deploying?
MCT USE ONLY. STUDENT USE PROHIBITED
Planning for Active Directory 3-1
It is important that before you commence the deployment of Active Directory and
related services, you consider the overall design of the Active Directory topology in
terms of forests, trees, and domains; the site and subnet topology; and the
organizational unit and administrative structure.
Objectives
After completing this lesson, you will be able to:
Describe important Active Directory terminology.
Determine how many Active Directory forests to deploy.
Determine when to implement a design that incorporates multiple domains.
Determine how many Active Directory trees to implement in your forest.
Describe a trust relationship.
Select a suitable Active Directory topology.
Key Points
Active Directory is a distributed database that provides a logical grouping of
objects, such as users, computers, and groups. Active Directory is managed
centrally by Windows Server 2008 servers deployed with the AD DS role. These
servers are known as domain controllers. In order to plan and deploy Active
Directory, you must understand the components that combine to create an Active
Directory infrastructure.
What Is a Forest?
In AD DS, a forest is the highest level of the logical structure hierarchy. An
Active Directory forest represents a single self-contained directory. A forest is a
security boundary, which means that administrators in a forest have complete
control over all access to information that is stored inside the forest and to the
domain controllers that are used to implement the forest.
Domain controllers in a forest share a common schema, a common global catalog,
and a common forest-root domain.
What Is a Tree?
If your Active Directory consists of more than one domain, you must define the
relationship between the domains. If the domains share a common root and a
contiguous namespace, then they are logically part of the same Active Directory
tree. A tree serves no administrative purpose; that is, there is no tree administrator
as there is a forest or domain administrator. A tree provides a logical, hierarchical
grouping of domains that have parent/child relationships defined through their
names. Your Active Directory tree maps to your DNS namespace.
What Is a Domain?
A domain is an administrative boundary. All domains host an Administrator user
account that has full administrative capabilities over all objects within the domain.
Although the administrator can delegate administration on objects within the
domain, the account retains full administrative control of all objects within the
domain.
In earlier versions of Windows Server, domains were considered to provide
complete administrative separation; indeed, one of the fundamental reasons for
selecting a multidomain topology was to provide for this separation. However, in
Active Directory, the administrator account in the forest root domain also has full
administrative control to all objects in the forest, rendering this domain-level
administrative separation invalid.
What Is a Site?
A site is a logical representation of a geographical area in your network. A site
represents a high-speed network boundary for your Active Directory computers;
that is, computers that can communicate with high speed and low latency can be
grouped into a site; domain controllers within a site replicate Active Directory data
in an optimized way for this environment; this replication configuration is largely
automatic.
Key Points
To create a forest design, first identify the business requirements that an
organization's directory structure needs to accommodate. This involves
determining how much autonomy the groups in the organization need to manage
their network resources, and whether each group needs to isolate their resources
on the network from other groups.
After identifying business requirements, you can determine the number of forests
needed. To determine this number, you must carefully identify and evaluate the
isolation and autonomy requirements for each group in the organization and map
those requirements to the appropriate forest design models.
Additional Reading
Download the Infrastructure Planning and Design Guide Series:
http://go.microsoft.com/fwlink/?LinkID=163879&clcid=0x409.
Key Points
Domains partition the information that is stored inside the directory into smaller
portions so that the information can be more easily stored on various domain
controllers and so that administrators have a greater degree of control over
replication. Data that is stored in the directory is replicated throughout the forest
from one domain controller to another. Some data that is relevant to the entire
forest is replicated to all domain controllers, while other data that is relevant only
to a specific domain is replicated only to domain controllers in that particular
domain. A good domain design makes it possible to implement an efficient
replication topology.
Note: Active Directory consists of three partitions: the schema partition, the
configuration partition, and the domain partition. The first two are replicated to all
domain controllers within the forest; the last, the domain partition, is only replicated
among domain controllers that are part of the same domain.
Note: If you identify three regions within your organization, it might be desirable to
create an empty forest root and three child domains. For example, in Adatum.com, there
are three regions: Europe, Americas, and Asia. Although the worldwide headquarters are
in North America, it might still be desirable to create the Adatum.com domain with three
children: europe.adatum.com, americas.adatum.com, and asia.adatum.com. This
configuration enables you to configure truly forest-wide settings on the empty forest
root while not affecting the region of the Americas.
Key Points
Active Directory trees are created by the relationship between the domains within
the forest. There is no intrinsic reason you should, or indeed, should not create
multiple trees within your forest. However, keep in mind that a single tree, with its
contiguous name space, is easier to manage, and easier for users to visualize.
Best Practice
Consider using multiple trees within a single forest if you have multiple name
spaces to support; for example, if within your organization there are several
distinct operating divisions with different public identities, you could create a
different tree for each operating division. Bear in mind that with this scenario, there
is no separation of administration because the forest root administrator still has
complete control over all objects in the forest, in whichever tree they reside.
Key Points
A trust relationship enables one security entity to trust another security entity for
the purposes of authentication. In Windows Server 2008, the security entity is the
Windows domain.
In any trust relationship, there are two parties involved; the trusting entity, and the
trusted entity. The trusting entity is the resource-holding entity, while the trusted
entity is the account-holding entity.
Types of Trusts
Trusts can be one-way or two-way. A one-way trust means that although one entity
trusts the other, the reciprocal is not true. In a two-way trust, both entities trust one
another.
Trusts can be transitive or nontransitive. In a transitive trust, if A trusts B and B
trusts C, then A also implicitly trusts C.
Windows Server 2008 supports a number of different trusts for use in different
situations.
Trust type: External
Transitivity: Nontransitive
Direction: One-way or two-way
Description: Use external trusts to provide access to resources that are located on a
Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined
by a forest trust.
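The following PowerShell is an added example, not part of the course material: a small offline model of the direction and transitivity rules stated above, so that you can predict whether an account in one domain can be authenticated for a resource in another. Each trust is recorded from the trusting (resource-holding) side, a two-way trust is stored as two one-way trusts, and a nontransitive trust is usable only between its own two endpoints while a chain of transitive trusts can be followed. The domains are the Adatum forest used in this module plus a constructed Windows NT 4.0 domain named CONTOSO-HQ; no domain is contacted. It assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the course): offline model of trust direction and transitivity.
# Every trust is written from the trusting side; a two-way trust becomes two one-way trusts.
function New-Trust([string]$Trusting, [string]$Trusted, [bool]$Transitive, [bool]$TwoWay) {
    $t = @(New-Object PSObject -Property @{ Trusting = $Trusting; Trusted = $Trusted; Transitive = $Transitive })
    if ($TwoWay) { $t += New-Object PSObject -Property @{ Trusting = $Trusted; Trusted = $Trusting; Transitive = $Transitive } }
    return $t
}

# Can an account from $AccountDomain be authenticated for a resource in $ResourceDomain?
# $Direct is $true on the first hop only: a nontransitive trust may be used as the single hop
# between its two endpoints, never as part of a longer chain.
function Test-TrustPath {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Trusts,
        [Parameter(Mandatory=$true)] [string]   $ResourceDomain,
        [Parameter(Mandatory=$true)] [string]   $AccountDomain,
        [bool]     $Direct  = $true,
        [string[]] $Visited = @()
    )
    if ($ResourceDomain -eq $AccountDomain) { return $true }    # same domain: no trust involved
    if ($Visited -contains $ResourceDomain) { return $false }   # do not loop around two-way trusts
    $Visited += $ResourceDomain
    foreach ($t in $Trusts) {
        if ($t.Trusting -ne $ResourceDomain) { continue }        # direction: only trusts this domain holds count
        if ($t.Trusted -eq $AccountDomain -and ($t.Transitive -or $Direct)) { return $true }
        # Only a transitive trust lets the search continue to the domains that the trusted domain trusts
        if ($t.Transitive -and (Test-TrustPath -Trusts $Trusts -ResourceDomain $t.Trusted `
                                 -AccountDomain $AccountDomain -Direct $false -Visited $Visited)) {
            return $true
        }
    }
    return $false
}

# Parent/child trusts inside a forest are two-way and transitive; the external trust to the
# constructed NT 4.0 domain is one-way (europe trusts CONTOSO-HQ accounts) and nontransitive.
$trusts = @()
$trusts += New-Trust 'adatum.com' 'europe.adatum.com'   $true  $true
$trusts += New-Trust 'adatum.com' 'americas.adatum.com' $true  $true
$trusts += New-Trust 'europe.adatum.com' 'CONTOSO-HQ'   $false $false

Test-TrustPath $trusts 'europe.adatum.com' 'americas.adatum.com'  # True: chain through the forest root
Test-TrustPath $trusts 'europe.adatum.com' 'CONTOSO-HQ'           # True: direct external trust
Test-TrustPath $trusts 'adatum.com' 'CONTOSO-HQ'                  # False: the external trust is nontransitive
Test-TrustPath $trusts 'CONTOSO-HQ' 'europe.adatum.com'           # False: the external trust is one-way
```

The model applies the rules exactly as the text states them. One refinement it does not capture: a forest trust is transitive between the two forests it joins but does not extend to a third forest that one of them trusts; if you extend the model to forest trusts, treat the forest-to-forest hop as a single hop rather than as a link in a longer chain.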
Key Points
Scenario 1
The Fabrikam Corporation is planning to implement Active Directory throughout
its organization. Fabrikam has a worldwide operation, with offices based in
Europe, Asia, and North America. In consultation with staff in the IT department of
Fabrikam, you determine the following facts:
There are 30,000 users distributed fairly evenly across all the three regions.
Headquarters for the worldwide operation are in Dallas, Texas.
Headquarters for the North American division is also based in Dallas.
The Asian headquarters are based in Singapore, and the European
headquarters are in Paris, France.
Scenario 2
You spend some more time researching the Fabrikam organization, and learn the
following additional facts:
The Asian division has recently acquired a company, Contoso Corporation,
based in Australia that manufactures batteries for telecommunications
equipment. This company already has Active Directory deployed in a single
forest environment.
Fabrikam is planning to deploy Exchange Server 2007 within the first few
months of deploying Active Directory.
How might these new discoveries affect your plans? Answer the following
questions:
Windows Server 2008 AD DS provides a number of new features that are only
available if the appropriate domain and forest functional levels have been configured.
This lesson explores these functional levels and their related features.
Objectives
After completing this lesson, you will be able to:
Describe the Active Directory features available in each of the domain
functional levels.
Describe the Active Directory features available in each of the forest functional
levels.
Configure the domain and forest functional level.
Key Points
The following table shows which features are enabled at each domain functional
level. It also shows the operating systems for domain controllers that are
supported at each functional level.
Domain functional level: Windows 2000 native
Supported domain controller operating systems: Windows 2000 Server, Windows Server 2003,
Windows Server 2008
Enabled features: All default Active Directory features and the following features:
Universal groups are enabled for both distribution groups and security groups.
Group conversion is enabled, which makes conversion between security groups and
distribution groups possible.
Security identifier (SID) history.
Note: This is the default domain functional level.

Domain functional level: Windows Server 2003
Supported domain controller operating systems: Windows Server 2003, Windows Server 2008
Enabled features: All default Active Directory features, all features from the Windows 2000
native domain functional level, and the following features:
The availability of the domain management tool, netdom.exe, to prepare for domain
controller rename.
Update of the logon timestamp. The lastLogonTimestamp attribute will be updated with the
last logon time of the user or computer. This attribute is replicated within the domain.
The ability to set the userPassword attribute as the effective password on inetOrgPerson
and user objects.
The ability to redirect Users and Computers containers. By default, two well-known
containers are provided for housing computer and user/group accounts: namely,
cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the
definition of a new well-known location for these accounts.
Includes constrained delegation so that applications can take advantage of the secure
delegation of user credentials by means of the Kerberos authentication protocol.
Delegation can be configured to be allowed only to specific destination services.
Supports selective authentication, through which it is possible to specify the users and
groups from a trusted forest who are allowed to authenticate to resource servers in a
trusting forest.

Domain functional level: Windows Server 2008
Supported domain controller operating systems: Windows Server 2008
Enabled features: All default Active Directory features, all features from the Windows
Server 2003 domain functional level, and the following features:
Distributed File System Replication support for SYSVOL, which provides more robust and
detailed replication of SYSVOL contents.
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
Last Interactive Logon Information, which displays the time of the last successful
interactive logon for a user, from what workstation, and the number of failed logon
attempts since the last logon.
Fine-grained password policies, which make it possible for password and account lockout
policies to be specified for users and global security groups in a domain.
Key Points
The following table shows which features are enabled at each forest functional
level. It also shows the operating systems for domain controllers that are
supported at each functional level.
Forest functional level: Windows Server 2003
Supported domain controller operating systems: Windows Server 2003, Windows Server 2008
Enabled features: All default Active Directory features, and the following features:
Forest trust.
Domain rename.
The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite
Topology Generator (ISTG) uses improved algorithms that scale to support forests with a
greater number of sites than can be supported at the Windows 2000 forest functional level.
The ability to create instances of the dynamic auxiliary class called dynamicObject in a
domain directory partition.
The ability to convert an inetOrgPerson object instance into a User object instance, and
the reverse.
The ability to create instances of the new group types, called application basic groups
and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based
authorization.
Deactivation and redefinition of attributes and classes in the schema.

Forest functional level: Windows Server 2008
Supported domain controller operating systems: Windows Server 2008
Enabled features: This functional level provides all the features that are available at the
Windows Server 2003 forest functional level, but no additional features. All domains that
are subsequently added to the forest, however, will operate at the Windows Server 2008
domain functional level by default.
Key Points
Raise the domain functional level.
Raise the forest functional level.
High-level steps:
1. Raise the domain functional level of the Adatum.com domain to Windows
Server 2008.
2. Raise the forest functional level of the Adatum.com forest to Windows Server
2008.
Question: You recently raised the domain functional level of the sales.adatum.com
domain; however, now you want to revert to the Windows Server 2003 domain
functional level. Is this possible, and if so, how?
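The following PowerShell is an added example, not part of the course material. It reads the current domain and forest functional levels, lists every domain controller with its operating system so that any DC that would block a raise is visible, and then performs the two demonstration steps by writing the msDS-Behavior-Version attribute, which is the attribute that Active Directory Domains and Trusts raises. ADSI is used because the ActiveDirectory PowerShell module is not part of Windows Server 2008; the level names are the values defined for that attribute. Run it on a domain controller as a domain administrator (Enterprise Admins for the forest step).

```powershell
# Added example (not from the course): check and raise domain/forest functional levels via ADSI.
# msDS-Behavior-Version holds the level on the domain head (domain) and on CN=Partitions (forest).
$levelName = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

$rootDse    = [ADSI]'LDAP://RootDSE'
$domainDn   = $rootDse.Get('defaultNamingContext')          # e.g. DC=adatum,DC=com
$configDn   = $rootDse.Get('configurationNamingContext')
$domain     = [ADSI]"LDAP://$domainDn"
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

function Get-FunctionalLevel {
    New-Object PSObject -Property @{
        Domain = $levelName[[int]$domain.Get('msDS-Behavior-Version')]
        Forest = $levelName[[int]$partitions.Get('msDS-Behavior-Version')]
    }
}

# Every DC in the domain must already run the target OS. Bit 0x2000 (SERVER_TRUST_ACCOUNT) of
# userAccountControl marks domain controllers; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
function Get-DomainControllerOS {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $s.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$s.PropertiesToLoad.AddRange(@('name', 'operatingSystem'))
    foreach ($r in $s.FindAll()) {
        New-Object PSObject -Property @{ Name = [string]$r.Properties['name'][0]; OS = [string]$r.Properties['operatingsystem'][0] }
    }
}

# Raises the level of the chosen scope; the forest step requires every domain in the forest to be at
# the target domain level, so repeat the DC check in each domain before raising the forest.
function Set-FunctionalLevel([ValidateSet('Domain', 'Forest')] [string]$Scope, [int]$Target) {
    $entry   = if ($Scope -eq 'Domain') { $domain } else { $partitions }
    $current = [int]$entry.Get('msDS-Behavior-Version')
    if ($Target -le $current) { throw "$Scope level is already $($levelName[$current]); this script only raises levels" }
    $old = @(Get-DomainControllerOS | Where-Object { $_.OS -notmatch 'Windows Server.* 2008' })
    if ($Target -ge 3 -and $old.Count -gt 0) {
        throw "Raise blocked by domain controllers on an older OS: $(($old | ForEach-Object { $_.Name }) -join ', ')"
    }
    $entry.Put('msDS-Behavior-Version', $Target)
    $entry.SetInfo()
}

Get-FunctionalLevel
Get-DomainControllerOS | Format-Table -AutoSize
# Demonstration steps 1 and 2 (remove the leading # to run them):
# Set-FunctionalLevel Domain 3    # Adatum.com domain to Windows Server 2008
# Set-FunctionalLevel Forest 3    # Adatum.com forest to Windows Server 2008
```

Reading the level from the directory rather than from the GUI also gives you something to record in the design document, and the DC listing is the evidence you want before touching either attribute.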
Windows Server 2008 introduces new Active Directory services. Active Directory
Lightweight Directory Services (AD LDS) replaces Active Directory Application
Mode (ADAM), which shipped with Windows Server 2003, and provides directory services for
applications; Active Directory Federation Services (AD FS) provides an identity
access solution; and Active Directory Rights Management Services (AD RMS)
provides services to enable the creation of information-protection solutions.
Objectives
After completing this lesson, you will be able to:
Describe AD CS.
Describe AD LDS.
Describe AD FS.
Describe AD RMS.
Key Points
Active Directory Certificate Services (AD CS) extend the concept of trust so that a
user, computer, organization, or service can prove its identity outside or inside the
border of your Active Directory forest.
Certificates are issued from a certificate authority (CA). When a user, computer, or
service uses a certificate to prove its identity, the client in the transaction must trust
the issuing CA. A list of trusted root CAs, which includes, for example, VeriSign
and Thawte, is maintained by Windows, and updated as part of Windows Update.
If you think about the last time you made a purchase on an Internet site, you will
recall that it was probably performed on a site using Secure Sockets Layer (SSL),
with an https:// address. The server proves its identity to the client, your
browser, by presenting a certificate issued by a CA that your browser trusts, such as
VeriSign or Thawte.
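The following PowerShell is an added example, not part of the course material: it performs the same check a browser performs before accepting a server certificate, building the chain from a certificate to a root CA that Windows trusts and consulting revocation information for every certificate in the chain. It reads the certificates in the local computer's personal store, which is a standard location; the check works for certificates issued by an enterprise CA just as it does for those from public CAs such as the ones named above.

```powershell
# Added example (not from the course): does this certificate chain to a trusted root, and is any
# certificate on the path revoked or expired?
function Test-CertificateTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation (CRL/OCSP) for the whole chain, not only the end certificate
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $trusted = $chain.Build($Certificate)    # $false when there is no path to a trusted root, or a cert is revoked/expired
    $result = New-Object PSObject -Property @{
        Subject = $Certificate.Subject
        Trusted = $trusted
        Root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject  # last element = top of the path
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '           # empty when the chain is valid
    }
    $chain.Reset()
    return $result
}

# Check every certificate in the computer's personal store (the Cert: drive is built into PowerShell)
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateTrust $_ } |
    Format-Table Subject, Trusted, Root, Status -AutoSize
```

A certificate whose Root is not one of the trusted root CAs, or whose Status reports UntrustedRoot or Revoked, is exactly the case in which the client in the transaction should refuse to proceed.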
Key Points
AD LDS is an independent mode of Active Directory, without the infrastructure
features, that provides directory services for applications. In addition, it
provides a data store and services for accessing the data store. AD LDS uses
standard application programming interfaces (APIs) for accessing the application
data, including the APIs of Active Directory, Active Directory Service Interfaces,
Lightweight Directory Access Protocol (LDAP), and System.DirectoryServices.
AD LDS does not have the infrastructure capabilities of Active Directory. It does
not include directory services for the Windows operating system, so it concentrates
on the requirements of specific applications. If AD LDS operates in an Active
Directory environment, it can use Active Directory for authentication.
AD LDS usage complements that of Active Directory. Although AD LDS and Active
Directory can operate concurrently within the same network, AD LDS serves the
requirements of specific applications. An instance of AD LDS can be created for a
specific application without a concern for the dependencies required by Active
Directory. Multiple instances of AD LDS, each supporting a separate application,
can run on a single AD LDS installation.
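The following PowerShell is an added example, not part of the course material. It opens an AD LDS instance through System.DirectoryServices, one of the APIs listed above, shows which application partitions the instance hosts, and searches one of them. The host name, port and partition are constructed: an AD LDS instance listens on the port chosen when it was created (389 only when no AD DS domain controller runs on the same host). When the caller is a Windows account the bind uses Negotiate, which is how AD LDS uses Active Directory for authentication in an AD DS environment; an AD LDS user (a user object stored inside the instance) can only perform a simple bind, so the function refuses that unless LDAPS is used, because a simple bind otherwise sends the password in clear text.

```powershell
# Added example (not from the course): connect to and search an AD LDS instance with System.DirectoryServices.
function Connect-AdLds {
    param(
        [string] $Server,      # host:port of the instance, constructed below
        [string] $Partition,   # application partition DN, constructed below
        [System.Management.Automation.PSCredential] $Credential = $null,  # AD LDS user; $null = Windows account
        [switch] $UseSsl       # required with -Credential; use the instance's SSL port
    )
    $path = "LDAP://$Server/$Partition"
    if ($Credential -eq $null) {
        # Windows identity: Negotiate (Kerberos or NTLM), credentials never travel as a password
        $type = [System.Security.Cryptography.X509Certificates.X509RevocationMode] # placeholder removed below
        $type = [System.DirectoryServices.AuthenticationTypes]::Secure
        return New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $type)
    }
    if (-not $UseSsl) { throw 'An AD LDS user can only do a simple bind; use -UseSsl so the password travels over LDAPS' }
    $type = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer   # simple bind inside an SSL session
    return New-Object System.DirectoryServices.DirectoryEntry($path, $Credential.UserName, $Credential.GetNetworkCredential().Password, $type)
}

$server    = 'sea-svr1.adatum.com:50000'     # constructed host and port
$partition = 'CN=AppData,DC=adatum,DC=com'   # constructed application partition

# The instance's RootDSE lists the application partitions it hosts
$rootDse = [ADSI]"LDAP://$server/RootDSE"
"Partitions hosted on $server"
$rootDse.GetEx('namingContexts')

# Search the partition with the caller's Windows identity; the filter is a placeholder for the
# application's own object class (for example inetOrgPerson, if that schema extension was imported)
$app = Connect-AdLds -Server $server -Partition $partition
$searcher = New-Object System.DirectoryServices.DirectorySearcher($app)
$searcher.Filter = '(objectClass=*)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
foreach ($result in $searcher.FindAll()) { $result.Path }
```

Because each application gets its own instance and partition, the same script serves any of them by changing only the port and the partition DN; nothing about the Windows domain has to change.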
Key Points
AD FS is a role of the Windows Server 2008 operating system that provides an
identity access solution. Using AD FS will give browser-based clients, both inside
and outside the network, access to protected, Internet-facing applications, even
when user accounts and applications are located in different networks or
organizations.
A typical scenario occurs when an application is in one network and a user account
is in another network, and the user is required to enter secondary credentials when
he or she attempts to access the application. However, with AD FS, secondary
accounts are not necessary. Instead, trust relationships are used to project a user's
digital identity and access rights to trusted partners. In this federated environment,
each organization continues to manage its own identities, but each organization
can securely project and accept identities from other organizations.
The process of authenticating to one network while accessing resources in another
network, without the burden of repeated logon actions, is known as single sign-on
(SSO). AD FS provides a Web-based SSO solution that authenticates users to
multiple Web applications over the life of a single browser session.
AD FS Role Services
The AD FS server role includes federation services, proxy services, and Web agent
services that you configure to enable Web SSO, federate Web-based resources,
customize the access experience, and manage how existing users are authorized to
access applications.
Depending on your organization's requirements, you can deploy servers running
any one of the following AD FS role services:
Federation Service: The Federation Service comprises one or more federation
servers that share a common trust policy. You use federation servers to route
authentication requests from user accounts in other organizations or from
clients that may be located anywhere on the Internet.
Federation Service Proxy: The Federation Service Proxy is a proxy to the
Federation Service in the perimeter network (also known as a demilitarized
zone, or DMZ, or a screened subnet). The Federation Service Proxy uses
WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user
credential information from browser clients, and it sends the user credential
information to the Federation Service on their behalf.
Claims-aware agent: You use the claims-aware agent on a Web server that hosts
a claims-aware application to allow the querying of AD FS security token
claims. A claims-aware application is a Microsoft ASP.NET application that
uses claims that are present in an AD FS security token to make authorization
decisions and personalize applications.
Windows token-based agent: You use the Windows token-based agent on a
Web server that hosts a Windows NT token-based application to support
conversion from an AD FS security token to an impersonation-level, Windows
NT access token. A Windows NT token-based application is an application that
uses Windows-based authorization mechanisms.
Key Points
AD RMS provides services to enable the creation of information-protection
solutions. AD RMS is a format- and application-agnostic technology. It will work
with any AD RMS-enabled application to provide persistent usage policies for
sensitive information. Content that can be protected using AD RMS includes
intranet sites, Web sites, e-mail messages, and documents. AD RMS includes a set
of core functions that enable developers to add information protection to the
functionality of existing applications.
The AD RMS system, which includes both server and client components,
performs several processes. First, it facilitates licensing and distributing rights-
protected information. An AD RMS system issues rights account certificates
identifying trusted entities, such as users, groups, and services that can publish
rights-protected content. After trust has been established, users can assign usage
rights and conditions to content they want to protect. These usage rights specify
who can access rights-protected content and what they can do with it. When the
content is protected, a publishing license is created for the content. This license
binds the specific usage rights to a given piece of content so that the content can
Additional Reading
AD RMS Documentation Roadmap:
http://go.microsoft.com/fwlink/?LinkID=163878&clcid=0x409
Key Points
Domain controllers host the AD DS. Domain controllers provide the following
functions on the network:
Authentication. Domain controllers store the domain accounts database, and
provide authentication services.
Optionally host operations master roles (formerly known as Flexible Single
Master Operations (FSMO) roles). There are five operations master roles: two
forest-wide roles and three domain roles. The forest-wide roles, the schema
master and the domain naming master, are both held on the first domain
controller in the forest. The domain roles, the primary domain controller
(PDC) emulator, the relative identity (RID) master, and the infrastructure
master, are all held by the first domain controller in each domain. You can
transfer these roles as you require.
Optionally hosts the global catalog. You can designate any domain controller
as a global catalog server.
Note: Some changes can only be made on a domain controller that holds the
appropriate operations master role. For example, changes to the schema can only be
made on the schema operations master.
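The following PowerShell is an added example, not part of the course material. It finds which domain controller holds each of the five operations master roles by reading the fSMORoleOwner attribute of the directory object that anchors each role, which is the same information that netdom query fsmo reports. It also flags a role whose recorded holder has been deleted, the situation in which the role has to be seized rather than transferred. It uses ADSI and runs from any domain-joined computer; the naming contexts are read from RootDSE.

```powershell
# Added example (not from the course): list the operations master role holders via fSMORoleOwner.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')
$configDn = $rootDse.Get('configurationNamingContext')
$schemaDn = $rootDse.Get('schemaNamingContext')

# Role name -> DN of the object whose fSMORoleOwner attribute names the current holder
$roleAnchors = @{
    'Schema master'         = $schemaDn                               # forest-wide
    'Domain naming master'  = "CN=Partitions,$configDn"               # forest-wide
    'PDC emulator'          = $domainDn                               # per domain
    'RID master'            = "CN=RID Manager`$,CN=System,$domainDn"  # per domain
    'Infrastructure master' = "CN=Infrastructure,$domainDn"           # per domain
}

function Get-OperationsMaster {
    $holders = @{}
    foreach ($role in $roleAnchors.Keys) {
        $anchor = [ADSI]"LDAP://$($roleAnchors[$role])"
        # fSMORoleOwner is the DN of the holder's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=LON-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,...
        $ntdsDn = [string]$anchor.Get('fSMORoleOwner')
        if ($ntdsDn -match '0ADEL') {
            # The holder object is in the Deleted Objects container: the DC is gone and the role must be seized
            $holders[$role] = "ORPHANED (deleted holder): $ntdsDn"
            continue
        }
        $server = [ADSI]"LDAP://$($ntdsDn -replace '^CN=NTDS Settings,', '')"   # parent = the server object
        $holders[$role] = [string]$server.Get('dNSHostName')
    }
    return $holders
}

Get-OperationsMaster | Format-Table -AutoSize
```

Because the forest-wide anchors live in the schema and configuration partitions, the first two results are the same from every domain in the forest, while the last three describe the domain the computer you run it from belongs to.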
Key Points
An AD DS site topology is a logical representation of the physical network.
Designing an Active Directory site topology involves planning for domain
controller placement and designing sites, subnets, site links, and site link bridges
to ensure efficient routing of query and replication traffic.
Key Points
Create a new site.
Configure the replication interval and schedule between the new site and the
existing site.
High-level steps:
Create a site object.
Configure the inter-site replication interval.
Configure the inter-site replication schedule.
Question: What is the default replication schedule and interval for the
DEFAULTIPSITELINK object?
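The following PowerShell is an added example, not part of the course material. It performs the three high-level steps above through ADSI against the Configuration partition: it creates a site object (with the two child containers that Active Directory Sites and Services also creates), a subnet object that maps an address range to the site, which is how a domain controller learns which site it is in, adds the site to DEFAULTIPSITELINK, sets the inter-site replication interval, and decodes the link's replication schedule so that you can read the current schedule before deciding whether to change it. The site name, subnet and interval are constructed values. Run it as a member of Enterprise Admins.

```powershell
# Added example (not from the course): create a site and subnet, then read and adjust site link settings.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configDn = $rootDse.Get('configurationNamingContext')
$sitesDn  = "CN=Sites,$configDn"

$siteName = 'Seattle'          # constructed
$subnet   = '10.10.0.0/16'     # constructed; DCs and clients in this range are placed in the site

# 1. Site object plus the Servers and NTDS Site Settings containers a DC expects under it
$sites = [ADSI]"LDAP://$sitesDn"
$site  = $sites.Create('site', "CN=$siteName"); $site.SetInfo()
$servers  = $site.Create('serversContainer', 'CN=Servers');            $servers.SetInfo()
$settings = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings'); $settings.SetInfo()

# 2. Subnet object pointing at the site
$subnets = [ADSI]"LDAP://CN=Subnets,$sitesDn"
$sn = $subnets.Create('subnet', "CN=$subnet")
$sn.Put('siteObject', "CN=$siteName,$sitesDn")
$sn.SetInfo()

# 3. Add the site to DEFAULTIPSITELINK and set the replication interval (minutes between replication cycles)
$link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDn"
$link.PutEx(3, 'siteList', @("CN=$siteName,$sitesDn"))   # 3 = ADS_PROPERTY_APPEND: keep the existing sites
$link.Put('replInterval', 60)                              # constructed value
$link.SetInfo()

# 4. Decode the schedule attribute. Layout: 12-byte header (size, bandwidth, number of schedules),
#    an 8-byte schedule header (type, offset of the table), then 168 bytes, one per hour of the week
#    starting Sunday 00:00 UTC; a non-zero low nibble means replication is allowed in that hour.
#    When the attribute is absent, replication is permitted at all hours.
function Get-SiteLinkSchedule([System.DirectoryServices.DirectoryEntry] $SiteLink) {
    $bytes = $SiteLink.Properties['schedule'].Value
    if ($bytes -eq $null) { return 'No schedule set: replication is permitted at all hours' }
    $offset = [BitConverter]::ToInt32($bytes, 16)
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    foreach ($d in 0..6) {
        $open = foreach ($h in 0..23) { if ($bytes[$offset + $d * 24 + $h] -band 0x0F) { $h } }
        '{0}: {1}' -f $days[$d], (($open | ForEach-Object { '{0:00}' -f $_ }) -join ' ')
    }
}

"replInterval = $($link.Get('replInterval')) minutes, cost = $($link.Get('cost'))"
Get-SiteLinkSchedule $link
```

The schedule is stored in UTC, so a window that looks like "evening" in the decoded output corresponds to local business hours in another time zone; keep that in mind when a branch in a different region complains about daytime replication traffic.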
Key Points
A read-only domain controller (RODC) is a new type of domain controller in the
Windows Server 2008 operating system. With an RODC, organizations can easily
deploy a domain controller in locations where physical security cannot be
guaranteed. An RODC hosts a read-only replica of the database in AD DS for a
given domain. The RODC is also capable of functioning as a global catalog server.
Beginning with Windows Server 2008, an organization can deploy an RODC to
address scenarios with limited wide area network (WAN) bandwidth or poor
physical security for computers. As a result, users in this situation can benefit from:
Improved security
Faster logon times
More efficient access to resources on the network
Read-only Active Directory database: Except for account passwords, an RODC holds all the
Active Directory objects and attributes that a writable domain controller holds. However,
changes cannot be made to the replica that is stored on the RODC. Changes must be made on
a writable domain controller and replicated back to the RODC.

Administrator role separation: You can delegate the local administrator role of an RODC to
any domain user without granting that user any user rights for the domain or other domain
controllers. This permits a local branch user to log on to an RODC and perform maintenance
work on the server, such as upgrading a driver. However, this does not give the branch user
the right to log on to any other domain controller or perform any other administrative task
in the domain.

Read-only Domain Name System: You can install the Domain Name System (DNS) Server service
on an RODC. An RODC is able to replicate all application directory partitions that DNS
uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an
RODC, clients can query it for name resolution as they would query any other DNS server.
Key Points
Prepare the forest for an RODC.
Deploy an RODC into a new site.
Configure and verify the password replication policy for the RODC.
High-level steps:
1. Prepare the forest with the adprep /rodcprep command.
2. Deploy the domain controller role on the SEA-SVR1 server.
3. Configure the RODC password replication policy for SEA-SVR1.
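The following PowerShell is an added example, not part of the course material. It verifies step 3 above by reading the password replication policy (PRP) of the SEA-SVR1 RODC from the lab through ADSI: the Allowed list (msDS-RevealOnDemandGroup), the Denied list (msDS-NeverRevealGroup, which wins when an account appears in both), and the accounts whose secrets the RODC has already cached (msDS-RevealedUsers). It also warns when the Allowed list contains a broad group, since an RODC in a location with poor physical security should cache only the passwords of the users who work there. The domain DN is read from RootDSE; run it as a domain administrator.

```powershell
# Added example (not from the course): inspect an RODC's password replication policy.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')

# Values of an attribute from a search result, or an empty array when the attribute is absent
function Get-ResultValues($Result, [string]$Attribute) {
    $values = $Result.Properties[$Attribute.ToLower()]
    if ($values -eq $null) { return @() }
    return @($values | ForEach-Object { [string]$_ })
}

function Get-RodcPasswordPolicy([string]$RodcName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$RodcName`$))"
    [void]$searcher.PropertiesToLoad.AddRange(@('primaryGroupID', 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup', 'msDS-RevealedUsers'))
    $found = $searcher.FindOne()
    if ($found -eq $null) { throw "Computer account $RodcName was not found" }
    # The primary group of an RODC is Read-only Domain Controllers (RID 521); a writable DC uses 516
    if ([int](Get-ResultValues $found 'primaryGroupID')[0] -ne 521) { throw "$RodcName is not a read-only domain controller" }

    $allowed = Get-ResultValues $found 'msDS-RevealOnDemandGroup'   # Allowed list of the PRP
    $denied  = Get-ResultValues $found 'msDS-NeverRevealGroup'      # Denied list; Denied overrides Allowed
    # msDS-RevealedUsers values are DN-with-binary text, "B:<len>:<hex>:<DN>", one per cached secret
    # attribute of an account, so reduce them to distinct DNs
    $cached  = Get-ResultValues $found 'msDS-RevealedUsers' | ForEach-Object { ($_ -split ':', 4)[3] } | Sort-Object -Unique
    # A broad group in the Allowed list lets a branch RODC cache far more secrets than its users need
    $broad = $allowed | Where-Object { $_ -match '^CN=(Domain Users|Domain Computers|Authenticated Users|Everyone),' }

    New-Object PSObject -Property @{
        Rodc = $RodcName; Allowed = $allowed; Denied = $denied; OverlyBroad = @($broad); CachedSecrets = @($cached)
    }
}

$policy = Get-RodcPasswordPolicy 'SEA-SVR1'
$policy | Format-List Rodc, Allowed, Denied, CachedSecrets
if ($policy.OverlyBroad.Count -gt 0) {
    Write-Warning "Allowed list contains broad groups: $($policy.OverlyBroad -join '; ')"
}
```

Comparing CachedSecrets with the Allowed list is the useful part of the check: an account that is cached but no longer in scope of the Allowed list (a user who moved to another branch, for example) is a candidate for a password reset and removal from the cache, because the RODC keeps a secret once it has been revealed.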
                     Adatum   Contoso
Number of countries  1        5
Number of forests    1        0
Number of domains    1        5
Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.
Additional Information
The new company will continue to operate with dual names; that is, the Adatum and
Contoso brands are equally important.
It is anticipated that the existing Windows NT 4.0 domain controllers and server will be
replaced as part of the migration process.
Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to
Windows Server 2008?
5. What trust relationships, aside from those created automatically, will you require?
Proposals (continued)
6. Provide a sketch of the completed forest.
Results: After this exercise, you should have a completed Contoso Domain Migration
document.
Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 24 August 2009 14:02
To: Gregory@adatum.com
Subject: Re: Branch Office Plan
Attachments: Sales Office Details.doc
Greg,
Take a look at the attached document. Get back to me with any questions. I got
this from Joe Healy, the Sales manager.
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 24 August 2009 13:30
To: Alan@adatum.com
Subject: Branch Office Plan
Alan,
What can you tell me about these new sales offices?
Thanks,
Greg
Requirement Overview
To determine the placement and configuration of domain controllers and related
services at the western region sales offices.
Additional Information
It is important that in the event of a link failure between the head office and branch
offices, users are still able to log on to the network and access services.
Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices?
How many?
3. How will you optimize the directory replication for the branches?
4. How will domain controllers know in which branch they are located?
Results: After this exercise, you should have a completed Branch Office Planning
document.
Results: After this exercise, you should have successfully deployed an RODC for the
Redmond sales office.
Review Questions
1. In a multidomain network, why is the global catalog server important?
6. During the creation of a site object, with which other object must you associate
it?
Planning for Group Policy 4-1
Group Policy is an essential part of any Windows Server 2008 network. It can be
used as a centralized management tool to distribute settings and applications to
computers. For servers, group policy is typically used to distribute security
settings. For client computers, group policy is used to configure the user
environment and distribute applications.
Objectives
After completing this module, you will be able to:
Plan group policy application.
Plan group policy processing.
Plan the management of group policy objects.
Plan the management of client computers.
Group Policy objects contain a wide variety of settings that can be applied to users
or computers. An effective plan for implementing group policy needs to take into
account how and when these settings are applied. This ensures that the application
of group policy objects is predictable.
Objectives
After completing this lesson, you will be able to:
Describe the types of group policy settings.
Describe the considerations for group policy application.
Describe the considerations for group policy application exceptions.
Describe the new group policy features in Windows Server 2008.
Key Points
A Group Policy Object (GPO) contains thousands of settings that you can use to
control servers and client computers. However, individual settings are restricted in
how they can be applied.
The settings in a GPO that apply to a computer are limited by the operating system
of the computer. For example, some settings will apply to Windows Server 2008
but not Windows Server 2003. Windows Server 2003 ignores a setting that is
specific to Windows Server 2008.
A GPO has both user and computer settings. The user settings apply based on the
location of the user object in Active Directory. The computer settings apply based
on the location of the computer object in Active Directory.
Additional Reading
Windows Server Group Policy page on the TechNet Web site:
http://go.microsoft.com/fwlink/?LinkId=99449
Key Points
Clients initiate Group Policy application by requesting GPOs from Active Directory
Domain Services (AD DS). When Group Policy is applied to a user or computer,
the client component interprets the policy, and then makes the appropriate
environment changes. These components are known as Group Policy client-side
extensions. As GPOs are processed, the Winlogon process passes the list of GPOs
that must be processed to each Group Policy client-side extension. The extension
then uses the list to process the appropriate policy, when applicable.
Consider the following:
Computer settings are processed when the computer starts. To apply new
computer settings immediately, you may need to reboot the system.
User settings are processed when a user logs on. To apply new user settings,
you may need to log off and log back on.
Key Points
Typically, all settings from a GPO are applied during the startup and logon
process. However, there are exceptions that need to be considered.
Slow Link Detection
If Group Policy detects a slow link, specific Group Policy settings will not be
processed. The default slow link speed is 500 kilobits per second (Kbps), but this
is configurable.
Slow link detection is useful for controlling how Group Policy is processed at
branch offices and for roaming users with a virtual private network (VPN)
connection. For example, you may not want to automatically install software over a
VPN connection.
Key Points
The new features in Group Policy enhance functionality of Group Policy and make
it easier to manage.
New Policies
If you are using Windows Vista as a desktop operating system, there are several
new categories of settings in Group Policy.
Power management settings. You can centrally control power management
for Windows Vista computers. This can be used to save money by putting
computers to sleep at night when they are not in use.
Blocking device installation. You can control the use of removable storage
devices. This allows you to prevent users from removing corporate data on
USB storage devices.
Firewall and IPSec settings. The settings for Windows Firewall and IPSec are
now combined. This reduces confusion where settings could potentially
conflict.
ADMX Templates
The administrative templates in previous versions of Windows were ADM files.
You have the option to replace these with ADMX files in Windows Server 2008.
The main benefits are easier editing, multi-language support, and greater efficiency.
Note: More information about ADMX files is provided in the topic Administering Group
Policy Objects.
Group Policy objects are processed primarily based on where the GPO is linked in
Active Directory. However, there are additional options available that modify the
default processing. Filtering lets you control Group Policy processing based on the
group membership of users or Windows Management Instrumentation (WMI)
settings on computers. You can block group policy inheritance to stop settings
from being applied to the lower OUs. Alternatively, you can enforce group policy
inheritance to ensure that settings are applied to all users or computers. Loopback
processing can be used to apply user settings based on the computer you log on at.
Objectives
After completing this lesson, you will be able to:
Describe the considerations for Active Directory structure.
Describe the considerations for using filtering.
Describe the considerations for modifying inheritance.
Describe the considerations for using loopback processing.
Key Points
GPOs can be created and linked to several locations. The GPOs are processed in a
specific order with the last processed GPO having the highest precedence. The
setting with the highest precedence is effective when there are conflicts between
the GPOs.
The processing order is: local group policy, site level GPOs, domain level GPOs,
first level organizational unit GPOs, second level organizational unit GPOs.
When planning the Active Directory structure, keep the following GPO
considerations in mind:
Local group policy is typically only used when a setting needs to be applied to
only a single computer such as a kiosk.
Site level GPOs are useful for enforcing policies at a single physical location
that has multiple domains. Also, software distribution can be performed at the
site level to ensure that a local source is used for the installation. In general,
Microsoft recommends linking GPOs to domains and OUs rather than sites.
Note: Windows Server 2008 introduces fine-grained password policies that allow you to
configure password policies for groups of users rather than the entire domain.
Key Points
There are two ways in which filtering can be applied to group policy processing.
Security filtering controls which GPOs are processed based on user membership in
security groups. WMI filters control GPO processing based on the WMI queries to
a workstation. WMI queries can be used to determine most hardware and software
configuration information.
When using filtering, consider the following:
The use of security filtering can simplify OU planning for a domain. For
example, you can create an OU for the accounting department with one
generic GPO for all users and then have additional GPOs filtered by security
group membership for workgroups such as payables within the accounting
department.
The use of WMI filtering can ensure that new software is installed only to
appropriate computers. For example, a new application could be provided
only to computers with a specific amount of memory or a specific operating
system.
Security Filtering
Security filtering is based on the fact that GPOs have access control lists (ACLs)
associated with them. These ACLs contain access entries for different security
principals. In order for a GPO to be applied to a security principal in an OU, the
security principal requires at a minimum the following permissions set to:
Allow Read
Allow Apply Group Policy
For more information about security filtering, see Security filtering using
GPMC on the TechNet Web site at http://go.microsoft.com/fwlink
/?LinkID=164084&clcid=0x409.
For more information about WMI filtering, see WMI filtering using
GPMC on the TechNet Web site at http://go.microsoft.com/fwlink
/?LinkID=164152&clcid=0x409.
Key Points
You have the option to modify the default group policy processing by blocking
inheritance and enforcing the application of specific GPOs. Using block
inheritance prevents the child level from automatically inheriting GPOs linked to
higher sites, domains, or organizational units. Enforcement prevents the settings in
a parent GPO from being blocked or overridden by settings in a child GPO.
When modifying inheritance, keep in mind the following key points:
Blocking inheritance is not selective. You cannot select specific policies to
block. When you block inheritance, it blocks the inheritance of all policies. To
reapply specific settings after the point of blocked inheritance, you need to link
a GPO with those settings after the point of blocked inheritance. This GPO can
be a new GPO with the specific setting required or an already existing GPO that
is also linked elsewhere. Settings that you may want to reapply after
enforcement include security configuration or software disc.
Key Points
User policy settings are normally derived entirely from the GPOs associated with
the user account, based on its AD DS location. However, loopback processing
directs the system to apply the user settings from the GPOs that apply to the
computer to any user who logs on to a computer affected by this policy.
When planning for loopback processing, consider the following:
Loopback processing is typically enabled for special use computers where you
want different user settings to apply based on the computer that the user is
logged on at. For example, a computer used to run manufacturing equipment
may have more restrictive user settings in place.
When you want to apply additional restrictions to users based on the
computer they are logging on at, use merge mode. Merge mode combines the
settings from the user and the computer. The merged settings from the
computer will override settings from the user.
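The precedence, filtering, inheritance and loopback rules from the four topics above, worked through in one small simulator. This is an added example, not code from the course; the site, domain, OU, GPO, group and setting names are constructed sample data.

```python
# Group Policy precedence simulator: an added example, not Microsoft's code.
# Models the processing order described above (local, site, domain, then OUs
# top-down; the last GPO processed wins) together with Block Inheritance,
# Enforced links, security filtering (Read + Apply Group Policy) and loopback
# processing.  All names, groups and settings are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer_settings: dict = field(default_factory=dict)
    user_settings: dict = field(default_factory=dict)
    # Security filtering: identities granted both Read and Apply Group Policy.
    apply_to: frozenset = frozenset({"Authenticated Users"})

@dataclass
class Link:
    gpo: GPO
    enforced: bool = False

@dataclass
class Container:  # a site, domain or OU; links listed in link order (1 first)
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

@dataclass
class Principal:  # user or computer; path is top-down: site, domain, OUs
    name: str
    path: list
    groups: frozenset = frozenset()

def passes_security_filter(gpo, principal):
    identities = principal.groups | {principal.name, "Authenticated Users"}
    return bool(gpo.apply_to & identities)

def processing_order(principal, local_gpo=None):
    """GPOs in the order they are processed; the last one wins conflicts."""
    normal, enforced = [], []
    if local_gpo is not None:
        normal.append(local_gpo)
    for container in principal.path:
        if container.block_inheritance:
            normal = []  # drops every non-enforced GPO linked above this point
        plain = [link.gpo for link in container.links if not link.enforced]
        normal.extend(reversed(plain))  # link order 1 is processed last
        enforced.extend(link.gpo for link in container.links if link.enforced)
    # Enforced links are processed after all others, and the one linked highest
    # in the hierarchy is processed last, so a domain-level enforced GPO beats
    # an OU-level enforced GPO and survives Block Inheritance.
    ordered = normal + list(reversed(enforced))
    return [gpo for gpo in ordered if passes_security_filter(gpo, principal)]

def effective_settings(user, computer, loopback=None, local_gpo=None):
    """Return (computer_settings, user_settings) as resolved at this logon.
    Simplification: the computer-scope list is filtered for the computer."""
    computer_gpos = processing_order(computer, local_gpo)
    user_gpos = processing_order(user, local_gpo)
    if loopback == "replace":  # user settings come only from the computer scope
        user_sources = computer_gpos
    elif loopback == "merge":  # computer-scope user settings are applied last
        user_sources = user_gpos + computer_gpos
    else:
        user_sources = user_gpos
    computer_settings, user_settings = {}, {}
    for gpo in computer_gpos:
        computer_settings.update(gpo.computer_settings)
    for gpo in user_sources:
        user_settings.update(gpo.user_settings)
    return computer_settings, user_settings

# Constructed sample: one site, one domain, an Accounting branch that blocks
# inheritance, and a Manufacturing OU holding loopback-enabled computers.
DEFAULT_DOMAIN = GPO("Default Domain Policy", {"MinPwdLen": 8},
                     {"ScreenSaverTimeout": 600})
BASELINE = GPO("Domain Baseline", {}, {"Wallpaper": "corp.jpg", "HideRunMenu": False})
ACCOUNTING = GPO("Accounting Users", {}, {"Wallpaper": "acct.jpg", "HideRunMenu": True})
PAYABLES = GPO("Payables Drive Map", {}, {"MapDrive": "P:"},
               apply_to=frozenset({"Payables"}))  # filtered to one group
SHOP_FLOOR = GPO("Shop Floor", {"AllowUSB": False},
                 {"Wallpaper": "plant.jpg", "HideRunMenu": True})

SITE = Container("HQ")
DOMAIN = Container("adatum.example", [Link(DEFAULT_DOMAIN, enforced=True), Link(BASELINE)])
ACCT_OU = Container("Accounting", [Link(ACCOUNTING), Link(PAYABLES)], block_inheritance=True)
PAYABLES_OU = Container("Payables")
MFG_OU = Container("Manufacturing", [Link(SHOP_FLOOR)])

ALICE = Principal("alice", [SITE, DOMAIN, ACCT_OU, PAYABLES_OU], frozenset({"Payables"}))
BOB = Principal("bob", [SITE, DOMAIN, ACCT_OU, PAYABLES_OU])  # not in Payables
DESK01 = Principal("DESK01$", [SITE, DOMAIN, ACCT_OU])
FLOOR01 = Principal("FLOOR01$", [SITE, DOMAIN, MFG_OU])

if __name__ == "__main__":
    for user, computer, mode in [(ALICE, DESK01, None), (BOB, DESK01, None),
                                 (ALICE, FLOOR01, "merge"), (ALICE, FLOOR01, "replace")]:
        print(f"{user.name} on {computer.name} (loopback={mode}):",
              effective_settings(user, computer, mode))
```

Running it shows the enforced Default Domain Policy reaching alice through the blocked Accounting OU, the security-filtered drive mapping reaching alice but not bob, and the Shop Floor user settings taking over in loopback merge and replace mode.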
All group policy management is performed by using the Group Policy Management
console. The steps for individual tasks vary.
To enforce a policy:
Right-click the policy link and select Enforced.
There are a variety of options available when you are managing GPOs. You need to
consider whether you should introduce ADMX templates for group policy settings
or continue using ADM templates. You also have the option to use starter GPOs as
a base for building new GPOs. You must determine whether you will link GPOs to
multiple locations or create multiple GPOs. To ensure that you can recover GPOs if
necessary, you also need to consider how GPOs will be backed up. Finally, you can
delegate the management of GPOs in several ways.
Key Points
When administering group policy objects, consider the following:
The tool for administering GPOs is the Group Policy Management Console
(GPMC). This tool is included as a feature in Windows Server 2008. You can
install GPMC on Windows Vista SP1 by downloading and installing the
Remote Server Administration Tools.
A GPO is composed of a group policy container and group policy template.
The group policy container is stored in Active Directory. The group policy
template is stored in the SYSVOL share on domain controllers.
When a new GPO is created, it must be replicated to other domain controllers.
Until replication is complete, the GPOs applied to a user or computer may be
inconsistent. Application of GPOs may also be inconsistent if there are
problems with Active Directory replication or the replication of SYSVOL in the
GPOs.
For more information about ADMX files see Managing Group Policy
ADMX Files Step-by-Step Guide on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99453.
For more information about how to create a central store for ADMX
files see How to create a Central Store for Group Policy Administrative
Templates in Windows Vista on the Microsoft Help and Support Web site
at http://go.microsoft.com/fwlink/?LinkID=164210&clcid=0x409.
Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. When you
create a new GPO from a starter GPO, the new GPO has all the Administrative
Template settings that the starter GPO defined. In this way, starter GPOs act as
templates for creating GPOs.
The GPMC stores starter GPOs in a folder named StarterGPOs, which is located in
SYSVOL. Individual starter GPOs can be exported into .cab files for easy
distribution. You then can import these .cab files back into the GPMC.
Key Points
When you create a GPO, it is stored as part of the domain structure. Some data is
stored in Active Directory and some data is stored in the SYSVOL share. That
content is then replicated to all domain controllers in the domain. To apply a GPO
to a domain or OU, you link the GPO to a domain or OU. You can link a single
GPO to multiple locations.
When considering reusing or copying GPOs, keep the following points in mind:
When you link a single GPO to multiple locations, it allows you to centrally
control the GPO. When the GPO is updated with new settings, the new
settings are applied to all users or computers affected by the GPO.
If a single GPO is linked to multiple locations, you should carefully control
which administrators have permissions to modify the GPO. A departmental
administrator could modify the central GPO while thinking that he was only
modifying settings for a single OU.
Key Points
When backing up and restoring GPOs, consider the following:
GPOs are backed up as part of a system state backup on a domain controller.
However, it is difficult to recover a GPO from a system state backup.
You can create a GPO backup at any time by using the GPMC. GPMC allows
you to back up one or all GPOs. It is a good idea to back up GPOs before
making changes.
You can use scripts to schedule GPO backups. Then GPO backups are
available as a file that can be easily restored if required. The script
BackupAllGPOs.wsf is located in C:\Program Files\GPMC\Scripts.
Only read permissions are required to perform a backup of GPOs. This makes
it easy to delegate the backup of GPOs.
A starter GPO is not useful as a backup. A GPO backup contains all GPO
settings, not just administrative templates. This differentiates them from starter
GPOs.
Key Points
When delegating management of GPOs, consider the following:
By default, only members of Domain Admins and Group Policy Creator
Owners are able to create GPOs. In most cases, you will want to delegate the
creation of GPOs without making users a member of Domain Admins.
You can delegate permission to create GPOs in a domain by making users a
member of the Group Policy Creator Owners group. Also, you can delegate
this permission from within GPMC at the Group Policy Objects folder.
By default, only members of Domain Admins, Enterprise Admins, and the
domain local Administrators can link GPOs with the domain or an OU. In
most cases, you will want to delegate the linking of GPOs without making
users a member of these groups.
You can delegate permission to link GPOs to domains and OUs within the
GPMC at the domain or OU. This is useful to allow departmental
administrators to link GPOs to their own OU.
Key Points
Many network administrators consider servers to be the most important part of the
network. They are high-profile computers because many users are affected when
they do not function properly. However, client computers are just as important as
server computers. Each user on a network is working with a client computer and a
poorly configured client computer affects the productivity of that user.
Managing client computers includes:
Distributing applications. Installing applications on client computers is a
time-consuming process when performed manually on each computer. Even if
applications are included in an image used during initial configuration,
application updates still need to be applied. Applications and updates should
be installed by using an automated method. Using an automated method to
install applications and updates saves time and money for the organization.
Key Points
Group policy is one of the easiest and most inexpensive methods you can use for
managing client computers. It can be used to perform software distribution,
enforce security settings, enforce application settings, and standardize the user
environment.
To manage client computers, you can use:
Group policy settings. Group policy settings include software distribution,
security settings, and administrative templates. The software distribution can
be used to distribute applications, application updates, and operating system
updates. The security settings control a wide variety of operating system
settings such as which users are allowed to perform Remote Desktop
operations and whether digital signing is required for network
communication. The administrative templates let you configure a wide variety
of settings for Windows components. Also, administrative templates can be
customized to deliver registry settings that control applications. Some vendors
provide administrative templates for their applications.
Key Points
Considerations for using group policy preferences include:
You can use both group policy settings and group policy preferences. There is
no conflict between group policy settings and group policy preferences. The
settings in group policy preferences are not available in group policy settings.
Preference settings are not enforced and can be modified by the user. You
should not consider preferences as a security enforcement mechanism.
Application of group policy preferences is supported for Windows XP with
SP2, Windows Vista, Windows Server 2003 with SP1, and Windows Server
2008. If you have Windows 2000 clients, you must use another mechanism to
standardize the user environment.
Use the Data Sources node to easily add or modify ODBC data sources for
applications. This is useful during application deployment or when a Microsoft
SQL Server database has been moved to a new server.
Key Points
The considerations for software deployment by using group policy include the
following:
To place an application shortcut in the Start Menu, assign the application to a
computer or user. An application assigned to a computer will be available to all
users. An application assigned to a user will be available only for that user.
To allow users to access an application quickly on first use, assign the
application to the computer. Assigning an application to a computer installs
the application in the background on computer startup. Then when the user
accesses the application for the first time, it is already installed.
To limit disk space usage, assign applications to users or publish applications
to users. When an application is assigned or published to a user, the
application is not installed until first use or until installation is selected from
Control Panel.
For best practices on the use of group policy for software installation, see
Best practices for group policy Software Installation on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkId=99486.
Key Points
A script for managing client computers can be written in any scripting language
supported by the client computer. The two most common languages for scripts are
batch files and Microsoft Visual Basic scripts. By using a script, you can configure
almost any aspect of an operating system or application.
You can specify a logon script in the properties of each user account. By using
group policy, you can run scripts that apply to computer or user accounts. For
computer accounts, there are startup and shutdown scripts. For user accounts,
there are logon and logoff scripts.
Considerations for using scripts:
Logon scripts are the most commonly used type of script. The most common
use of logon scripts is to map drive letters. If your environment supports the
use of group policy preferences, you may no longer need logon scripts.
Specifying the logon script in the properties of each user account is awkward
because it must be done for each account. It is simpler to use logon scripts in
group policy.
Key Points
The considerations for using folder redirection include:
You can redirect folders in addition to the My Documents folder (which
includes My Pictures). In Windows XP and Windows Vista, you can also
redirect the Application Data, Desktop, and Start Menu folders. In Windows
Vista only, you can also redirect Contacts, Downloads, Favorites, Searches,
Links, Music, Video, Saved Games, and Pictures.
Folder redirection makes it possible to back up user data without backing up
client computers. For example, many applications store configuration data and
templates in Application Data. If this folder is redirected to a network server,
then it can be backed up on the server without backing up the client
computer.
A. Datum has never implemented group policy other than for basic password
configuration in the domain using the default GPOs. After attending a recent
seminar, the IT manager wants to use group policy more effectively for the
organization.
At minimum, I need you to figure out how these can be implemented. As part of
your plan, please create an OU structure and define where each group policy will
be linked.
Let me know if you require any clarification.
Regards,
Allison
Results: After this exercise, you should have a completed group policy plan for
A. Datum.
Results: After this exercise, you should have successfully implemented group policy.
Review Questions
1. What are some of the ways you can speed up group policy processing?
2. How can you modify how group policy is processed and applied?
Issue: Group policy is not applying as expected.
Troubleshooting tip: Use Group Policy Results in Group Policy Management to view
the GPOs that are being applied.
Issue: You are unsure how changes will affect group policy application.
Troubleshooting tip: Use Group Policy Modeling in Group Policy Management to view
the results of potential changes to network speed, loopback processing, site,
security group membership, and WMI filters.
2. In the past, you have created customized ADM templates and they were
automatically included with the GPO on SYSVOL. This allowed the GPO to be
properly edited from any location. You have now created a customized ADMX
template and realize that it is stored locally. Others will not be able to edit the
GPO. How can you resolve this?
3. Your organization has no formal plan in place for backing up GPOs. Only a
full backup, including system state, is being performed each day. How can you
improve this?
Tools
This module focuses on the support that Windows Server 2008 provides for
Application Servers. When supporting an application server, you first need to
understand the characteristics of the application, whether it is Web-based or
traditional. Microsoft SQL Server databases have unique support requirements
that are very different from infrastructure servers. Finally, part of planning
application servers is determining how remote users will access applications.
Terminal Services is an excellent method for providing remote access to
applications for roaming users and remote offices.
Objectives
After completing this module, you will be able to:
Describe application servers.
Plan support for Web-based applications.
Plan support for SQL Server databases.
Plan the deployment of client applications.
Plan the implementation of Terminal Services.
Planning Application Servers 5-3
Key Points
When computer networks became a common part of corporate environments, they
were initially used primarily for file sharing and printing. File sharing allowed
organizations to more easily control access to files and back them up. Shared
printing allowed many users to share a single printer and save on printing costs.
After file sharing and shared printing were common, application servers began to
be added to networks.
An application server is a server that runs user applications. They have more
intensive processing and memory requirements than file and print servers because
they perform more complex tasks. Some examples of application servers are Web
servers and e-mail servers.
Key Points
The authentication method used by a traditional application is determined by the
application developer. However, sometimes an application will provide several
options that an administrator can choose from when installing the application.
Some of the most common options for authentication are:
Active Directory. Some applications are able to communicate with Active
Directory directory services for authentication. This allows you to use the
existing user objects to assign permissions within the application.
LDAP. Lightweight Directory Access Protocol (LDAP) can be used to access
information in a variety of directories, including Active Directory Domain
Services (AD DS) and Active Directory Lightweight Directory Services
(AD LDS). This option also allows you to use the existing user objects to
assign permissions within the application.
Key Points
Some of the considerations for supporting traditional applications are:
Active Directory or LDAP authentication simplifies user logons. Either of
these authentication options allows users to log on using a single set of
credentials. This also simplifies user management.
Client software for traditional applications may be difficult to update. In
most cases, when you update the client software for a traditional application,
you must update the software on all client computers at the same time. This
may be a requirement to prevent older client software from corrupting data
used by the new client software. If you are unable to update all client software
in a timely way, some users may not be able to access the application for
several hours or even days.
Note: When running a traditional application over the Internet, performance may be
slow even if only small amounts of data are transferred. Frequent communication
combined with high latency will result in slow performance.
Key Points
Web-based applications use a Web browser on client computers instead of
application software. The Web browser on the client is responsible only for
formatting and displaying processed data on the client computer. The Web server
sends all of the necessary data to the client. All of the application logic is
maintained in software executed on a Web server instead. The software on the
Web server typically communicates with a SQL Server database back-end for data
storage.
Some considerations for Web-based applications are:
Web-based applications are well suited for use over the Internet and by remote
locations. The amount of data passed between the Web server and the client is
relatively small when compared to traditional applications. All of the data
processing is performed before the information to display is transferred to the
Web browser on the client.
Key Points
Windows Server 2008 has a number of features and roles that support the use of
Windows Server 2008 as an application server. The requirements vary depending
on the application. Individual application servers may require none or all of these
features and roles. Most applications will include the requirements in the
installation documentation.
.NET Framework 3.0 features. The Microsoft .NET Framework is used by
applications to access operating system services through application
programming interfaces (APIs). Version 3.0 includes the APIs necessary to
support the .NET Framework 2.0 applications and additional elements. This
means that a computer with the .NET Framework 3.0 installed can run
applications built for the .NET Framework 2.0 or the .NET Framework 3.0.
Earlier versions of the .NET Framework can be downloaded from the
Microsoft Web site if required and run in parallel with the .NET Framework
3.0.
Key Points
The maintenance of application servers is different than the maintenance of
infrastructure servers. Infrastructure services like Active Directory or DNS are
designed to be highly available. When one domain controller is down, clients and
applications automatically direct their Active Directory requests to other functional
domain controllers. Application servers may not have this type of redundancy.
Considerations for maintaining application servers include:
Define a maintenance window for each application server. A maintenance
window is a regularly scheduled time when users do not expect the application
server to be functional. During this time you can perform system updates or
other maintenance tasks. The maintenance window is scheduled at a time
when user activity would normally be minimal, such as late at night. If unusual
maintenance needs to be performed outside of that window, it must be
negotiated with the users of the application server.
Web-based applications are well suited for remote offices and even users over the
Internet. However, when you configure Web-based applications, you need to
consider how users are authenticated and whether Secure Sockets Layer (SSL) will
be used to secure communication. If SSL is used to secure communication, you
need to determine from where you will obtain the SSL certificate and how it will be
configured. IIS provides applications and application pools to control how
Web-based applications are processed on the server.
Key Points
When IIS is used as the Web server for a Web-based application, there are several
authentication options you can choose from. Which option you select will depend
on your scenario and the options supported by the application vendor.
Some authentication considerations for Web-based applications are:
Basic authentication is supported by all Web browsers and has no difficulty
traversing firewalls. However, it transmits credentials in clear text, which could
be viewed as they travel over the network or Internet. For this reason, basic
authentication is seldom used alone.
Basic authentication with SSL is the most commonly used authentication
method. SSL is used to encrypt the credentials while they are in transit
between the Web browser and Web server. This makes the authentication
process secure and compatible with all Web browsers and Web servers. When
SSL is used to secure authentication, it is also normally used to secure all other
application data while in transit.
Web sites accessed by using a single label name are considered part of
the local intranet zone. For more information, see How to use security
zones in Internet Explorer on the Microsoft Help and Support Web site at
http://go.microsoft.com/fwlink/?LinkID=165683&clcid=0x409.
Key Points
For Web-based applications, SSL is used to encrypt communication between a
Web browser and a Web server. The entire communication process between the
client and server is encrypted. This protects authentication credentials and
application data.
To enable SSL on a Web server, you must obtain a certificate for the Web server.
The public key and private key that are part of the certificate are used during the
communication process.
The SSL communication process is:
1. The client sends a request to the server by using HTTPS.
2. The server responds by providing the client with the public key of the server.
3. The client generates a symmetrical key for encryption.
Key Points
The certificate used to secure SSL communication is used to verify the identity of
the Web server in addition to securing communication. The certificate contains a
subject name that identifies the server and must be trusted by the clients. You can
generate a certificate by using an internal CA (certification authority) or an external
CA.
Some considerations for selecting an SSL certificate are:
Certificates generated by an internal CA are not trusted by clients outside your
organization. An untrusted certificate generates warnings on the client
computers. Only use an internal CA for generating certificates for internal
clients where you can configure the clients to trust certificates issued by the
internal CA. Windows Server 2008 includes CA functionality and can generate
certificates at no cost.
Key Points
Dynamic Web content is content on a Web server that requires processing beyond
just retrieving a static Web page from a disk. Dynamic Web content typically
includes some type of script embedded in the Web page that is processed by the
Web server before the content is delivered to the client. A very simple example of
dynamic Web content is a page footer that is inserted into each page delivered by a
Web server. Full Web applications that track user state during processes are more
complex.
Some considerations for dynamic Web content:
There are a variety of ways that dynamic content can be implemented. They
include: ASP, ASP.NET, CGI, and server side includes. To avoid potential
security risks, you should enable only those methods that are required.
Key Points
One of the concerns with Web-based applications is how one application on a Web
server will affect another. IIS uses the concept of applications and application pools
to control how dynamic content is processed.
An application is a URL (http://www.contoso.com/accounting/app.aspx) or
section of URL namespace (http://www.contoso.com/accounting/). For each
application you can define the credentials used to access the physical files on the
server. The default configuration passes the user credentials through. Each
application is also part of an application pool.
Application pools contain one or more applications. Each application pool is
treated as a single processing unit with its own memory space. There are a wide
variety of settings available to control CPU utilization limits, application pool
recycling,
Key Points
In this demonstration, you will see how to configure IIS.
High-level steps:
1. Open IIS Manager.
2. Review bindings and the SSL certificate.
3. Create a new application.
4. Review application configuration.
5. Review application pool configuration and the recycling settings.
Many application servers, such as SharePoint and Microsoft Project Server, use
SQL Server as a back end for data storage. It is essential that you understand the
basics of SQL Server operation and support to be able to properly support an
application server. There are multiple editions of SQL Server 2008 and the one you
need depends on the scenario it is being used in. Transaction logs are an integral
part of how SQL Server maintains databases and need to be considered when you
decide on a backup and restore strategy for a SQL Server database.
Objectives
After completing this lesson, you will be able to:
Describe why database knowledge is required by administrators.
Describe SQL Server.
Key Points
As the administrator of a Windows network, you need to understand the basics
of how databases work. Databases are used as a back end to store data and
configuration information for a wide variety of applications. End-user applications
that store data in a database include most Web-based applications, SharePoint,
Microsoft Project Server, and Exchange Server. Administrator utilities that use a
database include System Center Operations Manager and System Center Virtual
Machine Manager. To support these applications, you need to understand the
basics of database administration.
Managing the databases associated with an application is different from managing
files such as Microsoft Office Word documents or Microsoft Office Excel
spreadsheets. Some of the important differences are:
Databases have constantly changing data and the database files are constantly
open. To back up a database, special procedures are required. If you back up a
live database by using an open file agent for backup, the backup will be
inconsistent and you may not be able to restore it.
Note: Exchange Server does not use SQL Server for data storage. Exchange Server uses a
different type of database called Microsoft Extensible Storage Engine (ESE).
Key Points
Microsoft SQL Server 2008 is a database that can be used for a variety of purposes,
such as business intelligence or data warehousing. However, a common use for
SQL Server is as back-end data storage for applications. Both traditional client-
server applications and Web-based applications often use SQL Server to store
application data.
When applications query, modify, and add data to a SQL Server database, they use
Structured Query Language (SQL). SQL is a standard language that is used for
communication with databases. In some cases, it can be useful for server
administrators to be familiar with SQL, but it is not required to perform basic
management of Microsoft SQL Server.
Reporting Services is an optional feature of SQL Server that is used to
automatically generate reports from a SQL Server database. Some applications
require Reporting Services to be installed for full functionality. For example,
System Center Operations Manager requires Reporting Services to generate system
reports showing the health of monitored computers.
Key Points
There are several editions of SQL Server 2008. Each edition has different features.
You should select the edition that meets the requirements of your applications.
Free editions of SQL Server 2008:
Express. This is an entry level database that is suitable for learning and
applications with limited data requirements. It supports only 1 CPU and 1 GB
of RAM. The maximum database size is 4 GB.
Compact. This edition is designed for use on mobile devices. There are no
limits on CPU and memory use. The maximum database size is 4 GB.
For detailed information about SQL Server 2008 editions and their
features, see Compare Edition Features on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167150&clcid=0x409.
For a pricing overview of SQL Server 2008 editions, see SQL Server 2008
Pricing on the Microsoft Web site at http://go.microsoft.com/fwlink
/?LinkID=167151&clcid=0x409.
Key Points
The data in a SQL Server database is protected by permissions, similar to how
NTFS permissions are used to protect data in the file system. For SQL Server to
appropriately determine permissions, the user must authenticate to SQL Server.
SQL Server 2008 authentication modes:
Windows authentication. In this authentication mode, all permissions are
linked to Active Directory or local Windows user accounts. In most cases, this
is easier for users and administrators. Users may be automatically
authenticated to an application based on the credentials cached in the local
workstation, or at least do not need to remember a second set of credentials.
Administrators do not need to maintain a second set of credentials.
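The lesson's point is that the authentication mode decides where the credentials live: with Windows authentication nothing is stored in the application, whereas a SQL login needs a user name and password in the application's connection string. The script below is an added example, not course material: it parses connection strings with the standard SQL Server keywords (Integrated Security, Trusted_Connection, User ID/UID, Password/PWD), reports which authentication mode each one uses, and flags the entries that carry a clear-text SQL password so an administrator knows which configuration files must be protected or moved to Windows authentication. The application names and server name in the sample entries are constructed.

```python
"""Classify SQL Server connection strings by authentication mode.

Added example for this lesson; it is not part of the course material. It
uses the standard SQL Server connection-string keywords (Integrated Security,
Trusted_Connection, User ID / UID, Password / PWD). The configuration entries
below are constructed samples, not real servers or accounts.
"""
from typing import Dict, List


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs: Dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue  # skip empty segments such as a trailing ';'
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def classify_auth(conn: str) -> str:
    """Return 'windows', 'sql' or 'unknown' for one connection string.

    Windows authentication is requested with Integrated Security=SSPI/true or
    Trusted_Connection=yes; a SQL login is identified by a User ID / UID key.
    """
    kv = parse_connection_string(conn)
    integrated = kv.get("integrated security", kv.get("trusted_connection", "")).lower()
    if integrated in ("sspi", "true", "yes"):
        return "windows"
    if any(k in kv for k in ("user id", "uid", "user")):
        return "sql"
    return "unknown"


def strings_with_embedded_passwords(configs: Dict[str, str]) -> List[str]:
    """Names of configs that carry a SQL login password in clear text.

    Anyone who can read such a configuration file can reuse the credential,
    so these entries need file ACLs at minimum, or a move to Windows
    authentication.
    """
    flagged = []
    for name, conn in configs.items():
        kv = parse_connection_string(conn)
        if classify_auth(conn) == "sql" and ("password" in kv or "pwd" in kv):
            flagged.append(name)
    return flagged


# Constructed sample configuration entries (hypothetical application names).
SAMPLE_CONFIGS = {
    "IntranetApp": "Server=sqlsrv01;Database=Intranet;Integrated Security=SSPI;",
    "LegacyApp": "Server=sqlsrv01;Database=Legacy;User ID=legacy_app;Password=example-only;",
    "Reporting": "Data Source=sqlsrv01;Initial Catalog=Reports;Trusted_Connection=yes;",
}

if __name__ == "__main__":
    for name, conn in SAMPLE_CONFIGS.items():
        print(f"{name}: {classify_auth(conn)} authentication")
    print("embedded passwords:", strings_with_embedded_passwords(SAMPLE_CONFIGS))
```

Run against the sample entries, the two Windows-authentication strings pass and only LegacyApp is flagged; pointing the same functions at an application's real configuration files gives the list of credentials that the second-credential-set problem described above applies to.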
Key Points
There are a number of tools available to manage SQL Server 2008. Graphical tools
are the most commonly used by network administrators. More advanced database
administrators can use SQL commands directly to perform server management
tasks.
SQL Server Management Studio is a graphical utility for managing SQL Server
2008. With this utility, you can manage almost any aspect of SQL Server 2008
or previous versions of SQL Server. You can create databases, modify security,
configure backups, and many other features. You can also enter SQL
commands directly through SQL Server Management Studio.
SQL Server Configuration Manager is a graphical utility that performs a few
specific SQL Server management tasks. It can start and stop SQL services,
modify and manage the accounts used by SQL services, and modify network
protocols.
For more information about SQL Server 2008 management tools, see
Features and Tools Overview (SQL Server 2008) on the MSDN Web site
at http://go.microsoft.com/fwlink/?LinkID=165686&clcid=0x409.
High-level steps:
1. Open SQL Server Management Studio.
2. Review the list of databases.
3. Review the properties of a database.
4. Review the authentication mode settings.
5. Review the instance level security accounts.
6. Review the database level security accounts.
Key Points
Each action performed in a SQL Server 2008 database is referred to as a
transaction. Each transaction may have multiple steps, such as modifying multiple
tables. For example, a transaction may remove money from one account and then
add money to another account. It is important that all steps in a transaction are
completed successfully. To increase the reliability of transactions and prevent
problems with inconsistent databases, SQL Server 2008 uses transaction logs.
Each database has a transaction log. When a transaction is initiated, the transaction
is written to the transaction log before any modifications are performed in the
database. Then if there are any errors during the transaction, such as a power
failure or disk error, the transaction can be rolled back or completed to keep the
database consistent.
You can set a recovery model for a database that controls how logging is
performed. These are called recovery models because they control how you
perform recovery from a backup and how you perform backups.
Key Points
Databases are not backed up in the same way as the file system of a server. You can
still perform full, differential, and incremental backups. However, each of these
options works with the database and transaction logs.
When the full recovery mode is being used, you have the following options for
backup:
Full backup. When you perform a full backup, the database and transaction
logs are backed up. The transaction logs are also truncated. Truncating the
transaction logs frees up disk space.
Incremental backup. When you perform an incremental backup, only the
transaction logs are backed up. The transaction logs are also truncated after
they are backed up. If you are performing a daily incremental backup, it
includes a single day of transaction logs.
When the simple recovery mode is being used, it is not possible to perform
incremental or differential backups because the log files contain only current
transactions. You can only perform full backups on a database by using simple
recovery mode.
When you recover a SQL database, you first restore the database and all of the
transaction logs; then the transaction logs are replayed to bring the database up to
a current state. Replaying transaction logs reapplies the transactions to the
database. If any transaction log is missing or corrupt, the replay will stop and you
cannot recover past that point.
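The two passages above (transaction logs and recovery models, then the full versus incremental backup options and the replay-on-restore rule) come down to one check an administrator should be able to make before trusting a backup set: does the chain of log backups after the newest full backup run without a gap? The script below is an added example, not course material. Each backup record is a simplified model of what SQL Server records about a backup (type, first and last log sequence number); the LSN values and backup names are constructed sample data. It builds the restore order, reports how far the database can be brought forward, and stops at the first missing or corrupt log exactly as the lesson describes; with the simple recovery model it stops at the full backup, since there are no log backups to replay.

```python
"""Restore-chain check for full and transaction-log backups.

Added example for this lesson, not part of the course material. The record
shape is a simplified model of what SQL Server keeps about each backup in
msdb (backup type, first and last log sequence number); the LSN values are
constructed sample data, not real log positions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BackupSet:
    name: str        # backup file or media set name
    kind: str        # 'D' = full database backup, 'L' = transaction log backup
    first_lsn: int   # first log record the backup contains
    last_lsn: int    # log position the backup reaches; the next log backup must start here
    corrupt: bool = False  # True when the file fails verification (constructed flag)


def plan_restore(backups: List[BackupSet], recovery_model: str = "FULL"
                 ) -> Tuple[List[str], int, Optional[str]]:
    """Return (restore order, LSN the database can be brought to, problem or None).

    Follows the rule in the lesson: restore the newest full backup, then
    replay log backups in sequence; a missing or corrupt log ends the replay
    and nothing after it can be recovered. With the simple recovery model
    there are no log backups to replay, so recovery stops at the full backup.
    """
    fulls = [b for b in backups if b.kind == "D" and not b.corrupt]
    if not fulls:
        raise ValueError("no usable full backup: nothing to restore from")
    base = max(fulls, key=lambda b: b.last_lsn)   # newest full backup starts the chain
    order = [base.name]
    reached = base.last_lsn
    if recovery_model.upper() == "SIMPLE":
        return order, reached, None

    # Log backups that extend past the full backup, in LSN order
    logs = sorted((b for b in backups if b.kind == "L" and b.last_lsn > base.last_lsn),
                  key=lambda b: b.first_lsn)
    for log in logs:
        if log.first_lsn > reached:
            return order, reached, (
                f"log chain broken before {log.name}: it starts at LSN {log.first_lsn} "
                f"but the chain ends at LSN {reached}")
        if log.corrupt:
            return order, reached, f"{log.name} is corrupt: replay stops at LSN {reached}"
        order.append(log.name)
        reached = max(reached, log.last_lsn)
    return order, reached, None


# Constructed sample: one week of backups, with Wednesday's log backup lost
WEEK_WITH_GAP = [
    BackupSet("Sun-Full", "D", 100, 150),
    BackupSet("Mon-Log", "L", 150, 200),
    BackupSet("Tue-Log", "L", 200, 260),
    # Wed-Log (LSN 260-300) is missing from the backup media
    BackupSet("Thu-Log", "L", 300, 340),
    BackupSet("Fri-Log", "L", 340, 380),
]

# Same week with every log backup present
WEEK_COMPLETE = WEEK_WITH_GAP[:3] + [BackupSet("Wed-Log", "L", 260, 300)] + WEEK_WITH_GAP[3:]

if __name__ == "__main__":
    for label, chain in (("complete", WEEK_COMPLETE), ("with gap", WEEK_WITH_GAP)):
        order, lsn, problem = plan_restore(chain)
        print(f"{label}: restore {order} -> LSN {lsn}; {problem or 'chain intact'}")
```

With the complete week the restore order runs through Friday's log; with Wednesday's log missing, Thursday and Friday can never be applied, and the database can only be brought to the end of Tuesday's log. Running the same chain with recovery_model="SIMPLE" returns just the full backup, which is why the lesson recommends the full recovery model when point-in-time recovery matters.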
Key Points
Some considerations for supporting SQL Server are:
The transaction log file never shrinks in size automatically. When you truncate
a transaction log, the file size stays the same, but data is removed from the file.
You can manually shrink the file if required.
The database file never shrinks in size automatically. When you delete data
from a database, the file size stays the same, but data is removed from the file.
You can manually shrink the file if required.
To enhance recoverability, use full recovery mode. If you use simple recovery
mode, then you can only restore back to the point in time of the backup.
To enhance recoverability, store database files on a separate physical disk from
transaction logs. Then if a disk is lost or corrupted, you can restore the
database and replay the transaction logs up to the current point.
When you deploy a new operating system, you need to consider application
compatibility with that operating system. Even when a new operating system is not
being used, each organization needs to determine the best way to deploy
applications. In this lesson, you will learn about these topics and learn how to
deploy an application by using Group Policy.
Objectives
After completing this lesson, you will be able to:
Describe considerations for application compatibility.
Describe the methods for deploying applications.
Deploy an application by using group policy.
Key Points
For commercial software, the best way to ensure that a desktop application is
compatible with a new desktop operating system is to verify with the application
vendor. If the application is supported on the new operating system, then you can
safely use it with the new operating system. If the application is not supported, it
may still work, but you should do extensive testing. Alternatively, you can wait for
the vendor to provide an updated version of the application for the new operating
system.
To simplify, Microsoft provides a list of applications that are compatible with
Windows Vista and Windows 7 on the TechNet Web site. This is an alternative to
verifying individually with each vendor.
Key Points
Traditionally, applications were deployed by going from computer to computer
with a CD-ROM and installing the application manually by running setup.
However, this was a time-consuming process and led to non-standard
configurations because each technician performing the software install may have
been selecting different options.
Other ways to deploy applications include:
Inclusion in an operating system image. When applications are included in
an operating system image, they do not need to be configured after a computer
is updated. However, this is only suitable for applications that are deployed to
all users. It also does not address the need to update applications when
updates become available.
Key Points
High-level steps:
1. Open Group Policy Management.
2. Create a new GPO.
3. Add the application to the new GPO.
4. Test delivery of the application.
Key Points
Terminal Services is a Windows Server 2008 role that provides access to
applications that run centrally on a server. When clients connect to a Terminal
Server, the amount of network traffic is very small. All application processing
occurs on the Terminal Server. The Terminal Server sends screen draw commands
to the client and the client sends mouse and keyboard input to the Terminal
Server.
The client accessing a terminal server can be a desktop computer running the
Remote Desktop client or a Windows terminal. A Windows terminal is a device
that only runs the Remote Desktop client and does not provide functionality to run
other applications.
When the Remote Desktop client is used to access a Terminal Server, file and
printer redirection can be implemented. File redirection allows the remote client to
save files from the Terminal Server to a local disk on the client. Printer redirection
allows the remote client to print from terminal server applications but have the
print job created on a local printer.
Key Points
Terminal Services in Windows Server 2008 has been updated with many useful
features. Some of the new features are:
Single sign-on. This simplifies logon over internal networks by allowing the
credentials from a client computer to be automatically passed to the terminal
server. When used to control a single application window, it makes the
process similar to opening a local application.
Easy Print. This simplifies printing to local computers on the client. It avoids
the need to install printer drivers on the terminal server that match the printer
on the client computer. All print jobs are created in XPS format on the
Terminal Server and rendered for the appropriate printer locally.
TS RemoteApp. This allows clients to open a window with a single application
when connecting to a Terminal Server rather than an entire desktop. This
simplifies the process for users and is very useful for line-of-business
applications that have been centralized on a Terminal Server.
Key Points
Terminal Services require client access licenses (CALs) in addition to the CALs
required for accessing Windows. Terminal Server CALs can be per device or per
user. Roaming users often access a terminal server from many devices. In such a
case, user-based licensing is more cost effective. For internal computers shared by
multiple users and accessing a line-of-business application, device-based CALs will
be more cost effective.
Each Terminal Server must be configured to use per user or per device licensing. A
single Terminal Server cannot mix the two licensing modes. To use per user and
per device licensing, you must have at least two Terminal Servers.
Note: When a Terminal Server is installed, it will function for 120 days without
communicating with a licensing server. However, after 120 days, a Terminal Server will
stop allowing connections.
Key Points
When planning for the Terminal Services role, keep the following considerations in
mind:
Use Terminal Services to provide remote offices with access to centralized
applications. Accessing an application or data by using Terminal Services has
much better performance over a wide area network (WAN) than remotely
accessing application data.
Use Terminal Services to provide remote users with access to data and
applications. Accessing an application or data by using Terminal Services has
much better performance than using a VPN.
Centralize the deployment of line-of-business applications on a Terminal
Server. It is much easier to update a central copy of an application on a
Terminal Server than on multiple client computers.
Use RemoteApp to simplify access to applications on a terminal server. This
provides users with a desktop icon that is simpler to understand than using a
full Remote Desktop.
A. Datum has recently identified the need to implement new applications to meet
the needs of a growing organization. The first is a portal for collaborating on
projects. Windows SharePoint Services has been selected for this purpose. The
second need is a new financial application that will be deployed by using Terminal
Services.
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 30 July 2009 14:25
To: Gregory@adatum.com
Subject: Group Policy implementation
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning our implementation of the new application servers.
The first application server is for Windows SharePoint Services. We are
implementing this only as a pilot project at this point. A new server
(sharepoint.adatum.com) has been allocated for this task and has SQL Server 2008
Express already installed with an instance named SQLEXPRESS. If we move this
project out of the pilot phase, then we'll consider updates for better performance.
Windows SharePoint Services creates two Web sites on the server. One Web site is
for managing WSS and the other is for accessing content. The content that users
enter for the pages is stored in the SQL Server database.
Some of the things I need your input on are:
What server roles and features do you think will be required?
Do you have any concerns about hardware specifications?
What sort of maintenance schedule will this application require?
How will we ensure that this server and application are secure?
How can we simplify access to this application for internal users?
How should this be backed up?
The second application server is a Terminal Server that will be used by the new
financial application. This is also a pilot project that we need to test before rolling it
out to other users.
Some of the users are at head office and some others are at remote branches that
will be accessing over the WAN. I really need your input as to what benefits using
Terminal Services provides to us. I have to admit, I'm not entirely clear as to why
we want to do it this way. However, the vendor recommended it.
Results: After this exercise, you should have created a plan for implementing WSS and
Terminal Services.
Results: After this exercise, you should have successfully implemented Windows
SharePoint Services and verified the configuration.
Results: After this exercise, you should have successfully implemented Terminal
Services and distributed a Terminal Services application.
Review Questions
1. How can you provide access to a client-server application over the Internet and
still have acceptable performance?
2. Why do you need to consider transaction logs when planning backup and
recovery for SQL Server?
3. How can you isolate Web applications so that a programming error in one
does not affect another?
2. Your organization does not have backup software with an agent for SQL
Server. The agent for SQL Server has been ordered, but will not arrive for
several weeks. In the meantime, how can you back up the SQL Server database
without stopping the database?
3. Use the list of criteria you have generated to create a flowchart for determining
which edition of Windows Server 2008 you should use.
Lab: Planning a Windows Server 2008 Deployment L1-3
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the more efficient file-sharing protocols in Windows Server 2008.
The archive file server is used to store older data that is accessed only occasionally.
Extended outages are possible with notification.
It is used only as a file server. It has no other functions.
The hardware is relatively new, and no new hardware has been allocated for this
server.
Additional Information
This server is currently running a 32-bit version of Windows Server 2003 R2.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: Because no new hardware has been allocated, this server must be
upgraded. The file server role is a limited risk for upgrading. It should be
recognized by the upgrade process.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used. There are no
requirements that necessitate the use of Windows Server 2008 Enterprise or
Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 will be used, because you
cannot upgrade between processor architectures.
L1-8 Module 1: Planning Windows Server 2008 Deployment
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the more efficient file-sharing protocols in Windows Server 2008.
The main file server is mission critical and cannot be taken out of production during
business hours. Downtime must be limited to less than one day.
It is used only as a file server. It has no other functions.
This server should support cross-file replication for DFS. This may be implemented in
the future to support remote offices, and the cross-file replication will reduce
synchronization traffic on the WAN.
Data for this file server is stored on a Fibre Channel Storage Area Network (SAN).
New hardware has been allocated for this server if required.
Additional Information
Clients access this file server through mapped drive letters that are created by a
logon script.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: New hardware has been allocated, so this server should be migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: This server will use Windows Server 2008 Enterprise to support the
use of cross-file replication for DFS.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: There is no indication of any reason not to use 64-bit, so a 64-bit
operating system should be used.
4. How will downtime be minimized?
Answer: Even though there is a large amount of data, the migration of this
data is not a concern. The data is stored on a SAN, and the new server can
point at the existing storage on the SAN. Clients can be directed to the new
server by updating their logon script.
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize
the server operating systems.
The antivirus server can experience an outage of 24 hours without impacting
clients.
New hardware has been allocated for this server.
Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments
and is not supported in 64-bit environments.
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: New hardware has been allocated for this server. So, it should be
migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used because there are no
requirements that necessitate the use of Windows Server 2008 Enterprise or
Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 should be used, because
the antivirus application is not supported on a 64-bit operating system. When
64-bit support is available, an upgrade to a 64-bit version of Windows Server
2008 can be considered.
Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the performance improvements in IIS 7.
The existing server is consistently short on memory, and a new server with 8 GB of
memory has been allocated to address this.
The application data is also stored on this server and must be taken into account.
There can be no downtime during business hours.
The new server should support failover clustering, as it is being considered for the
future.
Additional Information
None
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: A new server has been allocated with additional memory. A
migration should be performed.
2. Which edition of Windows Server 2008 will be used?
Answer: The memory requirement is 8 GB. This is possible with a 64-bit
version of Windows Server 2008 Standard. However, Windows Server 2008
Enterprise is required to support failover clustering.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 64-bit version of Windows Server 2008 should be used to best
access the 8 GB of memory.
4. What process will you use to minimize downtime?
Answer: To minimize downtime, the new server should be implemented in
parallel with the existing server. After the new server has been thoroughly
tested, then you can perform a final data migration. Downtime is only
required for the final data migration.
Results: After this exercise, you should have created a deployment plan for the archive
file server, the main file servers, the antivirus server, and the human resources
application server.
Lab: Planning Network Infrastructure for Windows Server 2008 L2-13
Requirement Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales
offices, shown in the exhibit.
The block address 10.10.32.0/21 has been reserved for this region.
You must devise a scheme that supports the required number of subnets, the
required number of hosts, and provide for 25% growth of hosts in each branch.
For each branch, provide the subnet addresses you plan to use, together with the
start and end IP addresses for each subnet.
L2-14 Module 2: Planning Network Infrastructure for Windows Server 2008
Additional Information
You do not need to concern yourself with the IP addressing for the corporate side
of the router at each branch.
Proposals
1. How many subnets do you envisage requiring for this region?
Answer: There are 300 computers in the region. The specification states that
around 50 computers should be deployed in each subnet. We also need to
plan for growth of around 25%. Six subnets are required in the region to host
computers, but an additional subnet per location should be planned for to
host the growth in computers. This is a total of nine subnets.
2. How many hosts will you deploy in each subnet?
Answer: The specification states we must deploy a maximum of 50 host
computers per subnet.
3. What subnet mask will you use for each branch?
Answer: The current network address for the region is 10.10.32.0/21. This
leaves 11 bits to allocate to subnets and hosts. To express 9 subnets, we would
require 4 bits, as 3 bits only provides for 8 subnets. 4 bits actually provides for
16 subnets, which is plenty. This is a decimal mask of 255.255.255.128.
4. What are the subnet addresses for each branch?
Answer:
Branch 1:
10.10.32.0/25
10.10.32.128/25
10.10.33.0/25
Branch 2:
10.10.33.128/25
10.10.34.0/25
10.10.34.128/25
Branch 3:
10.10.35.0/25
10.10.35.128/25
10.10.36.0/25
5. What ranges of host addresses are in each branch?
Answer:
Branch 1:
10.10.32.1 > 10.10.32.126
10.10.32.129 > 10.10.32.254
10.10.33.1 > 10.10.33.126
Branch 2:
10.10.33.129 > 10.10.33.254
10.10.34.1 > 10.10.34.126
10.10.34.129 > 10.10.34.254
Branch 3:
10.10.35.1 > 10.10.35.126
10.10.35.129 > 10.10.35.254
10.10.36.1 > 10.10.36.126
Results: After this exercise, you should have a completed IP addressing plan for the
western region branch offices.
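The answer key above derives the plan by hand: nine subnets need 4 subnet bits, 10.10.32.0/21 plus 4 bits gives /25, and the /25 blocks are then dealt out three per branch. The script below is an added example, not part of the lab, that performs the same derivation and prints the subnet, first host and last host for each branch so the answer key can be checked, and it generalizes the same rule to other block sizes, branch counts and growth allowances. It assumes 100 computers per branch (the lab's 300 computers spread evenly; the lab exhibit is not reproduced here) and follows the answer key's method of choosing subnet bits first and then checking that enough host bits remain.

```python
"""Subnet plan for the western region branch offices.

Added example for this lab, not part of the course material. It reproduces the
lab's allocation from 10.10.32.0/21: subnet bits are chosen first to fit the
number of subnets, then the remaining host bits are checked against the
per-subnet host requirement. The per-branch computer count (100) is an
assumption derived from 300 computers across three branches.
"""
import ipaddress
import math
from typing import Dict, List, Tuple

REGION_BLOCK = ipaddress.ip_network("10.10.32.0/21")   # reserved for the region (from the lab)
BRANCHES = ["Branch 1", "Branch 2", "Branch 3"]
COMPUTERS_PER_BRANCH = 100   # assumption: 300 computers spread evenly over three branches
HOSTS_PER_SUBNET = 50        # lab specification
GROWTH = 0.25                # lab specification


def subnets_needed_per_branch(computers: int, hosts_per_subnet: int, growth: float) -> int:
    """Subnets for the current computers plus whole subnets for the growth allowance."""
    current = math.ceil(computers / hosts_per_subnet)
    extra = math.ceil(computers * growth / hosts_per_subnet)
    return current + extra


def choose_prefix(block: ipaddress.IPv4Network, subnet_count: int, hosts_per_subnet: int) -> int:
    """Prefix length that yields at least subnet_count subnets of block and still
    leaves room for hosts_per_subnet usable addresses in each."""
    subnet_bits = max(1, (subnet_count - 1).bit_length())   # 9 subnets -> 4 bits
    prefix = block.prefixlen + subnet_bits
    usable = 2 ** (32 - prefix) - 2                           # minus network and broadcast
    if usable < hosts_per_subnet:
        raise ValueError(f"/{prefix} leaves only {usable} usable hosts per subnet")
    return prefix


def plan_region(block=REGION_BLOCK, branches=BRANCHES, computers=COMPUTERS_PER_BRANCH,
                hosts_per_subnet=HOSTS_PER_SUBNET, growth=GROWTH
                ) -> Tuple[str, Dict[str, List[Tuple[str, str, str]]]]:
    """Return (subnet mask, {branch: [(subnet, first host, last host), ...]})."""
    per_branch = subnets_needed_per_branch(computers, hosts_per_subnet, growth)
    prefix = choose_prefix(block, per_branch * len(branches), hosts_per_subnet)
    available = list(block.subnets(new_prefix=prefix))
    plan: Dict[str, List[Tuple[str, str, str]]] = {}
    for i, branch in enumerate(branches):
        chunk = available[i * per_branch:(i + 1) * per_branch]
        # net[0] is the network address and net[-1] the broadcast; skip both
        plan[branch] = [(str(net), str(net[1]), str(net[-2])) for net in chunk]
    return str(available[0].netmask), plan


if __name__ == "__main__":
    mask, plan = plan_region()
    print("subnet mask:", mask)
    for branch, subnets in plan.items():
        print(branch)
        for net, first, last in subnets:
            print(f"  {net}: {first} - {last}")
```

The output reproduces the answer key exactly (mask 255.255.255.128, Branch 1 starting at 10.10.32.0/25 with hosts 10.10.32.1 to 10.10.32.126, Branch 3 ending at 10.10.36.0/25). Seven of the sixteen /25 subnets in the block remain unallocated, which is the "plenty" the answer key refers to.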
Requirement Overview
Specify which network services are required in each sales office, and any changes
that might be required in the head office to facilitate your proposals.
Additional Information
It is important that any router, server, or communications link failure does not
adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?
Answer: Assuming that the routers are all RFC-compliant, there is no need to
deploy DHCP servers in each subnet. Perhaps one DHCP server in each
location would be sufficient. For fault tolerance, duplicate scopes configured
at the head office DHCP server, with appropriate exclusions to support the
80/20 rule, would provide for addressing fault tolerance.
2. Where do you propose to deploy these servers?
Answer: One DHCP server in each regional office.
3. What name resolution services are required?
Answer: Both DNS and NetBIOS name resolution are required.
4. To support the DNS name space in the sales division, how would you propose
to configure DNS?
Answer: There are two choices:
a. Configure a subdomain for sales in the existing Adatum.com DNS name
space. Then create sufficient DNS servers for deployment to the region as
secondary servers of the Adatum.com zone.
b. Create a delegation for the sales.adatum.com zone in the Adatum.com
zone. Provide at least two name servers to support this delegated zone.
5. Will you require WINS?
Answer: Possibly.
6. If so, how many WINS servers will you require for the region?
Answer: Probably two, configured as replicas.
7. If not, how do you propose to support single-label names?
Answer: Instead of WINS, the GNZ could be used.
Results: After this exercise, you should have a completed plan for the deployment of
network services in the western regional branch offices.
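The answer to question 1 proposes one DHCP server per location plus duplicate scopes at head office, with exclusions that follow the 80/20 rule so that a branch server outage does not stop addressing. The script below is an added example, not part of the lab: it takes one of the /25 subnets from the addressing exercise, splits the usable addresses so the branch server leases 80% and the head office server 20%, produces the exclusion range each server must configure, and checks that the two servers never lease the same address. It assumes the usual reading of the rule (local server gets the 80%), that both servers define the whole subnet as their scope and exclude the other server's share, and that the first usable address is reserved for the branch router; none of those three details is stated in the lab.

```python
"""80/20 split of one subnet between a branch DHCP server and the head office.

Added example for this lab, not part of the course material. It assumes the
usual reading of the 80/20 rule (the local server leases 80% of the pool,
the remote server the other 20%), that both servers define the whole subnet
as their scope and exclude the other server's share, and that the first
usable address is reserved for the branch router (an assumption, not a lab
requirement).
"""
import ipaddress
from typing import Dict, Tuple

AddrRange = Tuple[str, str]   # inclusive (first, last) address pair


def split_scope(subnet: str, local_share: float = 0.8) -> Dict[str, Dict[str, AddrRange]]:
    """Return the scope range and, per server, the range it leases and the range it excludes."""
    net = ipaddress.ip_network(subnet)
    pool = list(net.hosts())[1:]          # usable addresses minus the router at the first one
    cut = int(len(pool) * local_share)    # number of addresses the local server keeps
    local = (str(pool[0]), str(pool[cut - 1]))
    remote = (str(pool[cut]), str(pool[-1]))
    return {
        "scope": {"range": (str(pool[0]), str(pool[-1]))},
        "branch_server": {"leases": local, "excludes": remote},
        "head_office_server": {"leases": remote, "excludes": local},
    }


def ranges_overlap(a: AddrRange, b: AddrRange) -> bool:
    """True when two inclusive address ranges share at least one address."""
    a_lo, a_hi = (ipaddress.ip_address(x) for x in a)
    b_lo, b_hi = (ipaddress.ip_address(x) for x in b)
    return a_lo <= b_hi and b_lo <= a_hi


def split_is_consistent(plan: Dict[str, Dict[str, AddrRange]]) -> bool:
    """Check that the two servers never lease the same address and together cover the scope.

    Two servers leasing overlapping ranges is the classic mistake with a
    duplicated scope: both hand out the same addresses and clients collide.
    """
    local = plan["branch_server"]["leases"]
    remote = plan["head_office_server"]["leases"]
    lo, hi = (ipaddress.ip_address(x) for x in plan["scope"]["range"])
    covered = (ipaddress.ip_address(local[0]) == lo
               and ipaddress.ip_address(local[1]) + 1 == ipaddress.ip_address(remote[0])
               and ipaddress.ip_address(remote[1]) == hi)
    return covered and not ranges_overlap(local, remote)


if __name__ == "__main__":
    plan = split_scope("10.10.32.0/25")   # first Branch 1 subnet from the addressing exercise
    for server in ("branch_server", "head_office_server"):
        print(server, "leases", plan[server]["leases"], "excludes", plan[server]["excludes"])
    print("consistent:", split_is_consistent(plan))
```

For 10.10.32.0/25 the branch server leases 10.10.32.2 to 10.10.32.101 and excludes the rest, while the head office scope for the same subnet leases 10.10.32.102 to 10.10.32.126 and excludes the branch share. The consistency check is the part worth keeping when scopes are edited later: an overlap between the two servers' lease ranges is what produces duplicate-address conflicts.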
Note: You might need to wait a few moments before you see the WINS record. Press
Refresh if needed.
Results: After this exercise, you should have successfully deployed branch office
network services.
Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.
Additional Information
The new company will continue to operate with dual names; that is, the Adatum and Contoso
brands are equally important.
It is anticipated that the existing Windows NT 4.0 domain controllers and server will be replaced as
part of the migration process.
Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server
2008?
Answer: Answers will vary. It seems sensible to base the plan on the assumption that the
domain controllers will be upgraded. This means that an AD DS solution can be implemented.
If you do not intend to upgrade the domain controllers, it will be necessary to establish
multiple external trust relationships between the AD DS domains in Adatum and the Windows
NT 4.0 domain in Contoso.
2. How many forests do you anticipate?
Answer: Answers will vary; either one or two forests. You could implement a single forest that
supports two trees: Adatum.com and Contoso.com. Alternatively, you could implement two
forests, one for each organization. The choice largely depends on how administration is to be
effected in the merged organization; if the two parts of the organization are to be separately
administered, then opt for two forests; otherwise, select one forest.
3. How many domains do you plan to implement?
Answer: Answers will vary. Currently, Adatum has a single domain. There is no compelling
reason the existing Windows NT 4.0 resource domains in Contoso could not be merged into a
single AD DS domain, using organizational units to manage resources.
4. How many trees do you envisage?
Answer: Answers will vary. Either a single tree per forest if you select two forests, or else two
trees in a single Adatum.com forest: Adatum.com and Contoso.com.
5. What trust relationships, aside from those created automatically, will you require?
Answer: Answers will vary. Assuming that you opt for a single forest, no additional trusts are
required. If you opted for two forests, then a pair of forest root trusts would be required. If you
opted to remain in Windows NT 4.0 mode, then many trusts would be required; without
additional information, it is difficult to assess precisely how many. Remember that in Windows
NT, trusts are one-way and non-transitive.
6. Provide a sketch of the completed forest.
Answer: A possible solution consisting of a single forest of two trees:
Results: After this exercise, you should have a completed Contoso Domain Migration
document.
Lab: Planning for Active Directory L3-27
Requirement Overview
To determine the placement and configuration of domain controllers and related
services at the western region sales offices.
Additional Information
It is important that in the event of a link failure between the head office and branch
offices, users are still able to log on to the network and access services.
Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices? How
many?
Answer: Yes, one domain controller per branch.
2. Will you deploy an RODC(s)?
Answer: The need for security is important; an RODC provides for a more
secure way of deploying a domain controller.
3. How will you optimize the directory replication for the branches?
Answer: Each branch will be represented in Active Directory by a site object.
4. How will domain controllers know in which branch they are located?
Answer: Subnet objects should also be created and associated with a site. The
domain controllers, and other computers, use their IP configuration to
determine their site location in Active Directory.
5. Do you anticipate the need for global catalog services?
Answer: Yes. Many services require access to global catalog.
6. How will you configure global catalog and DNS?
Answer: An RODC can support the global catalog and DNS role.
7. What additional Active Directory-related services are required to support the
branch office line-of-business applications?
Answer: A line-of-business application requires access to a directory service.
AD LDS might be suitable.
Results: After this exercise, you should have a completed Branch Office Planning
document.
10. In the Static IP assignment dialog box, click Yes, the computer will use a
dynamically assigned IP address (not recommended).
11. On the Specify the Password Replication Policy page, click Next.
12. On the Delegation of RODC Installation and Administration page, click
Next.
13. On the Install from Media page, click Next.
14. On the Source Domain Controller page, click Next.
15. On the Location for Database, Log Files, and SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, in
the Password box, type Pa$$w0rd.
17. In the Confirm password box, type Pa$$w0rd, and then click Next.
18. On the Summary page, click Next.
19. In the Active Directory Domain Services Installation Wizard, select the Reboot
on completion check box.
Results: After this exercise, you should have successfully deployed an RODC for the
Redmond sales office.
GPO name: Enforced Security. Settings: Block read and write access to removable drives. Link location: Domain - Enforced. Security filter: Lab computers group denied apply permission.
Results: After this exercise, you should have a completed Group Policy plan for
A. Datum.
L4-38 Module 4: Planning Group Policy
Results: After this exercise, you should have successfully implemented group policy.
Results: After this exercise, you should have a completed plan for implementing WSS
and Terminal Services.
L5-50 Module 5: Planning Application Servers
Results: After this exercise, you should have successfully implemented Windows
SharePoint Services and verified the configuration.
Lab: Planning Application Servers L5-53
Note: In a production environment, you would configure the group policy setting by
using a GPO rather than the local Group Policy.
Results: After this exercise, you should have successfully implemented a Terminal
Server and distributed a Terminal Services application.