
OFFICIAL MICROSOFT LEARNING PRODUCT

6430B
Planning for Windows Server
2008 Servers
Volume 1

Be sure to access the extended learning content on your Course Companion CD enclosed on the
back cover of the book.
ii Planning for Windows Server 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront,
Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight,
SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media,
Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Product Number: 6430B

Part Number: X16-25882

Released: 11/2009
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft updates, supplements, Internet-based services, and support
services for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
o becomes publicly known through no wrongful act;
o you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
o you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
o The use of the Academic Materials will be only for your personal reference or training use;
o You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
o You will include the Academic Materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
o install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
o allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
o copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
o disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
o work around any technical limitations in the Licensed Content;
o reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
o make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
o publish the Licensed Content for others to copy;
o transfer the Licensed Content, in whole or in part, to a third party;
o access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
o rent, lease or lend the Licensed Content; or
o use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
o anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of
this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law, which this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers compensation for direct damages only, up to U.S. $5.00. You cannot claim any compensation
for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the Licensed Content, to services or to content (including code) on third
party Internet sites or in third party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If
your country does not allow the exclusion or limitation of liability for indirect, incidental or other
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change your rights under the laws of your country if
those laws do not permit it to do so.
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a
student preparing for a career in IT.

Microsoft Certified Trainers and Instructors. Your instructor is a technical and
instructional expert who meets ongoing certification requirements. And, if instructors
are delivering training at one of our Certified Partners for Learning Solutions, they are
also evaluated throughout the year by students and by Microsoft.

Certification Exam Benefits. After training, consider taking a Microsoft Certification
exam. Microsoft Certifications validate your skills on Microsoft technologies and can help
differentiate you when finding a job or boosting your career. In fact, independent
research by IDC concluded that 75% of managers believe certifications are important to
team performance¹. Ask your instructor about Microsoft Certification exam promotions
and discounts that may be available to you.

Customer Satisfaction Guarantee. Our Certified Partners for Learning Solutions offer
a satisfaction guarantee and we hold them accountable for it. At the end of class, please
complete an evaluation of today's experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely,

Microsoft Learning
www.microsoft.com/learning

¹ IDC, Value of Certification: Team Certification and Organizational Performance, November 2006

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.

Andy Warren, Subject Matter Expert
Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience
in the IT industry, many of which have been spent in writing and teaching. He has
been involved as the subject matter expert (SME) for the 5115B course for
Windows Vista and the technical lead on a number of other courses. He also has
been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in
the United Kingdom, he runs his own IT training and education consultancy.

Byron Wright, Subject Matter Expert
Byron Wright is a partner in a consulting firm, where he performs network
consulting, computer systems implementation, and technical training. Byron is also
an instructor for the Asper School of Business at the University of Manitoba,
teaching management information systems and networking. Byron has authored
and coauthored a number of books on Windows servers, Windows Vista, and
Exchange Server, including the Windows Server 2008 Active Directory
Resource Kit.

Contents
Volume 1
Module 1: Planning Windows Server 2008 Deployment
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60

Module 2: Planning Network Infrastructure for Windows Server 2008
Lesson 1: Planning IPv4 Addressing 2-3
Lesson 2: Planning for Name Resolution Services 2-14
Lesson 3: Determining the Need for WINS 2-27
Lesson 4: Planning a Perimeter Network 2-37
Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42
Lab: Planning Network Infrastructure for Windows Server 2008 2-50

Module 3: Planning for Active Directory
Lesson 1: Selecting a Domain and Forest Topology 3-3
Lesson 2: Selecting a Domain and Forest Functional Level 3-19
Lesson 3: Planning Identity and Access Services in Active Directory 3-27
Lesson 4: Implementing Active Directory in the Physical Network 3-37
Lab: Planning for Active Directory 3-48

Module 4: Planning for Group Policy
Lesson 1: Planning Group Policy Application 4-3
Lesson 2: Planning Group Policy Processing 4-13
Lesson 3: Planning the Management of Group Policy Objects 4-24
Lesson 4: Planning the Management of Client Computers 4-37
Lab: Planning for Group Policy 4-52

Module 5: Planning Application Servers
Lesson 1: Overview of Application Servers 5-3
Lesson 2: Supporting Web-Based Applications 5-17
Lesson 3: Supporting SQL Server Databases 5-30
Lesson 4: Deploying Client Applications 5-48
Lesson 5: Planning Terminal Services 5-55
Lab: Planning Application Servers 5-64

Lab Answer Keys
Module 1 Lab: Planning a Windows Server 2008 Deployment L1-1
Module 2 Lab: Planning Network Infrastructure for
Windows Server 2008 L2-13
Module 3 Lab: Planning for Active Directory L3-25
Module 4 Lab: Planning for Group Policy L4-35
Module 5 Lab: Planning Application Servers L5-47

Volume 2
Module 6: Planning File and Print Services
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66

Module 7: Planning Server and Network Security
Lesson 1: Overview of Defense-in-Depth 7-3
Lesson 2: Planning for Windows Firewall with Advanced Security 7-11
Lesson 3: Planning Protection Against Viruses and Malware 7-24
Lesson 4: Planning Remote Access 7-38
Lesson 5: Planning for NAP 7-45
Lab: Planning Server and Network Security 7-59

Module 8: Planning Server Administration
Lesson 1: Selecting the Appropriate Administration Tool 8-4
Lesson 2: Planning Server Core Administration 8-17
Lesson 3: Delegating Administration 8-27
Lab: Planning Server Administration 8-34

Module 9: Planning and Implementing Monitoring and Maintenance
Lesson 1: Planning Monitoring Tasks 9-3
Lesson 2: Calculating a Server Baseline 9-9
Lesson 3: Tools for Monitoring Server Performance 9-17
Lesson 4: Planning Software Updates 9-29
Lab: Planning and Implementing Monitoring and Maintenance 9-40

Module 10: Planning High Availability and Disaster Recovery
Lesson 1: Choosing a High-Availability Solution 10-3
Lesson 2: Planning a Backup and Restore Strategy 10-23
Lab: Planning High Availability and Disaster Recovery 10-34

Module 11: Planning Virtualization
Lesson 1: Overview of Server Virtualization 9-4
Lesson 2: Business Scenarios for Server Virtualization 9-13
Lesson 3: Overview of System Center Virtual Machine Manager 9-20
Lesson 4: Planning Host Resources 9-31
Lab: Planning Virtualization 9-42

Lab Answer Keys
Module 6 Lab: Planning File and Print Services L6-57
Module 7 Lab: Planning Server and Network Security L7-69
Module 8 Lab: Planning Server Administration L8-87
Module 9 Lab: Planning and Implementing Monitoring and
Maintenance L9-95
Module 10 Lab: Planning High Availability and Disaster Recovery L10-103
Module 11 Lab: Planning Virtualization L11-113
About This Course i

MCT USE ONLY. STUDENT USE PROHIBITED


About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
This three-day instructor-led course is intended for IT pros who are interested in
the knowledge and skills necessary to plan a Windows Server 2008 operating
system infrastructure. This course is aimed at server administrators and is not a
how-to course; therefore, it has a significant number of planning exercises with
less focus on hands-on exercises than some courses.
The course content and exercises direct you toward making decisions and
providing guidance to others. This course reflects the decision-making tasks that a
server administrator undertakes.
Server administrators often act as an escalation point and sit between the technical
specialist role and architect role.

Audience
This course is intended for a server administrator who:
Is moving from a technical-specialist role to a decision-making role.
Wants to acquire the necessary knowledge to be able to plan for Windows
Server 2008 servers.

Student Prerequisites
You should have up to one year of experience with implementing server plans,
although you have probably not yet had full responsibility for planning.
This course requires that you meet the following prerequisites:
Skills equivalent to course 6418A (deployment): installation and
configuration of Windows Server 2008, Windows Deployment Services, and
Active Directory directory service upgrades
Skills equivalent to course 6420A (networking fundamentals): TCP/IP
configuration, server administration, and network and data security
Skills equivalent to course 6421A (core network infrastructure training):
Domain Name System (DNS) configuration, Windows Internet Name Service
(WINS) configuration, IPv6 transition, remote access, network policies,
Network Access Protection (NAP), and Distributed File System (DFS)
Skills equivalent to course 6424A (Active Directory fundamentals): configure
Active Directory Domain Services (AD DS), configure Active Directory
Lightweight Directory Services (AD LDS), configure Active Directory
Certificate Services (AD CS), configure Active Directory Federation Services
(AD FS), and create users and groups
Skills equivalent to course 6425A (core Active Directory training): configure
AD DS security, trusts, sites, replication, and Group Policy
Up to one year of experience implementing server plans

Course Objectives
After completing this course, students will be able to:
Plan for both Windows Server 2008 installation and upgrade from a previous
version of Windows Server to Windows Server 2008.
Plan and implement network connectivity in Windows Server 2008 by using
IPv4-related technologies and plan a migration strategy to IPv6.
Plan the deployment of Active Directory-related services in Windows Server
2008.
Apply the design considerations for implementing Group Policy.
Plan the configuration of different application services in Windows Server
2008.
Create a plan for file and print services to meet an organization's printing, file
storage, and access needs.
Create a plan to secure the Windows Server 2008 environment.
Create local and remote administration strategies for administering a Windows
Server 2008 environment.
Create a monitoring plan for the Windows Server 2008 environment.
Create a plan that will help mitigate the effects of various disaster scenarios on
the IT infrastructure.
Create a plan for using virtualization in a Windows Server 2008 environment.
Course Outline
This section provides an outline of the course:
Module 1: Planning Windows Server 2008 Deployment
Module 2: Planning Network Infrastructure for Windows Server 2008
Module 3: Planning for Active Directory
Module 4: Planning for Group Policy
Module 5: Planning Application Servers
Module 6: Planning File and Print Services
Module 7: Planning Server and Network Security
Module 8: Planning Server Administration
Module 9: Planning and Implementing Monitoring and Maintenance
Module 10: Planning High Availability and Disaster Recovery
Module 11: Planning Virtualization
Course Materials
The following materials are included with your kit:
Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly-focused format, which is just
right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key
points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the
knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference
material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your
fingertips when it is needed.
Course Companion CD. Searchable, easy-to-navigate digital content with
integrated premium online resources designed to supplement the Course
Handbook.
Lessons: Include detailed information for each topic, expanding on the
content in the Course Handbook.
Labs: Include complete lab exercise information and answer keys in digital
form to use during lab time.
Resources: Include well-categorized additional resources that give you
immediate access to the most up-to-date premium content on TechNet,
MSDN, and Microsoft Press.
Student Course Files: Include the Allfiles.exe, a self-extracting executable
file that contains all the files required for the labs and demonstrations.

Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification
Program, send e-mail to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration
In this course, you will use Microsoft Virtual Server 2005 R2 with the Microsoft
Lab Launcher to perform the labs. There is also an optional lab in Module 11
that you may or may not want to complete. This optional lab is based on
Microsoft Hyper-V, so to run it you must meet the hardware and software
requirements for installing Hyper-V. Hardware details are included in the
Hardware Level 6 specification below, and other considerations can be found
here:
Hyper-V: http://go.microsoft.com/fwlink/?LinkId=168247

The software required for the Module 11 lab but not included in the training
materials is:

Windows Server 2008 64-bit operating system

This software can be obtained from the Microsoft Partner Program via the Partner
Program Action Pack; detailed information is available at
https://partner.microsoft.com.

Important: When shutting down the virtual machines in Lab Launcher, the default
setting is Shut Down The Virtual Machine And Save Changes. You should inform
students not to take the default setting but rather to take their time when shutting
down the virtual machines and make sure they select the bottom option in the list,
Turn Off Machines And Discard Changes, at the end of each lab.

To close a virtual machine without saving the changes on Hyper-V, perform the
following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Classroom Setup
Each classroom computer will have the same virtual machines configured in the
same way.

Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware are taught.
This course is a Hardware Level 5.5 course with additional random access memory
(RAM). Please see the classroom setup guide for detailed hardware specs. As stated
earlier, there is also an optional lab included in Module 11 that you may or may
not want to complete. This optional lab is based on Hyper-V.

Important: Hardware Level 5.5 normally defines 2 GB of RAM in the host machine.
This course has been modified to run by default under the assumption that 4 GB
RAM is available in the host machine, so the default configuration on installation
and boot-up expects 4 GB RAM. For detailed steps on how to set up this
environment, follow the steps outlined in the Classroom Configuration Hardware
Level 5.5 with 4 GB RAM section in the classroom setup guide.

If you do not have 4 GB RAM available in the student machines, you will need to
follow alternative setup steps. An alternative LauncherSettings.config file is provided
with the course; it redefines the RAM values for each of the virtual machines so that
they boot and run within the normal Hardware Level 5.5 allocation of 2 GB RAM in
the host machine. For details on how to set up the classroom where only 2 GB is
available in the student machines, see the section of the classroom setup guide that
covers the 2 GB RAM configuration.

It is also highly recommended that you read the MSL Lab Launcher Getting Started
Guide, which is available in the MCT Download Center. This contains information
about how to install and customize the MSL Lab Launcher in general terms and will
be complementary to what is contained in this course-specific setup guide.
Important (continued): The optional lab in Module 11 requires Hardware Level 6
to facilitate the setup of Hyper-V. If this hardware is not available, the lab also has
a paper-based element that can still be completed.

Each classroom computer will serve as the host for four virtual machines that will
run in Virtual Server 2005 R2 SP1.
The following are the virtual machines, brief descriptions, and the RAM allocation
to each of them for the default installation, that is, 4 GB RAM available on the host
machine.

Virtual machine    Description                                        RAM (MB)
6430B-SEA-DC1      Domain controller in the adatum.com domain            1,024
6430B-SEA-SVR1     Windows Server in the adatum.com domain               1,024
6430B-SEA-SVR2     Windows Server in the adatum.com domain               1,024
6430B-SEA-CL1      Windows Vista computer in the adatum.com domain         768

Estimated time to set up the classroom: 120 minutes

The following are the virtual machines, brief descriptions, and the RAM allocation
to each of them for the nondefault installation, that is, 2 GB RAM available on the
host machine.

Virtual machine    Description                                        RAM (MB)
6430B-SEA-DC1      Domain controller in the adatum.com domain              512
6430B-SEA-SVR1     Windows Server in the adatum.com domain                 384
6430B-SEA-SVR2     Windows Server in the adatum.com domain                 384
6430B-SEA-CL1      Windows Vista computer in the adatum.com domain         384

Estimated time to set up the classroom: 140 minutes


Below are listed both Hardware Level 5.5 and Hardware Level 6. As stated earlier,
there is also an optional lab in Module 11 that requires Hardware Level 6.
Hardware Level 5.5
Pentium IV 2.4-gigahertz (GHz) processor
PCI 2.1 bus
4 GB of RAM
At least two 40 GB hard disks, 7,200 RPM
DVD drive
Non-Industry Standard Architecture (ISA) network adapter: 10/100 megabits
per second (Mbps), full duplex required
16 megabyte (MB) video adapter (32 MB recommended)
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
Projection display device that supports SVGA 800 x 600, 256 colors

In addition, the instructor computer must be connected to a projection display
device that supports SVGA 800 x 600 pixels, 256 colors.

Note: All virtual machines in this course were developed with a resolution of 1024 x
768.

Hardware Level 6
Pentium IV 2.4 GHz processor *
PCI 2.1 bus
4 GB of RAM
At least two 40 GB hard disks, 7,200 RPM
DVD drive
Non-ISA network adapter: 10/100 Mbps, full duplex required
16 MB video adapter (32 MB recommended)
SVGA 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
Projection display device that supports SVGA 800 x 600, 256 colors

In addition, the instructor computer must be connected to a projection display
device that supports SVGA 800 x 600 pixels, 256 colors.
* A 64-bit system with hardware-assisted virtualization enabled and data execution
prevention (DEP) available is required to install Hyper-V.
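As an added illustration that is not part of the course materials, the following PowerShell snippet checks a prospective host against the Hyper-V prerequisites in the footnote above: a 64-bit operating system and processor, DEP available, and, where the host can report it, hardware-assisted virtualization enabled in firmware. The function name Test-HyperVHostPrereqs is our own. The WMI classes and properties it reads are standard, with one caveat: VirtualizationFirmwareEnabled and HypervisorPresent exist only on Windows 8 and Windows Server 2012 and later, so on a Windows Server 2008 host they come back empty and the virtualization setting must be confirmed in the BIOS instead.

```powershell
# Added example, not from the course materials: pre-flight check of a prospective
# Hyper-V host against the Hardware Level 6 footnote (64-bit, hardware-assisted
# virtualization enabled, DEP available). The function name is our own choice.
function Test-HyperVHostPrereqs {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $cs  = Get-WmiObject -Class Win32_ComputerSystem

    # A hashtable rather than a custom object so the snippet also runs on
    # PowerShell 1.0, the version offered as an optional feature on Windows Server 2008.
    @{
        Is64BitOS         = ($os.OSArchitecture -like '64*')
        Is64BitCPU        = ($cpu.AddressWidth -eq 64)
        # Hardware NX/XD support as seen by Windows; Hyper-V requires it.
        DepAvailable      = [bool]$os.DataExecutionPrevention_Available
        # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
        DepPolicy         = $os.DataExecutionPrevention_SupportPolicy
        # The next two properties exist only on Windows 8 / Server 2012 and later;
        # on a Windows Server 2008 host they are $null and the BIOS must be checked.
        VtFirmwareEnabled = $cpu.VirtualizationFirmwareEnabled
        HypervisorPresent = $cs.HypervisorPresent
        RamGB             = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    }
}

$r = Test-HyperVHostPrereqs
$r.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if (-not ($r.Is64BitOS -and $r.Is64BitCPU -and $r.DepAvailable)) {
    Write-Warning 'Host does not meet the 64-bit plus DEP requirement for Hyper-V.'
}
if ($r.VtFirmwareEnabled -eq $false) {
    Write-Warning 'Hardware-assisted virtualization is disabled in firmware.'
}
if ($r.HypervisorPresent -eq $true) {
    Write-Warning 'Another hypervisor is already present on this host.'
}
if ($r.RamGB -lt 4) {
    Write-Warning 'Less than 4 GB RAM; Hardware Level 6 specifies 4 GB.'
}
```

Run it in an elevated PowerShell session on the candidate host before enabling the Hyper-V role. A $null VtFirmwareEnabled is not a failure; it only means the operating system cannot report the firmware setting and you must verify it in BIOS setup.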
Module 1
Planning Windows Server 2008 Deployment
Contents:
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60
Module Overview

The deployment of Windows Server 2008 must be carefully planned before it is
performed. This includes identifying the change management process to be used,
identifying the appropriate edition of Windows Server 2008, and evaluating
hardware considerations and applications considerations. Automating the
deployment of Windows Server 2008 with answer files or other technologies
should be evaluated. Failure to properly plan the deployment of Windows Server
2008 could result in downtime to critical business systems.

Objectives
After completing this module, you will be able to:
Describe how change management affects a deployment project.
Plan the deployment of a single computer running Windows Server 2008.
Describe how to perform a single-server installation.
Determine how to automatically deploy Windows Server 2008.
Lesson 1
Overview of Change Management

Change management is an essential part of information technology management
for any organization. Using a change management process consistently results in
greater uptime for systems and faster troubleshooting processes. Two common
frameworks for managing change are the Information Technology Infrastructure
Library (ITIL) and Microsoft Operations Framework (MOF). Regardless of the
framework you use, a service-level agreement (SLA) is used to define characteristics
of service support and availability. Microsoft also provides specific guidance for
implementing technologies in Microsoft Solution Accelerators.

Objectives
After completing this lesson, you will be able to:
Describe change management and its benefits.
Describe the considerations for change management.
Describe MOF.
Describe ITIL.
Describe SLAs.
Describe Microsoft Solution Accelerators.
Discussion: What Is Change Management?

Key Points
Change management is the process by which changes are approved, implemented,
and monitored. Some additional steps in formal processes might include a request
for change and change classification as part of the approval process. The change
management process varies widely for different organizations. In larger
organizations, change management is a formal process and can require that a
change-approval board approve all system changes. The board documents all
changes and when they are to occur. In smaller organizations, the process is often
less formal, only requiring the verbal approval of the manager responsible for
information systems.

Question: What is change?

Question: How does your organization address change management?

Question: Are there some situations in which change management is more
important than others?

Question: What are the benefits of a formal change management process?

Question: Are there situations in which the normal change process cannot be
followed?
Considerations for Managing Change

Key Points
Changes to any information system should be made in an organized and
controlled manner. The details of the change management process that you use are
less important than defining a process and using it consistently. A consistent
process ensures that all the necessary approvals are gathered before the change is
implemented and that impact on other systems is avoided.
Successful Change Management
For a change management process to be successful, it must be supported by the
organization. Using the change management process cannot be optional. All staff
must follow the change management procedures. If the change management
process is not enforced and communicated properly, most of the staff will stop
using it over time.
When a change management process is first implemented, many of the
information technology staff will complain about the level of bureaucracy involved.
However, after the initial adjustment in expectations has been made, information
technology staff frustration will be reduced.
Question: Do you like using change management procedures?

Question: Do you see the value in using change management procedures in your
organization?
What Is ITIL?

Key Points
ITIL was originally a set of about 60 books developed in the late 1980s by a
consortium of industry leaders as a set of best practices for IT. These books
described the IT processes defined by ITIL and the interdependencies among them.
Development of the library was sponsored by the United Kingdom government,
through the agency that later became the Office of Government Commerce (OGC).
ITIL version 3 was released in 2007.
ITIL is a de facto standard for IT service management. It is widely implemented by
large and medium-sized organizations. In addition to the ITIL books, ITIL
certification is also available.
ITIL Characteristics
ITIL is process oriented, meaning that it focuses on processes in IT organizations
rather than on such things as technology. Processes stress the importance of
objectives. Each ITIL process has a clearly defined objective, together with inputs
and outputs. Processes often involve more than one organizational unit. They can
help the IT organization to identify activities that are well-planned and well-
executed, on the one hand, and those that are carried out without any
coordination, in duplication, unnecessarily, or not at all, on the other.
Other ITIL characteristics include:
A striving for quality of service through continual improvement
A customer focus that includes understanding the needs of the business
Best practices for IT management
Independence of any specific technology
Descriptive guidance at a high level rather than detailed guidance, to preserve
adaptability to your organization

For more details about ITIL, talk to your local training center. You can
also find more information at the official ITIL Web site at
http://go.microsoft.com/fwlink/?LinkID=160967&clcid=0x409.

Question: Does your organization use ITIL?

What Are ITIL Books?

Key Points
ITIL is a large set of documentation describing best practices for IT service
management. ITIL version 3 was released in 2007 and contains five core books.
Each book covers a different stage of the service life cycle. Additional books
providing more detail are provided for specialized topics related to the five core
books. The five core books are:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Service Strategy
Service Strategy is the core of the ITIL model for IT service management. A service
strategy defines which services are offered by IT, who the services are for, and how
performance will be measured. When building this strategy, you must consider
the value of services and how customers (users or departments within your
organization) perceive that value. This varies between organizations based on not
only the business processes that are in place, but also based on organizational
culture.
Service Design
Whereas Service Strategy helps to define what services should be offered, Service
Design helps you decide in what way they will be offered. Outcomes of service
design include a service-level agreement, a process for supplier management, and a
plan for security. When creating a service design, you need to consider:
Business requirements
Risks and mitigation
Performance measurement
Policies and procedures
IT skills and capability

Service Transition
Service Transition takes the service design and implements it in a way that
meets all requirements of the design. This includes not only requirements
during normal operational use, but also requirements for disaster recovery. One of
the key processes that must be defined for service transition, and one of its key
challenges, is change management. The services must also be tested as they are
implemented.
Service Operation
From the customer perspective, service operation is when value is delivered.
Processes for ongoing maintenance of the applications and infrastructure are
defined. Processes for incident management and the service desk must also be in
place. Effective management of ongoing incidents is essential for customer
satisfaction.
Continual Service Improvement
In any system or set of processes, there are opportunities to create additional
value through continual improvement. In the ITIL books, Continual Service
Improvement wraps around the other processes. For long-term success, an
organization must be constantly looking for ways to improve service to provide
additional value for customers.
The key to continual service improvement is the selection of metrics that can be
used to track progress. For each service, you must have metrics that allow you to
determine whether performance is improving or not. The metrics you select need
to relate directly to the value perceived by the customer. For example, IT staff
might want to track CPU utilization on a server, which has no inherent value to the
customer. A more appropriate measure would be how quickly an application
responds to user requests. One cause of slow performance could be CPU
utilization.
What Is MOF?

Key Points
The Microsoft Operations Framework (MOF) process model describes a life cycle
that can be applied to systems of any size and related to any service solution. The
model groups similar information technology management functions called service
management functions (SMFs) into four quadrants.
The following describes the four quadrants in detail, giving the mission of each
and its associated operations management review:

Changing
Mission of service: Introduce new service solutions, technologies, systems,
applications, hardware, and processes.
Operations management review: The release readiness review provides approval
to deploy the fully developed and tested release.

Operating
Mission of service: Execute day-to-day tasks effectively and efficiently.
Operations management review: The operations review is scheduled periodically
to evaluate the information technology staff's ability to maintain a specific
service, meet service-level requirements, and document its experience in a
knowledge base.

Supporting
Mission of service: Resolve incidents, problems, and inquiries quickly.
Operations management review: The service-level agreement (SLA) evaluation is
performed periodically and evaluates the information technology staff's ability
to meet the service-level requirements defined in the SLA.

Optimizing
Mission of service: Drive changes to optimize cost, performance, capacity, and
availability in the delivery of information technology services.
Operations management review: The change initiation review increases the
likelihood that proposed changes are in alignment with business objectives and
operability requirements.

Note: MOF extends the best practices found in ITIL by including guidance and best
practices derived from the experience of Microsoft operations groups, partners, and
customers.

For more information about MOF, see the Microsoft Solution Accelerator for MOF
on the Microsoft TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160865&clcid=0x409.
What Is Project Management?

Key Points
Project management is a set of techniques used to achieve a desired result on time,
within budget, and according to specification. The project management process
includes planning, estimating, and controlling all of the activities required to attain
the required end result. A key aspect of projects is that they have a limited scope
that is to be completed within a defined timeframe, meaning that they are
temporary and not ongoing.
The idea of project management is that, regardless of the project being completed,
there are a consistent set of procedures that help to ensure that the project is
completed successfully. The same set of procedures can be used to ensure success
for the building of a bridge as for the building of a new information system.
The stages of project management are:
Initiation (scoping)
Planning and design
Executing
Monitoring and controlling
Closing

Initiation
During initiation, you must identify the deliverables that define when the
project has been completed. At this stage, you also obtain approval from senior
management for the project based on the benefits to the organization. High-level
planning for resources is also performed.
Planning and Design
During planning and design, you create a detailed plan of what needs to be
performed and when. The overall project is broken down into tasks. Then, based
on the tasks, you can define the required resources and schedule when activities
need to occur. As part of this process, a critical path is defined. The critical path
determines the shortest time frame in which the project can be completed.
Executing
During execution, the tasks determined in the plan are performed. The project
manager is responsible for assuring that the necessary resources are available and
that each task is assigned to an appropriate resource. Gantt charts are typically
used to show what tasks are being performed at a given time.
Monitoring and Controlling
Monitoring and controlling are the processes used to supervise the completion of
tasks performed during execution. These processes are essential for identifying
potential problems as early as possible so that they can be corrected. One example
of monitoring is regular progress meetings to identify any tasks that are not being
completed on time or that require additional resources.
Closing
At the close of a project, you must verify that all deliverables are completed and
obtain client acceptance of those deliverables. Closing should also include the
completion of all documentation related to the project such as meeting minutes,
change control documentation, and testing documentation.
An important part of closing is a post-implementation review. This review helps
you to learn from the project by identifying positive processes that can be used
again. It also allows you to identify mistakes so that you do not repeat them on the
next project.

There are a number of different project management methodologies that can be
used. One of the most commonly used is PRINCE2 (Projects IN Controlled
Environments). For more information about PRINCE2, see the PRINCE2 Web site at
http://go.microsoft.com/fwlink/?LinkID=166904&clcid=0x409.
What Are Service-Level Agreements?

Key Points
An SLA is an agreement between an IT group and an organization. It is important
to define an SLA early, because it documents the service expectations and
requirements that an organization expects the IT service provider to deliver. An
SLA might be written for the availability of a specific system component, a specific
service, or an entire system.
SLA Agreements and Change Management
An SLA should include a regular time that maintenance can be performed. During
the scheduled maintenance time, the system is not expected to be available. This is
typically when changes are implemented. The maintenance window may be daily,
weekly, or monthly, and may range from only a few minutes to a few hours.
When a major change such as a server migration is implemented, an additional
service outage may need to be negotiated as part of the change. For example, if a
file server has a one-hour daily maintenance window, and migrating data to a new
file server will take several hours, an additional outage must be negotiated.
Types of SLAs
Internal SLAs
An internal SLA is between the IT department and other departments in the
same organization.
External SLAs
External SLAs are legally binding contracts and are more formal than internal
SLAs. An external SLA may have more structure, usually including cost and
bonus clauses and sometimes penalty clauses. However, an external SLA
always includes the service's specific cost and deliverables, which often include
availability and security services.
Informal SLAs
Not all SLAs are contracts with formal terms and conditions. In some cases,
service-level expectations are based on a verbal agreement between the IT
provider and the organization. This is an informal SLA, and often these types
of agreements develop over time through casual conversations with the IT
provider. An internal agreement is often informal in smaller organizations.
What Are Microsoft Solution Accelerators?

Key Points
Microsoft Solution Accelerators are free tools and guidance from Microsoft on how
to implement Microsoft technologies. If you are planning the implementation of
any new Microsoft technology, you should review the Microsoft Solution
Accelerators for content relevant to the new technology.
Some of the Microsoft Solution Accelerators relevant to Windows Server 2008 are:
Microsoft Assessment and Planning Toolkit
Infrastructure Planning and Design Guides for Windows Server
Microsoft Deployment Toolkit 2008
Windows Server 2008 Security Compliance Management Toolkit
Hyper-V Security Guide
The Microsoft Solution Accelerators are found on the TechNet Web site
at http://go.microsoft.com/fwlink/?LinkID=165474&clcid=0x409.
Lesson 2
Planning a Single-Server Installation

When you introduce Windows Server 2008 into your organization, you need to
determine which edition of Windows Server 2008 meets your needs. You also need
to consider the licensing requirement for Windows Server 2008. Some of the other
topics you need to consider are activation, virtualization, and consolidation of
server roles.
Objectives
After completing this lesson, you will be able to:
Select an appropriate edition of Windows Server 2008.
Describe the Microsoft licensing programs.
Describe the considerations for client access licenses.
Describe the considerations for virtualization.
Describe the considerations for server activation.
Describe the considerations for consolidating server roles.
Describe the Microsoft Assessment and Planning Toolkit.
Windows Server 2008 Editions

Key Points
Windows Server 2008 is available in several different editions to meet the unique
needs of different organizations. Each edition is priced differently, has different
support for hardware, and supports different features. You select the edition based
on your requirements for hardware support and features.
The most common editions of Windows Server 2008 are:
Windows Web Server 2008. This low-cost edition is meant to be used as a
Web application server. It supports up to four processors and 32 GB of RAM
(4 GB on 32-bit systems). It cannot be used as a domain controller.
Windows Server 2008 Foundation. This low-cost edition is meant to be used
in small offices with limited requirements. It is sold only by original equipment
manufacturers (OEMs), not at retail outlets or through volume licensing. It
supports only a single 64-bit processor and 8 GB of RAM. Infrastructure roles
are supported.
Windows Server 2008 Standard. This edition supports up to four processors
and 32 GB of RAM (4 GB on 32-bit systems). Failover clustering and cross-file
replication for distributed file system (DFS) are not supported.
Windows Server 2008 Enterprise. This edition supports up to eight
processors and 2 TB of RAM (64 GB on 32-bit systems). Failover clustering
and cross-file replication for DFS are supported. Hot add memory is also
supported. This edition is typically used in larger organizations that require
these features.
Windows Server 2008 Datacenter. This edition supports up to 64 processors
(32 on 32-bit systems) and 2 TB of RAM (64 GB on 32-bit systems). All
features of Windows Server 2008 Enterprise are supported, as well as hot
replace memory, hot add processors, and hot replace processors. This edition
is typically used in larger organizations that require these features.

For more detailed information about the various editions of Windows Server 2008,
see the Overview of Edition page on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=166905&clcid=0x409.
Ways to Obtain Licenses

Key Points
There are three main ways that you can obtain licenses for Windows Server 2008:
Retail. These licenses are purchased from an online or physical retailer. This
type of licensing is typically used by small organizations that are purchasing a
limited number of licenses.
OEM. These licenses are purchased with new hardware. The cost of these
licenses is typically less than retail, but the licenses cannot be moved from one
computer to another.
Volume license. Microsoft has a variety of volume license programs for
purchasing multiple copies of Microsoft software. The cost of these licenses is
typically less than retail but more than OEM licensing. Some volume licensing
options are subscription based rather than purchased outright. Software Assurance
is also available. For larger organizations, one key benefit of volume licensing
is simplifying the licensing process.
Software Assurance benefits vary depending on the type of volume licensing
purchased. In all cases, it includes new version rights for software, e-learning, and
product support. Other features may include an employee purchase program and
consulting services.
Regardless of how you obtain your server licenses, you are eligible to use a
previous version of Windows if required. This is referred to as a downgrade right.
For example, if you have an application that runs only on Windows Server 2003
and not Windows Server 2008, you can purchase a Windows Server 2008 license
and install Windows Server 2003 instead.

For more information about licensing, see the Windows Server 2008
Licensing Overview on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=160956&clcid=0x409.

For more information about Software Assurance, see Microsoft Software
Assurance on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=166906&clcid=0x409.
Considerations for Client Access Licenses

Key Points
Client access licenses (CALs) are required for all devices and computers that
communicate with the Standard, Enterprise, and Datacenter editions of Windows
Server 2008. When you introduce Windows Server 2008 to your organization, you
must also update the CALs.
CALs are not required in the following circumstances:
When access is through the Internet and is anonymous or unauthenticated, for
example, when access is through a Web site that does not have a user logon.
When access is to Windows Web Server 2008. Not requiring CALs in this
instance allows you to run Web sites requiring authentication to the local Web
server.
When access is to Windows Server 2008 Foundation. An alternative licensing
scheme is used for Windows Server 2008 Foundation that does not use CALs.
Per-Server and Per-Seat Licensing
When you install a server, you can select whether to use per-server or per-seat
licensing. Per-server licensing requires a server to have a CAL for each user who is
accessing it simultaneously. Per-seat licensing requires each user or device to have
only one CAL to access any number of servers. In general, per-seat licensing is
advantageous if you have users or devices accessing multiple servers.
User and Device CALs
If you use per-seat licensing, you can purchase either user or device CALs. A user
CAL allows a specific person to access the server. It cannot be shared between
multiple users, even if they are not logged on at the same time. However, a single
user can access the server from multiple devices by using a single CAL. A device
CAL allows a specific device to access the server. It can be shared between multiple
users of the same device. In general, a device CAL is more useful in environments
where workers use the devices in shifts.
Other Types of CALs
If you are accessing Terminal Services, you must have a Terminal Services CAL
in addition to the Windows Server CAL.
If you are using Rights Management Services, a Rights Management Services
CAL is required.
In some cases, an External Connector (EC) license can be used instead of
CALs.
Considerations for Virtualization

Key Points
Hyper-V is a server role available in the Standard, Enterprise, and Datacenter
editions of Windows Server 2008. It allows Windows Server 2008 to act as a
virtualization host for virtual machines. It is possible to purchase these editions of
Windows Server 2008 without Hyper-V included. However, the price discount is
very small. Hyper-V is only available for 64-bit versions of Windows Server 2008.
When you purchase a single-server license for the Standard, Enterprise, or
Datacenter edition of Windows Server 2008, your license includes virtual image
use rights:
Windows Server 2008 Standard includes one virtual image license. This means
that you can install one physical and one virtual version of Windows Server
2008 Standard on the same physical server.
Windows Server 2008 Enterprise includes four virtual image licenses. This
means that you can install one physical and four virtual versions of Windows
Server 2008 Standard on the same physical server.
Windows Server 2008 Datacenter includes unlimited virtual image licenses.
This means that you can install one physical and unlimited virtual versions of
Windows Server 2008 Standard on the same physical server. Using Windows
Server 2008 Datacenter on virtualization hosts can greatly simplify the
licensing of servers.

Note: The virtual image use rights include downgrade rights to run previous versions of
Windows Server. For example, a Hyper-V host running Windows Server 2008 Enterprise
could have a Windows Server 2003 virtual machine as one of the virtual machines
included in the virtual image use rights.

CALs are also a concern when you implement Hyper-V for virtualization. If you are
hosting a virtual machine on a Hyper-V host running Windows Server 2008, any
user accessing the virtual machine must have a Windows Server 2008 CAL. For
example, if a Windows Server 2003 virtual machine is hosted on a Hyper-V host,
all users or devices accessing the Windows Server 2003 virtual machine must have
a Windows Server 2008 CAL.
Considerations for Server Activation

Key Points
Product activation is used by Microsoft to prevent casual copying of software.
Windows Server 2008 is one software product that must be activated. This is a
separate process from product registration.
Activation associates a specific set of hardware to a product key to ensure that the
product key is not reused on an unauthorized computer. However, no identifying
information is included as part of the activation process.
Initial activation can be performed over the Internet or by phone. If your server has
access to the Internet, that is the preferred method, because activation over the
Internet takes only a few moments. If your server does not have access to the
Internet, you must activate by telephone, which takes about ten minutes in most
cases.
Unactivated Systems
If you do not activate a new server, after a grace period of 60 days the system will
be unlicensed. The desktop background will change to black, and you will receive
persistent notifications to activate. Only critical Windows updates will be installed.
Otherwise, the server will continue to function normally.
If you significantly modify the hardware in your server, you may be required to
reactivate within three days. You can reactivate either over the Internet or over the
phone. If you do not reactivate, the server is unlicensed with the same results as if
you had never activated it.
Key Management Service
In large organizations in which volume licensing is used, there is often a desire to
keep all activation activity within the organization rather than having each system
activate directly with Microsoft servers. In such a case, you can implement Key
Management Service (KMS). You can use a service location (SRV) record in Domain
Name System (DNS) to automatically direct computers to the KMS server. Then new
servers will contact the KMS server for activation rather than contacting Microsoft
servers. However, the KMS server does need to be able to contact Microsoft
servers. Also, computers activated by using a KMS server must reconnect to the
KMS server to verify activation every 60 days.
Multiple Activation Key
When volume licensing is used, an organization may be given a multiple activation
key (MAK). A MAK can be used for multiple activations. When a MAK is used,
activation can be performed over the Internet, by phone, or by using a KMS server.

For more information about volume activation, see Volume Activation 2.0 for
Windows Vista and Windows Server 2008 on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160957&clcid=0x409.
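As an added example (not part of the course material), the following PowerShell script checks whether a server can discover a KMS host through the _vlmcs._tcp SRV record described above and reads its current activation state from slmgr.vbs. The parsing of the nslookup and slmgr output, and the default KMS port of 1688, are the example's own assumptions.

```powershell
# Added example, not from the course. Checks whether this Windows Server 2008 KMS
# client can discover a KMS host through DNS and what slmgr.vbs reports about its
# activation. Assumes a domain-joined host; nslookup.exe and slmgr.vbs ship with Windows.
param(
    # DNS domain to search; the host's own domain if not specified.
    [string]$Domain = $env:USERDNSDOMAIN
)

function Get-KmsSrvRecord {
    param([string]$Domain)
    # KMS hosts are published as _vlmcs._tcp SRV records; clients connect to the
    # listed host on TCP 1688 unless the record says otherwise.
    $output  = & nslookup.exe -type=SRV "_vlmcs._tcp.$Domain" 2>&1 | Out-String
    $records = @()
    $port    = 1688
    foreach ($line in ($output -split "`r?`n")) {
        # nslookup prints "port = N" before "svr hostname = host" for each record.
        if ($line -match '^\s*port\s*=\s*(\d+)') {
            $port = [int]$matches[1]
        } elseif ($line -match 'svr hostname\s*=\s*(\S+)') {
            $records += New-Object PSObject -Property @{
                Host = $matches[1].TrimEnd('.')
                Port = $port
            }
            $port = 1688
        }
    }
    return $records
}

function Get-ActivationState {
    # slmgr.vbs /dlv prints the license status and, on a KMS client, the host it
    # found in DNS and the renewal interval: how often the client re-contacts the
    # KMS host to re-verify activation (10080 minutes, 7 days, by default).
    $text  = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv | Out-String
    $state = New-Object PSObject -Property @{
        LicenseStatus      = $null
        KmsHostFromDns     = $null
        RenewalIntervalMin = $null
    }
    if ($text -match 'License Status:\s*(.+)')             { $state.LicenseStatus      = $matches[1].Trim() }
    if ($text -match 'KMS machine name from DNS:\s*(\S+)') { $state.KmsHostFromDns     = $matches[1] }
    if ($text -match 'Renewal interval:\s*(\d+)')          { $state.RenewalIntervalMin = [int]$matches[1] }
    return $state
}

$records = Get-KmsSrvRecord -Domain $Domain
if (-not $records) {
    Write-Warning "No _vlmcs._tcp SRV record in $Domain; new servers will not find the KMS host automatically."
} else {
    $records | Format-Table Host, Port -AutoSize
}
Get-ActivationState | Format-List LicenseStatus, KmsHostFromDns, RenewalIntervalMin
```

A client that shows a KmsHostFromDns value but a LicenseStatus other than Licensed usually cannot reach that host on TCP 1688; check the firewall path before suspecting the key.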
Considerations for Consolidating Server Roles

Key Points
There are no specific guidelines for which server roles can be combined on the
same server. The details of what is appropriate vary widely depending on how a
server role is being used in a specific organization. The key is to ensure that a
server resource does not become a bottleneck. For example, a file server with ten
users may generate almost no disk I/O, while a file server with 500 users may
experience disk I/O as a bottleneck.
Some rules of thumb for combining server roles are listed here:
Avoid combining server roles that place a significant load on the same resource
such as memory, disk I/O, the processor, or the network. For example, the
Streaming Media Services role can place a significant load on all server
resources and will not be combined with other roles in most circumstances.
Avoid combining server roles with different security requirements, such as a
domain controller and an external-facing Web server.
Avoid combining server roles that experience peak utilization at the same time,
such as a domain controller and a Dynamic Host Configuration Protocol
(DHCP) server, both of which experience heavy utilization during morning
logins.
Consider combining domain controllers and DNS servers. This allows you to
take advantage of Active Directory-enabled zones.
Consider giving each application a separate server to simplify server
maintenance.

The only way to accurately determine whether server roles can be combined is by
monitoring performance. Monitor the servers performing the role for a period of
time, and then determine whether combination will be a problem.
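An added example (not from the course) of the monitoring described above: this PowerShell 2.0 script samples one counter for each resource the list names (processor, memory, disk I/O, network) on the server currently hosting a role and reports the average and worst value of each, flagging any that crosses a threshold. The thresholds and the one-minute sample length are illustrative assumptions; a real baseline runs for hours or days.

```powershell
# Added example, not from the course. Profiles the four resources the text names so
# that two roles which stress the same resource, or peak at the same time, are not
# placed on one server. Assumes PowerShell 2.0 (Get-Counter), English counter names
# and an administrator session; thresholds are illustrative assumptions.

function Get-RoleResourceProfile {
    param(
        [int]$IntervalSeconds = 5,
        [int]$Samples = 12      # 12 x 5 s = one minute; use hours or days for a real baseline
    )

    # One counter per resource. Available memory is the one value where LOW is bad,
    # so its minimum rather than its maximum is tested against the limit.
    $rules = @(
        @{ Path = '\Processor(_Total)\% Processor Time';          Limit = 70;   LowIsBad = $false },
        @{ Path = '\Memory\Available MBytes';                     Limit = 512;  LowIsBad = $true  },
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Limit = 2;    LowIsBad = $false },
        @{ Path = '\Network Interface(*)\Bytes Total/sec';        Limit = 50MB; LowIsBad = $false }
    )
    $paths = $rules | ForEach-Object { $_.Path }
    $sets  = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Flatten every sample set, group by counter path (with the \\machine prefix
    # stripped; each NIC instance becomes its own group) and summarise each group.
    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object { $_.Path -replace '^\\\\[^\\]+', '' } |
        ForEach-Object {
            $path  = $_.Name
            $stats = $_.Group | ForEach-Object { $_.CookedValue } |
                     Measure-Object -Average -Maximum -Minimum
            # -like treats the (*) in the network rule as a wildcard over the NIC name.
            $rule  = $rules | Where-Object { $path -like $_.Path } | Select-Object -First 1
            $worst = if ($rule.LowIsBad) { $stats.Minimum } else { $stats.Maximum }
            $flag  = if ($rule.LowIsBad) { $worst -lt $rule.Limit } else { $worst -gt $rule.Limit }
            New-Object PSObject -Property @{
                Counter    = $path
                Average    = [math]::Round($stats.Average, 1)
                Worst      = [math]::Round($worst, 1)
                Threshold  = $rule.Limit
                Bottleneck = $flag
            }
        }
}

# A role whose profile shows Bottleneck = True on a resource should not share that
# resource with another role; compare the profiles of candidate roles taken over the
# same hours to see whether their peaks coincide.
Get-RoleResourceProfile | Format-Table Counter, Average, Worst, Threshold, Bottleneck -AutoSize
```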
What Is the Microsoft Assessment and Planning Toolkit?

Key Points
The Microsoft Assessment and Planning Toolkit (MAP) is a solution accelerator
that is available for download from Microsoft at no charge. It performs hardware
inventory, compatibility analysis, and readiness reports. The tool makes it easy for
you to assess your current IT infrastructure and determine the right Microsoft
technologies for your IT needs.
The Windows Server 2008 Deployment scenarios for MAP are:
Windows Server 2008 Hardware Assessment. This scenario identifies which
servers are capable of running Windows Server 2008 and prescribes the
necessary hardware upgrades for those that are not. It also reports on the
availability of device drivers from Microsoft. Current roles and applications are
also identified.
Security Assessment. This scenario performs an inventory of network clients
and identifies security issues reported by Windows Security Center. It also
reports on Network Access Protection readiness.
Performance Monitoring. This scenario monitors performance of processor,
network, and disk counters over an extended time period. This is typically
used to identify virtualization candidates.
Server Consolidation and Virtualization. This scenario uses data from the
Performance Monitoring scenario to model the virtualization of servers onto a
host.

For more information about MAP, see the Microsoft Assessment and Planning
Toolkit page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160958&clcid=0x409.
Lesson 3
Performing a Single-Server Installation

When you install Windows Server 2008 in your organization, you need to
consider whether you will be upgrading existing servers or installing new
servers and migrating services and applications to the new servers. If you are
implementing BitLocker Drive Encryption, you need to ensure that the server is
properly configured to support it. You also need to consider driver compatibility
and application compatibility with Windows Server 2008.
Objectives
After completing this lesson, you will be able to:
Describe considerations for server upgrades.
Describe considerations for server migrations.
Describe the requirements for BitLocker.
Describe the considerations for device drivers.
Describe the considerations for application compatibility.
Considerations for Performing Server Upgrades

Key Points
Windows Server 2008 performs upgrades differently from previous versions of
Windows Server. When you perform an in-place upgrade to Windows Server 2008,
the new operating system is installed in parallel to the existing operating system.
Then, the existing operating system is parsed for recognized settings, which are
migrated into the new installation of Windows Server 2008.
After the upgrade to Windows Server 2008 is complete, it is not possible to roll
back to the original operating system. However, if an error occurs during the
upgrade, the operating system can be rolled back.
The main benefits of performing an upgrade are:
Preservation of existing operating system settings when recognized. Any
settings that are unrecognized will not be moved to the new installation.
Preservation of existing applications and their settings when recognized.
Applications should be tested to ensure that they are migrated properly.
Downtime is limited to the installation of the operating system. There is no
need to migrate large volumes of data between servers.

Some considerations for upgrading include:
Upgrades to Windows Server 2008 can only be performed from Windows
Server 2003 SP1 or later and Windows Server 2003 R2.
Itanium and Web editions cannot be upgraded.
Upgrades can only be performed in the same edition or an upgraded edition.
For example, Windows Server 2003 Standard edition can be upgraded to
Windows Server 2008 Standard or Enterprise edition. Windows Server 2003
Enterprise edition can only be upgraded to Windows Server 2008 Enterprise
edition. Only an existing Datacenter installation can be upgraded to Windows
Server 2008 Datacenter.
Upgrades can only be performed between the same processor architecture. For
example, a 32-bit version of Windows Server 2003 can only be upgraded to a
32-bit version of Windows Server 2008.
Upgrades must use the same language as the original installation.
You cannot upgrade to server core.

For more information about upgrading to Windows Server 2008, see
Upgrading to Windows Server 2008 on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160959&clcid=0x409.

Question: What is the biggest risk in performing an upgrade?

Considerations for Migrating to Windows Server 2008

Key Points
A migration occurs when you install Windows Server 2008 on new hardware and
then move the services, applications, and data from an existing server to the new
server. There is no downtime for services during the installation of Windows
Server 2008, but there may be downtime for services when they are being migrated
to the new server.
The main benefits of performing a migration are:
A clean installation of a new operating system is typically more reliable than an
upgrade of an existing operating system. Microsoft recommends using a clean
installation whenever possible.
The source server can be maintained for rollback even after the new server is
in place. If the new server is not performing properly after implementation,
you can go back to using the original server until the problem is resolved.
You can perform testing on the new server before putting it into production.
You can test applications and new configurations if required.
You are not limited in how you move between operating system versions. You
can migrate data or applications from Windows Server 2003 Enterprise
Edition to Windows Server 2008 Standard.
You are not limited by the processor architecture of the source and destination
operating systems. You can migrate data or applications from a 32-bit
operating system to a 64-bit operating system.
You are not limited by the language configuration of the source and
destination operating systems. You can migrate data or applications from a
server running one language to a server running a different language.
You can migrate supported data and applications to server core. However,
server core has a limited number of server roles that it is suitable for.

Potential drawbacks to performing a server migration are:
Data must be manually moved to the new server. Large file shares can take a
significant amount of time to migrate.
Applications must be reinstalled and properly configured on the new server.
If no one on staff is familiar with the details of the application, this can be error
prone.
Clients must be redirected to use services on the new server. This may require
that client computers be reconfigured manually in some cases, which is time
consuming. However, you can redirect clients to new file shares by changing
the drive letters mapped on the clients by using a logon script or group policy.
In some cases, you can update a host record in DNS to point to the IP address
of the new server.

For more information about migrating specific services to Windows Server 2008,
see the Migrate to Windows Server 2008 page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166908&clcid=0x409.
Considerations for Implementing BitLocker

Key Points
BitLocker Drive Encryption is a feature in Windows Server 2008 that is used to
encrypt the boot volume of the server (the volume with the operating system).
Additional volumes, other than the system volume (the volume with ntldr), can
also be encrypted.
In addition to providing basic file security, BitLocker ensures the integrity of the
operating system. The operating system files on the boot volume are protected
because they are encrypted when the server is not running. The files on the system
partition are protected because a hash value is stored to ensure that there have
been no unauthorized modifications. This hash value is verified during startup.
BitLocker requires:
Separate boot and system volumes (1.5 GB minimum). The minimum size
for the system volume is 1.5 GB. If you do not create two volumes during
initial installation, you can use the BitLocker Drive Preparation Tool. This tool
resizes the existing boot/system volume and then moves the system files to a
newly created system volume to enable BitLocker.
A Trusted Platform Module (TPM) version 1.2. The use of BitLocker
prevents someone from taking a hard drive in your server and gaining access
to the data, because the encryption key is stored in a TPM in the server. The
TPM is a storage location on the motherboard of the server. Alternatively, you
can store the encryption key on a USB drive, but this is less secure.

For more information about BitLocker, see the BitLocker Drive Encryption page
on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166909&clcid=0x409.
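As an added example (not the course's own code), this PowerShell function checks both requirements above on a host before BitLocker is turned on: a TPM 1.2 that is usable as the key protector, and a system volume that is separate from the boot volume and at least 1.5 GB. The Win32_Tpm and Win32_Volume classes are standard WMI classes; testing that the TPM is enabled, activated and owned goes beyond the text and is the example's own addition.

```powershell
# Added example, not from the course. Run elevated: Win32_Tpm is readable only by
# administrators. Reports the two BitLocker prerequisites listed in the text.

function Test-BitLockerPrerequisites {
    $result = New-Object PSObject -Property @{
        TpmPresent           = $false
        TpmSpecVersion       = $null
        TpmReady             = $false
        SeparateSystemVolume = $false
        SystemVolumeSizeGB   = 0
        Ready                = $false
    }

    # Requirement 1: TPM version 1.2. The class is absent on hosts without a TPM, so the
    # query is allowed to fail quietly. Enabled/activated/owned are additional checks
    # (assumed here) that the TPM can actually hold the volume encryption key.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
                         -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        # SpecVersion reads like "1.2, 2, 3"; the first field is the TCG specification level.
        $result.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        $enabled   = [bool]$tpm.IsEnabled().IsEnabled
        $activated = [bool]$tpm.IsActivated().IsActivated
        $owned     = [bool]$tpm.IsOwned().IsOwned
        $result.TpmReady = ($result.TpmSpecVersion -eq '1.2') -and $enabled -and $activated -and $owned
    }

    # Requirement 2: the system volume (boot files, stays unencrypted and is integrity-checked)
    # must be a different volume from the boot volume (operating system, encrypted) and be
    # at least 1.5 GB. Win32_Volume flags each role with SystemVolume / BootVolume.
    $volumes   = Get-WmiObject -Class Win32_Volume
    $systemVol = $volumes | Where-Object { $_.SystemVolume } | Select-Object -First 1
    $bootVol   = $volumes | Where-Object { $_.BootVolume }   | Select-Object -First 1
    if ($systemVol -and $bootVol -and ($systemVol.DeviceID -ne $bootVol.DeviceID)) {
        $result.SeparateSystemVolume = $true
        $result.SystemVolumeSizeGB   = [math]::Round($systemVol.Capacity / 1GB, 2)
    }

    $result.Ready = ($result.TpmReady -and $result.SeparateSystemVolume -and ($result.SystemVolumeSizeGB -ge 1.5))
    return $result
}

# Ready = True means BitLocker can be enabled with the TPM as protector and without first
# running the BitLocker Drive Preparation Tool; a False SeparateSystemVolume is the case
# the text says that tool fixes by resizing the existing volume.
Test-BitLockerPrerequisites |
    Format-List TpmPresent, TpmSpecVersion, TpmReady, SeparateSystemVolume, SystemVolumeSizeGB, Ready
```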
Considerations for Device Drivers

Key Points
Whenever you update an existing server to a new operating system, you must
ensure that device drivers are available for the new operating system to support the
existing hardware. Before performing an upgrade, you should check with your
hardware manufacturer to obtain drivers that are certified for Windows Server
2008. However, in many cases, a driver that worked in Windows Server 2003 will
also work for Windows Server 2008.
Many organizations are implementing 64-bit versions of Windows Server 2008 to
obtain the benefits of greater memory capacity. When you install a 64-bit operating
system, you must have 64-bit device drivers for your hardware. In some cases, 64-bit
device drivers will not be available for older hardware.
By default, Windows Server 2008 will not load unsigned 64-bit device drivers, even
though it will accept them during the installation process. If you are unable to
obtain signed device drivers, this requirement can be disabled by going into the
Advanced Boot Options during startup and selecting Disable Driver Signature
Enforcement. However, this is not recommended.
If you are buying new hardware, verify with the vendor that there are 64-bit drivers
available before purchasing the new server. Most new servers have 64-bit drivers
available from the manufacturer's Web site.
Considerations for Application Compatibility

Key Points
Many applications that were designed to run on Windows Server 2003 are capable
of running on Windows Server 2008. However, the User Account Control (UAC)
feature in Windows Server 2008 may prevent some applications from running
properly. Before you implement a new application server, check with the
application vendor to ensure that it is supported on Windows Server 2008.
Windows Server 2008 stores some data in a different location than Windows
Server 2003. Windows Server 2008 has directory junctions at the old directory
names that redirect file requests to the new directory locations. For example,
C:\Documents and Settings is now a junction point that points to C:\Users.
Junction points work for most applications but not all, so ensure that your
application functions properly before beginning an upgrade or migration.
Some key points to keep in mind when considering application compatibility are
the following:
When you upgrade a server to Windows Server 2008, an application
compatibility check is performed. However, this check has a limited database
of applications. You should manually verify that an application is capable of
running on Windows Server 2008 by contacting the application's vendor.
It is possible to run 32-bit applications on a 64-bit operating system. This is
done with Windows on Windows (WOW), similar to the mechanism that
allows 32-bit versions of Windows to run 16-bit applications. However, you
cannot run 16-bit applications on a 64-bit version of Windows Server 2008.

For more information, see the Application Considerations When Upgrading to
Windows Server 2008 page on the TechNet Web site at
http://technet.microsoft.com/en-us/library/cc771576(WS.10).aspx.
Lesson 4
Automating Windows Server 2008 Deployment

In a small organization, performing each server installation manually is a
reasonable way to manage server installations. However, larger organizations may
want to standardize and speed up installation by automating deployment.
Depending on the existing infrastructure in your organization, you may choose to
use the Windows Automated Installation Kit (WAIK), Windows Deployment
Services (WDS), or the Microsoft Deployment Toolkit (MDT).
Objectives
After completing this lesson, you will be able to:
Describe the considerations for automated deployments.
Describe the considerations for using WAIK.
Create an answer file.
Describe the considerations for using WDS.
Describe the purpose of MDT.
Considerations for Automated Deployment

Key Points
An automated deployment is an installation in which user input is limited or not
required during the installation of Windows Server 2008. An automated
deployment can be performed in several different ways. The method you select will
be based on your needs and your existing infrastructure. Methods available for
automated deployment include answer files, Windows Deployment Services, and
the Microsoft Deployment Toolkit.
The main benefits of automated deployment are:
Consistent configuration. When the deployment process is automated, you
know that the operating system on each new server is configured in exactly the
same way. This helps avoid configuration problems and is very useful for
larger organizations with multiple servers.
Faster deployment. After the deployment process has been developed, it is
very fast to deploy new servers. The time required varies depending on the
deployment process, but in some cases, deployment may take only 15
minutes.
The main disadvantages of automated deployment are:
Difficulty customizing configuration. The standard configuration created by
an automated deployment process may not be suitable for all servers. The
automatically deployed server must then be customized after installation.
Slowness of creation and testing of the deployment process compared with
the manual installation of a single server. In a smaller organization with only
a few servers, it may take longer to create and test an automated deployment
process than it would to perform several server installations.

What Is WAIK?

Key Points
The Windows Automated Installation Kit (WAIK) includes a number of tools to
simplify the deployment of Windows Vista SP1 and Windows Server 2008 through
automation. The two main tools included with WAIK are:
Windows System Image Manager (WSIM). This tool is used to create answer
files that are used to perform unattended installations. The answer file
contains instructions used during the installation process. Any information
that is normally provided interactively during the installation can be placed in
the answer file instead.
ImageX. This tool is used to perform imaging of the operating system. After an
initial installation is performed, the operating system is configured as you
would like it with appropriate applications and updates. Then you use sysprep
to generalize the operating system before using ImageX to create an image of
the operating system. To save disk space, the Windows Imaging (WIM) images
created by ImageX can contain multiple images, and files that are common
between the images are only stored once in the WIM file. Images can also be
mounted and modified offline.

WAIK also includes a large amount of documentation to help you develop an
automated installation. Some of the documentation includes:
Windows Setup Technical Reference. This document provides information
about how setup.exe performs installations and how the installation can be
automated by using an answer file.
Windows System Image Manager Technical Reference. This document
describes how to use WSIM to create answer files that can be used to perform
unattended installations.
ImageX Technical Reference. This document describes how to use ImageX to
perform imaging operations.
Sysprep Technical Reference. This document describes how to use sysprep to
prepare an operating system for imaging or for delivery to a customer.
Package Manager Technical Reference. This document describes how to
perform offline maintenance of a Windows image.

For more information about WAIK, see the Windows Automated Installation Kit
(Windows AIK) User's Guide page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=160964&clcid=0x409.

Demonstration: Creating an Answer File

An answer file for an automated installation is created by using the Windows
System Image Manager. The settings you can select are based on a catalog file that
is included on the Windows Server 2008 installation media. You can also create a
new catalog file based on a WIM file.
There are seven possible passes during setup that can be automated:
windowsPE. This pass automates installation controlled by Windows PE
during the first stage of installation. Disk partitioning is possible at this stage.
offlineServicing. This pass is used to apply settings to an existing WIM file
offline. You can add Windows packages such as language packs.
generalize. This pass is used to apply settings when the operating system is
being generalized by sysprep.
specialize. This pass is used to apply settings either during a regular
installation or when a sysprepped operating system is being configured.
auditSystem. This pass is used to install device drivers in a generalized
operating system before it is specialized. This is a way to update an existing
generalized operating system.
auditUser. This pass is used to install applications in a generalized operating
system before it is specialized. This is a way to update an existing generalized
operating system.
oobeSystem. This pass automates the Out-of-Box Experience (Windows
Welcome).

For more information about the Windows Setup configuration passes,
see the Windows Setup Configuration Passes section of the Unattended
Windows Setup Reference.

High-level steps:
1. Open Windows System Image Manager.
2. Select a catalog file.
3. Create a new answer file.
4. Add the desired settings to the answer file.
5. Save the answer file.
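To see what the seven passes look like once WSIM has saved them, and to check an answer file before it is used, here is an added example that is not part of the course or of Windows System Image Manager: it parses a constructed unattend.xml with the Python standard library, lists the settings under each pass in setup order, reports pass names that are not one of the seven, and reports a password stored with PlainText set to true. The component and element names are standard unattend settings; the values are placeholders.

```python
"""Audit an unattend answer file by Windows Setup configuration pass.
Added example, not part of the course or of Windows System Image Manager:
it uses only the Python standard library and a constructed answer file."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = "urn:schemas-microsoft-com:unattend"  # namespace used by unattend.xml
CONFIGURATION_PASSES = [                   # the seven passes, in setup order
    "windowsPE", "offlineServicing", "generalize", "specialize",
    "auditSystem", "auditUser", "oobeSystem",
]

# Constructed answer file. Component and element names are standard unattend
# settings; the values are placeholders. The "Specialize" block is deliberate:
# it is not spelled as one of the seven pass names and should be reported.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
      </DiskConfiguration>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <ComputerName>SRVCONSTRUCT01</ComputerName>
    </component>
  </settings>
  <settings pass="Specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <TimeZone>UTC</TimeZone>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>placeholder-not-a-real-password</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag: str) -> str:
    """Strip the namespace prefix from an element tag."""
    return tag.split("}", 1)[-1]


def settings_by_pass(xml_text: str) -> Dict[str, List[str]]:
    """Map each pass name in the file to its 'component/setting' entries."""
    root = ET.fromstring(xml_text)
    by_pass: Dict[str, List[str]] = {}
    for settings in root.findall(f"{{{NS}}}settings"):
        entries = by_pass.setdefault(settings.get("pass", ""), [])
        for component in settings.findall(f"{{{NS}}}component"):
            for setting in component:
                entries.append(f"{component.get('name')}/{_local(setting.tag)}")
    return by_pass


def passes_in_setup_order(by_pass: Dict[str, List[str]]) -> List[str]:
    """The recognised passes the file configures, in the order Setup runs them."""
    return [p for p in CONFIGURATION_PASSES if p in by_pass]


def unknown_passes(by_pass: Dict[str, List[str]]) -> List[str]:
    """Pass names that are not spelled exactly as one of the seven."""
    return sorted(p for p in by_pass if p not in CONFIGURATION_PASSES)


def plaintext_credentials(xml_text: str) -> List[str]:
    """Names of elements (e.g. AdministratorPassword) whose PlainText child is
    'true', meaning the value is stored unprotected in the answer file."""
    root = ET.fromstring(xml_text)
    flagged = []
    for element in root.iter():
        plain = element.find(f"{{{NS}}}PlainText")
        if plain is not None and (plain.text or "").strip().lower() == "true":
            flagged.append(_local(element.tag))
    return flagged


if __name__ == "__main__":
    by_pass = settings_by_pass(SAMPLE_UNATTEND)
    for name in passes_in_setup_order(by_pass):
        print(f"{name}: {', '.join(by_pass[name])}")
    print("unknown pass names:", unknown_passes(by_pass))
    print("plaintext credentials:", plaintext_credentials(SAMPLE_UNATTEND))
```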

Considerations for Using Windows Deployment Services (WDS)

Key Points
Windows Deployment Services (WDS) is a Windows Server 2008 tool that is used
to automate the deployment of Windows operating systems. Deployment can be
done with image files or by using an unattended installation.
When using WDS, keep the following considerations in mind:
By using WDS, you gain centralized administration over operating system
installations. You can trigger imaging operations from a single central location
rather than at each computer. When a large number of servers or client
computers are being installed, WDS helps simplify the process.
In most cases, you will use Pre-Boot Execution Environment (PXE) to connect
the computers with the WDS server. This requires that your computers
support PXE booting. PXE booting is a common feature in current computers,
but it must be enabled in the BIOS. DHCP is used during the PXE boot
process and must be properly configured.
WDS is also capable of using multicasts for imaging. With multicasting,
multiple computers can be imaged in the same amount of time as a single
computer, because each image is received by multiple computers at the same
time. Network routers must be configured to allow multicasting. Many
organizations disable multicasting on routers.
When a computer boots from PXE, a Windows PE boot image is downloaded
to memory and used to perform the imaging process. The Windows PE boot
image that is downloaded must have support for the network adapter in the
computer being imaged.

For more information about WDS, see Module 4: Using Windows
Deployment Services in Course 6418B, Deploying Windows Server 2008.

What Is the Microsoft Deployment Toolkit?

Key Points
Microsoft Deployment Toolkit (MDT) provides technology for deploying Windows
operating systems, the 2007 Microsoft Office system, and Microsoft Office 2003.
Microsoft Deployment is the next version of Business Desktop Deployment (BDD)
2007. However, the larger focus of Microsoft Deployment is on methodology and
best practices. By following the guidance in Microsoft Deployment, teams are
putting into action proven best practices that Microsoft uses in its own
development projects and that are based on the Microsoft Solutions Framework
(MSF).
MDT shows you how to use the new deployment tools together as part of an end-
to-end deployment process. MDT also provides tools and scripts to increase
automation and lower costs, as well as leveraging and enhancing other Microsoft
tools and products.

Server Deployment Challenges
Server deployment introduces some unique challenges beyond those presented by
workstation deployment. Hardware configurations are often more complicated,
and network configuration may involve static IP addresses, multiple network
adapters, and advanced network components, such as TCP/IP offloading, Network
Load Balancing, and clustering.
Server operating system configuration is more complex than workstation operating
system configuration. For example, server disk configuration is complicated, as it
involves redundant array of independent disks (RAID) controllers, original
equipment manufacturer (OEM) configuration partitions, and Storage Area
Network (SAN) configurations. Correct server role installation and configuration is
very important, security is crucial, and upgrades are more common in some
scenarios.
MDT Deployment Approaches
MDT provides guidance for the following types of deployment:
Zero Touch Installation (ZTI) deployment for Microsoft System Center
Configuration Manager (SCCM) 2007. If the organization has an existing
System Center Configuration Manager infrastructure, teams can use that
infrastructure to capture the reference operating system image and efficiently
deploy it to client computers.
ZTI deployment for Systems Management Server (SMS) 2003. If the
organization has an existing Systems Management Server 2003 infrastructure,
use ZTI deployment to capture the reference operating system image, and then
deploy it using Systems Management Server 2003.
Lite Touch Installation (LTI) deployment. If the organization does not have
a System Center Configuration Manager or Systems Management Server 2003
infrastructure, teams can use the LTI process to capture reference operating
system images, and then deploy them across the network.

Question: Why would you use MDT in addition to WAIK or WDS?



Lab: Planning a Windows Server 2008 Deployment

Note: Your instructor may run this lab as a class discussion.

A. Datum Corporation has a single head office with a single datacenter that hosts
all servers. The servers in the datacenter are running a mix of Windows 2000
Server, Windows Server 2003, and Windows Server 2003 R2. The organization has
entered into a new volume licensing agreement with Microsoft that allows all
servers to be updated to Windows Server 2008.

Exercise 1: Creating a Planning Flowchart for a Windows Server 2008 Deployment
Scenario
You have been tasked with creating a flowchart to help the IT staff in A. Datum
Corporation decide how to upgrade or migrate individual servers to Windows
Server 2008. This flowchart needs to help determine how the process is
accomplished and which edition of Windows Server 2008 will be used.
Sara Davis, the IT manager, has provided some information about what she
expects the flowchart to include and how to approach the task.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create the flowchart.

Task 1: Read the supporting documentation
Supporting Documentation
E-mail thread of correspondence with Sara Davis:
Gregory Weber
From: Sara Davis [Sara@adatum.com]
Sent: 18 July 2009 11:30
To: Gregory@adatum.com
Subject: Re: Server Upgrade Flowchart
Greg,
I don't have a lot of preconceived notions about how this should be put together. I just
know that we need some sort of tool to help us in our decision-making process
during the upgrades. I'd rather have one person (you) do the research and
planning once than have the process repeated each time we do a server upgrade.
Since we've entered into the new volume licensing agreement, it makes sense to
implement Windows Server 2008 whenever possible.
I don't have a complete list of criteria that need to be taken into account. You'll
need to determine what is appropriate. However, some of the criteria I was
thinking of are:
32-bit vs. 64-bit
Upgrade vs. migrate
Application compatibility

The best way to approach this project is to generate a list of relevant criteria for the
decision-making process. Then you can arrange them into a flowchart that
represents the decision-making process.
In some cases, we'll have new hardware. In some cases, we won't have new
hardware. Your flowchart will need to take into account both situations.
Regards,
Sara.

----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 18 July 2009 10:01
To: Sara@adatum.com
Subject: Server Upgrade Flowchart
Sara,
I would like to confirm some of the details regarding the flowchart assignment you
gave me in the meeting this morning. As I understand it, you would like others on
the team to be able to use this flowchart to determine how any given server in our
organization can be updated to using Windows Server 2008. Is this correct?
Do you have any specific criteria that you think need to be taken into account?
Are there any assumptions I can make about new hardware?
Regards,
Greg

Task 2: Create the flowchart
1. On a piece of paper, generate a list of relevant criteria that must be considered
during the upgrade or migration process.
2. Use the list of criteria you have generated to create a flowchart for determining
whether to upgrade or migrate.
3. Use the list of criteria you have generated to create a flowchart for determining
which edition of Windows Server 2008 you should use.
4. Use the list of criteria you have generated to create a flowchart for determining
whether to use a 32-bit or 64-bit operating system.

Results: After this exercise, you should have created flowcharts to help to determine
how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment
Scenario
Several servers in the A. Datum Corporation datacenter have been identified as the
first candidates for migration to Windows Server 2008. For each of these servers,
you must determine the process to be used.
The main tasks for this exercise are as follows:
1. Create a deployment plan for the archive file server.
2. Create a deployment plan for the main file server.
3. Create a deployment plan for the antivirus server.
4. Create a deployment plan for the human resources application server.

Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 22 July 2009 09:05
To: Gregory@adatum.com
Subject: Re: First batch of server upgrades to Windows Server 2008
Attachments: Archive File Server.docx
Main File Server.docx
Antivirus Server.docx
Human Resources Application Server.docx
Greg,
I've attached a document for each server. It includes the relevant information we've
documented for each server as well as the questions we need answered to perform
the upgrade or migration.
Regards,
Alan.
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 20 July 2009 08:45
To: Alan@adatum.com
Subject: First batch of server upgrades to Windows Server 2008
Alan,
We're going to be doing some server upgrades to Windows Server 2008 soon. Can
you please send me the analysis that you performed on the archive file server, main
file server, antivirus server, and human resources application server?
Thanks.
Greg

Deployment Plan: Archive File Server

Document Reference Number: GW0688/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the more efficient file-sharing protocols in Windows Server 2008.
The archive file server is used to store older data that is accessed only occasionally.
Extended outages are possible with notification.
It is used only as a file server. It has no other functions.
The hardware is relatively new, and no new hardware has been allocated for this server.

Additional Information
This server is currently running a 32-bit version of Windows Server 2003 R2.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?



Deployment Plan: Main File Server

Document Reference Number: GW0689/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the more efficient file-sharing protocols in Windows Server 2008.
The main file server is mission critical and cannot be taken out of production during
business hours. Downtime must be limited to less than one day.
It is used only as a file server. It has no other functions.
This server should support cross-file replication for DFS. This may be implemented in
the future to support remote offices, and the cross-file replication will reduce
synchronization traffic on the WAN.
Data for this file server is stored on a Fibre Channel Storage Area Network (SAN).
New hardware has been allocated for this server if required.

Additional Information
Clients access this file server through mapped drive letters that are created by a logon
script.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?

4. How will downtime be minimized?



Deployment Plan: Antivirus Server

Document Reference Number: GW0690/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize the
server operating systems.
The antivirus server can experience an outage of 24 hours without impacting clients.
New hardware has been allocated for this server.

Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments and
is not supported in 64-bit environments.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?



Deployment Plan: Human Resources Application Server

Document Reference Number: GW0691/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take advantage of
the performance improvements in IIS 7.
The existing server is consistently short on memory, and a new server with 8 GB of
memory has been allocated to address this.
The application data is also stored on this server and must be taken into account.
There can be no downtime during business hours.
The new server should support failover clustering, as it is being considered for the
future.

Additional Information
None

Proposals
1. Will this server be upgraded on existing hardware or migrated to new hardware?

2. Which edition of Windows Server 2008 will be used?

3. Will 32-bit or 64-bit Windows Server 2008 be used?

4. What process will you use to minimize downtime?



Task 1: Create a deployment plan for the archive file server
1. Read the supporting documentation for the archive file server.
2. Update the proposal document by answering the questions.

Task 2: Create a deployment plan for the main file server
1. Read the supporting documentation for the main file server.
2. Update the proposal document by answering the questions.

Task 3: Create a deployment plan for the antivirus server
1. Read the supporting documentation for the antivirus server.
2. Update the proposal document by answering the questions.

Task 4: Create a deployment plan for the human resources application server
1. Read the supporting documentation for the human resources application server.
2. Update the proposal document by answering the questions.

Results: After this exercise, you should have created a deployment plan for the archive
file server, the main file server, the antivirus server, and the human resources
application server.

Module Review and Takeaways

Review Questions
1. Why is change management important when deploying Windows Server
2008?

2. When selecting a version of Windows Server 2008, which factors should you
take into account?

3. Is it better to upgrade an existing server or migrate to new hardware?

4. In which situations is automated deployment preferred to a manual
installation?

Common Issues Related to Deploying Windows Server 2008
Identify the causes for the following common issues related to Windows Server
2008, and fill in the troubleshooting tips. For answers, refer to the relevant lessons
in the module.

Issue                          Troubleshooting Tip
Application incompatibility
Device driver availability
Servers requiring activation

Real-World Issues and Scenarios
1. You want to install Windows Server 2008 as a host for virtualization. This
server will host three virtual machines. Which is the most cost-effective version
of Windows Server 2008 to obtain?

2. You have a line-of-business application that runs on a 32-bit server with
Windows Server 2003 Standard Edition. You would like to migrate this server
to a 64-bit edition of Windows Server 2008 to take advantage of increased
memory. What process should you use to ensure that downtime is limited?

3. You are deploying Windows Server 2008 on ten servers in three locations. To
simplify documentation and management, you would like all ten servers to
have the same configuration. How does automating server deployment help to
ensure that the configuration is the same for all ten servers?

Best Practices Related to Windows Server 2008 Deployment
Supplement or modify the following best practices for your own work situations:
Remember to consider CALs when upgrading to Windows Server 2008.
In virtualized environments, consider using Windows Server 2008 Datacenter
to simplify server licensing.
Choose a 64-bit version of Windows Server 2008 if necessary drivers and
software are compatible. This also helps with greater memory access.
When possible, perform a migration to Windows Server 2008 rather than an
upgrade.
When deploying Windows Server 2008 to multiple computers, consider the
use of automated deployment.

Tools

Tool: Microsoft Solution Accelerators
  Use for: Obtaining tools and guidance for deploying Microsoft technologies
  Where to find it: On the TechNet Web site at
  http://go.microsoft.com/fwlink/?LinkID=165474&clcid=0x409

Tool: Microsoft Assessment and Planning Toolkit
  Use for: Identifying whether your organization is ready to deploy Windows Server 2008
  Where to find it: On the Microsoft Assessment and Planning Toolkit page on the
  TechNet Web site at http://go.microsoft.com/fwlink/?LinkID=160958&clcid=0x409

Tool: Windows Automated Installation Kit
  Use for: Automating the installation of Windows Server 2008
  Where to find it: On the Automated Installation Kit (AIK) for Windows Vista SP1 and
  Windows Server 2008 page on the Microsoft Web site at
  http://go.microsoft.com/fwlink/?LinkID=165476&clcid=0x409

Tool: Windows Deployment Services
  Use for: Centrally creating and deploying Windows Server 2008 images
  Where to find it: A server role in Windows Server 2008

Tool: Microsoft Deployment Toolkit
  Use for: Planning and performing automated installations of Windows Server 2008
  Where to find it: On the Microsoft Deployment Toolkit page on the TechNet Web site at
  http://go.microsoft.com/fwlink/?LinkID=165477&clcid=0x409

Module 2
Planning Network Infrastructure for Windows Server 2008
Contents:
Lesson 1: Planning IPv4 Addressing 2-3
Lesson 2: Planning for Name Resolution Services 2-14
Lesson 3: Determining the Need for WINS 2-27
Lesson 4: Planning a Perimeter Network 2-37
Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42
Lab: Planning Network Infrastructure for Windows Server 2008 2-50

Module Overview

Network infrastructure services play an important role in providing the foundation
for additional, higher-level services, such as Active Directory directory service, and
for applications, such as messaging and database systems. It is vital that you plan
the deployment of these foundation services with great care to ensure the smooth
running of mission-critical applications.
Objectives
After completing this module, you will be able to:
Plan an IPv4 addressing strategy.
Plan the deployment and configuration of DNS servers.
Determine how to handle NetBIOS names within your organization.
Place appropriate servers in your perimeter network.
Plan an IPv4 to IPv6 transition strategy.

Lesson 1
Planning IPv4 Addressing

In order to properly implement network services, it is important that you have a
thorough understanding of IPv4 addressing. Good understanding of IPv4
addressing enables you to make appropriate decisions about the configuration
and placement of network servers within your IPv4 infrastructure.
Objectives
After completing this lesson, you will be able to:
Describe an IP subnet.
Plan an IPv4 addressing scheme.
Select an appropriate IPv4 addressing scheme.
Plan the implementation of DHCP Servers.
Allocate IPv4 addresses by using DHCP.

What Is a Subnet?

Key Points
A subnet is a network's physical segment, which a router or routers separate from
the rest of the network. When your Internet service provider (ISP) assigns your
network a Class A, B, or C address range, you often must subdivide the range to
match your network's physical layout. You subdivide a large network into logical
subnets.
When you subdivide a network into subnets, you create a unique ID for each
subnet, which you derive from the main network ID. To create subnets, you must
allocate some of the bits in the host ID to the network ID, which enables you to
create more networks.

By using subnets, you can:
Use a single Class A, B, or C network across multiple physical locations.
Reduce network congestion by segmenting traffic and reducing broadcasts on
each segment.
Overcome limitations of current technologies, such as exceeding the
maximum number of hosts that each segment can have. For example, Ethernet
can have no more than 1,024 hosts on a network. However, dividing the
segment into further segments increases the total number of allowable hosts.

The address classes and their default subnet masks are:

Class  First octet  Default subnet mask  Number of networks  Number of hosts per network
A      1-127        255.0.0.0            126                 16,777,214
B      128-191      255.255.0.0          16,384              65,534
C      192-223      255.255.255.0        2,097,152           254

A subnet mask specifies which part of an IPv4 address is the network ID and
which is the host ID. A subnet mask has four octets, similar to an IPv4 address.
In simple IPv4 networks, the subnet mask defines full octets as part of the network
ID and host ID. A 255 represents an octet that is part of the network ID, and a 0
represents an octet that is part of the host ID.
In complex networks, you might subdivide one octet, with some of its bits used for
the network ID and some for the host ID. Classless addressing, or Classless
Inter-Domain Routing (CIDR), is the use of more or fewer than a whole octet for
subnetting. This type of subnetting uses a different notation, which the following
example shows:

172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4
addressing:

172.16.16.1/20

The /20 indicates how many bits of the mask are network bits (here, the first 20),
and this notation is referred to as Variable Length Subnet Masking (VLSM).

Private IP addresses are commonly used for local area networks (LANs). These
private IP address ranges are non-routed on the global Internet. An organization
needing a private address space can use these addresses without approval from an
ISP.
Private address ranges include:

Class  Mask            Range
A      10.0.0.0/8      10.0.0.0-10.255.255.255
B      172.16.0.0/12   172.16.0.0-172.31.255.255
C      192.168.0.0/16  192.168.0.0-192.168.255.255

Additional Reading
For more information see Address Allocation for Private Internets:
http://go.microsoft.com/fwlink/?LinkID=163880&clcid=0x409

Planning an IPv4 Addressing Scheme

Key Points
In order to select an appropriate addressing scheme for your organization, you
must:
Choose whether to use public or private IPv4 addresses.
Calculate the number of subnets required. You can calculate the number of
subnet bits by determining how many you need in your network. Use the
formula 2^n, where n is the number of bits. The result must be at least the
number of subnets that your network requires.
Calculate the number of hosts in each subnet. You can calculate the number of
host bits required by using the formula 2^n-2, where n is the number of bits.
Select an appropriate subnet mask(s).

When you have determined these factors, you must then:
Calculate the subnet addresses. To determine subnet addresses quickly, you
can use the lowest value bit in the subnet mask. For example, if you choose to
subnet the network 172.16.0.0 by using 3 bits, this would mean using
255.255.224.0 as the subnet mask. The decimal 224 is 11100000 in binary,
and the lowest bit has a value of 32, so that will be the increment between each
subnet address.
Determine the range of host addresses within each subnet. You can calculate
each subnet's range of host addresses as follows: the first host address is the
subnet ID plus one, and the last host address is the next subnet ID minus two
(the address immediately below the next subnet ID is the broadcast address).
Implement the planned addressing scheme.
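The planning procedure above, carried out in code as an added example that is not course material: it applies the 2^n and 2^n-2 rules to choose subnet and host bits, converts between /prefix and dotted masks, takes the lowest set bit of the mask as the increment between subnet IDs, and derives each subnet's first host (subnet ID + 1) and last host (next subnet ID - 2), using the lesson's 172.16.0.0 with 3 subnet bits as the worked case. The cross-check against Python's ipaddress module is an addition of mine.

```python
"""IPv4 subnet planning as described in the lesson (added example, not
course material): choose subnet and host bits with the 2^n and 2^n-2
rules, convert between /prefix and dotted masks, find the increment
between subnet IDs from the lowest set bit of the mask, and derive each
subnet's first host (subnet ID + 1) and last host (next subnet ID - 2)."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def subnet_bits_needed(subnets: int) -> int:
    """Smallest n such that 2**n >= subnets (the lesson's 2^n rule)."""
    n = 0
    while 2 ** n < subnets:
        n += 1
    return n


def host_bits_needed(hosts: int) -> int:
    """Smallest n such that 2**n - 2 >= hosts (the lesson's 2^n-2 rule,
    which reserves the subnet ID and the broadcast address)."""
    n = 2
    while 2 ** n - 2 < hosts:
        n += 1
    return n


def prefix_to_mask(prefix: int) -> str:
    """Prefix length to dotted mask, e.g. 20 -> 255.255.240.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    mask_int = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask_int))


def is_valid_mask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    mask_int = int(ipaddress.IPv4Address(mask))
    host_bits = ~mask_int & ALL_ONES         # e.g. 0x00000FFF for /20
    return host_bits & (host_bits + 1) == 0  # contiguous trailing ones


def mask_to_prefix(mask: str) -> int:
    """Dotted mask to prefix length, e.g. 255.255.240.0 -> 20."""
    if not is_valid_mask(mask):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def subnet_increment(mask: str) -> int:
    """Increment between subnet IDs in the subnetted octet: the value of
    the lowest set bit of the mask, e.g. 255.255.224.0 -> 32."""
    mask_int = int(ipaddress.IPv4Address(mask))
    lowest_bit = mask_int & -mask_int        # isolate the lowest set bit
    while lowest_bit > 255:                  # express it within its octet
        lowest_bit >>= 8
    return lowest_bit


def plan_subnets(network: str, default_prefix: int,
                 subnet_bits: int) -> List[Tuple[str, str, str]]:
    """Return (subnet ID, first host, last host) for each subnet created by
    borrowing subnet_bits host bits from network/default_prefix."""
    new_prefix = default_prefix + subnet_bits
    if new_prefix > 30:
        raise ValueError("fewer than two usable host addresses per subnet")
    net = ipaddress.IPv4Network(f"{network}/{default_prefix}")
    base = int(net.network_address)
    block = 1 << (32 - new_prefix)           # addresses per subnet
    plan = []
    for i in range(2 ** subnet_bits):
        subnet_id = base + i * block
        next_subnet_id = subnet_id + block
        plan.append((str(ipaddress.IPv4Address(subnet_id)),
                     str(ipaddress.IPv4Address(subnet_id + 1)),       # first host
                     str(ipaddress.IPv4Address(next_subnet_id - 2))))  # last host
    return plan


def matches_stdlib(network: str, default_prefix: int, subnet_bits: int) -> bool:
    """Cross-check the hand calculation against ipaddress.subnets()."""
    net = ipaddress.IPv4Network(f"{network}/{default_prefix}")
    expected = [str(s.network_address)
                for s in net.subnets(prefixlen_diff=subnet_bits)]
    actual = [p[0] for p in plan_subnets(network, default_prefix, subnet_bits)]
    return actual == expected


if __name__ == "__main__":
    # The lesson's example: 172.16.0.0 subnetted with 3 bits -> 255.255.224.0.
    mask = prefix_to_mask(16 + 3)
    print(f"mask {mask} (/{mask_to_prefix(mask)}), increment {subnet_increment(mask)}")
    for subnet_id, first, last in plan_subnets("172.16.0.0", 16, 3):
        print(f"{subnet_id:<16} hosts {first} - {last}")
```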

Discussion: Selecting an Appropriate IPv4 Addressing Scheme

Key Points

Question: Contoso.com has implemented IPv4 throughout the organization. It is
currently implementing a new head office building. The office will host 5,000
computers distributed fairly evenly across 10 floors of these offices. What address
class would suit this scenario?

Question: Analysis of the network traffic at the existing head office shows that the
maximum number of hosts per subnet should be around 100. How many subnets
are required, and assuming a network address for the whole site of 172.16.0.0,
what mask should you use to ensure sufficient support for the required subnets?

Question: Assuming the network address for the head office is 172.16.0.0/19,
what mask would you assign to each subnet?

Question: How many hosts can you have in each subnet based on your selected
mask?

Question: Assuming you implement the mask you determined for each subnet,
what would the first subnet address be?

Question: What are the first and last host addresses for the first subnet?

Planning the Deployment of DHCP Servers

Key Points
You can configure static IPv4 configuration manually for each of your network's
computers. IPv4 configuration includes:
IPv4 address
Subnet mask
Default gateway
DNS server

Static configuration requires that you visit each computer and input the IPv4
configuration. This method of computer management becomes very time-
consuming if your network has more than 20 users. Additionally, making a large
number of manual configurations increases the risk that mistakes will occur.
DHCPv4 enables you to assign automatic IPv4 configuration for large numbers of
computers without having to assign each one individually. The DHCP service
receives requests for IPv4 configuration from computers that you configure to
obtain an IPv4 address automatically, and assigns IPv4 information from scopes
that you define for each of your network's subnets. The DHCP service identifies the
subnet from which the request originates, and assigns IP configuration from the
relevant scope.

Considerations for Planning DHCP Servers
In order to provide continued IPv4 functionality, a DHCP server must remain
online at all times to service renewal requests. To provide this high
availability of the addressing service, consider deploying multiple DHCP servers.
When deploying DHCP servers, consider the following factors:
DHCP servers do not communicate with one another. Therefore, if you
configure duplicate or overlapping scopes on the servers, duplicate IP
addresses could be allocated, leading to network problems. Consider using the
80/20 rule to help to address this issue.
Routers do not typically forward the broadcast packets used by DHCP clients
during the initial configuration and renewal phases. Therefore, it is necessary
to implement additional functionality or protocols in order to ensure that
client computers that reside within subnets with no local DHCP server can still
obtain an IP address dynamically.
The DHCP service is disk intensive. Consequently, you must implement
DHCP on servers with an optimized disk subsystem.
Use shorter lease durations where there is a shortage of addresses available in
a pool.
Demonstration: Allocating IPv4 Addresses with DHCP

Key Points
Deploy an additional DHCP server in the adatum.com domain.
Authorize the server in Active Directory.
Create the necessary scopes to support the 80/20 rule for two subnets.

High-level steps:
Deploy the DHCP server role on the SEA-SVR1 server.
Create an IPv4 scope on SEA-SVR1 that provides 80 percent of the IPv4
addresses for subnet 1; the remainder is excluded from allocation.
Create a second IPv4 scope that provides 20 percent of the IPv4 addresses for
subnet 2; the remainder is excluded from allocation.

Question: Why is it important to authorize DHCP servers?


Lesson 2
Planning for Name Resolution Services

Name resolution provides the foundation for many network services. The Domain
Name System (DNS) has been widely adopted as the standard for name resolution
in IP networks. To ensure that network services can function optimally, you must
plan your DNS implementation carefully.
Objectives
After completing this lesson, you will be able to:
Describe the name resolution process.
Plan your DNS name space.
Plan DNS zones.
Describe DNS forwarding and when to use forwarding.
List the considerations for deploying the DNS role.
Deploy the DNS server role.
How DNS Names Are Resolved

Key Points
When DNS names are resolved on the Internet, an entire system of computers is
used rather than just a single server. There are 13 root servers on the Internet that
are responsible for managing the overall structure of DNS resolution.
For example, the name resolution process for the name www.microsoft.com is:
A workstation queries the local DNS server for the IP address of
www.microsoft.com.
If the local DNS server does not have the information, then it queries a root
DNS server for the location of the .com DNS servers.
The local DNS server queries a .com DNS server for the location of the
Microsoft.com DNS servers.
The local DNS server queries the Microsoft.com DNS server for the IP address
of www.microsoft.com.
The IP address of www.microsoft.com is returned to the workstation.
The name resolution process can be modified by:
Caching. After a local DNS server resolves a DNS name, it will cache the
results for approximately 24 hours. Subsequent resolution requests for the
DNS name are given the cached information.
Forwarding. A DNS server can be configured to forward DNS requests to
another DNS server instead of querying root servers. For example, requests for
all Internet names can be forwarded to a DNS server in your perimeter
network, or else to a DNS server at your ISP.
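The following Python simulation is an added example, not taken from the course: it walks the iterative resolution steps listed above (root, then .com, then the domain's own servers) against a constructed set of authoritative servers, and models the two modifications just described, caching with a TTL and forwarding to another server. The server names root.example, tld.example and auth.example and the answer 203.0.113.10 are made up for the simulation.

```python
import time

# Constructed authoritative data for the simulation (hypothetical server names
# and a documentation-range IP, not real DNS records). Each server knows either
# an answer ("A") or a referral ("NS") to the next server down the tree.
AUTHORITATIVE = {
    "root.example": {"com": ("NS", "tld.example")},
    "tld.example": {"microsoft.com": ("NS", "auth.example")},
    "auth.example": {"www.microsoft.com": ("A", "203.0.113.10")},
}


def authoritative_query(server: str, qname: str) -> tuple:
    """Ask `server` about `qname`; it answers with the most specific data it
    holds, trying the full name first and then each shorter suffix."""
    zone = AUTHORITATIVE[server]
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    raise LookupError(f"{server} has no data for {qname}")


class LocalDnsServer:
    """A caching server playing the 'local DNS server' role in the text."""

    def __init__(self, root_server: str, forwarder=None, cache_ttl=24 * 3600):
        self.root_server = root_server
        self.forwarder = forwarder      # another LocalDnsServer, or None
        self.cache_ttl = cache_ttl      # seconds an answer is reused (~24 h)
        self.cache = {}                 # name -> (ip, expiry time)

    def resolve(self, name: str, now: float = None):
        """Return (ip, trace); trace lists the steps taken, for teaching."""
        now = time.time() if now is None else now
        trace = []
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            # Caching: a resolved name is answered from cache until it expires.
            trace.append(f"cache hit for {name}")
            return hit[0], trace
        if self.forwarder is not None:
            # Forwarding: hand the whole query to another server instead of
            # walking down from the root ourselves.
            trace.append(f"forwarding {name} to upstream server")
            ip, inner = self.forwarder.resolve(name, now)
            trace.extend("  " + step for step in inner)
        else:
            ip = self._iterate(name, trace)
        self.cache[name] = (ip, now + self.cache_ttl)
        return ip, trace

    def _iterate(self, name: str, trace: list) -> str:
        """Root -> TLD -> domain servers, following referrals to an answer."""
        server = self.root_server
        for _ in range(8):          # hop limit guards against referral loops
            rtype, value = authoritative_query(server, name)
            trace.append(f"asked {server} for {name}: {rtype} {value}")
            if rtype == "A":
                return value
            server = value
        raise LookupError(f"too many referrals resolving {name}")


if __name__ == "__main__":
    isp = LocalDnsServer(root_server="root.example")
    internal = LocalDnsServer(root_server="root.example", forwarder=isp)
    ip, steps = internal.resolve("www.microsoft.com", now=0)
    print(ip)
    print("\n".join(steps))
```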
Planning Your DNS Namespace

Key Points
When you begin planning your DNS name space, you must consider both the
internal name space as well as the external name space. There is no requirement
for you to implement the same DNS domain name internally that you have
externally. When implementing a domain name for your internal DNS name space,
there are three possible strategies:
Select a matching domain name internally, for example adatum.com. This
provides simplicity, which is why it is often a suitable choice for smaller
organizations.
Choose a different domain name, for example adatum.priv. This provides for
obvious separation in the name space. In complex networks with many
Internet-facing applications, use of a different name introduces some clarity
when configuring these applications. For example, edge servers, placed in your
perimeter network, often require multiple network interface cards, one
connected to the private network, and one servicing requests from the public
network. If they each have different domain names, it is often easier to
complete the configuration of that server.
Implement a child domain of the public domain name, for example
priv.adatum.com. This provides a hybrid approach; the name is different,
allowing for separation of the name space, but also related to the public name,
providing simplicity.
Planning DNS Zones

Key Points
In essence, a zone is a database that stores the information about a part of the DNS
name space. Often, the zone maps on a one-to-one basis with the DNS domains. If
you create a subdomain, for example south.adatum.com, then you must consider
how to implement the domain name into your DNS infrastructure.
There are essentially two approaches:
You can create a new zone for the new DNS domain name. This zone will have
its own DNS name servers, and you must configure a relationship between the
new child DNS domain name and its parent, adatum.com.
The alternative method is to create a subdomain in the existing adatum.com
zone. In this scenario, no name servers exist within the south.adatum.com
child domain; rather, the DNS servers in the parent domain, adatum.com,
service name query requests for hosts assigned a south.adatum.com DNS
name.
Planning for Subdomains
The choice about whether to implement separate zones for child subdomains is
primarily based on two factors:
Administrative separation. If you want to provide for a degree of
administrative separation of the name space, you can choose to create multiple
zones, each with its own administrator.
Performance. If the child subdomain is large, and hosts many records, use
delegation so that the domain has its own DNS servers to host the zone; this
provides for higher performance.

Planning for Zone Transfers
After you have determined how many zones you will create, you must determine
the type of zones and how zone information will be replicated, or transferred,
between the name servers that service the zone. There are a number of choices:
You can implement Active Directory integrated zones. In this event, all domain
controllers that also host the DNS role receive zone data automatically through
Active Directory replication. This is the simplest approach, and the most
secure, because Active Directory replication traffic is authenticated and encrypted.
Alternatively, you can implement non-Active Directory integrated zones. In this
instance, when you deploy the DNS role and create your zones, you must
define whether the zone is primary or secondary. A primary zone is an editable
copy of the zone, while a secondary zone is read-only, and provided for
servicing client queries. The secondary zone receives its zone data from a
master server on a periodic basis. You must define the relationship between
the secondary zone and its master server, which may be either a DNS server in
the primary zone, or another secondary DNS server. In addition, you must
enable and configure zone transfers.

Best Practice
Use Active Directory integrated zones to simplify zone transfers.
What Is DNS Forwarding?

Key Points
A forwarder is a network DNS server that forwards DNS queries for external DNS
names to DNS servers outside that network. You also can use conditional
forwarders to forward queries according to specific domain names.
A network DNS server is designated a forwarder when other DNS servers in the
network forward to it the queries that they cannot resolve locally. By using a
forwarder, you can manage name resolution for names outside your network, such
as names on the Internet, and improve the efficiency of name resolution for your
network's computers.
The server that is forwarding requests in the network must be able to communicate
with the DNS server located on the Internet. This means either you configure it to
forward requests to another DNS server or it uses root hints to communicate.
Best practices
Use a central forwarder DNS server for Internet name resolution. This can improve
performance, simplify troubleshooting, and is a security best practice.
You can use stub zones instead of conditional forwarding to handle name
resolution between specific domains. Use stub zones when you want a DNS server
hosting a parent zone to remain aware of the authoritative DNS servers for one of
its child zones.
Use stub zones if you want to provide for dynamic conditional forwarding.
Considerations for the DNS Role

Key Points
When planning to deploy DNS, there are several considerations that you must
review. These considerations include:
How many DNS zones will you configure on the server?
How many DNS records will each zone contain?
How many DNS clients will be communicating with the server on which you
configure the DNS role?
Where will you place DNS servers?
Will you place the servers centrally or does it make more sense to locate DNS
servers in branch offices?
Active Directory Integration
The Windows Server 2008 DNS role can store the DNS database two different
ways, as shown in the following table.

Storage Method: Text File
Description: The DNS server role stores the DNS entries in a text file, which you
can edit with a text editor.

Storage Method: Active Directory
Description: The DNS server role stores the DNS entries in the Active Directory
database; this database can be replicated to other domain controllers, even if
they do not run the Windows Server 2008 DNS role. You cannot use a text editor
to edit DNS data that Active Directory stores.

Active Directory integrated zones are easier to manage than traditional text-based
zones, and are more secure. The replication of zone data occurs as part of Active
Directory replication.

DNS Server Placement
Typically, you will deploy the DNS role on all domain controllers. If you decide to
implement some other strategy, keep the following points in mind:
How will client computers resolve names in the event of their usual DNS
server becoming unavailable?
What will the impact on network traffic be if client computers start to use an
alternate DNS server, perhaps distantly located?
How will you implement zone transfers? Active Directory integrated zones use
Active Directory replication to transfer the zone to all other domain
controllers. If you implement non-Active Directory integrated zones, you must
plan the zone transfer mechanism yourself.
Demonstration: Deploying the DNS Server Role

Key Points
Deploy an additional DNS server in the adatum.com domain.
Configure delegation for a subdomain.
Configure a DNS zone on the new server.

High-level steps:
1. Deploy the DNS server role to the SEA-SVR1 server.
2. On SEA-DC1, create a DNS delegation for the south.adatum.com subdomain.
3. Reconfigure the DNS suffix of the SEA-SVR1 server to south.adatum.com.
4. On SEA-SVR1, create the south.adatum.com zone.
5. Reconfigure the network properties on SEA-SVR1 and test DNS resolution.
6. Configure and test DNS forwarding on the SEA-SVR1 server.

Question: What is the difference between a DNS subdomain and a delegated
zone?
Lesson 3
Determining the Need for WINS

NetBIOS is a session management protocol, implemented over TCP/IP networks as
NetBT. Traditionally, NetBIOS applications rely on broadcasts to facilitate name
registration, name release, and name querying. Windows Internet Naming Service
(WINS) is a NetBIOS name server that you can use to resolve NetBIOS names to
IPv4 addresses. WINS provides a centralized database for registering dynamic
mappings of NetBIOS names used on a network. If you have NetBIOS applications,
it is important you understand how the WINS service works in order to plan the
placement of WINS servers. In addition, you should understand how WINS
integrates with DNS in order to plan your migration from WINS.
Objectives
After completing this lesson, you will be able to:
Describe when WINS is required.
Plan a WINS server deployment.
Implement the WINS feature.
Describe the GlobalNames zone.
Implement the GlobalNames zone.
When Is WINS Required?

Key Points
WINS resolves NetBIOS names to IP addresses, which can reduce NetBIOS
broadcast traffic and enable clients to resolve the NetBIOS names of computers
that are on different network segments (subnets).
There are several reasons WINS remains necessary on many networks. The main
reason is because some applications still use NetBIOS to provide functionality to
users.
WINS is required for the following reasons:
Older versions of Microsoft operating systems rely on WINS for name
resolution.
Some applications, typically older ones, rely on NetBIOS names.
You may need dynamic registration of single-label names.
Users may rely on the Network Neighborhood or My Network Places network
browser features.
You may not be using Windows Server 2008 as your DNS infrastructure.

You must deploy the WINS feature before a computer running Windows Server
2008 can become a WINS server. It is recommended that you configure a WINS
server with a static IP address because client computers contact the WINS server
by using an IP address.

Note: WINS is an IPv4-only service, and it will not work in an IPv6 environment.

In addition to WINS, NetBIOS names can be resolved by broadcast messages or by
implementing LMHOSTS files on all computers. Broadcast messages do not work
well on large networks because routers do not pass broadcasts. Using an
LMHOSTS file for NetBIOS name resolution is a high-maintenance solution
because the file must be constantly updated on the computers.
WINS Considerations

Key Points
The complete Windows Server 2008 WINS system includes the following
components:
WINS server. This computer processes name registration requests from WINS
clients, registers client names and IP addresses, and responds to NetBIOS
name queries that clients submit. The WINS server then returns the IP address
of a queried name if the name is listed in the server database.
WINS database. This database stores and replicates the NetBIOS name-to-IP
address mappings for a network.
WINS clients. These computers are configured to query a WINS server
directly. WINS clients dynamically register their NetBIOS names with a WINS
server.
WINS proxy agent. This computer monitors name query broadcasts on a
subnet and forwards those queries directly to a WINS server. A WINS proxy
agent enables NetBIOS-enabled computers that are unable to communicate
directly with a WINS server to resolve NetBIOS names of remote computers.

When you configure multiple WINS servers, it is important that you configure
replication between them. This ensures that the integrity of the NetBIOS names
database is maintained. WINS servers that are replication partners can implement
replication in one of three ways:
Push replication. With push replication, after a threshold of changes has
occurred, the WINS server pushes the changes to its replication partners. You
can configure the threshold value.
Pull replication. With pull replication, a WINS server periodically pulls
changes down from its replication partners. You can configure the interval
value.
Push/Pull replication. Both push and pull replication are configured between
replication partners.
Demonstration: Deploying the WINS Feature

Key Points
Deploy the WINS feature to the SEA-DC1 computer.
Use the NBTSTAT utility to register records.
Examine records with the WINS management console.

High-level steps:
1. Deploy the WINS server feature on the SEA-DC1 server.
2. Reconfigure the network settings on SEA-DC1 to use WINS for name
resolution.
3. Register NetBIOS records with the WINS server and examine these records.

Question: What NetBIOS records does a typical Windows computer register with
its WINS server?
What Is the GlobalNames Zone?

Key Points
The GlobalNames Zone (GNZ) is a new feature of Windows Server 2008. The GNZ
provides single-label name resolution for large enterprise networks that do not
deploy WINS. Some networks may require the ability to have static, global records
with single-label names that WINS currently provides. These single-label names
refer to well-known and widely used servers with statically assigned IP addresses. A
GNZ is manually created and is not available for dynamic registration of records.
GNZ is intended to help customers migrate to DNS for all name resolution; the
DNS Server role in Windows Server 2008 supports the GNZ feature.
GNZ is intended to assist in the migration from WINS; however, it is not a
replacement for WINS. GNZ is not intended to support single-label name
resolution of records that are registered in WINS dynamically, or of records
that are not typically managed by IT administrators. Support for these
dynamically registered records is not scalable, especially for larger customers
with multiple domains and/or forests.
The recommended GNZ deployment is by using an Active Directory Domain
Services (AD DS)-integrated zone, named GlobalNames, that is distributed
globally.
Instead of using the GNZ, you can choose to configure DNS and WINS integration.
You do this by configuring the DNS zone properties to perform WINS-lookups for
NetBIOS-compliant names. The advantage of this approach is that you can
configure client computers to only use a single name service, DNS, and still be able
to resolve NetBIOS-compliant names.

Best Practice
If your organization relies heavily on NetBIOS applications, continue to use WINS.
If you plan to migrate from WINS to DNS, implement WINS integration on your
DNS zones. When you have decommissioned most of your NetBIOS applications,
or only have a few NetBIOS applications, use the GNZ to manage static, single-
label names.
Demonstration: Implementing the GlobalNames Zone

Key Points
Enable and configure the GlobalNames zone for the adatum.com forest.
Configure WINS-lookup on the adatum.com zone.
Compare WINS-lookup with the GNZ.

High-level steps:
1. On SEA-DC1, enable support for the GlobalNames zone.
2. Configure DNS/WINS integration on the adatum.com DNS zone.

Question: Can you enable dynamic update on the GlobalNames zone?


Lesson 4
Planning a Perimeter Network

In order to make your network applications available to users connected to the
Internet, you must publish these applications. A common way of publishing these
applications, while maintaining security, is to use servers placed in a perimeter
network.
Objectives
After completing this lesson, you will be able to:
Describe a perimeter network.
Determine which services should be deployed to the perimeter network.
What Is a Perimeter Network?

Key Points
There are a number of different ways that you can configure your perimeter
network, and these include:
Three-legged firewall. A single device or computer with multiple network
interface cards, one of which is Internet facing, another of which is connected
to the perimeter network, and the remaining card being connected to the
intranet. Software installed on the host is used to create the separation
between the networks. The separation is achieved through filtering on the
firewall device so that only specified traffic is passed between the interfaces
designated as public, private, and perimeter. This solution works well for
smaller networks; however, because the firewall device is connected directly to
all three networks, security is compromised compared with other solutions.
Dual back-to-back firewalls. In this scenario, two firewalls are connected in
sequence across three networks: the Internet, your perimeter network, and
your corporate intranet. The network to which both firewalls are connected is
the perimeter network. The firewalls are configured to allow only appropriate
traffic to pass between their connected networks. This is a more complex and
expensive solution because it requires additional hardware and software to
configure; however, it provides for a more secure environment and is the
configuration of choice for larger networks.

Through the combination of hardware and software, and with appropriate
configuration, you should be able to create a perimeter network with the degree
of network isolation that you require, while at the same time allowing for the
necessary communication between devices located in each of the three networks.

Best Practice
Only deploy services that you specifically need in your perimeter network, and
always publish services where possible, rather than physically deploy servers to the
perimeter.
Which Services Should Be Placed In the Perimeter
Network?

Key Points
It is rare for an organization to operate without the need to connect its network
infrastructure to the Internet. At the very least, most organizations use e-mail
applications to conduct some elements of their core business.
Conduct an audit of the network services that you have within your organization
and determine which services must be available to users from the Internet. Then
consider how you want to make those services available. For example, if users
require access to their e-mail while they work away from their office, consider the
use of Web-based e-mail solutions because these are often easier to make securely
available.

Note: Applications can be configured to use specific Transmission Control Protocol (TCP)
ports; indeed, many applications are configurable to use only Hypertext Transfer
Protocol (HTTP) or HTTP Secure (HTTPS). This means that you can configure the Internet-
facing firewall to allow only TCP port 80/443 inbound.
Typical Perimeter Applications
Although not an exhaustive list, the following table helps identify common
applications that you might need to make available in your perimeter network.

Application: E-mail
Protocols: Post Office Protocol 3 (POP3), Internet Message Access Protocol 4
(IMAP4), Simple Mail Transfer Protocol (SMTP), Outlook Web Access (HTTPS),
Outlook Anywhere (HTTPS), Exchange ActiveSync (HTTPS)
Comments: Microsoft Exchange Server 2007 supports extensive publishing through
the use of Microsoft ISA server. In addition, the Exchange Edge Transport server
role enables SMTP relay functionality from the perimeter network.

Application: Web server
Protocols: HTTP, HTTPS
Comments: Place the Web servers directly in the perimeter network or publish
them with ISA server.

Application: Active Directory
Protocols: LDAP
Comments: It is inadvisable to place domain controllers in the perimeter
network. If your edge application requires access to Active Directory, consider
deploying Active Directory Lightweight Directory Services (AD LDS) into the
perimeter.

Application: Web Conferencing
Protocols: HTTPS, Session Initiation Protocol (SIP), Persistent Shared Object
Model (PSOM), Real-time Transport Protocol (RTP), Real-time Control Protocol
(RTCP)
Comments: Microsoft Office Communications server supports the use of edge
servers to extend conferencing to Internet participants. In addition, an ISA
server or other reverse proxy is required to enable some conferencing features.

Application: Instant Messaging
Protocols: SIP
Comments: SIP is the industry standard protocol used for instant messaging.
Lesson 5
Planning an IPv4 to IPv6 Transition Strategy

IPv6 is a critical technology that will help ensure that the Internet can support a
growing user base and the increasingly large number of IP-enabled devices. The
current IPv4 has served as the underlying Internet protocol for almost 30 years. Its
robustness, scalability, and limited feature set are now challenged by the growing
need for new IP addresses, due in large part to the rapid growth of new network-
aware devices. IPv6 is slowly becoming more common. While adoption may be
slow, it is important to understand how this technology will affect current
networks and how to integrate IPv6 into those networks.
Objectives
After completing this lesson, you will be able to:
Describe the benefits of IPv6 over IPv4.
Describe IPv6 addressing.
Describe the IPv6 transition technologies.
Benefits of IPv6

Key Points
Support for IPv6, a new suite of standard protocols for the Internet's Network
layer, is built into Windows Server 2008.
The IPv6 protocol provides the following benefits:
Large address space. A 32-bit address space allows for 2^32 or 4,294,967,296
possible addresses. A 128-bit address space allows for 2^128 or
340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.
Hierarchical addressing and routing infrastructure. The IPv6 address space
is designed to be more efficient for routers, which means that even though
there are many more addresses, routers can process data much more efficiently
because of address optimization.
Stateless and Stateful address configuration. IPv6 has auto-configure
capability without a DHCP protocol, and it can find router information so that
hosts can access the Internet; this is a stateless address configuration. A
stateful address configuration is when you use the DHCPv6 protocol. Stateful
configuration has two additional configuration levels: one in which DHCP
provides all the information, including the IP address and the subnet
information, and another that provides just the subnet information.
Built-in security. IPv6 has built-in IP security, whereas in IPv4, it is an
extension of the protocol. This facilitates configuration of secure network
connections. In IPv4, modifying the IPv4 source, destination, and port
information could invalidate IP security (IPsec) data. This causes issues when
IPv4 traverses network address translators (NATs). IPv6 restores end-to-end
(point-to-point) communication; NAT was conceived only to extend the life of
IPv4 public IP addresses.
Prioritized delivery. IPv6 contains a field in the packet that allows network
devices to determine that the packet should be processed at a specified rate.
This allows traffic prioritization. For example, when streaming video traffic, it
is critical that the packets arrive in a timely manner. You can set this field to
ensure that network devices determine that the packet delivery is time
sensitive.
Neighbor detection. IPv6 has much better detection of other devices and
hosts in its local network. You can use this to create ad-hoc networks through
which you can share information.
Extensibility. Finally, IPv6 has been designed so that you can extend it with
much fewer constraints than IPv4.
What Is the IPv6 Address Space?

Key Points
The most obvious distinguishing feature of IPv6 is its use of much larger addresses.
IPv4 IP addresses are expressed in four groups of decimal numbers, such as
192.168.1.1.
Each grouping of numbers represents a binary octet. In binary, the preceding
number is:
11000000.10101000.00000001.00000001 (4 octets = 32 Bits)
The size of an address in IPv6 is 128 bits, which is four times larger than an IPv4
address. IPv6 addresses also are expressed as hexadecimal addresses in their
readable format. For example, 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A.
This may seem counterintuitive for end users. However, the assumption is that
average users will rely on DNS names to resolve hosts and rarely will type IPv6
addresses manually. The IPv6 address in hex also is easier to convert to binary and
vice versa. This simplifies working with subnets, and calculating hosts and
networks.
Working with IPv6 Addresses
To convert a 128-bit IPv6 address from binary to its hexadecimal form, perform
the following steps:
Break it into eight groups of 16 bits.
Convert each of these eight groups of 16 bits into four hex characters.
Within each 16-bit group, evaluate four bits at a time to derive each hex digit.
Number the four positions in each set of four bits 1, 2, 4, and 8, starting from
the right and moving left. In the example [0010], the rightmost bit is assigned
the value 1, the next bit is assigned the value 2, the next bit is assigned the
value 4, and the leftmost bit is assigned the value 8.
To derive the hexadecimal value for a set of four bits, add up the values
assigned to each bit that is set to 1. In the example of 0010, the only bit that
is set to 1 is the bit assigned the value 2; the rest are zero. The hex value of
these four bits is therefore 2.

Examples
The following table shows the conversion of the first two sets of four bits in
this 16-bit portion of a 128-bit address:
[0010][1111][0011][1011]

Binary                            0010            1111
Values of each binary position    8421            8421
Adding values where the bit = 1   0+0+2+0 = 2     8+4+2+1 = 15, or hex F

The following example is a single IPv6 address in binary form. Note that the binary
representation of the address is quite long: the following two lines of binary
digits together make up one 128-bit address.
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
The 128-bit address is divided along 16-bit boundaries (eight groupings of
16 bits):
0010000000000001 0000110110111000 0000000000000000
0010111100111011 0000001010101010 0000000011111111
1111111000101000 1001110001011010
Each boundary is further broken into sets of four bits. Applying the methodology
described above, convert the IPv6 address. The following table shows the binary
and corresponding hexadecimal values for each set of four bits:

Binary                      Hexadecimal
[0010][0000][0000][0001]    [2][0][0][1]
[0000][1101][1011][1000]    [0][D][B][8]
[0000][0000][0000][0000]    [0][0][0][0]
[0010][1111][0011][1011]    [2][F][3][B]
[0000][0010][1010][1010]    [0][2][A][A]
[0000][0000][1111][1111]    [0][0][F][F]
[1111][1110][0010][1000]    [F][E][2][8]
[1001][1100][0101][1010]    [9][C][5][A]

Each 16-bit block expressed as four hex characters then is delimited with colons.
The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify IPv6 representation further by removing the leading zeros within
each 16-bit block. However, each block must have at least a single digit. With
leading zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
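The conversion walked through above, carried out in code. This is an added example and not part of the course material; it uses only the Python standard library and takes the two binary lines shown in the text as its sample input. The nibble_to_hex step is the 8-4-2-1 addition described in the steps, binary_to_ipv6 applies it to eight 16-bit blocks, suppress_leading_zeros produces the short form, and ipv6_to_binary goes the other way so that a round trip can be checked.

```python
"""Binary <-> hexadecimal conversion of IPv6 addresses using the
nibble-by-nibble method described in the text (added example)."""

import ipaddress

# Positional weights of the four bits in a nibble, left to right: 8, 4, 2, 1.
NIBBLE_WEIGHTS = (8, 4, 2, 1)
HEX_DIGITS = "0123456789ABCDEF"


def nibble_to_hex(bits: str) -> str:
    """Convert four binary digits to one hex digit by adding the weights
    of the positions that are set to 1 (e.g. 0010 -> 2, 1111 -> F)."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError(f"not a 4-bit group: {bits!r}")
    value = sum(w for w, b in zip(NIBBLE_WEIGHTS, bits) if b == "1")
    return HEX_DIGITS[value]


def binary_to_ipv6(binary: str) -> str:
    """Convert a 128-digit binary string to eight colon-delimited 16-bit
    blocks of four hex characters, leading zeros kept."""
    binary = "".join(binary.split())  # tolerate spaces and line breaks
    if len(binary) != 128 or set(binary) - {"0", "1"}:
        raise ValueError("an IPv6 address must be exactly 128 binary digits")
    blocks = []
    for i in range(0, 128, 16):  # eight groups of 16 bits
        group = binary[i:i + 16]
        nibbles = [group[j:j + 4] for j in range(0, 16, 4)]  # four sets of 4 bits
        blocks.append("".join(nibble_to_hex(n) for n in nibbles))
    return ":".join(blocks)


def suppress_leading_zeros(address: str) -> str:
    """Drop leading zeros in each 16-bit block; an all-zero block keeps one digit."""
    return ":".join(block.lstrip("0") or "0" for block in address.split(":"))


def ipv6_to_binary(address: str) -> str:
    """Reverse direction: any textual IPv6 form to its 128-bit binary string."""
    return format(int(ipaddress.IPv6Address(address)), "0128b")


# The two binary lines from the text, joined into one 128-bit string.
SAMPLE_BINARY = (
    "0010000000000001000011011011100000000000000000000010111100111011"
    "0000001010101010000000001111111111111110001010001001110001011010"
)

if __name__ == "__main__":
    full = binary_to_ipv6(SAMPLE_BINARY)
    print(full)                          # 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
    print(suppress_leading_zeros(full))  # 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
    assert ipv6_to_binary(full) == SAMPLE_BINARY
```

The round-trip assertion at the end is the useful check when validating hand-converted addresses in a plan: if the long form, the short form and the binary string do not all agree, one of the nibbles was misread.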
IPv6 Transition Technologies

Key Points
The migration from IPv4 to IPv6 is expected to take considerable time. This was
taken into consideration when designing IPv6 and as a result, the transition plan
for IPv6 is a multistep process that allows for extended coexistence. To achieve the
goal of a pure IPv6 environment, use the following general guidelines:
Upgrade your applications to be independent of IPv6 or IPv4. Applications
must be changed to use new Windows Sockets application programming
interfaces (APIs) so that name resolution, socket creation, and other functions
are independent regardless of whether you are using IPv4 or IPv6.
Update the DNS infrastructure to support IPv6 address (AAAA) and pointer
(PTR) records. You may have to upgrade the DNS infrastructure to support the
new AAAA records (required) and PTR records in the IP6.ARPA reverse
domain (optional). Additionally, ensure that the DNS servers support DNS
dynamic update for AAAA records so that IPv6 hosts can register their names
and IPv6 addresses automatically.
Upgrade hosts to IPv6/IPv4 nodes. You must upgrade hosts to use a dual IP
layer or stack. You also must add DNS resolver support to process DNS query
results that contain both IPv4 and IPv6 addresses. Deploy ISATAP to ensure
that IPv6/IPv4 hosts can reach each other over the IPv4-only intranet.
Upgrade routing infrastructure for native IPv6 routing. You must upgrade
routers to support native IPv6 routing and IPv6 routing protocols.
Implement tunneling. An eventual successful transition to IPv6 requires
interim coexistence of IPv6 nodes in today's predominantly IPv4 environment.
To support this, IPv6 packets are tunneled automatically over IPv4 routing
infrastructures, enabling IPv6 clients to communicate with each other by using
6to4 addresses or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
addresses and tunneling IPv6 packets across IPv4 networks.
Convert IPv6/IPv4 nodes to IPv6-only nodes. You can upgrade IPv6/IPv4
nodes to be IPv6-only nodes. This should be a long-term goal, because it will
take years for all current IPv4-only network devices to be upgraded to IPv6-
only. For those IPv4-only nodes that cannot be upgraded to IPv6/IPv4 or IPv6-
only, employ translation gateways as appropriate so that IPv4-only nodes can
communicate with IPv6-only nodes.
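Two of the steps above lend themselves to a small worked example: writing application code that is independent of IPv4 or IPv6, and recognising the 6to4 and ISATAP addresses that the tunneling step introduces. The following is an added example, not course or Windows code; it uses the Python standard library in place of the Windows Sockets APIs the text refers to. The address layouts it decodes are the published ones (6to4 places the IPv4 address in bits 16 to 47 of a 2002::/16 address, RFC 3056; an ISATAP interface identifier is 0000:5EFE or 0200:5EFE followed by the IPv4 address, RFC 5214), and the sample addresses are constructed from documentation ranges.

```python
"""Helpers for an IPv6 transition plan (added example): recover the IPv4
address embedded in 6to4 and ISATAP addresses, and let the resolver API
decide the socket family so application logic is version-independent."""

import ipaddress
import socket

SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # 6to4, RFC 3056
ISATAP_MARKER = 0x00005EFE  # bits 64..95 of an ISATAP interface identifier (RFC 5214)
ISATAP_U_BIT = 0x02000000   # u/l bit, set when the embedded IPv4 address is global


def embedded_6to4_ipv4(address: str):
    """Return the IPv4 address carried in bits 16..47 of a 6to4 address, else None."""
    addr = ipaddress.IPv6Address(address)
    if addr not in SIXTOFOUR_PREFIX:
        return None
    return str(ipaddress.IPv4Address(addr.packed[2:6]))


def embedded_isatap_ipv4(address: str):
    """Return the IPv4 address in the low 32 bits of an ISATAP interface id, else None."""
    addr = ipaddress.IPv6Address(address)
    iid = int(addr) & ((1 << 64) - 1)          # interface identifier (low 64 bits)
    marker = (iid >> 32) & ~ISATAP_U_BIT        # upper half, u/l bit ignored
    if marker != ISATAP_MARKER:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def classify(address: str) -> str:
    """Label an address as native IPv4, 6to4, ISATAP or native IPv6."""
    try:
        ipaddress.IPv4Address(address)
        return "ipv4"
    except ipaddress.AddressValueError:
        pass
    if embedded_6to4_ipv4(address) is not None:
        return "6to4"
    if embedded_isatap_ipv4(address) is not None:
        return "isatap"
    return "ipv6"


def socket_family_for(host: str, port: int) -> str:
    """Ask getaddrinfo (the protocol-independent resolver API) which address
    family to open a socket in, instead of hard-coding AF_INET. AI_NUMERICHOST
    keeps this example offline: only literal addresses are accepted here."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM,
                               0, socket.AI_NUMERICHOST)
    family = infos[0][0]
    return family.name  # 'AF_INET' or 'AF_INET6'


# Constructed sample addresses (documentation ranges, not real hosts).
SAMPLES = {
    "192.0.2.10": "ipv4",
    "2002:c000:020a::1": "6to4",        # 6to4 address carrying 192.0.2.10
    "fe80::5efe:192.0.2.10": "isatap",  # link-local ISATAP address for 192.0.2.10
    "2001:db8::1": "ipv6",
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        assert classify(sample) == expected
        print(f"{sample:26} {classify(sample):7} family={socket_family_for(sample, 443)}")
```

In a real client the getaddrinfo result list is iterated and the first entry that connects is used, so the same code works whether DNS returns A records, AAAA records or both; that is the property the first guideline asks for. The decoders are useful on the operations side, because they tell you which IPv4 endpoint a tunneled address actually belongs to when reading logs or firewall rules during the coexistence period.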
Lab: Planning Network Infrastructure for
Windows Server 2008

Note: Your instructor may run this lab as a class discussion.

Adatum has created a new regional sales force. As a result, branch offices are being
fitted out to support the various regional sales teams. You are responsible for
planning the network infrastructure for these new branch offices. Joe Healy, the
national Sales Manager, has been communicating with you about his specific
requirements for the regional office. In addition, Alan Steiner, a colleague in IT, has
visited some of the branch offices.
Exercise 1: Determining an Appropriate Network
Addressing Scheme
Scenario
You have been tasked with designing an IPv4 addressing scheme to support the
western region branch offices. There are 10 new offices, 3 in this region, and each
with around 100 computers.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Update the Branch Office Network Infrastructure
Plan: IPv4 Addressing document.
Supporting Documentation
E-mail thread of correspondence with Joe Healy and Alan Steiner:
Gregory Weber
From: Joe Healy [Joe@adatum.com]
Sent: 21 July 2009 17:30
To: Gregory@adatum.com
Subject: Re: Network applications for branches
Greg,
Well, I'm not terribly technical myself, but in terms of what the sales people use,
it's mostly office productivity software. They do have a sales database, of course,
which I believe to be built on SQL Server. Currently, that data is held on several
different databases, but we're merging that right now to create a national database.
I understand from your colleague, Alan Steiner, that we're going to create regional
replicas of the data in that database. As to network traffic, I guess you'd need to ask
Alan.
Hope that is useful.
Regards,
Joe
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 20 July 2009 09:01
To: Joe@adatum.com
Subject: Network applications for branches
Joe,
I'm about to start working on this branch offices deployment. We're at the stage of
planning the network infrastructure. Can you tell me something about the
applications that the sales team uses? I'm trying to get a feel for network traffic and
usage patterns.
Regards,
Greg
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 22 July 2009 09:05
To: Gregory@adatum.com
Subject: Re: Branch office network traffic analysis
Attachments: Adatum Western Region Branch Network Plan.vsd
Greg,
Each branch will be connected via a router to the head office; I've attached a basic
schematic of the western regional offices.
We've allocated the network address 10.10.32.0/21 for all branches in this region.
In terms of traffic, the database synchronization takes place overnight so should
not impact traffic overly. I think the traffic in the head office sales subnets right
now should be fairly indicative. Rather than send you the output, I'll just say that
we figure on around 50 computers per subnet.
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 22 July 2009 08:45
To: Alan@adatum.com
Subject: Branch office network traffic analysis
Alan,
Do you have any information about network traffic at the new branches? I
understand there is to be a database with regional replicas. Do you have any
information on that? I'm trying to figure out the number of subnets I'm going to
need per branch.
Any other information gratefully received!
Greg
Adatum Western Region Branch Network Plan.vsd
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan:
IPv4 Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing

Document Reference Number: GW0709/1
Document Author: Gregory Weber
Date: 25th July

Requirements Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales
offices, shown in the exhibit.
The block address 10.10.32.0/21 has been reserved for this region.
You must devise a scheme that supports the required number of subnets, the
required number of hosts, and provide for 25% growth of hosts in each branch.
For each branch, provide the subnet addresses you plan to use, together with the
start and end IP addresses for each subnet.

Additional Information
You do not need to concern yourself with the IP addressing for the corporate side
of the router at each branch.
Proposals
1. How many subnets do you envisage requiring for this region?

2. How many hosts will you deploy in each subnet?

3. What subnet mask will you use for each branch?

4. What are the subnet addresses for each branch?

5. What range of host addresses are in each branch?

Results: After this exercise, you should have a completed IP addressing plan for the
western region branch offices.
Exercise 2: Planning the Placement of Network Servers
Scenario
Having determined the appropriate addressing scheme for the branch offices in the
western region sales division, you must now determine how best to deploy
network services to support users working in those locations. Alan Steiner has sent
you an e-mail with some additional information about the requirements.
Using the information in the supporting documentation, and bearing in mind the
subnet addressing scheme you previously planned, complete the Branch Office
Network Infrastructure Plan: Network Services document.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Branch Office Network Infrastructure Plan:
Network Services document.
Supporting Documentation
E-Mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 24 July 2009 17:00
To: Gregory@adatum.com
Subject: Re: Branch office network services

Greg,
Answers in line below,
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 24 July 2009 13:30
To: Alan@adatum.com
Subject: Branch office network services
Alan,
OK, I have worked out an IP addressing scheme for the branches. Next I need to
think about the infrastructure. Could you answer the following questions?
1. How are IP addresses to be assigned for this region?
[Alan] By DHCP
2. Is there anything I should know about the DNS name space for the sales offices?
[Alan] The sales computers will be in their own DNS name space,
sales.adatum.com
3. I have a vague recollection that one of the line-of-business applications that sales
uses requires NetBIOS. Is that right?
[Alan] You're right, Greg, they need NetBIOS name resolution in sales.
Thanks,
Greg
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan:
Network Services document.

Branch Office Network Infrastructure Plan: Network Services

Document Reference Number: GW0709/2
Document Author: Gregory Weber
Date: 25th July

Requirements Overview
Specify which network services are required in each sales office, and any changes
that might be required in the head office to facilitate your proposals.

Additional Information
It is important that any router, server, or communications link failure does not
adversely affect users.
Proposals
1. How many DHCP servers do you propose to deploy in the region?

2. Where do you propose to deploy these servers?

3. What name resolution services are required?

4. To support the DNS name space in the sales division, how would you propose
to configure DNS?

5. Will you require WINS?

6. If so, how many WINS servers will you require for the region?

7. If not, how do you propose to support single-label names?

Results: After this exercise, you should have a completed plan for the deployment of
network services in the western regional branch offices.
Exercise 3: Implementing the Planned Network Services
Scenario
You are on-site at one of the regional offices, and you must now configure network
services to support your proposals.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Deploy the DHCP server role.
3. Configure scopes to support the branch office.
4. Configure DNS to support the branch office.
5. Enable DNS/WINS integration to support NetBIOS applications.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to deploy the DHCP Server role. Use the following
information to complete the process:
a. On the Select Network Connection Bindings page, click Next.
b. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS
Server IPv4 Address box, type 10.10.0.10, and then click Next.
c. On the Specify IPv4 WINS Server Settings page, click Next.
d. On the Add or Edit DHCP Scopes page, click Next.
e. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6
stateless mode for this server, and then click Next.
f. On the Authorize DHCP Server page, click Next.

Task 3: Configure the primary DHCP scope for subnet 1
Create a new scope. Use the following information to help complete the
process:
Scope Name: Branch 1 subnet 1 scope 1
IP address range: 10.10.32.1 to 10.10.32.125
Subnet mask: 25 bits
Exclusions: 10.10.32.100 to 10.10.32.125
Lease duration: default
Router: 10.10.32.126

Task 4: Configure the secondary DHCP scope for subnet 2
Create a new scope. Use the following information to help complete the
process:
Scope Name: Branch 1 subnet 2 scope 2
IP address range: 10.10.32.129 to 10.10.32.253
Subnet mask: 25 bits
Exclusions: 10.10.32.129 to 10.10.32.229
Lease duration: default
Router: 10.10.32.254
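Before typing scope values into the DHCP console it is worth checking that they are consistent with the subnet they serve: the distribution range must stay inside the usable host addresses of the subnet, the router must be on that subnet, and the router must not be an address the server could lease out. The following added example (not part of the lab, Python standard library only) encodes those checks and counts how many addresses each scope can actually lease once the exclusions are removed. The two scopes are the ones specified in Tasks 3 and 4; BAD_SCOPE is a constructed counter-example.

```python
"""Consistency checks for planned DHCP scopes (added example, not lab
material). Uses the Tasks 3 and 4 scope values as sample input."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    name: str
    subnet: ipaddress.IPv4Network        # e.g. 10.10.32.0/25 for a 25-bit mask
    range_start: ipaddress.IPv4Address   # first address in the distribution range
    range_end: ipaddress.IPv4Address     # last address in the distribution range
    router: ipaddress.IPv4Address        # option 003, the default gateway
    exclusions: list = field(default_factory=list)  # list of (start, end) tuples


def check_scope(scope: Scope) -> list:
    """Return a list of problems; an empty list means the scope is consistent."""
    problems = []
    net = scope.subnet
    usable_first = net.network_address + 1     # network address itself is not usable
    usable_last = net.broadcast_address - 1    # nor is the broadcast address
    if not (usable_first <= scope.range_start <= scope.range_end <= usable_last):
        problems.append(f"{scope.name}: range must lie within {usable_first}-{usable_last}")
    if scope.router not in net:
        problems.append(f"{scope.name}: router {scope.router} is not in {net}")
    in_range = scope.range_start <= scope.router <= scope.range_end
    excluded = any(s <= scope.router <= e for s, e in scope.exclusions)
    if in_range and not excluded:
        problems.append(f"{scope.name}: router {scope.router} could be leased to a client")
    for s, e in scope.exclusions:
        if not (scope.range_start <= s <= e <= scope.range_end):
            problems.append(f"{scope.name}: exclusion {s}-{e} is outside the range")
    return problems


def leasable_addresses(scope: Scope) -> int:
    """Addresses DHCP can hand out: the range minus every excluded address."""
    excluded = set()
    for s, e in scope.exclusions:
        excluded.update(range(int(s), int(e) + 1))
    return sum(1 for a in range(int(scope.range_start), int(scope.range_end) + 1)
               if a not in excluded)


A = ipaddress.IPv4Address
N = ipaddress.IPv4Network

# Scope values exactly as given in Tasks 3 and 4.
SCOPE_1 = Scope("Branch 1 subnet 1 scope 1", N("10.10.32.0/25"),
                A("10.10.32.1"), A("10.10.32.125"), A("10.10.32.126"),
                [(A("10.10.32.100"), A("10.10.32.125"))])
SCOPE_2 = Scope("Branch 1 subnet 2 scope 2", N("10.10.32.128/25"),
                A("10.10.32.129"), A("10.10.32.253"), A("10.10.32.254"),
                [(A("10.10.32.129"), A("10.10.32.229"))])
# Constructed bad scope: range includes the broadcast address, router on another subnet.
BAD_SCOPE = Scope("constructed bad scope", N("10.10.32.0/25"),
                  A("10.10.32.1"), A("10.10.32.127"), A("10.10.33.1"))

if __name__ == "__main__":
    for sc in (SCOPE_1, SCOPE_2, BAD_SCOPE):
        print(sc.name, check_scope(sc) or "OK", leasable_addresses(sc), "leasable")
```

Note what the counts show for the lab values: scope 1 can lease 99 addresses and scope 2 only 24, because most of its range is excluded. Whether that is enough is exactly the kind of question the growth requirement in Exercise 1 asks you to answer.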
Task 5: Create a subdomain in DNS
1. Switch to the SEA-DC1 computer.
2. Open the DNS Manager.
3. Add a new domain in the Adatum.com zone.

Task 6: Configure zone transfers for the Adatum.com zone
In the DNS Manager, enable zone transfers for the Adatum.com zone.

Task 7: Deploy the DNS role on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Using Server Manager, deploy the DNS Server role on SEA-SVR1.

Task 8: Configure a secondary zone on SEA-SVR1
Create a new forward lookup zone on SEA-SVR1. Use the following
information to help complete the process:
Zone type: secondary
Zone name: Adatum.com
Master DNS server: 10.10.0.10

Task 9: Enable the WINS feature, and configure DNS/WINS integration
1. Using Server Manager, on SEA-SVR1, add the WINS Server feature.
2. Switch to the SEA-DC1 computer.
3. In DNS Manager, enable WINS Forward Lookup:
a. Right-click Adatum.com, and then click Properties.
b. On the WINS tab, select the Use WINS forward lookup check box.
c. In the IP address box, type 10.10.0.100, press Add, and then click OK.
4. Switch to the SEA-SVR1 computer.
5. In DNS Manager, right-click Adatum.com, and then click Transfer from
Master.

Note: You might need to wait a few moments before you see the WINS record. Press
Refresh if needed.

Task 10: Configure DHCP options to support the deployed services
1. On SEA-SVR1, in the DHCP console, right-click Server Options, and then click
Configure Options.
2. Configure the following options:
006 DNS Servers: 10.10.0.100
015 DNS Domain Name: sales.adatum.com
044 WINS/NBNS Servers: 10.10.0.100

Results: After this exercise, you should have successfully deployed branch office
network services.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. What is the host range of addresses in the 172.16.16.0/21 subnet?

2. You intend to deploy the DHCP server role where necessary throughout your
routed network. What considerations should you bear in mind?

3. What is the difference between a subdomain in a DNS zone, and a delegated
zone?

4. What are the advantages of Active Directory integrated zones?

5. When planning WINS, how many servers should you consider deploying?
Module 3
Planning for Active Directory
Contents:
Lesson 1: Selecting a Domain and Forest Topology 3-3
Lesson 2: Selecting a Domain and Forest Functional Level 3-19
Lesson 3: Planning Identity and Access Services in Active Directory 3-27
Lesson 4: Implementing Active Directory in the Physical Network 3-37
Lab: Planning for Active Directory 3-48
Module Overview

In order to optimize an Active Directory Domain Services (AD DS) infrastructure,
you must plan the implementation carefully. This planning should include
consideration of the Active Directory directory services topology, the domain and
forest functional level, which related Active Directory services you must deploy in
order to support your network, and the steps you must take to configure Active
Directory to support your physical network infrastructure.
Objectives
After completing this module, you will be able to:
Select an appropriate Active Directory topology.
Configure the domain and forest functional level.
Describe Active Directory identity and access services.
Configure Active Directory to support your physical network.
Lesson 1
Selecting a Domain and Forest Topology

It is important that before you commence the deployment of Active Directory and
related services, you consider the overall design of the Active Directory topology in
terms of forests, trees, and domains; the site and subnet topology; the
organizational unit and administrative structure.
Objectives
After completing this lesson, you will be able to:
Describe important Active Directory terminology.
Determine how many Active Directory forests to deploy.
Determine when to implement a design that incorporates multiple domains.
Determine how many Active Directory trees to implement in your forest.
Describe a trust relationship.
Select a suitable Active Directory topology.
Overview of Active Directory

Key Points
Active Directory is a distributed database that provides a logical grouping of
objects, such as users, computers, and groups. Active Directory is managed
centrally by Windows Server 2008 servers deployed with the AD DS role. These
servers are known as domain controllers. In order to plan and deploy Active
Directory, you must understand the components that combine to create an Active
Directory infrastructure.

What Is a Forest?
In AD DS, a forest is the highest level of the logical structure hierarchy. An
Active Directory forest represents a single self-contained directory. A forest is a
security boundary, which means that administrators in a forest have complete
control over all access to information that is stored inside the forest and to the
domain controllers that are used to implement the forest.
Domain controllers in a forest share a common schema, a common global catalog,
and a common forest-root domain.
What Is the Schema?
The schema is the Active Directory component that defines all the objects and
attributes that the directory service uses to store data. For instance, the schema
defines the user object type, and defines the attributes that are maintained for the
user object type such as full name, password, display name, and so forth.
The schema is a single master element of Active Directory. This means that you
must make changes to the schema at the domain controller that holds the schema
operations master role.

What Is the Global Catalog?
The global catalog is a distributed database that contains a searchable
representation of every object from all domains in a multidomain forest. However,
the global catalog does not contain all attributes for each object; rather, it maintains
a subset of attributes: those that are most likely to be useful in cross-domain
searches.


What Is a Tree?
If your Active Directory consists of more than one domain, you must define the
relationship between the domains. If the domains share a common root and a
contiguous namespace, then they are logically part of the same Active Directory
tree. A tree serves no administrative purpose; that is, there is no tree administrator
as there is a forest or domain administrator. A tree provides a logical, hierarchical
grouping of domains that have parent/child relationships defined through their
names. Your Active Directory tree maps to your DNS namespace.
What Is a Domain?
A domain is an administrative boundary. All domains host an Administrator user
account that has full administrative capabilities over all objects within the domain.
Although the administrator can delegate administration on objects within the
domain, the account retains full administrative control of all objects within the
domain.
In earlier versions of Windows Server, domains were considered to provide
complete administrative separation; indeed, one of the fundamental reasons for
selecting a multidomain topology was to provide for this separation. However, in
Active Directory, the administrator account in the forest root domain also has full
administrative control to all objects in the forest, rendering this domain-level
administrative separation invalid.
A domain is a replication boundary. Active Directory consists of three elements, or
partitions; these are the schema, the configuration partition, and the domain
partition. Generally, it is only the domain partition that changes frequently.
The domain partition contains objects that are likely to be updated often; these
include users, computers, groups, and organizational units. Consequently, Active
Directory replication consists primarily of the updates to objects defined within the
domain partition. Only domain controllers in a particular domain receive domain
partition updates from other domain controllers.

What Is a Site?
A site is a logical representation of a geographical area in your network. A site
represents a high-speed network boundary for your Active Directory computers;
that is, computers that can communicate with high speed and low latency can be
grouped into a site; domain controllers within a site replicate Active Directory data
in an optimized way for this environment; this replication configuration is largely
automatic.

What Is an Organizational Unit?


Organizational units are container objects within a domain that enable an
administrator to group objects together for management purposes. Objects within
an organizational unit can be managed as a single entity.
Considerations for Designing a Forest Infrastructure

Key Points
To create a forest design, first identify the business requirements that an
organization's directory structure needs to accommodate. This involves
determining how much autonomy the groups in the organization need to manage
their network resources, and whether each group needs to isolate its resources
on the network from other groups.
After identifying business requirements, you can determine the number of forests
needed. To determine this number, you must carefully identify and evaluate the
isolation and autonomy requirements for each group in the organization and map
those requirements to the appropriate forest design models.
Considerations
There are several points that are helpful to consider when determining the number
of forests to deploy.
Isolation requirements limit design choices. Therefore, if isolation
requirements have been identified, be sure that the groups actually require
data isolation and that data autonomy is not sufficient for their needs. Then
the organization must ensure that the various groups in the organization
clearly understand the concepts of isolation and autonomy.
Negotiating the design can be a lengthy process. It can be difficult for groups
to come to agreement about ownership and utilization of available resources.
During the design process there must be enough time for the groups in the
organization to conduct adequate research to identify their needs, which
involves setting firm deadlines for design decisions and getting consensus
from all parties on the established deadlines.
Determining the number of forests to deploy involves balancing costs against
benefits. A single-forest model is the most cost-effective option and requires
the least amount of administrative overhead. Although a group in the
organization might prefer autonomous service operations, it might be more
cost-effective for the organization to subscribe to service delivery from a
centralized, trusted IT group, allowing the group to own data management
without creating the added costs of service management. Balancing costs
against benefits might require input from the executive sponsor.
After the design requirements are mapped to forest models and the forest
model is selected that meets the needs of the organization, you should
document the proposed forest design. The information that you should
include in the documentation is the name of the group for which the forest is
designed, the contact information for the forest owner, the type of forest for
each forest, and the requirements that each forest is designed to meet. This
documentation helps the design team to ensure that all of the appropriate
people are involved in the design process and to clarify the scope of the
deployment project.
Best Practice
Use a single forest unless any of the following apply:
You need the level of administrative separation that multiple forests provide.
Your organization is very large, and consists of several distinct operating
divisions, each of which has different schema requirements.
You are deploying an application that is implemented on a per-forest basis,
such as Exchange Server 2007, and different parts of your organization have
differing requirements of this forest-level application.

Additional Reading
Download the Infrastructure Planning and Design Guide Series:
http://go.microsoft.com/fwlink/?LinkID=163879&clcid=0x409.
Guidelines for Designing an Active Directory Domain
Infrastructure

Key Points
Domains partition the information that is stored inside the directory into smaller
portions so that the information can be more easily stored on various domain
controllers and so that administrators have a greater degree of control over
replication. Data that is stored in the directory is replicated throughout the forest
from one domain controller to another. Some data that is relevant to the entire
forest is replicated to all domain controllers, while other data that is relevant only
to a specific domain is replicated only to domain controllers in that particular
domain. A good domain design makes it possible to implement an efficient
replication topology.

Note: Active Directory consists of three partitions: the schema partition, the
configuration partition, and the domain partition. The first two are replicated to all
domain controllers within the forest; the last, the domain partition, is only replicated
among domain controllers that are part of the same domain.
Guidelines
There are three guidelines to follow when devising a domain infrastructure.

Review domain models. By reviewing the domain models, you can identify the
factors that affect the choice of domain design model. By identifying the amount
of available capacity on the network that can be allocated to Active Directory,
an organization can select a model that provides efficient replication of
information with minimal impact on available network bandwidth. If an
organization includes a large number of users, deploying more than one domain
enables the partitioning of data and gives more control over the amount of
replication traffic that passes through a given network connection. This makes
it possible to control where data is replicated and to reduce the load created
by replication traffic on slow links in the network.

Determine the number of domains. Every forest starts with a single domain. The
maximum number of users that a single-domain forest can contain depends on the
slowest link that must carry replication between domain controllers and on the
bandwidth allocated to Active Directory. If all the users can't be accommodated
in a single domain, an organization can select the regional domain model. This
involves dividing the organization into regions that make sense for the
organization and fit the existing network; for example, the organization can be
separated into regions based on continental boundaries. Although the
organization needs to create a domain for each region, it is best to minimize
the number of regions. Although it is possible to include an unlimited number of
domains in a forest, for manageability reasons it is recommended that a forest
include no more than 10 domains. The key in determining the number of regions is
to establish the appropriate balance between optimizing replication bandwidth
and minimizing administrative complexity.

Note: If you identify three regions within your organization, it might be desirable to
create an empty forest root and three child domains. For example, in Adatum.com, there
are three regions: Europe, Americas, and Asia. Although the worldwide headquarters are
in North America, it might still be desirable to create the Adatum.com domain with three
children: europe.adatum.com, americas.adatum.com, and asia.adatum.com. This
configuration enables you to configure truly forest-wide settings on the empty forest
root while not affecting the region of the Americas.
Determine whether to upgrade existing domains or deploy new domains.
This consideration is only important when upgrading an existing Windows
Server Active Directory infrastructure to Windows Server 2008 AD DS. In this
scenario, each domain will either be a new domain or an existing domain that
has been upgraded in place. Users from existing domains that are not
upgraded in place must be migrated into new domains. Moving accounts
between domains can impact end users. Before deciding whether to migrate
users into a new domain or upgrade existing domains in place, evaluate the
long-term administrative benefits of a new Active Directory domain against the
cost of migrating users into the domain.
Determining Whether to Implement Multiple Trees in
Your Forest

Key Points
Active Directory trees are created by the relationships between the domains
within the forest. There is no intrinsic reason why you should, or indeed should
not, create multiple trees within your forest. However, keep in mind that a
single tree, with its contiguous name space, is easier to manage and easier for
users to visualize.

Best Practice
Consider using multiple trees within a single forest if you have multiple name
spaces to support; for example, if within your organization there are several
distinct operating divisions with different public identities, you could create a
different tree for each operating division. Bear in mind that with this scenario,
there is no separation of administration, because the forest root administrator
still has complete control over all objects in the forest, in whichever tree
they reside.

Note: There is no technical benefit to this strategy, only a political one.


What Is a Trust Relationship?

Key Points
A trust relationship enables one security entity to trust another security entity for
the purposes of authentication. In Windows Server 2008, the security entity is the
Windows domain.
In any trust relationship, there are two parties involved: the trusting entity
and the trusted entity. The trusting entity is the resource-holding entity,
while the trusted entity is the account-holding entity.
Types of Trusts
Trusts can be one-way or two-way. A one-way trust means that although one entity
trusts the other, the reciprocal is not true. In a two-way trust, both entities trust one
another.
Trusts can be transitive or nontransitive. In a transitive trust, if A trusts B and B
trusts C, then A also implicitly trusts C.
Windows Server 2008 supports a number of different trusts for use in different
situations.
In a single forest, all domains trust one another with internal, two-way transitive
trusts. In essence, this means that all domains trust all other domains. These trusts
extend across trees within the forest. Aside from these automatically created trusts,
you can configure additional trusts between domains within your forest, between
your forest and other forests, and between your forest and other security entities,
such as Kerberos realms or Windows NT 4.0 domains. The following table
provides more information.

External trust
  Transitivity: nontransitive
  Direction: one-way or two-way
  Use external trusts to provide access to resources that are located in a
  Windows NT 4.0 domain or in a domain in a separate forest that is not joined
  by a forest trust.

Realm trust
  Transitivity: transitive or nontransitive
  Direction: one-way or two-way
  Use realm trusts to form a trust relationship between a non-Windows Kerberos
  realm and a Windows Server 2008 or Windows Server 2008 R2 domain.

Forest trust
  Transitivity: transitive
  Direction: one-way or two-way
  Use forest trusts to share resources between forests. If a forest trust is a
  two-way trust, authentication requests that are made in either forest can
  reach the other forest.

Shortcut trust
  Transitivity: transitive
  Direction: one-way or two-way
  Use shortcut trusts to improve user logon times between two domains within a
  Windows Server 2008 or Windows Server 2008 R2 forest. This is useful when two
  domains are separated by two domain trees.
Discussion: Selecting an Active Directory Topology

Key Points
Scenario 1
The Fabrikam Corporation is planning to implement Active Directory throughout
its organization. Fabrikam has a worldwide operation, with offices based in
Europe, Asia, and North America. In consultation with staff in the IT department of
Fabrikam, you determine the following facts:
- There are 30,000 users distributed fairly evenly across all three regions.
- Headquarters for the worldwide operation are in Dallas, Texas.
- Headquarters for the North American division are also based in Dallas.
- The Asian headquarters are based in Singapore, and the European
  headquarters are in Paris, France.
- Each continental headquarters supports regional national offices; these
  national offices are connected by high-speed links to their respective
  continental headquarters.
- The national offices act as hubs for branch offices.

Using this information, answer the following questions.

Question: What are your initial thoughts about a forest topology?

Question: How many domains do you envisage using?

Question: How many sites do you imagine will be required?

Question: Do you think that more than one tree is indicated?

Scenario 2
You spend some more time researching the Fabrikam organization, and learn the
following additional facts:
- The Asian division has recently acquired a company, Contoso Corporation,
  based in Australia, that manufactures batteries for telecommunications
  equipment. This company already has Active Directory deployed in a
  single-forest environment.
- Fabrikam is planning to deploy Exchange Server 2007 within the first few
  months of deploying Active Directory.

How might these new discoveries affect your plans? Answer the following
questions:

Question: How many forests do you envisage?

Question: How does implementing Exchange Server affect your plans?


Scenario 3
With a final set of staff interviews with some of the regional IT managers, it
transpires that it is highly desirable to implement administrative separation of each
region. How does this affect your Active Directory topology?
Answer the following questions:

Question: How many forests do you envisage?

Question: How many domains are required?

Question: How many trusts will you need to create?


Lesson 2
Selecting a Domain and Forest Functional Level

Windows Server 2008 AD DS provides a number of new features that are available
only when the appropriate domain and forest functional levels have been
configured. This lesson explores these functional levels and their related
features.
Objectives
After completing this lesson, you will be able to:
- Describe the Active Directory features available in each of the domain
  functional levels.
- Describe the Active Directory features available in each of the forest
  functional levels.
- Configure the domain and forest functional level.
What Are the Domain Functional Levels?

Key Points
The following table shows which features are enabled at each domain functional
level. It also shows the operating systems for domain controllers that are
supported at each functional level.
Windows 2000 native (the default domain functional level)
  Supported domain controller operating systems: Windows 2000 Server,
  Windows Server 2003, Windows Server 2008.
  Enabled features: all default Active Directory features and the following:
  - Universal groups are enabled for both distribution groups and security
    groups.
  - Group conversion is enabled, which makes conversion between security
    groups and distribution groups possible.
  - Security identifier (SID) history.

Windows Server 2003
  Supported domain controller operating systems: Windows Server 2003,
  Windows Server 2008.
  Enabled features: all default Active Directory features, all features from
  the Windows 2000 native domain functional level, and the following:
  - The availability of the domain management tool, netdom.exe, to prepare
    for domain controller rename.
  - Update of the logon timestamp. The lastLogonTimestamp attribute is updated
    with the last logon time of the user or computer. This attribute is
    replicated within the domain.
  - The ability to set the userPassword attribute as the effective password on
    inetOrgPerson and user objects.
  - The ability to redirect the Users and Computers containers. By default,
    two well-known containers are provided for housing computer and
    user/group accounts: cn=Computers,<domain root> and
    cn=Users,<domain root>. This feature makes it possible to define a new
    well-known location for these accounts.
  - Constrained delegation, so that applications can take advantage of the
    secure delegation of user credentials by means of the Kerberos
    authentication protocol. Delegation can be configured to be allowed only
    to specific destination services.
  - Selective authentication, through which it is possible to specify the
    users and groups from a trusted forest who are allowed to authenticate to
    resource servers in a trusting forest.

Windows Server 2008
  Supported domain controller operating systems: Windows Server 2008.
  Enabled features: all default Active Directory features, all features from
  the Windows Server 2003 domain functional level, and the following:
  - Distributed File System Replication support for SYSVOL, which provides
    more robust and detailed replication of SYSVOL contents.
  - Advanced Encryption Standard (AES 128 and AES 256) support for the
    Kerberos protocol.
  - Last Interactive Logon Information, which displays the time of the last
    successful interactive logon for a user, from what workstation, and the
    number of failed logon attempts since the last logon.
  - Fine-grained password policies, which make it possible for password and
    account lockout policies to be specified for users and global security
    groups in a domain.

Note: Changes to the domain functional level are not reversible.


What Are the Forest Functional Levels?

Key Points
The following table shows which features are enabled at each forest functional
level. It also shows the operating systems for domain controllers that are
supported at each functional level.

Windows 2000 (the default forest functional level)
  Supported domain controllers: Windows 2000 Server, Windows Server 2003,
  Windows Server 2008.
  Enabled features: all default Active Directory features.

Windows Server 2003
  Supported domain controllers: Windows Server 2003, Windows Server 2008.
  Enabled features: all default Active Directory features and the following:
  - Forest trust.
  - Domain rename.
  - The ability to deploy a read-only domain controller (RODC) that runs
    Windows Server 2008.
  - Improved Knowledge Consistency Checker (KCC) algorithms and scalability.
    The Intersite Topology Generator (ISTG) uses improved algorithms that
    scale to support forests with a greater number of sites than can be
    supported at the Windows 2000 forest functional level.
  - The ability to create instances of the dynamic auxiliary class called
    dynamicObject in a domain directory partition.
  - The ability to convert an inetOrgPerson object instance into a User object
    instance, and the reverse.
  - The ability to create instances of the new group types, called application
    basic groups and Lightweight Directory Access Protocol (LDAP) query
    groups, to support role-based authorization.
  - Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008
  Supported domain controllers: Windows Server 2008.
  Enabled features: all the features that are available at the Windows Server
  2003 forest functional level, but no additional features. All domains that
  are subsequently added to the forest, however, operate at the Windows Server
  2008 domain functional level by default.
Note: Changes to the forest functional level are not reversible.

Guidelines for Raising the Domain or Forest Functional Level


The following guidelines apply to raising the domain or forest functional levels:
- You must be a member of the Domain Admins group to raise the domain
  functional level.
- You must be a member of the Enterprise Admins group to raise the forest
  functional level.
- You can raise the domain functional level on the primary domain controller
  (PDC) emulator operations master only. The AD DS administrative tools that
  you use to raise the domain functional level (the Active Directory Domains
  and Trusts snap-in and the Active Directory Users and Computers snap-in)
  automatically target the PDC emulator when you raise the domain functional
  level.
- You can raise the forest functional level on the schema operations master
  only. Active Directory Domains and Trusts automatically targets the schema
  operations master when you raise the forest functional level.
- You can raise the functional level of a domain only if all domain
  controllers in the domain run the version or versions of Windows that the
  new functional level supports.
- You can raise the functional level of a forest only if all domain
  controllers in the forest run the version or versions of the Windows Server
  operating system that the new functional level supports.
- You cannot set the domain functional level to a value that is lower than the
  forest functional level.
- You cannot lower the domain or forest functional level after you have raised
  it.
- You cannot reverse the operation of raising the domain and forest functional
  levels. If you have to revert to a lower functional level, you must rebuild
  the domain or forest, or restore it from a backup copy.
Demonstration: Modifying the Functional Level

Key Points
- Raise the domain functional level.
- Raise the forest functional level.

High-level steps:
1. Raise the domain functional level of the Adatum.com domain to Windows
Server 2008.
2. Raise the forest functional level of the Adatum.com forest to Windows Server
2008.
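The following script is an added example, not part of the course: it applies the guidelines above to the two demonstration steps, checking every domain controller's operating system before raising anything and targeting the PDC emulator and schema master explicitly. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and an account in Domain Admins or Enterprise Admins; adatum.com is the course's example forest.

```powershell
# Added example for this lesson, not part of the course text. It assumes the
# ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and an
# account that is a member of Domain Admins (domain level) or Enterprise Admins
# (forest level). adatum.com is the course's example forest.
Import-Module ActiveDirectory

# Domain controller operating systems that the Windows Server 2008 domain and
# forest functional levels do not support (from the tables in this lesson).
$UnsupportedForWindows2008 = @('Windows 2000', 'Windows Server 2003')

function Get-FunctionalLevelBlockers {
    # Returns the domain controllers in one domain whose operating system would
    # prevent raising that domain to Windows Server 2008. No output means the
    # "all domain controllers run a supported version" guideline is met.
    param([Parameter(Mandatory = $true)][string]$DomainName)

    Get-ADDomainController -Filter * -Server $DomainName |
        Where-Object {
            $os = $_.OperatingSystem
            @($UnsupportedForWindows2008 | Where-Object { $os -like "$_*" }).Count -gt 0
        } |
        Select-Object HostName, OperatingSystem, Site
}

function Test-Windows2008FunctionalLevelReadiness {
    # Preflight for the two demonstration steps: every domain must be ready for
    # the Windows Server 2008 domain level before the forest level can follow.
    # Returns one object per domain, including the role holders to target.
    param([string]$ForestName = (Get-ADForest).Name)

    $forest = Get-ADForest -Identity $ForestName
    foreach ($domainName in $forest.Domains) {
        $domain   = Get-ADDomain -Identity $domainName
        $blockers = @(Get-FunctionalLevelBlockers -DomainName $domainName)
        New-Object PSObject -Property @{
            Domain          = $domainName
            DomainMode      = $domain.DomainMode       # current domain functional level
            ForestMode      = $forest.ForestMode       # current forest functional level
            PdcEmulator     = $domain.PDCEmulator      # domain level is raised here
            SchemaMaster    = $forest.SchemaMaster     # forest level is raised here
            BlockingDCs     = $blockers
            ReadyForWin2008 = ($blockers.Count -eq 0)
        }
    }
}

function Set-Windows2008FunctionalLevel {
    # Step 1 of the demonstration for every domain in the forest, then step 2
    # for the forest. -Server targets the PDC emulator and the schema master as
    # the guidelines require. The change is irreversible, so -WhatIf dry runs
    # are honoured and the cmdlets prompt for confirmation by default.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ForestName = (Get-ADForest).Name)

    $status   = @(Test-Windows2008FunctionalLevelReadiness -ForestName $ForestName)
    $notReady = @($status | Where-Object { -not $_.ReadyForWin2008 })
    if ($notReady.Count -gt 0) {
        throw ('Unsupported domain controllers in: ' +
               (($notReady | ForEach-Object { $_.Domain }) -join ', '))
    }

    # Functional levels are ordered enumerations, so compare them numerically
    # rather than by name; this also skips domains already at a higher level.
    $targetDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $targetForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest

    foreach ($d in $status) {
        if ([int]$d.DomainMode -lt $targetDomain -and
            $PSCmdlet.ShouldProcess($d.Domain, 'Raise domain functional level to Windows Server 2008')) {
            Set-ADDomainMode -Identity $d.Domain -DomainMode Windows2008Domain -Server $d.PdcEmulator
        }
    }

    $forest = Get-ADForest -Identity $ForestName
    if ([int]$forest.ForestMode -lt $targetForest -and
        $PSCmdlet.ShouldProcess($forest.Name, 'Raise forest functional level to Windows Server 2008')) {
        Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -Server $forest.SchemaMaster
    }
}

# Preflight only (changes nothing):
#   Test-Windows2008FunctionalLevelReadiness -ForestName adatum.com | Format-List
# Dry run, then the real change:
#   Set-Windows2008FunctionalLevel -ForestName adatum.com -WhatIf
#   Set-Windows2008FunctionalLevel -ForestName adatum.com
```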

Question: You recently raised the domain functional level of the sales.adatum.com
domain; however, now you want to revert to the Windows Server 2003 domain
functional level. Is this possible, and if so, how?
Lesson 3
Planning Identity and Access Services in Active
Directory

Windows Server 2008 introduces new Active Directory services. Active Directory
Lightweight Directory Services (AD LDS) replaces Active Directory Application
Mode (ADAM) from Windows Server 2003, and provides directory services for
applications; Active Directory Federation Services (AD FS) provides an identity
access solution; and Active Directory Rights Management Services (AD RMS)
provides services that enable the creation of information-protection solutions.
Objectives
After completing this lesson, you will be able to:
- Describe AD CS.
- Describe AD LDS.
- Describe AD FS.
- Describe AD RMS.
What Is AD CS?

Key Points
Active Directory Certificate Services (AD CS) extend the concept of trust so that a
user, computer, organization, or service can prove its identity outside or inside the
border of your Active Directory forest.
Certificates are issued from a certificate authority (CA). When a user, computer, or
service uses a certificate to prove its identity, the client in the transaction must trust
the issuing CA. A list of trusted root CAs, which includes, for example, VeriSign
and Thawte, is maintained by Windows, and updated as part of Windows Update.
If you think about the last time you made a purchase on an Internet site, you
will recall that it was probably performed on a site using Secure Sockets Layer
(SSL), with an HTTPS:// address. The server proves its identity to the client
(your browser) by presenting a certificate issued by a CA that your browser
trusts, such as VeriSign or Thawte.
A public key infrastructure (PKI) is based on a chain of trust. A certificate authority
can create a certificate for another certificate authority. The second CA can then
issue certificates to users, computers, organizations, or services that will be trusted
by any client that trusts the upstream, root CA.
The certificates can be used for numerous purposes in an enterprise network,
including the creation of secure channels such as the SSL example mentioned
earlier and for virtual private networks (VPNs) and wireless security as well as for
authentication, such as smart card logon.
AD CS gives you the technologies and tools you need to create and manage a PKI.
Although AD CS can be run on a stand-alone server, it is much more common and
much more powerful to run AD CS integrated with AD DS, which can act as a
certificate store and can provide a framework within which to manage the lifetime
of certificates: how they are obtained, renewed, and revoked.
What Is AD LDS?

Key Points
AD LDS is an independent mode of Active Directory, without the infrastructure
features, that provides directory services for applications. In addition, it
provides a data store and services for accessing the data store. AD LDS uses
standard application programming interfaces (APIs) for accessing the
application data, including the Active Directory APIs, Active Directory Service
Interfaces, Lightweight Directory Access Protocol (LDAP), and
System.DirectoryServices.
AD LDS does not have the infrastructure capabilities of Active Directory. It does
not include directory services for the Windows operating system, so it concentrates
on the requirements of specific applications. If AD LDS operates in an Active
Directory environment, it can use Active Directory for authentication.
AD LDS usage complements that of Active Directory. Although AD LDS and Active
Directory can operate concurrently within the same network, AD LDS serves the
requirements of specific applications. An instance of AD LDS can be created for a
specific application without a concern for the dependencies required by Active
Directory. Multiple instances of AD LDS, each supporting a separate application,
can run on a single AD LDS installation.
AD LDS Usage Scenarios
There are four situations in which organizations will find the use of AD LDS
beneficial.
- An organization with application-specific directories that use customized
  schemas or that depend on decentralized directory management can benefit
  from AD LDS. Because AD LDS directories are separate from the domain
  infrastructure of AD DS, they can support applications that depend on schema
  extensions that are not desirable in the AD DS directory, such as schema
  extensions that are useful to a single application. In addition, the local
  server administrator can administer the AD LDS directories; domain
  administrators do not need to provide administrative support.
- A company that has directory-enabled application development and
  prototyping environments that are separate from the enterprise's domain
  structure can use AD LDS. Application developers who are creating
  directory-enabled applications can install the AD LDS role on any server,
  even on stand-alone servers or workstations. As a result, developers can
  control and modify the directory in their development environment without
  interfering with the organization's AD DS infrastructure. These applications
  can subsequently be deployed with either AD LDS or AD DS as the application's
  directory service, as appropriate. Network administrators can use AD LDS as a
  prototype or pilot environment for applications that will eventually be
  deployed with AD DS as their directory store, as long as the application does
  not depend on features specific to AD DS.
- A company that needs to manage external client computers' access to network
  resources can benefit from AD LDS. Enterprises that need to authenticate
  extranet client computers, such as Web client computers or transient client
  computers, can use AD LDS as the directory store for authentication. This
  helps enterprises avoid having to maintain external client information in
  the enterprise's domain directory.
- Organizations that need to enable earlier LDAP client computers in a
  heterogeneous environment to authenticate against AD DS can use AD LDS. When
  organizations merge, there is often a need to integrate LDAP client computers
  running different server operating systems into a single network
  infrastructure. In such cases, rather than immediately upgrading client
  computers running earlier LDAP applications or modifying the AD DS schema to
  work with the earlier clients, network administrators can install the AD LDS
  server role on one or more servers. The AD LDS server role acts as an interim
  directory store using the earlier schema until the client computers can be
  upgraded to use AD DS natively for LDAP access and authentication.
Note: An example of the use of AD LDS is to support the Exchange Server 2007 Edge
Transport server role. The Edge Transport server is deployed to the perimeter network,
typically on a server computer that is not part of a domain. The Edge Transport server
hosts an instance of AD LDS to determine how to handle inbound messages; for
example, to which internal Hub Transport server to route a message to an intended
recipient.
What Is AD FS?

Key Points
AD FS is a role of the Windows Server 2008 operating system that provides an
identity access solution. Using AD FS will give browser-based clients, both inside
and outside the network, access to protected, Internet-facing applications, even
when user accounts and applications are located in different networks or
organizations.
A typical scenario occurs when an application is in one network and a user
account is in another network, and the user is required to enter secondary
credentials when he or she attempts to access the application. With AD FS,
however, secondary accounts are not necessary. Instead, trust relationships are
used to project a user's digital identity and access rights to trusted partners.
In this federated environment, each organization continues to manage its own
identities, but each organization can securely project and accept identities
from other organizations.
The process of authenticating to one network while accessing resources in
another network, without the burden of repeated logon actions, is known as
single sign-on (SSO). AD FS provides a Web-based SSO solution that authenticates
users to multiple Web applications over the life of a single browser session.
Note: AD FS provides a federated identity management solution that interoperates with
other security products that support the WS-* Web Services Architecture. AD FS employs
the federation specification of WS-*, called the WS-Federation Passive Requestor Profile
(WS-F PRP). This specification makes it possible for environments that do not use the
Windows identity model to federate with Windows environments.

AD FS Role Services
The AD FS server role includes federation services, proxy services, and Web agent
services that you configure to enable Web SSO, federate Web-based resources,
customize the access experience, and manage how existing users are authorized to
access applications.
Depending on your organization's requirements, you can deploy servers running
any one of the following AD FS role services:
- Federation Service: The Federation Service comprises one or more federation
  servers that share a common trust policy. You use federation servers to route
  authentication requests from user accounts in other organizations or from
  clients that may be located anywhere on the Internet.
- Federation Service Proxy: The Federation Service Proxy is a proxy to the
  Federation Service in the perimeter network (also known as a demilitarized
  zone (DMZ) or screened subnet). The Federation Service Proxy uses
  WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user
  credential information from browser clients, and it sends the user credential
  information to the Federation Service on their behalf.
- Claims-aware agent: You use the claims-aware agent on a Web server that hosts
  a claims-aware application to allow the querying of AD FS security token
  claims. A claims-aware application is a Microsoft ASP.NET application that
  uses claims that are present in an AD FS security token to make authorization
  decisions and personalize applications.
- Windows token-based agent: You use the Windows token-based agent on a Web
  server that hosts a Windows NT token-based application to support conversion
  from an AD FS security token to an impersonation-level Windows NT access
  token. A Windows NT token-based application is an application that uses
  Windows-based authorization mechanisms.
What Is AD RMS?

Key Points
AD RMS provides services to enable the creation of information-protection
solutions. AD RMS is a format- and application-agnostic technology. It works
with any AD RMS-enabled application to provide persistent usage policies for
sensitive information. Content that can be protected using AD RMS includes
intranet sites, Web sites, e-mail messages, and documents. AD RMS includes a set
of core functions that enable developers to add information protection to the
functionality of existing applications.
The AD RMS system, which includes both server and client components,
performs several processes. First, it facilitates licensing and distributing rights-
protected information. An AD RMS system issues rights account certificates
identifying trusted entities, such as users, groups, and services that can publish
rights-protected content. After trust has been established, users can assign usage
rights and conditions to content they want to protect. These usage rights specify
who can access rights-protected content and what they can do with it. When the
content is protected, a publishing license is created for the content. This license
binds the specific usage rights to a given piece of content so that the content can
be distributed. For example, a user can send a rights-protected document to other
users inside or outside of their organization without losing the assigned rights.
AD RMS also can be used for acquiring licenses to decrypt rights-protected
content and applying usage policies. Users who have been granted a rights
account certificate can access rights-protected content by using an
AD RMS-enabled client application that allows users to view and work with
rights-protected content, preserving that content's integrity and applying
usage policies. When users attempt to access rights-protected content, requests
are sent to the AD RMS system to access, or consume, that content. When a user
attempts to consume the protected content, the AD RMS licensing service on the
AD RMS server issues a unique use license that reads, interprets, and applies
the usage rights and conditions specified in the publishing license. The content
is decrypted by using the electronic keys from the content and applications, and
the certificates of the trusted entities. The usage rights and conditions are
persistent and automatically applied everywhere the content goes.
AD RMS can be used for creating rights-protected files and templates. Users who
are trusted entities in an AD RMS system can create and manage
protection-enhanced files by using familiar authoring applications and tools in
an AD RMS-enabled application that incorporates AD RMS technology features. In
addition, AD RMS-enabled applications can use centrally defined and officially
authorized usage rights templates to help users efficiently apply a predefined
set of usage policies.

Additional Reading
AD RMS Documentation Roadmap:
http://go.microsoft.com/fwlink/?LinkID=163878&clcid=0x409
Lesson 4
Implementing Active Directory in the Physical
Network

An AD DS site topology is a logical representation of the physical network.
Designing an Active Directory site topology involves planning for domain
controller placement and designing sites, subnets, site links, and site link
bridges to ensure efficient routing of query and replication traffic.
Objectives
After completing this lesson, you will be able to:
- Describe the function of a domain controller.
- Plan the appropriate placement for your domain controllers.
- Configure sites.
- Describe the functionality of a Read-Only Domain Controller (RODC).
- Deploy an RODC.
What Is a Domain Controller?

Key Points
Domain controllers host the AD DS. Domain controllers provide the following
functions on the network:
Authentication. Domain controllers store the domain accounts database, and
provide authentication services.
Optionally host operations master roles (formerly known as Flexible Single
Master Operations (FSMO) roles). There are five operations master roles: two
forest-wide roles and three domain roles. The forest-wide roles, the schema
master and the domain naming master, are both held on the first domain
controller in the forest. The domain roles, the primary domain controller
(PDC) emulator, the relative identity (RID) master, and the infrastructure
master, are all held by the first domain controller in each domain. You can
transfer these roles as you require.
Optionally host the global catalog. You can designate any domain controller
as a global catalog server.


Support group policies and SYSVOL. Group policies consist of group policy
containers, stored in Active Directory, and group policy templates, stored in
the SYSVOL folder in the file system of all domain controllers. The domain
controller that hosts the PDC emulator operations master role acts as a single
master for the creation and modification of group policies.
Replication. Active Directory is a distributed directory service. Objects such as
users, computers, organizational units, and services are distributed across all
domain controllers in the forest, and can be updated on any domain controller
in the forest. Active Directory replication is the process by which the changes
that originate on one domain controller are automatically transferred to other
domain controllers. You can exert some control over this process by creating
sites and site links, and configuring replication bridgeheads between these
sites.

Note: Some changes can only be made on a domain controller that holds the
appropriate operations master role. For example, changes to the schema can only be
made on the schema operations master.


Determining the Placement of Domain Controllers

Key Points
An AD DS site topology is a logical representation of the physical network.
Designing an Active Directory site topology involves planning for domain
controller placement and designing sites, subnets, site links, and site link bridges
to ensure efficient routing of query and replication traffic.

Create a Location Map


The first step in designing an effective Active Directory site topology is to collect
information about the organization's physical network topology. This can be done
by creating a location map that represents the physical network infrastructure of
the organization. The location map should identify the geographic locations that
contain groups of computers with internal connectivity of 10 megabits per second
(Mbps) or greater. After creating the location map, document the type of
communication link, its link speed, and the available bandwidth between each pair
of locations. This information is used to create site links later in the site
topology design process.


Determine the Domain Controller Placement
The next step is to plan where to place domain controllers, including regional
domain controllers, forest root domain controllers, operations master role holders,
and global catalog servers.
Forest root domain controllers are needed to create trust paths for clients that need
to access resources in domains other than their own. Forest root domain
controllers should be placed at locations that host datacenters and in hub
locations. If users in a given location need to access resources from other domains
in the same location, and the network availability between the datacenter and the
user location is unreliable, then there is the option to either add a forest root
domain controller in the location or create a shortcut trust between the two
domains. It is more cost efficient to create a shortcut trust between the domains
unless there are other reasons to place a forest root domain controller in that
location.

Plan the Site Design


Next in the site topology design process is to create a site design. Creating a site
design involves deciding which locations will become sites, creating site objects,
creating subnet objects, and associating the subnets with sites.

Site Links and Site Link Bridges


The site link design connects sites with site links. Site links reflect the intersite
connectivity and method used to transfer replication traffic. Sites must be
connected with site links so that domain controllers at each site can replicate
Active Directory changes. The Active Directory site links will mirror the WAN links
between geographic sites.
A site link bridge connects two or more site links and enables transitivity
between them.
Each site link in a bridge must have a site in common with another site link in the
bridge. The Knowledge Consistency Checker (KCC) uses the information on each
site link to compute the cost of replication between sites in one site link and sites
in the other site links of the bridge. Without a common site between the site
links, the KCC cannot establish direct connections between domain controllers in
the sites that are connected by the same site link bridge.


By default, all site links are transitive because the bridge-all-site-links setting is
enabled. It should only be necessary to change this default if:
Not all site links are fully routed. In this case, you can build the site link bridge
topology to match the actual routes of your network.
You need to control the replication behavior of AD DS traffic. For instance, in a
hub and spoke network topology, it might not be desirable to allow replication
traffic between the satellite sites should the hub site domain controllers fail.
Similarly, if some sites replicate through a firewall, disabling bridge-all-site-links
allows you to control replication, limiting traffic through the firewall by creating
site link bridges only between the sites on one side of the firewall.


Demonstration: Creating a Site

Key Points
Create a new site.
Configure the replication interval and schedule between the new site and the
existing site.

High-level steps:
Create a site object.
Configure the inter-site replication interval.
Configure the inter-site replication schedule.

Question: What is the default replication schedule and interval for the
DEFAULTIPSITELINK object?
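The demonstration above and the site link discussion that precedes it are carried out in Active Directory Sites and Services. The following PowerShell script is an added example, not course code or lab material, that does the same work through ADSI (which Windows Server 2008 supports without any additional module): it creates a site and its subnet, joins the site to the hub with a site link that has the 15-minute replication interval the lab uses, and shows the two settings behind "bridge all site links" and an explicit site link bridge. The hub site name Default-First-Site-Name (the forest default), the branch name Redmond, the subnet 10.10.0.0/16, the link cost of 100 and the bridge name HubBridge are assumptions; everything it writes lives in the forest-wide Configuration partition, so run it as an Enterprise Admin.

```powershell
# Added example (not course code): build a branch site topology through ADSI.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=adatum,DC=com
$sitesDN  = "CN=Sites,$configNC"
$ipDN     = "CN=IP,CN=Inter-Site Transports,$sitesDN"      # IP transport container

$HubSite    = "Default-First-Site-Name"   # assumption: the site that already exists
$BranchSite = "Redmond"                   # site name used in the lab
$Subnet     = "10.10.0.0/16"              # subnet used in the lab
$LinkName   = "$HubSite-$BranchSite"

# The GUI silently creates the NTDS Site Settings and Servers children; ADSI must do it explicitly.
function New-AdsiSite([string]$Name) {
    $sites = [ADSI]"LDAP://$sitesDN"
    $site  = $sites.Create("site", "CN=$Name")
    $site.SetInfo()
    $settings = $site.Create("nTDSSiteSettings", "CN=NTDS Site Settings")
    $settings.SetInfo()
    $servers = $site.Create("serversContainer", "CN=Servers")
    $servers.SetInfo()
    return "CN=$Name,$sitesDN"
}

# Mapping the subnet to the site is how domain controllers and clients learn which site they are in.
function New-AdsiSubnet([string]$Prefix, [string]$SiteDN) {
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
    $subnet  = $subnets.Create("subnet", "CN=$Prefix")
    $subnet.Put("siteObject", $SiteDN)
    $subnet.SetInfo()
}

# siteList names the sites the link joins; cost drives KCC route selection; replInterval is in minutes.
function New-AdsiSiteLink([string]$Name, [string[]]$SiteDNs, [int]$Cost, [int]$IntervalMinutes) {
    $transport = [ADSI]"LDAP://$ipDN"
    $link = $transport.Create("siteLink", "CN=$Name")
    $link.PutEx(2, "siteList", $SiteDNs)        # 2 = ADS_PROPERTY_UPDATE for a multi-valued attribute
    $link.Put("cost", $Cost)
    $link.Put("replInterval", $IntervalMinutes)
    $link.SetInfo()
    return "CN=$Name,$ipDN"
}

# An explicit bridge only has an effect once bridge-all-site-links is off: the listed links become
# transitive with each other and with nothing else (for example, only the links on one side of a firewall).
function New-AdsiSiteLinkBridge([string]$Name, [string[]]$LinkDNs) {
    $transport = [ADSI]"LDAP://$ipDN"
    $bridge = $transport.Create("siteLinkBridge", "CN=$Name")
    $bridge.PutEx(2, "siteLinkList", $LinkDNs)
    $bridge.SetInfo()
}

# Bit 0x2 of the IP transport's options attribute means "bridges required", which is the
# inverse of the Bridge all site links check box in the GUI.
function Set-BridgeAllSiteLinks([bool]$Enabled) {
    $transport = [ADSI]"LDAP://$ipDN"
    $options = 0
    if ($transport.options.Value -ne $null) { $options = [int]$transport.options.Value }
    if ($Enabled) { $options = $options -band (-bnot 2) } else { $options = $options -bor 2 }
    $transport.Put("options", $options)
    $transport.SetInfo()
}

$hubDN    = "CN=$HubSite,$sitesDN"
$branchDN = New-AdsiSite $BranchSite
New-AdsiSubnet $Subnet $branchDN
$linkDN = New-AdsiSiteLink $LinkName @($hubDN, $branchDN) 100 15   # 15-minute interval, as in the lab

# Only needed when you want the replication control described in the lesson: switch off
# bridge-all-site-links and bridge just the default link and the new branch link, which share the hub.
$defaultLinkDN = "CN=DEFAULTIPSITELINK,$ipDN"
Set-BridgeAllSiteLinks $false
New-AdsiSiteLinkBridge "HubBridge" @($defaultLinkDN, $linkDN)
```

Running the script answers the demonstration question empirically: reading `replInterval` from `CN=DEFAULTIPSITELINK` on a fresh forest before you change anything returns the default interval, and the schedule attribute is absent, meaning replication is available at all times.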


What Is a Read-Only Domain Controller?

Key Points
A read-only domain controller (RODC) is a new type of domain controller in the
Windows Server 2008 operating system. With an RODC, organizations can easily
deploy a domain controller in locations where physical security cannot be
guaranteed. An RODC hosts a read-only replica of the database in AD DS for a
given domain. The RODC is also capable of functioning as a global catalog server.
Beginning with Windows Server 2008, an organization can deploy an RODC to
address scenarios with limited wide area network (WAN) bandwidth or poor
physical security for computers. As a result, users in this situation can benefit from:
Improved security
Faster logon times
More efficient access to resources on the network


The following RODC features are explained below:

Read-only Active Directory database. Except for account passwords, an RODC holds
all the Active Directory objects and attributes that a writable domain controller
holds. However, changes cannot be made to the replica that is stored on the RODC.
Changes must be made on a writable domain controller and replicated back to the
RODC.

Unidirectional replication. Because no changes are written directly to the RODC,
no changes originate at the RODC. Accordingly, writable domain controllers that
are replication partners do not have to pull changes from the RODC. This reduces
the workload of bridgehead servers in the hub and the effort required to monitor
replication.

Credential caching. Credential caching is the storage of user or computer
credentials. Credentials consist of a small set of approximately 10 passwords that
are associated with security principals. By default, an RODC does not store user
or computer credentials. The exceptions are the computer account of the RODC and
a special krbtgt (Kerberos key distribution service center account) account that
each RODC has. You must explicitly allow any other credential caching on an RODC.

Administrator role separation. You can delegate the local administrator role of an
RODC to any domain user without granting that user any user rights for the domain
or other domain controllers. This permits a local branch user to log on to an RODC
and perform maintenance work on the server, such as upgrading a driver. However,
this does not give the branch user the right to log on to any other domain
controller or perform any other administrative task in the domain.

Read-only Domain Name System. You can install the Domain Name System (DNS)
Server service on an RODC. An RODC is able to replicate all application directory
partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS
server is installed on an RODC, clients can query it for name resolution as they
would query any other DNS server.


The following points help summarize the RODC role:
The domain controller that holds the PDC emulator operations master role for
the domain must be running Windows Server 2008. This is necessary for
creating the new krbtgt account for the RODC and for ongoing RODC
operations.
The RODC needs to forward authentication requests to a global catalog server
running Windows Server 2008 in the site that is closest to the site with the
RODC. The Password Replication Policy is set on this domain controller to
determine if credentials are replicated to the branch location for a forwarded
request from the RODC.
The domain functional level must be Windows Server 2003 so that Kerberos
constrained delegation is available. Constrained delegation is used for security
calls that need to be impersonated under the context of the caller.
The forest functional level must be Windows Server 2003, so that linked-value
replication is available. This provides a higher level of replication consistency.
You must run adprep /rodcprep one time in the forest. This will update the
permissions on all of the DNS application directory partitions in the forest to
facilitate replication between RODCs that are also DNS servers.
Multiple RODCs for the same domain in the same site are not supported
because RODCs in the same site do not share information with each other.
Therefore, deploying multiple RODCs for the same domain in the same site
can lead to inconsistent logon experiences for users, if the writable domain
controllers cannot be reached on the network.
An RODC cannot hold operations master roles or function as a replication
bridgehead server.
You can deploy an RODC on Server Core for additional security.


Demonstration: Deploying an RODC

Key Points
Prepare the forest for an RODC.
Deploy an RODC into a new site.
Configure and verify the password replication policy for the RODC.

High-level steps:
1. Prepare the forest with the adprep /rodcprep command.
2. Deploy the domain controller role on the SEA-SVR1 server.
3. Configure the RODC password replication policy for SEA-SVR1.

Question: Why is it desirable to not cache administrator passwords on an RODC?




Lab: Planning for Active Directory

Note: Your instructor may run this lab as a class discussion.

Adatum Corporation has recently acquired Contoso, a company with a range of


compatible products. Allison Brown, the IT Manager, has asked you to create a
document with recommendations about how best to incorporate the Contoso
network infrastructure into that of Adatum. Adatum has a large, wholly U.S.-based
network, with offices across the United States. Contoso has operations in the U.S.,
but also in Europe and the Far East.
The following table summarizes the high-level information:

                            Adatum                      Contoso
Total number of computers   10,000                      10,000
Number of countries         1                           5
Current directory service   Windows Server 2008 AD DS   Windows NT 4.0 single-master domain model
Number of forests           1                           0
External DNS name           Adatum.com                  Contoso.com
Number of domains           1                           5


Exercise 1: Selecting a Forest Topology


Scenario
You begin to conduct a survey and exchange a number of e-mails with colleagues
that have been on-site at Contoso. You determine that Contoso currently uses a
Windows NT 4.0 domain infrastructure consisting of five domains with
appropriate trust relationships connecting the domains.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Contoso Domain Migration document.

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your planned forest topology
Answer the questions in the Contoso Domain Migration document.


Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 31 July 2009 14:50
To: Gregory@adatum.com
Subject: Re: Contoso Domain Migration
Attachments: Windows NT4.0 Single-Master Model.doc
Greg,
I've attached a document I located in an old TechNet library CD. It provides some
useful tips. The only comment I'd make is that the single-master domain model is
usually implemented in order to keep all the user accounts in one account-holding
domain, and all the resources in multiple resource-holding domains. These days,
you'd probably want to use organizational units within a domain to hold the
resources, like computers and so forth. You'd almost certainly need to reduce the
number of domains.
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 31 July 2009 14:45
To: Alan@adatum.com
Subject: Contoso Domain Migration
Hello Alan,
Allison has asked me to draw up a proposal for a migration of the Contoso
network into our network infrastructure. I understand it's running Windows NT
4.0. I'm simply trying to determine the number and configuration of forests at this
point, but don't have much experience with these older Windows NT 4.0 domain
models. Do you have any guidance or general advice?
Regards,
Greg


Windows NT4.0 Single-Master Model.doc
Windows NT supports four domain models:
Single domain. In this model, there is only one domain. The domain holds
both user/group accounts and resources. There is a single administrator for
both resources and user/group accounts.
Single-master domain. In this model, there is an account-holding domain and
as many resource-holding domains as required to support an organization's
requirements. There is separation of administration because the account-
holding administrator has no administrative control over the resource-holding
domains, and the administrators in the resource-holding domains do not have
administrative control over the account-holding domain, nor over each other's
resource-holding domain. One-way trusts are established between the
resource-holding and account-holding domains so that users and groups from
the account-holding domain (trusted) can be granted permissions, through the
trust, to resources in the resource-holding domain (trusting) at the discretion
of the resource-holding administrator.
Multimaster domain. Windows NT 4.0 supports a maximum of around
15,000 user accounts in a single domain. Where organizations require the
administrative separation of the single-master domain model, but have a large
user base, they opt for the multimaster model. Additional trusts are required to
facilitate this model.
Complete trust. In this model, all domains trust all other domains. This
provides for the ability for users in any domain potentially to gain access to
resources held in any other domain. This model is the most similar to what AD
DS provides.


Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 04 August 2009 08:45
To: Gregory@adatum.com
Subject: Re: Details of Contoso domain model
Attachments: Adatum AD DS Overview.vsd; Contoso NT 4 Domain
Overview.vsd
Greg,
I do, and I've attached it, together with one of the Adatum.com domains. As you
know, we have a single AD DS domain, and use organizational units to manage
resources and sites for replication control. Contoso, of course, cannot use
organizational units or sites, as Windows NT 4.0 domains do not support them.
This is probably why they have several domains, to better control Windows NT
4.0 domain replication. It's possibly why they have four resource domains, too.
Regards,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 03 August 2009 09:10
To: Alan@adatum.com
Subject: Details of Contoso domain model
Alan,
Thanks for that Windows NT 4.0 document; it was very helpful. Do you happen to
have any diagrams of the actual domain infrastructure?
Thanks,
Greg


Adatum AD DS Overview.vsd

Contoso NT 4 Domain Overview.vsd




Contoso Domain Migration

Document Reference Number: GW0809/1

Document Author Gregory Weber


Date 5th August

Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.

Additional Information
The new company will continue to operate with dual names; that is, the Adatum and
Contoso brands are equally important.
It is anticipated that the existing Windows NT 4.0 domain controllers and servers will be
replaced as part of the migration process.

Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to
Windows Server 2008?

2. How many forests do you anticipate?

3. How many domains do you plan to implement?

4. How many trees do you envisage?

5. What trust relationships, aside from those created automatically, will you require?
6. Provide a sketch of the completed forest.

Results: After this exercise, you should have a completed Contoso Domain Migration
document.


Exercise 2: Planning Active Directory for a Branch Network
Scenario
Adatum has a number of new sales offices in the western region. Allison Brown has
asked you to determine the appropriate Active Directory configuration for them,
and to document your proposals.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Answer the questions in the Branch Office Planning document.

Supporting Documentation
E-mail thread of correspondence with Alan Steiner:
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 24 August 2009 14:02
To: Gregory@adatum.com
Subject: Re: Branch Office Plan
Attachments: Sales Office Details.doc
Greg,
Take a look at the attached document. Get back to me with any questions. I got
this from Joe Healy, the Sales manager.
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 24 August 2009 13:30
To: Alan@adatum.com
Subject: Branch Office Plan
Alan,
What can you tell me about these new sales offices?
Thanks,
Greg


Sales Office Details.doc
In the sales offices, we have a number of line-of-business applications, including a
Microsoft SQL Server-based database. The local sales office updates and
replicates back to the head office overnight. The SQL Server database needs access
to a directory of customers.
In the western region, we have three offices, each with around 100 computers. We
have a routed connection back to the head office.
Alan Steiner tells me that name resolution is provided by WINS and DNS, as we
have a legacy NetBIOS application.
There was some talk of creating a separate name space for sales, such as
Sales.adatum.com, but we have implemented this only as an e-mail domain. The
computers are all part of the Adatum.com domain.
We've had some issues in the past with security; we often have members of the
public in our sales offices, and consequently security is a critical factor. We don't
always have the option of a secure computer room, and so our laptops are locked
to the desks. Servers are often to be found in a closet, or small office.
Each branch office consists of a number of subnets; two for hosting the sales staff
laptops and another for branch network servers.


Branch Office Planning
Document Reference Number: GW0809/2

Document Author Gregory Weber


Date 1st September

Requirement Overview
To determine the placement and configuration of domain controllers and related
services at the western region sales offices.

Additional Information
It is important that in the event of a link failure between the head office and branch
offices, users are still able to log on to the network and access services.

Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices?
How many?

2. Will you deploy an RODC(s)?

3. How will you optimize the directory replication for the branches?

4. How will domain controllers know in which branch they are located?

5. Do you anticipate the need for global catalog services?

6. How will you configure global catalog and DNS?

7. What additional Active Directory-related services are required to support the
branch office line-of-business applications?


Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your proposals
Answer the questions in the Branch Office Planning document.

Results: After this exercise, you should have a completed Branch Office Planning
document.


Exercise 3: Deploying a Branch Domain Controller
Scenario
You have been tasked with performing the deployment of the new domain
controller at the Redmond sales branch office.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Raise the domain and forest functional level.
3. Create a new site and subnet object.
4. Configure the replication interval for the new site.
5. Prepare the forest for the new RODC.
6. Deploy the new RODC.
7. Configure the password replication policy and prepopulate the password
cache.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level


1. Switch to the SEA-DC1 computer.
2. Open Active Directory Users and Computers.


3. Raise the domain functional level to Windows Server 2008.
4. Close Active Directory Users and Computers.

Task 3: Raise the forest functional level


1. Open Active Directory Domains and Trusts.
2. Raise the forest functional level to Windows Server 2008.
3. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site


1. Open Active Directory Sites and Services.
2. Create a new site with the following properties:
Name: Redmond
Associated site link: DEFAULTIPSITELINK

Task 5: Configure the replication interval


1. In Active Directory Sites and Services, expand Inter-Site Transports, expand
IP, and then click IP.
2. Modify the replication interval for DEFAULTIPSITELINK:
Replicate every: 15 minutes

Task 6: Create the 10.10.0.0/16 subnet


1. In Active Directory Sites and Services, in the console, right-click Subnets, and
click New Subnet.
2. Create a new subnet with the following properties:
Prefix: 10.10.0.0/16
Site Name: Redmond
3. Close Active Directory Sites and Services.


Task 7: Prepare the forest for the RODC
1. Open the Command Prompt.
2. At the command prompt, type each of the following commands, and then
press ENTER:
D:
Cd\Labfiles\Mod03\adprep
Adprep /rodcprep
3. Close the command prompt.

Task 8: Promote a new domain controller for the branch office


1. Switch to the SEA-SVR1 computer.
2. Run dcpromo with advanced mode installation.
3. Use the following options to complete the process:
Operating System Compatibility page: default.
Choose a Deployment Configuration page: Existing forest.
Network Credentials page: default.
Select a Domain page: default.
Select a Site page: default.
Additional Domain Controller Options page: select the Read-only domain
controller (RODC) check box. (Note: Leave the other check boxes
selected.)
In the Static IP assignment dialog box, click Yes, the computer will
use a dynamically assigned IP address (not recommended).
Specify the Password Replication Policy page: default.
Delegation of RODC Installation and Administration page: default.
Install from Media page: default.
Source Domain Controller page: default.


Location for Database, Log Files, and SYSVOL page: default.
Directory Services Restore Mode Administrator Password page:
Password: Pa$$w0rd.
Confirm: Pa$$w0rd.
In the Active Directory Domain Services Installation dialog box, select
the Reboot on completion check box.

Task 9: Configure the password replication policy


1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as
ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 computer.
3. Open Active Directory Users and Computers.
4. Locate SEA-SVR1 in the Domain Controllers folder.
5. View the Password Replication Policy page of the SEA-SVR1 Properties
dialog box.
6. Grant the SalesGG global group the Allow passwords for the account to
replicate to this RODC permission.
7. Click Apply, and then click Advanced.
8. From the Resultant Policy tab of the Advanced Password Replication Policy
for SEA-SVR1 dialog box, verify that Joe's account is allowed to cache its
password.


Task 10: Prepopulate the password cache
1. From the Policy Usage tab of the Advanced Password Replication Policy for
SEA-SVR1 dialog box, click Prepopulate Passwords.
2. Prepopulate the passwords of the following user accounts:
Joe; Jim; Parul; Heiko; Claus
3. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the
Redmond sales office.
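Tasks 9 and 10 are performed in the Active Directory Users and Computers GUI, and the lesson summary earlier states that the Password Replication Policy decides whether a credential may be cached on the RODC. The following PowerShell is an added example, not course code or lab material, that does the same work from the command line and also computes the resultant policy for an account the way the Resultant Policy tab does. It assumes the Active Directory module for Windows PowerShell (shipped with Windows Server 2008 R2; on the original Windows Server 2008 the repadmin /prp and repadmin /rodcpwdrepl commands cover the same ground), the lab names SEA-SVR1, SEA-DC1, SalesGG and the five user accounts, and the documented precedence rule that a Denied entry overrides an Allowed entry. The Denied list contains the Denied RODC Password Replication Group by default, and that group contains Domain Admins, Enterprise Admins and the other high-privilege groups, which is the mechanism behind the demonstration question about administrator passwords.

```powershell
# Added example (not course code): manage and evaluate an RODC Password Replication Policy.
Import-Module ActiveDirectory            # Windows Server 2008 R2 / RSAT module

$Rodc       = "SEA-SVR1"                 # the RODC promoted in Task 8
$WritableDc = "SEA-DC1"                  # source of the secrets when prepopulating
$SalesGroup = "SalesGG"
$LabUsers   = "Joe", "Jim", "Parul", "Heiko", "Claus"

# Task 9: allow the secrets of SalesGG members to be cached on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $SalesGroup

# Resultant policy for one account: any Denied match wins, then any Allowed match,
# otherwise the account is implicitly denied and its password is never cached.
function Get-ResultantPrp {
    param([string]$RodcName, [string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # Transitive (nested) group membership via the LDAP_MATCHING_RULE_IN_CHAIN rule OID
    $groupDNs = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                ForEach-Object { $_.DistinguishedName }
    $principals = @($user.DistinguishedName) + @($groupDNs)

    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied  |
               ForEach-Object { $_.DistinguishedName }
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
               ForEach-Object { $_.DistinguishedName }

    foreach ($p in $principals) { if ($denied  -contains $p) { return "Deny (explicit)" } }
    foreach ($p in $principals) { if ($allowed -contains $p) { return "Allow" } }
    return "Deny (implicit: no Allowed entry matches)"
}

# Joe resolves to Allow once he is a member of SalesGG; Administrator resolves to
# Deny because Domain Admins sits inside the default Denied group.
Get-ResultantPrp -RodcName $Rodc -SamAccountName "Joe"
Get-ResultantPrp -RodcName $Rodc -SamAccountName "Administrator"

# Task 10: prepopulate the cache so the first branch logon does not depend on the WAN link.
# -PasswordOnly replicates just the secret from the writable DC to the RODC, and it only
# succeeds for accounts the policy above resolves to Allow.
foreach ($sam in $LabUsers) {
    $dn = (Get-ADUser -Identity $sam).DistinguishedName
    Sync-ADObject -Object $dn -Source $WritableDc -Destination $Rodc -PasswordOnly
}

# Verify, as the Policy Usage tab does: accounts whose secrets are now stored on the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, DistinguishedName
```

The revealed-accounts list is also the list to review if the RODC is ever stolen or compromised: those are the only credentials that can be recovered from its database, which is why keeping administrators out of the cache matters.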

To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module Review and Takeaways

Review Questions
1. In a multidomain network, why is the global catalog server important?

2. From a security perspective, what is the difference between implementing a
forest with two trees, and implementing two forests with forest trusts
established between them?

3. Why would you implement shortcut trusts between domains?

4. What domain functional level is required to support the redirection of the
default Users and Computers containers?


5. You are concerned about the reliability of using FRS to replicate the SYSVOL
folder between domain controllers. What domain functional level must you
select in order to use DFS?

6. During the creation of a site object, with which other object must you associate
it?


Module 4
Planning for Group Policy
Contents:
Lesson 1: Planning Group Policy Application 4-3
Lesson 2: Planning Group Policy Processing 4-13
Lesson 3: Planning the Management of Group Policy Objects 4-24
Lesson 4: Planning the Management of Client Computers 4-37
Lab: Planning for Group Policy 4-52


Module Overview

Group Policy is an essential part of any Windows Server 2008 network. It can be
used as a centralized management tool to distribute settings and applications to
computers. For servers, group policy is typically used to distribute security
settings. For client computers, group policy is used to configure the user
environment and distribute applications.
Objectives
After completing this module, you will be able to:
Plan group policy application.
Plan group policy processing.
Plan the management of group policy objects.
Plan the management of client computers.


Lesson 1
Planning Group Policy Application

Group Policy objects contain a wide variety of settings that can be applied to users
or computers. An effective plan for implementing group policy needs to take into
account how and when these settings are applied. This ensures that the application
of group policy objects is predictable.

Objectives
After completing this lesson, you will be able to:
Describe the types of group policy settings.
Describe the considerations for group policy application.
Describe the considerations for group policy application exceptions.
Describe the new group policy features in Windows Server 2008.


Demonstration: Reviewing and Modifying Group Policy Settings

Key Points
A Group Policy Object (GPO) contains thousands of settings that you can use to
control servers and client computers. However, individual settings are restricted in
how they can be applied.
The settings in a GPO that apply to a computer are limited by the operating system
of the computer. For example, some settings will apply to Windows Server 2008
but not Windows Server 2003. Windows Server 2003 ignores a setting that is
specific to Windows Server 2008.
A GPO has both user and computer settings. The user settings apply based on the
location of the user object in Active Directory directory services. The computer
settings apply based on the location of the computer object in Active Directory.


A GPO also contains preferences. Unlike settings, which cannot be changed by the
user, preferences are a default configuration that can be modified by the user.
Preferences are new in Windows Vista and Windows Server 2008. They are used
to configure things such as Open Database Connectivity (ODBC) data sources,
printers, and mapped drive letters.
To review or modify the settings in a GPO:
1. Open Group Policy Management.
2. Browse to the Group Policy Objects container.
3. To modify a GPO, right-click it, and then select Edit.
4. To review the settings in a GPO, double-click the setting, and then select the
Settings tab.

Additional Reading
Windows Server Group Policy page on the TechNet Web site:
http://go.microsoft.com/fwlink/?LinkId=99449
Considerations for Group Policy Application

Key Points
Clients initiate Group Policy application by requesting GPOs from Active Directory
Domain Services (AD DS). When Group Policy is applied to a user or computer,
the client component interprets the policy, and then makes the appropriate
environment changes. These components are known as Group Policy client-side
extensions. As GPOs are processed, the Winlogon process passes the list of GPOs
that must be processed to each Group Policy client-side extension. The extension
then uses the list to process the appropriate policy, when applicable.
Consider the following:
• Computer settings are processed when the computer starts. To apply new
computer settings immediately, you may need to reboot the system.
• User settings are processed when a user logs on. To apply new user settings,
you may need to log off and log back on.
• You can speed up Group Policy processing by disabling unnecessary parts of a
Group Policy. For example, if a GPO is linked to an organizational unit (OU)
that contains only user accounts, you can disable the computer portion of the
GPO.
• Group policy objects are cached locally and updated at timed intervals. The
default configuration refreshes GPOs on workstations and member servers
every 90 minutes. GPOs on domain controllers are refreshed every 5 minutes.
You can force an update of GPOs by running gpupdate.
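The demonstration earlier in this lesson reviews settings on the GPMC Settings tab, and the considerations above recommend disabling the unused half of a GPO. The script below is an added example, not course material: it uses the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and the Windows 7 Remote Server Administration Tools or later, not the Windows Server 2008 GPMC scripts) on PowerShell 3.0 or later, run from a domain-joined computer with GPMC installed. It pulls the same report data GPMC shows for every GPO, flags GPOs whose user or computer half carries no settings, and, when asked, disables that half. The function names are my own.

```powershell
# Added example, not from the course. Assumes the GroupPolicy module (Windows
# Server 2008 R2 / RSAT or later), PowerShell 3.0+, and a domain-joined
# computer with GPMC installed. Function names are my own.
Import-Module GroupPolicy

function Get-GpoHalfUsage {
    # One object per GPO: which halves carry settings and where it is linked.
    foreach ($gpo in Get-GPO -All) {
        # The XML report is the same data GPMC shows on the Settings tab.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # ExtensionData is present only when that half actually holds settings.
        $hasComputer = $null -ne $report.GPO.Computer.ExtensionData
        $hasUser     = $null -ne $report.GPO.User.ExtensionData
        $links       = @($report.GPO.LinksTo | Where-Object { $_ } |
                         ForEach-Object { $_.SOMPath })

        $suggestion = ''
        if ($gpo.GpoStatus -eq 'AllSettingsEnabled') {
            if (-not $hasUser -and $hasComputer)          { $suggestion = 'Disable user settings' }
            elseif (-not $hasComputer -and $hasUser)      { $suggestion = 'Disable computer settings' }
            elseif (-not $hasComputer -and -not $hasUser) { $suggestion = 'Empty GPO: unlink or delete' }
        }

        [pscustomobject]@{
            Name        = $gpo.DisplayName
            Id          = $gpo.Id
            Status      = $gpo.GpoStatus      # AllSettingsEnabled, UserSettingsDisabled, ...
            HasComputer = $hasComputer
            HasUser     = $hasUser
            LinkedTo    = $links -join '; '
            Suggestion  = $suggestion
        }
    }
}

function Disable-UnusedGpoHalf {
    # Applies the suggestion for one GPO. GpoStatus is writable on the object
    # returned by Get-GPO and the change is written to the domain immediately.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)

    $row = Get-GpoHalfUsage | Where-Object { $_.Name -eq $Name }
    if (-not $row) { throw "GPO '$Name' not found" }

    $newStatus = switch ($row.Suggestion) {
        'Disable user settings'     { 'UserSettingsDisabled' }
        'Disable computer settings' { 'ComputerSettingsDisabled' }
        default                     { $null }
    }
    if (-not $newStatus) { return "No change for '$Name' ($($row.Suggestion))" }

    if ($PSCmdlet.ShouldProcess($Name, "set GpoStatus to $newStatus")) {
        $gpo = Get-GPO -Guid $row.Id
        $gpo.GpoStatus = $newStatus
        # Clients pick this up at the next refresh (90 minutes on members,
        # 5 minutes on domain controllers) or after: gpupdate /force
        Get-GPO -Guid $row.Id | Select-Object DisplayName, GpoStatus
    }
}

# Review first; the table is what you would attach to a change record.
Get-GpoHalfUsage | Format-Table Name, Status, HasComputer, HasUser, LinkedTo, Suggestion -AutoSize

# Then, per GPO, preview and apply:
# Disable-UnusedGpoHalf -Name 'Sales Desktop' -WhatIf
# Disable-UnusedGpoHalf -Name 'Sales Desktop'
```

Run the inventory before changing anything; a GPO that shows as empty may be a deliberately blank placeholder that someone intends to populate, so the suggestion column is a prompt for review, not an instruction.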
Group Policy Application Exceptions

Key Points
Typically, all settings from a GPO are applied during the startup and logon
process. However, there are exceptions that need to be considered.
Slow Link Detection
If Group Policy detects a slow link, specific Group Policy settings will not be
processed. The default slow link speed is 500 kilobits per second (Kbps), but this
is configurable.
Slow link detection is useful for controlling how Group Policy is processed at
branch offices and for roaming users with a virtual private network (VPN)
connection. For example, you may not want to automatically install software over a
VPN connection.
Cached Credentials
When a Windows XP or Windows Vista computer is experiencing network
connectivity issues, a user may still log on by using cached credentials. Cached
Group Policy settings will still apply to this user. However, new Group Policy
settings will not be applied until the computer connects to the network and
downloads the updated GPO. You can disable cached credentials if this is a
concern.
Remote Access Connections
When a user logs on over a VPN connection, both user and computer settings are
copied to the computer, subject to slow link detection, but may not be applied
immediately. Most computer settings will not be applied immediately because they
must be applied before the user logs on. User settings are applied as part of the
logon process if the user initiates the VPN connection as part of the logon process.
If the user logs on to the computer and then initiates the VPN connection, Group
Policy processing is performed in the background.
Moved Computer or User Objects
When a computer or user object is moved in Active Directory, the new Group
Policy settings are not applied immediately. It takes up to 30 minutes for the
Group Policy client to detect and use the new object location. Group Policy must
then still be refreshed, which occurs at approximately 90-minute intervals.

For more information about Group Policy processing exceptions, see Controlling
Client-Side Extensions by Using Group Policy on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99452.
New Group Policy Features in Windows Server 2008

Key Points
The new features in Group Policy enhance functionality of Group Policy and make
it easier to manage.
New Policies
If you are using Windows Vista as a desktop operating system, there are several
new categories of settings in Group Policy.
• Power management settings. You can centrally control power management
for Windows Vista computers. This can be used to save money by putting
computers to sleep at night when they are not in use.
• Blocking device installation. You can control the use of removable storage
devices. This allows you to prevent users from removing corporate data on
USB storage devices.
• Firewall and IPSec settings. The settings for Windows Firewall and IPSec are
now combined. This reduces confusion where settings could potentially
conflict.
• Internet Explorer settings. The way Microsoft Internet Explorer settings are
applied has been modified to reduce the risk of unexpected behavior when
combined with local settings.
• Location-based printing. You can now assign printers to users based on
location. This allows roaming users to have the correct printers for the location
they are in. For example, a laptop user would have one set of printers in the
head office and another set of printers when at a branch office.
• Delegation of printer driver installation. There is now a setting to enable
non-administrators to install new printer drivers. This is important for roaming
users that may need to install a printer driver at a client site.

Note: Windows 7 also includes these categories of settings.

ADMX Templates
The administrative templates in previous versions of Windows were ADM files.
You have the option to replace these with ADMX files in Windows Server 2008.
The main benefits are easier editing, multi-language support, and greater efficiency.

Note: More information about ADMX files is provided in the topic Administering Group
Policy Objects.

Network Location Awareness
Windows Vista includes Network Location Awareness to accurately determine
network conditions. Group Policy uses this information to determine appropriate
actions. For example, if there is no connectivity to a domain controller, Group
Policy does not wait for a timeout, resulting in a faster startup.
The two primary scenarios where this is a benefit are:
• Connecting over VPNs. A background refresh of Group Policy is initiated
when users connect to the VPN.
• Processing Group Policy through a firewall. If a firewall is configured to
block ICMP packets, Network Location Awareness still functions properly.
Slow link detection in Windows XP required the use of ICMP packets.

For more information about new features in Windows Server 2008 Group Policy,
see the Group Policy page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164082&clcid=0x409.
Lesson 2
Planning Group Policy Processing

Group Policy objects are processed primarily based on where the GPO is linked in
Active Directory. However, there are additional options available that modify the
default processing. Filtering lets you control Group Policy processing based on the
group membership of users or Windows Management Instrumentation (WMI)
settings on computers. You can block group policy inheritance to stop settings
from being applied to the lower OUs. Alternatively, you can enforce group policy
inheritance to ensure that settings are applied to all users or computers. Loopback
processing can be used to apply user settings based on the computer you log on at.
Objectives
After completing this lesson, you will be able to:
• Describe the considerations for Active Directory structure.
• Describe the considerations for using filtering.
• Describe the considerations for modifying inheritance.
• Describe the considerations for using loopback processing.
Considerations for Active Directory Structure

Key Points
GPOs can be created and linked to several locations. The GPOs are processed in a
specific order with the last processed GPO having the highest precedence. The
setting with the highest precedence is effective when there are conflicts between
the GPOs.
The processing order is: local group policy, site level GPOs, domain level GPOs,
first level organizational unit GPOs, second level organizational unit GPOs.
When planning the Active Directory structure, keep the following GPO
considerations in mind:
• Local group policy is typically only used when a setting needs to be applied to
only a single computer such as a kiosk.
• Site level GPOs are useful for enforcing policies at a single physical location
that has multiple domains. Also, software distribution can be performed at the
site level to ensure that a local source is used for the installation. In general,
Microsoft recommends linking GPOs to domains and OUs rather than sites.
A site-linked GPO exists in only one domain. If the GPO is being applied to
users or computers in another domain, it may slow down Group Policy
processing.
• Domain-level GPOs are useful for applying standardized settings to an entire
domain. Also, there are some settings such as password polices that must be
configured at the domain level.

Note: Windows Server 2008 introduces fine-grained password polices that allow you to
configure password policies for groups of users rather than the entire domain.

• Organizational unit GPOs are useful for applying standardized settings to
workgroups.
• Create your OU structure to support group policy. For example, create OUs for
various workgroups or classes of users to support applying different policies to
each workgroup. The same applies to computer objects.
• When multiple GPOs are linked at the same level, you can configure a priority
level for each GPO. The GPO with the lowest link order has the highest
precedence.
• GPOs cannot be linked to the default Users or Computers containers. Only
GPOs linked at the domain level apply to users and computers in those
containers. Consider moving user and computer objects into OUs to provide
more flexibility.
• Multiple local GPOs can be applied only to local users and groups. This is
typically used only when a local user logs on. For example, a kiosk computer
where users do not log on to the Active Directory domain and you want to
differentiate between the user settings applied to standard users and the local
Administrator.

For more information about group policy processing, see Group Policy
processing and precedence on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99456.
Considerations for Using Filtering

Key Points
There are two ways in which filtering can be applied to group policy processing.
Security filtering controls which GPOs are processed based on user membership in
security groups. WMI filters control GPO processing based on the WMI queries to
a workstation. WMI queries can be used to determine most hardware and software
configuration information.
When using filtering, consider the following:
• The use of security filtering can simplify OU planning for a domain. For
example, you can create an OU for the accounting department with one
generic GPO for all users and then have additional GPOs filtered by security
group membership for workgroups such as payables within the accounting
department.
• The use of WMI filtering can ensure that new software is installed only to
appropriate computers. For example, a new application could be provided
only to computers with a specific amount of memory or a specific operating
system.
• Filtering is performed for each GPO. If a GPO is linked to multiple levels or
OUs, the filters apply to all links. This allows filtering to be centrally
controlled.

Security Filtering
Security filtering is based on the fact that GPOs have access control lists (ACLs)
associated with them. These ACLs contain access entries for different security
principals. In order for a GPO to be applied to a security principal in an OU, the
security principal requires at a minimum the following permissions set to:
• Allow Read
• Allow Apply Group Policy

By default, the Authenticated Users group has these permissions. By denying or
granting the Apply Group Policy permission, you can control which users, groups,
or computers actually receive the GPO settings.
WMI Filtering
WMI is a set of technologies for managing Windows-based environments. WMI
provides access to properties of almost every hardware and software object in the
computing environment. Through WMI scripts, these properties can be evaluated,
and decisions about the application of group policy are made based on the results.
For example, a WMI query could check for a minimum amount of RAM, or a
specific service pack, to determine if a group policy should be applied. You must
be a member of Domain Administrators, Enterprise Administrators, or Group
Policy Creator Owners groups to create WMI filters in the domain.

For more information about security filtering, see Security filtering using
GPMC on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164084&clcid=0x409.

For more information about WMI filtering, see WMI filtering using
GPMC on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164152&clcid=0x409.
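The WMI filtering text above gives a minimum amount of RAM and a specific operating system as the kind of test a filter performs. As an added example that is not course material, the function below evaluates candidate WQL queries on the local computer the way the Group Policy client evaluates a filter (a filter is true for a computer only when every query in it returns at least one instance), so a query can be checked on a representative machine before it is created in the WMI Filters container and attached on the Scope tab. It needs only the built-in CIM cmdlets (PowerShell 3.0 or later); the two queries are constructed to match the text's examples, and the function name is my own.

```powershell
# Added example, not from the course. Evaluates WMI filter queries locally.
# Function name and the sample queries are my own.
function Test-WmiFilterQueries {
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root/CIMv2'    # the namespace GPMC uses by default
    )

    $perQuery = foreach ($q in $Query) {
        # -ErrorAction Stop surfaces a malformed WQL query instead of silently
        # returning zero matches, which would look like "filter evaluated false".
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
        [pscustomobject]@{ Query = $q; Matches = $hits.Count }
    }

    # Same rule as the Group Policy client: all queries must match, or the GPO
    # carrying this filter is skipped on this computer.
    $failed = @($perQuery | Where-Object { $_.Matches -eq 0 })
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        FilterResult = ($failed.Count -eq 0)
        Queries      = $perQuery
    }
}

# Constructed queries mirroring the course's examples: at least 2 GB of RAM
# (TotalPhysicalMemory is in bytes) and a specific operating system, here
# version 6.0 (Windows Vista / Windows Server 2008) on a workstation
# (ProductType 1; 2 = domain controller, 3 = member server).
$queries = @(
    'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 2147483648',
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
)

$result = Test-WmiFilterQueries -Query $queries
$result.Queries | Format-Table -AutoSize
"A GPO with this WMI filter would apply to $($result.Computer): $($result.FilterResult)"
```

Run it on one computer from each hardware or operating-system class the filter is meant to separate, including a machine that should be excluded; a query that matches everywhere, or nowhere, is the usual reason a WMI-filtered GPO applies to the wrong set of computers.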
Considerations for Modifying Inheritance

Key Points
You have the option to modify the default group policy processing by blocking
inheritance and enforcing the application of specific GPOs. Using block
inheritance prevents the child level from automatically inheriting GPOs linked to
higher sites, domains, or organizational units. Enforcement prevents the settings in
a parent GPO from being blocked or overridden by settings in a child GPO.
When modifying inheritance, keep in mind the following key points:
• Blocking inheritance is not selective. You cannot select specific policies to
block. When you block inheritance, it blocks the inheritance of all policies. To
reapply specific settings after the point of blocked inheritance, you need to link
a GPO with those settings after the point of blocked inheritance. This GPO can
be a new GPO with the specific settings required or an existing GPO that
is also linked elsewhere. Settings that you may want to reapply after the point
of blocked inheritance include security configuration or software distribution.
• Use enforcement to enforce organization-wide standards. If you link a GPO at
the domain level and enforce it, then it prevents administrators with delegated
authority from overriding the enforced settings. This could be used for specific
desktop configuration settings such as security settings that have been
centrally determined.
• You cannot enforce a filtered GPO. Filtering for a GPO is done on the GPO,
while enforcement is performed on the link. If a GPO is filtered, then the link
cannot be enforced. As a result, you should be careful when applying filtering
to a GPO that is enforced anywhere. This also means that you can use filtering
to stop enforcement for a specific group of users or computers.

For more information about modifying inheritance, see Managing inheritance of
group policy on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164153&clcid=0x409.
Considerations for Using Loopback Processing

Key Points
User policy settings are normally derived entirely from the GPOs associated with
the user account, based on its AD DS location. However, loopback processing
directs the system to apply the user settings from the GPOs that apply to the
computer to any user who logs on to a computer affected by this policy.
When planning for loopback processing, consider the following:
• Loopback processing is typically enabled for special use computers where you
want different user settings to apply based on the computer that the user is
logged on at. For example, a computer used to run manufacturing equipment
may have more restrictive user settings in place.
• When you want to apply additional restrictions to users based on the
computer they are logging on at, use merge mode. Merge mode combines the
settings from the user and the computer. The merged settings from the
computer will override settings from the user.
• When you want all users to have consistent user settings, use replace mode.
Replace mode uses only settings from the computer and ignores settings from
the user.
• When you want to apply less restrictive settings to users based on the
computer they log on at, use replace mode. For example, in a training room,
you could have less restrictive policies than the standard office computers. The
computers in the training room would have user policy settings that are less
restrictive.
• Use loopback processing to secure Terminal Servers. In most cases, you want
users to have a different configuration when connecting to a terminal server
rather than a regular office computer.

For more information about loopback processing, see Loopback processing with
merge or replace on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=164209&clcid=0x409.
Demonstration: Modifying Group Policy Processing

All group policy management is performed by using the Group Policy Management
console. The steps for individual tasks vary.
To enforce a policy:
• Right-click the policy link and select Enforced.

To block policy inheritance:
• Right-click the OU and select Block Inheritance.

To perform security filtering on a policy:
1. View the Scope tab of the GPO.
2. Modify the list of users able to apply the GPO.

To perform WMI filtering on a policy:
1. Create a WMI filter in the WMI Filters container.
2. Select the WMI filter on the Scope tab of the GPO.

To enable loopback processing:
1. Edit the GPO.
2. Set Computer Configuration\Policies\Administrative Templates
\System\Group Policy\User Group Policy loopback processing mode to
Enabled.
3. Select Replace or Merge Mode.
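The same tasks, carried out with the GroupPolicy PowerShell module (Windows Server 2008 R2 and the Windows 7 Remote Server Administration Tools or later, PowerShell 3.0 or later) instead of the GPMC console, as an added example that is not course material. The domain, OU, group and GPO names are constructed placeholders; the script assumes the three GPOs already exist and that the baseline GPO is already linked at the domain. The final function reads back the precedence that results for the kiosk OU, which is the check worth running after any change to enforcement, blocking or link order.

```powershell
# Added example, not from the course. Names below are placeholders; the GPOs
# are assumed to exist and the baseline to be linked at the domain already.
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=com'
$deptOu   = "OU=Manufacturing,$domainDn"
$kioskOu  = "OU=Shop Floor Kiosks,OU=Manufacturing,$domainDn"
$baseline = 'Corporate Security Baseline'   # organization-wide, enforced at the domain
$deptGpo  = 'Manufacturing Desktop'         # departmental, security filtered
$kioskGpo = 'Kiosk Lockdown'                # loopback Replace for the kiosks

# 1. Enforce the baseline. Enforcement is a property of the link, not the GPO,
#    so it is set with Set-GPLink on the container the GPO is linked to.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes | Out-Null

# 2. Block inheritance on the kiosk OU. Every non-enforced GPO linked above is
#    dropped; the enforced baseline still applies and still wins conflicts.
Set-GPInheritance -Target $kioskOu -IsBlocked Yes | Out-Null

# 3. Re-link what the kiosks still need below the block. Lowest link order has
#    the highest precedence at a level, so the kiosk GPO gets order 1.
New-GPLink -Name $deptGpo  -Target $kioskOu -Order 2 -ErrorAction SilentlyContinue | Out-Null
New-GPLink -Name $kioskGpo -Target $kioskOu -Order 1 -ErrorAction SilentlyContinue | Out-Null

# 4. Security filtering on the departmental GPO: a principal receives a GPO only
#    with both Read and Apply Group Policy. Authenticated Users keeps Read
#    (lowering a level needs -Replace) and a group is granted Apply.
Set-GPPermission -Name $deptGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $deptGpo -TargetName 'Manufacturing Staff' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Loopback in Replace mode on the kiosk GPO. The Administrative Templates
#    setting "User Group Policy loopback processing mode" is the registry
#    policy value HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    (1 = Merge, 2 = Replace); Set-GPRegistryValue writes it into the GPO.
Set-GPRegistryValue -Name $kioskGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 6. Read back what a computer in the kiosk OU will process. InheritedGpoLinks
#    is returned in order of precedence (highest first), so it shows the
#    combined effect of the enforced link, the block and the link order.
function Get-EffectiveLinkOrder {
    param([Parameter(Mandatory)][string]$Target)
    $som = Get-GPInheritance -Target $Target
    $i = 0
    foreach ($link in $som.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{
            Precedence       = $i
            Gpo              = $link.DisplayName
            LinkedAt         = $link.Target
            Enforced         = $link.Enforced
            LinkEnabled      = $link.Enabled
            InheritanceBlock = $som.GpoInheritanceBlocked
        }
    }
}

Get-EffectiveLinkOrder -Target $kioskOu | Format-Table -AutoSize
```

Expect the enforced baseline at precedence 1 even though the OU blocks inheritance, followed by the kiosk and department links in link order; a GPO linked at the domain or the Manufacturing OU without enforcement should be absent from the list. Security filtering is not visible in this output, since it is evaluated per principal at processing time; use Group Policy Modeling (or Get-GPResultantSetOfPolicy) with a specific user and computer to confirm it.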
Lesson 3
Planning the Management of Group Policy Objects

There are a variety of options available when you are managing GPOs. You need to
consider whether you should introduce ADMX templates for group policy settings
or continue using ADM templates. You also have the option to use starter GPOs as
a base for building new GPOs. You must determine whether you will link GPOs to
multiple locations or create multiple GPOs. To ensure that you can recover GPOs if
necessary, you also need to consider how GPOs will be backed up. Finally, you can
delegate the management of GPOs in several ways.
Objectives
After completing this lesson, you will be able to:
• Describe the considerations for administering GPOs.
• Describe starter GPOs.
• Describe the considerations for reusing or copying GPOs.
• Describe the considerations for backing up and restoring GPOs.
• Describe the considerations for delegating GPO management.
Considerations for Administering Group Policy Objects

Key Points
When administering group policy objects, consider the following:
• The tool for administering GPOs is the Group Policy Management Console
(GPMC). This tool is included as a feature in Windows Server 2008. You can
install GPMC on Windows Vista SP1 by downloading and installing the
Remote Server Administration Tools.
• A GPO is composed of a group policy container and a group policy template.
The group policy container is stored in Active Directory. The group policy
template is stored in the SYSVOL share on domain controllers.
• When a new GPO is created, it must be replicated to other domain controllers.
Until replication is complete, the GPOs applied to a user or computer may be
inconsistent. Application of GPOs may also be inconsistent if there are
problems with Active Directory replication or with the replication of the
SYSVOL portion of the GPOs.
• The new ADMX format for Administrative Templates reduces the overall size
of a GPO by up to 4 MB because the ADMX files are located in a central store
rather than copied into the folder for each GPO as ADM templates were. This
makes group policy processing faster, reduces the size of SYSVOL, and
reduces network traffic generated by replication of SYSVOL between domain
controllers.
• You should create a central store for ADMX files. This is not done
automatically during installation. A central store eliminates the need to copy
ADMX files to a computer where editing of a GPO is being performed.
• ADMX files are easier to extend than ADM files because ADMX files are XML
files. This allows you to add new settings into a group policy. The new settings
can be used to set registry keys that control an application.
• ADMX files can be used only by Windows Server 2008 and Windows Vista. If
you have down-level clients and servers, you must continue to use ADM
templates for those computers.
• You can migrate customized ADM files to ADMX format by using the ADMX
Migrator.
• When you are troubleshooting the application of group policy settings, use the
Group Policy Reporting feature in GPMC or GPResult.exe. These display the
settings applied to a user or computer.
• When you are planning the implementation of group policy, use the Group
Policy Modeling Wizard in GPMC. This allows you to view the effects of
changing site membership, security group membership, WMI filters, slow
links, loopback processing, and the movement of user and computer objects to
a new OU.

For more information about ADMX files see Managing Group Policy
ADMX Files Step-by-Step Guide on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99453.

For more information about how to create a central store for ADMX
files see How to create a Central Store for Group Policy Administrative
Templates in Windows Vista on the Microsoft Help and Support Web site
at http://go.microsoft.com/fwlink/?LinkID=164210&clcid=0x409.
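The considerations above say the ADMX central store is not created automatically. The function below is an added example, not course material, showing the creation step on PowerShell 3.0 or later: it builds the fixed central store path under the domain's SYSVOL Policies folder, seeds it from the local PolicyDefinitions folder (the .admx files plus the language subfolders holding the .adml files the editor needs), and reports what is there. The domain defaults to the current user's domain; the function name is my own, and the check before overwriting is a practice I added rather than anything the course prescribes.

```powershell
# Added example, not from the course. Creates and seeds the ADMX central store.
# Function name is my own; run it from an account that can write to SYSVOL.
function New-AdmxCentralStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,                 # assumption: current user's domain
        [string]$Source = "$env:SystemRoot\PolicyDefinitions" # local ADMX/ADML set
    )

    # The central store location is fixed: GPMC looks only here.
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

    if (-not (Test-Path $Source)) {
        throw "No ADMX source at $Source; run this on Windows Vista / Server 2008 or later"
    }

    if (-not (Test-Path $store)) {
        if ($PSCmdlet.ShouldProcess($store, 'create central store')) {
            New-Item -ItemType Directory -Path $store | Out-Null
        }
    }

    # Never replace a newer template with an older one: once the store exists,
    # GPMC uses it in preference to local files, so an old copy affects every
    # editor in the domain. Only copy files that are new or newer.
    $copied = 0
    foreach ($file in Get-ChildItem -Path $Source -Recurse -File) {
        $relative = $file.FullName.Substring($Source.TrimEnd('\').Length + 1)
        $target   = Join-Path $store $relative
        if ((Test-Path $target) -and (Get-Item $target).LastWriteTimeUtc -ge $file.LastWriteTimeUtc) {
            continue
        }
        if ($PSCmdlet.ShouldProcess($target, 'copy template')) {
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -Path $file.FullName -Destination $target -Force
            $copied++
        }
    }

    [pscustomobject]@{
        Store       = $store
        AdmxFiles   = (Get-ChildItem -Path $store -Filter *.admx -File).Count
        Languages   = (Get-ChildItem -Path $store -Directory | Select-Object -ExpandProperty Name) -join ', '
        FilesCopied = $copied
    }
}

# Preview, then create. The .admx/.adml files replicate to other domain
# controllers with the rest of SYSVOL, so allow for replication before editing
# GPOs from a console that talks to a different domain controller.
New-AdmxCentralStore -WhatIf
New-AdmxCentralStore
```

Because the store is shared by every administrator who edits a GPO, treat it like any other configuration artifact: add templates from a known source, and keep the language folder (for example en-US) in step with the .admx files it describes, or the editor shows setting names as unresolved identifiers.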
What Are Starter GPOs?

Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. When you
create a new GPO from a starter GPO, the new GPO has all the Administrative
Template settings that the starter GPO defined. In this way, starter GPOs act as
templates for creating GPOs.
The GPMC stores starter GPOs in a folder named StarterGPOs, which is located in
SYSVOL. Individual starter GPOs can be exported into .cab files for easy
distribution. You then can import these .cab files back into the GPMC.
Scenarios for using starter GPOs:
• Use starter GPOs to standardize GPO creation. For example, the starter GPOs
could contain standardized organizational settings. Delegated administrators
for OUs could create their own GPOs by copying the starter GPOs and adding
their own settings.
• Use starter GPOs to move GPOs easily between domains. You can export
a starter GPO as a .cab file and then import into another domain. In a
multidomain environment, this simplifies standardization between domains.
• Use starter GPOs to distribute customized settings to partners. For example, a
software developer could create a starter GPO with recommended settings for
their software. Customers could download the starter GPO and apply it to
their servers or workstations running the software.
Considerations for Reusing or Copying GPOs

Key Points
When you create a GPO, it is stored as part of the domain structure. Some data is
stored in Active Directory and some data is stored in the SYSVOL share. That
content is then replicated to all domain controllers in the domain. To apply a GPO
to a domain or OU, you link the GPO to a domain or OU. You can link a single
GPO to multiple locations.
When considering reusing or copying GPOs, keep the following points in mind:
• When you link a single GPO to multiple locations, it allows you to centrally
control the GPO. When the GPO is updated with new settings, the new
settings are applied to all users or computers affected by the GPO.
• If a single GPO is linked to multiple locations, you should carefully control
which administrators have permissions to modify the GPO. A departmental
administrator could modify the central GPO while thinking that he was only
modifying settings for a single OU.
• When you have multiple copies of a GPO, it can be difficult to synchronize the
settings between them.
• To simplify administration, use a single GPO linked to multiple locations for
common settings. Use individual GPOs linked to an OU to apply unique
settings.
Considerations for Backing Up and Restoring GPOs

Key Points
When backing up and restoring GPOs, consider the following:
• GPOs are backed up as part of a system state backup on a domain controller.
However, it is difficult to recover a GPO from a system state backup.
• You can create a GPO backup at any time by using the GPMC. GPMC allows
you to back up one or all GPOs. It is a good idea to back up GPOs before
making changes.
• You can use scripts to schedule GPO backups. GPO backups are then
available as files that can be easily restored if required. The script
BackupAllGPOs.wsf is located in C:\Program Files\GPMC\Scripts.
• Only read permissions are required to perform a backup of GPOs. This makes
it easy to delegate the backup of GPOs.
• A starter GPO is not useful as a backup. A GPO backup contains all GPO
settings, not just administrative templates. This differentiates them from starter
GPOs.
• To recover a GPO and include security attributes for security filtering and
WMI filtering, you need to restore from backup. However, restoring the GPO
from backup will not recover or modify links. This means that enforcement,
which is configured on the link, will not be recovered.
• To recover only GPO settings, without security attributes for security filtering or
WMI filtering, you need to import the settings from backup. In most cases, you
only need to recover settings and not security attributes.
• After a GPO has been restored or settings have been imported from backup,
the changes must be replicated to other domain controllers before they are
effective for all users.
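The backup and the two recovery paths described above, as an added example that is not course material. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and the Windows 7 Remote Server Administration Tools or later, PowerShell 3.0 or later) rather than the BackupAllGPOs.wsf script the text names for Windows Server 2008: one function backs up every GPO into a dated folder with a manifest, and the commented lines show Restore-GPO (settings plus security filtering and the WMI filter link, back into the same GPO) beside Import-GPO (settings only, into any GPO). The backup path and GPO names are placeholders, and the function names are my own.

```powershell
# Added example, not from the course. Backup root and GPO names are
# placeholders; function names are my own.
Import-Module GroupPolicy

function Backup-AllGposDated {
    # A dated folder per run keeps the history the course recommends taking
    # before changes. Backup-GPO needs only Read on each GPO, so this can run
    # under a low-privilege scheduled-task account.
    param([string]$Root = 'D:\GPOBackups')   # assumption: use an access-controlled share in practice

    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $backups = Backup-GPO -All -Path $dir -Comment "Scheduled backup $(Get-Date -Format s)"

    # Each backup lands in its own GUID-named subfolder (the Id below). A manifest
    # lets a restore be matched to a GPO name without opening GPMC.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation

    [pscustomobject]@{ Path = $dir; GpoCount = @($backups).Count }
}

function Get-GpoBackupManifest {
    # Lists what a backup set contains; run this before trusting it for recovery.
    param([Parameter(Mandatory)][string]$Path)
    Import-Csv -Path (Join-Path $Path 'manifest.csv')
}

$run = Backup-AllGposDated
Get-GpoBackupManifest -Path $run.Path | Format-Table -AutoSize

# Recovery path 1: put a damaged or deleted GPO back as it was, including its
# security filtering and its WMI filter link. Links are not part of the backup,
# so any link, and the Enforced flag that lives on it, must be re-created.
# Restore-GPO -Name 'Manufacturing Desktop' -Path $run.Path

# Recovery path 2: copy settings only into another (or a new) GPO. The target
# keeps its own security filtering and WMI filter.
# Import-GPO -BackupGpoName 'Manufacturing Desktop' -Path $run.Path `
#     -TargetName 'Manufacturing Desktop (rebuilt)' -CreateIfNeeded

# After either path the change still has to replicate (AD and SYSVOL) to the
# other domain controllers before every client sees it.
```

The manifest also answers the question a restore raises first: which backup holds the version you want. Backup-GPO writes a new backup Id every run, so when the same GPO has been backed up several times in one folder, pick the backup by Id (Restore-GPO -BackupId) rather than by name, which selects the most recent one.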
Considerations for Delegating Management of GPOs

Key Points
When delegating management of GPOs, consider the following:
• By default, only members of Domain Admins and Group Policy Creator
Owners are able to create GPOs. In most cases, you will want to delegate the
creation of GPOs without making users a member of Domain Admins.
• You can delegate permission to create GPOs in a domain by making users a
member of the Group Policy Creator Owners group. Also, you can delegate
this permission from within GPMC at the Group Policy Objects folder.
• By default, only members of Domain Admins, Enterprise Admins, and the
domain local Administrators can link GPOs with the domain or an OU. In
most cases, you will want to delegate the linking of GPOs without making
users a member of these groups.
• You can delegate permission to link GPOs to domains and OUs within the
GPMC at the domain or OU. This is useful to allow departmental
administrators to link GPOs to their own OU.
• By default, only members of the Domain Admins and Enterprise Admins can
edit, delete, and modify security on a GPO. However, you can delegate these
permissions for specific GPOs. This can be useful for a departmental
administrator to be given the ability to manage the GPOs relevant to OUs for
his department.
• You can delegate permission to use Group Policy Modeling and Group Policy
Results for individual OUs or the domain in GPMC. This is useful for
performing troubleshooting by using an account with lower permissions than
an administrative account. By using an account with lower permissions for
troubleshooting, you avoid the risk of accidentally modifying a GPO.
• In addition to using GPMC, you can also delegate permissions for managing
GPOs by using Active Directory Users and Computers. However, using GPMC
simplifies the process.

For more information about delegating management of GPOs, see Delegating
Group Policy on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkId=99467.
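Two of the points made in this lesson combine into one check: the reuse topic warns that a GPO linked in several places can be changed by a departmental administrator who thinks he is editing one OU, and the delegation topic lists who can edit a GPO by default. The script below is an added example, not course material, using the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 and the Windows 7 Remote Server Administration Tools or later, PowerShell 3.0 or later). It reports, for every GPO, how many places it is linked and which principals beyond the default ones hold edit rights, so widely linked GPOs with delegated editors surface first. The commented lines show the delegation actions themselves. The group and GPO names are placeholders, and the function name is my own.

```powershell
# Added example, not from the course. Group and GPO names are placeholders;
# the function name is my own.
Import-Module GroupPolicy

# Trustees that hold edit rights on every GPO by default. Anything else with
# an edit-level permission is a delegation that should be on record. The
# account that created a GPO also appears with edit rights; review it too.
$defaultEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-GpoDelegationReport {
    foreach ($gpo in Get-GPO -All) {
        # LinksTo in the XML report lists every container the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })

        # Get-GPPermission -All lists every trustee on the GPO's ACL. GpoCustom
        # means an ACE GPMC cannot classify, which also deserves a look.
        $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
        $editors = @(Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $editLevels -contains $_.Permission -and -not $_.Denied } |
            ForEach-Object { "$($_.Trustee.Name) ($($_.Permission))" })

        $delegated = @($editors | Where-Object {
            $name = ($_ -split ' \(')[0]
            $defaultEditors -notcontains $name
        })

        [pscustomobject]@{
            Gpo              = $gpo.DisplayName
            LinkCount        = $links.Count
            LinkedTo         = $links -join '; '
            DelegatedEditors = $delegated -join ', '
        }
    }
}

$report = Get-GpoDelegationReport

# Highest exposure first: GPOs linked in more than one place that someone
# outside the default groups can edit.
$report | Where-Object { $_.LinkCount -gt 1 -and $_.DelegatedEditors } |
    Sort-Object LinkCount -Descending |
    Format-Table Gpo, LinkCount, LinkedTo, DelegatedEditors -AutoSize -Wrap

# Delegating edit rights on one departmental GPO (the GPMC Delegation tab):
# Set-GPPermission -Name 'Manufacturing Desktop' -TargetName 'Manufacturing GPO Admins' `
#     -TargetType Group -PermissionLevel GpoEdit

# Delegating GPO creation without Domain Admins membership, via the group the
# course names (ActiveDirectory module):
# Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'Manufacturing GPO Admins'

# Delegating the right to link GPOs to an OU is done on the OU (GPMC Delegation
# tab of the OU), not on a GPO, so it does not appear in this report.
```

A GPO with LinkCount greater than 1 and a non-empty DelegatedEditors column is the case the reuse topic warns about; the remedy is either to remove the delegation and give the department its own GPO for the unique settings, or to keep the shared GPO under central control as the text recommends.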
Discussion: Managing Group Policy

Key Points

Question: Who is responsible for managing group policy in your organization?

Question: Does your organization back up GPOs?

Question: Does your organization have a need to standardize GPOs by using
starter policies?
Lesson 4
Planning the Management of Client Computers

Centralized management of client computers is a requirement in all but the
smallest computer networks. Group policy is one way that client computers can be
managed. You can use group policy to configure the user environment, distribute
applications, run logon scripts, and redirect folders. Each of these should be
planned carefully to ensure that they function as expected.
Objectives
After completing this lesson, you will be able to:
• Describe why client computers need to be managed.
• Describe the methods for managing client computers.
• Describe the considerations for using group policy preferences.
• Use group policy preferences.
• Describe the considerations for deploying software by using group policy
objects.
• Describe the considerations for using logon scripts.
• Describe the considerations for using folder redirection.
Why Manage Client Computers?

Key Points
Many network administrators consider servers to be the most important part of the
network. They are high-profile computers because many users are affected when
they do not function properly. However, client computers are just as important as
server computers. Each user on a network is working with a client computer and a
poorly configured client computer affects the productivity of that user.
Managing client computers includes:
Distributing applications. Installing applications on client computers is a
time-consuming process when performed manually on each computer. Even if
applications are included in an image used during initial configuration,
application updates still need to be applied. Applications and updates should
be installed by using an automated method. Using an automated method to
install applications and updates saves time and money for the organization.
Enforcing security settings. Manually configuring security settings on each
client computer is a time-consuming and error-prone process. To prevent users
from circumventing security guidelines, the users should not have control over
the security settings. The enforcement of security settings should be
automated to ensure that it is performed consistently.
Enforcing application settings. Some applications can affect the security of
your organization. There are a number of Internet Explorer settings such as
ActiveX Control settings that can make a computer less vulnerable to attack
when configured properly. Other configuration options such as the location of
a database server are important to ensure that applications are functional for
users. The ability to configure these settings centrally results in more reliable
performance for users and greater productivity.
Standardizing the user environment. In addition to technical considerations,
it is useful to standardize the user environment simply to make it consistent
from one computer to the next. This can include standardized desktop
configuration, standardized applications, and standardized drive letter
mappings to network shares. Standardizing the user environment makes it
easier for users to move from one computer to another and remain productive.
It also makes it easier to perform troubleshooting and provide help desk
support.
Methods for Managing Client Computers

Key Points
Group policy is one of the easiest and most inexpensive methods you can use for
managing client computers. It can be used to perform software distribution,
enforce security settings, enforce application settings, and standardize the user
environment.
To manage client computers, you can use:
Group policy settings. Group policy settings include software distribution,
security settings, and administrative templates. The software distribution can
be used to distribute applications, application updates, and operating system
updates. The security settings control a wide variety of operating system
settings such as which users are allowed to perform Remote Desktop
operations and whether digital signing is required for network
communication. The administrative templates let you configure a wide variety
of settings for Windows components. Also, administrative templates can be
customized to deliver registry settings that control applications. Some vendors
provide administrative templates for their applications.
Group Policy settings modify registry keys that standard user accounts are not
able to modify and are enforced. Group Policy settings are available for
Windows 2000 and newer operating systems.
Group policy preferences. Group policy preferences enable you to configure,
deploy, and manage operating system and application settings that were not
manageable using group policy. Examples include mapped drives, scheduled
tasks, and Start menu settings.
Scripts. By using a script, you can configure almost any aspect of an operating
system or application. The most common use of scripts is to map drive letters.
You can specify a logon script in the properties of each user account.
Group policy scripts. By using Group policy, you can run scripts that apply to
computer or user accounts. For computer accounts, there are startup and
shutdown scripts. For user accounts, there are logon and logoff scripts.
Windows Server Update Services (WSUS). WSUS is a solution from
Microsoft for applying updates to operating systems and application software.
Updates are downloaded from Microsoft Update and stored on the WSUS
server. Updates are only applied to clients and servers after they have been
approved.
System Center Configuration Manager (SCCM). SCCM is a solution for
configuration management, software distribution, and applying software
updates. SCCM can also be used for operating system deployment and asset
management.
Considerations for Using Group Policy Preferences

Key Points
Considerations for using group policy preferences include:
You can use both group policy settings and group policy preferences. There is
no conflict between group policy settings and group policy preferences. The
settings in group policy preferences are not available in group policy settings.
Preference settings are not enforced and can be modified by the user. You
should not consider preferences as a security enforcement mechanism.
Application of group policy preferences is supported for Windows XP with
SP2, Windows Vista, Windows Server 2003 with SP1, and Windows Server
2008. If you have Windows 2000 clients, you must use another mechanism to
standardize the user environment.
Use the Data Sources node to easily add or modify ODBC data sources for
applications. This is useful during application deployment or when a Microsoft
SQL Server database has been moved to a new server.
Use the Drive Maps node as an alternative to mapping drive letters by using a
logon script. Writing a logon script is typically more complex than configuring
group policy preferences.
Use the Start Menu and Shortcuts node to standardize the ways of starting
applications. By standardizing the look of both the Start menu and Desktop
shortcuts, users will be able to easily move from one computer to another.
Also, it will be easier for the help desk to provide documentation.
Use the Internet Settings node to standardize the configuration of Internet
Explorer. This includes defining a home page, managing trusted sites, and
other options available in Internet Options.
Use targeting to determine which users and computers a preference item will
apply to. This allows you to simplify group policy application and have a single
GPO with many preference settings. The application of each preference item in
the GPO can be controlled individually. This avoids the need to use security or
WMI filtering GPO objects to implement group policy preferences.
Demonstration: Using Group Policy Preferences

To configure group policy preferences:
1. Open the Group Policy Management Console.
2. Create a new GPO.
3. Configure the User or Computer Preferences in the GPO.
4. Link the GPO to the appropriate OU.
Considerations for Deploying Software by Using
Group Policy

Key Points
The considerations for software deployment by using group policy include the
following:
To place an application shortcut in the Start Menu, assign the application to a
computer or user. An application assigned to a computer will be available to all
users. An application assigned to a user will be available only for that user.
To allow users to access an application quickly on first use, assign the
application to the computer. Assigning an application to a computer installs
the application in the background on computer startup. Then when the user
accesses the application for the first time, it is already installed.
To limit disk space usage, assign applications to users or publish applications
to users. When an application is assigned or published to a user, the
application is not installed until first use or until installation is selected from
Control Panel.
To install applications when required to view a document, enable document
activation for published applications. Assigned applications are always
installed as required to view documents based on the file extension of the
document.
To enable software distribution over a wide area network (WAN), use
Distributed File System (DFS) to replicate the installation files. Users will
automatically install the application from the closest replica of the files.
Restrict user permissions to the software installation files. Users require only
read access to the installation files. Allowing greater permissions may result in
installation files being accidentally deleted or infected with viruses.
Use categories to organize applications. When you publish applications, users
can install them from a list. Assigning the applications to categories organizes
the list and makes it easier for users to find the application they are looking
for.
Create transform (MST) files to customize the installation of applications. A
transform file is created by using an MSI editor. By including an MST file as
part of an application package, you can create a silent installation and modify
various installation options. The exact options that you can modify are
application dependent.
Use mandatory upgrades to keep consistent versions of applications in your
organization. Having consistent versions of applications simplifies support.
Use forced removal to remove applications from computers. This is useful
when the license for software is no longer valid or has been moved to a
different computer. An optional removal prevents new software installation,
but does not remove the software from computers where it is already installed.

For best practices on the use of group policy for software installation, see
Best Practices for Group Policy Software Installation on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkId=99486.
Considerations for Using Scripts

Key Points
A script for managing client computers can be written in any scripting language
supported by the client computer. The two most common languages for scripts are
batch files and Microsoft Visual Basic scripts. By using a script, you can configure
almost any aspect of an operating system or application.
You can specify a logon script in the properties of each user account. By using
group policy, you can run scripts that apply to computer or user accounts. For
computer accounts, there are startup and shutdown scripts. For user accounts,
there are logon and logoff scripts.
Considerations for using scripts:
Logon scripts are the most commonly used type of script. The most common
use of logon scripts is to map drive letters. If your environment supports the
use of group policy preferences, you may no longer need logon scripts.
Specifying the logon script in the properties of each user account is awkward
because it must be done for each account. It is simpler to use logon scripts in
group policy.
Startup and shutdown scripts can be used to perform computer-specific
operations. For example, in a teaching classroom, a shutdown script could be
used to delete user profiles or temporary files.
Scripts can be stored in any network-accessible location. However, for logon
scripts specified in the properties of each user account, the preferred location
is the NETLOGON share. For group policy scripts, the preferred location is the
SYSVOL share. Both the NETLOGON and SYSVOL share are automatically
replicated between domain controllers. Replication between domain
controllers avoids the need to manually update logon scripts in multiple
locations and provides a backup in case a domain controller fails.
Considerations for Using Folder Redirection

Key Points
The considerations for using folder redirection include:
You can redirect folders in addition to the My Documents folder (which
includes My Pictures). In Windows XP and Windows Vista, you can also
redirect the Application Data, Desktop, and Start Menu folders. In Windows
Vista only, you can also redirect Contacts, Downloads, Favorites, Searches,
Links, Music, Video, Saved Games, and Pictures.
Folder redirection makes it possible to back up user data without backing up
client computers. For example, many applications store configuration data and
templates in Application Data. If this folder is redirected to a network server,
then it can be backed up on the server without backing up the client
computer.
Folder redirection reduces the size of user profiles. When roaming user
profiles are used to allow users to move between computers and retain their
settings, a common problem is large profiles resulting in extended logon
and logoff times. One of the primary reasons for this is files stored in My
Documents. When folders are redirected to a server, the files in those folders
are not downloaded with the roaming user profile.
If you want My Documents to be private storage space, redirect My Documents
to the user home folder. This provides easy access to the user home folder and
prevents most users from storing files locally.
If you want My Documents to be shared storage space, redirect My Documents
to a departmental share. This provides easy access to the department share
and prevents most users from storing files locally.
Allow folder redirection to automatically configure the necessary permissions
when creating a folder for each user under the root path. This will ensure that
the correct NTFS permissions are configured. However, the share and share
permissions need to be configured manually first.
When there is an interruption in network services, users with folder
redirection will experience problems. To mitigate this, use offline files in
conjunction with folder redirection. This ensures that users have access to files
during network interruptions. Remember to enable the Offline Files option to
synchronize all offline files before logging off.
It is a best practice to control what appears on the Start menu by using group
policy rather than by redirecting the Start Menu. Group policy preferences
control what is in the Start Menu.
It is possible to use Encrypting File System in conjunction with folder
redirection. However, to make this possible, the server must be trusted for
delegation. Also, files will not be encrypted while in transit over the network.
Lab: Planning for Group Policy

Note: Your instructor may run this lab as a class discussion.

A. Datum has never implemented group policy other than for basic password
configuration in the domain using the default GPOs. After attending a recent
seminar, the IT manager wants to use group policy more effectively for the
organization.

Exercise 1: Creating a Group Policy Plan


Scenario
You have been tasked with creating a plan for implementing group policy. Your IT
manager has provided you with a list of requirements that must be met by your
plan.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create an OU structure.
3. Create a list of required GPOs.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 21 July 2009 17:30
To: Gregory@adatum.com
Subject: group policy implementation
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning our implementation of group policy. At this time, we have only the
default GPOs in place for the domain and domain controllers.
Here are some of the requirements that have come up that I believe can be
addressed best by using group policy:
Read and write access to removable drives should be blocked for all office
computers, including servers. Since we've upgraded all of the computers to
Windows Vista and Windows Server 2008, this should be no problem. We
must ensure that another GPO does not override this setting.
Due to the creation of the three new branch offices, we are hiring a new person
to manage those offices. We'd like the new person to be able to manage group
policy for those remote offices, but not the head office.
I'd like to start using group policy preferences for drive mappings, rather than
logon scripts. We want the drive letters to be consistent in each location, but
the server names will vary in each location.
Application installation and updates for the branches will be done by using
group policy. In the branch offices, the sales staff and office staff will have
different applications. We need to be able to roll applications out one location
at a time during initial deployment. However, later updates can be done for all
branches at once. Application installation files should be stored in DFS and
replicated to each branch.
The computer training lab in the head office should not be subject to the
restriction on removable drives. We'll be using USB drives to configure these
computers for various courses.
The user desktops on the Terminal Server running Windows Server 2003 need
to be locked down. The Desktop and Start Menu should be simplified to
display only the application that users have access to. All users should have the
same configuration when logged on to the Terminal Server regardless of the
OU they are located in.

At minimum, I need you to figure out how these can be implemented. As part of
your plan, please create an OU structure and define where each group policy will
be linked.
Let me know if you require any clarification.
Regards,
Allison
Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. On SEA-DC1, use Active Directory Users and Computers to review the existing
Active Directory structure.
3. Use the Group Policy Management Console to review the existing Active
Directory configuration.

Task 2: Create an OU structure
Draw a diagram of an OU structure that will allow you to meet the
requirements given to you by Allison.
Task 3: Create a list of required GPOs
Create a list of GPOs required to implement the requirements given to you by
Allison.

GPO Name            Settings            Linked to           Filters
--------            --------            ---------           -------

Results: After this exercise, you should have a completed group policy plan for
A. Datum.
Exercise 2: Implementing Group Policy
Scenario
After completing the group policy plan, you must now implement it.
The main tasks for this exercise are as follows:
1. Start the virtual machine and log on.
2. Create the OU structure.
3. Create the GPO for enforced security.
4. Create the GPO for Branch 1 preferences.
5. Create the GPOs for applications.
6. Create the GPO for Terminal Servers.
7. Verify application of policies for Branch1 sales staff.
8. Verify application of policies for Branch1 sales staff on the Terminal Server.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create the OU structure


1. On SEA-DC1, open Active Directory Users and Computers.
2. Create an organizational unit named Head Office in the root of the
Adatum.com domain.
3. Create an organizational unit named Branches in the root of the Adatum.com
domain.
4. Create an organizational unit named Branch1 in the Branches OU.
5. Create an organizational unit named Branch2 in the Branches OU.
6. Create an organizational unit named Branch3 in the Branches OU.
7. Create an organizational unit named Terminal Servers in the root of the
Adatum.com domain.

Task 3: Create the GPO for enforced security


1. Use Active Directory Users and Computers to create a new global security
group in the Head Office OU.
Group name: Lab Computers
2. Use Active Directory Users and Computers to create a new computer
account in the Head Office OU.
Computer name: Lab1
3. Add Lab1 as a member of the Lab Computers group.
4. Use Group Policy Management to create the enforced security GPO.
Name: Enforce Security
Computer Configuration\Policies\Administrative
Templates\System\Removable Storage Access\Removable Disks: Deny
read access, Enabled
Computer Configuration\Policies\Administrative
Templates\System\Removable Storage Access\Removable Disks: Deny
write access, Enabled
Linked to Adatum.com
5. On the Enforce Security link to Adatum.com, make the policy Enforced.
6. On the Delegation tab of Enforce Security, use the Advanced button to
Deny Read permission for the Lab Computers group.
Task 4: Create the GPO for Branch1 preferences
1. Use Group Policy Management to create a new GPO in the Group Policy
Objects container.
Name: Branch1 Preferences
User Configuration\Preferences\Windows Settings\Drive Maps: Map
drive letter S to \\Branch1Srv\Shared.
2. Link Branch1 Preferences to the Branch1 OU.

Task 5: Create the GPOs for applications


1. Use Active Directory Users And Computers to create a new global security
group in the Branches OU.
Group name: Sales Staff
2. Use Active Directory Users And Computers to create a new global security
group in the Branches OU.
Group name: Office Staff
3. Use Group Policy Management to create a new GPO in the Group Policy
Objects container.
Name: Sales Applications
4. Use Group Policy Management to create a new GPO in the Group Policy
Objects container.
Name: Office Applications
5. Configure security filtering for the Sales Applications GPO on the Scope tab:
Remove the Authenticated Users group from the Security Filtering area.
Add the Sales Staff group to the Security Filtering area.
6. Configure security filtering for the Office Applications GPO on the Scope tab:
Remove the Authenticated Users group from the Security Filtering area.
Add the Office Staff group to the Security Filtering area.
7. Link the Sales Applications GPO to the Branch1 OU.
8. Link the Office Applications GPO to the Branch1 OU.
Task 6: Create the GPO for Terminal Servers
Use Group Policy Management to create a new GPO that is linked to the
Terminal Servers OU.
Name: TS Lockdown
Computer Configuration\Policies\Administrative Templates\System\Group
Policy\User Group Policy loopback processing mode, Enabled, Replace mode
User Configuration\Policies\Administrative Templates\Start Menu
and Taskbar\Remove and prevent access to the Shut Down, Restart,
Sleep, and Hibernate commands, Enabled
User Configuration\Policies\Administrative Templates\Start Menu
and Taskbar\Remove Run menu from Start Menu, Enabled
User Configuration\Policies\Administrative Templates\Start Menu
and Taskbar\Add Logoff to the Start Menu, Enabled

Task 7: Verify application of policies for Branch1 sales staff


1. Use Group Policy Management to model the application of policies for
Branch1 sales staff.
Use any domain controller
User container: Branch1
Computer container: Branch1
Advanced Simulation Options: none
User Security Groups: add the Sales Staff group
Skip to the final page after entering the User Security Groups information
2. Review the applied and denied GPOs for the computer.
3. Review the applied and denied GPOs for the user.
Task 8: Verify application of policies for Branch1 sales staff on the
Terminal Server
1. Use Group Policy Management to model the application of policies for
Branch1 sales staff.
Use any domain controller
User container: Branch1
Computer container: Terminal Servers
Advanced Simulation Options: Loopback processing, Replace
User Security Groups: add the Sales Staff group
Skip to the final page after entering the User Security Groups information
2. Review the applied and denied GPOs for the computer.
3. Review the applied and denied GPOs for the user.

Results: After this exercise, you should have successfully implemented group policy.
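As an added example, not part of the course lab, the following PowerShell script carries out Tasks 2, 3, 5 and 6 of this exercise with the ActiveDirectory and GroupPolicy modules, which ship with Windows Server 2008 R2 and later RSAT rather than with Windows Server 2008. The domain name Adatum.com and the OU, group and GPO names are the lab's; the registry paths are assumed to be the ones written by the named Administrative Template settings and should be checked against each setting's Explain text before use outside a lab.

```powershell
# Added example (not from the course): scripted version of Exercise 2, Tasks 2, 3, 5, 6.
# Assumes: domain Adatum.com, run as a Domain Admin on a DC or RSAT workstation with the
# ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 / RSAT or later).
# Registry paths are the assumed backing values of the named ADMX settings.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain -Identity 'Adatum.com').DistinguishedName

# Task 2: OU structure
New-ADOrganizationalUnit -Name 'Head Office'      -Path $domainDN
New-ADOrganizationalUnit -Name 'Branches'         -Path $domainDN
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDN
'Branch1', 'Branch2', 'Branch3' | ForEach-Object {
    New-ADOrganizationalUnit -Name $_ -Path "OU=Branches,$domainDN"
}

# Task 3: removable-storage restriction, linked to the domain and Enforced so
# that no lower-level GPO can override it (Allison's first requirement).
New-ADGroup -Name 'Lab Computers' -GroupScope Global -GroupCategory Security `
    -Path "OU=Head Office,$domainDN"
New-ADComputer -Name 'Lab1' -Path "OU=Head Office,$domainDN"
Add-ADGroupMember -Identity 'Lab Computers' -Members (Get-ADComputer -Identity 'Lab1')

# Removable Disks class key under the Removable Storage Access policy (assumed path)
$removable = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-GPO -Name 'Enforce Security' | Out-Null
Set-GPRegistryValue -Name 'Enforce Security' -Key $removable -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'Enforce Security' -Key $removable -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
New-GPLink -Name 'Enforce Security' -Target $domainDN -Enforced Yes | Out-Null
# The GroupPolicy module manages Allow permissions only. The Deny Read ACE that
# exempts the Lab Computers group (Task 3, step 6) is still set in GPMC via
# Delegation > Advanced, as the lab describes.

# Task 4 (Drive Maps preference) has no cmdlet in this module; it stays a GPMC step.

# Task 5: one application GPO per role, security-filtered to the role group,
# both linked to Branch1 so the rollout can later be repeated branch by branch.
foreach ($role in @(@{ Group = 'Sales Staff';  Gpo = 'Sales Applications'  },
                    @{ Group = 'Office Staff'; Gpo = 'Office Applications' })) {
    New-ADGroup -Name $role.Group -GroupScope Global -GroupCategory Security `
        -Path "OU=Branches,$domainDN"
    New-GPO -Name $role.Gpo | Out-Null
    # Replace the default Authenticated Users "Apply" with the role group only
    Set-GPPermission -Name $role.Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $role.Gpo -TargetName $role.Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    New-GPLink -Name $role.Gpo -Target "OU=Branch1,OU=Branches,$domainDN" | Out-Null
}

# Task 6: Terminal Server lockdown. Loopback in Replace mode (UserPolicyMode = 2;
# 1 would be Merge) makes the user settings below apply to every user who logs
# on to a computer in the Terminal Servers OU, regardless of the user's OU.
New-GPO -Name 'TS Lockdown' | Out-Null
Set-GPRegistryValue -Name 'TS Lockdown' -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name 'TS Lockdown' -Key $explorer -ValueName 'NoClose'         -Type DWord -Value 1 | Out-Null  # no Shut Down/Restart/Sleep/Hibernate
Set-GPRegistryValue -Name 'TS Lockdown' -Key $explorer -ValueName 'NoRun'           -Type DWord -Value 1 | Out-Null  # remove Run from Start Menu
Set-GPRegistryValue -Name 'TS Lockdown' -Key $explorer -ValueName 'StartMenuLogOff' -Type DWord -Value 1 | Out-Null  # add Logoff to Start Menu
New-GPLink -Name 'TS Lockdown' -Target "OU=Terminal Servers,$domainDN" | Out-Null

# Tasks 7 and 8 use Group Policy Modeling in GPMC. The effective link order that
# Modeling will evaluate for Branch1 can be listed from the shell; Enforce
# Security should appear with Enforced = True ahead of the Branch1 links.
Get-GPInheritance -Target "OU=Branch1,OU=Branches,$domainDN" |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table DisplayName, Enforced, Enabled, Target -AutoSize
```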

To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. What are some of the ways you can speed up group policy processing?

2. How can you modify how group policy is processed and applied?

3. Is it possible to delegate group policy management for just an OU?


Common Issues Related to a Particular Technology Area in the Module
Identify the causes for the following common issues related to a particular
technology area in the module and fill in the troubleshooting tips. For answers,
refer to relevant lessons in the module.

Issue: A GPO is not being applied after creation.
Troubleshooting tip: Run GPUpdate.exe on the client to force GPOs to be
updated. This avoids the potential 90-minute refresh interval on non-domain
controllers.

Issue: Group policy is not applying as expected.
Troubleshooting tip: Use Group Policy Results in Group Policy Management to
view the GPOs that are being applied.

Issue: You are unsure how changes will affect group policy application.
Troubleshooting tip: Use Group Policy Modeling in Group Policy Management to
view the results of potential changes to network speed, loopback processing,
site, security group membership, and WMI filters.

Real-World Issues and Scenarios


1. You have configured a kiosk with an application for controlling manufacturing
equipment. You would like all users on the kiosk to have the same
configuration regardless of the organizational unit that their user object resides
in. How will you accomplish this?

2. In the past, you have created customized ADM templates and they were
automatically included with the GPO on SYSVOL. This allowed the GPO to be
properly edited from any location. You have now created a customized ADMX
template and realize that it is stored locally. Others will not be able to edit the
GPO. How can you resolve this?

3. Your organization has no formal plan in place for backing up GPOs. Only a
full backup, including system state, is being performed each day. How can you
improve this?
Best Practices Related to a Particular Technology Area in This Module
Supplement or modify the following best practices for your own work situations:
Use group policy to manage settings on computers rather than manually
configuring each computer.
Disable unnecessary parts of GPOs to increase processing speed.
Plan your Active Directory OU structure with group policy in mind.
Use security filtering and WMI filtering for more flexible GPO application.
Use loopback processing for special use computers such as kiosks and
Terminal Servers.
Use starter GPOs to simplify the creation of new GPOs with similar settings.
Back up GPOs before modifying them.
Delegate the management of GPOs to OU administrators that are affected by
them. For example, delegate the management of GPOs for a region to an
administrator for that region. This can include linking and modifying the
GPOs.
Redirect folders to a server to simplify recovery if a client computer fails.

Tools

Tool: Group Policy Management
Use for: Creating and managing GPOs
Where to find it: Administrative Tools

Tool: GPResult.exe
Use for: Troubleshooting GPO application
Where to find it: C:\Windows\System32

Tool: ADMX Migrator
Use for: Converts customized ADM templates to ADMX templates
Where to find it: http://go.microsoft.com/fwlink/?LinkID=164211&clcid=0x409

Tool: BackupAllGPOs.wsf
Use for: Script that can be used to create scheduled backups of GPOs
Where to find it: C:\Program Files\GPMC\Scripts
Module 5
Planning Application Servers
Contents:
Lesson 1: Overview of Application Servers 5-3
Lesson 2: Supporting Web-Based Applications 5-17
Lesson 3: Supporting SQL Server Databases 5-30
Lesson 4: Deploying Client Applications 5-48
Lesson 5: Planning Terminal Services 5-55
Lab: Planning Application Servers 5-64
Module Overview

This module focuses on the support that Windows Server 2008 provides for
Application Servers. When supporting an application server, you first need to
understand the characteristics of the application, whether it is Web-based or
traditional. Microsoft SQL Server databases have unique support requirements
that are very different from infrastructure servers. Finally, part of planning
application servers is determining how remote users will access applications.
Terminal Services is an excellent method for providing remote access to
applications for roaming users and remote offices.
Objectives
After completing this module, you will be able to:
Describe application servers.
Plan support for Web-based applications.
Plan support for SQL Server databases.
Plan the deployment of client applications.
Plan the implementation of Terminal Services.
Lesson 1
Overview of Application Servers

An application server is a computer that is dedicated to running network-aware
application software. Examples of such software include SQL Server, Microsoft
Exchange Server, Internet Information Services (IIS), and Terminal Services. The
design of network-aware application software can be Web-based, or it may have a
client-server architecture. The system requirements of each application, including
its architecture, must be considered when configuring the computers that will host
them.
Windows Server 2008 includes features to support the application server role,
regardless of whether the application to be hosted has a Web-based or a
client-server type of architecture.
Objectives
After completing this lesson, you will be able to:
Describe an application server.
Describe the types of authentication for traditional applications.
Describe the considerations for supporting traditional applications.
Describe the considerations for Web-based applications.
Describe Windows Server 2008 features and roles that support application
servers.
Describe considerations for maintaining application servers.
What Is an Application Server?

Key Points
When computer networks became a common part of corporate environments, they
were initially used primarily for file sharing and printing. File sharing allowed
organizations to more easily control access to files and back them up. Shared
printing allowed many users to share a single printer and save on printing costs.
After file sharing and shared printing were common, application servers began to
be added to networks.
An application server is a server that runs user applications. Application
servers have more intensive processing and memory requirements than file and
print servers because they perform more complex tasks. Some examples of
application servers are Web servers and e-mail servers.
The applications that run on application servers are typically divided into two
categories:
Traditional applications. A traditional application may also be called a
client-server application. Part of the application runs on a client computer and
part of the application runs on a server. Typically, the client (front end) application
serves as an end-user interface for processing requests sent to and receiving
responses from the server (back end). The bulk of data is stored on the server.
In some cases, the server portion of the application is just a SQL Server
database that all client computers communicate with. In other cases, there is a
middle tier with application logic that the client computers communicate with
and the middle tier communicates with a SQL Server database.
Web-based applications. A Web-based application uses a Web browser to
provide the user interface. The application logic is then performed on a Web
server and data is stored in a SQL Server database.

Types of Authentication for Traditional Applications

Key Points
The authentication method used by a traditional application is determined by the
application developer. However, sometimes an application will provide several
options that an administrator can choose from when installing the application.
Some of the most common options for authentication are:
Active Directory. Some applications are able to communicate with Active
Directory directory services for authentication. This allows you to use the
existing user objects to assign permissions within the application.
LDAP. Lightweight Directory Access Protocol (LDAP) can be used to access
information in a variety of directories, including Active Directory Domain
Services (AD DS) and Active Directory Lightweight Directory Services
(AD LDS). This option also allows you to use the existing user objects to
assign permissions within the application.
Internal. Some applications require user accounts to be generated within the
application. These user accounts are not linked with Active Directory user
accounts and must be managed separately. This means that users will have
one set of credentials when authenticating to Active Directory and another set
of credentials when logging on to the application.

Considerations for Supporting Traditional Applications

Key Points
Some of the considerations for supporting traditional applications are:
Active Directory or LDAP authentication simplifies user logons. Either of
these authentication options allows users to log on using a single set of
credentials. This also simplifies user management.
Client software for traditional applications may be difficult to update. In
most cases, when you update the client software for a traditional application,
you must update the software on all client computers at the same time. This
may be a requirement to prevent older client software from corrupting data
used by the new client software. If you are unable to update all client software
in a timely way, some users may not be able to access the application for
several hours or even days.
Traditional applications are difficult to regulate through firewalls. Many
traditional applications use remote procedure calls (RPC) for communication.
RPC uses dynamically assigned port numbers for communication and is therefore
difficult to control by using network firewalls. Host-based firewalls, such as
Windows Firewall, can control communication based on the process that generates
it, so this is not a problem for them.
Traditional applications are difficult to access over the Internet. Most
traditional applications are designed to use RPC, which is difficult to allow
through the firewalls between a corporate network and the Internet. Also, most
traditional applications are designed for local area networks (LANs) and
generate large amounts of network communication. You can operate
traditional applications over a virtual private network (VPN) connection to
accommodate RPC through a network firewall, but the application
performance is typically poor.

Note: When running a traditional application over the Internet, performance may be
slow even if only small amounts of data are transferred. Frequent communication
combined with high latency will result in slow performance.

Many traditional applications require NetBIOS name resolution. If a
traditional application requires NetBIOS name resolution, you may need to
maintain WINS servers or LMHOSTS files. This is an additional administrative
load.

Considerations for Web-Based Applications

Key Points
Web-based applications use a Web browser on client computers instead of
application software. The Web browser on the client is responsible only for
formatting and displaying processed data on the client computer. The Web server
sends all of the necessary data to the client. All of the application logic is
maintained in software executed on a Web server instead. The software on the
Web server typically communicates with a SQL Server database back-end for data
storage.
Some considerations for Web-based applications are:
Web-based applications are well suited for use over the Internet and by remote
locations. The amount of data passed between the Web server and the client is
relatively small when compared to traditional applications. All of the data
processing is performed before the information to display is transferred to the
Web browser on the client.
Web-based applications require no additional infrastructure on most
networks. Unlike traditional applications, which may require older
infrastructure, such as NetBIOS name resolution, Web-based applications use
standard infrastructure already available on corporate networks such as
Domain Name System (DNS) name resolution and TCP/IP.
Web-based applications are easier to update than traditional applications.
When you update a Web-based application, it is done on the Web server.
Therefore, you update the application for all users in a single step. This can be
more complex if there are multiple Web servers in use as part of the
application.

Windows Server 2008 Features and Roles That Support
Application Servers

Key Points
Windows Server 2008 has a number of features and roles that support the use of
Windows Server 2008 as an application server. The requirements vary depending
on the application. Individual application servers may require none or all of these
features and roles. Most applications will include the requirements in the
installation documentation.
.NET Framework 3.0 features. The Microsoft .NET Framework is used by
applications to access operating system services through application
programming interfaces (APIs). Version 3.0 includes the APIs necessary to
support the .NET Framework 2.0 applications and additional elements. This
means that a computer with the .NET Framework 3.0 installed can run
applications built for the .NET Framework 2.0 or the .NET Framework 3.0.
Earlier versions of the .NET Framework can be downloaded from the
Microsoft Web site if required and run in parallel with the .NET Framework
3.0.
Desktop Experience feature. This feature contains applications and features
that are typically used by users on desktop computers such as desktop themes
and Windows Media Player. In some cases server applications will require
these components. For example, a streaming media encoder application may
require the installation of Windows Media Player.
Windows PowerShell feature. This feature provides a command shell that can
be used for scripting. Some server applications can be managed by using
Windows PowerShell. For example, Microsoft Exchange Server 2007
includes the Exchange Management Shell, which is used to administer
Exchange Server 2007.
Application Server role. This role is used to select the necessary features for
supporting applications built with the .NET Framework 3.0. The .NET
Framework 3.0 is installed as part of this role. You also have the option to
install the Web Server, COM+ Network Access, Windows Process Activation
Services, TCP Port Sharing, and Distributed Transactions.
Web Server (IIS) role. This role is used to provide support for basic Web sites
or Web-based applications. Various role services, such as authentication
options, can be configured during the installation process. The Web server
installed is IIS version 7. However, there are backward compatibility tools for
IIS version 6 that can be installed and are required for some applications.
Windows SharePoint Services 3.0. Windows SharePoint Services (WSS) can
be downloaded from the Microsoft Web site and installed on Windows Server
2008. WSS is a platform for creating collaborative Web sites, managing
documents, and managing events.

Considerations for Maintaining Application Servers

Key Points
The maintenance of application servers is different than the maintenance of
infrastructure servers. Infrastructure services like Active Directory or DNS are
designed to be highly available. When one domain controller is down, clients and
applications automatically direct their Active Directory requests to other functional
domain controllers. Application servers may not have this type of redundancy.
Considerations for maintaining application servers include:
Define a maintenance window for each application server. A maintenance
window is a regularly scheduled time when users do not expect the application
server to be functional. During this time you can perform system updates or
other maintenance tasks. The maintenance window is scheduled at a time
when user activity would normally be minimal, such as late at night. If unusual
maintenance needs to be performed outside of that window, it must be
negotiated with the users of the application server.
Understand the business impact of an application server. Knowing how your
organization uses an application server, rather than just the technical details,
allows you to recommend improvements for the application server to meet
those needs. For example, a critical application may benefit from the
implementation of high availability by using failover clustering or network
load balancing.
Enhance the availability of an application server by carefully planning updates
and version upgrades. An application server typically has a direct business
impact when it is not available. To avoid downtime, all updates should be
tested in a lab environment before being applied to the live server. Then, even
if testing was successful, you should have a rollback plan during the actual
update in case something goes wrong.
Understand the ramifications before implementing system changes. Many
server administrators understand the details of exactly how changes to
network infrastructure will affect their systems. However, an application may
only be understood in depth by the vendor that created the application. To
mitigate the risk of adverse effects, you should carefully read product
documentation or consult the vendor. You should also follow the change
management process of your organization to reduce the likelihood of
unexpected impacts.

Lesson 2
Supporting Web-Based Applications

Web-based applications are well suited for remote offices and even users over the
Internet. However, when you configure Web-based applications, you need to
consider how users are authenticated and whether Secure Sockets Layer (SSL) will
be used to secure communication. If SSL is used to secure communication, you
need to determine from where you will obtain the SSL certificate and how it will be
configured. IIS provides applications and application pools to control how Web-
based applications are processed on the server.

Objectives
After completing this lesson, you will be able to:
Describe the considerations for authenticating to Web-based applications.
Describe SSL.
Describe the considerations for selecting an SSL certificate.
Describe the considerations for dynamic Web content.
Describe the considerations for IIS applications.
Describe how to configure IIS to support a Web-based application.

Authentication Considerations for Web-Based Applications

Key Points
When IIS is used as the Web server for a Web-based application, there are several
authentication options you can choose from. Which option you select will depend
on your scenario and the options supported by the application vendor.
Some authentication considerations for Web-based applications are:
Basic authentication is supported by all Web browsers and has no difficulty
traversing firewalls. However, it transmits credentials in clear text, which could
be viewed as they travel over the network or Internet. For this reason, basic
authentication is seldom used alone.
Basic authentication with SSL is the most commonly used authentication
method. SSL is used to encrypt the credentials while they are in transit
between the Web browser and Web server. This makes the authentication
process secure and compatible with all Web browsers and Web servers. When
SSL is used to secure authentication, it is also normally used to secure all other
application data while in transit.
Windows integrated authentication is useful for authenticating users on an
internal network. It allows the credentials from the workstation to be
automatically passed to the Web server without any user interaction. This
simplifies logons for users. However, in some cases, Internet firewalls can
prevent Windows integrated authentication from functioning properly, so it is
not well suited to authentication over the Internet. Credentials are
encrypted during transit. You will always be prompted for credentials unless
the Web site you are accessing is part of the local intranet zone in Microsoft
Internet Explorer. Some Web browsers do not support Windows integrated
authentication.

Web sites accessed by using a single label name are considered part of
the local intranet zone. For more information, see How to use security
zones in Internet Explorer on the Microsoft Help and Support Web site at
http://go.microsoft.com/fwlink/?LinkID=165683&clcid=0x409.

Digest authentication encrypts credentials similar to Windows integrated
authentication, but is based on an Internet standard for wider compatibility.
However, digest authentication is only available when using Windows Server
2008 Enterprise Edition. It is not commonly used.
Certificate authentication allows client computers to present a certificate for
authentication rather than a username and password. This is considered more
secure than a username and password because it is more difficult to re-create
or guess. However, when compared with a username and password, the
configuration process for certificates is more complex, and certificates are
therefore used for authentication only when a high level of security is
important.
Multi-factor authentication is used to enhance the security on public Web sites.
Users are required to enter a username and password and also have a physical
component to log on. One of the most common ways the physical component
is implemented is a small device with a number that changes every one or two
minutes. Users are required to enter the number along with their credentials to
log on. This is commonly implemented in cases where a high level of security
is required, such as banking Web sites.

What Is SSL?

Key Points
For Web-based applications, SSL is used to encrypt communication between a
Web browser and a Web server. The entire communication process between the
client and server is encrypted. This protects authentication credentials and
application data.
To enable SSL on a Web server, you must obtain a certificate for the Web server.
The public key and private key that are part of the certificate are used during the
communication process.
The SSL communication process is:
1. The client sends a request to the server by using HTTPS.
2. The server responds by providing the client with the public key of the server.
3. The client generates a symmetrical key for encryption.
4. The client encrypts the symmetrical key by using the public key of the server
and transmits the encrypted symmetrical key to the server.
5. The server decrypts the symmetrical key by using its private key.
6. The symmetrical key is then used by both client and server to encrypt and
decrypt data sent between them.

TLS (Transport Layer Security) is a newer security protocol that includes
SSL and is used for generic TCP/IP encryption, not just Web servers. It
functions approximately the same way. For more information, see
Introduction (SSL/TLS in Windows Server 2003) on the TechNet Web site
at http://go.microsoft.com/fwlink/?LinkID=165684&clcid=0x409.
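The six-step exchange above, simulated with the .NET cryptography classes as an added example (not part of the course text). The server key pair stands in for the public/private key carried by the server certificate, the request text is constructed, and only confidentiality is shown; real SSL/TLS also derives separate keys and adds integrity protection.

```powershell
# Added example, not from the course: simulation of the SSL key exchange
# described above. All names and sample data are constructed.

# Step 2 (server): the key pair whose public half is sent to the client.
# A real server loads this from the certificate in its machine store.
$serverRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$serverPublicKeyXml = $serverRsa.ToXmlString($false)   # $false = public key only

# Step 3 (client): generate a random symmetric key (and IV) for this session.
$clientAes = [System.Security.Cryptography.Aes]::Create()
$clientAes.KeySize = 256
$clientAes.GenerateKey()
$clientAes.GenerateIV()

# Step 4 (client): encrypt the symmetric key with the server's public key.
# Before this point a real client must validate the certificate chain and
# check that the subject name matches the URL; otherwise the session key is
# handed to whichever server answered the connection.
$clientRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$clientRsa.FromXmlString($serverPublicKeyXml)
$encryptedKey = $clientRsa.Encrypt($clientAes.Key, $true)   # $true = OAEP padding

# Step 5 (server): only the holder of the private key can recover the key.
$serverKey = $serverRsa.Decrypt($encryptedKey, $true)
if ([Convert]::ToBase64String($serverKey) -ne [Convert]::ToBase64String($clientAes.Key)) {
    throw 'Key transport failed: server did not recover the client key'
}

# Step 6: both sides encrypt application data with the shared symmetric key.
$serverAes = [System.Security.Cryptography.Aes]::Create()
$serverAes.Key = $serverKey
$serverAes.IV  = $clientAes.IV      # the IV is not secret and travels with the data

function Protect-Data([System.Security.Cryptography.Aes]$aes, [string]$text) {
    $plain = [Text.Encoding]::UTF8.GetBytes($text)
    return $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
}
function Unprotect-Data([System.Security.Cryptography.Aes]$aes, [byte[]]$cipher) {
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [Text.Encoding]::UTF8.GetString($plain)
}

$request   = 'GET /accounting/app.aspx HTTP/1.1'   # constructed sample request
$onTheWire = Protect-Data $clientAes $request       # all that crosses the network
$received  = Unprotect-Data $serverAes $onTheWire
"Ciphertext bytes : {0}" -f $onTheWire.Length
"Server decrypted : $received"
```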

Considerations for Selecting an SSL Certificate

Key Points
The certificate used to secure SSL communication is used to verify the identity of
the Web server in addition to securing communication. The certificate contains a
subject name that identifies the server and must be trusted by the clients. You can
generate a certificate by using an internal CA (certification authority) or an external
CA.
Some considerations for selecting an SSL certificate are:
Certificates generated by an internal CA are not trusted by clients outside your
organization. An untrusted certificate generates warnings on the client
computers. Only use an internal CA for generating certificates for internal
clients where you can configure the clients to trust certificates issued by the
internal CA. Windows Server 2008 includes CA functionality and can generate
certificates at no cost.
The cost of certificates generated by external CAs varies widely, but the
functionality is the same. The justification of cost variance between CAs is
typically based on the verification performed on the identity of the
organization requesting the certificate. Internet Explorer uses different colors
in the address bar to identify a level of trust based on how the identity was
validated.
The subject name in a certificate must match the name used in the URL
to access the Web site. If the subject name in the certificate is
webapp.contoso.com and you access the Web site by using https://webapp
or https://192.168.100.50, then the certificate will not be trusted. If you have
internal and external users accessing the Web site by using different DNS
names, then you can get a subject alternative name (SAN) certificate with
multiple names. However a SAN certificate is significantly more expensive than
a regular server certificate. You can also get wildcard certificates for a subject
name such as *.contoso.com. However, some clients and applications do not
function properly with wildcard certificates.
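The subject-name rule above, written as a reusable check and run against the cases the text mentions (single-label name, IP address, SAN certificate, wildcard). This is an added example, not course material; the certificate values are constructed, and a real client also checks the chain, validity period and revocation status, which this omits.

```powershell
# Added example, not from the course: does the host in a URL match the
# names in a certificate? Values below are constructed for illustration.
function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$SubjectName,   # CN in the certificate subject
        [string[]]$SubjectAlternativeNames = @()               # DNS names in the SAN extension
    )
    $hostName = ([uri]$Url).Host.ToLowerInvariant()

    # An IP address in the URL never matches a DNS name in the certificate.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($hostName, [ref]$ip)) { return $false }

    foreach ($name in (@($SubjectName) + $SubjectAlternativeNames)) {
        $name = $name.ToLowerInvariant()
        if ($name -eq $hostName) { return $true }

        # Wildcard: '*' stands in for exactly one leftmost label, so
        # *.contoso.com matches webapp.contoso.com but not webapp or
        # a.b.contoso.com.
        if ($name.StartsWith('*.')) {
            $suffix    = $name.Substring(1)                 # '.contoso.com'
            $sameDepth = ($hostName.Split('.').Length -eq $name.Split('.').Length)
            if ($hostName.EndsWith($suffix) -and $sameDepth) { return $true }
        }
    }
    return $false
}

# The cases discussed above: single-name, SAN and wildcard certificates.
$cases = @(
    @{ Url = 'https://webapp.contoso.com'; Subject = 'webapp.contoso.com'; San = @() },
    @{ Url = 'https://webapp';             Subject = 'webapp.contoso.com'; San = @() },
    @{ Url = 'https://192.168.100.50';     Subject = 'webapp.contoso.com'; San = @() },
    @{ Url = 'https://webapp';             Subject = 'webapp.contoso.com'; San = @('webapp', 'webapp.contoso.com') },
    @{ Url = 'https://webapp.contoso.com'; Subject = '*.contoso.com';      San = @() },
    @{ Url = 'https://webapp';             Subject = '*.contoso.com';      San = @() }
)
foreach ($c in $cases) {
    $ok = Test-CertificateNameMatch -Url $c.Url -SubjectName $c.Subject -SubjectAlternativeNames $c.San
    '{0,-30} {1,-22} SAN={2,-30} match={3}' -f $c.Url, $c.Subject, ($c.San -join ','), $ok
}
```

Only the fourth case (the SAN certificate) and the first and fifth cases match; the others produce the certificate warning the text describes.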

Considerations for Dynamic Web Content

Key Points
Dynamic Web content is content on a Web server that requires processing beyond
just retrieving a static Web page from a disk. Dynamic Web content typically
includes some type of script embedded in the Web page that is processed by the
Web server before the content is delivered to the client. A very simple example of
dynamic Web content is a page footer that is inserted into each page delivered by a
Web server. Full Web applications that track user state during processes are more
complex.
Some considerations for dynamic Web content:
There are a variety of ways that dynamic content can be implemented. They
include ASP, ASP.NET, CGI, and server-side includes. To avoid potential
security risks, you should enable only those methods that are required.
A Web server with dynamic content requires significantly more processing
power and memory than a Web server with static content. As you add dynamic
content to a Web server, ensure that you monitor memory and processor
utilization to ensure that they are sufficient. This is particularly important if
you have a large number of users.
Running programs on a server with dynamic content introduces security risks.
For example, server-side scripts that do not properly verify content submitted
from forms can be susceptible to buffer overflow attacks. If your organization
develops Web-based applications, they should be carefully tested for security
flaws.
Default scripts meant to demonstrate server features and scripting are a
common source of security problems on Web servers. You should remove all
default scripts that are not required.

Considerations for IIS Applications

Key Points
One of the concerns with Web-based applications is how one application on a Web
server will affect another. IIS uses the concept of applications and application pools
to control how dynamic content is processed.
An application is a URL (http://www.contoso.com/accounting/app.aspx) or
section of URL namespace (http://www.contoso.com/accounting/). For each
application you can define the credentials used to access the physical files on the
server. The default configuration passes the user credentials through. Each
application is also part of an application pool.
Application pools contain one or more applications. Each application pool is
treated as a single processing unit with its own memory space. There are a wide
variety of settings available to control CPU utilization limits, application pool
recycling,
Considerations for IIS applications include:
Use the identity of an application pool to control permissions. For each
application pool, you must define the identity. The identity is the user account
used when executing the application code. The identity must have sufficient
permissions to access any necessary files. By default, the identity is the
Network Service account that has limited rights to the local system and has
permission to communicate on the network. If you have multiple application
pools and want them to remain completely separate, you can create an Active
Directory user to control permissions instead.
To prevent a failure in one application from affecting another, the two
applications should be placed in separate application pools. By default, there is
only one application for the entire Web site. You may need to create multiple
applications if you want to prevent one application from affecting another.
Creating multiple application pools may prevent user state information in the
application from being passed between parts of a Web-based application.
When creating new Web application pools, document the original
configuration so that you can roll back your changes if required.
Use application pool recycling to prevent manual stopping and starting of an
application pool. Some Web-based applications begin to experience problems
when they have been running for an extended period of time. This is typically
because they have not been programmed properly. In such a case, application
pool recycling automatically restarts the application. Application pool
recycling can be based on factors such as time, number of requests received, or
a scheduled time. Depending on the application, recycling may cause user
state information to be lost. Correcting the faulty application is preferred to
recycling.

Demonstration: Configuring IIS

Key Points
In this demonstration, you will see how to configure IIS.
High-level steps:
1. Open IIS Manager.
2. Review bindings and the SSL certificate.
3. Create a new application.
4. Review application configuration.
5. Review application pool configuration and the recycling settings.
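The demonstration steps above, together with the IIS application pool considerations from the previous topic, scripted with appcmd.exe (the IIS 7 command-line tool installed with the Web Server role). This is an added example, not the course demonstration; the site, pool, path and CONTOSO\svc-accounting account names are constructed placeholders.

```powershell
# Added example, not from the course: scripted equivalent of the demonstration.
# Names are constructed placeholders; adjust them for your environment.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'
$pool   = 'AccountingPool'
$app    = "$site/accounting"

# Step 2: review the site bindings and which certificate is bound to port 443.
& $appcmd list site $site /config
netsh http show sslcert

# A dedicated application pool isolates the new application's worker process,
# so a failure or memory leak in it does not affect other applications.
& $appcmd add apppool "/name:$pool" /managedRuntimeVersion:v2.0 /managedPipelineMode:Integrated

# Pool identity: a dedicated domain account instead of the default Network
# Service, so its file permissions can be granted separately. appcmd stores
# the password encrypted in applicationHost.config.
$password = Read-Host 'Password for CONTOSO\svc-accounting'
& $appcmd set apppool $pool /processModel.identityType:SpecificUser `
    '/processModel.userName:CONTOSO\svc-accounting' "/processModel.password:$password"

# Step 5: recycling. Restart the worker process daily at 02:00 (inside the
# maintenance window) or when private memory passes 500 MB (value is in KB).
& $appcmd set apppool $pool "/+recycling.periodicRestart.schedule.[value='02:00:00']"
& $appcmd set apppool $pool /recycling.periodicRestart.privateMemory:512000

# Step 3: create the application under the site and place it in the new pool.
& $appcmd add app "/site.name:$site" /path:/accounting '/physicalPath:C:\inetpub\accounting'
& $appcmd set app $app "/applicationPool:$pool"

# Authentication for this application only (written to applicationHost.config):
# Windows integrated on, anonymous off. Enable basic authentication only on a
# site with an https binding, because basic sends credentials in clear text.
& $appcmd set config $app /section:windowsAuthentication /enabled:true /commit:apphost
& $appcmd set config $app /section:anonymousAuthentication /enabled:false /commit:apphost

# Steps 4 and 5: review the resulting application and pool configuration.
& $appcmd list app $app /config
& $appcmd list apppool $pool /config
```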

Lesson 3
Supporting SQL Server Databases

Many application servers, such as SharePoint and Microsoft Project Server, use
SQL Server as a back end for data storage. It is essential that you understand the
basics of SQL Server operation and support to be able to properly support an
application server. There are multiple editions of SQL Server 2008 and the one you
need depends on the scenario it is being used in. Transaction logs are an integral
part of how SQL Server maintains databases and need to be considered when you
decide on a backup and restore strategy for a SQL Server database.
Objectives
After completing this lesson, you will be able to:
Describe why database knowledge is required by administrators.
Describe SQL Server.
Describe SQL Server editions.
Describe SQL Server authentication options.
Use SQL Server management tools.
Describe how SQL Server uses transaction logs.
Describe the backup and restore options for SQL Server.
Select appropriate options for supporting SQL Server.

Why Do Administrators Need to Understand Databases?

Key Points
As the administrator of a Windows network, you need to understand the basics
of how databases work. Databases are used as a back end to store data and
configuration information for a wide variety of applications. End-user applications
that store data in a database include most Web-based applications, SharePoint,
Microsoft Project Server, and Exchange Server. Administrator utilities that use a
database include System Center Operations Manager and System Center Virtual
Machine Manager. To support these applications, you need to understand the
basics of database administration.
Managing the databases associated with an application is different from managing
files such as Microsoft Office Word documents or Microsoft Office Excel
spreadsheets. Some of the important differences are:
Databases have constantly changing data and the database files are constantly
open. To back up a database, special procedures are required. If you back up a
live database by using an open file agent for backup, the backup will be
inconsistent and you may not be able to restore it.
Databases use transaction logs that grow over time. You need to ensure that
those transaction logs are truncated (cleared) so that disk space is not wasted.
Databases have their own internal security system. In most cases, applications
configure all of the necessary security. However, you may need to look at
security as part of troubleshooting an application.

Typically, it is not necessary for an administrator to understand the details of how
data is stored inside of a database. That is the responsibility of the application
developer. For example, databases consist of tables of information. An
administrator does not directly modify any of the data in the tables.
There are many different database vendors. The database vendor you select will be
based on the application. Each application vendor will define a list of databases
that can be used and how that database needs to be configured. Some applications
with limited data requirements will include the database installation as part of the
application installation. One of the most commonly used databases in Windows
networks is SQL Server.

Note: Exchange Server does not use SQL Server for data storage. Exchange Server uses a
different type of database called Microsoft Extensible Storage Engine (ESE).

What Is SQL Server?

Key Points
Microsoft SQL Server 2008 is a database that can be used for a variety of purposes,
such as business intelligence or data warehousing. However, a common use for
SQL Server is as back-end data storage for applications. Both traditional client-
server applications and Web-based applications often use SQL Server to store
application data.
When applications query, modify, and add data to a SQL Server database, they use
Structured Query Language (SQL). SQL is a standard language that is used for
communication with databases. In some cases, it can be useful for server
administrators to be familiar with SQL, but it is not required to perform basic
management of Microsoft SQL Server.
Reporting Services is an optional feature of SQL Server that is used to
automatically generate reports from a SQL Server database. Some applications
require Reporting Services to be installed for full functionality. For example,
System Center Operations Manager requires Reporting Services to generate system
reports showing the health of monitored computers.
When SQL Server is installed, there is a single instance by default. This instance is
unnamed and accessed by using the name of the server. Within each instance there
can be multiple databases. Each application will have its own database on a SQL
Server, but they can be in the same instance.
In addition to the default instance, you can create named instances that are
accessed by using servername\instancename. This is required if applications
require databases with the same name or if settings between instances must be
different. For example, the applications may require a different sort order setting.
The communication settings for a database are often implemented as an Open
Database Connectivity (ODBC) connection. ODBC connections are stored on each
client computer and contain the location of the database. Applications use an
ODBC connection to locate the database.

SQL Server Editions

Key Points
There are several editions of SQL Server 2008. Each edition has different features.
You should select the edition that meets the requirements of your applications.
Free editions of SQL Server 2008:
Express. This is an entry level database that is suitable for learning and
applications with limited data requirements. It supports only 1 CPU and 1 GB
of RAM. The maximum database size is 4 GB.
Compact. This edition is designed for use on mobile devices. There are no
limits on CPU and memory use. The maximum database size is 4 GB.

Core editions of SQL Server 2008:
Standard. This edition is designed for use as a departmental database. It is
well suited to use as a back-end data store for departmental applications. It
supports 4 CPUs and has no limit on memory. There is no limit on database size, but
the edition is limited to 16 instances.
Enterprise. This edition is designed to support enterprise applications. It has
no limits on CPU or memory utilizations. It also has no limits on database size,
supports up to 50 instances, and can run on Itanium-based systems.
Enterprise edition also includes additional features for high availability,
security, data mining, data warehousing, and analysis services.

Specialized editions of SQL Server 2008:
Workgroup. This edition is designed for a remote office that needs a local
instance of company data. It is capable of synchronizing data from the main
office server running Standard or Enterprise Edition. It is limited to 2 CPUs
and 4 GB of RAM. Database size is unlimited.
Web. This edition is designed for Internet-facing applications. It supports 4
CPUs, with unlimited memory support and database size. Licensing is per
processor per month.
Developer. This edition has the same features as Enterprise Edition, but is
licensed only for development, testing, and demonstration. This edition may
not be used in production.

For detailed information about SQL Server 2008 editions and their
features, see Compare Edition Features on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167150&clcid=0x409.

For a pricing overview of SQL Server 2008 editions, see SQL Server 2008
Pricing on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167151&clcid=0x409.
SQL Server Authentication Options

Key Points
The data in a SQL Server database is protected by permissions, similar to how
NTFS permissions are used to protect data in the file system. Before SQL Server can
determine which permissions apply, the user (or the service account of the
application) must authenticate to SQL Server.
SQL Server 2008 authentication modes:
Windows authentication. In this authentication mode, all logins are linked to
Active Directory or local Windows user accounts or groups, and SQL Server relies on
Windows (Kerberos or NTLM) to verify the identity. This is the default and
recommended mode: no password is stored in or sent to SQL Server, and the Windows
password policy and account lockout apply. In most cases it is also easier for users
and administrators. Users are authenticated to the application with the credentials
of their logged-on Windows session, so they do not need to remember a second set of
credentials, and administrators do not need to maintain one.
Mixed authentication. In this authentication mode, logins can be linked to
Active Directory user accounts, local Windows user accounts, or SQL Server
logins, whose names and password hashes are stored in the master database of
the instance. This provides flexibility for situations where you do not want
users to be Active Directory users. For example, you may want the users of a
database to be administered by the database administration group rather than
by Active Directory administrators, or an application may only support SQL
Server logins. The cost is that SQL Server, not Windows, is responsible for
password quality, expiry and lockout, and that the password is sent to the server
with every new connection, which makes connection encryption more important.

Before selecting an authentication mode, you need to determine the authentication
modes supported by your application. Some applications require the use of Active
Directory accounts, while others require the use of SQL Server logins.
When you use mixed authentication, the built-in sa login is a member of the
sysadmin fixed server role and has full rights to the instance and to every
database in it. (sysadmin is a role, not an account; any login that is a member of
it has the same rights as sa.) The sa login is considered legacy and may be removed
in future versions. Because its name is known to every attacker and it is the first
target of password-guessing tools, give administrators their own logins in the
sysadmin role and disable or rename sa. When you configure mixed authentication,
you must provide a password for sa. In previous versions of SQL Server, this
password was blank by default.
Demonstration: SQL Server Management Tools

Key Points
There are a number of tools available to manage SQL Server 2008. Graphical tools
are the most commonly used by network administrators. More advanced database
administrators can use SQL commands directly to perform server management
tasks.
SQL Server Management Studio is a graphical utility for managing SQL Server
2008. With this utility, you can manage almost any aspect of SQL Server 2008
or previous versions of SQL Server. You can create databases, modify security,
configure backups, and many other features. You can also enter SQL
commands directly through SQL Server Management Studio.
SQL Server Configuration Manager is a graphical utility that performs a few
specific SQL Server management tasks. It can start and stop SQL Server services,
change the accounts used by those services, and enable or disable the network
protocols (Shared Memory, Named Pipes, TCP/IP) and the ports that each instance
listens on. Disabling protocols and ports that an instance does not need reduces
its exposure on the network.
Command prompt utilities are provided to perform many tasks. These are
provided primarily to allow automation through scripting. The osql command is the
legacy utility for typing SQL commands at a prompt and is deprecated. The sqlcmd
command replaces it: it can be used interactively, run a single query (-Q), or run a
script file (-i) against a SQL Server, and it is the tool to use in scheduled scripts.

For more information about SQL Server 2008 management tools, see
Features and Tools Overview (SQL Server 2008) on the MSDN Web site
at http://go.microsoft.com/fwlink/?LinkID=165686&clcid=0x409.

High-level steps:
1. Open SQL Server Management Studio.
2. Review the list of databases.
3. Review the properties of a database.
4. Review the authentication mode settings.
5. Review the instance level security accounts
6. Review the database level security accounts.
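The following PowerShell script is an added example, not part of the course and not one of SQL Server's own tools. It performs the checks from the authentication topic and from the demonstration steps above (authentication mode, instance-level logins, members of the sysadmin role) from the command line by running T-SQL through sqlcmd, and, with the assumed -Harden switch, applies the hardening the text recommends. The instance name SEA-DC1\SQLEXPRESS is an assumption (a server name alone addresses the default instance); the script assumes the SQL Server 2008 client tools are installed and that the caller's Windows login is in the sysadmin role.

```powershell
# Added example, not from the course: audit (and optionally harden) the
# authentication configuration of a SQL Server 2008 instance with sqlcmd.
# Assumptions: sqlcmd.exe is on the path, the caller is a Windows login in the
# sysadmin role, and the instance name below is replaced with your own.
param(
    [string]$Instance = "SEA-DC1\SQLEXPRESS",   # assumed name; servername alone = default instance
    [switch]$Harden                               # report only unless this switch is given
)

function Invoke-TSql([string]$Query) {
    # -E: Windows authentication, -b: non-zero exit on T-SQL error,
    # -h -1 -W -s "|": no header, no padding, pipe-separated columns
    $out = & sqlcmd.exe -S $Instance -E -b -h -1 -W -s "|" -Q $Query 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed against ${Instance}: $out" }
    return $out
}

# 1. Authentication mode. SERVERPROPERTY returns 1 for Windows-only, 0 for mixed mode.
$mode  = Invoke-TSql "SET NOCOUNT ON; SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int);"
$mixed = ([string]($mode | Where-Object { $_ -match '^\s*[01]\s*$' } | Select-Object -First 1)).Trim() -eq '0'
if ($mixed) { "Authentication: mixed mode (SQL Server logins accepted)" }
else        { "Authentication: Windows only" }

# 2. Instance-level accounts: every SQL Server login, whether it is disabled,
#    whether the Windows password policy and expiry apply, and whether it holds
#    sysadmin. sa always has SID 0x01, so this still identifies it after a rename.
$rows = Invoke-TSql ("SET NOCOUNT ON; SELECT name, CASE WHEN sid = 0x01 THEN 'sa' ELSE '-' END, " +
        "is_disabled, is_policy_checked, is_expiration_checked, " +
        "ISNULL(IS_SRVROLEMEMBER('sysadmin', name), 0) FROM sys.sql_logins;")
foreach ($r in $rows) {
    $f = $r -split '\|'
    if ($f.Count -lt 6) { continue }
    "login={0,-20} builtin={1} disabled={2} policy={3} expiry={4} sysadmin={5}" -f `
        $f[0].Trim(), $f[1].Trim(), $f[2].Trim(), $f[3].Trim(), $f[4].Trim(), $f[5].Trim()
}

# 3. All members of the sysadmin role, including Windows users and groups.
$admins = Invoke-TSql "SET NOCOUNT ON; SELECT name, type_desc FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;"
"sysadmin members: " + (($admins | Where-Object { $_ -match '\|' } | ForEach-Object { ($_ -split '\|')[0].Trim() }) -join ', ')

if ($Harden -and $mixed) {
    # Disable sa (found by SID, in case it was renamed) and make every other enabled
    # SQL login obey the Windows password policy and expiry. Switching the instance
    # to Windows-only authentication is a registry change (LoginMode = 1) that needs
    # a service restart; do that in SSMS once every application has a Windows login.
    Invoke-TSql ("DECLARE @sa sysname = (SELECT name FROM sys.sql_logins WHERE sid = 0x01); " +
        "EXEC (N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;'); " +
        "DECLARE @sql nvarchar(max) = N''; " +
        "SELECT @sql += N'ALTER LOGIN ' + QUOTENAME(name) + N' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON; ' " +
        "FROM sys.sql_logins WHERE sid <> 0x01 AND is_disabled = 0; " +
        "EXEC sp_executesql @sql;") | Out-Null
    "Hardened: sa disabled, password policy enforced on remaining SQL logins"
}
```

Run it without -Harden first and compare the sysadmin list against the people who are supposed to administer the instance; any application service account in that list is a sign that database-level permissions were never worked out. Note that disabling sa blocks any application that was quietly configured to use it, which is exactly why the report step comes first.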
How SQL Server Uses Transaction Logs

Key Points
Each unit of work performed in a SQL Server 2008 database is referred to as a
transaction. A transaction may have multiple steps, such as modifying multiple
tables. For example, a transaction may remove money from one account and then
add money to another account. It is important that either all steps in a transaction
are completed or none of them are. To make transactions reliable and prevent
inconsistent databases, SQL Server 2008 uses transaction logs.
Each database has a transaction log. Every modification is written to the transaction
log before the changed data page is written to the data file (write-ahead logging),
and a transaction is not reported as committed until its log records are on disk.
If there is a failure during a transaction, such as a power failure or disk error,
SQL Server uses the log at restart to roll back incomplete transactions and roll
forward committed ones that had not yet reached the data files, keeping the
database consistent.
You can set a recovery model for a database that controls how logging is
performed. These are called recovery models because they control how you
perform backups and how far you can recover from them.
The recovery models for SQL Server 2008 are:
Simple recovery. This model reuses transaction log space automatically. Once the
transactions in a section of the log are complete and a checkpoint has written
their changes to the data files, that section is truncated and can be overwritten.
The main benefit of the simple recovery model is that less disk space is used by
transaction logs and no log backups need to be managed. However, log backups are
not possible, so recovery is limited to the point in time that the last full or
differential backup was taken.
Full recovery. This model keeps all log records until they have been backed up by
a transaction log backup. This uses more disk space than the simple recovery
model (the log grows until it is backed up), but allows you to restore the database
up to the point of failure or to an earlier point in time. First you restore the
database backup, and then you replay the transaction log backups. It is possible to
replay the transaction logs only up to a specific point in time if desired, for
example to just before a mistaken deletion.
Bulk-logged recovery. This model is a variant of full recovery that logs bulk
operations (such as bulk imports and index rebuilds) minimally. It is typically used
temporarily during a maintenance routine or data import and then switched back to
full recovery. Bulk logging is more efficient on disk space than the full recovery
model, but a log backup that contains minimally logged operations cannot be used to
recover to a specific point in time within that backup.

For more information about recovery models in SQL Server 2008,
see Recovery Model Overview on the MSDN Web site at
http://go.microsoft.com/fwlink/?LinkID=165687&clcid=0x409.
Backup and Restore Options for SQL Server

Key Points
Databases are not backed up in the same way as the file system of a server. SQL
Server has its own backup types (full, differential, and transaction log), and each
works with the data files and the transaction log rather than with individual files.
The terms do not mean the same as in file backup: what is often called an
incremental backup of SQL Server is a transaction log backup, and a SQL Server
differential backup contains changed data pages, not log records.
When the full recovery model is being used, you have the following options for
backup:
Full backup. When you perform a full backup, all data pages are backed up, together
with just enough of the transaction log to make the backup consistent. A full backup
does not truncate the transaction log; in the full recovery model only a log backup
does that.
Transaction log backup (incremental backup). When you perform a transaction log
backup, only the log records written since the previous log backup are backed up.
The inactive part of the log is then truncated, which frees space inside the log file
for reuse. If you perform a daily log backup, each one contains a single day of
transactions, and the sequence of log backups since the last full backup forms the
log chain.
Differential backup. When you perform a differential backup, only the data pages
that have changed since the last full backup are backed up. The transaction log
is not backed up and is not truncated. Each differential backup is cumulative: the
differential backup taken on day two contains the changes from day one and day
two, so only the latest one is needed for a restore.

When the simple recovery model is being used, it is not possible to perform
transaction log backups, because the log is truncated automatically at each
checkpoint and no log chain is kept. You can still perform full and differential
backups of a database that uses the simple recovery model, and you can only
recover to those backup points.
When you recover a SQL database, you first restore the last full backup, then the
most recent differential backup if there is one, both without recovering the
database, and then the transaction log backups are replayed in sequence to bring
the database up to the current state or to a chosen point in time. Replaying
transaction logs reapplies the logged transactions to the database. If any
transaction log backup in the chain is missing or corrupt, the replay stops at that
point and you cannot recover past it.
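The backup chain and point-in-time restore described in the recovery model and backup topics above, as an added example that is not part of the course: a PowerShell script that uses sqlcmd to put a constructed demonstration database into the full recovery model, take a full, a log, a differential and a second log backup, and then restore to a copy stopped just before a simulated mistaken DELETE. The instance name, the database name RecoveryDemo and the backup folder are assumptions; the SQL Server service account needs write access to the folder, which should sit on a different physical disk from the data files.

```powershell
# Added example, not from the course: full recovery model, backup chain and
# point-in-time restore with sqlcmd. Assumes sqlcmd.exe is on the path, the caller
# is a sysadmin, and the SQL Server service account can write to $BackupDir.
# Instance name, database name and folder are assumptions; change them.
param(
    [string]$Instance  = "SEA-DC1\SQLEXPRESS",
    [string]$Database  = "RecoveryDemo",       # constructed demo database, created below
    [string]$BackupDir = "D:\SQLBackup"        # keep on a different physical disk than the data files
)

function Invoke-TSql([string]$Query) {
    $out = & sqlcmd.exe -S $Instance -E -b -h -1 -W -Q $Query 2>&1   # -E Windows auth, -b fail on error
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
    return $out
}
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$full = "$BackupDir\${Database}_full.bak"; $log1 = "$BackupDir\${Database}_log1.trn"
$diff = "$BackupDir\${Database}_diff.bak"; $log2 = "$BackupDir\${Database}_log2.trn"

# 1. Database in the full recovery model. A log chain only starts once a full backup exists.
Invoke-TSql "IF DB_ID('$Database') IS NULL CREATE DATABASE [$Database];" | Out-Null
Invoke-TSql "ALTER DATABASE [$Database] SET RECOVERY FULL;" | Out-Null
Invoke-TSql "BACKUP DATABASE [$Database] TO DISK = '$full' WITH INIT, CHECKSUM;" | Out-Null

# 2. Normal activity, then a log backup: this is what truncates the log in full recovery.
Invoke-TSql "USE [$Database]; IF OBJECT_ID('dbo.Ledger') IS NULL CREATE TABLE dbo.Ledger (id int IDENTITY PRIMARY KEY, amount money NOT NULL);" | Out-Null
Invoke-TSql "USE [$Database]; DELETE dbo.Ledger; INSERT dbo.Ledger (amount) VALUES (100);" | Out-Null
Invoke-TSql "BACKUP LOG [$Database] TO DISK = '$log1' WITH INIT, CHECKSUM;" | Out-Null

# 3. A differential backup: data pages changed since the full backup; the log is untouched.
Invoke-TSql "BACKUP DATABASE [$Database] TO DISK = '$diff' WITH DIFFERENTIAL, INIT, CHECKSUM;" | Out-Null

# 4. Record a safe point, wait, then simulate the mistake and back up the log that contains it.
$stopAt = (Invoke-TSql "SET NOCOUNT ON; SELECT CONVERT(varchar(23), GETDATE(), 121);" |
           Where-Object { $_ -match '^\d{4}-\d{2}-\d{2}' } | Select-Object -First 1).Trim()
Start-Sleep -Seconds 2
Invoke-TSql "DELETE [$Database].dbo.Ledger;" | Out-Null
Invoke-TSql "BACKUP LOG [$Database] TO DISK = '$log2' WITH INIT, CHECKSUM;" | Out-Null

# 5. Restore to a copy: full -> differential (both NORECOVERY) -> log2 stopped at $stopAt.
#    log1 is not needed because the differential already contains those changes.
#    MOVE relocates the files so the copy does not overwrite the live database.
$copy = "${Database}_PIT"
Invoke-TSql ("RESTORE DATABASE [$copy] FROM DISK = '$full' WITH NORECOVERY, REPLACE, " +
             "MOVE '$Database' TO '$BackupDir\${copy}.mdf', MOVE '${Database}_log' TO '$BackupDir\${copy}.ldf';") | Out-Null
Invoke-TSql "RESTORE DATABASE [$copy] FROM DISK = '$diff' WITH NORECOVERY;" | Out-Null
Invoke-TSql "RESTORE LOG [$copy] FROM DISK = '$log2' WITH STOPAT = '$stopAt', RECOVERY;" | Out-Null

# 6. The copy still has the row that the DELETE removed: the point-in-time restore worked.
$count = (Invoke-TSql "SET NOCOUNT ON; SELECT COUNT(*) FROM [$copy].dbo.Ledger;" |
          Where-Object { $_ -match '^\s*\d+\s*$' } | Select-Object -First 1).Trim()
"Rows in $copy as of ${stopAt}: $count (expected 1; the live database has 0)"
```

Two things the script makes visible that the text only states: the log backup, not the full backup, is what truncates the log, and a differential is restored in place of the earlier log backup rather than in addition to it. WITH CHECKSUM on every backup lets RESTORE VERIFYONLY detect a corrupt file before you depend on it in the chain.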
Support Considerations for SQL Server

Key Points
Some considerations for supporting SQL Server are:
The transaction log file never shrinks in size automatically (unless the AUTO_SHRINK
database option is enabled, which is not recommended). When you truncate a
transaction log, the file size stays the same, but the space inside the file is
freed for reuse. You can manually shrink the file if required.
The database file never shrinks in size automatically. When you delete data
from a database, the file size stays the same, but the space inside the file is
freed for reuse. You can manually shrink the file if required.
To enhance recoverability, use the full recovery model. If you use the simple
recovery model, then you can only restore back to the point in time of the last
full or differential backup.
To enhance recoverability, store database files on a separate physical disk from
transaction logs. Then if the disk holding the data files is lost or corrupted, you
can back up the tail of the surviving log, restore the database, and replay the
transaction logs up to the current point.
When relying on transaction log backups, ensure that your backup system is
reliable. A missing or corrupted log backup breaks the chain and stops the replay
of all later transactions, which could result in losing data from multiple days.
Use a maintenance plan to automatically back up databases. A maintenance
plan in SQL Server 2008 allows you to create a schedule for database backups
and maintenance.
If your backup software does not have an agent for SQL Server, configure SQL
Server 2008 to back up the database to a file on disk that can then be backed up by
your backup software. This avoids the need to stop the database for backups,
which would impact application availability. Protect the backup files with NTFS
permissions, because they contain a complete copy of the data.
The database for an application is only one part of the application. Consider all
servers that are part of an application when performing backups. For example,
an application on a Web front-end server may need to be the correct version to
work with a database that has been restored. This could be an issue after a
recent upgrade.
Lesson 4
Deploying Client Applications

When you deploy a new operating system, you need to consider application
compatibility with that operating system. Even when a new operating system is not
being used, each organization needs to determine the best way to deploy
applications. In this lesson, you will learn about these topics and learn how to
deploy an application by using Group Policy.
Objectives
After completing this lesson, you will be able to:
Describe considerations for application compatibility.
Describe the methods for deploying applications.
Deploy an application by using Group Policy.
Considerations for Application Compatibility

Key Points
For commercial software, the best way to ensure that a desktop application is
compatible with a new desktop operating system is to verify with the application
vendor. If the application is supported on the new operating system, then you can
safely use it with the new operating system. If the application is not supported, it
may still work, but you should do extensive testing. Alternatively, you can wait for
the vendor to provide an updated version of the application for the new operating
system.
To simplify this, Microsoft provides a list of applications that are compatible with
Windows Vista and Windows 7 on the TechNet Web site. This is an alternative to
verifying individually with each vendor.
If an application has been developed internally or was custom developed, then you
can use the Application Compatibility Toolkit (ACT) to identify and resolve
compatibility issues before deploying a new operating system. ACT assists in the
collection of application inventory data. Then you can use ACT to organize and
analyze compatibility issues that are identified. After issues are identified, you can
test and verify that compatibility issues exist and attempt to mitigate them. ACT
includes tools to monitor.
Some applications have compatibility problems with User Account Control (UAC)
in Windows Vista and Windows 7, typically because they assume the user is an
administrator and write to protected locations such as Program Files or HKLM. The
Standard User Analyzer (SUA) tool in ACT helps to identify these issues. SUA can
also generate mitigations (compatibility fixes, or shims) for UAC-related problems
and save them as an MSI file. Compatibility Administrator is the tool in ACT that is
used to create and manage these fixes and to apply the MSI file to other computers
in your organization. Prefer fixing the application, or running it as a standard
user with a shim, over granting users administrative rights to make it work.

For more information about application compatibility, see the
Application Compatibility page on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=165693&clcid=0x409.
Application Deployment Methods

Key Points
Traditionally, applications were deployed by going from computer to computer
with a CD-ROM and installing the application manually by running setup.
However, this was a time consuming process and led to non-standard
configurations because each technician performing the software install may have
been selecting different options.
Other ways to deploy applications include:
Inclusion in an operating system image. When applications are included in
an operating system image, they do not need to be installed after a computer
is imaged. However, this is only suitable for applications that are deployed to
all users. It also does not address the need to update applications when
updates become available.
Group Policy. You can deploy applications by including them in a GPO that is
linked to the container holding the target users or computers. The application must
be packaged as an MSI file. You can add transform files (MST) to customize the
installation of applications, and patches (MSP) to update existing applications.
Because the installation runs with SYSTEM privileges on each computer, store the
package on a share that users can read but not modify. This is a good option for
small and mid-sized organizations to deploy applications. Larger organizations
should consider System Center Configuration Manager for easier manageability and
additional features.
System Center Essentials. This product is designed to help manage clients
and servers for mid-sized organizations with up to 500 clients and 30 servers.
It is a centralized solution for software inventory, hardware inventory, health
monitoring, issue resolution, software deployment, and Windows update
deployment. For application deployment, it can deploy non-MSI applications
and control the installation of applications.
System Center Configuration Manager. System Center Configuration
Manager is an enterprise-level tool for managing the configuration of clients
and servers. It is a centralized solution for software inventory, hardware
inventory, software deployment, operating system deployment, Windows
update deployment, and computer configuration.
Application Virtualization (App-V). This product allows applications to be
delivered to a computer without being installed on that computer. Application
components are delivered to the computer on demand as required to speed up
delivery of the applications. The environment for the application is virtualized
to eliminate conflicts between applications such as DLL version
incompatibility. Application updates are performed centrally and used by each
computer the next time the application is used.
Terminal Services. This Windows Server 2008 role runs applications centrally
on a server. Only screen draw commands are sent to the client computer. This
results in fast connectivity over slow networks and allows you to centrally
control the application. Users can access either a full desktop remotely or just
the application in its own window.
For more information about System Center Essentials, see the System
Center Essentials 2007 SP1 Overview white paper on the TechNet Web
site at http://go.microsoft.com/fwlink/?LinkID=89185.

For more information about the capabilities of System Center
Configuration Manager, see Capabilities on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=165689&clcid=0x409.

For more information about Application Virtualization, see Microsoft
Application Virtualization 4.5 Release to Manufacturing on the
Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=165691&clcid=0x409.
Demonstration: Deploying an Application by Using Group
Policy

Key Points
High-level steps:
1. Open Group Policy Management.
2. Create a new GPO.
3. Add the application to the new GPO.
4. Test delivery of the application.
Lesson 5
Planning Terminal Services

Terminal Services is a solution for providing users with access to applications
remotely. Windows Server 2008 includes features that significantly enhance
Terminal Services functionality for local and remote users. When you implement
Terminal Services, the licensing for both Terminal Services and the applications
must be carefully planned.
Objectives
After completing this lesson, you will be able to:
Describe the purpose of Terminal Services.
Describe the new Terminal Services features in Windows Server 2008.
Describe the considerations for using Terminal Services licensing.
Describe considerations for using Terminal Services.
What Is Terminal Services?

Key Points
Terminal Services is a Windows Server 2008 role that provides access to
applications that run centrally on a server. When clients connect to a Terminal
Server the amount of network traffic is small compared with running the
application locally against remote data. All application processing occurs on the
Terminal Server. The Terminal Server sends screen draw commands to the client and
the client sends mouse and keyboard input to the Terminal Server.
The client accessing a terminal server can be a desktop computer running the
Remote Desktop client or a Windows terminal. A Windows terminal is a device
that only runs the Remote Desktop client and does not provide functionality to run
other applications.
When the Remote Desktop client is used to access a Terminal Server, file and
printer redirection can be implemented. File redirection allows the remote client to
save files from the Terminal Server to a local disk on the client. Printer redirection
allows the remote client to print from terminal server applications but have the
print job created on a local printer. Both kinds of redirection expose a client
resource to the server session, so enable them only where the organization allows
data to leave the server; they can be restricted per server or through Group Policy.
A client connected to a terminal server can have a full desktop displayed or just a
single application window. The full desktop is useful for providing access to
remote users that need access to data and applications. The single application
window is useful for centralizing line-of-business applications in a single location.

For detailed information about Terminal Services, see Terminal
Services in Windows Server 2008 on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=165694&clcid=0x409.
New Terminal Services Features in Windows Server 2008

Key Points
Terminal Services in Windows Server 2008 has been updated with many useful
features. Some of the new features are:
Single sign-on. This simplifies logon over internal networks by allowing the
credentials of the user's session on the client computer to be passed automatically
to the terminal server. When used with a single application window, it makes the
process similar to opening a local application.
Easy Print. This simplifies printing to local computers on the client. It avoids
the need to install printer drivers on the terminal server that match the printer
on the client computer. All print jobs are created in XPS format on the
Terminal Server and rendered for the appropriate printer locally.
TS RemoteApp. This allows clients to open a window with a single application
when connecting to a Terminal Server rather than an entire desktop. This
simplifies the process for users and is very useful for line-of-business
applications that have been centralized on a Terminal Server.
TS Web Access. This allows clients to begin a Terminal Services connection
from a Web page. This can be used to deploy a full desktop terminal services
experience or RemoteApp programs. Users can also use this functionality to
connect to their regular desktop computer when outside the office if they have
remote desktop access to it. The primary benefit is simplifying the connection
process for users.
TS Gateway. This allows clients to connect to internal terminal servers
through firewalls and network address translation (NAT). The Remote Desktop
Protocol (RDP) communication is tunneled in HTTPS on TCP port 443, so only that
port needs to be opened inbound and the RDP ports of the terminal servers stay
internal. The gateway also enforces connection authorization policies (which users
may connect) and resource authorization policies (which internal computers they may
reach). This is often used together with TS Web Access for remote users over the
Internet.
Considerations for Terminal Services Licensing

Key Points
Terminal Services requires client access licenses (CALs) in addition to the CALs
required for accessing Windows. Terminal Server CALs can be per device or per
user. Roaming users often access a terminal server from many devices; in such a
case, user-based licensing is more cost effective. For internal computers shared by
multiple users and accessing a line-of-business application, device-based CALs will
be more cost effective.
Each Terminal Server must be configured to use per user or per device licensing. A
single Terminal Server cannot mix the two licensing modes. To use per user and
per device licensing, you must have at least two Terminal Servers.
Application licensing is also a concern. When an application is installed on a client
computer, it is used by a single person at a time that typically requires a single
license fee. On a Terminal Server, the licensing varies depending on the policies of
the vendor. Some vendors include the rights to access an application by using
Terminal Services when a license has already been obtained for users on a desktop
computer. Some vendors require an application license to be purchased for each
concurrent user on a Terminal Server. Other vendors require an application license
to be purchased for every potential Terminal Server user.

Note: When a Terminal Server is installed, it will function for 120 days without
communicating with a licensing server. After this grace period, a Terminal Server
without a licensing server stops accepting client connections, so plan the license
server before the first pilot users depend on it.
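The licensing-mode rules above (one mode per server, a farm that needs both modes needs separate servers, and a server that is never configured stops accepting connections after the grace period) can be checked across several terminal servers at once. The following PowerShell script is an added example, not part of the course; it reads the Terminal Services WMI settings of each server, warns about unconfigured servers and about servers that disagree on the mode, and optionally sets the mode. The server names SEA-TS1 and SEA-TS2 and the -SetMode switch are assumptions; it assumes the caller is a local administrator on each server and that remote WMI is allowed through the firewall.

```powershell
# Added example, not from the course: report the licensing mode of each terminal
# server through WMI, warn when servers that should form one farm are in different
# modes, and optionally set the mode. Server names are assumptions. Assumes the
# caller is a local administrator on each server and remote WMI is allowed
# through the firewall; the TerminalServices namespace requires packet privacy.
param(
    [string[]]$Servers = @("SEA-TS1", "SEA-TS2"),
    [ValidateSet("PerDevice", "PerUser")][string]$SetMode
)

# Documented Win32_TerminalServiceSetting.LicensingType values
$modeNames = @{ 0 = "Personal terminal server"; 1 = "Remote Desktop for Administration";
                2 = "Per Device"; 4 = "Per User"; 5 = "Not configured" }
$modeCodes = @{ PerDevice = 2; PerUser = 4 }

function Get-TSLicensingMode([string]$Server) {
    $ts = Get-WmiObject -ComputerName $Server -Namespace "root\CIMV2\TerminalServices" `
          -Class Win32_TerminalServiceSetting -Authentication PacketPrivacy
    New-Object PSObject -Property @{
        Server      = $Server
        IsAppServer = ($ts.TerminalServerMode -eq 1)   # 1 = Terminal Server role, 0 = remote administration only
        Mode        = $modeNames[[int]$ts.LicensingType]
        Setting     = $ts
    }
}

$report = foreach ($s in $Servers) { Get-TSLicensingMode $s }
$report | Format-Table Server, IsAppServer, Mode -AutoSize

# A server that was installed but never configured stops accepting connections
# after the 120-day grace period, so "Not configured" deserves an explicit warning.
foreach ($r in ($report | Where-Object { $_.IsAppServer -and $_.Mode -eq "Not configured" })) {
    Write-Warning "$($r.Server): licensing mode not set; clients will be refused after the grace period"
}

# One server cannot mix modes, so the members of a farm must agree on a mode.
$modes = $report | Where-Object { $_.IsAppServer } | ForEach-Object { $_.Mode } | Sort-Object -Unique
if (@($modes).Count -gt 1) {
    Write-Warning "Terminal servers use different licensing modes ($($modes -join ', ')); a farm must use one mode"
}

if ($SetMode) {
    foreach ($r in ($report | Where-Object { $_.IsAppServer })) {
        $rc = $r.Setting.ChangeMode($modeCodes[$SetMode]).ReturnValue   # 0 = success
        if ($rc -ne 0) { Write-Warning "$($r.Server): ChangeMode failed with code $rc" }
        else { "$($r.Server): licensing mode set to $SetMode" }
    }
}
```

The mode you set must match the kind of Terminal Server CALs that were purchased; the script only keeps the servers consistent, it does not check the license server's inventory.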
Considerations for Using Terminal Services

Key Points
When planning for the Terminal Services role, keep the following considerations in
mind:
Use Terminal Services to provide remote offices with access to centralized
applications. Accessing an application or data by using Terminal Services has
much better performance over a wide area network (WAN) than remotely
accessing application data, because only screen updates and input cross the link.
Use Terminal Services to provide remote users with access to data and
applications. Accessing an application or data by using Terminal Services has
much better performance than running the application locally over a VPN.
Centralize the deployment of line-of-business applications on a Terminal
Server. It is much easier to update a central copy of an application on a
Terminal Server than on multiple client computers.
Use RemoteApp to simplify access to applications on a terminal server. This
provides users with a desktop icon that is simpler to understand than using a
full Remote Desktop.
Use TS Gateway and TS Web Access to support clients over the
Internet. The combination of these two features ensures that clients can access
Terminal Services applications from anywhere with an Internet connection,
even when the only access allowed is through a Web proxy.
Consider allowing remote users to remotely connect to their own desktop
computers. This provides users with a familiar environment and ensures that
all of their necessary applications are available.
Be aware that the loss of a Terminal Server will affect many users. Use network
load balancing and the Terminal Service Session Broker to provide high
availability for Terminal Services.
Lab: Planning Application Servers

Note: Your instructor may run this lab as a class discussion.

A. Datum has recently identified the need to implement new applications to meet
the needs of a growing organization. The first is a portal for collaborating on
projects. Windows SharePoint Services has been selected for this purpose. The
second need is a new financial application that will be deployed by using Terminal
Services.

Exercise 1: Creating a Plan for Application Servers
Scenario
You have been tasked with creating a plan for implementing Windows SharePoint
Services for collaboration and Terminal Services to support a financial application.
You determine how these application servers will be implemented based on
requirements provided by the IT manager.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:

Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 30 July 2009 14:25
To: Gregory@adatum.com
Subject: Group Policy implementation
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning our implementation of the new application servers.
The first application server is for Windows SharePoint Services. We are
implementing this only as a pilot project at this point. A new server
(sharepoint.adatum.com) has been allocated for this task and has SQL Server 2008
Express already installed with an instance named SQLEXPRESS. If we move this
project out of the pilot phase, then we'll consider updates for better performance.
Windows SharePoint Services creates two Web sites on the server. One Web site is
for managing WSS and the other is for accessing content. The content that users
enter for the pages is stored in the SQL Server database.
Some of the things I need your input on are:
What server roles and features do you think will be required?
Do you have any concerns about hardware specifications?
What sort of maintenance schedule will this application require?
How will we ensure that this server and application are secure?
How can we simplify access to this application for internal users?
How should this be backed up?
The second application server is a Terminal Server that will be used by the new
financial application. This is also a pilot project that we need to test before rolling it
out to other users.
Some of the users are at head office and some others are at remote branches that
will be accessing over the WAN. I really need your input as to what benefits using
Terminal Services provides to us. I have to admit, I'm not entirely clear as to why
we want to do it this way. However, the vendor recommended it.
In addition, I need your input on:
Are there any benefits to using Windows Server 2008 for Terminal Services
rather than Windows Server 2003 in our scenario?
What are our licensing requirements?
What will the overall system look like from a user perspective when it is
implemented?
Let me know if you require any clarification.
Regards
Allison

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a plan for implementing Windows SharePoint Services.
3. Create a plan for implementing Terminal Services.

Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for implementing Windows SharePoint Services
What server roles and features do you think will be required for implementing
WSS?
Do you have any concerns about hardware specifications for the WSS server?
How can increasing workloads be accommodated?
What sort of maintenance schedule will WSS require?
How will we ensure that this server and WSS are secure?
How can we simplify access to WSS for internal users?
How should WSS be backed up?
Task 3: Create a plan for implementing Terminal Services
What are the benefits of using Terminal Services for the financial application?
Are there any drawbacks to using Terminal Services?
Are there any benefits to using Windows Server 2008 for Terminal Services
rather than Windows Server 2003 in our scenario?
What are our licensing requirements?
What will the overall system look like from a user perspective when it is
implemented?

Results: After this exercise, you should have created a plan for implementing WSS and
Terminal Services.
Exercise 2: Implementing Windows SharePoint Services
Scenario
After planning how WSS will be supported, you need to install it and review the
installed components. You will also perform a backup of WSS.
The main tasks for this exercise are as follows:
1. Start the virtual machines and then log on.
2. Install Windows SharePoint Services.
3. Review the Web site configuration.
4. Configure Internet Explorer for Windows Authentication.
5. Back up Windows SharePoint Services.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services

1. Browse to D:\Labfiles\Mod05 and run SharePoint.exe.
2. Perform a Basic installation.
3. When installation is complete, run the SharePoint Products and Technologies
Configuration Wizard.
4. When the configuration is complete, log on to the SharePoint site as
Adatum\Administrator with a password of Pa$$w0rd.

Question: What is the URL of the SharePoint site?



Task 3: Review the Web site configuration
1. Open Internet Information Services (IIS) Manager.
2. View the application pools.
3. View the Web sites.
4. View the Authentication for the SharePoint - 80 Web site.

Task 4: Configure Internet Explorer for Windows Authentication

1. Open the Internet Options dialog box.
2. Add http://sea-dc1 to the Local Intranet zone.
3. Use Internet Explorer to access the SharePoint site at http://sea-dc1.

Question: Were you prompted for credentials?

Task 5: Back up Windows SharePoint Services

1. Create the folder C:\SPBackup.
2. From Administrative Tools, open SharePoint 3.0 Central Administration.
3. On the Operations tab, perform a full backup of the farm to C:\SPBackup.

Results: After this exercise, you should have successfully implemented Windows
SharePoint Services and verified the configuration.

Exercise 3: Implementing Terminal Services
Scenario
After planning how Terminal Services will be supported, you need to install
Terminal Services and deploy an application by using TS RemoteApp.
The main tasks for this exercise are as follows:
1. Install Terminal Services.
2. Install the financial application.
3. Prepare the financial application for distribution as a RemoteApp program.
4. Test the new application.

Task 1: Install Terminal Services

1. On SEA-DC1, open Server Manager.
2. Add the Terminal Services role with the Terminal Server role service and the
following options:
Authentication method: Do not require Network Level Authentication
Licensing mode: Configure later
Users and groups allowed to access Terminal Server: Administrators
3. Restart the server to complete the installation.

Note: The lab does not require Network Level Authentication (NLA) so that any RDP
client can connect. In production, require NLA whenever the clients support it: the
user is authenticated before a session is created, which keeps unauthenticated
connections off the Terminal Server. The lab also installs the Terminal Server role
service on a domain controller for convenience; avoid this in production, because
every Terminal Server user then needs logon rights on the domain controller.

Task 2: Install the financial application

1. On SEA-DC1, browse to D:\Labfiles\Mod05 and run CalcPlus.msi.
2. Install to the default location.
3. Make the application available to Everyone.

Task 3: Prepare the financial application for distribution as a RemoteApp program
1. On SEA-DC1, open TS RemoteApp Manager, and then add Microsoft
Calculator Plus as a RemoteApp program.
2. Select Microsoft Calculator Plus and then Create Windows Installer
Package.
Location to save packages: C:\Program Files\Packaged Programs
Other package setting: default
Create a shortcut on the Desktop and Start menu folder in Remote
Programs
3. Share the C:\Program Files\Packaged Programs folder with default settings.
4. Use Group Policy Management to edit the Default Domain Policy and create
a new user policy for software installation:
Package: \\SEA-DC1\Packaged Programs\CalcPlus.msi
Deployment type: Assigned
Install this application at logon (in Properties or by using Advanced)

Note: The lab edits the Default Domain Policy for brevity, which assigns the package
to every user in the domain. In production, create a separate GPO, link it to the OU
that contains the users who need the application, and leave the Default Domain
Policy for its default settings.

Task 4: Test the new application

1. On SEA-CL1, log on as Adatum\Administrator with a password of
Pa$$w0rd.
2. If the application shortcut does not appear on the desktop, run gpupdate and
then log on again.

3. Configure single sign-on for Terminal Services by using the local group policy
editor.
Start gpedit.msc.
Browse to Computer Configuration\Administrative Templates\System
\Credentials Delegation.
Enable Allow Delegating Default Credentials and add termsrv/SEA-DC1.adatum.com.
4. Start the Microsoft Calculator Plus application.
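
The credential-delegation setting from step 3, written as a script instead of clicked
through gpedit.msc. This is an added example and not part of the 6430B lab; it writes
the same local policy to the registry keys that the Group Policy editor uses. The SPN is
the lab's Terminal Server; substitute your own server's SPN elsewhere. Keep the SPN
host-specific: a wildcard such as termsrv/* would let CredSSP send the user's
credentials to any server that can present a matching name.

```powershell
# Added example (not from the 6430B lab): "Allow Delegating Default Credentials"
# configured through the local policy registry keys. Run in an elevated session.
# Lab SPN; replace it with your Terminal Server's SPN in any other environment.
$spns = @('termsrv/SEA-DC1.adatum.com')

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$list   = Join-Path $policy 'AllowDefaultCredentials'

# Policy state: Enabled
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'AllowDefaultCredentials' -Value 1 -Type DWord
# Merge the policy's server list with any servers the user allowed locally
Set-ItemProperty -Path $policy -Name 'ConcatenateDefaults_AllowDefault' -Value 1 -Type DWord

# The server list lives in a subkey: one string value per SPN, named 1, 2, 3 ...
# Only these servers may receive the user's default (logged-on) credentials.
New-Item -Path $list -Force | Out-Null
$index = 1
foreach ($spn in $spns) {
    Set-ItemProperty -Path $list -Name ([string]$index) -Value $spn -Type String
    $index++
}

# Show the resulting list; it applies to the next RDP connection the user makes.
Get-ItemProperty -Path $list | Select-Object -Property * -ExcludeProperty PS*
```

The list is what makes this safe to enable: delegation of default credentials hands the
server the user's actual credentials, so the client must only do that for servers it can
identify (by Kerberos SPN here), never for an arbitrary host name.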

Results: After this exercise, you should have successfully implemented Terminal
Services and distributed a Terminal Services application.

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module Review and Takeaways

Review Questions
1. How can you provide access to a client-server application over the Internet and
still have acceptable performance?

2. Why do you need to consider transaction logs when planning backup and
recovery for SQL Server?

3. How can you isolate Web applications so that a programming error in one
does not affect another?

Common Issues Related to Terminal Server Licensing
Identify the causes for the following common issues related to Terminal Server
licensing and fill in the troubleshooting tips. For answers, refer to relevant lessons
in the module.

Issue: A Windows Server 2008 Terminal Server stops allowing connections after 120 days.
Troubleshooting tip:

Issue: User CALs are not being consumed by a Terminal Server.
Troubleshooting tip:

Issue: Device CALs are not being consumed by a Terminal Server.
Troubleshooting tip:

Real-World Issues and Scenarios


1. A Web-based application is considered critical for your organization. How can
you increase the availability of this application?

2. Your organization does not have backup software with an agent for SQL
Server. The agent for SQL Server has been ordered, but will not arrive for
several weeks. In the meantime, how can you back up the SQL Server database
without stopping the database?

3. Your organization has implemented a Web-based application. Authentication
for this application is based on Active Directory accounts. When users access
the application, they are prompted for credentials. How can you eliminate the
prompt for credentials?

Best Practices Related to Supporting Traditional Applications
Supplement or modify the following best practices for your own work situations:
Simplify user logons by integrating authentication with Active Directory when
possible.
Use Terminal Services with RemoteApp to avoid the need to install a client
application on each computer.
Use Terminal Services to provide access to an application for roaming users or
remote offices.
Understand the business impact of an application when planning
maintenance.

Module 1: Planning Windows Server 2008
Deployment
Lab: Planning a Windows Server
2008 Deployment
Exercise 1: Creating a Planning Flowchart for a Windows
Server 2008 Deployment
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create the flowchart

1. On a piece of paper, generate a list of relevant criteria that must be considered
during the upgrade or migration process.
Is new hardware available?
Does downtime window allow for data to be migrated to a new server?
Is testing of the new server required before placing into production?
Is the hardware 64-bit?
Are there 64-bit drivers for the hardware?
Is the existing operating system 32-bit or 64-bit?
Is server core being implemented?
Are there applications running on the server?
Are the applications compatible with Windows Server 2008?
Are the applications compatible with a 64-bit environment?
Is cross-file remote differential compression (RDC) for Distributed File System (DFS) Replication required?
Is failover clustering required?

Is hot-add memory required?
How much RAM is required?
Will this be a virtualization host with more than four guests?
2. Use the list of criteria you have generated to create a flowchart for determining
whether to upgrade or migrate.

3. Use the list of criteria you have generated to create a flowchart for determining
which edition of Windows Server 2008 you should use.

4. Use the list of criteria you have generated to create a flowchart for determining
whether to use a 32-bit or 64-bit operating system.

Results: After this exercise, you should have created flowcharts to help to determine
how to upgrade or migrate an existing server to Windows Server 2008.

Exercise 2: Planning a Windows Server 2008 Deployment
Task 1: Create a deployment plan for the archive file server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the archive server.

Deployment Plan: Archive File Server

Document Reference Number: GW0688/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the more efficient file-sharing protocols in Windows Server 2008.
The archive file server is used to store older data that is accessed only occasionally.
Extended outages are possible with notification.
It is used only as a file server. It has no other functions.
The hardware is relatively new, and no new hardware has been allocated for this
server.

Additional Information
This server is currently running a 32-bit version of Windows Server 2003 R2.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: Because no new hardware has been allocated, this server must be
upgraded. The file server role is a limited risk for upgrading. It should be
recognized by the upgrade process.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used. There are no
requirements that necessitate the use of Windows Server 2008 Enterprise or
Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 will be used, because you
cannot upgrade between processor architectures.

Task 2: Create a deployment plan for the main file server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the main file server.

Deployment Plan: Main File Server

Document Reference Number: GW0689/1
Document Author: Gregory Weber
Date: 20th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the more efficient file-sharing protocols in Windows Server 2008.
The main file server is mission critical and cannot be taken out of production during
business hours. Downtime must be limited to less than one day.
It is used only as a file server. It has no other functions.
This server should support cross-file remote differential compression (RDC) for DFS
Replication. This may be implemented in the future to support remote offices, and
cross-file RDC will reduce synchronization traffic on the WAN.
Data for this file server is stored on a Fibre Channel Storage Area Network (SAN).
New hardware has been allocated for this server if required.

Additional Information
Clients access this file server through mapped drive letters that are created by a
logon script.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: New hardware has been allocated, so this server should be migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: This server will use Windows Server 2008 Enterprise, because cross-file RDC
for DFS Replication is available only in the Enterprise and Datacenter editions.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: There is no indication of any reason not to use 64-bit, so a 64-bit
operating system should be used.
4. How will downtime be minimized?
Answer: Even though there is a large amount of data, the migration of this
data is not a concern. The data is stored on a SAN, and the new server can
point at the existing storage on the SAN. Clients can be directed to the new
server by updating their logon script.

Task 3: Create a deployment plan for the antivirus server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the antivirus server.

Deployment Plan: Antivirus Server

Document Reference Number: GW0690/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to standardize
the server operating systems.
The antivirus server can experience an outage of 24 hours without impacting
clients.
New hardware has been allocated for this server.

Additional Information
The antivirus application has not been tested by the vendor in 64-bit environments
and is not supported in 64-bit environments.

Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: New hardware has been allocated for this server. So, it should be
migrated.
2. Which edition of Windows Server 2008 will be used?
Answer: Windows Server 2008 Standard can be used because there are no
requirements that necessitate the use of Windows Server 2008 Enterprise or
Datacenter.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 32-bit version of Windows Server 2008 should be used, because
the antivirus application is not supported on a 64-bit operating system. When
64-bit support is available, an upgrade to a 64-bit version of Windows Server
2008 can be considered.

Task 4: Create a deployment plan for the human resources application server
Read the supporting documentation.
Answer the questions in the Deployment Plan for the human resources
application server.

Deployment Plan: Human Resources Application Server

Document Reference Number: GW0691/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
This server is to be upgraded or migrated to Windows Server 2008 to take
advantage of the performance improvements in IIS 7.
The existing server is consistently short on memory, and a new server with 8GB of
memory has been allocated to address this.
The application data is also stored on this server and must be taken into account.
There can be no downtime during business hours.
The new server should support failover clustering, as it is being considered for the
future.

Additional Information
None
Proposals
1. Will this server be upgraded on existing hardware or migrated to new
hardware?
Answer: A new server has been allocated with additional memory. A
migration should be performed.
2. Which edition of Windows Server 2008 will be used?
Answer: The memory requirement is 8 GB. This is possible with a 64-bit
version of Windows Server 2008 Standard. However, Windows Server 2008
Enterprise is required to support failover clustering.
3. Will 32-bit or 64-bit Windows Server 2008 be used?
Answer: A 64-bit version of Windows Server 2008 should be used to best
access the 8 GB of memory.
4. What process will you use to minimize downtime?
Answer: To minimize downtime, the new server should be implemented in
parallel with the existing server. After the new server has been thoroughly
tested, then you can perform a final data migration. Downtime is only
required for the final data migration.

Results: After this exercise, you should have created a deployment plan for the archive
file server, the main file servers, the antivirus server, and the human resources
application server.

Module 2: Planning Network Infrastructure for
Windows Server 2008
Lab: Planning Network
Infrastructure for Windows Server
2008
Exercise 1: Determining an Appropriate Network
Addressing Scheme
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan: IPv4
Addressing document.

Branch Office Network Infrastructure Plan: IPv4 Addressing

Document Reference Number: GW0709/1
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
Design an IPv4 addressing scheme for the Adatum western regional branch sales
offices, shown in the exhibit.
The block address 10.10.32.0/21 has been reserved for this region.
You must devise a scheme that supports the required number of subnets, the
required number of hosts, and provide for 25% growth of hosts in each branch.
For each branch, provide the subnet addresses you plan to use, together with the
start and end IP addresses for each subnet.
Additional Information
You do not need to concern yourself with the IP addressing for the corporate side
of the router at each branch.

Proposals
1. How many subnets do you envisage requiring for this region?
Answer: There are 300 computers in the region. The specification states that
around 50 computers should be deployed in each subnet. We also need to
plan for growth of around 25%. Six subnets are required in the region to host
computers, but an additional subnet per location should be planned for to
host the growth in computers. This is a total of nine subnets.
2. How many hosts will you deploy in each subnet?
Answer: The specification states we must deploy a maximum of 50 host
computers per subnet.
3. What subnet mask will you use for each branch?
Answer: The current network address for the region is 10.10.32.0/21. This
leaves 11 bits to allocate to subnets and hosts. To express 9 subnets, we would
require 4 bits, as 3 bits only provides for 8 subnets. 4 bits actually provides for
16 subnets, which is plenty. This is a decimal mask of 255.255.255.128.
4. What are the subnet addresses for each branch?
Answer:
Branch 1:
10.10.32.0/25
10.10.32.128/25
10.10.33.0/25
Branch 2:
10.10.33.128/25
10.10.34.0/25
10.10.34.128/25
Branch 3:
10.10.35.0/25
10.10.35.128/25
10.10.36.0/25
5. What range of host addresses are in each branch?
Answer:
Branch 1:
10.10.32.1 > 10.10.32.126
10.10.32.129 > 10.10.32.254
10.10.33.1 > 10.10.33.126
Branch 2:
10.10.33.129 > 10.10.33.254
10.10.34.1 > 10.10.34.126
10.10.34.129 > 10.10.34.254
Branch 3:
10.10.35.1 > 10.10.35.126
10.10.35.129 > 10.10.35.254
10.10.36.1 > 10.10.36.126
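
The addressing answers above can be derived mechanically from the reserved block and
the requirements, which is also the quickest way to check them. The script below is an
added example and not part of the 6430B lab: it takes the scenario's figures (the
10.10.32.0/21 block, 50 hosts per subnet, 25% growth, three subnets per branch as in
answer 1), works out the smallest host part that still fits the growth target, confirms
the block holds enough subnets, and prints the same subnet and host ranges listed in
answers 4 and 5.

```powershell
# Added example (not part of the 6430B lab): derive the branch subnet plan and check it
# against the growth target. Inputs are the scenario's; the helpers use plain arithmetic.
$block            = '10.10.32.0'   # reserved for the western region
$blockPrefix      = 21
$branches         = 3
$subnetsPerBranch = 3              # two for today's computers plus one for growth (answer 1)
$hostsPerSubnet   = 50
$growth           = 0.25

# Dotted-quad <-> integer helpers (int64 so that masks and broadcasts never overflow)
function ConvertTo-IPNumber ([string]$ip) {
    $o = $ip.Split('.')
    return ([int64]$o[0] * 16777216) + ([int64]$o[1] * 65536) + ([int64]$o[2] * 256) + [int64]$o[3]
}
function ConvertFrom-IPNumber ([int64]$n) {
    $octets = foreach ($divisor in 16777216, 65536, 256, 1) {
        [int64][math]::Floor($n / $divisor) % 256
    }
    return ($octets -join '.')
}

# Smallest host part for 50 hosts + 25% growth = 63 hosts. Six host bits give only
# 62 usable addresses, so the loop settles on seven bits: a /25 with 126 usable.
$needed   = [math]::Ceiling($hostsPerSubnet * (1 + $growth))
$hostBits = 1
while (([math]::Pow(2, $hostBits) - 2) -lt $needed) { $hostBits++ }
$prefix   = 32 - $hostBits
$size     = [int64][math]::Pow(2, $hostBits)            # addresses per subnet (128)
$mask     = ConvertFrom-IPNumber (4294967296 - $size)   # 255.255.255.128

# Does the reserved block hold enough subnets of that size? (/21 -> 16 x /25)
$required  = $branches * $subnetsPerBranch
$available = [math]::Pow(2, $prefix - $blockPrefix)
if ($required -gt $available) {
    throw "Plan needs $required subnets but a /$blockPrefix holds only $available /$prefix subnets"
}

# Carve the block sequentially, assigning consecutive subnets to each branch
$base = ConvertTo-IPNumber $block
$plan = for ($i = 0; $i -lt $required; $i++) {
    $net = $base + ($i * $size)
    [pscustomobject]@{
        Branch    = [int][math]::Floor($i / $subnetsPerBranch) + 1
        Subnet    = '{0}/{1}' -f (ConvertFrom-IPNumber $net), $prefix
        FirstHost = ConvertFrom-IPNumber ($net + 1)
        LastHost  = ConvertFrom-IPNumber ($net + $size - 2)
        Broadcast = ConvertFrom-IPNumber ($net + $size - 1)
    }
}

"Mask $mask gives $($size - 2) usable hosts per subnet ($needed required); using $required of $available /$prefix subnets"
$plan | Format-Table -AutoSize
```

Two things the printed table makes visible that the answers do not: a /26 (62 usable
hosts) would have failed the 63-host growth target by one address, and the nine /25
subnets consume only 10.10.32.0 through 10.10.36.127, leaving seven /25 subnets of the
/21 free for a fourth site.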

Results: After this exercise, you should have a completed IP addressing plan for the
western region branch offices.

Exercise 2: Planning the Placement of Network Servers
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
Answer the questions in the Branch Office Network Infrastructure Plan:
Network Services document.

Branch Office Network Infrastructure Plan: Network Services


Document Reference Number: GW0709/2
Document Author: Gregory Weber
Date: 25th July

Requirement Overview
Specify which network services are required in each sales office, and any changes
that might be required in the head office to facilitate your proposals.

Additional Information
It is important that any router, server, or communications link failure does not
adversely affect users.

Proposals
1. How many DHCP servers do you propose to deploy in the region?
Answer: Assuming that the routers are all RFC 1542-compliant (that is, they relay
DHCP/BOOTP broadcasts), there is no need to deploy a DHCP server in each
subnet; one DHCP server in each location would be sufficient. For fault tolerance,
duplicate scopes configured at the head office DHCP server, with appropriate
exclusions to support the 80/20 rule, would provide for addressing fault tolerance.
2. Where do you propose to deploy these servers?
Answer: One DHCP server in each regional office.
3. What name resolution services are required?
Answer: Both DNS and NetBIOS name resolution are required.
4. To support the DNS name space in the sales division, how would you propose
to configure DNS?
Answer: There are two choices:
a. Configure a subdomain for sales in the existing Adatum.com DNS name
space. Then create sufficient DNS servers for deployment to the region as
secondary servers of the Adatum.com zone.
b. Create a delegation for the sales.adatum.com zone in the Adatum.com
zone. Provide at least two name servers to support this delegated zone.
5. Will you require WINS?
Answer: Possibly.
6. If so, how many WINS servers will you require for the region?
Answer: Probably two, configured as replicas.
7. If not, how do you propose to support single-label names?
Answer: Instead of WINS, a GlobalNames zone (GNZ), a Windows Server 2008 DNS feature, could be used to resolve single-label names.

Results: After this exercise, you should have a completed plan for the deployment of
network services in the western regional branch offices.

Exercise 3: Implementing the Planned Network Services
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Deploy the DHCP Server role on SEA-SVR1

1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the console, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, click Next.
6. On the Select Server Roles page, in the Roles list, select the DHCP Server
check box, and then click Next.
7. On the DHCP Server page, click Next.
8. On the Select Network Connection Bindings page, click Next.
9. On the Specify IPv4 DNS Server Settings page, in the Preferred DNS Server
IPv4 Address box, type 10.10.0.10, and then click Next.
10. On the Specify IPv4 WINS Server Settings page, click Next.
11. On the Add or Edit DHCP Scopes page, click Next.
12. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6
stateless mode for this server, and then click Next.

13. On the Authorize DHCP Server page, click Next.
14. On the Confirm Installation Selections page, click Install.
15. On the Installation Results page, click Close.

Task 3: Configure the primary DHCP scope for subnet 1

1. Click Start, click Administrative Tools, and then click DHCP.
2. In the DHCP Console, expand sea-svr1.adatum.com, expand IPv4, and then
click IPv4.
3. Right-click IPv4, and then click New Scope.
4. In the New Scope Wizard, click Next.
5. On the Scope Name page, in the Name box, type Branch 1 subnet 1 scope 1,
and then click Next.
6. On the IP Address Range page, in the Start IP address box, type 10.10.32.1.
7. In the End IP address box, type 10.10.32.125.
8. In the Length box, type 25, and then click Next.
9. On the Add Exclusions page, in the Start IP address box, type 10.10.32.100.
10. In the End IP address box, type 10.10.32.125, click Add, and then click Next.
11. On the Lease Duration page, click Next.
12. On the Configure DHCP Options page, click Next.
13. On the Router (Default Gateway) page, in the IP address box, type
10.10.32.126, click Add, and then click Next.
14. On the Domain Name and DNS Servers page, click Next.
15. On the WINS Servers page, click Next.
16. On the Activate Scope page, click Next, and then click Finish.

Task 4: Configure the secondary DHCP scope for subnet 2
1. Right-click IPv4, and then click New Scope.
2. In the New Scope Wizard, click Next.
3. On the Scope Name page, in the Name box, type Branch 1 subnet 2 scope 2,
and then click Next.
4. On the IP Address Range page, in the Start IP address box, type
10.10.32.129.
5. In the End IP address box, type 10.10.32.253.
6. In the Length box, type 25, and then click Next.
7. On the Add Exclusions page, in the Start IP address box, type 10.10.32.129.
8. In the End IP address box, type 10.10.32.229, click Add, and then click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Next.
11. On the Router (Default Gateway) page, in the IP address box, type
10.10.32.254, click Add, and then click Next.
12. On the Domain Name and DNS Servers page, click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Next, and then click Finish.

Task 5: Create a subdomain in DNS

1. Switch to the SEA-DC1 computer.
2. Click Start, click Administrative Tools, and then click DNS.
3. In DNS Manager, expand Forward Lookup Zones, and then expand
Adatum.com.
4. Right-click Adatum.com, and then click New Domain.
5. In the New DNS Domain dialog box, in the text box, type sales, and then
click OK.

Task 6: Configure zone transfers for the Adatum.com zone
1. Right-click Adatum.com, and then click Properties.
2. Click the Zone Transfers tab.
3. Select the Allow zone transfers check box, and then click OK.

Note: With the default To any server option, any host that can reach SEA-DC1 on
TCP port 53 can pull a complete copy of the zone. Outside the lab, select Only to
servers listed on the Name Servers tab or Only to the following servers, and list
the secondary server (SEA-SVR1).

Task 7: Deploy the DNS role on SEA-SVR1

1. Switch to the SEA-SVR1 computer.
2. Switch to Server Manager.
3. In Server Manager, click Add Roles, and then click Next.
4. On the Select Server Roles page, in the Roles list, select the DNS Server check
box, and then click Next.
5. On the DNS Server page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Task 8: Configure a secondary zone on SEA-SVR1

1. Click Start, click Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-SVR1, and then expand Forward Lookup
Zones.
3. Right-click Forward Lookup Zones, and then click New Zone.
4. Click Next, and on the Zone Type page, click Secondary zone, and then click
Next.
5. On the Zone Name page, in the Zone name box, type Adatum.com, and then
click Next.
6. On the Master DNS Servers page, in the IP Address list, type 10.10.0.10, and
then press ENTER.
7. Click Next, and then click Finish.
8. In DNS Manager, expand the Adatum.com zone.
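
The DNS part of the exercise (Tasks 5 to 8) as it would be scripted on Windows Server
2008, where dnscmd.exe is the command-line interface for the DNS Server role. This is an
added example, not part of the 6430B lab. It covers the secondary zone from Task 8 with
the zone-transfer list from Task 6 restricted to that one secondary, and it also shows
plan option (b), a delegated sales.adatum.com zone, as the alternative to the subdomain
created in Task 5. Server names are the lab's; 10.10.0.100 is assumed to be SEA-SVR1
because the lab later hands that address to DHCP clients as their DNS and WINS server.

```powershell
# Added example (not from the 6430B lab): Tasks 5 to 8 as dnscmd.exe calls.
# Run from an elevated prompt with DNS administration rights on both servers.
$primary     = 'SEA-DC1'       # holds the primary Adatum.com zone
$primaryIP   = '10.10.0.10'    # the DNS address given to the DHCP role in Task 2
$secondary   = 'SEA-SVR1'      # branch DNS server
$secondaryIP = '10.10.0.100'   # assumed: the DNS/WINS address handed out in Task 10
$zone        = 'Adatum.com'

# Task 6, hardened: transfers only to the listed secondary (the check box by itself
# defaults to "To any server"), and notify that server when the zone changes.
dnscmd $primary /ZoneResetSecondaries $zone /SecureList $secondaryIP /NotifyList $secondaryIP

# Task 8: secondary copy of Adatum.com on the branch server, then pull it
# (the equivalent of "Transfer from Master" in DNS Manager).
dnscmd $secondary /ZoneAdd $zone /Secondary $primaryIP
dnscmd $secondary /ZoneRefresh $zone

# Plan option (b), instead of the Task 5 subdomain: host sales.adatum.com on the
# branch server and delegate it from the parent zone with an NS record plus glue.
# (Skip the A record if the branch server's host record already exists in the zone.)
dnscmd $secondary /ZoneAdd "sales.$zone" /Primary /file "sales.$zone.dns"
dnscmd $primary   /RecordAdd $zone $secondary A $secondaryIP
dnscmd $primary   /RecordAdd $zone sales NS "$secondary.$zone."

# Checks: the secondary reports the parent zone, and answers for the delegation
dnscmd $secondary /ZoneInfo $zone
nslookup -type=NS "sales.$zone" $secondaryIP
```

The subdomain (option a) and the delegation (option b) look the same to clients; the
difference is who administers the sales names. A subdomain stays inside Adatum.com and
is replicated to every secondary of that zone, whereas a delegated zone is managed on the
branch servers and needs at least two of them for fault tolerance, as the plan notes.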

Task 9: Enable the WINS feature, and configure DNS/WINS integration
1. Switch to Server Manager.
2. In the console, click Features.
3. In the results pane, click Add Features.
4. In the Features list, select the WINS Server check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, click Close.
7. Switch to the SEA-DC1 computer.
8. In DNS Manager, right-click Adatum.com, and then click Properties.
9. Click the WINS tab, and then select the Use WINS forward lookup check
box.
10. In the IP address box, type 10.10.0.100, click Add, and then click OK.
11. Switch to the SEA-SVR1 computer.
12. In DNS Manager, right-click Adatum.com, and then click Transfer from
Master.

Note: You might need to wait a few moments before you see the WINS record. Click
Refresh if needed.

Task 10: Configure DHCP options to support the deployed services

1. Switch to the DHCP console.
2. Right-click Server Options, and then click Configure Options.
3. In the Available Options list, select the 006 DNS Servers check box.
4. In the IP address box, type 10.10.0.100, and then click Add.
5. In the Available Options list, select the 015 DNS Domain Name check box.

6. In the String value box, type sales.adatum.com, and then click Apply.
7. In the Available Options list, select the 044 WINS/NBNS Servers check box.
8. In the IP address box, type 10.10.0.100, click Add, and then click OK.
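
The DHCP configuration from Tasks 3, 4 and 10 as a script, run on SEA-SVR1. This is an
added example, not part of the 6430B lab: on Windows Server 2008 the scriptable interface
to the DHCP Server role is netsh dhcp (the DhcpServer PowerShell module did not exist until
Windows Server 2012). Addresses and scope names are the lab's. Each scope carries the 80/20
split from the plan: the branch server offers 10.10.32.1 to .99 of subnet 1 (99 addresses,
roughly 80%) and 10.10.32.230 to .253 of subnet 2 (24 addresses, roughly 20%), so the
head-office server must be configured with the same two scopes and the complementary
exclusions, otherwise both servers would hand out the same addresses.

```powershell
# Added example (not from the 6430B lab): the two branch scopes and the server-wide
# options as netsh dhcp commands. Run in an elevated session on the DHCP server.
$scopes = @(
    @{ Network = '10.10.32.0';   Mask = '255.255.255.128'; Name = 'Branch 1 subnet 1 scope 1'
       Start = '10.10.32.1';   End = '10.10.32.125'; ExcludeStart = '10.10.32.100'; ExcludeEnd = '10.10.32.125'
       Router = '10.10.32.126' }
    @{ Network = '10.10.32.128'; Mask = '255.255.255.128'; Name = 'Branch 1 subnet 2 scope 2'
       Start = '10.10.32.129'; End = '10.10.32.253'; ExcludeStart = '10.10.32.129'; ExcludeEnd = '10.10.32.229'
       Router = '10.10.32.254' }
)

foreach ($s in $scopes) {
    # Scope, address pool, the exclusion that leaves the other server's share alone,
    # option 003 (router), and state 1 = active
    netsh dhcp server add scope $s.Network $s.Mask $s.Name
    netsh dhcp server scope $s.Network add iprange $s.Start $s.End
    netsh dhcp server scope $s.Network add excluderange $s.ExcludeStart $s.ExcludeEnd
    netsh dhcp server scope $s.Network set optionvalue 003 IPADDRESS $s.Router
    netsh dhcp server scope $s.Network set state 1
}

# Task 10: server-wide options inherited by every scope
netsh dhcp server set optionvalue 006 IPADDRESS 10.10.0.100      # DNS server
netsh dhcp server set optionvalue 015 STRING sales.adatum.com    # DNS domain name
netsh dhcp server set optionvalue 044 IPADDRESS 10.10.0.100      # WINS/NBNS server

# Confirm what was created
netsh dhcp server show scope
netsh dhcp server show optionvalue
```

Keeping the scope definitions in one table and looping over them is what makes the 80/20
arrangement maintainable: the head-office copy of this script differs only in the exclusion
columns, and the two can be compared to make sure that the excluded ranges are exact
complements.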

Results: After this exercise, you should have successfully deployed branch office
network services.

To prepare for the next module

For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
In the Close box, select Turn off machine and discard changes. Click OK.

Module 3: Planning for Active Directory
Lab: Planning for Active Directory
Exercise 1: Selecting a Forest Topology
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Contoso Domain Migration document with your planned forest topology
Answer the questions in the Contoso Domain Migration document.

Contoso Domain Migration

Document Reference Number: GW0809/1
Document Author: Gregory Weber
Date: 5th August

Requirement Overview
To devise an appropriate forest and domain topology for the merged companies.

Additional Information
The new company will continue to operate with dual names; that is, the Adatum and Contoso
brands are equally important.
It is anticipated that the existing Windows NT 4.0 domain controllers and servers will be replaced as
part of the migration process.

Proposals
1. Do you intend to upgrade the domain controllers in the Contoso network to Windows Server
2008?
Answer: Answers will vary. It seems sensible to base the plan on the assumption that the
domain controllers will be upgraded. This means that an AD DS solution can be implemented.
If you do not intend to upgrade the domain controllers, it will be necessary to establish
multiple external trust relationships between the AD DS domains in Adatum and the Windows
NT 4.0 domain in Contoso.
2. How many forests do you anticipate?
Answer: Answers will vary; either one or two forests. You could implement a single forest that
supports two trees: Adatum.com and Contoso.com. Alternatively, you could implement two
forests, one for each organization. The choice largely depends on how administration is to be
carried out in the merged organization: if the two parts of the organization are to be separately
administered, opt for two forests; otherwise, select one forest.
3. How many domains do you plan to implement?
Answer: Answers will vary. Currently, Adatum has a single domain. There is no compelling
reason why the existing Windows NT 4.0 resource domains in Contoso could not be merged into a
single AD DS domain that uses organizational units to manage resources.
4. How many trees do you envisage?
Answer: Answers will vary. Either a single tree per forest if you select two forests, or else two
trees in a single Adatum.com forest: Adatum.com and Contoso.com.
5. What trust relationships, aside from those created automatically, will you require?
Answer: Answers will vary. Assuming that you opt for a single forest, no additional trusts are
required. If you opted for two forests, then a pair of forest root trusts would be required. If you
opted to remain in Windows NT 4.0 mode, then many trusts would be required; without
additional information, it is difficult to assess precisely how many. Remember that in Windows
NT, trusts are one-way and non-transitive.
6. Provide a sketch of the completed forest.
Answer: A possible solution consisting of a single forest of two trees:

Results: After this exercise, you should have a completed Contoso Domain Migration
document.


Exercise 2: Planning Active Directory for a Branch Network
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Planning document with your proposals
Answer the questions in the Branch Office Planning document.

Branch Office Planning


Document Reference Number: GW0809/2
Document Author: Gregory Weber
Date: 1st September

Requirement Overview
To determine the placement and configuration of domain controllers and related
services at the western region sales offices.

Additional Information
It is important that in the event of a link failure between the head office and branch
offices, users are still able to log on to the network and access services.

Proposals
1. Do you intend to deploy a domain controller(s) in the branch offices? How
many?
Answer: Yes, one domain controller per branch.
2. Will you deploy an RODC(s)?
Answer: The need for security is important; an RODC provides for a more
secure way of deploying a domain controller.
3. How will you optimize the directory replication for the branches?
Answer: Each branch will be represented in Active Directory by a site object.
4. How will domain controllers know in which branch they are located?
Answer: Subnet objects should also be created and associated with a site. The
domain controllers, and other computers, use their IP configuration to
determine their site location in Active Directory.
5. Do you anticipate the need for global catalog services?
Answer: Yes. Many services require access to the global catalog.
6. How will you configure global catalog and DNS?
Answer: An RODC can support the global catalog and DNS role.
7. What additional Active Directory-related services are required to support the
branch office line-of-business applications?
Answer: A line-of-business application requires access to a directory service.
AD LDS might be suitable.

Results: After this exercise, you should have a completed Branch Office Planning
document.


Exercise 3: Deploying a Branch Domain Controller
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Raise the domain functional level
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the console, right-click Adatum.com, and then click Raise domain
functional level.
4. In the Raise domain functional level dialog box, in the Select an available
domain functional level list, click Windows Server 2008, and then click
Raise.
5. In the Raise domain functional level dialog box, click OK.
6. In the subsequent Raise domain functional level dialog box, click OK.
7. Close Active Directory Users and Computers.


Task 3: Raise the forest functional level
1. Click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. In the console, right-click Active Directory Domains and Trusts [SEA-
DC1.Adatum.com], and then click Raise Forest Functional Level.
3. In the Raise forest functional level dialog box, in the Select an available
forest functional level list, click Windows Server 2008, and then click Raise.
4. In the Raise forest functional level dialog box, click OK.
5. In the subsequent Raise forest functional level dialog box, click OK.
6. Close Active Directory Domains and Trusts.

Task 4: Create the Redmond site
1. On the SEA-DC1 virtual machine, click Start, point to Administrative Tools,
and then click Active Directory Sites and Services.
2. In the console, expand Sites, right-click Sites, and then click New Site.
3. In the New Object Site dialog box, in the Name box, type Redmond.
4. In the Link Name list, click DEFAULTIPSITELINK, and then click OK.
5. In the Active Directory Domain Services dialog box, click OK.

Task 5: Configure the replication interval
1. In the console, expand Inter-Site Transports, expand IP, and then click IP.
2. In the results pane, in the list, right-click DEFAULTIPSITELINK, and then
click Properties.
3. In the DEFAULTIPSITELINK Properties dialog box, in the Replicate every
list, type 15 and then click OK.


Task 6: Create the 10.10.0.0/16 subnet
1. In the console, right-click Subnets, and then click New Subnet.
2. In the New Object Subnet dialog box, in the Prefix box, type 10.10.0.0/16.
3. In the Site Name list, click Redmond, and then click OK.
4. Close Active Directory Sites and Services.

Task 7: Prepare the forest for the RODC
1. On SEA-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type D:, and then press ENTER.
3. At the command prompt, type cd\labfiles\Mod03\adprep, and then press
ENTER.
4. At the command prompt, type adprep /rodcprep, and then press ENTER.
5. Close the command prompt.

Task 8: Promote a new domain controller for the branch office
1. Switch to the SEA-SVR1 computer.
2. Click Start, and in the Start Search box, type dcpromo, and then press
ENTER.
3. In the Active Directory Domain Services Installation Wizard, select the Use
advanced mode installation check box, and then click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose a Deployment Configuration page, click Existing forest, and
then click Next.
6. On the Network Credentials page, click Next.


7. On the Select a Domain page, click Next.
8. On the Select a Site page, click Next.
9. On the Additional Domain Controller Options page, select the Read-only
domain controller (RODC) check box, and then click Next.

Note: Leave the other check boxes selected.

10. In the Static IP assignment dialog box, click Yes, the computer will use a
dynamically assigned IP address (not recommended).
11. On the Specify the Password Replication Policy page, click Next.
12. On the Delegation of RODC Installation and Administration page, click
Next.
13. On the Install from Media page, click Next.
14. On the Source Domain Controller page, click Next.
15. On the Location for Database, Log Files, and SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, in
the Password box, type Pa$$w0rd.
17. In the Confirm password box, type Pa$$w0rd, and then click Next.
18. On the Summary page, click Next.
19. In the Active Directory Domain Services Installation Wizard, select the Reboot
on completion check box.

Task 9: Configure the password replication policy
1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as
ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 virtual machine.
3. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
4. In the console, expand Domain Controllers.


5. In the results pane, right-click SEA-SVR1, and then click Properties.
6. In the SEA-SVR1 Properties dialog box, click the Password Replication
Policy tab.
7. Click Add, and in the Add Groups, Users and Computers dialog box, click
Allow passwords for the account to replicate to this RODC, and then click
OK.
8. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select box, type SalesGG, click Check Names, and then click
OK.
9. In the SEA-SVR1 Properties dialog box, click Apply, and then click Advanced.
10. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click
the Resultant Policy tab.
11. Click Add, and in the Select Users, Computers, or Groups dialog box, in the
Enter the object names to select box, type Joe, click Check Names, and then
click OK.

Task 10: Pre-populate the password cache
1. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click
the Policy Usage tab, and then click Prepopulate Passwords.
2. In the Select Users or Computers dialog box, in the Enter the object names
to select box, type joe; Jim; Parul; Heiko; Claus, click Check Names, and
then click OK.
3. In the Prepopulate Passwords dialog box, click Yes.
4. In the Prepopulate Password Success dialog box, click OK.
5. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click
Close.
6. In the SEA-SVR1 Properties dialog box, click OK.
7. Close Active Directory Users and Computers.

Results: After this exercise, you should have successfully deployed an RODC for the
Redmond sales office.
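As an added example (not part of the 6430B lab, which uses only the GUI), the Exercise 3 branch-office work as a PowerShell script: the site, subnet and replication interval, the Password Replication Policy, password pre-population, and a closing check of which accounts the RODC actually holds secrets for. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (the replication-site cmdlets are not in the 2008 R2 module), repadmin on the path, and the lab's names (Redmond, 10.10.0.0/16, SEA-SVR1, SEA-DC1, SalesGG, the five branch users); Task 8's dcpromo run is not scripted.

```powershell
# Added example, not the lab's own code. Assumes the ActiveDirectory module
# (Windows Server 2012+ RSAT), repadmin, and the names used in Exercise 3.
Import-Module ActiveDirectory

$Rodc         = 'SEA-SVR1'              # branch RODC promoted in Task 8
$SourceDc     = 'SEA-DC1.Adatum.com'    # writable DC that supplies the secrets
$Site         = 'Redmond'
$Subnet       = '10.10.0.0/16'
$AllowedGroup = 'SalesGG'               # only these users may be cached on the RODC
$BranchUsers  = 'joe', 'Jim', 'Parul', 'Heiko', 'Claus'

# Tasks 4-6: the site object, a 15-minute replication interval on the default
# site link, and the subnet that lets DCs and clients derive their site from
# their own IP configuration.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site'")) {
    New-ADReplicationSite -Name $Site
}
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ReplicationFrequencyInMinutes 15
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $Site
}

# Task 9: Password Replication Policy. Adding SalesGG to the Allowed list is
# the only change; the built-in Denied RODC Password Replication Group (domain
# admins and other sensitive accounts) stays in force, so a stolen branch
# server never holds those secrets.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowedGroup

# Task 10: pre-populate the branch users so they can log on during a WAN
# failure. repadmin /rodcpwdrepl wants distinguished names and only succeeds
# for accounts the resultant policy allows (the GUI's Resultant Policy tab is
# the same check the lab performs for Joe).
foreach ($u in $BranchUsers) {
    $dn = (Get-ADUser -Identity $u).DistinguishedName
    repadmin /rodcpwdrepl $Rodc $SourceDc $dn | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Pre-population failed for $u (check the PRP)" }
}

# Audit: list every user account whose secret is now on the RODC and flag any
# that is not a SalesGG member. That set is the exposure if the branch
# server is lost, so anything unexpected here is worth investigating.
$allowedMembers = Get-ADGroupMember -Identity $AllowedGroup -Recursive |
                  Select-Object -ExpandProperty SamAccountName
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
foreach ($acct in $revealed) {
    if ($acct.ObjectClass -eq 'user' -and $acct.SamAccountName -notin $allowedMembers) {
        Write-Warning "Unexpected cached secret on $Rodc : $($acct.SamAccountName)"
    }
}
```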


To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module 4: Planning Group Policy
Lab: Planning for Group Policy
Exercise 1: Creating a Group Policy Plan
Task 1: Read the supporting documentation
1. Read the supporting documentation.
2. On SEA-DC1, click Start, point to Administrative Tools, and click Active
Directory Users and Computers.
3. Review the Active Directory structure as necessary.
4. Close Active Directory Users and Computers.
5. Click Start, point to Administrative Tools, and click Group Policy
Management.
6. Review the existing Group Policy configuration as necessary.
7. Close Group Policy Management.


Task 2: Create an OU structure
Draw a diagram of an OU structure that will allow you to meet the
requirements given to you by Allison.

Task 3: Create a list of required GPOs
Create a list of GPOs required to implement the requirements given to you by
Allison.

GPO Name                   | Settings                                        | Linked to                     | Filters
---------------------------|-------------------------------------------------|-------------------------------|------------------------------------------------------------
Enforced Security          | Block read and write access to removable drives | Domain (Enforced)             | Security filter: Lab Computers group denied Apply permission
Head office preferences    | Drive letter mappings for head office           | Head Office                   | None
Branch 1 preferences       | Drive letter mappings for branch 1              | Branch 1                      | None
Branch 2 preferences       | Drive letter mappings for branch 2              | Branch 2                      | None
Branch 3 preferences       | Drive letter mappings for branch 3              | Branch 3                      | None
Branch Sales Applications  | Applications for branch sales staff             | Branch 1, Branch 2, Branch 3  | Security filter: Branch Sales Group
Branch Office Applications | Applications for branch office staff            | Branch 1, Branch 2, Branch 3  | Security filter: Branch Office Group
Terminal server            | Lockdown desktop; Loopback: Replace mode        | Terminal Servers              | None

Results: After this exercise, you should have a completed Group Policy plan for
A. Datum.


Exercise 2: Implementing Group Policy
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Create the OU structure


1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, if necessary, expand Adatum.com,
and then click Adatum.com.
3. Right-click Adatum.com, point to New, and then click Organizational Unit.
4. In the New Object - Organizational Unit window, in the Name box, type Head
Office, and then click OK.
5. Right-click Adatum.com, point to New, and then click Organizational Unit.
6. In the New Object - Organizational Unit window, in the Name box, type
Branches, and then click OK.
7. Right-click Branches, point to New, and then click Organizational Unit.
8. In the New Object - Organizational Unit window, in the Name box, type
Branch1, and then click OK.
9. Right-click Branches, point to New, and then click Organizational Unit.
10. In the New Object - Organizational Unit window, in the Name box, type
Branch2, and then click OK.
11. Right-click Branches, point to New, and then click Organizational Unit.
12. In the New Object - Organizational Unit window, in the Name box, type
Branch3, and then click OK.


13. Right-click Adatum.com, point to New, and then click Organizational Unit.
14. In the New Object - Organizational Unit window, in the Name box, type
Terminal Servers, and then click OK.
15. Close Active Directory Users and Computers.

Task 3: Create the GPO for enforced security


1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, right-click Head Office, point to
New, and then click Group.
3. In the New Object Group window, in the Group name box, type Lab
Computers, and then click OK.
4. Right-click Head Office, point to New, and then click Computer.
5. In the New Object Computer window, in the Computer name box, type
Lab1, and then click OK.
6. Click Head Office, right-click Lab1, and then click Add to a group.
7. In the Select Groups window, in the Enter the object names to select box,
type Lab Computers, and then click OK.
8. Click OK to close the message stating that the operation was successful.
9. Close Active Directory Users and Computers.
10. Click Start, point to Administrative Tools, and then click Group Policy
Management.
11. In Group Policy Management, expand Forest: Adatum.com, expand
Domains, and then expand Adatum.com.
12. Right-click Adatum.com, and then click Create a GPO in this domain, and
Link it here.
13. In the New GPO window, in the Name box, type Enforced Security, and then
click OK.
14. Right-click Enforced Security, and then click Edit.


15. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Removable Storage Access.
16. In the right pane, double-click Removable Disks: Deny read access.
17. In the Removable Disks: Deny Read Access Properties window, click Enabled,
and then click OK.
18. In the right pane, double-click Removable Disks: Deny write access.
19. In the Removable Disks: Deny write access Properties window, click Enabled,
and then click OK.
20. Close the Group Policy Management Editor.
21. In the Group Policy Management window, right-click Enforced Security, and
then click Enforced.
22. In the left pane, click Enforced Security.
23. In the Group Policy Management Console window, select the Do not show
this message again check box, and then click OK.
24. Click the Delegation tab, and then click Advanced.
25. In the Enforced Security Settings window, click Add, type Lab Computers,
and then click OK.
26. In the Permissions for Lab Computers area, select the Deny Read check box,
and then click OK.
27. In the Windows Security window, click Yes to continue.

Task 4: Create the GPO for Branch1 preferences


1. In the Group Policy Management window, in the left pane, click Group Policy
Objects.
2. Right-click Group Policy Objects, and then click New.
3. In the New GPO window, in the Name box, type Branch1 Preferences, and
then click OK.
4. Right-click Branch1 Preferences, and then click Edit.
5. In the Group Policy Management Editor window, under User Configuration,
expand Preferences, expand Windows Settings, and then click Drive Maps.


6. Right-click Drive Maps, point to New, and then click Mapped Drive.
7. In the Location box, type \\Branch1Srv\Shared.
8. In the Drive letter area, select drive letter S, and then click OK.
9. Close the Group Policy Management Editor window.
10. In the Group Policy Management window, in the left pane, expand Branches,
and then click Branch1.
11. Right-click Branch1, and then click Link an Existing GPO.
12. In the Select GPO window, click Branch1 Preferences, and then click OK.

Task 5: Create the GPOs for applications


1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In Active Directory Users and Computers, right-click Branches, point to
New, and then click Group.
3. In the New Object Group window, in the Group name box, type Sales Staff,
and then click OK.
4. Right-click Branches, point to New, and then click Group.
5. In the New Object Group window, in the Group name box, type Office
Staff, and then click OK.
6. Close Active Directory Users and Computers.
7. In the Group Policy Management window, in the left pane, click Group Policy
Objects.
8. Right-click Group Policy Objects, and then click New.
9. In the New GPO window, in the Name box, type Sales Applications, and then
click OK.
10. Right-click Group Policy Objects, and then click New.
11. In the New GPO window, in the Name box, type Office Applications, and
then click OK.
12. In the left pane, expand Group Policy Objects, and then click Sales
Applications.


13. In the Security Filtering area, click Authenticated Users, and then click
Remove.
14. Click OK to confirm.
15. Click Add, type Sales Staff, and then click OK.
16. In the left pane, click Office Applications.
17. In the Security Filtering area, click Authenticated Users, and then click
Remove.
18. Click OK to confirm.
19. Click Add, type Office Staff, and then click OK.
20. Right-click Branch1, and then click Link an Existing GPO.
21. In the Select GPO window, click Sales Applications, and then click OK.
22. Right-click Branch1, and then click Link an Existing GPO.
23. In the Select GPO window, click Office Applications, and then click OK.

Task 6: Create the GPO for Terminal Servers


1. In the Group Policy Management window, right-click Terminal Servers, and
then click Create a GPO in this domain, and Link it here.
2. In the New GPO window, in the Name box, type TS Lockdown, and then
click OK.
3. Right-click TS Lockdown, and then click Edit.
4. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
System, and then click Group Policy.
5. Double-click User Group Policy loopback processing mode.
6. In the User Group Policy Loopback Processing Mode Properties window, click
Enabled. In the Mode box, select Replace, and then click OK.
7. Under User Configuration, expand Policies, expand Administrative
Templates, and then click Start Menu and Taskbar.


8. Double-click Remove and prevent access to the Shut Down, Restart, Sleep,
and Hibernate commands.
9. On the Setting tab, click Enabled, and then click OK.
10. Double-click Remove Run menu from Start Menu.
11. On the Setting tab, click Enabled, and then click OK.
12. Double-click Add Logoff to the Start Menu.
13. On the Setting tab, click Enabled, and then click OK.
14. Close Group Policy Management Editor.

Task 7: Verify application of policies for Branch1 sales staff


1. In the Group Policy Management window, in the left pane, click Group Policy
Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling
Wizard.
3. In the Group Policy Modeling Wizard window, click Next.
4. On the Domain Controller Selection page, click Next to accept the default
setting of Any available domain controller running Windows Server 2003
or later.
5. On the User and Computer Selection page, in the User information area,
click Browse.
6. In the Choose User Container window, expand Adatum, expand Branches,
click Branch1, and then click OK.
7. On the User and Computer Selection page, in the Computer information
area, click Browse.
8. In the Choose Computer Container window, expand Adatum, expand
Branches, click Branch1, and then click OK.
9. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, click Next to select no options.


11. On the User Security Groups page, click Add, type Sales Staff, and then click
OK.
12. Select the Skip to the final page of this wizard without collecting additional
data check box, and then click Next.
13. On the Summary of Selections page, click Next.
14. To view the model, click Finish.
15. In the Branch1 on Branch1 area, under Computer Configuration Summary,
expand Group Policy Objects, expand Applied GPOs, and expand Denied
GPOs.
Default Domain Policy has computer settings and is applied to computers
in Branch1.
Enforced Security has computer settings and is applied to computers in
Branch1.
Office Applications is denied due to security filtering. The computer is not
a member of the necessary group.
Sales Applications is denied due to security filtering. The computer is not a
member of the necessary group.
Branch1 Preferences is denied because there are no relevant settings for
computers. If computer settings are added to Branch1 Preferences, then
they would be applied.
16. Under User Configuration Summary, expand Group Policy Objects, expand
Applied GPOs, and expand Denied GPOs.
Branch1 Preferences has user settings and is applied to users in Branch1.
Enforced Security is denied because there are no relevant settings for
users. If user settings are added to Enforced Security, then they would be
applied.
Default Domain Policy is denied because there are no relevant settings for
users. If user settings are added to Default Domain Policy, then they
would be applied.
Office Applications is denied due to security filtering. The user is not a
member of the necessary group.
Sales Applications is denied because there are no relevant settings for
users. After the sales applications are added to the policy, they will be
distributed to members of the Sales Staff group.


Task 8: Verify application of policies for Branch1 sales staff on the
Terminal Server
1. In the Group Policy Management window, in the left pane, click Group Policy
Modeling.
2. Right-click Group Policy Modeling, and then click Group Policy Modeling
Wizard.
3. In the Group Policy Modeling Wizard window, click Next.
4. On the Domain Controller Selection page, click Next to accept the default
setting of Any available domain controller running Windows Server 2003
or later.
5. On the User and Computer Selection page, in the User information area,
click Browse.
6. In the Choose User Container window, expand Adatum, expand Branches,
click Branch1, and then click OK.
7. On the User and Computer Selection page, in the Computer information
area, click Browse.
8. In the Choose Computer Container window, expand Adatum, click Terminal
Servers, and then click OK.
9. On the User and Computer Selection page, click Next.
10. On the Advanced Simulation Options page, select the Loopback processing
check box, verify that Replace is selected, and then click Next.
11. On the User Security Groups page, click Add, type Sales Staff, and then click
OK.
12. Select the Skip to the final page of this wizard without collecting additional
data check box, and then click Next.
13. On the Summary of Selections page, click Next.
14. To view the model, click Finish.


15. In the Branch1 on Terminal Servers area, under Computer Configuration
Summary, expand Group Policy Objects, expand Applied GPOs, and expand
Denied GPOs.
Default Domain Policy has computer settings and is applied to computers
in Terminal Servers.
TS Lockdown has computer settings and is applied to computers in
Terminal Servers.
Enforced Security has computer settings and is applied to computers in
Terminal Servers.
16. Under User Configuration Summary, expand Group Policy Objects, expand
Applied GPOs, and expand Denied GPOs.
TS Lockdown has user settings and is applied to Branch1 users logging on
to the Terminal Server.
Default Domain Policy is denied because there are no relevant settings for
users. If user settings are added to Default Domain Policy, then they
would be applied.
Enforced Security is denied because there are no relevant settings for
users. If user settings are added to Enforced Security, then they would be
applied.
Notice that none of the user policies that would typically apply to Branch1
users are applied, because loopback processing is in Replace mode. For
example, Branch1 Preferences is not applied.
17. Close Group Policy Management.

Results: After this exercise, you should have successfully implemented group policy.
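As an added example (not the lab's own code), the GPO work from Tasks 3, 5, 6 and 8 of this exercise as a PowerShell script using the GroupPolicy module (Windows Server 2008 R2 or later RSAT): the enforced removable-storage GPO, security filtering for Sales Applications, loopback Replace mode for TS Lockdown, and a report of each GPO's settings and scope. GPO, OU and group names are the lab's; the registry paths are where the named Administrative Template settings are stored, and the report folder C:\GPReports is an assumption.

```powershell
# Added example, not the lab's own code. Assumes the GroupPolicy module
# (Windows Server 2008 R2+ RSAT), the OUs created in Task 2, and the Sales
# Staff group created in Task 5.
Import-Module GroupPolicy

$DomainDn  = 'DC=Adatum,DC=com'
$Branch1Ou = "OU=Branch1,OU=Branches,$DomainDn"
$TsOu      = "OU=Terminal Servers,$DomainDn"

# Task 3: enforced, domain-linked GPO that blocks removable disks. The
# "Removable Disks: Deny read access / Deny write access" settings write
# Deny_Read and Deny_Write under the removable-disk device class GUID.
$rsKey = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$enf = New-GPO -Name 'Enforced Security' -Comment 'Block removable drives; enforced at the domain root'
Set-GPRegistryValue -Name $enf.DisplayName -Key $rsKey -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $enf.DisplayName -Key $rsKey -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $enf.DisplayName -Target $DomainDn -Enforced Yes | Out-Null
# The lab exempts the Lab Computers group with a Deny Read ACE on the GPO.
# Set-GPPermission cannot write Deny entries, so that step stays in the GUI.

# Task 5: security filtering so Sales Applications reaches only Sales Staff.
# Authenticated Users is downgraded from Apply to Read rather than removed:
# since MS16-072 computers read user GPOs with their own account, so a GPO
# that Authenticated Users cannot read is silently skipped.
$sales = New-GPO -Name 'Sales Applications'
Set-GPPermission -Name $sales.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $sales.DisplayName -TargetName 'Sales Staff' -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $sales.DisplayName -Target $Branch1Ou | Out-Null

# Task 6: TS Lockdown. UserPolicyMode 2 is loopback Replace (1 would be
# Merge): user settings for anyone logging on to a terminal server come only
# from GPOs linked to the Terminal Servers OU, which is why the Task 8 model
# shows Branch1 Preferences not applying there. NoRun and NoClose are the
# "Remove Run menu" and "Remove ... Shut Down" settings from the lab.
$ts = New-GPO -Name 'TS Lockdown'
Set-GPRegistryValue -Name $ts.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $ts.DisplayName -Key $explorerKey -ValueName 'NoRun'   -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $ts.DisplayName -Key $explorerKey -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $ts.DisplayName -Target $TsOu | Out-Null

# Tasks 7-8 counterpart: an HTML report per GPO (settings, links, security
# filtering) to review before users log on; keep these with the plan so a
# later change to scope or filtering is visible against the baseline.
$reportDir = 'C:\GPReports'   # assumed location
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
foreach ($g in $enf, $sales, $ts) {
    Get-GPOReport -Name $g.DisplayName -ReportType Html -Path (Join-Path $reportDir "$($g.DisplayName).html")
}
```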

To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.


Module 5: Planning Application Servers
Lab: Planning Application Servers
Exercise 1: Creating a Plan for Application Servers
Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for implementing Windows SharePoint Services
What server roles and features do you think will be required for implementing
WSS?
Answer: WSS requires: Web Server (IIS), the .NET Framework 3.0, and
ASP.NET enabled.
Do you have any concerns about hardware specifications for the WSS server?
Answer: Application servers with dynamic content such as WSS may have
high processor and memory utilization. SQL Server 2008 may also have high
processor and memory utilization. These should be closely monitored as the
workload continues to grow and this server is moved out of the pilot stage.
How can increasing workloads be accommodated?
Answer: There are two main issues: hardware capacity and database size. As
the load on the server grows, the SQL Server database can be moved to a
separate server to increase performance. Also SQL Server Express is limited to
a 4 GB database. This may not be enough to handle the data stored in WSS as
site usage begins to grow. An upgrade to SQL Server Standard Edition may be
required.
What sort of maintenance schedule will WSS require?
Answer: A maintenance window for WSS will need to be defined. The exact
time of the maintenance windows will have to be negotiated with the users of
WSS. The maintenance window should be outside of normal business hours
so that it does not interfere with use of the application.


How will we ensure that this server and WSS are secure?
Answer: To secure any application server, you should ensure that only
required components are installed. In addition, an SSL certificate should be
implemented on the server to encrypt communication. The subject name for
the certificate needs to match the server name used in the URL for accessing
the SharePoint site.
How can we simplify access to WSS for internal users?
Answer: Using Windows integrated authentication allows users to authenticate
to WSS without entering their credentials. The credentials used on the
workstation are automatically passed through to WSS. This simplifies logon for
the users.
How should WSS be backed up?
Answer: WSS stores data in a SQL Server database. You can use backup
software with a SQL Server agent to back up the database. Or you can use a
maintenance plan to back up the database to disk and then back up the file by
using your backup software. In addition, some backup software has a WSS
agent available that simplifies the restore of specific data components rather
than the whole database.
You can perform a full backup each day while the volume of data is relatively
small. When the server holds a large amount of data, you may need to start
using incremental backups to shorten the backup time.

Task 3: Create a plan for implementing Terminal Services
What are the benefits of using Terminal Services for the financial application?
Answer: In this scenario, Terminal Services provides two benefits: ease of
updates and faster remote access. It is easier to perform application updates on
a single Terminal Server rather than many client computers. For remote users
accessing data over a WAN link, the application will run much faster from the
Terminal Server that is located close to the data.
Are there any drawbacks to using Terminal Services?
Answer: The main drawback in this scenario is the risk that the Terminal
Server will fail. This failure would affect the productivity of all users. You can
mitigate this risk by implementing network load balancing.


Are there any benefits to using Windows Server 2008 for Terminal Services
rather than Windows Server 2003 in our scenario?
Answer: Windows Server 2008 has several new features that are useful in this
scenario. Single sign-on allows users to access Terminal Services without
providing credentials. This simplifies the use of Terminal Services for users.
Also, Easy Print makes it much easier and more reliable to print by using
Terminal Services. Finally, TS RemoteApp allows just a single application
window to be opened rather than a remote desktop. This is less confusing for
some users.
What are our licensing requirements?
Answer: To use Terminal Services, each user or device must have a TS CAL. If
users are not accessing the application from multiple locations, it may be
beneficial to use device-based licensing. For our server, we can use device
CALs or user CALs, but not both.
We also need to make sure that the financial application supports licensing for
Terminal Servers. Because using Terminal Services was recommended by the
vendor, it is likely that it does. However, we should review how many licenses
will be required and their cost.
What will the overall system look like from a user perspective when it is
implemented?
Answer: Because access is only for a single application, TS RemoteApp and
single sign-on should be used. Users will click an icon on their desktop and
they will be connected to the application. From the user perspective, it will be
just like opening an application installed locally on their computer.

Results: After this exercise, you should have a completed plan for implementing WSS
and Terminal Services.


Exercise 2: Implementing Windows SharePoint Services
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Minimize the Lab Launcher window.

Task 2: Install Windows SharePoint Services


1. On SEA-DC1, click Start, and click Run.
2. In the Open box, type D:\Labfiles\Mod05\SharePoint.exe, and then click
OK.
3. On the Read The Microsoft Software License Terms page, select the I accept
the terms of this agreement check box, and then click Continue.
4. On the Choose The Installation You Want page, click Basic.
5. Verify that Run the SharePoint Products and Technologies Configuration
Wizard now is selected, and then click Close.
6. In the SharePoint Products And Technologies Configuration Wizard, click
Next.
7. Click Yes to close the warning window. Installation may take up to 10
minutes.
8. On the Configuration Successful page, click Finish. Internet Explorer will
open automatically and prompt you for a logon.
9. Log on as Adatum\Administrator with a password of Pa$$w0rd. Initial logon
will be slow because all of the scripts start for the first time.
10. Verify that you have successfully logged on to WSS. Note that the path used to
access the server is http://sea-dc1.
11. Close Internet Explorer.


Task 3: Review the Web site configuration
1. On SEA-DC1, click Start, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. Expand SEA-DC1, and click Application Pools. Notice that two new
application pools have been created for SharePoint.
3. Click Sites. Notice that there are two new Web sites. SharePoint 80 is the
main SharePoint site bound to Port 80. SharePoint Central Administration is
for administering SharePoint on a random port number.
4. Double-click SharePoint 80, and then double-click Authentication. Notice
that Windows Authentication is enabled.
5. Close Internet Information Services (IIS) Manager.

Task 4: Configure Internet Explorer for Windows Authentication


1. On SEA-DC1, click Start, type Internet Options, and then press ENTER.
2. In the Internet Properties window, click the Security tab, click Local
Intranet, and then click Sites.
3. In the Add this website to the zone box, type http://sea-dc1, and then click
Add.
4. If prompted, click Yes to move the site to the Local intranet zone.
5. Click Close, and then click OK.
6. Click Start, point to All Programs, and then click Internet Explorer.
7. In the Address bar, type http://sea-dc1, and then press ENTER. Notice that
you are no longer prompted for credentials.
8. Close Internet Explorer.


Task 5: Back up Windows SharePoint Services
1. On SEA-DC1, click Start, and then click Command Prompt.
2. Type md C:\SPBackup, and then press ENTER.
3. Close the command prompt.
4. Click Start, point to Administrative Tools, and then click SharePoint 3.0
Central Administration.
5. Click the Operations tab.
6. Under Backup and Restore, click Perform a backup.
7. Select the Farm check box, and then click Continue to Backup Options.
8. Enter the following settings, and then click OK.
Backup content: Farm
Type of Backup: Full
Backup File Location: C:\SPBackup
9. Click Refresh every minute or so until the backup job is complete.
10. Close Internet Explorer.

Results: After this exercise, you should have successfully implemented Windows
SharePoint Services and verified the configuration.


Exercise 3: Implementing Terminal Services
Task 1: Install Terminal Services
1. On SEA-DC1, click Start, and click Server Manager.
2. In the left pane, click Roles, and then click Add Roles.
3. In the Add Roles Wizard, click Next.
4. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
5. Read the Terminal Services page, and then click Next.
6. On the Select Role Services page, select the Terminal Server check box.
7. In the warning window, click Install Terminal Server anyway (not
recommended), and then click Next.
8. Read the Uninstall And Reinstall Application For Compatibility page, and
then click Next.
9. Read the Specify Authentication Method For Terminal Server page, click Do
not require Network Level Authentication, and then click Next.
10. On the Specify Licensing Mode page, click Configure later, and then click
Next.
11. On the Select User Groups Allowed Access To This Terminal Server page,
click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Results page, click Close.
14. Click Yes to restart the server.
15. Log on as Adatum\Administrator with a password of Pa$$w0rd.
16. Wait for the configuration to complete, and then click Close.
17. Close Server Manager.


Task 2: Install the financial application
1. Click Start, and then click Computer.
2. Browse to D:\Labfiles\Mod05, and double-click CalcPlus.msi.
3. In the Microsoft Calculator Plus window, click Next.
4. On the License Agreement page, click I Agree, and then click Next.
5. On the Select Installation Folder page, use C:\Program Files\Microsoft
Calculator Plus\, click Everyone, and then click Next.
6. Click Close, and then close the Windows Explorer window.

Task 3: Prepare the financial application for distribution as a RemoteApp program

1. Click Start, point to Administrative Tools, point to Terminal Services, and
then click TS RemoteApp Manager.
2. In the actions pane, click Add RemoteApp Programs.
3. In the RemoteApp Wizard, click Next.
4. Select the Microsoft Calculator Plus check box, and then click Next.
5. Click Finish.
6. In the RemoteApp Programs area, click Microsoft Calculator Plus.
7. Under Other Distribution Options, click Create Windows Installer Package.
8. In the RemoteApp Wizard, click Next.
9. On the Specify Package Settings page, click Next.
10. On the Configure Distribution Package page, select the Desktop check box,
and then click Next.
11. Click Finish.
12. In the Packaged Programs window, browse up to C:\Program Files.
13. Right-click Packaged Programs, and then click Share.
14. Click Advanced Sharing.
15. Select the Share this folder check box, and then click OK.


16. Click Close, and then close all open windows.
17. Click Start, point to Administrative Tools, and then click Group Policy
Management.
18. In the Group Policy Management window, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, right-click Default Domain Policy,
and then click Edit.
19. Under User Configuration, expand Policies, expand Software Settings, right-
click Software installation, point to New, and then click Package.
20. Browse to \\SEA-DC1\Packaged Programs, click CalcPlus.msi, and then
click Open.
21. In the Deploy Software window, click Advanced, and then click OK.
22. In the Microsoft Calculator Plus Properties window, click the Deployment tab.
23. Under Deployment type, click Assigned.
24. Under Deployment options, select the Install this application at logon check
box, and then click OK.
25. Close all open windows.

Task 4: Test the new application


1. Log on to SEA-CL1 as Administrator with a password of Pa$$w0rd.
2. If the Microsoft Calculator Plus icon does not appear on the desktop, then
perform the following steps:
a. Click Start, type cmd, and then press ENTER.
b. At the command prompt, type gpupdate, and then press ENTER.
c. Close the command prompt.
d. Restart SEA-CL1, and log on again as Administrator.
3. Click Start, type gpedit.msc, and then press ENTER.
4. Under Computer Configuration, expand Administrative Templates, expand
System, and then click Credentials Delegation.


5. Double-click Allow Delegating Default Credentials, click Enabled, and then
click Show.
6. In the Show Contents window, click Add, type termsrv/SEA-
DC1.adatum.com, and then click OK.
7. In the Show Contents window, click OK.
8. In the Allow Delegating Default Credentials Properties window, click OK.
9. Close the Local Group Policy Editor.

Note: In a production environment, you would configure the group policy setting by
using a GPO rather than the local Group Policy.

10. On the desktop, double-click the Microsoft Calculator Plus icon.


11. Select the Don't ask me again for remote connections to the computer check
box, and then click Connect.
12. Wait while the application starts. This may take a few moments to log on to
the Terminal Server.
13. Close Microsoft Calculator Plus.

Note: Opening the application a second time is much faster.
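The credential delegation allow-list that steps 3 to 9 configure through gpedit.msc can be set and audited from PowerShell against the registry values the policy writes. This is an added example, not part of the course material: it assumes the policy's registry location under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, uses the SPN from the lab, and the function names are my own.

```powershell
# Added example (not from the course): manage the "Allow Delegating Default
# Credentials" policy behind single sign-on to the Terminal Server.
# Run in an elevated PowerShell session on the client (SEA-CL1 in the lab).
# A domain GPO that sets this policy overwrites these values at the next refresh,
# which is why production deployments use a GPO rather than local settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ListKey   = Join-Path $PolicyKey 'AllowDefaultCredentials'

function Set-TsCredentialDelegation {
    param([string[]]$Spn)   # e.g. 'termsrv/SEA-DC1.adatum.com' as in the lab

    # Enable the policy and keep the OS defaults ("Concatenate OS defaults" box).
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'AllowDefaultCredentials' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'ConcatenateDefaults_AllowDefault' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Replace the allow-list; entries are REG_SZ values named 1, 2, 3 ...
    Remove-Item -Path $ListKey -Recurse -ErrorAction SilentlyContinue
    New-Item -Path $ListKey -Force | Out-Null
    $i = 1
    foreach ($s in $Spn) {
        New-ItemProperty -Path $ListKey -Name $i -PropertyType String -Value $s | Out-Null
        $i++
    }
}

function Get-TsCredentialDelegation {
    # One object per allow-list entry. A wildcard SPN (for example termsrv/*)
    # lets the client send its logged-on credentials to any matching host,
    # so an audit should flag it; the lab's exact FQDN entry is the narrow form.
    if (-not (Test-Path $ListKey)) { return @() }
    (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Index    = [int]$_.Name
                Spn      = $_.Value
                Wildcard = $_.Value.Contains('*')
            }
        }
}

Set-TsCredentialDelegation -Spn 'termsrv/SEA-DC1.adatum.com'
Get-TsCredentialDelegation | Format-Table Index, Spn, Wildcard -AutoSize
```

Values written this way do not appear as configured in the Local Group Policy Editor, because that tool reads registry.pol rather than the policy keys; use it only to verify or script what the lab does by hand.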

Results: After this exercise, you should have successfully implemented a Terminal
Server and distributed a Terminal Services application.

To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
