
OFFICIAL MICROSOFT LEARNING PRODUCT

6430B
Planning for Windows Server 2008 Servers
Volume 2

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.
ii Planning for Windows Server 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront,
Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight,
SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media,
Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Product Number: 6430B

Part Number: X16-38601

Released: 11/2009
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft updates, supplements, Internet-based services, and support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Materials' original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not:
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of
this Licensed Content is at your sole risk. Microsoft grants no other express warranty. You may have
additional rights under local consumer protection law, which this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from
Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim
compensation for any other damages, including special, indirect or incidental damages and lost
profits.
This limitation applies to:
• anything related to the Licensed Content, to services or to content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change the rights conferred on you by the laws of
your country if those laws do not permit it to do so.
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a
student preparing for a career in IT.

• Microsoft Certified Trainers and Instructors: Your instructor is a technical and
instructional expert who meets ongoing certification requirements. And, if instructors
are delivering training at one of our Certified Partners for Learning Solutions, they are
also evaluated throughout the year by students and by Microsoft.

• Certification Exam Benefits: After training, consider taking a Microsoft Certification
exam. Microsoft Certifications validate your skills on Microsoft technologies and can help
differentiate you when finding a job or boosting your career. In fact, independent
research by IDC concluded that 75% of managers believe certifications are important to
team performance [1]. Ask your instructor about Microsoft Certification exam promotions
and discounts that may be available to you.

• Customer Satisfaction Guarantee: Our Certified Partners for Learning Solutions offer
a satisfaction guarantee and we hold them accountable for it. At the end of class, please
complete an evaluation of today's experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely,

Microsoft Learning
www.microsoft.com/learning

[1] IDC, Value of Certification: Team Certification and Organizational Performance, November 2006

Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.

Andy Warren, Subject Matter Expert

Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience
in the IT industry, many of which have been spent in writing and teaching. He has
been involved as the subject matter expert (SME) for the 5115B course for
Windows Vista and the technical lead on a number of other courses. He also has
been involved in TechNet sessions on Microsoft Exchange Server 2007. Based in
the United Kingdom, he runs his own IT training and education consultancy.

Byron Wright, Subject Matter Expert

Byron Wright is a partner in a consulting firm, where he performs network
consulting, computer systems implementation, and technical training. Byron is also
an instructor for the Asper School of Business at the University of Manitoba,
teaching management information systems and networking. Byron has authored
and coauthored a number of books on Windows servers, Windows Vista, and
Exchange Server, including the Windows Server 2008 Active Directory
Resource Kit.

Contents
Volume 1
Module 1: Planning Windows Server 2008 Deployment
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60

Module 2: Planning Network Infrastructure for Windows Server 2008
Lesson 1: Planning IPv4 Addressing 2-3
Lesson 2: Planning for Name Resolution Services 2-14
Lesson 3: Determining the Need for WINS 2-27
Lesson 4: Planning a Perimeter Network 2-37
Lesson 5: Planning an IPv4 to IPv6 Transition Strategy 2-42
Lab: Planning Network Infrastructure for Windows Server 2008 2-50

Module 3: Planning for Active Directory
Lesson 1: Selecting a Domain and Forest Topology 3-3
Lesson 2: Selecting a Domain and Forest Functional Level 3-19
Lesson 3: Planning Identity and Access Services in Active Directory 3-27
Lesson 4: Implementing Active Directory in the Physical Network 3-37
Lab: Planning for Active Directory 3-48

Module 4: Planning for Group Policy
Lesson 1: Planning Group Policy Application 4-3
Lesson 2: Planning Group Policy Processing 4-13
Lesson 3: Planning the Management of Group Policy Objects 4-24
Lesson 4: Planning the Management of Client Computers 4-37
Lab: Planning for Group Policy 4-52

Module 5: Planning Application Servers
Lesson 1: Overview of Application Servers 5-3
Lesson 2: Supporting Web-Based Applications 5-17
Lesson 3: Supporting SQL Server Databases 5-30
Lesson 4: Deploying Client Applications 5-48
Lesson 5: Planning Terminal Services 5-55
Lab: Planning Application Servers 5-64

Lab Answer Keys
Module 1 Lab: Planning a Windows Server 2008 Deployment L1-1
Module 2 Lab: Planning Network Infrastructure for Windows Server 2008 L2-13
Module 3 Lab: Planning for Active Directory L3-25
Module 4 Lab: Planning for Group Policy L4-35
Module 5 Lab: Planning Application Servers L5-47

Volume 2
Module 6: Planning File and Print Services
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66

Module 7: Planning Server and Network Security
Lesson 1: Overview of Defense-in-Depth 7-3
Lesson 2: Planning for Windows Firewall with Advanced Security 7-11
Lesson 3: Planning Protection Against Viruses and Malware 7-24
Lesson 4: Planning Remote Access 7-38
Lesson 5: Planning for NAP 7-45
Lab: Planning Server and Network Security 7-59
Planning for Windows Server 2008 Servers xvii

Module 8: Planning Server Administration


Lesson 1: Selecting the Appropriate Administration Tool 8-4
Lesson 2: Planning Server Core Administration 8-17
Lesson 3: Delegating Administration 8-27
Lab: Planning Server Administration 8-34

Module 9: Planning and Implementing Monitoring and Maintenance


Lesson 1: Planning Monitoring Tasks 9-3
Lesson 2: Calculating a Server Baseline 9-9
Lesson 3: Tools for Monitoring Server Performance 9-17
Lesson 4: Planning Software Updates 9-29
Lab: Planning and Implementing Monitoring and Maintenance 9-40

Module 10: Planning High Availability and Disaster Recovery


Lesson 1: Choosing a High-Availability Solution 10-3
Lesson 2: Planning a Backup and Restore Strategy 10-23
Lab: Planning High Availability and Disaster Recovery 10-34

Module 11: Planning Virtualization


Lesson 1: Overview of Server Virtualization 9-4
Lesson 2: Business Scenarios for Server Virtualization 9-13
Lesson 3: Overview of System Center Virtual Machine Manager 9-20
Lesson 4: Planning Host Resources 9-31
Lab: Planning Virtualization 9-42

Lab Answer Keys


Module 6 Lab: Planning File and Print Services L6-57
Module 7 Lab: Planning Server and Network Security L7-69
Module 8 Lab: Planning Server Administration L8-87
Module 9 Lab: Planning and Implementing Monitoring and
Maintenance L9-95
Module 10 Lab: Planning High Availability and Disaster Recovery L10-103
Module 11 Lab: Planning Virtualization L11-113
Planning File and Print Services 6-1

MCT USE ONLY. STUDENT USE PROHIBITED


Module 6
Planning File and Print Services
Contents:
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66

Module Overview

In the earliest days of networking, server computers were little more than simple
file or printer sharing devices. The term file-server evolved to describe the
departmental computer to which all users connected to access their files. Over the
years, servers have evolved and provide many additional services, such as e-mail
systems, databases, and other collaborative applications; however, the need to
share files and printers is still one of the most common reasons for organizations
to implement server computers.
Objectives
After completing this module, you will be able to:
Plan and deploy the Windows Server 2008 File Services role.
Manage storage effectively.
Implement an appropriate Distributed File System infrastructure.
Implement shared printing.

Lesson 1
Planning and Deploying the File Services Role

The File Services role provides the basic features that enable you to create shared
folders and make them available in a number of ways throughout your
organization.
Objectives
After completing this lesson, you will be able to:
Describe the function of each of the File Services role services.
Implement shared folders.
Manage access to shared folders.
Describe the considerations for the File Services role.
Deploy the File Services role.

What Are the File Services Role Services?

Key Points
Windows Server 2008 implements role-based deployments that enable you to
select the specific services that you want to deploy. This targeted deployment
extends to the elements that make up a role. The File Services role is comprised of
a series of separate functionalities, each of which provides a different feature set;
these functionalities are known as Role Services. The following table describes each
of the File Services Role Services.

File Server: Installs the Share and Storage Management snap-in. This tool enables you to more easily manage shared folders and volumes.

Distributed File System: The Distributed File System (DFS) enables you to consolidate a complex and distributed file share structure into a more navigable and manageable entity. There are two separate elements: DFS Namespaces and DFS Replication. You do not need to install them both. DFS Namespaces provides the primary functionality of DFS; that is, it enables the consolidated shared environment that users navigate and access. DFS Replication provides the multimaster replication engine that ensures target folders that are part of a namespace are synchronized.

File Server Resource Manager: The File Server Resource Manager (FSRM) is a suite of tools that enable you to configure and manage storage quotas, file screens, and generate storage reports.

Services for Network File System: UNIX and compatible operating systems have different folder sharing requirements from Windows-based client computers. Services for Network File System (NFS) provide the necessary services for UNIX client computers to be able to share files stored on a Windows Server 2008 server.

Windows Search Service: Windows Search Service is a new indexing solution that aims to speed up file searches of the more common areas of the Windows Server file system. It replaces the Indexing Service that was provided with earlier versions of Windows Server. Although Windows Server 2008 provides the Windows Server 2003 Indexing Service, you cannot install both this service and the Windows Search Service together on the same server. Use the Indexing Service only when you have a specific legacy application that requires it.
Note: The Select Role Services wizard prevents you from selecting both components.

Windows Server 2003 File Services: Consists of two separate components: the File Replication Service (FRS), and the Indexing Service. The FRS provides for file-level synchronization between file servers that are not implementing DFS. DFS Replication offers many benefits over FRS, so unless you need FRS for a legacy application, or to support integration with earlier versions of Windows Server, consider using DFS instead.
Note: By default, the SYSVOL folder is replicated by using FRS. You can reconfigure your domain controllers to use DFS Replication to replicate SYSVOL provided that your domain is in Windows Server 2008 functional mode.

When you decide to deploy the File Services role, you can select only the specific
role services that you need.

Managing Shared File Resources

Key Points

Public Folder Sharing
Public folder sharing provides a simple way to make your server files available to
others. Windows Server 2008 supports the use of only one Public folder for each
server computer. You can place any files that you want to make available publicly
in the Public folder. The Public folder is located at C:\Users\Public, and contains
the following subfolders:
Public Documents
Public Downloads
Public Music
Public Pictures
Public Videos

By default, Windows Server 2008 does not enable Public folder sharing. However,
files that the Public folder hierarchy stores are available to all users who have an
account on a given computer and who can log on to it locally. You cannot access
the Public folder from the network in this default configuration.

Note: Public folder sharing does not provide for granular control over permissions to
shared resources.

Basic Sharing
Basic folder sharing enables you to share a folder quickly and easily by right-
clicking the folder, and clicking Share. Although Windows creates the share name
automatically, you must define the permissions manually. The following table lists
the four simple share permissions that you can assign in this way, together with
the NTFS file system permissions to which each one corresponds.

Reader (NTFS: Read and Execute, List Folder Contents, Read): This gives read-only access.

Contributor (NTFS: Modify, Read and Execute, List Folder Contents, Read, Write): This permission allows a user or group full read and write access, but they may not change permissions or ownership.

Owner (NTFS: All, that is, Full Control, Modify, Read and Execute, List Folder Contents, Read, Write): The user who creates the share receives this permission. A share has only one owner, and this permission type grants full control of the share and its contents.

Co-owner (NTFS: All, that is, Full Control, Modify, Read and Execute, List Folder Contents, Read, Write): The share owner can grant additional users Co-owner permission, which entitles them to the same permissions level as the Owner.

Advanced Sharing
If you want to exert more control over the sharing process, use Advanced Sharing.
When you use Advanced Sharing to share a folder, you must specify:
A share name. The default name is the folder name.
The maximum number of simultaneous connections to the folder. The default
limitation is for 16,777,216 concurrent users.
Shared folder permissions. The Everyone group has default Read permissions.
Caching options. The default caching option enables files and programs that
users select to be available offline. You can disable offline files and programs,
and configure files and programs to be available offline automatically.

To use Advanced Sharing, right-click the folder that you want to share, click
Properties, click the Sharing tab, and then click Advanced Sharing.
There are only four different levels of shared folder permissions: full control,
change, read, and access denied. The following table summarizes the advanced
share permissions available.

Full Control: Allows a user or group to manage permissions, to change ownership, and to have full Read and Write share access.

Change: Allows Read and Write access, but no management permissions.

Read: Allows Read-only access.

Deny: Specifically denies Full Control, Change, or Read permissions to the user or group to whom you assign this permission.

Share permissions normally combine to provide the highest share permissions
assignment. For example, if users receive both Change and Read permissions to a
share, their effective permission will be Change. The exception to this is the Deny
permission, which overrides any other permission.

Note: By default, Read permissions are assigned to the Everyone group.


Best Practices for Sharing Folders
Use the following guidelines to help establish and maintain your folder sharing
infrastructure.
Group files into a folder hierarchy. It is easier to share files if you have
grouped them logically; for example, place departmental data files into a
departmental folder, and then share that single folder.
Enable network discovery. Before you can enable folder sharing, you must
configure your computer's visibility on the network. You can use the Network
and Sharing Center to configure computer visibility.
Use Advanced Sharing. Although enabling Public folder sharing or using
Basic sharing is straightforward, these mechanisms do not provide enough
administrative control for many situations; generally, it is more appropriate to
use Advanced sharing to make your files and folders available across the
network.
Consider caching carefully. Enabling caching improves file availability for
users that want to work offline. However, when large volumes of files are
synchronized, perhaps during the logon process, this can have a negative
impact on the network file server's performance. It is important to balance
availability with performance.
Change the default shared folder permission. It is usual to ensure that the
shared folder permissions match the NTFS file system permissions. However, if
appropriate NTFS file system permissions have already been applied to the
shared folder, you can simply assign Full Control to the Authenticated Users
group, because only the NTFS permissions then restrict access through the
share. This is discussed more fully in the next topic.

Managing Access Control

Key Points
To ensure the proper protection for your files when you share them, it is important
that you understand file-system security. NTFS file system permissions enable you
to define the access level that users have to files on the network or locally at your
Windows Server 2008 computer. You grant permissions on a file or folder for a
named user or group. An Access Control List (ACL) stores these permissions, and
controls what the user or group can do to the file or folder. The Local Security
Authority (LSA) enforces these permissions each time a user accesses the file or
folder.

The following table lists the available file permissions.

Full Control: Gives complete control of the file and permissions.

Modify: Enables user to change file content and delete files.

Read and Execute: Enables user to read files and start programs.

Read: Provides Read-only access.

Write: Provides Read and Write access.

The following table lists the available folder permissions.

Full Control: Gives complete control of the folder, its contents, and permissions.

Modify: Provides Read and Write access.

Read and Execute: Enables user to see folder contents and start programs.

List Folder Contents: Provides no permission over files in folder, but enables user to see them.

Read: Provides Read-only access.

Write: Enables user to change file content and delete files.

Permissions Inheritance
You can apply NTFS file system permissions at the file or the folder level. If you
apply permissions at the folder level, files and subfolders within the folder inherit
those permissions. If you set permissions at the file level, they apply only to that
file.
By grouping files together in folders, and assigning permissions to that folder, you
can manage permissions more efficiently. Consider an example. Alice Ciccu is in
charge of administering the Transport department files to which all other transport
users require read and write access. By setting the permissions on the Transport
Data folder so that user Alice Ciccu has Full Control permission and the Transport
group has Modify permission, inheritance will ensure that Alice and the Transport
group will receive the appropriate permissions in all the subfolders and files.

Effective Permission
When a user receives multiple NTFS file system permissions, these permissions are
normally cumulative. For example, if you assign a user both Read and Write
permissions from different group memberships, the user's effective permissions
would be both Read and Write. The exception to this rule is the Deny permission.
Deny permissions always override any Allow permissions. The Windows Vista
user interface provides an easy way to check effective permissions on the File and
Folder Properties Advanced tab.

Note: Explicitly allowed permissions take precedence over an inherited deny.

Combined Permissions
When allowing access to network resources on an NTFS volume, you should use
the most restrictive NTFS file system permissions to control access to folders and
files, and use the most restrictive shared folder permissions to control network
access.
When you create a shared folder on a partition that is formatted with the NTFS file
system, both the shared folder permissions and the NTFS file system permissions
combine to secure file resources. NTFS file system permissions apply whether
users access the resource locally or over a network.
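As an added example that is not part of the course material, the following Windows PowerShell script models the combination rules described in this topic and the previous one: cumulative NTFS permissions, Deny precedence, an explicit Allow taking precedence over an inherited Deny, and the more restrictive of share and NTFS access applying over the network. All users, groups and access control entries are constructed sample data, and the script assumes Windows PowerShell 2.0.

```powershell
# Added example, not from the course. Models the rules in this topic and the
# previous one so you can reason about effective access before editing a live
# ACL: NTFS permissions are cumulative, Deny wins over Allow at the same level
# of precedence, an explicit Allow wins over an inherited Deny, and access
# through a share is the more restrictive of the share and NTFS results.
# All users, groups and ACEs below are constructed sample data.
# Assumes Windows PowerShell 2.0 (for New-Object -Property).

# Rights conferred by each permission level (simplified from the tables above).
$ShareRights = @{
    'Read'         = @('Read', 'Execute')
    'Change'       = @('Read', 'Execute', 'Write', 'Delete')
    'Full Control' = @('Read', 'Execute', 'Write', 'Delete', 'ChangePermissions')
}
$NtfsRights = @{
    'Read'             = @('Read')
    'Write'            = @('Write')
    'Read and Execute' = @('Read', 'Execute')
    'Modify'           = @('Read', 'Execute', 'Write', 'Delete')
    'Full Control'     = @('Read', 'Execute', 'Write', 'Delete', 'ChangePermissions')
}

function New-Ace {
    # One access control entry. Inherited only applies to NTFS; share ACEs are explicit.
    param([string]$Principal, [string]$Type, [string]$Level, [bool]$Inherited = $false)
    New-Object PSObject -Property @{
        Principal = $Principal; Type = $Type; Level = $Level; Inherited = $Inherited
    }
}

function Resolve-Rights {
    # Evaluates ACEs in the order Windows does: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow. The first ACE that covers a right decides
    # it, which is why an explicit Allow beats an inherited Deny.
    param([string[]]$Principals, [object[]]$Aces, [hashtable]$RightsMap)
    $granted = @{}
    $denied  = @{}
    $ordered = $Aces | Sort-Object { ([int]$_.Inherited) * 2 + [int]($_.Type -ne 'Deny') }
    foreach ($ace in $ordered) {
        if ($Principals -notcontains $ace.Principal) { continue }
        foreach ($right in $RightsMap[$ace.Level]) {
            if ($granted.ContainsKey($right) -or $denied.ContainsKey($right)) { continue }
            if ($ace.Type -eq 'Deny') { $denied[$right] = $true } else { $granted[$right] = $true }
        }
    }
    return @($granted.Keys | Sort-Object)
}

function Get-EffectiveAccess {
    # $Principals: the user account followed by every group it belongs to.
    param([string[]]$Principals, [object[]]$ShareAces, [object[]]$NtfsAces)
    $viaShare = Resolve-Rights $Principals $ShareAces $ShareRights
    $viaNtfs  = Resolve-Rights $Principals $NtfsAces  $NtfsRights
    # Over the network both permission sets apply: only rights granted by both survive.
    $network = @($viaNtfs | Where-Object { $viaShare -contains $_ })
    New-Object PSObject -Property @{
        User    = $Principals[0]
        Local   = $viaNtfs -join ', '   # logged on at the server: NTFS alone applies
        Network = $network -join ', '   # through the share: share and NTFS combine
    }
}

# Constructed scenario: the share still carries the default Everyone: Read
# permission, while NTFS grants the Transport group Modify and Alice Full Control.
$shareAces = @( (New-Ace 'Everyone' 'Allow' 'Read') )
$ntfsAces  = @(
    (New-Ace 'Transport' 'Allow' 'Modify'),
    (New-Ace 'Alice'     'Allow' 'Full Control'),
    (New-Ace 'Interns'   'Deny'  'Write' $true)   # inherited from the parent folder
)
# Alice: Full Control locally, but the Read-only share caps her network access.
Get-EffectiveAccess @('Alice', 'Transport', 'Everyone') $shareAces $ntfsAces
# Bob, an intern in Transport: the explicit Allow Modify beats the inherited Deny Write.
Get-EffectiveAccess @('Bob', 'Interns', 'Transport', 'Everyone') $shareAces $ntfsAces
```

Compare the Local and Network columns for Alice to see why the best-practice topic recommends fixing the share permission rather than relying on the Everyone: Read default.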

Best Practice
Use the following guidance to help establish and maintain your NTFS file and
folder permissions.
Avoid using the Everyone group. If you enable a guest user account on your
computer, the Everyone group includes anyone. Therefore, you should remove
the Everyone group from any permission lists, and replace it with the
Authenticated Users group.
Group files into a hierarchy. This enables you to more easily rely on folder
inheritance when configuring permissions.

Only ever grant the minimum required permissions; use Full Control
permissions sparingly. In essence, aside from certain special folders that
are needed to support specific applications or features, folders fall into one
of three broad categories; these are: user home folders; data folders for
departments, or for the entire organization; and application folders. Generally,
you can assign users Full Control on their personal home folders. You should
assign only Modify permissions on departmental shared folders; this is
because assigning Full Control grants users the necessary permissions to
assign permissions, and to take ownership of files and folders. Finally, assign
only Read and Execute permissions on application folders.

Note: Be aware that if you grant your users Full Control of their home folders, it is
possible that they can remove administrator permissions; you can easily recover your
permissions, should you need to, but some administrators take the view that even on
home folders, users should only ever be assigned Modify permissions.

Planning Encrypting File System (EFS)

Key Points
Encrypting File System (EFS) is a system for encrypting data files that is included
as part of Windows 2000, Windows XP, Windows Server 2003, Windows Vista,
and Windows Server 2008. EFS generates a unique symmetrical encryption key to
encrypt each file and folder. The symmetrical key is stored in the file header.
Comparing EFS to NTFS permissions:
NTFS controls access to files and folders but these settings can be modified by
someone who did not create them if they have an appropriate set of
credentials.
EFS controls access to file contents regardless of the permissions that are set
on the file or folder; the contents can be accessed only by the person who has
encrypted them (or another allowed user), even if somebody has gained physical
access to the computer. It is only possible to use EFS to encrypt files when
they are stored on an NTFS formatted volume.

Comparing EFS to BitLocker:
BitLocker encrypts the whole hard drive. Any user who has credentials to
access a computer can therefore access that hard drive.
EFS encrypts individual files and folders and only the person who has
encrypted them (or another allowed user) has access to the contents of those
files and folders.

Note: EFS files can be shared with individual users, but not groups because there is no
mechanism to assign a certificate to a group.

Implementing EFS is suitable in situations where access to content needs to be
strictly controlled, such as legal or security data. For example, a legal document
on a shared drive could be encrypted so that only a few users have access to it,
rather than all users with NTFS permissions in the shared folder.
The process of encrypting and decrypting in EFS is completely transparent to the
user and to any applications involved. If a folder is configured for encryption any
file created in or moved to that folder will be encrypted.
By default, EFS is enabled; however, there are various configuration options that
you can use in Group Policy to implement EFS. To do so, go to the Computer
Configuration\Policies\Windows Settings\Security Settings\Public Key
Policies\Encrypting File System node in the Group Policy Management Editor.
The certificates required for EFS contain the necessary public and private keys.
If a Certification Authority (CA) is in place for the organization, the certificate
is requested from the CA. If a CA is not in place for the organization then EFS
automatically generates a self-signed certificate for the user. In general it is easier to
manage EFS certificates if they are generated and centrally managed by a CA. This
is particularly true for sharing EFS encrypted files. Self-signed certificates are stored
on the computer that has the encrypted file.

Keys in EFS are protected with the user password and stored in a user profile.
Therefore anyone who gains access to the password will then also be able to
decrypt any files that have been encrypted by that user. As such it is important to
enforce a strong password policy and educate users as to security best practices to
ensure the risk of credentials being exposed is reduced.

Note: When the password of a local user is reset by an administrator, Windows is unable
to read the private key stored in the user's profile. The key must be recovered from a
backup or a recovery agent must be used to recover the files.

You should also consider the use of smart cards, and storing keys on these cards, as
part of your EFS strategy. This requires a user to insert the smart card to access
encrypted files, and adds an additional layer of security.

Question: Why would EFS be used to encrypt data in addition to using NTFS
permissions?

Considerations for EFS Backup Strategy

Key Points
When encrypting data, you should be aware that, if the EFS keys are lost and there
are no recovery agents or key archival process in place, the EFS keys are not
recoverable; that is, you also lose access to the data. There is no other solution
available to access data if keys are lost. Therefore, a large part of planning for using
the EFS feature is to ensure that you can recover files in the event that keys are lost.
To allow for the recovery of encrypted files if keys are lost, EFS uses Data Recovery
Agents (DRAs). The DRA has the ability to access and open any encrypted file. As
such, it is a powerful facility and must be strictly controlled. You can use Group
Policy to specify one or more user accounts as Data Recovery Agents. By default, the
Administrator account is designated as the data recovery agent in the Default
Domain Group Policy object.
Recovery Keys are special purpose certificates that are then used by the Data
Recovery Agents to decrypt the data when keys are lost. When an account is
designated as a recovery agent, a recovery certificate or key is then created for the
specified DRA account. You should backup the recovery keys assigned to a DRA by
exporting them to external storage and keeping them in a safe place.

When a new DRA is added, it will apply to all files encrypted after that point in
time. However, the new DRA will not be added to existing encrypted files until
they are modified and saved.
Windows Server 2008 is capable of performing key archival for certificates issued
by the CA. This is an alternative to having users manually export their certificates,
including the private key. To allow for Key archival a user must be designated as a
Key Recovery Agent. The CA must be an Enterprise CA running on Windows
Server 2008 Enterprise Edition.
How an organization utilizes data recovery and key recovery depends on the
security policies of that specific organization. Organizations may have security
policies around access to keys or access to specific data. This policy will help
determine what approach is suitable to each organization.
You can recover keys from Active Directory backups, or recover the data by using
data recovery agents. By using Windows Server 2008, you can store your keys in
Active Directory for later recovery. Your plan should include contingencies for the
expiration date of both DRA and user keys.
You should plan for key recovery as part of your backup and recovery strategy.
You should ensure that you plan, test, and regularly perform EFS recovery on your
encrypted data and ensure that you can recover encryption keys and data as part of
that recovery strategy.

Note: Users are able to open encrypted files after their certificate expires. This allows the
user to open the files and update the existing keys with new keys. However, new files
cannot be encrypted by using keys from an expired certificate.
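As an added example that is not part of the course material, the following Windows PowerShell script uses cipher.exe, which ships with Windows Server 2008, to carry out the recovery preparations described in this topic and the previous one: backing up a user's EFS certificate and key, generating a Data Recovery Agent certificate, encrypting a folder, and updating existing encrypted files after the DRA has been published. The backup path, the folder E:\Legal and the file name are constructed placeholders.

```powershell
# Added example, not from the course. Uses cipher.exe (included with Windows
# Server 2008) for the recovery preparations this topic describes: back up the
# user's EFS certificate and key, generate a Data Recovery Agent (DRA)
# certificate, encrypt a folder, and update existing encrypted files once the
# DRA has been published through Group Policy. Paths and file names are
# constructed placeholders. Run from an elevated prompt as the user whose EFS
# key is being backed up; cipher prompts for the .pfx passwords.

$backupRoot = 'D:\EFSBackup'   # placeholder: removable media to be stored offline
$dataFolder = 'E:\Legal'       # placeholder folder holding restricted documents
New-Item -Path $backupRoot -ItemType Directory -Force | Out-Null

function Get-UnencryptedFile {
    # Lists files under $Path that lack the Encrypted attribute, which catches
    # files copied in before the folder was flagged or by tools that strip it.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse | Where-Object {
        -not $_.PSIsContainer -and
        (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0)
    }
}

# 1. Back up this user's EFS certificate and private key to a password-protected
#    .pfx. Without this (or a DRA), a lost key means the data is unrecoverable.
cipher.exe /x "$backupRoot\${env:USERNAME}-efs"

# 2. Generate a DRA certificate (.cer) and its private key (.pfx). Import the .cer
#    as a recovery agent under Computer Configuration\Policies\Windows Settings\
#    Security Settings\Public Key Policies\Encrypting File System in the Group
#    Policy Management Editor; keep the .pfx offline under strict control.
cipher.exe /r:"$backupRoot\DRA-${env:USERDOMAIN}"

# 3. Mark the folder so that every file created in or moved to it is encrypted.
cipher.exe /e /s:$dataFolder

# 4. Report any files that are still in clear text despite the folder setting.
Get-UnencryptedFile -Path $dataFolder | Select-Object FullName

# 5. After the DRA policy has applied (gpupdate /force), touch existing encrypted
#    files so the new DRA is written into their headers; until then the DRA only
#    covers files that are modified and saved after the policy change.
cipher.exe /u

# 6. Show the users and recovery agents that can open a given file.
cipher.exe /c "$dataFolder\Contract.docx"   # placeholder file name
```

Test the whole cycle on a lab server by importing the DRA .pfx for a different account and opening a file encrypted before step 5, which is the recovery rehearsal the topic calls for.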

Question: What planning documentation is there in your organization for EFS?
How can you ensure that this documentation is updated and modified?

Considerations for Planning File Services Role

Key Points
When planning for File Services, there are several key considerations that you must
keep in mind.

Performance
File-servers are by their nature fairly disk-intensive devices. Consequently, the two
critical performance-related resources in your file server are the physical disk and
the physical memory.
Remember that a Windows-based computer that has insufficient physical memory
uses the paging file to manage applications' memory needs, while a computer with
more physical memory than is currently required is more favorably disposed
toward the Windows cache manager's request for memory resources.
By adding memory to your file-server, you reduce paging and also ensure there is
plenty of memory for file-caching. In addition, use high-performance disk
subsystem components to help to optimize the file retrieval and storage processes.

High-Availability
Failure can occur in many different components in a file-server computer. It is
important to try to eliminate as many of these potential points of failure as
budgetary constraints will allow. For example, you can implement some or all of
the following technologies to help increase file-server availability:
Uninterruptable power supply (UPS). By implementing a UPS you can help
to protect the file system from corruption following a power-outage.
Redundant power-supply. The power-supply in a computer is one of the few
moving parts and is subject to significant wear-and-tear. In the event of failure
of this component, regardless of the installation of a UPS, the file-server will be
unavailable. By deploying servers with redundant power-supplies, you can
guard against this unavailability.
Redundant array of independent disks (RAID). There are a number of RAID
definitions that provide different fault-tolerance and performance
characteristics. Select a configuration that provides the best balance of these
factors for your organization.
File-server clustering. Ultimately, a file-server computer may fail for any
number of reasons and become unavailable. For particularly critical file-
servers, consider implementing the Windows Server 2008 Failover Clustering
feature.

Placement and Number
You must consider the number and placement of file-servers for your organization.
In small networks, a single file-server may suffice; in larger networks, especially
enterprise-level networks, many file-servers might be needed to support users' file
access needs. Factors that may influence your decision include:
Whether you have users located at branch offices or other remote locations.
Generally, unless you have exceptional circumstances, you should deploy one
or more file-servers, as needed, to each location that hosts users.
The link bandwidth and reliability between those locations and your central
offices. If your users access files at remote servers, and the available bandwidth
is not high enough to support the data throughput required, or the link is
unreliable, you must consider placing local file-servers at the remote locations;
you might also need to consider implementing a replication technology to
synchronize the data stored at the remote sites; for example, DFS Replication.

The workload imposed by users' activities on a server. Where your users' use
of a single file-server exceeds its capacity, consider scaling out; that is, adding
additional file-servers and distributing the workload among them. Use the
Windows performance monitoring tools to help to identify the workload on a
given file-server. A comparison of current workload with previously gathered
statistics, that is, trend analysis, will help you to anticipate capacity issues
before they arise.

Demonstration: Deploying the File Services Role

Key Points
Deploy the File Services role.
Create a folder and share it.
Secure the folder.

Question: What other methods can you use for configuring a shared folder and
securing it?

High-level steps:
1. Deploy the file services role at the SEA-SVR1 server.
2. Create and share the transport-data folder.
3. Secure the permissions on the transport-data folder.
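As an added example that is not part of the course demonstration, the following Windows PowerShell script carries out the three high-level steps above from an elevated prompt and applies the best practices from the earlier topics in this lesson. The domain CONTOSO, the Transport group, the user Alice and the drive letter are constructed placeholders; ServerManagerCmd.exe is the Windows Server 2008 command line (on Windows Server 2008 R2, Add-WindowsFeature replaces it).

```powershell
# Added example, not part of the course demonstration. Performs the three
# high-level steps above on SEA-SVR1 and applies the lesson's best practices:
# Authenticated Users rather than Everyone on the share, Modify rather than
# Full Control for the department group, and inheritance broken so the folder
# keeps only the ACEs set here. CONTOSO, the Transport group, Alice and the
# drive letter are constructed placeholders; run from an elevated prompt.

$folder    = 'E:\TransportData'      # placeholder path
$shareName = 'TransportData'
$deptGroup = 'CONTOSO\Transport'     # placeholder group: everyday users of the data
$owner     = 'CONTOSO\Alice'         # placeholder: administers the department files

# 1. Deploy the File Server role service (safe to rerun if already installed).
& "$env:windir\System32\ServerManagerCmd.exe" -install FS-FileServer

# 2. Create the folder and share it. The share permission is deliberately
#    generous for Authenticated Users; NTFS does the real access control.
New-Item -Path $folder -ItemType Directory -Force | Out-Null
net.exe share "$shareName=$folder" "/GRANT:Authenticated Users,FULL" "/REMARK:Transport department data"

# 3. Secure the folder with NTFS permissions.
$acl = Get-Acl -Path $folder
# Stop inheriting from the parent, discard the inherited ACEs, then remove any
# remaining explicit ACEs so that only the rules added below apply.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$grants  = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $owner;                   Rights = 'FullControl' },  # as in the Alice Ciccu example
    @{ Id = $deptGroup;               Rights = 'Modify' }        # no permission or ownership changes
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $g.Id, $g.Rights, $inherit, $prop, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Verify: no Everyone entry, nothing inherited, the department group at Modify,
# and the share carrying only the Authenticated Users grant.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
net.exe share $shareName
```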

Lesson 2
Managing Storage

Business in the digital age is tied to information, which must be stored. As an IT
professional, meeting the storage requirements of your organization poses constant
challenges.
Objectives
After completing this lesson, you will be able to:
Identify capacity and storage management challenges.
Describe the function of FSRM.
Plan FSRM quotas.
Plan FSRM file screens.
Use FSRM reports to help to manage storage.
Implement FSRM.
Describe a Storage Area Network.

Capacity and Storage Management Challenges

Key Points

Capacity Management
Capacity management is the process of planning, analyzing, sizing, and optimizing
methods that aim to satisfy an organization's increase in data storage demands. As
the data that you need to store and access increases, so does your need for capacity
management.
To enable you to meet the storage capacity requirements of your organization,
consider the following points:
Keep track of how much storage capacity is available.
Determine how much storage space you need for future expansion.

Knowing how the company is currently using storage makes planning for future
storage requirements much more predictable. You can determine who is using data
and what they are storing. Without policies and controls in place, users may often
use storage for noncompliant uses.

Storage Management
Storage management is the process of:
Identifying the misuse of storage space. Unapproved files and programs
create storage management issues. Many users store non-work-related files
and programs that consume storage. Storage management attempts to control
this misuse of corporate space.
Understanding the regulatory requirements that apply to your organization.
Planning for storage growth.
Providing for high availability.

To address storage challenges, you need to:
Analyze how storage is being used.
Define storage resource management policies.
Acquire tools to implement the policies.
Implement the policies.

After you analyze how storage is being used, resource management policies
become much easier to define. These policies determine the efficient and proper
use of available storage capacity, and having them in place makes planning for
future capacity more predictable. The policies should reflect the company's needs
and any external compliance requirements. Policies might also vary within a
company: some departments may require more storage than others, and some may
need to store files in specific ways. A newly defined policy may not suit the needs
of a particular group of users. In these situations, it may be necessary to implement
policies that slow storage growth and realign the group's operating procedures with
those of the organization.
The final step, after analyzing usage and defining policies, is to implement the
policies. Tools such as FSRM perform the tasks necessary for analyzing storage
usage, planning storage policies, and implementing them.

The following table describes some of these storage management solutions.

Solution: Capacity Management
    Explanation: Provides disk and volume space information.
    Windows-based tool or application: FSRM

Solution: Charge-Backs
    Explanation: Provides customer billing for storage costs.
    Windows-based tool or application: Indirect support through FSRM

Solution: Data and Media Migration
    Explanation: Allows data movement between different media types.
    Windows-based tool or application: File Server Migration Tool (FSMT)

Solution: Performance and Availability Management
    Explanation: Provides application, server, and subsystem information.
    Windows-based tool or application: System Center Operations Manager (SCOM)
    (using a hardware vendor management pack)

Solution: Policy Management
    Explanation: Sets and enforces policies for systems and users.
    Windows-based tool or application: FSRM (file screening)

Solution: Quota Management
    Explanation: Manages storage usage.
    Windows-based tool or application: FSRM

What Is File Server Resource Manager?

Key Points
FSRM is a complete set of tools that allows administrators to address the following
key file-server management challenges:
Capacity management. Monitors usage patterns and utilization levels. FSRM
addresses the challenge of analyzing how storage is being used in the
enterprise environment.
Policy management. Restricts which files are stored on the server. This
addresses the challenge of verifying that the stored and managed data is of an
appropriate nature, without requiring manual intervention. It also can prevent
accidental policy breaches if users inadvertently try to store noncompliant
files.
Quota management. Limits how much data can be stored on the server. This
ensures that users cannot exceed an allotted amount of capacity unless an
administrator specifies otherwise.
Reports. Provides storage capacity usage reports that help meet regulatory
requirements and give administrators, security groups, and management
personnel the information they need for oversight and auditing.

FSRM provides several features to accomplish storage management tasks. The
following table describes FSRM functions:

Function: Create quotas to limit the space allowed for a volume or folder
    Description: Allows you to set the maximum amount of space allotted to a user.
    It also allows the administrator to be notified if the quota is exceeded.

Function: Automatically generate quotas
    Description: Allows you to specify that quotas are generated dynamically when
    subfolders are created. This allows the storage volume to be managed without
    having to apply quotas every time a directory structure is modified.

Function: Create file screens
    Description: Enables file filtering based on file extensions. Common file
    categories can be grouped together to create file groups.

Function: Monitor attempts to save unauthorized files
    Description: Enables administrators to be notified when users attempt to save an
    unapproved file type.

Function: Define quota and file screening templates
    Description: Allows you to customize and implement a detailed company storage
    policy.

Function: Generate scheduled or on-demand storage reports
    Description: Allows you to create reports on a regular basis for review, or to
    create reports on demand when you need a report for immediate consumption.

Planning Quotas

Key Points
You use quota management to create quotas that limit the space allowed for a
volume or folder, and to generate notifications when quota limits are approached
or exceeded. By creating a quota for a volume or folder, you limit the disk space
that is allocated to it; the quota limit applies to the entire folder subtree. FSRM
provides quota templates that you can apply easily to new volumes or folders and
reuse across an organization. You also can auto-apply quota templates to all
existing folders in a volume or folder, as well as to any new subfolders created in
the future.

Types of Quotas
You can create two types of quotas:
Hard quota. A hard quota prevents users from saving files after the space limit
is reached, and it generates notifications when the data volume reaches the
configured threshold.
Soft quota. A soft quota does not enforce the quota limit, but it generates
configured notifications.

Notification Thresholds
To determine what happens as users approach the quota limit, you can configure
notification thresholds. For each threshold that you define, you can:
Send e-mail notifications.
Log an event.
Run a command or script.
Generate storage reports.

For example, when a folder reaches 85 percent of its quota limit, you might want
to notify the user who saved the file and their administrator, and then send another
notification when the quota limit is reached. In some cases, you might then want to
run a script that raises the quota limit automatically when a threshold is reached.
The following table outlines the advantages of using FSRM quota management
compared to NTFS disk quotas.

Quota feature: Quota tracking
    FSRM quotas: By folder or by volume
    NTFS disk quotas: Per user, per volume

Quota feature: Disk usage calculation
    FSRM quotas: Actual disk space
    NTFS disk quotas: Logical file size

Quota feature: Notification mechanisms
    FSRM quotas: E-mail, custom reports, command execution, event logs
    NTFS disk quotas: Event logs only

Default Quota Templates
FSRM provides several quota templates. To view the default templates, select the
Quota Templates node in the FSRM console tree. The default quota templates
include:
100 MB Limit. This template is configured as a hard quota with a 100-
megabyte (MB) limit. It also is configured to send e-mail and event-log
notifications when usage reaches 85, 95, and 100 percent of the limit.
200 MB Limit Reports to User. This template is configured with a hard quota
set at 200 MB. The notification thresholds are configured like those of the 100
MB Limit template, but this template also generates reports when usage reaches
100 percent, covering duplicate files, large files, and the least recently accessed
files. These reports are sent to the user who exceeded the threshold and are
stored in the %systemdrive%\StorageReports\Incident folder.
200 MB Limit with 50 MB Extension. This template is configured with a hard
quota set at 200 MB. The notification thresholds are set like those of the 100 MB
Limit template, but this template also runs a command that automatically raises
the quota limit by an extra 50 MB when usage reaches 100 percent.
250 MB Extended Limit. This template is applied automatically by the
command configured on the 100 percent threshold of the 200 MB Limit with
50 MB Extension quota template.
Monitor 200 GB Volume Usage. This is a soft quota set at 200 gigabytes (GB),
which allows users to exceed the limit. This template is used for monitoring,
and it is configured with threshold warnings and limits set at 70, 80, 90, and
100 percent.
Monitor 500 MB Share. This is a soft quota set at 500 MB. This template is
used for monitoring disk usage with notification thresholds set at 80, 100, and
120 percent.
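The template names listed above can be applied from the command line with dirquota.exe, the FSRM tool that ships with Windows Server 2008. The following is an added example, not part of the course: it applies a monitoring (soft) quota to the demonstration share, auto-applies a hard quota template to per-user subfolders, and creates one ad hoc quota without a template. The D:\transport-data paths are assumptions; parameter names are those of dirquota's built-in help (`dirquota quota add /?`).

```powershell
# Added example: applying FSRM quota templates on SEA-SVR1 with dirquota.exe.
# Run from an elevated PowerShell session with the FSRM role service installed.
# Assumptions: the share root is D:\transport-data and per-user home folders
# live under D:\transport-data\Users (both hypothetical).

$dataRoot = 'D:\transport-data'
$userRoot = 'D:\transport-data\Users'
New-Item -ItemType Directory -Path $userRoot, "$dataRoot\Archive" -ErrorAction SilentlyContinue | Out-Null

# Confirm the built-in template names before referring to them.
dirquota template list

# Soft quota on the whole share: notifications only, writes are never blocked.
# Use this to learn real usage before you pick a hard limit.
dirquota quota add "/path:$dataRoot" /sourcetemplate:"Monitor 500 MB Share"

# Auto-apply quota: every existing and future subfolder of Users gets its own
# 200 MB hard quota derived from the template, so a new home folder is covered
# without anyone remembering to add a quota.
dirquota autoquota add "/path:$userRoot" /sourcetemplate:"200 MB Limit Reports to User"

# Ad hoc hard quota without a template: 1 GB, warning threshold at 85 percent.
# Quotas created this way are not updated when a template changes, so prefer
# templates for anything you will apply more than once.
dirquota quota add "/path:$dataRoot\Archive" /limit:1GB /type:hard /add-threshold:85

# Show what is in force and how much of each quota is used. FSRM reports actual
# disk space consumed, not the logical file size NTFS disk quotas would count.
dirquota quota list "/path:$dataRoot"
dirquota autoquota list "/path:$userRoot"
```

Keep in mind that a hard quota is a denial-of-service lever as well as a housekeeping tool: a shared folder that many users write to can be filled by one of them, so put hard limits on per-user or per-project subfolders and a soft monitoring quota on the common root.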

Planning File Screens

Key Points
Many organizations face issues with network users storing unauthorized or
personal data on corporate file servers. Not only does this waste valuable storage
space, but it also lengthens the backup process and might put the company in
breach of privacy or security compliance requirements. You can use file screening to
manage the types of files that users can save on corporate file servers. Note that a
file screen matches file names (typically the extension), not file contents, so it
enforces a storage policy rather than acting as a security boundary.
A file screen provides a flexible method to control the types of files that are saved
on company servers. For example, you can ensure that music files are not stored in
personal folders on a server, yet still allow storage of specific media file types that
support legal rights management or comply with company policies. In the same
scenario, you might want to assign special privileges to the companys vice
president, allowing storage of any file types in his or her personal folder.
You also can implement a screening process to notify you by e-mail when an
unauthorized file type has been stored on a shared folder. The e-mail message can
include information such as the name of the user who stored the file and its exact
location so that you can take appropriate precautionary steps.

Before you begin working with file screens, you must understand the role file
groups play in determining the file screening process. A file group is used to define
a namespace for a file screen, file screen exception, or storage report.

Working with File Groups
A file group consists of a set of file name patterns that are divided into two lists:
files to include and files to exclude.
Files to include. File name patterns that belong to the group.
Files to exclude. File name patterns that are excluded from the group even when
an inclusion pattern matches them.

For example, an Audio Files file group might include the following file name
patterns:
Files to include: *.mp*. Includes all audio files created in current and future
MPEG formats (MPG, MP2, MP3, and so on).
Files to exclude: *.mpp. Excludes files created in Microsoft Project (.mpp
files), which would otherwise be included by the *.mp* inclusion rule.

FSRM provides several default file groups. You can define additional file groups, or
change the files to be included and excluded. Any changes that you make to a file
group affect all existing file screens, templates, and reports to which the file group
has been added.
To simplify file screen management, you should base your file screens on file
screen templates. A file screen template defines the following:
File groups to block. You can select what file groups to block in the file screen
template. You also can create or modify new file groups from the File Screen
Template Properties dialog box.
Screening types to perform. You can configure two screening types in a file
screen template: Active screening does not allow users to save any files related
to the selected file groups configured with the template. Passive screening still
allows users to save files but provides notifications for monitoring.
Notifications to be generated. Similar to quota templates, file screen
templates provide the ability to configure notifications by means of e-mail
messages, event logs, and reports. You also can configure specific commands
or scripts to run when a file screening event takes place.

By creating file screens exclusively from templates, you can manage your file
screens centrally by updating the templates instead of the individual file screens.
When you make changes to a template, you can choose to apply those changes to
all file screens that are based on that template or only to those file screens whose
properties match those in the template. This feature simplifies storage-policy
change implementation, by providing one central point from where you can make
all updates.
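The Audio Files example, the template-based approach, and the exception for an approved folder can all be expressed with filescrn.exe, the FSRM command-line tool in Windows Server 2008. The block below is an added example, not code from the course. The paths and the group and template names are assumptions; the final part writes constructed test files to show what a screen actually checks.

```powershell
# Added example: file group, file screen template, screen and exception with
# filescrn.exe (Windows Server 2008 FSRM), plus a behaviour check.
# Assumptions: share root D:\transport-data, approved media folder
# D:\transport-data\ApprovedMedia, custom names suffixed "(Transport)".

$dataRoot = 'D:\transport-data'
$mediaDir = 'D:\transport-data\ApprovedMedia'
New-Item -ItemType Directory -Path $mediaDir -ErrorAction SilentlyContinue | Out-Null

# File group: *.mp* catches .mp2, .mp3, .mpg and future MPEG extensions; *.mpp is
# excluded so Microsoft Project files are not caught by the same pattern.
filescrn filegroup add /filegroup:"Audio Files (Transport)" /members:"*.mp*" /nonmembers:"*.mpp"

# Template first, then a screen created from it, so a later change to the template
# can be pushed to every screen that was built from it.
filescrn template add /template:"Block audio (Transport)" /add-filegroup:"Audio Files (Transport)" /type:active
filescrn screen add "/path:$dataRoot" /sourcetemplate:"Block audio (Transport)"

# Exception: the approved media folder may hold audio despite the parent screen.
filescrn exception add "/path:$mediaDir" /add-filegroup:"Audio Files (Transport)"

filescrn screen list "/path:$dataRoot"

# What a screen does and does not do. Active screening rejects a file whose NAME
# matches the group; the content is never inspected, so the same bytes saved under
# another extension go through. Treat screens as storage policy, not as a malware
# or data-leakage control.
$bytes = [byte[]](1..64)                                   # constructed placeholder content
try {
    [IO.File]::WriteAllBytes("$dataRoot\song.mp3", $bytes)
    'UNEXPECTED: song.mp3 was accepted'
} catch {
    'Blocked as expected: ' + $_.Exception.Message        # FSRM returns access denied
}
[IO.File]::WriteAllBytes("$dataRoot\song.dat", $bytes)    # same bytes, different name: accepted
[IO.File]::WriteAllBytes("$mediaDir\song.mp3", $bytes)    # inside the exception: accepted
```

Passive screening (`/type:passive`) is the right starting point on a share that already has years of data on it: it logs and notifies without blocking, so the File Screening Audit report tells you who would be affected before you switch the template to active.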

Using Reports to Manage Storage

Key Points
To assist in capacity planning, you must be able to configure and generate
extensive reports based on current storage numbers. In this topic, you will learn
how to configure, schedule, and generate storage reports by using FSRM.
Storage reports provide information about file usage on a file server. The FSRM
Storage Reports Management feature allows you to generate storage reports on
demand and schedule periodic storage reports that help identify trends in disk
usage. You also can create reports to monitor attempts to save unauthorized files
by all users or a selected group of users.

Types of Storage Reports
The following list describes the storage report types in FSRM:
Large Files. Lists files that are larger than a specified size. Use this report to
identify files that are consuming excessive server disk space.
Files by Owner. Lists files that are grouped by owner. Use this report to
analyze server usage patterns and to identify users who use large amounts of
disk space.
Files by File Group. Lists files that belong to specified file groups. Use this
report to identify file-group usage patterns and to identify file groups that
occupy large amounts of disk space. This can help you determine which file
screens to configure on the server.
Duplicate Files. Lists duplicate files (files with the same name, size, and last-
modified date). Use this report to identify and reclaim disk space that is lost
due to duplicate files.
Least Recently Used Files. Lists files that have not been accessed for a
specified number of days. This report can help you identify seldom-used data
that could be archived and removed from the server.
Most Recently Used Files. Lists files that have been accessed within a
specified number of days. Use this report to identify frequently used data that
should be highly available.
Quota Usage. Lists quotas for which the quota usage is higher than a specified
percentage. Use this report to identify quotas with high usage levels so that
appropriate action can be taken. This report includes quotas that were created
for volumes and folders in FSRM only. It does not include quotas applied to
volumes in an NTFS file system.
File Screening Audit. Lists file screening violations that have occurred on the
server, for a specified number of days. Use this report to identify individuals or
applications that violate the file screening policy.

You can create report tasks that schedule one or more periodic reports, or you can
generate reports on demand and display them immediately. For on-demand reports,
as for scheduled reports, current data is gathered before the report is generated.

Configuring Report Parameters
Most reports have configurable report parameters, which determine the content
that the report includes. The parameters vary with the report type. For some
reports, you can use report parameters to select the volumes and folders on which
to report, set a minimum file size to include, or restrict a report to files that specific
users own.
To generate a set of reports on a regular schedule, you must schedule a report task.
The report task enables you to specify the following:
The volumes and folders on which to report. You can browse to include
specific folders or volumes in your report.
Which reports to generate. By default, all of the reports are selected for a
scheduled report task.
What parameters to use. You can modify specific parameters for each of the
reports that you are generating.
How often to generate the reports. By default, when you create a new
schedule, reports are automatically set to generate at 9:00 A.M. daily, starting
the next day. You can schedule daily, weekly, or monthly reports, or generate
one-time only reports.
Which file formats to use when saving reports. Reports can be saved in
DHTML, HTML, XML, CSV, and text-file formats. By default, DHTML is the
only format enabled.

The Scheduled Report Tasks node results pane includes the report task. Tasks are
identified by the reports to be generated, the namespace on which the report will
be created, and the report schedule. You also can view the current report status
(whether the report is running), the last run time and the result of that run, and
the next scheduled run time.
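To make the report criteria above concrete, here is an added example (not part of the course and not FSRM output) that applies two of them from PowerShell 2.0 against any folder: the Duplicate Files test (same name, size, and last-modified time) and the Least Recently Used test, together with the check a practitioner should make before trusting the latter. The D:\transport-data path and the 90-day window are assumptions.

```powershell
# Added example: a stand-in for two FSRM storage reports, written to show exactly
# what each report tests. Run elevated so that fsutil can be queried.
# Assumptions: folder D:\transport-data (hypothetical), 90-day idle window.

function Get-DuplicateFileReport {
    param([string]$Path)
    # FSRM's Duplicate Files report: files with the same name, size and
    # last-modified time. Reclaimable = every copy after the first.
    Get-ChildItem -Path $Path -Recurse -Force | Where-Object { -not $_.PSIsContainer } |
        Group-Object -Property Name, Length, LastWriteTime |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name        = $_.Group[0].Name
                Bytes       = $_.Group[0].Length
                Copies      = $_.Count
                Reclaimable = $_.Group[0].Length * ($_.Count - 1)
                Paths       = ($_.Group | ForEach-Object { $_.FullName }) -join '; '
            }
        }
}

function Get-LeastRecentlyUsedReport {
    param([string]$Path, [int]$Days = 90)
    # FSRM's Least Recently Used report keys on the last ACCESS time. Windows
    # Server 2008 disables last-access updates by default, in which case the stamp
    # only moves when a file is created or written and idle data is over-reported.
    $setting = fsutil behavior query disablelastaccess
    if ($setting -match '=\s*1') {
        Write-Warning 'DisableLastAccess = 1: LastAccessTime is not maintained on this server.'
    }
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -Force | Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.LastAccessTime -lt $cutoff } |
        Sort-Object LastAccessTime |
        Select-Object FullName, Length, LastAccessTime
}

# Usage on the demonstration share; CSV is one of the formats FSRM itself offers.
$target = 'D:\transport-data'
Get-DuplicateFileReport -Path $target | Sort-Object Reclaimable -Descending |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\DuplicateFiles-manual.csv"
Get-LeastRecentlyUsedReport -Path $target -Days 90 | Format-Table -AutoSize
```

The scheduled FSRM reports are still the tool of record, because they run under the Storage Reports service with consistent parameters; the point of the stand-in is that "least recently used" is only as good as the file system's last-access bookkeeping, which you should confirm before archiving anything on the strength of that report.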

Demonstration: Using FSRM to Manage Storage

Key Points
Configure FSRM quotas.
Configure FSRM file screens.
Produce an FSRM storage report.

Question: How could you benefit from using quotas in your organization?

Question: How could you benefit from using file screens in your organization?

High-level steps:
1. Configure quotas on the branch server (SEA-SVR1).
2. Configure a file screen on SEA-SVR1.
3. Configure FSRM options to enable reporting features.
4. Produce and examine a storage report.

What Is a Storage Area Network?

Key Points
Traditional file servers have tended to rely on direct-attached storage (DAS). In this
configuration, disks are either installed inside the file server or attached locally in a
disk array. DAS presents several storage management issues:
Inflexible resource sharing. Despite the fact that specific servers in your
organization might have excess storage, there is no easy way for this excess
storage to be redeployed to other servers that have additional storage
requirements. After a server has no more room for additional storage, the most
common way to add storage resources is to add a new server. The
disadvantages of this approach are increased capital expenditures and greater
management complexity.
Backup complexity. As the computers in the organization proliferate,
protecting the data on them becomes more expensive and complex to
accomplish. Because backups must be done directly on the system housing the
data, IT personnel usually find themselves required to purchase additional
tape backup systems. Full backups become more difficult to schedule without
cutting into working hours.
Hardware proliferation. More equipment means less space for other business
purposes, more licensing expenses, more setup time, and more hardware to
troubleshoot and fix should a failure occur. Overbuying storage to insulate
against shortages ties up capital resources, and because storage disks are
bound to a specific server, server use remains inherently inflexible, because
servers cannot readily be repurposed for other application use.

To address these issues, a number of network-based storage technologies have
evolved. Network Attached Storage (NAS) servers are designed for ease of
deployment and can be plugged directly into the network without disruption of
services. Managing a NAS appliance is relatively simple and presents a short
learning curve for most administrators. NAS servers are typically used to
consolidate file servers and backup equipment and to expand storage capacity.
However, NAS does not suit all applications; databases, for example, usually
need block storage that appears local to the database server.
Storage Area Network (SAN) solutions are ideal for database and online processing
applications that require rapid data access and block storage; however, because a
SAN is a dedicated network that can require specialized equipment, a great deal
more expertise is required to set up and maintain a SAN. In a SAN environment, a
storage volume appears local to a participating server.

Note: If the majority of documents that users must access are file based, NAS solutions
provide the most effective and low-cost networked storage solution. On the other hand,
if the greatest amount of information to be shared is produced by database applications,
SANs have been the most popular solution. For those many organizations that must
share both block-based and file-based data, a joint NAS-SAN solution can effectively
meet both needs.

SANs address the limitations of DAS in the following ways:
Highly effective resource sharing. Implementing a SAN solution facilitates
on-demand resource provisioning. Because all servers have access to the same
storage pool, accommodating peak storage needs is a matter of shifting
resources to servers on an as-needed basis, rather than systematically
overbuying storage resources for each server.
Better storage utilization. Storage capacity utilization increases from about 50
percent with DAS to about 80 percent on a SAN. This increased storage
utilization, occurring because multiple servers now access a common pool of
storage, dramatically reduces the need for the common practice of storage
over-provisioning.
Hardware consolidation and availability. SANs facilitate the sharing of
maximally up-to-date data, equipment consolidation (including shifting from
discrete tape drives to shared tape libraries), effective clustering and
redundancy solutions, high-performance I/O, and a reduction in network
traffic. The net results of deploying a SAN are more efficient storage resource
management, better data protection, high availability, and improved
performance.

SANs are designed to enable centralization of storage resources, while at the same
time overcoming the distance and connectivity limitations posed by DAS. Parallel
SCSI interconnections limit DAS devices to a distance of 25 meters and can
connect a maximum of only 16 devices. A typical SAN implementation can extend
the distance limitation to 10 kilometers or more and enable an essentially
unlimited number of devices to attach to the network. These factors allow SANs to
effectively uncouple storage from the server and to pool on a network where
storage can be shared and easily provisioned, without the problems of scaling
associated with DAS.

Note: You can find out more about SANs here:
http://go.microsoft.com/fwlink/?LinkID=163881&clcid=0x409

Lesson 3
Planning and Implementing the Distributed File System

In the Windows Server 2008 operating system, DFS enables you to create one or
more hierarchies of shared folders from across your network and replicate the
contents of those folders between servers where necessary; these hierarchies are
known as namespaces.
Objectives
After completing this lesson, you will be able to:
Describe DFS.
Plan a DFS namespace.
Plan DFS replication.
Use DFS to provide for data storage scenarios.

What Is DFS?

Key Points
DFS technologies in Windows Server 2008 provide a simplified way to access files
that are dispersed geographically throughout an organization. DFS also offers wide
area network (WAN)-friendly file replication between servers. DFS technologies
include:
DFS Namespaces
DFS Replication
Remote Differential Compression

DFS Namespaces
DFS Namespaces allows administrators to group shared folders located on
different servers into one or more logically structured namespaces. Each
namespace appears to users as a single shared folder with a series of subfolders.
The subfolders typically point to shared folders that are located on various servers
in multiple geographical sites throughout the organization.

DFS Replication
DFS Replication (DFS-R) is a multimaster replication engine used to synchronize
files between servers for both local and WAN network connections. DFS-R
supports replication scheduling, bandwidth throttling, and uses Remote
Differential Compression (RDC) to update only the portions of files that have
changed since the last replication. DFS-R can be used in conjunction with DFS
Namespaces or can be used as a stand-alone file replication mechanism.

Remote Differential Compression
Remote Differential Compression (RDC) identifies and synchronizes the data
changes on a remote source, and uses compression techniques to minimize the
data that is sent across the network. Instead of transferring similar or redundant
data repeatedly, RDC accurately identifies changes, referred to as deltas, within
and across files, and transmits only those changes to achieve significant bandwidth
savings. RDC detects data insertions, removals, or rearrangements in files, enabling
DFS-R to replicate only the changed file blocks when files are updated.
RDC also can use similar files that already exist on the receiving server as seeds
when transferring a new file, a feature known as Cross-File Remote Differential
Compression. RDC is suitable for WAN scenarios where the data transmission costs
outweigh the CPU cost of computing differences between files.

Note: RDC is not used on files smaller than 64 KB. In this case, the file is compressed
before it is replicated.

Additional Reading
Distributed File System Technology Center:
http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409
Overview of the Distributed File System Solution in Microsoft Windows Server
2003 R2: http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409
About Remote Differential Compression:
http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409

Considerations for Planning a DFS Namespace

Key Points

Domain-Based Namespace
A domain-based namespace is a DFS namespace that you create on a domain
member server, which uses the domain name in the DFS path. You can install
multiple namespace servers to host the same domain-based DFS namespace.
A domain-based namespace can be used when:
Namespace high availability is required.
You need to hide the name of the namespace servers from users. This also
makes it easier to replace a namespace server or migrate the namespace to a
different server. Users will then use the \\domainname\namespace format as
opposed to the \\servername\namespace format.

As with stand-alone namespace servers, domain-based DFS namespace servers
require the DFS Namespaces role service of the File Services role, but they provide
increased functionality if the namespace is in Windows Server 2008 mode, including:
Support for more than 5,000 folders with targets. (The 5,000-folder limit
applies to namespaces in Windows 2000 Server mode.)
Support for access-based enumeration of folders within the DFS hierarchy.

Note: Access-based enumeration allows users to list only the files and folders
to which they have access when browsing content on the file server. This eliminates user
confusion that can be caused when users connect to a file server and encounter a large
number of files and folders that they cannot access.

To use Windows Server 2008 mode, the following requirements must be met:
The domain must be at the Windows Server 2008 domain functional level.
All namespace servers must be running Windows Server 2008.

Note: You can migrate a domain-based namespace from Windows 2000 Server mode to
Windows Server 2008 mode by using the DFSutil command-line tool (export the
namespace, delete it, re-create it in Windows Server 2008 mode, and import the
exported configuration). Access-based enumeration on a DFS namespace is enabled
with DFSutil (dfsutil property abde); the Share and Storage Management MMC
enables access-based enumeration on individual shared folders, including the shares
that serve as folder targets.

Stand-Alone Namespace
A stand-alone namespace is a DFS namespace that you create on a single server.
The DFS namespace server may be a member of a domain or workgroup. A stand-
alone DFS namespace server only requires the File Server role. Stand-alone DFS
namespaces are not fault-tolerant, but you can install a stand-alone DFS namespace
as a cluster resource on a Windows Server 2008 server cluster.
A stand-alone namespace is used when:
Your organization has not implemented Active Directory directory service.
Your organization does not meet the requirements for a Windows Server 2008
mode, domain-based namespace, and you have requirements for more than
5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders
with targets.

The following table summarizes the characteristics of each namespace type.

Path
    Stand-alone namespace: \\ServerName\RootName
    Domain-based namespace: \\NetBIOSDomainName\RootName or
    \\DNSDomainName\RootName

Namespace information storage
    Stand-alone namespace: Server registry and memory cache
    Domain-based namespace: Active Directory and namespace server memory cache

Minimum Active Directory mode
    Stand-alone namespace: Active Directory not required
    Domain-based namespace: Windows Server 2008 mode to support the new features

Size
    Stand-alone namespace: Up to 50,000 folders with targets
    Domain-based namespace: Up to 50,000 folders with targets (Windows Server 2008
    mode; 5,000 in Windows 2000 Server mode)

High-availability support
    Stand-alone namespace: Create as a cluster resource on a server cluster
    Domain-based namespace: Implement additional namespace servers

Supports DFS Replication
    Stand-alone namespace: Only when part of an Active Directory domain
    Domain-based namespace: Yes

Increasing Namespace Availability
You can increase the availability of a domain-based namespace by specifying
additional namespace servers to host it. You can add additional namespace servers
to an existing DFS namespace by using the DFS Management Console.
Stand-alone DFS namespaces exist only on a single namespace server. You can
increase the availability of a stand-alone namespace by creating it as a resource in a
server cluster.

Folders
Folders are the primary namespace elements. They appear after the namespace
root (\\server\rootname or \\domain\rootname) and help build the namespace
hierarchy. You use folders in a namespace to organize file shares and their contents
in the same way you use folders on a hard disk to organize files. When you create a
folder using the DFS Management console, you type a name for the folder and
specify whether to add any folder targets.

Folder Targets
A folder target is a Universal Naming Convention (UNC) path to one of the
following locations:
A shared folder. For example, \\server\share.
A folder within a shared folder. For example, \\server\share\folder.
A path to another namespace. For example, \\domainname\rootname.

Increasing Folder Availability
You can increase the availability of each folder in a namespace by adding multiple
folder targets. The client receives all targets in the referral, so when one folder
target is unavailable the client moves to another without the user noticing that a
problem has occurred. If client failback is enabled on the namespace root or folder
(it is off by default), the client returns to the nearest target when that server
becomes available again. You should also configure replication among the folder
targets to keep their contents synchronized, and keep the NTFS and share
permissions identical on every target; otherwise a user's effective access changes
with whichever target the referral happens to return.
Considerations for Planning DFS Replication

Key Points
You can increase data availability in your organization by holding two or more
copies of files on different servers and configuring the shares as folder targets for
the same DFS folder in a namespace. To ensure that the files are the same in the
two different locations, you can configure DFS Replication to synchronize the
content.
DFS-R is a state-based, multimaster replication engine that supports replication
scheduling and bandwidth control. DFS-R uses remote differential compression
(RDC) to synchronize files and their contents between computers.
RDC is an advanced compression technology that optimizes data transfers over
networks that have limited bandwidth. Instead of transferring similar or redundant
data repeatedly, RDC accurately identifies file deltas and transmits only the
differences, which reduces the amount of data that is sent and the overall
bandwidth required for the transfer.
DFS Replication detects changes on the volume by monitoring the update
sequence number (USN) journal; this journal, together with the DFS Replication
database, keeps DFS Replication current. DFS Replication is self-healing and can
recover automatically from journal loss or loss of the DFS Replication database.
As stated previously, DFS-R is a multimaster replication engine that supports
replication scheduling and bandwidth throttling. DFS-R is the successor to the File
Replication Service (FRS) that was introduced in the Windows 2000 Server operating
system. When planning for DFS-R, it is important to consider the following key
points:
• DFS-R uses RDC. RDC is a client-server protocol that can be used to
  efficiently update files over a limited-bandwidth network. RDC detects data
  insertions, removals, and re-arrangements in files, enabling DFS-R to replicate
  only the changed file blocks when files are updated.
• DFS-R detects changes on the volume by monitoring the update sequence
  number (USN) journal, and replicates changes only after the file is closed.
• DFS-R uses a staging folder to stage a file before sending or receiving it. Staging
  folders act as caches for new and changed files to be replicated from sending
  members to receiving members.

Note: Each replicated folder has its own staging folder, which by default is located under
the local path of the replicated folder in the DfsrPrivate\Staging folder.

• DFS-R uses a version vector exchange protocol to determine which files need
  to be synchronized. The protocol sends less than 1 kilobyte (KB) per file
  across the network to synchronize the metadata associated with changed files
  on the sending and receiving members.
• When a file is changed, only the changed blocks are replicated, not the entire
  file. The RDC protocol determines the changed file blocks. Using default
  settings, RDC works for any type of file larger than 64 KB, transferring only a
  fraction of the file over the network.
• DFS-R uses a conflict resolution heuristic of last writer wins for files that are
  in conflict (that is, a file that is updated at multiple servers simultaneously)
  and earliest creator wins for name conflicts.
Note: Files and folders that lose the conflict resolution are moved to a folder known as
the Conflict and Deleted folder. You can also configure the service to move deleted files
to the Conflict and Deleted folder for retrieval should the file or folder be deleted. Each
replicated folder has its own Conflict and Deleted folder, which is located under the local
path of the replicated folder in the DfsrPrivate\ConflictandDeleted folder.

• DFS-R is self-healing and can automatically recover from USN journal wraps,
  USN journal loss, or loss of the DFS Replication database.
• DFS-R uses a Windows Management Instrumentation (WMI) provider that
  provides interfaces to obtain configuration and monitoring information from
  the DFS Replication service.
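The version-vector exchange and the two conflict heuristics described above, modelled in Python as an added illustration (not Microsoft's code and not the DFS-R implementation); member names, USNs, file ids and clock values are constructed, and file content is a string rather than file blocks:

```python
"""Toy model of the DFS-R behaviour described above: a version-vector exchange
that ships only versions the receiver has not seen, last-writer-wins for a file
updated on two members, earliest-creator-wins for two files created with the
same name, and losers moved to DfsrPrivate\\ConflictAndDeleted.
Added illustration, not Microsoft's code: member names, file ids, USNs and
clock values are constructed, and content is a string rather than file blocks."""
from __future__ import annotations

from dataclasses import dataclass

CONFLICT_DIR = r"DfsrPrivate\ConflictAndDeleted"  # per replicated folder, as the note states


@dataclass(frozen=True)
class Record:
    name: str       # file name inside the replicated folder
    file_id: str    # identity of the file object; two ids under one name = name conflict
    content: str
    origin: str     # member that wrote this version
    usn: int        # that member's USN for the write; (origin, usn) is the version
    created: int    # creation time, constructed clock ticks
    modified: int   # last-write time, constructed clock ticks


class Member:
    """One replication group member holding one replicated folder."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.files: dict[str, Record] = {}            # name -> current version
        self.vv: dict[str, int] = {}                  # version vector: origin -> highest USN seen
        self.conflict_and_deleted: list[Record] = []  # what landed in CONFLICT_DIR

    def write(self, name: str, content: str, created: int, modified: int) -> Record:
        """Local change, recorded once the file is closed; bumps this member's USN."""
        usn = self.vv.get(self.name, 0) + 1
        self.vv[self.name] = usn
        old = self.files.get(name)
        file_id = old.file_id if old else f"{self.name}-{usn}"  # an edit keeps the identity
        rec = Record(name, file_id, content, self.name, usn, created, modified)
        self.files[name] = rec
        return rec

    def changes_unseen_by(self, peer_vv: dict[str, int]) -> list[Record]:
        """Version-vector exchange: only versions the peer has not seen go on the wire."""
        return [r for r in self.files.values() if r.usn > peer_vv.get(r.origin, 0)]

    def apply(self, incoming: Record, sender_vv: dict[str, int]) -> None:
        local = self.files.get(incoming.name)
        if local is None:
            self.files[incoming.name] = incoming
            return
        if local.file_id == incoming.file_id:
            # Same file. If the sender had already seen our version, this is just a
            # newer write; otherwise both members changed it and the last writer wins.
            if local.usn <= sender_vv.get(local.origin, 0):
                self.files[incoming.name] = incoming
                return
            winner = max(local, incoming, key=lambda r: (r.modified, r.origin, r.usn))
        else:
            # Different files created under the same name: the earliest creator wins.
            winner = min(local, incoming, key=lambda r: (r.created, r.origin, r.usn))
        loser = incoming if winner is local else local
        self.files[incoming.name] = winner
        self.conflict_and_deleted.append(loser)  # the loser is moved, not destroyed


def sync(sender: Member, receiver: Member) -> list[Record]:
    """One-way pass: receiver offers its vector, sender ships unseen versions, vectors merge."""
    shipped = sender.changes_unseen_by(receiver.vv)
    for rec in shipped:
        receiver.apply(rec, sender.vv)
    for origin, usn in sender.vv.items():
        receiver.vv[origin] = max(receiver.vv.get(origin, 0), usn)
    return shipped


def demo() -> tuple[Member, Member]:
    """Two members edit one file concurrently and create different files under one name."""
    hub, branch = Member("SEA-DC1"), Member("SEA-SVR1")
    hub.write("report.docx", "v1", created=1, modified=1)
    sync(hub, branch)                                          # initial replication
    hub.write("report.docx", "v2", created=1, modified=5)      # edited on both sides...
    branch.write("report.docx", "v3", created=1, modified=7)   # ...branch saved last
    hub.write("notes.txt", "from hub", created=10, modified=10)
    branch.write("notes.txt", "from branch", created=9, modified=9)  # created first
    sync(hub, branch)
    sync(branch, hub)
    return hub, branch


if __name__ == "__main__":
    for m in demo():
        print(m.name, {n: r.content for n, r in m.files.items()},
              "moved to", CONFLICT_DIR, [r.content for r in m.conflict_and_deleted])
```

After both passes the members converge on the same content, and the losing versions are still retrievable from each member's Conflict and Deleted folder.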

Additional Reading
Distributed File System Replication: Frequently Asked Questions:
http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409
DFS Data Storage Scenarios

Key Points
You can configure DFS Replication groups in two ways:
• You can use a multipurpose replication group for replication of data between
  two or more servers for the purpose of data availability, publication, or
  content-sharing scenarios. This type of replication group uses multimaster
  replication.
• You can use a data collection replication group for replication of data between
  two or more servers in a branch office scenario to enable backup of the branch
  office data at the main office (also referred to as a hub site). Data collection
  replication groups also use multimaster replication. In this scenario, no users
  perform backup tasks at the branch office and administrators at the main
  office can back up and restore data by using the replicated folder. In this
  scenario, it is recommended that you configure permissions to prevent main
  office users from modifying the replicated content.
Several key scenarios can benefit from DFS Namespaces and DFS Replication.
These scenarios include:
• Sharing files across branch offices
• Data collection
• Data distribution

Sharing Files Across Branch Offices


Large organizations that have many branch offices often have to share files or
collaborate between these locations. DFS-R can help replicate files between branch
offices or from a branch office to a hub site. Having files in multiple branch offices
also benefits users who travel from one branch office to another: the changes that
users make to their files while in another branch office are replicated back to their
home branch office.

Note: We recommend this scenario only if users can tolerate some file inconsistencies as
changes are replicated throughout the branch servers. Also note that DFS-R only
replicates a file after it is closed. Therefore, DFS-R is not recommended for replicating
database files or any files that are held open for long periods of time.

Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub
site, thus allowing the files to be used for a number of specific purposes. Critical
data can be replicated to a hub site using DFS-R, and then backed up at the hub
site using standard backup procedures. This increases the branch office data
recoverability if a server fails, because files will be available in two separate
locations and also backed up. Additionally, companies can reduce branch office
costs by eliminating backup hardware and onsite information technology (IT)
personnel expertise. Replicated data also can be used to make branch office file
shares fault-tolerant. If the branch office server fails, clients in the branch office can
access the replicated data at the hub site.

Data Distribution
You can use DFS Namespaces and DFS-R to publish and replicate documents,
software, and other line-of-business data throughout your organization. DFS
Namespaces and folder targets can increase data availability and distribute client
load across various file servers.
Lesson 4
Planning and Implementing Shared Printing

You are undoubtedly familiar with the process of administering printers. However,
in Windows Server 2008, the new Print Services role enables you to share your
attached printers on the network and to centralize print server and network printer
management tasks.
Objectives
After completing this lesson, you will be able to:
• Describe the shared printing components.
• Describe a print server.
• Manage printer drivers.
• Manage shared printers with Group Policy.
Overview of Shared Printing

Key Points
To help you plan more effectively for shared printing, it is important to understand
the components and terminology of the shared printing architecture.
• Print queue. A logical representation of a physical printer; it is the software
  entity that links the printer that a user connects to with the print device that
  their output arrives on. You can configure the print queue to handle print jobs
  in a specified manner. The following table summarizes these settings.

Option | Description
Always available / Available from | The printer always prints output, or prints output only between the times you designate.
Priority | Jobs arriving at the printer are assigned a priority level from 1 through 99, where 1 is the lowest priority. By default, all jobs are assigned the lowest priority.
Spool print documents so program finishes printing faster | The print processor uses a spool folder to hold a print job until the print device is ready to process it and produce the output.
Start printing immediately | As the first page spools, the print device begins to produce the output.
Start printing after last page is spooled | The printer produces no output until the entire print job spools.
Print directly to the printer | This is useful only if you connect the printer locally and it has enough memory. This option disables the following four options: Hold mismatched jobs, Print spooled documents first, Keep printed documents, and Enable advanced printing features.
Hold mismatched jobs | The printer does not process jobs that a user submits after selecting the wrong paper type in the client application.
Print spooled documents first | Documents that finish spooling move ahead of unspooled jobs in the printer queue.
Keep printed documents | This option keeps a spool copy of local print jobs.
Enable advanced printing features | This enables Enhanced Metafile (EMF) printing, which results in faster spooling. However, the print job may take longer to complete. Disabling this setting results in RAW print processing, which may be more reliable.
New Driver | You can use this button to update the printer driver.
Printing Defaults | This option configures the default layout and paper handling options for print jobs.
Print Processor | This option defines the print processor for print jobs.
Separator Page | You can configure a separator page to print between jobs to help users manage their printouts.
• Print spooler. A software component that is responsible for rendering print
  jobs so that they can be passed to the physical print device by using the
  designated printer port.
• Printer ports. The port defines the way in which the physical print device is
  attached. A print device may be attached locally, for example by using a
  parallel port (LPT1) or a USB port. Alternatively, a print device may be
  attached to the network, and the port identifies the network path to the
  print device; for example, the Standard TCP/IP port enables an administrator
  to share a print device that is directly attached to the network by using its IP
  address.
• Printer driver. The printer driver is device specific and enables the print
  spooler and related components to render the output into a format that the
  printer understands.
• Print server cluster. To provide for high availability of shared printers, you
  can enable print server clustering.
What Is a Print Server?

Key Points
When planning print services, one of the first choices you must make is whether to
allow users to print directly to printers, or whether you want to share the printers
by using the Print Services role in Windows Server 2008. There are a number of
advantages to creating a print server:
• Printer management. The new Print Services role provides a consolidated and
  centralized management console that enables you to perform the following
  tasks:
  • Open and manage active print queues.
  • Pause and restart print jobs.
  • Deploy shared printers by using Group Policy.
  • Manage printer properties.
  • Add new printer drivers.
  • Manage existing printer drivers.
  • Manage printer forms.
  • Manage printer ports.
• Job redirection. If a user submits a print job to a shared printer, and the print
  device servicing that queue goes offline, you can redirect the print job to
  another print device without requiring the user to resubmit the job.
• Print device pools. For heavy print environments, you can create a shared
  printer, and define multiple ports for the printer. The print devices attached to
  these ports will share the output.
• Prioritize print jobs. You can create multiple printers that point to the same
  print device, each with a different priority. This enables jobs with a higher
  priority to get printed more quickly.

The main disadvantage of using a print server is that it imposes a load on the
server computer. Processing (rendering) print jobs can be CPU intensive. In
addition, spooling and de-spooling print jobs imposes a load on the disk
subsystem.
Managing Printer Drivers

Key Points

Managing Driver Packages


Printer manufacturers must ensure that their drivers are available in driver
packages that are installed through an INF file. Occasionally, an INF file references
a file that is missing from the driver package. The driver store checks for file
dependencies before importing the driver package. If any of the file dependencies
are missing, the driver package does not load into the driver store.
You can preinstall printer drivers by using the Print Management snap-in on your
print server. Users can then install these drivers with the Add Printer Wizard, or
use the Plug and Play process to install the printer. When you preinstall printer
drivers in this manner, you simplify the process of deploying approved printers,
and subsequently reduce calls to the help desk.
Managing Legacy Printer Drivers
Although Windows Server 2008 includes numerous enhancements to the printing
subsystem, the basic driver model remains unchanged since earlier versions of
Windows Server; therefore, Windows Server 2003 drivers are generally compatible
with Windows Server 2008. However, always check with the printer manufacturer
before using legacy printer drivers.

Using the Pnputil.exe Command


Use the Pnputil.exe command-line tool to manage the driver store. You can use
Pnputil to both add and remove packages from the driver store, and to list third-
party packages already in the store.
Pnputil performs the following tasks:
• Add a driver to the driver store.
• Add a driver to the driver store, and install the driver in the same operation.
• Delete a driver from the driver store.
• List all drivers in the driver store.

The Pnputil command-line syntax is listed in the following table (the switches are
prefixed with a hyphen, as in -a).

Command line | Details
pnputil.exe -a d:\usbcam\USBCAM.inf | Add a package specified by USBCAM.inf.
pnputil.exe -a c:\drivers\*.inf | Add all packages in C:\drivers.
pnputil.exe -i -a a:\folder\device.inf | Add and install a driver package.
pnputil.exe -e | List all third-party packages.
pnputil.exe -d oem0.inf | Delete package oem0.inf.
pnputil.exe -f -d oem0.inf | Force deletion of package oem0.inf.


Managing Printers with Group Policy

Key Points

Publishing
When you create and share a printer, you can optionally decide to list the printer
in Active Directory; this is known as publishing. Publishing makes it easier for
users to locate printers by searching for them.

Printer Locations
When you publish a printer, you can associate the printer with a location; this is a
multipart name that defines the physical location of the printer. In order to use
printer location strings, you must also define locations for your site and subnet
objects in Active Directory; this enables a client computer to determine its physical
location based on its IP configuration.
Names should be representative of the physical locations. Additionally, when
planning your naming structure, remember the following facts:
• Location names are in the form name/name/name/name/. The forward slash
  is the separator for each element of the name.
• A name can consist of any characters except for the forward slash.
• The number of levels in a name is limited to 256.
• The maximum length of a name element is 32 characters.
• The maximum length of an entire location name is 260 characters.

For example, if you have configured a site with the location string of Head
Quarters, and it contains a subnet called Floor6, and you have a printer in room3,
you might associate the location string Head Quarters/Floor6/room3 with the
printer. Users can now search by location, but you can also modify group policy
settings to prepopulate the printer location search dialog box with the current
computer location.
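The naming rules above, together with the subnet-based lookup that lets a client prepopulate its own location and list the printers published beneath it, as an added Python illustration (not Microsoft's code); the subnet-to-location table, the printer names and the 10.1.0.0/16 addresses are constructed for the example:

```python
"""Checks for the printer location strings described above, plus the lookup
that lets a client prepopulate the location search from its IP address.
Added illustration, not Microsoft's code; the subnet-to-location table and
the printer list are constructed for the example."""
from __future__ import annotations

import ipaddress

MAX_LEVELS, MAX_ELEMENT, MAX_TOTAL = 256, 32, 260  # limits stated in the text


def validate_location(location: str) -> list[str]:
    """Return every rule the string breaks; an empty list means it is usable."""
    problems: list[str] = []
    if len(location) > MAX_TOTAL:
        problems.append(f"total length {len(location)} exceeds {MAX_TOTAL}")
    # The documented form name/name/name/ may end in a separator; that is not an empty level.
    body = location[:-1] if location.endswith("/") else location
    elements = body.split("/")
    if len(elements) > MAX_LEVELS:
        problems.append(f"{len(elements)} levels exceeds {MAX_LEVELS}")
    for depth, element in enumerate(elements, start=1):
        if element == "":
            problems.append(f"level {depth} is empty")
        elif len(element) > MAX_ELEMENT:
            problems.append(f"level {depth} has {len(element)} characters, limit {MAX_ELEMENT}")
    return problems


def client_location(client_ip: str, subnet_locations: dict[str, str]) -> str | None:
    """Location of the most specific subnet object that contains the client's address."""
    ip = ipaddress.ip_address(client_ip)
    best: tuple[int, str] | None = None
    for cidr, location in subnet_locations.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, location)
    return best[1] if best else None


def printers_at(location: str, printers: dict[str, str]) -> list[str]:
    """Printers whose location lies at or below the given location (whole levels only)."""
    want = location.rstrip("/").split("/")
    return sorted(name for name, loc in printers.items()
                  if loc.rstrip("/").split("/")[:len(want)] == want)


# Constructed sample data: site/subnet location strings and published printers.
SUBNET_LOCATIONS = {"10.1.0.0/16": "Head Quarters", "10.1.6.0/24": "Head Quarters/Floor6"}
PRINTERS = {
    "HQ-F6-R3": "Head Quarters/Floor6/room3",
    "HQ-F2-R1": "Head Quarters/Floor2/room1",
    "WEST-SALES": "West Region/Sales",
}

if __name__ == "__main__":
    here = client_location("10.1.6.42", SUBNET_LOCATIONS)
    print("client location:", here, "->", printers_at(here or "", PRINTERS))
    print(validate_location("Head Quarters//room3"))
```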

Deploying Printers
Rather than installing and configuring the printer on each client computer, you can
use Group Policy to deploy shared printers. You can achieve this either by
using the Group Policy Management console, or by using the Print
Management snap-in. Deploying printers enables you to make the printer available
easily on the client computer.
Lab: Planning File and Print Services

Note: Your instructor may run this lab as a class discussion.

Adatum has a number of new sales offices in the western region. Allison Brown, the
IT manager, has asked you to look into deploying the necessary server roles to
support users in the region. The sales department users access a number of shared
folders at the head office location, and want access to that content in the regional
branch offices. In addition, you determine that storage management is a concern in
the regions; the branch servers will be deployed with DAS, and ensuring that they
do not run out of disk space is an important factor in your plans.
Exercise 1: Planning File and Print Services for a Branch
Office
Scenario
Your colleague, Alan Steiner, has been in discussion with Joe Healy, the Sales
manager. You contact Alan with some additional questions.
The main tasks for this exercise are as follows:
• Read the supporting documentation.
• Update the Sales Branch Offices: File and Print Services document with your
  proposals.

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Sales Branch Offices: File and Print Services document with your proposals
Answer the questions in the Sales Branch Offices: File and Print Services
document.
Supporting Documentation
E-mail thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 11 October 2009 08:41
To: Gregory@adatum.com
Subject: Re: Sales offices: file and print services
Attachments: Requirements.doc
Greg,
Yes, Joe and I had a meeting and he sent over the attached document. I've added
my comments, so it should have all the information you require.
Regards
Alan.
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 10 October 2009 17:10
To: Alan@adatum.com
Subject: Sales offices: file and print services
Alan,
I'm trying to determine which server roles I need to deploy to the regional sales
offices. I know you've been talking to Joe Healy. Rather than me repeat all the same
questions, what information did he provide about the way the department shares
its data?
Regards,
Greg
Requirements.doc
Alan,
As promised an overview of what we require at the branches.

We have a sales database, and that's in the process of being consolidated;
currently, it's distributed across a couple of disparate systems.
We also have some shared folders on the main sales server in the head office. We'd
like to get local copies of the content in these shared folders out to the regional
offices. In addition, any changes made at either end should be synchronized in
some way.
These shared folders have been getting quite a headache of late, and users are
having problems remembering the UNC names; it would be great if we could have
a single UNC to access all shared content from.
Recently, users have been copying all sorts of inappropriate files into the shared
folders; I don't think it's malicious, just ill informed. The result is a badly
structured folder hierarchy. I'd like to impose limitations on what type of files can
be stored, and where.
We've been running short on server storage space. I know you're planning a SAN
for each branch office as the sales teams move out to the regions; but that's not
going to help us short-term. We need to be efficient in disk consumption, so I'd
like a way of preventing users consuming too much space.
Joe Healy, Sales Manager

Additional comments added [Alan Steiner, IT Department]


• I've investigated the database issue; it won't affect us on your initial roll-out.
• We should prevent executable files from being placed in the data areas because
  these seem to be the main problem.
• 200 MB is ample storage for each user in the shared data area; few, if any, are using
  more than around 100 MB.
• The shared folder should follow corporate standards regarding permissions; that
  is, Modify permissions granted to the appropriate global group.
• We should be thinking about easy ways to deploy printers to these regions.
Alan Steiner, IT
Sales Branch Offices: File and Print Services

Document Reference Number: GW1510/1
Document Author: Gregory Weber
Date: 15 October

Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined in
the Requirements document.

Additional Information
The requirements are summarized as follows:
• Deploy server roles to support file and print services.
• Create a single UNC name to allow access to all sales shared resources. This single
  UNC name should not be a single point of failure.
• Provide for a means of synchronizing data between the branch and head office
  sales shared folders.
• Impose restrictions to prevent creation of executable files in data areas.
• Impose a hard limit on the amount of disk space each user can consume in the data
  folder.
• Deploy printers to client computers quickly and easily.
Proposals
1. What server roles will you need to deploy to the branch servers to satisfy these
requirements?

2. Will you need to make any changes to the infrastructure at the head office to
support these requirements?

3. What folder and shared folder permissions would you recommend for sales data
areas?
4. How will you address the requirement for a single UNC name for all sales shared
resources and avoid a single point of failure?

5. How will you synchronize the sales data at each location?

6. What role or feature enables you to impose a restriction on the types of files that
users can create in designated folders?

7. What role or feature enables you to impose a restriction on the disk space users
can consume in designated folders?

8. Provide additional details about the specifics of the process you will use to
provide for the previous two requirements:

9. How do you intend to deploy printers to client computers?

Results: After this exercise, you should have a completed Sales Branch Offices: File and
Print Services document.
Exercise 2: Implementing File and Print Services in a Branch
Office
Scenario
Your proposal for file and print services for the sales branch offices has been
approved. You must now implement a subset of your plan at a branch office.
The main tasks for this exercise are as follows:
1. Start the virtual machines, and log on.
2. Deploy the necessary server roles to support your plan.
3. Create, secure, and share data folders for the sales department.
4. Configure a DFS namespace.
5. Configure DFS-R to support your plan.
6. Configure FSRM to support your plan.
7. Deploy a shared printer for the branch office.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.
Task 2: Deploy the required server roles at the branch server
1. Switch to the SEA-SVR1 computer.
2. Open Server Manager.
3. Add the following roles and role services:
   • File Services
     • File Server
     • Distributed File System. Click Create a namespace later using the
       DFS Management snap-in in Server Manager.
     • File Server Resource Manager
   • Print Services
     • Default
4. Close Server Manager.

Task 3: Add additional role services on the SEA-DC1 computer
1. Switch to the SEA-DC1 computer.
2. Open Server Manager.
3. Add the Distributed File System role service to the File Services role.
   Click Create a namespace later using the DFS Management snap-in in
   Server Manager.
4. Close Server Manager.

Task 4: Create, secure, and share the Sales-data folders
1. On SEA-DC1, create a folder called D:\Sales-data.
2. Modify the default security:
   • Remove the ADATUM\Users permission from the folder.
   • Grant ADATUM\SalesGG Modify access on the folder.
3. Share the folder:
   • Share name: Sales-data
   • Share permissions: Everyone Full Control
4. Close all open windows.
5. On SEA-SVR1, create a folder called C:\Sales-data.
6. Modify the default security:
   • Remove the ADATUM\Users permission from the folder.
   • Grant ADATUM\SalesGG Modify access on the folder.
7. Share the folder:
   • Share name: Sales-data
   • Share permissions: Everyone Full Control
8. Close all open windows.

Task 5: Configure a DFS namespace
1. Switch to the SEA-DC1 computer.
2. Open DFS Management.
3. Create a new namespace with the following properties:
   • Server to host namespace: SEA-DC1
   • Name: Sales
   • Type: Domain-based namespace

Task 6: Add a namespace server
1. Add a new namespace server to the \\Adatum.com\Sales namespace:
   • Server name: SEA-SVR1
2. In DFS Management, expand Namespaces, click \\Adatum.com\Sales, and
   then in the results pane click the Namespace Servers tab. Verify that two
   servers are listed.
Task 7: Add a DFS folder
1. In DFS Management, in the navigation tree, right-click \\Adatum.com\Sales,
   and then click New Folder.
2. Create a new folder with the following properties:
   • Name: Corporate Sales Data
   • Folder target: \\sea-dc1\sales-data

Task 8: Add a folder target
1. In DFS Management, right-click Corporate Sales Data, and then click Add
   Folder Target:
   • Path to folder target: \\sea-svr1\sales-data
2. You are prompted to establish replication. In the Replication dialog box,
   click Yes.

Task 9: Create a replication group
1. In the Replicate Folder Wizard, click Next.
2. On the Replication Eligibility page, click Next.
3. Use the following information to complete the process:
   • Primary member: SEA-DC1
   • Topology selection: Full mesh
   • Replication Group Schedule: defaults
4. In the Replication Delay dialog box, click OK.
5. Close DFS Management.

Task 10: Configure quotas on the branch server
1. Switch to the SEA-SVR1 computer.
2. Open File Server Resource Manager.
3. Create a new quota with the following properties:
   • Quota path: C:\Sales-data
   • Select Auto apply template and create quotas on existing and new
     subfolders.
   • Quota template: 200 MB Limit Reports to User

Task 11: Configure a file screen for the branch server
In File Server Resource Manager, create a new file screen with the following
properties:
• File screen path: C:\Sales-data
• Block executable files

Task 12: Configure FSRM options
1. In the navigation tree, right-click File Server Resource Manager (Local), and
   then click Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and
   then click OK.

Task 13: Test the file screen settings
1. Switch to the SEA-CL1 computer.
2. Map drive letter Z to \\sea-svr1\sales-data.
3. Open a command prompt and execute the following commands:
   Z:
   Copy c:\windows\*.exe

Question: Were you successful?

4. Switch to the SEA-SVR1 computer.
5. In File Server Resource Manager, click Storage Reports Management.
6. In the action pane, click Generate Reports Now.
7. Create a new report with the following properties:
   • Folder name: C:\Sales-data
   • Reports to generate: File Screen Audit
   In the Generate Storage Reports dialog box, click OK.

Question: In Internet Explorer, examine the report. Which user attempted to
create executables in the C:\Sales-data folder?

8. Close all open windows.

Task 14: Deploy a shared printer with Group Policy
1. On SEA-SVR1, open Print Management.
2. Add a new printer to SEA-SVR1 with the following properties:
   • Add a new printer using an existing port: LPT1: (Printer Port).
   • Manufacturer: Canon
   • Type: Canon Inkjet MP700
   • On the Printer Name and Sharing Settings page, click Next.
   • On the Printer Found page, click Next, and then click Finish.
3. Right-click Canon Inkjet MP700, and then click Deploy with Group Policy.
4. Locate and select the Default Domain Policy.
5. In the Deploy with Group Policy dialog box, select the The users that this
   GPO applies to (per user) check box, and then click Add and OK.
6. In the Print Management dialog box, click OK.
7. Click OK to close the Deploy with Group Policy dialog box.
Task 15: Test the printer deployment
1. Switch to the SEA-CL1 computer.
2. Refresh the group policy, and then log off.
3. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
4. Click Start, click Control Panel, and then click Printer.

Question: Is the Canon printer listed?

5. Close all open windows.

Results: After this exercise, you should have successfully configured file and print
services for the branch office.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
   (VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. Which File Services server role supports UNIX users?

2. Why is using Public folder sharing inappropriate for many organizations?

3. Do you need to enable network discovery to be able to map network drives?

4. What RAID configuration would you recommend to provide a good balance
between fault tolerance and performance for an organization on a tight
budget?

5. Why would you implement a soft quota limit?




6. What notifications can you configure for when users approach their quota
thresholds?

7. What is the benefit of using templates for file screens or quotas?

8. What are the primary benefits of a SAN over DAS?

9. What is the primary advantage of a domain-based DFS namespace?

10. How can fault tolerance of the content in a DFS namespace be provided?


Module 7
Planning Server and Network Security
Contents:
Lesson 1: Overview of Defense-in-Depth 7-3
Lesson 2: Planning for Windows Firewall with Advanced Security 7-11
Lesson 3: Planning Protection Against Viruses and Malware 7-24
Lesson 4: Planning Remote Access 7-38
Lesson 5: Planning for NAP 7-45
Lab: Planning Server and Network Security 7-59


Module Overview

Maintaining security is an essential part of server and network management. One
way to analyze security requirements and solutions is by using the Defense-in-Depth
model. After identifying security requirements, you can use Windows
Server 2008 features such as Windows Firewall with Advanced Security and
Network Access Protection (NAP) to help secure your servers and network. When
planning server and network security, you must determine how to prevent viruses
and malware from entering your network. For remote users, you must determine
what type of VPN should be used.
Objectives
After completing this module, you will be able to:
Describe Defense-in-Depth.
Plan for Windows Firewall with Advanced Security.
Plan protection against viruses and malware.
Manage remote access.
Plan for NAP.


Lesson 1
Overview of Defense-in-Depth

The Defense-in-Depth model is a layered approach for analyzing network security.
It can be used to identify both risks and methods for mitigating those risks. The
layered approach allows you to see how mitigation methods can be combined for
greater security.
Objectives
After completing this lesson, you will be able to:
Describe the layers of the Defense-in-Depth model.
Describe how to use Defense-in-Depth to identify risks.
Describe how to use Defense-in-Depth to mitigate risks.


What Is Defense-in-Depth?

Key Points
Defending your organization in depth means that you apply a combination of
people, processes, and technology to protect against threats at each layer. If one
layer is compromised, the protections for other layers are still in place. Using a
layered approach increases the probability of detecting an attacker and reduces the
probability that an attack will be successful. As a general guideline, design and
build each layer of security under the assumption that every other layer has been
breached.


The layers of the Defense-in-Depth model are:
Policies, procedures, and awareness. This layer refers to the policies put in
place by the organization to protect data and other network resources. For
example, there could be a policy that dictates that USB drives are not to be
brought in from outside the organization. Many policies and procedures are
not enforceable with technology. In many cases, you rely on staff to follow the
rules. This layer affects all other layers because the policies and procedures
you create will be related to protecting the resources defined in the other
layers.
Physical security. This layer refers to restricting physical access to network
resources. For example, the server room should be kept locked, and wiring for
the network backbone should not be physically accessible to unauthorized
people. As with the policies, procedures, and awareness layer, this layer affects
the resources defined in all other layers.
Perimeter. This layer refers to the connectivity points between the
organization and other information systems. This includes the Internet and
partner networks.
Internal network. This layer refers to the overall internal network of an
organization. This includes LAN and WAN components such as switches and
routers.
Host. This layer refers to the individual client and server computers on the
network. The operating system of each host is included in this layer.
Application. This layer refers to the applications that run on network hosts.
Client applications such as Microsoft Office are included here. Server
applications such as Microsoft Exchange Server are also included here.
Data. This layer refers to the data stored on the network. Data stored in file
shares is included here. Data in other locations such as databases is also
included.


How to Use Defense-in-Depth to Identify Risks

Key Points
Some of the risks associated with Defense-in-Depth layers are:
Data. Any unauthorized or accidental access to data is a risk. This access can
include modification of data, deletion of data, or just viewing data.
Application. Loss of application functionality through denial of service is one
risk. However, a flawed application can also create risks for other layers, for
example, accidental data corruption.
Host. Operating system flaws are one source of risk. However, default
configuration options and weak passwords are also a risk. Failure of computer
components would also be included here.
Internal network. Risks on the internal network include packet sniffing and
unauthorized use of wireless networks. Visiting consultants who connect to
the network are also a source of risk, as is simple failure of network
components.


Perimeter. One source of risk is anonymous Internet users attempting to
break into your network or perform denial of service attacks. Partner networks
can also be a source of risk if their internal networks are compromised.
Physical security. The general rule of thumb for physical security of computer
networks is that any computer system that can be physically accessed is
vulnerable to utilities that can reset the Administrator password. This can be
done very quickly from a boot CD. Another risk is that a computer with data
can be stolen. Even accidental damage to exposed network components is a
concern (as could happen, for example, if a computer under a desk gets
kicked). Other more unusual risks related to physical security include flood
and fire.
Policies, procedures, and awareness. One risk is that staff do not follow the
policies and procedures that have been defined. This may be because they do
not see the benefit or because they are not aware of the policies and
procedures.


How to Use Defense-in-Depth to Mitigate Risks

Key Points
When you perform risk analysis, you need to consider the value of each asset, the
cost of downtime, and the likelihood of a risk occurring. After you have identified
all of the risks, you can begin to identify methods to mitigate those risks.
Eventually, after the risks and their mitigation methods have been identified, you
can select the mitigation methods that you want to implement.

Note: Elimination of risk is not a realistic goal for computer security. The goal should be
to mitigate risk in a cost-effective way based on your risk analysis.


Some ways to mitigate risk for the different layers of Defense-in-Depth are:
Data. To protect data, you can use access control lists (ACLs), NTFS
permissions, share permissions, EFS, BitLocker, and DRM.
Application. To protect applications, you should apply all security updates
when they become available. You should also configure applications securely,
for example by restricting the execution of ActiveX controls in Internet
Explorer. Finally, antivirus software should be used.
Host. For the operating system, you should apply security updates when they
become available. You should also configure your operating system in the
most secure way possible. For example, disable any unnecessary services. NAP
can be used to ensure that only healthy hosts connect to the network.
Internal network. Segmenting the network into multiple parts increases
security by allowing you to control communication between the segments. You
could place different departments on different segments. IPsec encrypts
network communication to ensure that it cannot be read by anyone with a
packet sniffer. Intrusion detection software monitors the network to identify
unusual activity.
Perimeter. The primary way to protect the perimeter of the network is by using
firewalls and proxy servers. However, virtual private networks are also used to
secure communication between remote users on the Internet and the
corporate network.
Physical security. The primary mechanism for enforcing physical security is
simply locking doors to prevent access to essential network components.
However, you can also use tracking devices for mobile hardware such as
laptops.
Policies, procedures, and awareness. When policies and procedures are
introduced in an organization, the goal is to get employees to follow them. The
simplest method is user education. Employees will not follow procedures that
they do not know exist. However, when policies are well known and not being
followed, some type of disciplinary measure may be required.


Discussion: Security Implementation

Key Points
Every organization evaluates security risks and asset values differently. With your
instructor, discuss the measures that your organization has in place to mitigate risk
at each layer of the Defense-in-Depth model.


Lesson 2
Planning for Windows Firewall with Advanced
Security

Windows Firewall with Advanced Security can be used to protect both clients and
servers on your network by implementing a firewall on each host. You must
determine the rules that will be used to protect the computers on your network.
This includes the inbound rules, outbound rules, and connection security rules.
After you have determined the rules to be implemented, you must determine how
the rules will be created and applied to each computer.


Objectives
After completing this lesson, you will be able to:
Describe the considerations for types of rules.
Describe the considerations for configuring rule options.
Describe the considerations for connection security rules.
Describe IPsec isolation.
Describe the considerations for applying rules.


Considerations for Types of Rules

Key Points
Windows Firewall with Advanced Security is an updated version of the Windows
Firewall that first appeared in Windows XP. One of the major updates is the
inclusion of outbound rules and connection security rules.
The types of rules are:
Inbound. These rules control the network connections that the local computer
will accept from other computers. By default, all inbound connections are
blocked.
Outbound. These rules control the network connections that the local
computer can make with other computers. By default, all outbound
connections are allowed.
Connection security. These rules are a replacement for the IPsec rules in
previous versions of Windows. They are used to create and control IPsec
connections between computers.


Considerations for the rule types are:
Block all inbound connections by default. This keeps a computer secure by
allowing only known connection types.
Create inbound rules to allow access to local applications when necessary. For
example, if a server application has been installed that uses port 8000, create a
new inbound security rule that allows connection for port 8000.
Use outbound rules to prevent communication with specific software. For
example, you can create an outbound rule that prevents users from accessing
an internal accounting Web server. You can also block a file-sharing
application.
To increase security, prevent outbound connections by default. This option
prevents unknown software on computers from communicating with other
computers. By doing this, you can prevent malware from spreading in your
organization because the malware on the infected computer will not be able to
create connections to other computers. However, there will be significant
administrative work to identify all of the allowed applications and create rules
that allow them to communicate on the network.
Use connection security rules to secure communication between computers.
The IPsec protocol initiated by using connection security rules encrypts
communication between computers to enhance security.
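The four considerations above, worked as a script. This is an added example, not part of the course text or of Microsoft's documentation; it uses the netsh advfirewall context that Windows Server 2008 and Windows Vista provide for scripting the firewall. The "Inventory Service" on TCP 8000, the file-sharing executable path and the accounting server address 10.0.5.20 are placeholders.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt.
# Placeholders: "Inventory Service" on TCP 8000, C:\Tools\ExampleShare\share.exe,
# and 10.0.5.20 as the internal accounting Web server.

# Default stance recommended above: block inbound, allow outbound, on every profile.
# (Quoted so PowerShell hands the comma-separated value to netsh as one argument.)
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# Inbound rule: let clients reach the server application on TCP 8000.
# Bound to the domain profile only, which is what a member server normally uses.
netsh advfirewall firewall add rule name="Inventory Service (TCP 8000 in)" dir=in action=allow protocol=TCP localport=8000 profile=domain

# Outbound rule: stop a known file-sharing program from using the network at all.
# A program rule works even though the program picks random ports.
netsh advfirewall firewall add rule name="Block ExampleShare (out)" dir=out action=block program="C:\Tools\ExampleShare\share.exe" enable=yes

# Outbound rule: keep this computer away from the accounting Web server.
netsh advfirewall firewall add rule name="Block accounting web (out)" dir=out action=block protocol=TCP remoteip=10.0.5.20 remoteport="80,443"

# Stricter stance discussed above: block outbound by default. Enable this only after
# every permitted application has an allow rule; without allow rules for DNS, AD and
# Windows Update the host stops functioning. Left commented out for that reason.
# netsh advfirewall set domainprofile firewallpolicy "blockinbound,blockoutbound"

# Review the result: default actions per profile, then the outbound rule set.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out
```

Each netsh command prints "Ok." on success; in a script check `$LASTEXITCODE` after each call rather than relying on the text.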


Considerations for Rule Configuration Options

Key Points
The rules you create in Windows Firewall with Advanced Security have a number
of options that can be configured. Unlike with some firewalls, with Windows
Firewall with Advanced Security the options for configuration are not limited to
just port-based rules. The rules can also be created for specific programs.
Windows Firewall with Advanced Security also recognizes different network
profiles. Windows Vista and Windows Server 2008 recognize each unique
network that you connect to based on the Media Access Control (MAC) address of
the default gateway. Each network can be given a name and is assigned a profile.
The profiles are:
Public. This profile is meant to be used on publicly accessible networks. It is
typically used for laptop users that roam in public locations such as hotels.
Private. This profile is meant to be used on private networks where other
computers are known and secure. It is used for trusted locations such as a
home network or a corporate network.


Domain. This profile is automatically assigned to any network that provides
authentication to a joined domain. In most cases, this will apply to computers
on a corporate network.

Considerations for rule configuration options are:
Simplify configuration by using program-based rules. Many applications that
create outbound connections use randomized port numbers. When
randomized port numbers are used, it is not possible to block the application
by port number. However, blocking the program is possible.
Use port-based rules when it is not possible to create program-based rules. For
example, Internet Information Services (IIS) cannot be blocked with a
program-based rule. For IIS you must create port-based rules.
Select the proper profile for rules. If you apply a rule to the wrong profile, it
will not be used. For example, a member server on an internal network will be
using the domain profile. An IIS exception for the member server must be
created for the domain profile or it will never be used by the server.
Train roaming users to select the correct profile for a new network. The first
time a roaming user connects his or her laptop to a new network, he or she
will be prompted to select a profile to use. Training the roaming users ensures
that they select the appropriate profile to protect their laptops. This helps
prevent data from being stolen from their computers and prevents them from
bringing malware back to the corporate network.
Use the Scope option to limit rules to specific IP addresses and IP address
ranges. You can use this to provide only part of your network with access to an
application. For example, if the human resources department is limited to a
specific IP address range, you can configure the inbound rule for the human
resources application on a server to allow only requests from that specific IP
address range.
Use the Interface Types option to apply rules only to wireless network or
remote access connections. Wireless networks and connections to remote
networks via remote access may be less secure than a corporate network. This
option allows you to enhance security for these types of connections.
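The rule options above (program-based versus port-based rules, profile, scope and interface type) as netsh commands. This is an added example, not the course's own material; the LOB client path, the HR application port 8443 and the HR subnet 10.0.20.0/24 are placeholders.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt.
# Placeholders: C:\Tools\LobClient\client.exe, TCP 8443 for the HR application,
# 10.0.20.0/24 as the HR address range.

# Program-based rule: the client negotiates random ports, so match the executable.
netsh advfirewall firewall add rule name="LOB client (program, in)" dir=in action=allow program="C:\Tools\LobClient\client.exe" profile=domain

# Port-based rule: IIS cannot be matched as a program, so open its ports instead.
# Bound to the domain profile; on a member server a rule on the public or private
# profile would never be evaluated.
netsh advfirewall firewall add rule name="IIS HTTP/HTTPS (in)" dir=in action=allow protocol=TCP localport="80,443" profile=domain

# Scope: only the HR subnet may reach the HR application on this server.
netsh advfirewall firewall add rule name="HR app (in, HR subnet only)" dir=in action=allow protocol=TCP localport=8443 remoteip=10.0.20.0/24 profile=domain

# Interface type: refuse inbound SMB over wireless and remote access links while
# still allowing it on the wired LAN. netsh takes one interface type per rule.
netsh advfirewall firewall add rule name="Block SMB on wireless (in)" dir=in action=block protocol=TCP localport=445 interfacetype=wireless
netsh advfirewall firewall add rule name="Block SMB on RAS (in)" dir=in action=block protocol=TCP localport=445 interfacetype=ras

# Which profile is in effect right now? A rule on the wrong profile silently does nothing.
netsh advfirewall show currentprofile
```

Block rules take precedence over allow rules in Windows Firewall with Advanced Security, so the SMB block on wireless interfaces wins even though File and Printer Sharing is allowed in the domain profile.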


Considerations for Connection Security Rules

Key Points
Windows Vista and Windows Server 2008 include connection security rules as a
replacement for IPsec rules. When connection security rules are used, the
communication between computers is authenticated.
There are several types of connection security rules:
Isolation rules are used to prevent unauthorized computers from
communicating with each other. Domain isolation can be implemented with
these rules.
Server-to-server rules authenticate, and possibly encrypt, communication
between two hosts. These are typically used to secure communication between
a few hosts because you specify endpoints (IP addresses) that the rules apply
to.
Tunnel rules are used when Windows Server 2008 computers act as routers
and IPsec is used to secure communication between them.


Authentication exemptions are used to allow operating systems that do not
support IPsec to communicate on the network. The exemptions are to an
existing rule.
Custom rules are used to create unique rules that do not match any of the types
available in the wizard. All configuration options are available in the wizard
when you create custom rules.

Some of the considerations for using connection security rules are:
Compatible connection security rules must exist on both hosts to create an
IPsec connection. For example, authentication must be configured in the same
way.
Connection security rules apply to all traffic between hosts, not just traffic
generated on specific ports or by specific applications.
When a connection security rule is in place, other rules can be enforced based
on the user or computer. This allows increased flexibility to restrict access to
some applications by user or computer rather than by IP address. This avoids
problems with changing IP addresses due to dynamic IP addressing.
Use Kerberos authentication to allow both user and computer authentication.
Kerberos is based on domain authentication and requires no additional
configuration. However, it is only suitable for computers that are members of
the domain.
Avoid applying IPsec rules and connection security rules to the same
computer. IPsec policies and connection security rules can be applied at the
same time, but this is not recommended because the two can conflict. When
there is a conflict, it is difficult to determine where the problem is occurring.
Test thoroughly before implementation to ensure that all computers are
configured properly. The best practice is to request IPsec authentication and
verify functionality before requiring IPsec authentication.
Use IPsec only where required as part of your security plan. Using IPsec
increases the complexity of your network and should not be done without a
defined purpose.


What Is Server and Domain Isolation?

Key Points
Server and domain isolation are systems that use IPsec to segment and isolate parts
of a network. Computers on the isolated network ignore all requests from
computers outside the isolated network. The isolated network is created by using
isolation connection security rules and requiring authentication for inbound
connections.
All computers in the isolated network must be part of a domain. This is because
Kerberos will be used to provide authentication that identifies the computers. This
allows access to computers on the isolated network to be enforced based on the
identity of the computers. Exceptions can be created for specific hosts that do not
support IPsec or are not members of the domain by using authentication
exemption connection security rules.
Domain isolation restricts communication to computers that are members of the
domain. This prevents unauthorized access to hosts on your network. For
example, a visiting consultant who connects a laptop to your network would not
be able to communicate with any of the computers in the domain.


Server isolation restricts communication to computers that are part of the same
workgroup. For example, you can isolate all of the computers in the research and
development department to enhance their security. To implement server isolation,
you use Active Directory groups to control access in Windows Firewall rules. The
Active Directory groups can have either users or computers as members,
depending on your goals.

Note: It is significantly more complex to implement server isolation when using IPsec
policies rather than connection security rules.

For detailed information about how to implement server and domain
isolation, see Introduction to Server and Domain Isolation on the
Microsoft TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166424&clcid=0x409.
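The connection security considerations (request authentication before requiring it, Kerberos for domain members, matching rules on both peers) and the server and domain isolation topic, combined in one added example that is not part of the course or of the TechNet article linked above. Assumptions: the computer is domain-joined, 10.0.0.50 is a placeholder for a printer that cannot do IPsec, and ADATUM\R&D Computers is a placeholder Active Directory group.

```powershell
# Added example (not from the course). Run elevated on a domain-joined host.
# Placeholders: 10.0.0.50 (non-IPsec printer), ADATUM\R&D Computers (AD group).

# Phase 1, testing: request Kerberos computer authentication in both directions but
# do not require it. Peers without a matching rule still connect, so nothing breaks
# while you confirm that IPsec is negotiated between domain members.
netsh advfirewall consec add rule name="Domain isolation (request)" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb profile=domain
# The same rule must exist on the peer (same action, same auth1 method); deploy it
# through Group Policy so every domain member gets a compatible copy.

# Authentication exemption: the printer is reached without IPsec. An exemption is a
# separate connection security rule whose action is "no authentication".
netsh advfirewall consec add rule name="Exempt printer 10.0.0.50" endpoint1=any endpoint2=10.0.0.50 action=noauthentication profile=domain

# Verify on a test pair: after traffic flows, main-mode and quick-mode security
# associations should be listed for the peer address.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# Phase 2, enforcement (domain isolation): require authentication for inbound,
# request it for outbound. Unauthenticated inbound requests are now ignored, so a
# visiting laptop outside the domain cannot reach this host.
netsh advfirewall consec delete rule name="Domain isolation (request)"
netsh advfirewall consec add rule name="Domain isolation (require)" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# Server isolation: with authenticated connections in place, an inbound firewall
# rule can be limited to members of an AD computer group instead of IP addresses.
# netsh expects the group as an SDDL string, so translate the group name to its SID.
$group = New-Object System.Security.Principal.NTAccount("ADATUM", "R&D Computers")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "D:(A;;CC;;;$sid)"
netsh advfirewall firewall add rule name="R&D app (isolated, TCP 8443 in)" dir=in action=allow protocol=TCP localport=8443 security=authenticate "rmtcomputergrp=$sddl" profile=domain

# Inspect what is configured.
netsh advfirewall consec show rule name=all
```

Leave the request-only rule in place long enough to catch hosts that never negotiate an SA (non-domain devices, appliances, older operating systems); each one needs either an exemption or a plan before the require rule is deployed, because after that point they simply disappear from the network's point of view.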


Considerations for Applying Rules

Key Points
There are multiple ways to deploy new firewall rules to hosts. Consider the
following:
Some applications will automatically create any necessary firewall rules for
their functionality. When you install a new application, you can review the
firewall configuration to see what changes have been made. It is useful to
document the changes made by an application in case you need to recover the
firewall configuration at a later time.
Back up firewall configuration before making changes. You can use the Export
Policy option in Windows Firewall to create a file containing the Windows
Firewall configuration. Later you can use the Import Policy option to restore
the configuration.
The Windows Firewall with Advanced Security console is suitable for configuring
only a small number of computers. It can only configure one host at a time. When
a manual process is repeated many times it is subject to human error.


Use Group Policy to deploy rules to a large number of computers. This process
is automated and is therefore less prone to error. Any new computers added
to an organizational unit will automatically have the rules applied. Rules
deployed by using Group Policy will override conflicting rules created on a
local server.
Use netsh and Windows PowerShell to create scripts that manage firewall
rules. Scripts allow you to configure individual computers in a repeatable way
that eliminates the potential errors introduced when using Windows Firewall
with Advanced Security. In most cases, scripts will be used only when it is
difficult to configure an appropriate Group Policy object.
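A script that follows the deployment advice above: back up the policy with the same export that the console's Export Policy option performs, apply a rule only when it is missing so the script can be re-run safely, and roll back if the change fails. This is an added example, not course material; the backup folder and the "Inventory Service" rule on TCP 8000 are placeholders.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt on
# each server, or as a startup script. Placeholders: C:\FirewallBackup and the
# "Inventory Service (TCP 8000 in)" rule.

$backupDir = "C:\FirewallBackup"
$stamp     = Get-Date -Format "yyyyMMdd-HHmmss"
$backup    = Join-Path $backupDir "wfas-$env:COMPUTERNAME-$stamp.wfw"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up the complete policy first (equivalent to Export Policy in the console).
netsh advfirewall export $backup | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Firewall export failed; no changes made."
}

# 2. Idempotent rule creation: "show rule" reports when nothing matches, so the
#    rule is added only once even if the script runs every boot.
$ruleName = "Inventory Service (TCP 8000 in)"
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
if ($existing -match "No rules match") {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=8000 profile=domain
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Rule creation failed; restoring $backup"
        netsh advfirewall import $backup
        throw "Firewall policy rolled back."
    }
    Write-Host "Added rule '$ruleName'."
} else {
    Write-Host "Rule '$ruleName' already exists; nothing to do."
}

# 3. Documenting what an installer changed: snapshot the rule names before and after
#    the installation and list the additions. Capture $before, run the installer,
#    then run the comparison.
$before = netsh advfirewall firewall show rule name=all | Select-String "^Rule Name:"
# ... run the application installer here ...
$after  = netsh advfirewall firewall show rule name=all | Select-String "^Rule Name:"
Compare-Object ($before | ForEach-Object { $_.Line }) ($after | ForEach-Object { $_.Line }) |
    Where-Object { $_.SideIndicator -eq "=>" } |
    ForEach-Object { "Installer added: " + $_.InputObject }
```

Keep in mind that a rule added this way is a local rule: if Group Policy later delivers a conflicting rule, the Group Policy rule wins, so scripts are best reserved for hosts that a GPO cannot describe cleanly.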


Demonstration: Windows Firewall Rules Configuration
Options

Key Points
Steps
1. Open Windows Firewall with Advanced Security.
2. Open an inbound rule and review the available settings.
3. Create an isolation connection security rule.


Lesson 3
Planning Protection Against Viruses and
Malware

The threat of viruses and malware is pervasive on computer networks. However,
there are products and Windows Server 2008 features that help prevent viruses
and malware from entering your network. Windows Defender and antivirus
software are products that detect and eliminate viruses and malware. Internet
Explorer 8 has security options built in to make it secure. User Account Control
limits the ability of viruses and malware to spread on the network. Finally, the
Security Configuration Wizard is used to harden a host and prevent security
problems.


Objectives
After completing this lesson, you will be able to:
Describe how viruses and malware enter the network.
Describe the considerations for using Windows Defender.
Describe the considerations for antivirus protection.
Describe the security benefits of Internet Explorer 8.
Describe User Account Control.
Describe how the Security Configuration Wizard can be used.


How Viruses and Malware Enter the Network

Key Points
Viruses and malware are software that is installed on computers without
permission. When this software is installed, it is sometimes harmless, but it often
has serious consequences.
Some consequences of viruses and malware are:
Insertion of additional advertising into Web pages. The malware attempts to
generate revenue by placing additional advertisements on your computer that
you would not normally see. Often these advertisements appear as part of Web
search results or as pop-up windows.
Theft of passwords and personal data. Personal information is valuable to
those interested in identity theft or transferring money out of a bank account.
Malware can monitor the keystrokes on your computer for passwords and
other sensitive information.


Data theft or loss. After malware has infected a computer, it is able to access
data on the local computer and the network. The malware has the same
permissions as the user logged on to the computer. Data can be stolen,
modified, or deleted.
System instability. Much malware is poorly written and causes computer
systems to become unstable. This leads to system crashes and frustrated users.
Your computer becomes part of a botnet. A botnet is a group of computers
that is controlled remotely via malware. The owners of a botnet can use the
botnet to perform denial of service attacks or send unsolicited commercial e-
mail (spam).

To prevent your computers from becoming infected with viruses and malware, it is
important to understand how they enter your network. Some of the ways viruses
and malware enter the network are:
As an e-mail attachment. Sometimes malware is sent as an e-mail attachment.
When users open the attachment, their computer becomes infected. Users
should be trained not to open e-mail attachments except from trusted sources.
As part of another program the user is installing. Many users are lured into
installing programs that seem helpful, but include malware along with the
installation. File-sharing programs are a common source of malware. Toolbars
for Internet Explorer and utilities to add emoticons to e-mail messages are also
common sources of malware.
From a Web page. Sometimes, due to flaws in Web browser software or add-
ons to Web browser software, a user can infect his or her computer simply by
viewing a Web page. In most cases, this type of vulnerability is corrected
quickly by the Web browser vendor issuing an update for the software.
Portable computers. A portable computer is inherently more vulnerable to
malware than a desktop computer just because it is moved into multiple
environments. If a portable computer becomes infected with malware and then
is reconnected to the network, it may spread the malware to other computers
on the network. Also, external vendors or staff may bring in portable
computers that do not meet organizational standards for malware protection.
Portable storage. Any type of portable storage may have malware on it that is
spread when it is attached to the computers in your network. This includes
portable disk drives, USB drives, music players, and smart phones.


Considerations for Using Windows Defender

Key Points
Windows Defender helps protect client computers from spyware and malicious
software. However, Windows Defender is not anti-virus software. Windows
Defender is not part of Windows Server 2008 but should be used on client
computers to limit the chance of malware spreading to servers.
Considerations when using Windows Defender are as follows:
Enable real-time protection. Real-time protection actively monitors a
computer for software that is attempting to install itself. This can be software
from portable storage or from a Web page. Real-time protection prevents
malware from being installed.
Ensure that Windows Defender updates are being applied. Windows
Defender uses antispyware definitions to identify malware. The definitions are
provided by Windows Update. You need to ensure that new definitions are
being downloaded and applied or your computers will be vulnerable to recently
released malware.


Use scheduled and manual scans to remove malware that was missed by
real-time protection. If malware was installed before the antispyware
definitions were updated, you can remove it by running a scheduled or manual
scan. In most scanning scenarios, options are used to scan for unwanted
software on the computer, to schedule scans on a regular basis, and to
automatically remove any malicious software that is detected during a scan.
Use definition-based actions for each alert level. The antispyware definitions
contain a recommended action for each piece of malware. In most cases, using
these default actions is appropriate. However, you can override the action for
categories of alerts to allow or remove threats.
Join Microsoft Spynet with a basic membership. This provides Microsoft
with information about malware detected but does not monitor unknown
software. If you select an advanced membership, Windows Defender will
prompt you for what to do with unknown software. The advanced
membership is fine for an IT professional but should not be used by typical
users.

For more information, see the Join the Spynet community page on the
Windows Help and How-to Web site at
http://go.microsoft.com/fwlink/?LinkID=167159&clcid=0x409.

Use Software Explorer to control the programs that start automatically on
your computer. In some cases, malware can be stopped by being prevented
from starting when the operating system boots. Software Explorer also allows
you to determine which software running on your computer is not classified
and view the antispyware definitions.


Considerations for Antivirus Protection

Key Points
Antivirus software is an essential part of any network security plan. There is a wide
variety of vendors with antivirus products with a wide range of features. All
computers on a network, including servers, should have antivirus software.
Microsoft produces the Forefront line of security products, which includes
antivirus software.
General considerations for antivirus software are as follows:
• Select antivirus software that can be centrally managed. Central
  management is essential for most organizations. This enables you to easily
  review the status of all computers from a central console and respond to them
  quickly. This also allows you to deploy the software from a single console and
  provide definition updates from a central location. Centralized management is
  one of the primary differentiators between consumer and business-level
  antivirus software.
Planning Server and Network Security 7-31

• Update antivirus definitions at least once per day. Daily updates ensure that
  you are able to detect new viruses almost as soon as they are known to be
  spreading.
• Carefully test heuristic-based scanning. Antivirus scanning based on
  heuristics monitors what software is doing to try to identify it as a virus.
  Heuristic scanning has the potential to detect viruses that are not in the
  antivirus definitions. However, heuristics can also generate false positives that
  incorrectly identify legitimate software as a virus. Test heuristic scanning
  before it is enabled to reduce the chance of legitimate software being
  quarantined on user workstations.
• Use quarantine instead of removal for infected files. Moving a file to
  quarantine means that you may be able to recover the contents of a file that
  has become infected. If the file is simply removed, you may lose data. This
  applies mostly to macro viruses in documents.

Security Features of Internet Explorer 8

Key Points
Internet Explorer 8 is primarily used on client computers. However, it is also
included on Windows Server 2008. On servers, Internet Explorer includes
Enhanced Security Configuration (ESC).
ESC raises the security settings for the security zones to provide additional
protection for your servers. For Internet Web sites, this prevents ActiveX controls
and scripts from running. If you encounter a Web site running scripts or ActiveX
controls, you are prompted to add the site to the Trusted Sites security zone.
Internet Explorer maintains two lists of sites in the Trusted Sites security zone.
One list is used when ESC is enabled; the other is used when ESC is disabled.
You can use Server Manager to enable or disable ESC for users or administrators
independently. On most servers, you should leave ESC enabled. Most Internet
browsing, including searching for troubleshooting documents, should be
performed from a client computer, rather than a server. However, you should
disable ESC for users on a terminal server if the users are expected to do Web
browsing in the terminal services session.

Note: For detailed information about Internet Explorer ESC, see Internet Explorer 8
Enhanced Security Configuration on the TechNet Web site at
http://go.microsoft.com/fwlink/?LinkID=166426&clcid=0x409.
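As an added check that is not part of the course text, the following Windows PowerShell script reports whether ESC is currently enabled for administrators and for users on a server. It assumes that ESC state is recorded in the two Active Setup component entries shown (one for administrators, one for users), with IsInstalled set to 1 when ESC is on; those registry paths are the documented locations for the ESC components, not values taken from this page. The script only reads the registry; enabling or disabling ESC is still done through Server Manager as described above.

```powershell
# Added example: read-only audit of Internet Explorer Enhanced Security
# Configuration (ESC). Assumption: ESC state is recorded in the two Active Setup
# component keys below (Administrators and Users), with IsInstalled = 1 meaning
# ESC is enabled for that group. Written for Windows PowerShell 2.0 on
# Windows Server 2008.
$escComponents = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IeEscState {
    foreach ($group in $escComponents.Keys) {
        $key = $escComponents[$group]
        if (-not (Test-Path -LiteralPath $key)) {
            # No component key: the ESC component is not registered on this system.
            $enabled = $null
            $note    = 'ESC component key not present'
        } else {
            $value   = (Get-ItemProperty -LiteralPath $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
            $enabled = ($value -eq 1)
            if ($enabled) {
                $note = 'ESC enabled (recommended for most servers)'
            } else {
                $note = 'ESC disabled: expected only for users on a terminal server used for browsing'
            }
        }
        New-Object PSObject -Property @{ Group = $group; EscEnabled = $enabled; Note = $note }
    }
}

Get-IeEscState | Format-Table Group, EscEnabled, Note -AutoSize
```

Run the script on a terminal server where ESC has been turned off for users and it should show Administrators enabled and Users disabled; any other server showing ESC disabled for either group is worth a second look.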

Other Internet Explorer 8 security features relevant to browsing from servers are as
follows:
• Improvements to ActiveX controls let IT professionals increase security and
  trust by controlling how and where an ActiveX control loads and which users
  can load it.
• The XSS Filter in Internet Explorer 8 helps block cross-site scripting (XSS)
  attacks, currently one of the most common Web site vulnerabilities.
• Data Execution Prevention (DEP) is enabled by default to help prevent system
  attacks in which malicious data exploits memory-related vulnerabilities to
  execute code.
• The SmartScreen Filter helps protect against phishing Web sites and sites
  known to distribute malware. With the SmartScreen Filter enabled, Internet
  Explorer 8 examines the entire URL string, compares it to a database of sites
  known to distribute malware, and then checks with the SmartScreen Web
  service. If the Web site is known to be unsafe, it is blocked and the user is
  notified with a bold SmartScreen blocking page that offers clear language and
  guidance to help avoid Web sites known to be unsafe.
• Protected Mode forces Internet Explorer to request permission before writing
  to files or the registry. This functionality relies on User Account Control. Some
  Web-based applications do not work properly with Protected Mode enabled. If
  an application needs to function without Protected Mode, add it to the Trusted
  Sites security zone.

What Is User Account Control (UAC)?

Key Points
User Account Control (UAC) is typically thought of as a security measure for client
computers, but it is also in place on Windows Server 2008. The purpose of UAC is
to allow most processes to run as a standard user account and be elevated to
administrator only when required. The elevation is performed without requiring
the use of Run As or making the user log off. Overall, UAC increases security
because any malware on the computer running in the context of the user will be
limited to running only processes that require standard user permissions.
For administrators, security is enhanced by Admin Approval Mode, which is
enabled by default. When a computer is configured to use Admin Approval Mode
and an administrator logs on, two access tokens are generated. One access token
has user-level permissions, and the other has administrator-level permissions.
When an administrator runs an application or performs a system task, the user-
level token is used. If the user-level token does not provide sufficient privileges to
perform the task or run the application, the administrator is prompted for
permission to continue. This prevents malware from starting in the background
and using administrative privileges without the knowledge of the administrator.
Prompting for permission to continue is the default configuration, but this
behavior can be modified. You can also:
• Prompt for credentials. This setting forces administrators to enter their
  administrative credentials again to run the application. This may be suitable in
  high-security environments but will frustrate administrators who run many
  administrative utilities.
• Elevate without prompting. This setting allows applications to run with
  administrative privileges silently, without administrator interaction. Although
  using this option is very convenient for administrators, it effectively negates
  the benefits of UAC.

Built-in Administrator accounts are not subject to Admin Approval Mode by
default. The built-in Administrator accounts include the domain Administrator and
local Administrator accounts. Membership in administrative groups is not
sufficient for this to apply. It applies only to the Administrator accounts created
automatically by the system during installation. This is one reason why use of the
built-in Administrator accounts should be avoided for performing administrative
tasks.
UAC configuration settings can be modified in the Local Security Policy or by
using Group Policy. The settings in the Local Security Policy are located at Security
Settings\Local Policies\Security Options\User Account Control:*. The settings in a
Group Policy are located at Computer Configuration\Policies\Windows Settings\
Security Settings\Local Policies\Security Options\User Account Control:*. Settings
configured in a Group Policy will override settings configured in the Local Security
Policy.
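The three UAC behaviours discussed in this topic (prompt for consent, prompt for credentials, elevate without prompting) and the built-in Administrator exemption are each backed by a registry value under the Policies\System key that the Security Options settings write to. The following Windows PowerShell script, added here and not part of the course, reads those values and reports findings against the guidance above. The key and value names (EnableLUA, ConsentPromptBehaviorAdmin, FilterAdministratorToken) are the standard locations for these policies; the interpretation strings are the script's own, and it changes nothing.

```powershell
# Added example: audit the UAC settings named above by reading the registry
# values that back the Security Options policies. Key and value names are the
# standard locations for these policies; the interpretation strings are this
# script's own. Read-only; written for Windows PowerShell 2.0 on Windows Server 2008.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin backs "User Account Control: Behavior of the elevation
# prompt for administrators in Admin Approval Mode". Values 0-2 exist on
# Windows Server 2008; 3-5 were added in Windows Server 2008 R2 and Windows 7.
$adminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Windows Server 2008 default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacState {
    $p = Get-ItemProperty -LiteralPath $uacKey

    # EnableLUA backs "User Account Control: Run all administrators in Admin Approval Mode".
    # A missing value means the operating system default (enabled) applies.
    $uacOn = ($p.EnableLUA -eq $null) -or ($p.EnableLUA -eq 1)

    # FilterAdministratorToken backs "User Account Control: Admin Approval Mode for the
    # Built-in Administrator account". The default, 0, leaves the built-in Administrator
    # outside Admin Approval Mode, as the text describes.
    $builtinInAam = ($p.FilterAdministratorToken -eq 1)

    $behavior = $p.ConsentPromptBehaviorAdmin
    if ($behavior -eq $null) { $behavior = 2 }     # default when the value is absent
    $meaning = $adminPromptMeaning[[int]$behavior]
    if (-not $meaning) { $meaning = "Unrecognised value $behavior" }

    # Findings follow the planning guidance in this topic.
    $findings = @()
    if (-not $uacOn)        { $findings += 'UAC is disabled; Admin Approval Mode is not in effect' }
    if ($behavior -eq 0)    { $findings += 'Elevate without prompting negates the benefits of UAC' }
    if (-not $builtinInAam) { $findings += 'Built-in Administrator is exempt from Admin Approval Mode; avoid using it for daily administration' }
    if ($findings.Count -eq 0) { $findings += 'No issues against the guidance above' }

    New-Object PSObject -Property @{
        UacEnabled          = $uacOn
        AdminPromptBehavior = $behavior
        AdminPromptMeaning  = $meaning
        BuiltinAdminInAam   = $builtinInAam
        Findings            = ($findings -join '; ')
    }
}

Get-UacState | Format-List
```

Because settings delivered by Group Policy override the Local Security Policy, the values read here reflect the effective configuration after Group Policy has applied, which is what you want to audit; compare the result with the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options path given above when a server does not show the expected behaviour.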

Using the Security Configuration Wizard (SCW)

Key Points
The Security Configuration Wizard (SCW) is included with Windows Server 2008
to help you reduce the attack surface of your computer by creating and applying a
security policy.
When you run SCW, it analyzes the computer to determine which roles, features,
and applications are installed. You can review this list and make modifications.
SCW then makes suggestions to enable and disable services, modify registry
settings for security, and audit.
After you use SCW to create a security policy, you can apply the policy to the same
computer or save it to a file and then apply it to another computer. After you apply
a security policy, the settings can be rolled back if required.
Some considerations for using SCW:
• Ensure that templates are registered for all applications on the server. SCW
  uses templates to make recommendations for changes. If the appropriate
  template is not imported, SCW cannot recommend changes for it. Some
  applications ship with templates. For example, Microsoft Exchange Server
  2007 includes templates that must be registered with SCW before SCW is
  used on a computer running Exchange Server 2007.
• Create a standard policy for specific server types. Rather than running SCW on
  every server, create a policy on one server, and then apply that policy to
  multiple servers. This will reduce administrative work.
• Apply common settings by using Group Policy. Group Policy is the fastest way
  to apply security settings to multiple computers. You can convert a security
  template to a Group Policy object by using scwcmd with the transform option.
• Disable unknown services only if you understand what the results will be.
  SCW has a setting for unknown services. Disabling unknown services is done
  only in very high security situations. When you use this option, you can use
  the resulting policy only on servers with an identical configuration.
• If a new security policy creates unexpected results, roll it back. When a
  security policy is rolled back, the computer is placed in the state it was in
  before the policy was applied. It is common to roll back policies during testing.
• Test new policies before applying them to multiple computers. As with any
  other configuration change, you should test new policies on one or a few
  computers before applying them to a larger group of computers. This
  minimizes the consequences of an unexpected issue.
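The considerations above describe one procedure: build a policy once, test it on a few computers, roll back if it misbehaves, and then push the common settings through Group Policy. The following Windows PowerShell script is an added example of that procedure driven with scwcmd.exe, the command-line companion to SCW that ships with Windows Server 2008; it is not from the course. The policy file path, the pilot server names, the output folder and the GPO name are placeholders, and the policy itself is still created with the SCW graphical wizard on a reference server as described above.

```powershell
# Added example: staged rollout of a Security Configuration Wizard policy using
# scwcmd.exe (included with Windows Server 2008). The policy file, server names,
# output folder and GPO name are placeholders. The policy itself is created once
# on a reference server with the SCW graphical wizard.
$policy       = 'C:\SCWPolicies\FileServer.xml'  # placeholder: policy saved by SCW
$pilotServers = @('PILOT-FS01', 'PILOT-FS02')     # placeholder: a few test computers
$resultDir    = 'C:\SCWPolicies\Analysis'         # placeholder: where analyze writes results
$gpoName      = 'SCW - File Servers'              # placeholder: GPO created by transform

function Test-ScwPolicyOnPilot {
    # Step 1: analyze compares each pilot server with the policy without changing it.
    foreach ($server in $pilotServers) {
        & scwcmd.exe analyze "/m:$server" "/p:$policy" "/o:$resultDir"
        if ($LASTEXITCODE -ne 0) { Write-Warning "analyze failed on $server (exit code $LASTEXITCODE)" }
    }
    # Review the XML results with: scwcmd.exe view /x:<ResultFile.xml> /s:Analysis
}

function Invoke-ScwPolicyOnPilot {
    # Step 2: apply the policy to the pilot group only. If configure fails, return the
    # computer to its pre-policy state; rollback is also the answer if the servers
    # misbehave after the policy has been applied.
    foreach ($server in $pilotServers) {
        & scwcmd.exe configure "/m:$server" "/p:$policy"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "configure failed on $server (exit code $LASTEXITCODE); rolling back"
            & scwcmd.exe rollback "/m:$server"
        }
    }
}

function Convert-ScwPolicyToGpo {
    # Step 3: once the pilot is clean, convert the policy to a GPO so the common
    # settings reach many servers through Group Policy instead of per-server runs.
    & scwcmd.exe transform "/p:$policy" "/g:$gpoName"
}

Test-ScwPolicyOnPilot
# Invoke-ScwPolicyOnPilot   # run after reviewing the analysis results
# Convert-ScwPolicyToGpo    # run after the pilot group has been validated
```

The transform step creates the GPO but does not link it; linking it to the organizational unit that holds the target servers is done in Group Policy Management, which keeps the scope of the new settings an explicit decision.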

Note: Windows Server 2008 security includes some templates with recommended
settings for applying security to Windows Server 2008 environments. Templates are
included for domain controllers and member servers. You can download the Windows
Server 2008 Security Guide from the Microsoft Web site at http://go.microsoft.com
/fwlink/?LinkID=167160&clcid=0x409.

Lesson 4
Planning Remote Access

Remote access is used by many organizations to provide users with access to data
from outside the network. The most common type of remote access is virtual
private networks (VPNs). When planning a remote access solution, you must
determine which VPN protocols will be used, as each has a unique set of
characteristics that make it suited to different scenarios. Network policies and
Network Policy Server are used to control the authentication for remote access and
can be used in several configurations to meet the needs of your organization.
Objectives
After completing this lesson, you will be able to:
• Describe considerations for VPN protocols.
• Describe considerations for network policies.
• Describe considerations for Network Policy Server.

Considerations for VPN Protocols

Key Points
A VPN uses a tunneling protocol to transfer data on a remote network. Tunneling
allows data that would not normally travel well over a remote connection to travel
to a remote network. For example, programs that use remote procedure calls
(RPC) have difficulty traversing firewalls. When a VPN is used, the application
requests are encapsulated in the packet used by the tunneling protocol.
A VPN can be used to access data and applications remotely. However, a VPN
requires the client computer to be configured with a VPN connection. This makes a
VPN suitable only for computers that can be configured, such as a home computer
or a company laptop. It is not typically possible to create a VPN connection on a
public access computer at a library or Internet café.
A VPN connection typically has high latency, which makes a VPN unsuitable for
running most applications. Terminal Services is a better solution for running most
applications. A VPN is a reasonable way to transfer data.
There are three types of VPN supported by Windows Server 2008 and Windows
Vista.
• Point-to-Point Tunneling Protocol (PPTP). This type of VPN has been
  available in Microsoft operating systems since the 1990s. It offers only user-
  based authentication and the ability to encrypt data in transit. This type of
  VPN is well understood by most IT professionals and easy to implement. Some
  locations such as hotels may not allow this type of packet through their
  firewall.
• Layer 2 Tunneling Protocol (L2TP)/IPsec. This type of VPN was introduced
  in Windows 2000. IPsec is used to secure the data and is encapsulated by
  L2TP. IPsec enables computer authentication to be performed as part of the
  authentication process for greater security. Also, IPsec encryption is
  considered more secure than PPTP. The main drawback of L2TP/IPsec is the
  complexity of configuration. IPsec must be properly configured to allow
  authentication to occur. Like PPTP, this type of VPN is also blocked by some
  firewalls.
• Secure Socket Tunneling Protocol (SSTP). This type of VPN has the best
  compatibility with firewalls and proxy servers. All data is encapsulated in
  HTTPS packets, which are allowed through firewalls and proxy servers in
  public locations, such as hotels. SSTP is only available starting with Windows
  Server 2008 and Windows Vista. Configuration on the server side requires that
  a Secure Sockets Layer (SSL) certificate be installed, but SSL configuration is
  fairly simple to complete.

Note: Windows 7 and Windows Server 2008 R2 include an alternative to VPN
connections called DirectAccess. The primary benefit of DirectAccess is simplified access
to remote resources. For more information about DirectAccess, see DirectAccess on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=167161&clcid=0x409.

Recommendations for VPNs:
• Use PPTP for best compatibility with operating systems.
• Use L2TP/IPsec to increase security.
• Use SSTP to increase security and provide the best compatibility with firewalls
  and proxy servers.

Considerations for Network Policies

Key Points
Network policies are a set of rules used by Routing and Remote Access Servers
(RRAS) to determine which users are able to remotely connect. The most
commonly implemented RRAS functionality is a VPN server.
Some considerations for network policies are:
• By default, each RRAS server has its own set of network policies. If you have
  multiple RRAS servers, you must create the same set of policies on each server
  for the same behavior to occur on each server.
• You can maintain different network policies on different servers to meet the
  needs of different user groups. For example, the engineering group may
  maintain its own VPN server that only engineering users are able to use, while
  another VPN server is used for other users in the organization.
• The default network policies prevent access. To allow access, you must create a
  new network policy or allow access on the Dial-in tab in the properties of a
  user account.
• Simplify the management of network access by using groups to control access.
  It is much more efficient to allow a group remote access by using a network
  policy rather than allowing access for individual user accounts. Group
  membership is one of the most common conditions applied to a remote access
  connection.
• Only the first matched network policy will apply. When there are multiple
  network policies, they are processed in order. If the first network policy with
  matching conditions denies access to a user, no further policies will be
  evaluated. Ensure that network policies are in the correct order to obtain the
  results you want. For example, if a large group of users such as the engineering
  department has been granted remote access and you want to deny access to a
  few users in another group, the network policy for the smaller group should
  have a lower processing order (number 1 is processed before number 2).
• Increase security by implementing additional conditions. For example, you can
  use day and time restrictions to prevent remote access late at night when
  legitimate use is unlikely.
• Identify the authentication methods that meet your needs. When selecting
  authentication methods, consider that MS-CHAPv2 provides better security
  than MS-CHAP and can be used with Windows 2000 (and it can be used even
  by Windows 95, with updates). Other more secure authentication such as
  smart cards can be implemented by using Extensible Authentication Protocol
  (EAP).
• Use constraints with characteristics such as idle timeout and session timeout
  to control a remote access connection. You can also configure port type
  restrictions and day and time restrictions as constraints. If a constraint for
  port type or day and time does not match, access is denied and no further
  processing of network policies is performed. This is different from day and
  time restrictions in conditions, where the next network policy would be
  evaluated.
• Apply the IP Filters setting to control which internal resources can be accessed
  by remote access clients. For example, the IP filters applied to the marketing
  department users could limit their access to a single file server with shared
  marketing documents. This limits the potential damage if an unauthorized
  user gains access to the network.
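The ordering rule and the difference between conditions and constraints are the two points in this list that most often produce surprising results, so the following Windows PowerShell script models the evaluation as the text describes it. It is an added example, not course material and not an NPS API: it walks an ordered policy list, stops at the first policy whose conditions all match, denies if that policy denies or if one of its constraints fails, and otherwise grants; a request that matches no policy is denied, as the default policies do. The group names, hours and port types are constructed sample data.

```powershell
# Added example: a model of how NPS walks an ordered list of network policies.
# Not an NPS API; the policies and requests below are constructed sample data.
# Written for Windows PowerShell 2.0.

function New-NetworkPolicy {
    param(
        [int]$Order, [string]$Name, [string]$Permission,   # Permission: 'Grant' or 'Deny'
        [string[]]$GroupCondition = @(),                     # condition: member of any listed group
        [int[]]$DayTimeCondition = $null,                    # condition: permitted hours of the day
        [int[]]$DayTimeConstraint = $null,                   # constraint: permitted hours of the day
        [string[]]$PortTypeConstraint = @()                  # constraint: permitted NAS port types
    )
    New-Object PSObject -Property @{
        Order = $Order; Name = $Name; Permission = $Permission
        GroupCondition = $GroupCondition; DayTimeCondition = $DayTimeCondition
        DayTimeConstraint = $DayTimeConstraint; PortTypeConstraint = $PortTypeConstraint
    }
}

function Test-Conditions($policy, $request) {
    # A policy matches only if every condition it defines is satisfied by the request.
    if ($policy.GroupCondition.Count -gt 0) {
        $hits = @($request.Groups | Where-Object { $policy.GroupCondition -contains $_ })
        if ($hits.Count -eq 0) { return $false }
    }
    if (($null -ne $policy.DayTimeCondition) -and -not ($policy.DayTimeCondition -contains $request.Hour)) {
        return $false
    }
    return $true
}

function Test-Constraints($policy, $request) {
    # Constraints are checked only after a policy has matched. A failed constraint denies
    # access and stops processing; a non-matching condition would have moved on instead.
    if (($null -ne $policy.DayTimeConstraint) -and -not ($policy.DayTimeConstraint -contains $request.Hour)) {
        return 'constraint failed: outside permitted hours'
    }
    if (($policy.PortTypeConstraint.Count -gt 0) -and -not ($policy.PortTypeConstraint -contains $request.PortType)) {
        return "constraint failed: port type $($request.PortType) not permitted"
    }
    return $null
}

function Resolve-NetworkAccess($policies, $request) {
    foreach ($policy in ($policies | Sort-Object Order)) {
        if (-not (Test-Conditions $policy $request)) { continue }   # conditions did not match: next policy
        if ($policy.Permission -eq 'Deny') { return "DENIED by '$($policy.Name)'" }   # first match wins
        $failure = Test-Constraints $policy $request
        if ($failure) { return "DENIED by '$($policy.Name)': $failure" }
        return "GRANTED by '$($policy.Name)'"
    }
    return 'DENIED: no network policy matched (default behaviour)'
}

# The small deny-list group is ordered before the large engineering grant, as advised above.
$policies = @(
    (New-NetworkPolicy -Order 1 -Name 'Deny suspended accounts' -Permission Deny -GroupCondition 'VPN-Suspended'),
    (New-NetworkPolicy -Order 2 -Name 'Engineering VPN' -Permission Grant -GroupCondition 'Engineering' -DayTimeConstraint (6..22) -PortTypeConstraint 'Virtual'),
    (New-NetworkPolicy -Order 3 -Name 'Contractors VPN' -Permission Grant -GroupCondition 'Contractors' -DayTimeCondition (8..18))
)

# Constructed connection requests.
$requests = @(
    @{ User = 'ann';  Groups = @('Engineering');                  Hour = 10; PortType = 'Virtual' },    # engineer in permitted hours
    @{ User = 'bob';  Groups = @('Engineering', 'VPN-Suspended'); Hour = 10; PortType = 'Virtual' },    # engineer also in the deny-list group
    @{ User = 'cara'; Groups = @('Engineering');                  Hour = 2;  PortType = 'Virtual' },    # engineer outside the constraint hours
    @{ User = 'dan';  Groups = @('Contractors');                  Hour = 2;  PortType = 'Virtual' },    # contractor outside the condition hours
    @{ User = 'eve';  Groups = @('Engineering');                  Hour = 10; PortType = 'Wireless' }    # engineer on a port type the constraint excludes
)
foreach ($r in $requests) { '{0,-5} {1}' -f $r.User, (Resolve-NetworkAccess $policies $r) }
```

Compare the third and fourth requests: both arrive at 02:00, but the engineering policy treats the hours as a constraint and stops with a denial, while the contractor policy treats them as a condition, so evaluation falls through to the default denial instead. Swapping the order of the first two policies would let the suspended engineer in, which is the ordering mistake the text warns about.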

Considerations for Network Policy Server (NPS)

Key Points
Network Policy Server (NPS) is a role service for the Network Policy and Access
Services role. Some of the functionality in NPS was provided by Internet
Authentication Server (IAS) in Windows Server 2003. It contains three
components:
• RADIUS server. A RADIUS server is a central service that provides
  authentication services for other applications. RRAS servers can forward
  authentication requests to the RADIUS server instead of using local network
  policies.
• RADIUS proxy. A RADIUS proxy is a central service that routes RADIUS
  authentication requests to the appropriate RADIUS server.
• NAP policy server. NAP requires a central location for health policies. A NAP
  policy server performs this function.
Some considerations for NPS are:
• To centralize authentication for multiple RRAS servers, use the RADIUS server
  functionality. The network policies created for the RADIUS server are used by
  all RRAS servers when the authentication requests are forwarded to the
  RADIUS server. Centralizing the network policies in a single location simplifies
  maintenance of network policies.
• To centralize logging for multiple RRAS servers, use the RADIUS server
  functionality. You can configure RRAS servers to forward logging information
  to a RADIUS server for centralized storage. This makes it easier to analyze and
  troubleshoot RRAS authentication issues, particularly when network load
  balancing is used for the RRAS servers and the client does not know which
  RRAS server was being accessed.
• Connection request policies are used to implement the RADIUS proxy
  functionality in NPS. If a connection request policy does not match the
  incoming RADIUS authentication request, the server acts as a RADIUS server
  for the request.
• Use the RADIUS proxy functionality to forward requests to independently
  managed RADIUS servers. One group in an organization, such as the
  engineering group, may want to maintain their own isolated RADIUS servers.
  This allows the engineering group to independently control their logons.
• RADIUS can be used to authenticate non-RRAS applications. For example, the
  802.1X protocol for authenticating computers at a switch or wireless access
  point uses RADIUS for authentication.

Lesson 5
Planning for NAP

Network Access Protection (NAP) is a new feature in Windows Server 2008
designed to prevent unhealthy computers from communicating on the network.
Windows Server 2008 provides a System Health Validator that provides basic
monitoring capabilities for Windows XP, Windows Vista, and Windows Server
2008. When enforcing NAP policies, you can use DHCP, VPN, 802.1X, or IPsec
enforcement. The enforcement type you select is based on the needs and
infrastructure of your organization.
Objectives
After completing this lesson, you will be able to:
• Describe Network Access Protection.
• Describe the status characteristics monitored by Windows System Health
  Validator.
• Describe the considerations for DHCP enforcement.
• Describe the considerations for VPN enforcement.
• Describe the considerations for 802.1X enforcement.
• Describe the considerations for IPsec enforcement.

What Is NAP?

Key Points
NAP is a system that enforces client health before allowing access to the network.
Client health is defined in policies by an administrator and enforced by a Network
Policy Server (NPS). NAP does not block intruders or malicious users.
Instead, NAP ensures that clients have an appropriate configuration such as
software updates installed and antivirus software that is current.
NAP includes multiple enforcement mechanisms. You can implement one or more
of these mechanisms at the same time, depending on your network scenario.
When a computer is noncompliant with the health policy, you can then allow
limited access to the network. The limited access is, typically, to remediation
servers. Remediation servers provide resources for computers to become
compliant. For example, a remediation server could be a Windows Server Update
Services (WSUS) server that clients can use to download and apply required
updates.
NAP can be implemented in virtually any scenario in which computers are
accessing a network. The most common scenarios are:
• Desktop computers. NAP can be applied to all desktop computers in an
  organization. This ensures that a misconfigured desktop computer does not
  affect the security of the organization.
• Roaming laptops. NAP can be implemented when wireless clients
  authenticate to a wireless access point or a virtual private network (VPN)
  connection. This ensures that laptops that are often outside the organizational
  network are still in compliance when they return.
• Visiting laptops. Visiting laptops are not controlled by the organization and
  can often not be compliant with organizational policies. NAP can ensure that
  they are restricted to a limited set of resources.
• Home computers. Many employees use home computers when remotely
  accessing the corporate network over a VPN connection. NAP can ensure that
  these computers are healthy and do not introduce viruses or malware onto the
  organizational network over the VPN.

Status Monitored by Windows System Health Validator (SHV)

Key Points
NAP uses a System Health Validator (SHV) on the server side and a System Health
Agent (SHA) on the client side to evaluate health status. The SHA and SHV are a
matched set that must be deployed together. NAP includes a Windows SHV, and a
corresponding Windows SHA is included in Windows XP SP3, Windows Vista,
Windows 7, and Windows Server 2008.
The settings monitored by the Windows SHV are based on the settings that are
monitored by Windows Security Center on the client. Software must be compatible
with the Windows Security Center to be monitored.
The following are the settings that can be monitored for Windows Vista and
Windows Server 2008:
• Firewall is enabled
• Antivirus application is on and up to date
• Antispyware application is on and up to date
• Automatic updating is enabled
• All available security updates installed
• Locations where security updates can be downloaded

Note: Security Update Protection should not be enabled unless you have configured
WSUS for your network. If clients are not registered with a WSUS server and Security
Update Protection is enabled, clients are automatically placed on the restricted network
even if they are configured with the necessary updates.

NAP can be extended to monitor additional settings and software. You can do this
by deploying additional SHAs on NAP clients and additional SHVs on NPS servers.
Some products that NAP can integrate with are:
• System Center Configuration Manager (SCCM). When SCCM is integrated
  with NAP, you can monitor the application of specific updates.
• Microsoft Forefront Client Security. When Forefront Client Security is
  integrated with NAP, you can perform additional actions. For example, you
  can perform an auto-remediation of a stopped service by restarting the stopped
  service. You can perform Forefront integration by using the Microsoft
  Forefront Integration Kit for Network Access Protection.

Note: To find organizations that are shipping an SHA and SHV for their products, see the
Network Access Protection Communities and Partners page on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167163&clcid=0x409.

Considerations for Designing DHCP Enforcement

Key Points
DHCP enforcement requires the use of a NAP-integrated DHCP server. The DHCP
server included with Windows Server 2008 is NAP-integrated for IPv4 addressing,
but not for IPv6. The health status of the client computer is sent with the DHCP
lease request.
If the client computer is noncompliant, a lease is given with:
• A default gateway of 0.0.0.0
• A subnet mask of 255.255.255.255
• Static routes to remediation servers
Considerations for DHCP enforcement include the following:
• DHCP enforcement is easy to implement and can apply to any computer with
  a dynamic IP address.
• DHCP enforcement is easy to circumvent. A client can circumvent DHCP
  enforcement by using a static IP address. In addition, a noncompliant
  computer could add static host routes to reach servers that are not
  remediation servers.
• DHCP enforcement is not possible for IPv6 clients. If computers on your
  network use IPv6 addresses to communicate, DHCP enforcement is ineffective.

Considerations for Designing VPN Enforcement

Key Points
VPN enforcement requires the use of a NAP-integrated VPN server. The RRAS
server included with Windows Server 2008 is NAP integrated. The health status of
the client computer is sent as part of the authentication process.
When a computer is noncompliant, the VPN connection is still authenticated.
However, IP filters are used to restrict access to only remediation servers.
Considerations for VPN enforcement include the following:
• VPN enforcement is best suited to situations in which a VPN is already being
  used. It is unlikely that you will implement VPN connections on an internal
  network to use VPN enforcement.
• Use VPN enforcement to ensure that staff members connecting from home
  computers are not introducing malware to your network. Home computers are
  often not well maintained by users and represent a high risk. Many do not
  have antivirus software or do not apply Windows updates regularly.
• Use VPN enforcement to ensure that roaming laptops are not introducing
  malware to your network. Roaming laptops are more susceptible to malware
  than computers directly on the corporate network because they may be unable
  to download virus updates and Windows updates from outside the corporate
  network. Also, they are more likely to be in environments where malware is
  present.

Considerations for Designing 802.1X Enforcement

Key Points
To implement 802.1X enforcement, you must ensure that the network switches or
wireless access points (WAPs) support 802.1X authentication. The switches or
WAPs then act as an enforcement point for NAP clients. The health status of the
client is sent as part of the authentication process.
When a computer is noncompliant, the switch places the computer on a separate
virtual local area network (VLAN) or uses packet filters to restrict access to only
remediation servers.
Considerations for 802.1X enforcement are as follows:
• The isolation of noncompliant computers is enforced by the switch or WAP
  that connects with the client. This makes it very difficult to circumvent and
  therefore very secure.
• Use 802.1X enforcement for internal computers. This type of enforcement is
  appropriate for LAN computers with wired and wireless connections.
• You cannot use 802.1X enforcement if your switches and WAPs do not
  support the use of 802.1X for authentication.

Considerations for Designing IPsec Enforcement

Key Points
To implement IPsec enforcement, you must put additional software components
on the network. A Health Registration Authority (HRA) is required to act as an
enforcement point, and a Certification Authority (CA) is required to generate
health certificates. However, no specific hardware components are required. So
IPsec enforcement can be implemented in any environment.
The health status of a computer is verified with an HRA. The HRA then issues a
health certificate to the computer. The health certificate is used for IPsec
authentication.
When a computer is noncompliant, the computer is unable to successfully
complete IPsec authentication and is limited to a restricted network. The restricted
network has remediation servers on it.
Considerations for IPsec enforcement are as follows:
• IPsec enforcement is more complex to implement than other enforcement
  methods because it requires an HRA and a CA.
• No additional hardware is required to implement IPsec enforcement. There is
  no need to upgrade switches or WAPs as there might be if 802.1X enforcement
  is selected. IPsec enforcement can be implemented in any environment.
• IPsec enforcement is very secure and difficult to circumvent.
• IPsec can be configured to encrypt communication for additional security.
• IPsec enforcement is applied to IPv4 and IPv6 communication.

Lab: Planning Server and Network Security

Note: Your instructor may run this lab as a class discussion.

Exercise 1: Creating a Plan for Server and Network Security

Scenario
A. Datum has two security-related tasks that need to be planned out. A new Web-
based application is being implemented for the finance department and requires a
security plan. Also, as part of a security review, a plan needs to be developed for
preventing malware on the A. Datum network.
You have been tasked with creating a plan for the new finance application and
creating a plan for preventing malware on the network. Your IT manager has
provided you with a list of requirements that must be met by your plan.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a security plan for the new finance application.
3. Create a plan for preventing malware on the network.
Supporting Documentation
E-mail thread of correspondence with Allison Brown:

Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:22
To: Gregory@adatum.com
Subject: Security Plan for Finance Application
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning security for the new Web-based finance application. Here are some of the
requirements that have come up:
All users of the application must be authenticated.
All data transferred over the network to or from the application must be
encrypted.
Access must be limited to only domain-joined computers in the finance
department.
The IT management committee has really bought in to the idea of Defense-in-
Depth that you presented at the last committee meeting. I think it would be helpful
if you could present the security plan for this server in that context.
Let me know if you require any clarification.
Regards
Allison
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:32
To: Gregory@adatum.com
Subject: Malware Prevention Plan
Greg,
The IT management committee is also looking for a plan to prevent malware
within the organization. A competitor had an incident recently where customer
data was stolen, and it generated a lot of bad publicity for them, not to mention the
cost of monitoring the potential identity theft.
I'm sure we already have reasonable measures in place, but the committee would
like to have a plan that lists potential sources of malware and how they can be
prevented. Just list any options you can think of. This will be a starting point for
discussion.
Please also put this information in context with Defense-in-Depth like the security
plan for the finance application.
Let me know if you require any clarification.
Regards
Allison
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create a security plan for the new finance application


Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to the new finance application.

Layer Risk Mitigation


Data

Application

Host

Internal
network

Perimeter

Physical
security

Policies,
procedures,
and awareness
Task 3: Create a plan for preventing malware on the network
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to preventing malware on the network.

Layer Risk Mitigation


Data

Application

Host

Internal
network

Perimeter

Physical
security

Policies,
procedures,
and awareness

Results: After this exercise, you should have a completed security plan for new finance
application and a plan for preventing malware on the network.
Exercise 2: Implementing Windows Firewall Rules
Scenario
Your security plan for the new finance application calls for the implementation of
computer-specific firewall rules. Only computers in the finance department will be
allowed to access the finance application.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Create a group for the finance computers.
3. Create a connection security rule for authentication to the finance server.
4. Create a firewall rule to restrict access to the finance application.
5. Force Group Policy updates.
6. Test the application of rules.

Task 1: Start the virtual machines and log on


1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Create a group for the finance computers


1. On SEA-DC1, open Active Directory Users and Computers.
2. Create a global security group named Finance Computers in the Computers container.
3. Add SEA-CL1 to the Finance Computers group.
Task 3: Create a connection security rule for authentication to the finance server
1. On SEA-DC1, use Group Policy Management to create the enforced security
GPO.
Name: Secure Financial Application
Linked to Adatum.com
2. Edit the Secure Financial Application GPO and create a new Connection
Security Rule.
Computer Configuration\Policies\Windows Settings\Security Settings
\Windows Firewall with Advanced Security\Windows Firewall with
Advanced Security\Connection Security Rules.
Rule type: Server-to-server
Endpoint 1: 10.10.0.10
Endpoint 2: Any IP address
Request authentication for inbound and outbound connections
Authentication method, Advanced: Computer (Kerberos V5)
Profiles: All
Name: Enable Authentication

Task 4: Create a firewall rule to restrict access to the finance application
On SEA-DC1, use Windows Firewall with Advanced Security to create a new
inbound rule.
Rule type: Port
Protocols and ports: TCP 80,443
Action: Allow the connection if it is secure and Require the connections
to be encrypted
User and computers: Only allow connections from the Finance
Computers group.
Profiles: All
Name: Restrict Access to Finance Application
Task 5: Force Group Policy updates
1. On SEA-DC1, run gpupdate at a command prompt.
2. On SEA-CL1, run gpupdate at a command prompt.
3. Restart SEA-CL1 and log on as Administrator with a password of Pa$$w0rd.

Task 6: Test the application of rules

1. On SEA-CL1, use Internet Explorer to open http://10.10.0.10. This succeeds because SEA-CL1 authenticated to SEA-DC1 with Kerberos and is a member of the Finance Computers group that the inbound rule allows; a computer outside that group is blocked even though it can authenticate.
2. Use Windows Firewall with Advanced Security to view the Main Mode Security Associations in the Monitoring node. An SA between SEA-CL1 and SEA-DC1 shows that the connection was protected with IPsec.
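The same configuration from the command line, as an added example that is not part of the course lab: it applies the Task 2, 3 and 4 settings directly on SEA-DC1 with dsadd and netsh advfirewall (local rules rather than the Secure Financial Application GPO; the resulting IPsec and firewall behaviour is the same) and then checks for the main-mode SA that Task 6 looks for. It assumes Windows Server 2008 with Windows PowerShell 1.0, an elevated prompt, the lab's ADATUM domain with SEA-CL1 in CN=Computers, and a placeholder client address in the final check.

```powershell
# Added example, not from the course lab. Windows Server 2008 / PowerShell 1.0, run elevated on SEA-DC1.

$groupDn  = 'CN=Finance Computers,CN=Computers,DC=Adatum,DC=com'
$clientDn = 'CN=SEA-CL1,CN=Computers,DC=Adatum,DC=com'

# Task 2: global security group with SEA-CL1 as its member
dsadd group $groupDn -secgrp yes -scope g -members $clientDn

# Task 3: request (not require) computer Kerberos authentication for traffic to and from
# 10.10.0.10. "Request" keeps hosts that cannot authenticate reachable for other services;
# the inbound firewall rule below is what actually excludes them from the application.
netsh advfirewall consec add rule name="Enable Authentication" endpoint1=10.10.0.10 endpoint2=any action=requestinrequestout auth1=computerkerb profile=any

# Task 4: rmtcomputergrp takes an SDDL string carrying the group SID, so resolve the SID
# instead of typing it. security=authenc is "allow only secure connections" plus
# "require encryption" in the console. The port list is quoted so PowerShell does not
# split it on the comma.
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'ADATUM\Finance Computers'
$sid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = 'O:LSD:(A;;CC;;;' + $sid + ')'
netsh advfirewall firewall add rule name="Restrict Access to Finance Application" dir=in action=allow protocol=TCP "localport=80,443" security=authenc "rmtcomputergrp=$sddl" profile=any

# Task 6 check: after gpupdate on both computers and a browse from SEA-CL1 to
# http://10.10.0.10, a main-mode SA listing the client's address proves the connection
# was authenticated.
function Test-MainModeSA([string]$peerAddress) {
    $listing = netsh advfirewall monitor show mmsa | Out-String
    return ($listing -match [regex]::Escape($peerAddress))
}
Test-MainModeSA '10.10.0.20'   # placeholder for SEA-CL1's address (assumption); True once the SA exists
```

The lab puts the connection security rule in a GPO so that every domain computer learns to authenticate to the finance server; the local netsh form above is the right tool for a single server or for a test before the GPO is written.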

Results: After this exercise, you should have successfully implemented firewall rules.
Exercise 3: Implementing a VPN Server
Scenario
Your security plan requires a VPN to be implemented for some remote users. Because all of the laptops are running Windows Vista (SSTP requires Windows Vista SP1 or later), you have decided to use an SSTP VPN for the highest level of compatibility with hotel firewalls and proxy servers, which generally allow outbound HTTPS. Initially, you are configuring this only for Domain Admins while testing.
The main tasks for this exercise are as follows:
1. Install Active Directory Certificate Services.
2. Create an SSL Certificate.
3. Configure RRAS.
4. Create a network policy to allow VPN access.
5. Configure the client with a trusted root certificate.
6. Configure and test an SSTP VPN connection.

Task 1: Install Active Directory Certificate Services


On SEA-DC1, use Server Manager to add the Active Directory Certificate
Services role.
Role services: Certification Authority and Certification Authority Web
Enrollment
Add required role services
CA type: Enterprise Root CA
Create a new private key
Cryptography: default
CA name: default
Validity period: default
Database and log locations: default.
Task 2: Create an SSL certificate
On SEA-DC1, use Internet Information Services Manager to request a new
server certificate for SEA-DC1.
Create Domain Certificate
Common name: SEA-DC1.adatum.com
Organization: A. Datum
Organizational unit: IT
City/locality: Seattle
State/province: Washington
Country/region: US
Online Certification Authority: Adatum-SEA-DC1-CA\SEA-
DC1.Adatum.com
Friendly name: WebSSL

Task 3: Configure RRAS


On SEA-DC1, use the Routing and Remote Access administrative tool to
enable routing and remote access.
Configuration: Custom configuration
Custom configuration: VPN access
Start the service

Note: A custom configuration is used because SEA-DC1 has only a single network
adapter. You must have two network adapters to select the Remote Access (Dial-Up Or
VPN) configuration.
Task 4: Create a network policy to allow VPN access
On SEA-DC1, use Network Policy Server to create a new network policy.
Policy name: Allow Domain Admins
Condition: Windows Groups Adatum\Domain Admins
Access permission: Access Granted
Authentication type: default
Constraints: default
Settings: default

Task 5: Configure the client with a trusted root certificate


1. On SEA-CL1, use Internet Explorer to open the Certificate Services Web site at
http://SEA-DC1.Adatum.com/certsrv.
2. Log on as Adatum\Administrator with a password of Pa$$w0rd.
3. Download a CA certificate, open it, and install it.
Automatically select the certificate store based on the type of
certificate.
4. Open an empty MMC console and add:
The Certificates snap-in focused on My user account
The Certificates snap-in focused on Local computer
5. Copy the Adatum-SEA-DC1-CA certificate from Certificates Current User\
Intermediate Certification Authorities\Certificates to Certificates (Local
Computer)\Trusted Root Certification Authorities\Certificates.
Task 6: Configure and test an SSTP VPN connection
1. On SEA-CL1, open Connect To from the Start menu.
2. Set up a new connection
Connect to a workplace
Use my Internet connection (VPN)
I'll set up an Internet connection later
Internet address: SEA-DC1.Adatum.com
Destination name: Adatum VPN
Leave the username and password blank
3. Open Connect To from the Start menu.
4. Open the properties of the Adatum VPN connection and select SSTP as the
type of VPN on the Networking tab.
5. Connect the Adatum VPN.
6. Open Connect To from the Start menu and verify that the Adatum VPN
connection is connected.
7. Disconnect the VPN connection

Note: If you experience an error during your connection attempt, review the
configuration of your SSTP listener by using the instructions from Setting Up
The SSTP Listener And Verifying It in the Routing And Remote Access Blog at
http://go.microsoft.com/fwlink/?LinkID=167164&clcid=0x409. In particular, SSTP does not
pick up a replacement certificate on its own: if you replace the server certificate, you must
manually remove the certificate binding that SSTP uses and bind the new certificate.
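A way to check the SSTP listener binding before troubleshooting further, as an added example that is not part of the course or of the referenced blog post: SSTP listens through HTTP.sys on TCP 443, so the certificate hash that netsh http reports for the HTTPS binding should be the thumbprint of the WebSSL certificate created in Task 2. It assumes Windows Server 2008 with Windows PowerShell 1.0 on SEA-DC1 and the friendly name WebSSL from the lab.

```powershell
# Added example, not from the course. Windows Server 2008 / PowerShell 1.0, run elevated on SEA-DC1.

function Get-WebSslThumbprint {
    # Thumbprint of the certificate the lab named WebSSL, from the computer's personal store
    $cert = Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'WebSSL' } | Select-Object -First 1
    if ($cert -eq $null) { return $null }
    return $cert.Thumbprint.ToLower()
}

function Get-HttpsBindingHashes {
    # Every 'Certificate Hash' that HTTP.sys currently has bound, lower-cased for comparison
    $hashes = @()
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $hashes += $Matches[1].ToLower() }
    }
    return $hashes
}

function Test-SstpCertificate {
    $expected = Get-WebSslThumbprint
    if ($expected -eq $null) { return 'WebSSL certificate not found in Cert:\LocalMachine\My' }
    $bound = Get-HttpsBindingHashes
    if ($bound -contains $expected) { return 'HTTPS binding uses the WebSSL certificate' }
    return 'HTTPS binding uses a different certificate (or none); rebind as described in the note above'
}

Test-SstpCertificate
```

If the binding is missing or carries another hash, the client sees a certificate or connection error even though RRAS is running; that is the case the note above refers to.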

Results: After this exercise, you should have successfully implemented an SSTP VPN.
Exercise 4: Implementing NAP with DHCP Enforcement
Scenario
As part of your security plan, you have decided to implement NAP with DHCP enforcement. This keeps unhealthy computers off the full network until they are remediated, which helps to prevent the spread of malware. DHCP enforcement is the simplest enforcement method to deploy, but it only constrains computers that request an address from DHCP; a computer configured with a static IP address is not restricted, so treat it as a hygiene control rather than a security boundary.
The main tasks for this exercise are as follows:
1. Install Network Policy Server.
2. Configure NPS.
3. Configure DHCP.
4. Configure NAP Client by using Group Policy.
5. Configure networking on the client.
6. Configure the SHV.
7. Test compliance and auto-remediation on the client.
8. Close all virtual machines and discard undo disks.

Task 1: Install Network Policy Server


On SEA-DC1, use Server Manager to add the Network Policy and Access
Services server role.
Include the Network Policy Server role service.

Task 2: Configure NPS


1. On SEA-DC1, use the Network Policy Server administrative tool to select the
Network Access Protection (NAP) standard configuration and then configure
NAP.
Connection method: Dynamic Host Configuration Protocol (DHCP)
Policy name: NAP DHCP
RADIUS clients: None
DHCP scopes: None
User and machines groups: None
Remediation server groups: None
Windows Security Health Validator
Enable auto-remediation of client computers
Deny full network access to NAP-ineligible client computers
2. Review the connection request policies created by the wizard.
3. Review the network policies created by the wizard.
4. Review the health policies created by the wizard.

Task 3: Configure DHCP


1. On SEA-DC1, use the DHCP administrative tool to enable Network Access
Protection for the Adatum Scope, and use the Default Network Access
Protection profile.
2. On the Advanced tab of Scope Options, for the User Class: Default Network
Access Protection Class, configure the following:
006 DNS Servers: 10.10.0.10
015 DNS Domain Name: restricted.adatum.com

Task 4: Configure NAP Client by using Group Policy


1. On SEA-DC1, use Active Directory Users and Computers to create a new
organizational unit, named NAP Clients, in the root of the Adatum.com
domain.
2. Move the SEA-CL1 computer object into the NAP Clients organizational unit.
3. Use the Group Policy Management administrative tool to create a new Group
Policy object, named DHCP NAP Client, linked to the NAP Clients
organizational unit and with the following settings:
Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent: Automatic
Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients\DHCP Quarantine Enforcement Client: Enable
Computer Configuration\Policies\Windows Settings\Security
Settings\Network Access Protection\NAP Client Configuration: Apply
from context menu
Computer Configuration\Policies\Administrative
Templates\Windows Components\Security Center\Turn on Security
Center (Domain PCs only): Enabled

Task 5: Configure networking on the client


1. Restart SEA-CL1, and log on as Administrator with a password of Pa$$w0rd.
2. On SEA-CL1, open a command prompt and use the following command to
update group policy settings:
gpupdate
3. Reconfigure Local Area Connection to use DHCP to obtain an IP address and
DNS server.
4. Open a command prompt and use the following command to view the
configured IP address:
ipconfig /all
5. Notice that an IPv4 address has been configured, but the subnet mask is
255.255.255.255 and the Connection-specific DNS suffix is
restricted.adatum.com.

Task 6: Configure the SHV


On SEA-DC1, use the Network Policy Server administrative tool to configure
the Windows Security Health Validator in Network Access Protection.
Test only for an enabled firewall
Task 7: Test compliance and auto-remediation on the client
1. On SEA-CL1, renew the IP address by using the command ipconfig /renew.
2. Notice that SEA-CL1 now has a default gateway, a subnet mask of 255.255.0.0, and a Connection-specific DNS suffix of Adatum.com.
3. In the Control Panel Security settings, turn off Windows Firewall.
4. Notice that Windows Firewall status is off only briefly before the NAP client turns it back on (auto-remediation).
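The client side of Tasks 4, 5 and 7 from the command line, as an added example that is not part of the course lab: it turns on the NAP agent and the DHCP enforcement client locally (the Group Policy route of Task 4 is the right one for production; this is for a test client), renews the lease, reads the restricted-network indicators that Task 5 describes, and then repeats the firewall test from Task 7. It assumes Windows Vista or Windows Server 2008 with Windows PowerShell 1.0 on SEA-CL1, an IPv4-only lab network, and the restricted.adatum.com suffix from Task 3; 79617 is the identifier of the DHCP Quarantine Enforcement Client.

```powershell
# Added example, not from the course lab. Windows Vista / Server 2008, PowerShell 1.0, run elevated on SEA-CL1.

# Task 4 equivalent without Group Policy: NAP agent automatic and running, DHCP enforcement client on
sc.exe config napagent start= auto
sc.exe start napagent
netsh nap client set enforcement id=79617 admin=enable   # 79617 = DHCP Quarantine Enforcement Client

function Get-NapDhcpPosture {
    # Reads the first adapter in 'ipconfig /all' and reports the signs of a restricted lease:
    # a /32 mask, no default gateway and the restricted DNS suffix from the DHCP NAP user class.
    $text = ipconfig /all | Out-String
    $mask = ''; $suffix = ''; $gateway = ''
    if ($text -match 'Subnet Mask[ .]*:[ \t]*([0-9.]*)') { $mask = $Matches[1] }
    if ($text -match 'Connection-specific DNS Suffix[ .]*:[ \t]*([A-Za-z0-9.-]*)') { $suffix = $Matches[1] }
    if ($text -match 'Default Gateway[ .]*:[ \t]*([0-9.]*)') { $gateway = $Matches[1] }
    $restricted = ($mask -eq '255.255.255.255') -or ($suffix -eq 'restricted.adatum.com')
    return @{ Mask = $mask; Suffix = $suffix; Gateway = $gateway; Restricted = $restricted }
}

# Task 5 / Task 7 step 1: renew and look at the lease the DHCP server handed out
ipconfig /renew | Out-Null
$posture = Get-NapDhcpPosture
if ($posture.Restricted) { 'Restricted network: suffix ' + $posture.Suffix + ', mask ' + $posture.Mask }
else { 'Full access: gateway ' + $posture.Gateway + ', mask ' + $posture.Mask }
netsh nap client show state    # enforcement client state and the last SHA/SHV result

# Task 7 steps 3 and 4: break compliance on purpose and watch auto-remediation put the firewall back
netsh advfirewall set allprofiles state off
Start-Sleep -Seconds 15
netsh advfirewall show allprofiles state    # expect State ON for each profile again
```

Before Task 6 configures the SHV, the renewed lease should report Restricted; after it, the same function should report the Adatum.com suffix and a gateway, which is what Task 7 step 2 asks you to observe.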

Results: After this exercise, you should have successfully implemented NAP with DHCP
enforcement.

To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. How does Defense-in-Depth help you identify and mitigate risks?

2. What is the default configuration for outbound rules in Windows Firewall?

3. How can you identify when viruses or malware have infected a computer?

4. How does UAC prevent viruses and malware from infecting a computer?

5. Which type of IPsec authentication is required to configure firewall rules based on users and computers?
Common Issues Related to Remote Access
Identify the causes for the following common issues related to remote access and
fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue Troubleshooting Tip

A VPN connection is blocked by a hotel firewall

A specific user is unable to log on even though he or she is a member of a group that is allowed access

Troubleshooting is difficult because logs are located separately on each VPN server

Configuration is time-consuming because network policies must be created on each VPN server

Real-World Issues and Scenarios


1. You have recently created a standardized list of firewall rules that you want to
apply to all Windows Vista computers in your organization. What is the best
way to do this?

2. You have recently migrated your servers to Windows Server 2008. After the
migration, administrators are being prompted for permission each time they
run an administrative tool on the server. A colleague suggests that this
functionality be disabled because it is annoying. How do you respond?
3. Your organization has recently had a security breach on a Web-based
application server. In addition to analyzing how this problem occurred, you
need to evaluate security overall for this server. What areas do you need to
consider as you identify risks to this server?

4. Your organization has recently reviewed NAP as a potential method for preventing malware from entering the network. Based on the initial evaluation, your manager has asked you to identify the type of NAP enforcement that would be most appropriate for your organization. Your organization would like to begin with the simplest implementation possible for internal users. What type of NAP enforcement should you use?

Best Practices Related to Planning Protection Against Viruses and Malware
Supplement or modify the following best practices for your own work situations:
Use real-time protection to prevent viruses and malware from infecting a
computer. Scheduled scans find malware only after it is already on the
computer.
Use scheduled scans to find malware missed by real-time scanning because the
signature files did not include the malware at the time of infection.
Use antivirus software that can be centrally managed.
Update antivirus definitions at least once per day.
Use quarantine instead of removal for infected files.
Do not disable UAC, particularly for administrators. Disabling UAC also
disables Protected Mode in Internet Explorer.
Module 8
Planning Server Administration
Contents:
Lesson 1: Selecting the Appropriate Administration Tool 8-4
Lesson 2: Planning Server Core Administration 8-17
Lesson 3: Delegating Administration 8-27
Lab: Planning Server Administration 8-34
Module Overview

As a network administrator, you have many responsibilities and have to perform a variety of administrative tasks on a day-to-day basis. Windows Server 2008 provides improved administrative tools that help to reduce the burden on any busy administrator. A good understanding of the administrative tools available will help you administer your network more efficiently.
Beginning with Windows Server 2008, you can choose to install Windows Server
with only core server functionality and with minimal overhead; although this does
limit the server to performing only key infrastructure roles, it can help improve
security and reduce administrative effort. This type of installation is called a Server
Core installation, and knowing how and where to implement Server Core is
important because it ensures you can get the best from your network infrastructure
roles.
In larger networked environments, a single administrator, or even a team of administrators, is unlikely to be able to perform all administrative tasks; often, some of these tasks are delegated to additional groups of individuals within the organization. It is important to know which administrative tasks to delegate, and how to delegate them both securely and efficiently.
Objectives
After completing this module, you will be able to:
Select an appropriate administrative tool for a given situation.
Determine where to deploy Server Core servers.
Delegate administrative tasks.
Lesson 1
Selecting the Appropriate Administration Tool

When you are faced with multiple administrative tasks during your working day, it
is important that you know which tool to use for a specific task. Windows Server
2008 provides tools with both a graphical interface and a command-line interface.
Windows PowerShell extends the capabilities of the command line, and provides
you with a feature-rich, powerful, programmatic interface for performing your
administrative tasks.
As networks get larger, and servers more distant from the administrators that
manage them, it is important that you understand how to enable and perform
administrative tasks remotely.
Objectives
After completing this lesson, you will be able to:
Describe the function of Windows Server 2008 graphical administration tools.
Describe the function of Windows Server 2008 command-line tools.
Administer a server from the command line.
Enable remote administration.
What Are the Graphical Administration Tools?

Key Points
There are many different administrative tools that you use in order to manage
Windows Server; many of these tools provide a graphical interface. If you have
administered earlier versions of Windows, you are probably familiar with many of
these tools. Windows Server 2008 provides two new administrative tools with a
graphical interface: the Initial Configuration Tasks (ICT) wizard and Server
Manager.

Initial Configuration Tasks


The Initial Configuration Tasks wizard is a new feature in Windows Server 2008; it is launched automatically after the operating system installation completes. This tool helps you finish setting up and configuring a new server. Its tasks, several of which are security-related, include:
Set the time zone.
Configure network settings.
Configure the computer name.
Configure workgroup or domain settings.
Enable automatic updates.
Download and install updates.
Add roles or features.
Enable Remote Desktop.
Configure Windows Firewall.

Note: You can rerun the ICT wizard by running Oobe.exe.

Server Manager
The new Server Manager console simplifies the task of administering and securing
server roles with Windows Server 2008. Server Manager in Windows Server 2008
provides tools to:
Add, remove, or manage server roles.
Add, remove, or manage server features.
Access diagnostics tools, including Event Viewer, Device Manager, and the
Reliability and Performance console.
Perform configuration of tasks, firewall settings, services, local users and
groups, and WMI settings.
Configure and manage storage.

In short, the Server Manager console provides a single point for managing a server.
The Server Manager console uses integrated wizards to guide you through the
process of adding server roles; these wizards perform all the necessary dependency
checks and perform conflict resolution so that your server is stable, reliable, and
secure.

Note: You can use Server Manager to add several roles at once, even if they are unrelated. For example, if you plan to provision a server for a branch office, you might select the DNS Server, DHCP Server, and Print Server roles simultaneously.
You can use Server Manager to:
Perform regular, on-going server administration. The Server Manager console
reports on server status, exposes key management tasks, and guides
administrators to advanced management tools.
Manage server roles. A key component of Server Manager is the server role
home pages. These pages provide an integrated view of server roles, including
their current status and current configurations. Some of these consoles include
a filtered event viewer that displays recent events related specifically to that
role. Server role home pages offer controls where you can diagnose problems
by selectively stopping and starting role services. These role-specific
summaries highlight potential problems and offer relevant troubleshooting
tools.

Note: The Server Manager console replaces the Manage Your Server and Configure Your Server Wizard tools of Windows Server 2003 and brings together most of the tasks for which administrators used the Computer Management console; Computer Management itself is still available in Windows Server 2008.
What Are the Command-Line Administration Tools?

Key Points
Although graphical tools are often simpler to use than command-line tools,
command-line tools can often be the quickest way of performing an administrative
task. For example, using Active Directory Users and Computers to change the
telephone number for all users that reside in a particular office building could take
a little while, whereas using a command-line tool enables you to perform the
update in a single, simple line of syntax.

ServerManagerCmd.exe
The ServerManagerCmd.exe tool enables you to perform certain Server Manager
tasks outside of the Windows graphical user interface (GUI), such as installation or
removal of roles, role services and features, command validation, and querying the
current state of the computer.
In addition, ServerManagerCmd.exe allows for installation or removal of multiple
roles, role services, or features in a single command instance by using XML answer
files.
A set of command-line arguments are available to allow additional control over
how the answer file should be executed. For example, you can specify if the server
computer should be restarted automatically when the commands in the answer file
have been executed, perhaps as a requirement of the software you are installing or
removing.
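The answer-file form described above, as an added example that is not part of the course: it installs the Network Policy Server role service from this module's lab together with the Windows PowerShell feature, with a dry run first. It assumes Windows Server 2008 with Windows PowerShell 1.0 and the component identifiers (NPAS, NPAS-Policy-Server, PowerShell) that ServerManagerCmd -query reports on that release.

```powershell
# Added example, not from the course. Windows Server 2008 / PowerShell 1.0, run elevated.

# Inventory: every role, role service and feature with its installed state
ServerManagerCmd.exe -query

# Answer file for a repeatable install of NPS plus Windows PowerShell
$answerFile = Join-Path $env:TEMP 'nps-install.xml'
@'
<ServerManagerConfiguration Action="Install"
    xmlns="http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1">
  <Role Id="NPAS" />
  <RoleService Id="NPAS-Policy-Server" />
  <Feature Id="PowerShell" />
</ServerManagerConfiguration>
'@ | Set-Content -Path $answerFile -Encoding ASCII

# Dry run: lists what the answer file would install and changes nothing
ServerManagerCmd.exe -inputPath $answerFile -whatIf

# Real run with a log; add -restart to reboot automatically only if a component requires it
ServerManagerCmd.exe -inputPath $answerFile -logPath (Join-Path $env:TEMP 'nps-install.log')

# Verify: the installed state ([X]) is in the -query output, so filter for the two components
ServerManagerCmd.exe -query | Select-String -Pattern 'NPAS-Policy-Server', 'PowerShell'
```

Keeping the answer file in version control gives you a record of what each server class is supposed to have installed, which is easier to audit than a sequence of wizard clicks.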

Network Command-Line Tools


You can use the following tools at the command prompt to perform management
of network-related settings:
Netsh, or network shell, enables you to perform most network management
tasks. For example, you can reconfigure basic IP settings, configure Windows
Firewall, or configure settings on a Dynamic Host Configuration Protocol
(DHCP) server.
Netdom enables you to perform a number of domain and computer name-related tasks, including adding a computer to a domain, changing a computer's name, and managing trust relationships between domains.
DNScmd enables you to administer the Domain Name System (DNS) server role from the command prompt.
DFScmd enables you to administer the Distributed File System (DFS) role service of the File Services role from the command prompt.
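The netsh and netdom tasks named above on a freshly built server, as an added example that is not part of the course: it sets a static address and DNS server, confirms that the domain's SRV records resolve, and then joins the domain. It assumes Windows Server 2008 with Windows PowerShell 1.0 and the AD DS tools (which provide netdom) installed, an adapter named Local Area Connection, and the lab's adatum.com domain with SEA-DC1 at 10.10.0.10; the address 10.10.0.50 and the gateway are placeholders.

```powershell
# Added example, not from the course. Windows Server 2008 / PowerShell 1.0, run elevated on a new server.

$nic = 'Local Area Connection'

# Static IPv4 address, mask and gateway, then the domain controller as the only DNS server
netsh interface ipv4 set address name="$nic" source=static address=10.10.0.50 mask=255.255.0.0 gateway=10.10.0.1
netsh interface ipv4 set dnsserver name="$nic" source=static address=10.10.0.10 register=primary

function Test-DomainResolution([string]$domain) {
    # A join fails without the domain's SRV records, so check that before calling netdom
    $answer = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String
    return ($answer -match 'svr hostname')
}

if (Test-DomainResolution 'adatum.com') {
    # /passwordd:* prompts for the password so it stays out of the command history;
    # /reboot restarts the server once the join succeeds
    netdom join $env:COMPUTERNAME /domain:adatum.com /userd:adatum\administrator /passwordd:* /reboot
} else {
    'DNS does not resolve the domain SRV records; fix the DNS setting before joining'
}
```

The resolution check is the step most often skipped in scripts; a join that fails because of DNS produces an error that looks like a credential problem.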

Active Directory Command-Line Tools


You can use the following tools from the command line to perform administration
of objects within your Active Directory forest:
Dsmod enables you to modify the properties of a specific Active Directory
object.
Dsquery enables you to search for objects that match defined criteria.
Dsget enables you to view a specified property of a given Active Directory
object.
Csvde uses comma-separated value files in order to import objects to or export
objects from Active Directory.
Ldifde uses a Lightweight Directory Access Protocol (LDAP) conformant file to
create, modify, and delete Active Directory objects.
Dcpromo is a powerful tool that enables you to promote a computer to or
demote a computer from the domain controller role; it can be used with an
answer file to perform automated domain controller deployments.
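The office-move task from this lesson's demonstration question, done with the DS tools, as an added example that is not part of the course: dsquery emits one DN per line and dsmod reads DNs from standard input, so the two chain directly, with csvde keeping a before-image. It assumes Windows Server 2008 with the AD DS tools and Windows PowerShell 1.0, the lab's adatum.com domain, and the office names London and Windsor from the demonstration question; physicalDeliveryOfficeName is the LDAP attribute behind the Office field in Active Directory Users and Computers.

```powershell
# Added example, not from the course. Windows Server 2008 with the AD DS tools, PowerShell 1.0.

$filter = '(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=London))'

# 1. Find the affected users first. dsquery prints one quoted DN per line; -limit 0 lifts the 100-object cap.
$moving = dsquery * domainroot -filter $filter -limit 0
'{0} user(s) currently in the London office' -f @($moving).Count

# 2. Keep a before-image so the change can be reverted: csvde exports the same set with the attributes of interest
#    (the attribute list is quoted so PowerShell does not split it on the comma)
csvde -f (Join-Path $env:TEMP 'london-before.csv') -r $filter -l 'physicalDeliveryOfficeName,telephoneNumber'

# 3. Apply the change: dsmod reads DNs from standard input, so the query result feeds it directly
$moving | dsmod user -office Windsor

# 4. Verify with dsget: every DN should now report Windsor
$moving | dsget user -office
```

Running the query and the export before the modification is what turns a one-line bulk change into one you can review and undo.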

Windows PowerShell
You install Windows PowerShell as a Windows Server 2008 feature. It is included
as a standard part of the Windows Server 2008 operating system. Windows
PowerShell is based on cmdlets that enable you to perform virtually any
management or administrative tasks by using simple, discoverable, verb-noun
syntax. One of the most far-reaching features of Windows PowerShell is the ability
to pipe, or pass, the result of one command to a following command; in this way,
you can create very powerful administrative commands with very little knowledge
of scripting.

Note: Windows PowerShell is based on the Microsoft .NET Framework. A Server Core installation of Windows Server 2008 does not support the .NET Framework, so you cannot install Windows PowerShell on a Server Core server; administer those servers with the command-line tools above, or remotely.
Demonstration: Administering a Server from the
Command Line

Key Points
Use standard command-line tools.
Use Windows PowerShell.
Use the Directory Service (DS) tools.

High-level steps:
1. Use the Netsh command-line tool to configure network settings.
2. Use the Netdom command-line tool to perform Active Directory-related administrative tasks.
3. Use winrs to execute a command on a remote server.
4. Install the Windows PowerShell feature.
5. Perform some typical Windows PowerShell tasks.
6. Create and use a Windows PowerShell function.
7. Create and test a basic Windows PowerShell script.
8. Format the output from Windows PowerShell commands.
9. Use the DS tools to perform Active Directory-related tasks.

Question: How would you accomplish the task of updating users' office location by using Active Directory Users and Computers? For example, if all users with a specific office location of London were moving to Windsor?
Implementing Remote Administration

Key Points
In the early days of networking, it was common for administrators to perform
management tasks sitting at the server console. As networks have grown in size
and importance, this practice of interactive administration has diminished.
Consequently, it is important that you understand how to enable and use the
various remote management tools and technologies provided in Windows
Server 2008.

Changing the Focus of a Tool


Most administrative tools enable you to select the focus for your tool; for example,
you can use the DHCP console to manage a remote DHCP server by adding the
remote server to the console. This is often the simplest way of achieving remote
administration.
Remote Server Administration Tools
Obviously, you can only add a remote server to an administrative console if your
computer has the administrative tools installed. You can install the Remote Server
Administration Tools (RSAT) as a feature on any Windows Server 2008 server
computer. To install the tools on a client computer running Windows Vista, you
must first download the tools.

Note: You can download the RSAT tools for Windows Vista from the Microsoft Download
Center at http://go.microsoft.com/fwlink/?LinkID=166022&clcid=0x409.

Remote Desktops
Perhaps one of the easiest ways of performing remote administration is to use
Remote Desktop. You can enable Remote Desktop on your remote server by using
the Remote Settings link from System in Control Panel. You can then use the
Remote Desktop Connection to connect to your remote server from any other
server or client computer. The advantage of using this method is that it requires no
additional features or software to be installed on the client or server computer.
If you want to administer multiple computers simultaneously, you can use the
Remote Desktops snap-in. To do this, run tsmmc.msc on any server computer. You
can then create Remote Desktop connections to multiple remote computers.

Windows Remote Management Command-Line Tool (WinRM)
You can also administer remote server computers with various command-line
tools. WinRM is the Microsoft implementation of the WS-Management protocol
that provides a way to communicate with both local and remote computers
securely by using Web services. For example, to enable remote management for a
computer, you can use the following command:

Winrm quickconfig

Additional Information
For more information about Windows Remote Management tools, see
http://go.microsoft.com/fwlink/?LinkID=164006&clcid=0x409.
Windows Remote Shell (WinRS)
WinRS enables you to perform a command-line task over a secured connection on
a remote host. For example, to determine the current IP configuration of a remote
server, you can use the following command:

winrs -r:sea-dc1 -u:administrator -p:Pa$$w0rd ipconfig

Firewall Issues
It is important to realize that by default, Windows Firewall is enabled on all
network connections. Remote administration tools use a variety of protocols and
ports to connect to remote servers. You must modify the firewall settings to enable
remote administration. The following settings are relevant for enabling remote
administration:
Remote Administration
Remote Desktop
Remote Event Log Management
Remote Scheduled Tasks Management
Remote Service Management
Remote Volume Management
Windows Management Instrumentation (WMI)
Windows Remote Management
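The state of these rule groups can be checked before any of them is enabled. The following Windows PowerShell script is an added example and is not part of this course: it parses the output of netsh advfirewall firewall show rule name=all (English output is assumed) and reports, for each rule group listed above, how many inbound rules exist and how many of them are enabled. Run it from an elevated prompt on the server that you intend to manage remotely.

```powershell
# Added example, not from the course: report the enabled state of the firewall
# rule groups that remote administration relies on. Read-only; it changes nothing.
# Assumes English netsh output and Windows Server 2008 or later (netsh advfirewall).

$remoteAdminGroups = @(
    "Remote Administration",
    "Remote Desktop",
    "Remote Event Log Management",
    "Remote Scheduled Tasks Management",
    "Remote Service Management",
    "Remote Volume Management",
    "Windows Management Instrumentation (WMI)",
    "Windows Remote Management"
)

# Turn the "Label:   value" blocks printed by netsh into objects.
# Every rule starts with a "Rule Name:" line; the fields we need follow it.
function Get-FirewallRule {
    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current -ne $null) { $rules += $current }
            $name = $matches[1].Trim()
            $current = New-Object PSObject
            $current | Add-Member NoteProperty Name $name
            $current | Add-Member NoteProperty Enabled ""
            $current | Add-Member NoteProperty Direction ""
            $current | Add-Member NoteProperty Grouping ""
        }
        elseif ($current -ne $null) {
            if ($line -match '^Enabled:\s+(\S+)')   { $current.Enabled   = $matches[1] }
            if ($line -match '^Direction:\s+(\S+)') { $current.Direction = $matches[1] }
            if ($line -match '^Grouping:\s+(.+)$')  { $current.Grouping  = $matches[1].Trim() }
        }
    }
    if ($current -ne $null) { $rules += $current }
    $rules
}

# One summary row per rule group: inbound rule count and how many are enabled.
function Get-RemoteAdminRuleStatus {
    $rules = Get-FirewallRule
    foreach ($group in $remoteAdminGroups) {
        $inbound = @($rules | Where-Object { $_.Grouping -eq $group -and $_.Direction -eq "In" })
        $enabled = @($inbound | Where-Object { $_.Enabled -eq "Yes" })
        if ($inbound.Count -eq 0)                   { $status = "not present" }
        elseif ($enabled.Count -eq $inbound.Count)  { $status = "open" }
        elseif ($enabled.Count -eq 0)               { $status = "blocked" }
        else                                        { $status = "partial" }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Group $group
        $row | Add-Member NoteProperty InboundRules $inbound.Count
        $row | Add-Member NoteProperty EnabledRules $enabled.Count
        $row | Add-Member NoteProperty Status $status
        $row
    }
}

Get-RemoteAdminRuleStatus | Format-Table -AutoSize
# To open one group, use the course's netsh command, for example:
#   netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
```

Only the groups that a given server actually needs should show as "open"; a group reported as "partial" usually means one protocol (for example the RPC endpoint mapper rule) was enabled by hand while the rest of the group was not.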
Lesson 2
Planning Server Core Administration

With the Server Core installation type, Windows Server 2008 can be installed with
only core functionality. By installing only the binaries, services, and supporting
files needed to run core network infrastructure roles, Server Core provides a more
secure and stable platform.
Objectives
After completing this lesson, you will be able to:
Describe Server Core.
List the server roles and features supported by Server Core.
Determine when to deploy Server Core.
Enable effective administration of Server Core.
What Is Server Core?

Key Points
Windows Server 2008 Server Core provides a minimal operating system
installation. This reduces disk space and memory requirements, and the reduced
footprint requires less maintenance and exposes fewer opportunities for network
attacks, which can make Server Core a good candidate for remote branch office
scenarios.
Server Core is a minimal server installation option for Windows Server 2008
without a GUI. Server Core provides an environment for running key network
infrastructure roles only. To accomplish this, the Server Core installation option
installs only a subset of the executable files and supporting dynamic-link libraries
(DLLs).
Server Core provides several benefits.
Server Core requires less software maintenance, such as installing updates.
Server Core has fewer attack vectors (services with listening ports) exposed to
the network, and therefore less of an attack surface.
Server Core is easier to manage.
Server Core uses less disk space for installation.

You can perform an unattended Server Core deployment to install and configure
Server Core simultaneously, rendering post-installation configuration of the new
server unnecessary; this capability can be used to support scenarios like rapid
datacenter capacity scale-out or server deployment for remote branch offices.
Server Core supports network infrastructure roles, including:
DHCP Server
DNS Server
File Server
Domain Controller

This provides a stable, easier-to-secure platform for these roles.


What Server Roles and Features Does Server Core Support?

Key Points
The Server Core installation of Windows Server 2008 supports the following server
roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services
Print Services
Hyper-V
Web Services (IIS)
After the installation is complete and the server is configured for use, you can also
install optional features. The Server Core installation of Windows Server 2008
supports the following optional features:
Failover Clustering
Windows Internet Name Service (WINS)
Network Load Balancing
Subsystem for UNIX-based applications
Backup
Multipath IO
Removable Storage Management
Windows BitLocker Drive Encryption
Simple Network Management Protocol (SNMP)
Distributed File System Replication
Simple Network Time Protocol (SNTP)
Discussion: When to Deploy Server Core

Key Points
Scenario 1
Fabrikam wants to deploy new branch servers to its regional development centers.
The managers have asked you to advise them where they could implement Server
Core, and where they must use a full installation of Windows Server 2008.

Question: A number of Windows PowerShell scripts have been developed in order
to make changes to an application that is to be installed on one branch server. Is
Server Core suitable?
Scenario 2
Contoso has decided to implement Server Core to support its users wherever
possible. The company wants to implement a domain controller at each branch
office.

Question: Could this role be supported by a Server Core deployment?

Question: It is important that data about the servers be collected by Contoso's
third-party SNMP-management information system. Does this preclude the use of
Server Core?

Scenario 3
Northwind Traders has started to deploy Windows Server 2008 servers around the
organization. The company wants to ensure that its branch offices can support its
users' needs in the event of a network failure between the branch and the head
office. Security is important because the branch offices often have customers
walking in off the street, and there is nowhere at the branches to physically secure
servers.

Question: What do you propose as a server solution for Northwind Traders?
Include the roles and features required to support your proposal.
Administering Server Core

Key Points
Because no GUI is available, configuring and administering a Server Core
installation requires a different approach when compared to a full Windows Server
2008 installation. The minimal interface in Server Core requires a modified use of
command prompt administrative tools or remote administration over the network.

Initial Configuration
Before you can administer the server, you must complete the post-installation
configuration steps. These are:
Specify the IPv4 address. A DHCP address is configured by default, but you
can specify a static address.

Netsh interface ipv4 set address name="Local Area Connection" source=static address=10.10.0.100 mask=255.255.0.0 gateway=10.10.0.1 1
Specify the IPv4 DNS client-resolver configuration.

Netsh interface ipv4 set dns name="Local Area Connection" source=static address=10.10.0.200 primary

Change the computer name.

Netdom renamecomputer %computername% /newname:sea-svr1

If you need to join the Server Core system to an existing Windows domain,
you will need a username and password for an account that has the proper
credentials.

Netdom join %computername% /domain:ADATUM /userd:ADATUM\administrator /passwordd:*

Configure the firewall.

Netsh advfirewall firewall set rule group="program to allow" new enable=yes

Note: The program to allow is substituted with Remote Administration, Remote Service
Management, and the other remote management options discussed in the last lesson.

Activate the new installation of Windows Server 2008.

Slmgr.vbs -ato

Enable automatic updates.

Cscript c:\windows\system32\scregedit.wsf /AU 4

Note: Not all tasks can be performed from the command line or remotely through an
MMC snap-in. To enable you to configure these settings, the scregedit.wsf script is
included with the Server Core installation of Windows Server 2008. Scregedit.wsf can be
used to configure the paging file, enable automatic updates, enable error reporting,
enable Remote Desktop, and enable Terminal Server clients on previous versions of
Windows to connect to the Server Core-based computer. Scregedit.wsf is
located in the \Windows\System32 folder of the server running the Server Core
installation.
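The steps above can be verified from a full installation over the network instead of at the Server Core console. The following Windows PowerShell script is an added example, not part of this course; it reads the target's network and domain settings through WMI (Get-WmiObject with -ComputerName) and compares them with the values used in the commands above. It assumes that the Windows Management Instrumentation (WMI) firewall rule group has been enabled on the target, that you run it with administrative rights there, and that adatum.com is the DNS name of the ADATUM domain (the lab's LDAP path uses DC=Adatum,DC=com).

```powershell
# Added example, not from the course: verify a Server Core machine's
# post-installation settings from a management server over WMI. Assumes the
# "Windows Management Instrumentation (WMI)" firewall group is enabled on the
# target and that the caller has administrative rights there. The expected
# values are the ones used in the course's netsh and netdom commands; adatum.com
# is an assumption for the DNS name of the ADATUM domain.

$target = "sea-svr1"
$expected = @{
    IPAddress  = "10.10.0.100"
    SubnetMask = "255.255.0.0"
    Gateway    = "10.10.0.1"
    DnsServer  = "10.10.0.200"
    Domain     = "adatum.com"
}

function Test-CoreConfiguration($computer, $exp) {
    # First IP-enabled adapter; adjust the filter if the server has several.
    $nic = @(Get-WmiObject -ComputerName $computer -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")[0]
    $cs  = Get-WmiObject -ComputerName $computer -Class Win32_ComputerSystem

    # Each check is a (label, result) pair; -contains handles the array-valued
    # WMI properties and is false when the property is empty.
    $checks = @(
        @("Computer name",            ($cs.Name -eq $computer)),
        @("Static address (no DHCP)", (-not $nic.DHCPEnabled)),
        @("IPv4 address",             ($nic.IPAddress -contains $exp.IPAddress)),
        @("Subnet mask",              ($nic.IPSubnet -contains $exp.SubnetMask)),
        @("Default gateway",          ($nic.DefaultIPGateway -contains $exp.Gateway)),
        @("DNS server",               ($nic.DNSServerSearchOrder -contains $exp.DnsServer)),
        @("Joined to domain",         ($cs.PartOfDomain -and $cs.Domain -eq $exp.Domain))
    )
    foreach ($c in $checks) {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Check $c[0]
        $row | Add-Member NoteProperty Pass  $c[1]
        $row
    }
}

Test-CoreConfiguration $target $expected | Format-Table -AutoSize
```

A failed "Joined to domain" row with the other rows passing usually points at the netdom step (wrong credentials or DNS not resolving the domain); a connection error from Get-WmiObject itself means the WMI firewall group is still closed on the target.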
Ongoing Administration
After you have completed these steps, you can then remotely administer the server
by using the various methods described in the preceding lesson. Alternatively, you
can manage the Server Core installation from the command line interactively.
These commands are:
Tasklist. Displays and enables management of running tasks.
Oclist. Enables you to determine the available roles and features.
Ocsetup. Enables you to add or remove roles and features.
Netsh. Provides for network management.
Netdom. Provides for computer and domain administration.
Cscript. Enables you to launch scripts.
Dnscmd. Provides for management of the installed DNS server role.
Dfscmd. Enables you to manage DFS.

The Ocsetup command enables you to add or remove server roles; the role package
name is case-sensitive.
To add a role:

Start /w Ocsetup DHCPServerCore

To remove a role:

Start /w Ocsetup DHCPServerCore /Uninstall

Note: You cannot use the Active Directory Domain Controller Installation Wizard
(Dcpromo.exe) on a server running Server Core. You must use an unattended file with
Dcpromo.exe to install or remove the Domain Controller role on a server running a
Server Core installation.
Lesson 3
Delegating Administration

Busy administrators cannot be expected to perform all day-to-day administration of
all servers within their organization. It is important to consider delegating certain
administrative tasks to individuals or teams of individuals in order to more
efficiently administer an organization's network infrastructure.
Objectives
After completing this lesson, you will be able to:
List the common administrative tasks.
Determine which tasks can be delegated.
Delegate common administrative tasks.
What Are the Common Administrative Tasks?

Key Points
In your role as a server administrator, you have many different tasks to perform;
some you perform infrequently, such as deploying additional servers; others, you
perform more frequently, such as resetting user passwords.
In order to enable you to work more efficiently, you can consider delegating some
of these tasks to other users within the organization. This topic describes the
common administrative tasks that you could consider delegating.

User and Group Administration
There are a variety of tasks that relate to user and group administration. These
include:
Creating user accounts
Modifying users' properties
Resetting users' passwords
Moving user accounts
Deleting user accounts
Creating group accounts
Managing group account membership
Moving groups
Deleting groups

Client Computer Deployment and Administration
Most organizations regularly deploy new client computers. Tasks that relate to
computer deployment include:
Deploy the operating system to the client computer
Join the client computer to the domain
Reconfigure the client computer settings

Server Administration
To some extent, all of the administrative tasks discussed in this topic can be
considered to be server administration. However, for the purposes of this
discussion, server administration focuses on the tasks you perform solely on the
server computer:
Stop and start computer services.
Perform backup and restore operations.
Add and remove server roles or features.
Manage storage.
Configure local folder security.
Enable and configure sharing.
Configure firewall settings.
Configure specific applications that are installed on the server, for example
Microsoft Exchange Server, Microsoft SQL Server, or others.
Shut down the server.
Group Policy Administration
Most organizations choose to use Group Policy Objects (GPOs) within their Active
Directory forest as an easy way to manage user and computer settings. These GPOs
have a far-reaching effect, so delegation of GPO administration should be carefully
considered. GPO-related administration includes:
Create new GPO.
Link GPO to specific Active Directory container object, such as an
Organizational Unit.
Configure GPO permissions.
Edit the GPO settings.
Use Group Policy management tools, such as the Group Policy Results
Wizard.

Network Infrastructure Administration
The network infrastructure roles include DHCP, DNS, WINS, Windows
Deployment Services, and Network Policy and Access Services. Some of the tasks
associated with these roles include:
Add or remove DHCP servers.
Create DHCP scope.
Administer DHCP scope options.
Authorize DHCP server in Active Directory.
Add or remove DNS servers.
Create DNS zones.
Administer the zone records.
Add the WINS server feature.
Administer WINS records.
Add the WDS role.
Configure images.
Administer routing and remote access.
Administer Network Access Protection.
Administer network policies.

Active Directory Administration
Aside from administering users, groups, computers, and GPOs, all of which are
Active Directory objects, there are other aspects of Active Directory administration.
These include:
Modifying the schema
Adding or removing domains from the forest
Creating and administering trusts within and between forests
Creating and administering sites, site-links, site-link bridges, and subnets
Creating and administering organizational units (OUs)
Adding or removing domain controllers to an existing domain
Modifying the global catalog properties
Administering Active Directory replication

Note: This is not an exhaustive list of all administrative tasks, but rather should serve as
the basis for discussion about which administrative tasks could be delegated, and to
whom.
Discussion: Which Tasks Should You Delegate?

Key Points
This is an open discussion. Consider the list of administrative tasks in the
preceding topic, and as a class, discuss which you might consider delegating. In
addition, explain to whom you might delegate the task. For example, you might
decide to delegate the ability to reset user passwords to someone at a branch office
with relevant technical experience at management level. However, you might not
want that same user to be responsible for deploying computer accounts.
Demonstration: Delegating Administrative Tasks

Key Points
Delegate common administrative tasks

High-level steps:
1. Delegating administrative tasks to members of a local group.
2. Delegating administrative tasks by using the Delegate Control wizard.
3. Viewing and modifying Active Directory object permissions to enable
delegation.
4. Testing the delegated abilities.

Question: Would you recommend delegating common tasks directly to user
accounts? Why or why not?
Lab: Planning Server Administration

Note: Your instructor may run this lab as a class discussion.

The Sales department branch offices have been operational for some time. Joe
Healy has requested more control over the administration of the Sales branches.

Exercise 1: Planning for Branch Office Administration
Scenario
You track down a corporate document that provides more information about
which elements of the IT infrastructure are centrally managed. Alan Steiner has
appended some comments to this document that are pertinent to Sales. You must
determine which administrative tasks you can delegate to Joe.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Update the Branch Office Delegation document with your proposals.
Supporting Documentation

A Datum Corporate Security Policy.doc

No infrastructure roles should be delegated; DHCP, DNS, WINS, and WDS
should all be managed centrally by IT.
Group Policy Objects must only be created by IT.
Whenever delegation takes place, users must never be assigned permissions
directly; rather, an appropriate group strategy must be implemented.

Additional comments added [Alan Steiner, IT Department]

Branch offices are equipped with Read-Only Domain Controllers (RODCs), so any
edits to Active Directory objects must be made at the writable domain controllers
(DCs).
Joe needs to be able to determine which Group Policy settings will apply directly to
the sales team. Any really important stuff is configured at the domain level with
enforcement of the relevant GPO.
Joe needs to be able to manage user, group, and computer objects in the Sales OU
only.
We don't want to bother deploying administration tools to the client computer
desktops, so any administration must be handled over Remote Desktop Protocol
(RDP).
We're building up a library of useful Windows PowerShell scripts. I imagine we'll
want to let Joe have access to those.
Branch Office Delegation

Document Reference Number: GW0511/1

Document Author: Gregory Weber

Date: 5th November

Requirement Overview
Determine which tasks can be delegated to Joe Healy in Sales.
Specify how this delegation will be achieved.

Additional Information

Proposals
1. Which features will you need to install on a recently deployed departmental server
to support administrative delegation?

2. How will you manage the requirement that Joe needs to be able to manage which
GPOs apply to the Sales OU without giving him the ability to edit the GPO
settings?

3. What delegated permissions will you give to Joe in Active Directory?

4. How will you achieve this?

5. Because you are not permitted to grant Joe any delegated permissions directly,
how will you achieve the required delegation?
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Delegation document with your proposals
Answer the questions in the Branch Office Delegation document.

Results: After this exercise, you should have a completed Branch Office Delegation
proposal document.
Exercise 2: Delegating Administration to Branch Office
Personnel
Scenario
Having determined which tasks you intend to delegate and to whom, you must
now implement your plan.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Create the necessary security group.
3. Delegate control of the Sales OU.
4. Configure group membership on the SEA-SVR1 server.
5. Enable Remote Desktop on SEA-SVR1.
6. Install Windows PowerShell and RSAT on SEA-SVR1.
7. Perform branch administration.
8. Create and run a Windows PowerShell script.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Minimize the Lab Launcher window.
Task 2: Create the necessary security group
1. Switch to the SEA-DC1 computer.
2. Create a new global security group with the following properties:
Location: Sales organizational unit
Name: Sales-Admins
Members: Joe Healy

Task 3: Delegate control of the Sales organizational unit
1. Using the Delegate Control Wizard, delegate the following common tasks to
the Sales-Admins group on the Sales OU:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage Group Policy links
2. In Active Directory Users and Computers, enable the Advanced Features view.
3. Grant the Sales-Admins group the following permissions on the Sales OU:
Create Computer objects/Allow
Delete Computer objects/Allow
4. Grant the Sales-Admins group the following additional permissions on
Descendant Computer objects in the Sales OU:
Full control/Allow
5. Close Active Directory Users and Computers.
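After the wizard has run, the resulting permissions can be read back as access control entries rather than clicked through in the Advanced Security dialog. The following Windows PowerShell script is an added example and not part of the lab; it uses the same [ADSI] LDAP path style as the lab's later script and the ObjectSecurity property of the OU to list every explicit entry granted to ADATUM\Sales-Admins, resolving three well-known schema class GUIDs (user, group, computer) to names and printing other GUIDs as they are. Run it on a computer with the AD DS tools installed, as a user who can read the OU's security descriptor.

```powershell
# Added example, not from the course: list the explicit ACEs on the Sales OU
# that name the Sales-Admins group, so the delegation made in this task can be
# reviewed now and re-checked later. Read-only. The OU path follows the lab's
# LDAP path; the GUID table holds the schemaIDGUIDs of three well-known classes.

$ouPath    = "LDAP://OU=Sales,DC=Adatum,DC=com"
$principal = "ADATUM\Sales-Admins"

# Schema GUIDs for the object classes the wizard's common tasks refer to.
$knownTypes = @{
    "bf967aba-0de6-11d0-a285-00aa003049e2" = "user"
    "bf967a9c-0de6-11d0-a285-00aa003049e2" = "group"
    "bf967a86-0de6-11d0-a285-00aa003049e2" = "computer"
    "00000000-0000-0000-0000-000000000000" = "(all)"
}

function Resolve-TypeName($guid) {
    $key = $guid.ToString()
    if ($knownTypes.ContainsKey($key)) { $knownTypes[$key] } else { $key }
}

function Get-DelegatedAce($path, $identity) {
    $ou  = [ADSI] $path
    $acl = $ou.psbase.ObjectSecurity
    # Explicit entries only (inherited ones come from the domain or parent OUs),
    # with each trustee resolved to DOMAIN\name so it can be compared as text.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $identity) { continue }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Type        $ace.AccessControlType
        $row | Add-Member NoteProperty Rights      $ace.ActiveDirectoryRights
        $row | Add-Member NoteProperty Inheritance $ace.InheritanceType
        # ObjectType narrows the right to one attribute, property set, extended
        # right or child class; InheritedObjectType is the descendant class the
        # entry applies to. Either is (all) when the GUID is empty.
        $row | Add-Member NoteProperty ObjectType  (Resolve-TypeName $ace.ObjectType)
        $row | Add-Member NoteProperty AppliesTo   (Resolve-TypeName $ace.InheritedObjectType)
        $row
    }
}

Get-DelegatedAce $ouPath $principal | Format-Table -AutoSize
```

The rows for steps 3 and 4 should show CreateChild and DeleteChild with ObjectType "computer" on the OU itself, and GenericAll applying to descendant "computer" objects; anything broader than that (for example GenericAll with AppliesTo "(all)") means the delegation reaches further than the lab intends and should be corrected.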
Task 4: Configure group membership on the SEA-SVR1 server
1. Switch to the SEA-SVR1 computer.
2. Open Server Manager, and then in Server Manager, in the navigation tree,
expand Configuration, expand Local Users and Groups, and then click
Groups.
3. Add the Adatum\Sales-Admins global group to the local Administrators
group.

Task 5: Enable Remote Desktop on SEA-SVR1
1. Click Start, right-click Computer, and then click Properties.
2. In the Tasks list, click Remote settings.
3. Enable Remote Desktop with the highest level of security.
4. Enable members of the Sales-Admins global group to access this computer
remotely.
5. Close System.

Task 6: Install Windows PowerShell and RSAT on SEA-SVR1
1. From Server Manager, add the following features:
Remote Server Administration Tools:
Active Directory Domain Services Tools
Windows PowerShell
2. Restart when prompted.
3. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. Complete the installation and then close Server Manager.
Task 7: Perform branch administration
1. Switch to the SEA-CL1 computer.

Note: If you are already logged on as Joe, please log off and then proceed with the lab.

2. Open Remote Desktop Connection:
IP address: 10.10.0.100
Username: adatum\Joe
Password: Pa$$w0rd
3. Open Active Directory Users and Computers.
4. Delete the user Tom Higginbotham from the Sales OU.
5. Create a new computer account in the Sales OU called Sales-1.

Task 8: Create and run a Windows PowerShell script
1. Open Windows PowerShell with elevated privileges.
2. At the Windows PowerShell Command Prompt, type notepad user.ps1, and
then press ENTER.
3. In Notepad, type the following lines of code:

$objOU = [ADSI] "LDAP://OU=sales,DC=Adatum,DC=com"
$objUSR = $objOU.Create("User","cn=Tom Higginbotham")
$objUSR.Put("SAMACCOUNTNAME","Tom")
$objUSR.SetInfo()

4. Save the file and close Notepad.
5. Set the script execution policy to remote signed only:
Type set-executionpolicy remotesigned, and then press ENTER
6. Run the script:
Type ./user.ps1, and then press ENTER
7. Switch to Active Directory Users and Computers and verify creation of the
Tom account in the Sales OU.
8. Close all open windows.
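The lab's user.ps1 creates an account that is disabled and has no password, which is the default for a new user object. The following Windows PowerShell script is an added example and not part of the lab; it extends that script with a duplicate check, an initial password, the change-at-next-logon flag and enabling of the account, using the same [ADSI] approach. The logon name, display name and initial password are constructed values, and adatum.com as the UPN suffix is an assumption based on the lab's LDAP path.

```powershell
# Added example, not from the course: a fuller version of the lab's user.ps1.
# Creates the account in the Sales OU, sets a password, requires a change at
# next logon and enables the account. The OU path follows the lab; the account
# name, display name and initial password are constructed values.

$ouPath = "LDAP://OU=Sales,DC=Adatum,DC=com"

function New-SalesUser($samAccountName, $displayName, $initialPassword) {
    $ou = [ADSI] $ouPath

    # Refuse to create a second account with the same logon name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$samAccountName))"
    if ($searcher.FindOne() -ne $null) { throw "$samAccountName already exists under $ouPath" }

    $user = $ou.Create("user", "CN=$displayName")
    $user.Put("sAMAccountName", $samAccountName)
    $user.Put("displayName", $displayName)
    $user.Put("userPrincipalName", "$samAccountName@adatum.com")   # suffix is an assumption
    $user.SetInfo()                        # the object must exist before a password can be set

    $user.SetPassword($initialPassword)
    $user.Put("pwdLastSet", 0)             # 0 forces a password change at next logon

    # Clear ACCOUNTDISABLE (0x2); a new user is created with 0x202 (disabled, normal account).
    $user.psbase.RefreshCache()
    $uac = [int] $user.Get("userAccountControl")
    if ($uac -band 0x2) { $user.Put("userAccountControl", $uac - 0x2) }
    $user.SetInfo()

    return $user.distinguishedName
}

New-SalesUser "thiggin" "Tom Higginbotham" "Initial-P@ssw0rd-1"
```

When the script is used outside a lab the initial password is read at run time rather than written into the script file, since the file is readable by everyone who can read the script library that Alan mentions.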

Results: After this exercise, you should have successfully delegated administration to
the branch personnel.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. Which administrative tool(s) could you use to add server roles?

2. Which command-line tool(s) enables you to import objects into the Active
Directory directory service?

3. You have enabled Remote Desktop Connections on a server in your corporate
network and yet you are unable to access that server remotely. What possible
reasons for this failure could there be?
4. There is no need to configure Windows Firewall on Server Core because it is
disabled by default, and Group Policy settings can be used to configure the
firewall. True or false?

5. Automatic updates are enabled on Server Core by using the Netsh Updates
context. True or False?
Module 9
Planning and Implementing Monitoring and
Maintenance
Contents:
Lesson 1: Planning Monitoring Tasks 9-3
Lesson 2: Calculating a Server Baseline 9-9
Lesson 3: Tools for Monitoring Server Performance 9-17
Lesson 4: Planning Software Updates 9-29
Lab: Planning and Implementing Monitoring and Maintenance 9-40
Module Overview

Monitoring the performance of servers is important for all organizations.
Most businesses require cost-effective solutions that provide value for money. You
should monitor servers to ensure that they run efficiently and use available server
capacity.
Many administrators require performance-monitoring tools to identify components
that require additional tuning and troubleshooting. By identifying components that
require additional tuning, you can improve the efficiency of your servers.
Objectives
After completing this module, you will be able to:
Plan monitoring tasks.
Calculate a server performance baseline.
Select the appropriate monitoring and maintenance tool.
Plan software updates.
Lesson 1
Planning Monitoring Tasks

The Windows Server 2008 operating system can use many monitoring tools.
This lesson discusses the range of monitoring features that are available for
Windows Server 2008 and how you can plan to measure the efficiency of the
operating system and hardware components through monitoring.
Objectives
After completing this lesson, you will be able to:
Explain why it is important to monitor servers.
List various monitoring methods.
Plan for event monitoring.
Discussion: Why Monitor Servers?

Key Points
This is an open discussion. Consider why it is necessary to monitor servers, and
suggest these reasons to your instructor.
Monitoring Methods

Key Points
You should select the most appropriate tool to suit the type of monitoring that is
required.
There are several methods that you can use to collect performance data from
servers in your organization. You should use each of these methods to suit your
requirements.
Real-time monitoring of computers is useful when you want to determine the effect
of performing a specific action or troubleshoot specific events. This type of
monitoring can also help you to ensure that you are meeting service-level
agreements (SLAs).
Analyzing historical data can be useful for tracking trends over time, determining
when to relocate resources, and deciding when to invest in new hardware to meet
the changing requirements of your business. You should use historical
performance data to assist you when you plan future server requirements.
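Collecting real-time readings and keeping them for later comparison is what a baseline is. The following Windows PowerShell script is an added example, not part of this course; it samples a few Memory, Processor and PhysicalDisk counters through the .NET System.Diagnostics.PerformanceCounter class (so it does not depend on cmdlets newer than Windows PowerShell 1.0) and reports the minimum, average and maximum of each. The counter names, sample count and interval are assumptions chosen for the example.

```powershell
# Added example, not from the course: take repeated samples of a few counters
# and reduce them to min/avg/max, the raw material of a baseline. Uses the .NET
# PerformanceCounter class directly. Counter names are the English ones; the
# sample count and interval are constructed values.

function New-Counter($category, $counter, $instance) {
    # An empty instance name selects a counter that has no instances.
    New-Object System.Diagnostics.PerformanceCounter -ArgumentList $category, $counter, $instance
}

function Get-CounterBaseline($samples, $intervalSeconds) {
    $counters = @(
        (New-Counter "Memory"       "Available MBytes"       ""),
        (New-Counter "Memory"       "Pages/sec"              ""),
        (New-Counter "Processor"    "% Processor Time"       "_Total"),
        (New-Counter "PhysicalDisk" "Avg. Disk Queue Length" "_Total")
    )
    # Rate counters need two readings to yield a value; throw the first away.
    foreach ($c in $counters) { [void] $c.NextValue() }
    Start-Sleep -Seconds $intervalSeconds

    $values = @{}
    foreach ($c in $counters) { $values[$c.CounterName] = @() }
    for ($i = 0; $i -lt $samples; $i++) {
        foreach ($c in $counters) { $values[$c.CounterName] += $c.NextValue() }
        Start-Sleep -Seconds $intervalSeconds
    }

    foreach ($c in $counters) {
        $stats = $values[$c.CounterName] | Measure-Object -Minimum -Average -Maximum
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Counter ("\" + $c.CategoryName + "\" + $c.CounterName)
        $row | Add-Member NoteProperty Min ([math]::Round($stats.Minimum, 1))
        $row | Add-Member NoteProperty Avg ([math]::Round($stats.Average, 1))
        $row | Add-Member NoteProperty Max ([math]::Round($stats.Maximum, 1))
        $row
    }
}

# Twelve samples five seconds apart is a smoke test; a real baseline is collected
# over representative working days and stored together with its date.
Get-CounterBaseline 12 5 | Format-Table -AutoSize
```

The same four values taken a month later, against the stored table, are the historical comparison the text describes: a rising average for Pages/sec with a falling Available MBytes is the classic sign that the server is short of memory rather than short of CPU.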
A range of tools is available to assist you in the monitoring of your server
environment. These tools are described in the following table.

Tool: Windows Server 2008 Event Viewer
Description: Windows Server 2008 Event Viewer collects information that relates to
server operations. This data can help to identify performance issues on a server.
You should search for specific events in the event log file to locate and identify
problems.

Tool: Windows System Resource Manager (WSRM)
Description: Using WSRM, you can control how CPU resources are allocated to
applications, services, and processes. Managing these resources improves system
performance and reduces the chance that these applications, services, or
processes will interfere with the rest of the system. WSRM is a feature of Windows
Server 2008.

Tool: Network Monitor
Description: Network Monitor is a protocol analyzer. It enables you to capture,
view, and analyze network data. You can use it to help troubleshoot problems
with applications on the network. Network Monitor is provided with Windows
Server 2008.

Tool: Reliability and Performance Monitor
Description: You can use Microsoft Windows Reliability and Performance Monitor
to examine how programs you run affect your computer's performance, both in
real time and by collecting log data for later analysis. Windows Reliability and
Performance Monitor uses performance counters, event trace data, and
configuration information, which can be combined into data collector sets.
Reliability and Performance Monitor is built in to Windows Server 2008.

Tool: System Center Operations Manager (Operations Manager) 2007
Description: Operations Manager enables you to build a complete picture of the
past and current performance of your server infrastructure. Operations Manager
can also automatically respond to events and address problems before they
become an issue for you. Operations Manager requires time to configure and
requires additional licenses.
Planning for Event Monitoring

Key Points
You should consider the cost that monitoring events incurs. The cost that is
incurred to monitor systems is an investment in ensuring that your systems
continue to run effectively and efficiently. You can measure costs by using several
metrics, including:
Time allocated to personnel to perform monitoring tasks.
Money invested in monitoring systems.

An alternative view is to consider the cost of not monitoring your systems by
asking the following questions:
What is the monetary cost of reduced user productivity for your organization?
What is the cost of system outage that is caused by not monitoring systems?
What is the cost of a reactive approach to troubleshooting?
By using automated systems, you can monitor servers proactively and possibly
reduce the overall number of staff who are required to perform monitoring. By
using tools such as Operations Manager 2007, you can automatically monitor and
fix certain server issues.
By providing an IT infrastructure that automatically responds to events, you create
a server infrastructure that is flexible and dynamic. Windows Server 2008 enables
dynamic system responses through Task Manager and other tools such as SCOM
2007 and third-party offerings.
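An automated monitor starts from a targeted search of the event logs, which is also what the Event Viewer row in the table above recommends. The following Windows PowerShell script is an added example and not part of this course; it reads recent System log entries with Get-EventLog, keeps the ones whose IDs indicate unexpected shutdowns or service failures (well-known Windows event IDs chosen for the example), and counts them per ID so that a rising trend is visible. The lookback period and the number of entries read are assumptions.

```powershell
# Added example, not from the course: the targeted event search done from the
# command line. Reads the local System log; the event IDs are well-known
# Windows ones (a constructed selection). Get-EventLog -Newest keeps the script
# within what Windows PowerShell 1.0 supports.

$reliabilityEvents = @{
    6008 = "Previous shutdown was unexpected (EventLog)"
    7034 = "Service terminated unexpectedly (Service Control Manager)"
    7031 = "Service terminated unexpectedly, recovery action taken (Service Control Manager)"
    1074 = "Shutdown or restart requested by a user or process (User32)"
}

function Get-ReliabilityEvent($days, $newest) {
    $since = (Get-Date).AddDays(-$days)
    # -Newest bounds how much of the log is read; raise it on busy servers.
    foreach ($entry in (Get-EventLog -LogName System -Newest $newest)) {
        if ($entry.TimeGenerated -lt $since) { continue }
        if (-not $reliabilityEvents.ContainsKey($entry.EventID)) { continue }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Time    $entry.TimeGenerated
        $row | Add-Member NoteProperty EventID $entry.EventID
        $row | Add-Member NoteProperty Source  $entry.Source
        $row | Add-Member NoteProperty Meaning $reliabilityEvents[$entry.EventID]
        $row | Add-Member NoteProperty Message ($entry.Message -replace "\s+", " ")
        $row
    }
}

$found = @(Get-ReliabilityEvent 7 5000)
$found | Format-Table Time, EventID, Source, Meaning -AutoSize
# Count per event ID: a growing number of 7034 entries for one service is a trend worth chasing.
$found | Group-Object EventID | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

Scheduling this script and storing its counts alongside the performance baseline turns a manual search into the kind of proactive check the paragraph above describes; tools such as Operations Manager do the same with management packs instead of a hand-written ID list.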

Additional Reading
For more information about SCOM 2007, see the Microsoft System Center
Operations Manager Web site at
http://go.microsoft.com/fwlink/?LinkID=166112&clcid=0x409.
For more information about the Dynamic Systems Initiative, see Dynamic Systems
Initiative Overview White Paper on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=166115&clcid=0x409.

Lesson 2
Calculating a Server Baseline

This lesson discusses some of the key server components to measure. You will
learn how to use analysis and planning techniques from collected performance
metrics to improve your server infrastructure.
Objectives
After completing this lesson, you will be able to:
Determine which hardware components you should monitor.
Describe common performance metrics.
Analyze performance trends.
Plan for future capacity requirements.

Discussion: Which Hardware Components Should You Monitor?

Key Points
This is an open discussion.

Common Performance Metrics

Key Points
You should familiarize yourself with basic performance measurement objects and
counters to monitor the main hardware components.
The following table lists some common performance metrics to measure.

Object      Description
Cache       Monitors file system cache. The cache is an area of physical
            memory that is used to store recently used data to permit
            access to the data without having to read from the disk.
Memory      Physical, random access memory (RAM) counters.
            Virtual memory, RAM, and disk counters.
            Includes paging, which is the movement of pages of code and
            data between disk and physical memory.
Objects     Logical objects in the system, including threads and processes.
Paging      Reserved space on the disk that complements committed
            physical memory.
Physical    Hard or fixed drives as the computer sees them. (Hardware
            RAID may not be visible to these counters.)
Process     Monitors running applications and system processes. All of the
            threads in a process share the same address space and have
            access to the same data.
Processor   Measure aspects of processor activity. Each processor is
            represented as an instance of the object.
Server      Measure communication between the local computer and
            network.
System      Counters that apply to more than one instance of component
            processes on the computer.
Thread      Counters that measure aspects of thread behavior. A thread is
            the basic object that executes instructions on a processor. All
            running processes have at least one thread.

For more information about common performance metrics, see Performance Tuning
Guidelines for Windows Server 2008 on the Windows Hardware Developer Central
Web site at http://go.microsoft.com/fwlink/?LinkID=140009.

Analyzing Performance Trends

Key Points
You should give careful consideration to the value of performance data to ensure
that it reflects the real server environment.
You should consider performance analysis alongside business plans.
It may be possible to reduce the number of servers in operation after you have
measured performance.
By analyzing performance trends, you can predict when existing capacity is likely
to be exhausted. You should review historical analysis with consideration to your
business and use this to determine when additional capacity is required. Some
peaks are associated with one-time activities such as very large orders. Other peaks
occur on a regular basis, such as a monthly payroll, and these peaks may require
increased capacity to meet increasing numbers of employees.

Planning for future server capacity is a requirement for all organizations. Business
planning often requires additional server capacity to meet targets. By aligning your
IT strategy with the strategy of the business, you can support the business
objectives.
You should plan the server capacity to maximize the use of available space, power,
and cooling. You should consider virtualizing your environment to reduce the
number of physical servers that are required. You can consolidate servers through
implementing 64-bit computing and utilizing Hyper-V.

Planning for Future Capacity Requirements

Key Points
New server applications and services affect the performance of your IT
infrastructure. These services may receive dedicated hardware although they often
use the same local area network (LAN) and wide area network (WAN) network
infrastructure. Planning for future capacity should include all hardware
components and how new servers, services, and applications affect the existing
infrastructure. Factors such as power, cooling, and rack space are often overlooked
during initial exercises to plan capacity expansion. You should consider how your
servers can scale up and out to support an increased workload.
Tasks such as upgrading to Windows Server 2008 and updating operating systems
may affect your servers and network. An update can sometimes cause a problem
with an application; careful performance monitoring before and after updates are
applied can identify such problems.

An expanding business requires you to provide support for more users. You
should consider business requirements when you purchase hardware. This
consideration will ensure that you can meet future business requirements through
increasing the number of servers or by adding capacity to existing hardware.
Capacity requirements include:
More servers.
Additional hardware.
Reducing application loads.
Reducing users.

Lesson 3
Tools for Monitoring Server Performance

Windows Server 2008 provides a range of tools to monitor the operating system
and applications that you can use to tune your system for efficiency. You should
use these tools and complement them where necessary with your own tools.
Objectives
After completing this lesson, you will be able to:
List the Windows Server 2008 monitoring tools.
Describe the function of Performance Monitor.
Describe the function of Reliability Monitor.
Determine when to use third-party monitoring tools.
Use event subscriptions.
Identify business requirements.

Windows Server 2008 Monitoring Tools

Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your
systems.
The following table lists tools that you can use to monitor Windows Server 2008.

Tool                    Description
Windows Server 2008     Windows Server 2008 Event Viewer collects
Event Viewer            information that relates to server operations. This data
                        can help to identify performance issues on a server.
                        You should search for specific events in the event log
                        file to locate and identify problems.
                        Log files are available through the Event Viewer
                        console; this removes much of the requirement for log
                        file interrogation by using tools such as Notepad.
                        However, some installation files and third-party
                        applications continue to require the use of programs
                        such as XML Notepad to review log file entries.
Task Manager            Task Manager enables you to view processes in real
                        time to determine their exact resource usage at a
                        point in time.
Scripting               All performance counters are available
                        programmatically through Windows Management
                        Instrumentation (WMI). By making performance
                        counters available through WMI, you can monitor
                        servers by using scripts. Windows Server 2008 supports
                        a range of scripting technologies, including Perl;
                        Microsoft Visual Basic, Scripting Edition (VBScript);
                        and the Windows PowerShell command-line
                        interface. Microsoft recommends that you use the new
                        features that are available through Windows
                        PowerShell when you script in Windows Server 2008.
Reliability and         You can use Microsoft Windows Reliability and
Performance Monitor     Performance Monitor to examine how programs you
                        run affect your computer's performance, both in real
                        time and by collecting log data for later analysis.
                        Windows Reliability and Performance Monitor uses
                        performance counters, event trace data, and
                        configuration information, which can be combined
                        into data collector sets.

For more information about Microsoft System Center Operations Manager 2007, see
the white paper Introducing Microsoft System Center Operations Manager 2007 on
the Microsoft Download Center Web site at
http://go.microsoft.com/fwlink/?LinkID=166116&clcid=0x409.

Performance Monitor

Key Points
Performance Monitor provides a visual display of Windows performance objects
and counters, either in real time or as a review of historical data. Performance
Monitor features multiple graph views that you can use to review performance log
data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.
New features of the Windows Reliability and Performance Monitor to Windows
Server 2008 include the following:
Data collector sets. Data collector sets group data collectors into reusable
elements for use with different performance monitoring scenarios.
Wizards and templates for creating logs. Adding counters to log files and
scheduling their start, stop, and duration can now be performed through a
wizard interface. In addition, saving this configuration as a template allows
system administrators to collect the same log on subsequent computers
without repeating the data collector selection and scheduling processes.
Performance Logs and Alerts features have been incorporated into the
Windows Reliability and Performance Monitor for use with any Data Collector
Set.
Resource View. The home page of Windows Reliability and Performance
Monitor is the new Resource View screen, which provides a real-time graphical
overview of CPU, disk, network, and memory usage.
Reliability Monitor. Reliability Monitor calculates a System Stability Index
that reflects whether unexpected problems reduced the reliability of the
system. A graph of the Stability Index over time quickly identifies dates when
problems began to occur.
Unified property configuration for all data collection, including
scheduling. Whether creating a Data Collector Set for one time use or to log
activity on an ongoing basis, the interface for creation, scheduling, and
modification is the same. If a Data Collector Set proves to be useful for future
performance monitoring, it does not need to be re-created. It can be
reconfigured or copied as a template.
User-friendly diagnosis reports. Report generation time is improved and
reports can be created from data collected by using any Data Collector Set.
This allows system administrators to repeat reports and assess how changes
have affected performance or the report's recommendations.

Performance counters are values that are generated by the operating system
or applications to indicate performance measurements. You can use these
measurements for analysis and troubleshooting. You add performance counters to
Performance Monitor by selecting individual counters or by creating custom data
collector sets.

You can view real-time values for performance counters in Performance Monitor by
using one of the following three views:
Line Chart. In the Line Chart view, you can view the value of each monitored
counter in a line chart that shows counter values against time. You can also
view the last, average, minimum, or maximum value for a counter by selecting
it in the user interface.
Histogram. In the Histogram view, you can view the current value for each
counter as a bar in a histogram (bar chart). You can also view the last, average,
minimum, or maximum value for a counter by selecting it in the user interface.
Report. In the Report view, you can view the current value for each counter as
a number in a text-based report.

Note: It is best practice to perform the monitoring activity from a remote computer; that
is, use Performance Monitor and related tools, such as data collector sets, to collect
statistics from a remote computer rather than from the local computer. Running the
monitoring tools imposes a load on the monitoring system, which would distort the data
collected if the monitoring and monitored systems were one and the same. You can
collect data for any performance-related object from the remote computer. For example,
if the remote computer is running Microsoft Exchange Server or Microsoft SQL Server,
you can access these objects from the monitoring workstation.
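The Scripting row of the tools table says that every performance counter is reachable through WMI, and the note above says to measure from a separate computer; the following PowerShell script, added here and not part of the course material, does both by sampling the objects from the Common Performance Metrics table on a remote server and comparing the averages with thresholds. The computer name, sample counts and threshold values are placeholders to be replaced with your own measured baseline; the caller is assumed to be an administrator on the target with WMI allowed through its firewall.

```powershell
# Added example, not part of the course: sample the objects from the Common
# Performance Metrics table over WMI from a separate monitoring workstation and
# compare the averages with illustrative thresholds.
# Assumptions: the caller is an administrator on the target, WMI (DCOM) is allowed
# through the target's firewall, and the threshold values are placeholders to be
# replaced with your own measured baseline.
param(
    [string]$ComputerName = "NYC-SVR1",   # placeholder name of the monitored server
    [int]$Samples = 6,                    # how many samples to average
    [int]$IntervalSeconds = 10            # seconds between samples
)

# Performance Monitor objects are exposed through WMI as Win32_PerfFormattedData_*
# classes; the comment on each line names the object from the course table.
function Get-PerfSample {
    param([string]$Computer)
    $cpu  = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfOS_Processor -Filter "Name='_Total'"
    $mem  = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfOS_Memory
    $sys  = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfOS_System
    $disk = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfDisk_PhysicalDisk -Filter "Name='_Total'"
    $page = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfOS_PagingFile -Filter "Name='_Total'"
    $srv  = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfNet_Server

    New-Object PSObject -Property @{
        Time              = Get-Date
        ProcessorPct      = [int]$cpu.PercentProcessorTime     # Processor
        ProcessorQueue    = [int]$sys.ProcessorQueueLength     # System
        AvailableMB       = [int]$mem.AvailableMBytes          # Memory
        PagesPerSec       = [int]$mem.PagesPerSec              # Memory (paging)
        PagingFilePct     = [int]$page.PercentUsage            # Paging
        DiskQueue         = [double]$disk.AvgDiskQueueLength   # Physical (disk)
        DiskPct           = [int]$disk.PercentDiskTime         # Physical (disk)
        ServerBytesPerSec = [long]$srv.BytesTotalPerSec        # Server
    }
}

# Take several samples and average each counter; a single sample says little
# about a server whose load peaks and falls.
function Get-PerfBaseline {
    param([string]$Computer, [int]$Count, [int]$Interval)
    $samples = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $samples += Get-PerfSample -Computer $Computer
        if ($i -lt $Count - 1) { Start-Sleep -Seconds $Interval }
    }
    $avg = @{ Computer = $Computer; Samples = $Count }
    foreach ($name in "ProcessorPct", "ProcessorQueue", "AvailableMB", "PagesPerSec",
                      "PagingFilePct", "DiskQueue", "DiskPct", "ServerBytesPerSec") {
        $avg[$name] = ($samples | Measure-Object -Property $name -Average).Average
    }
    New-Object PSObject -Property $avg
}

# Illustrative thresholds (assumptions, not values from the course): sustained
# processor use above 85 %, more than two waiting threads per logical processor,
# less than 5 % of RAM available, a paging file over 70 % full while paging hard,
# and an average disk queue above two outstanding requests.
function Test-PerfBaseline {
    param($Avg, [int]$LogicalCpus, [int]$TotalMB)
    $findings = @()
    if ($Avg.ProcessorPct -gt 85) {
        $findings += "Processor: $([int]$Avg.ProcessorPct)% busy on average" }
    if ($Avg.ProcessorQueue -gt (2 * $LogicalCpus)) {
        $findings += "System: processor queue length $($Avg.ProcessorQueue) with $LogicalCpus logical processors" }
    if ($Avg.AvailableMB -lt ($TotalMB * 0.05)) {
        $findings += "Memory: $([int]$Avg.AvailableMB) MB of $TotalMB MB available" }
    if ($Avg.PagingFilePct -gt 70 -and $Avg.PagesPerSec -gt 1000) {
        $findings += "Paging: file $([int]$Avg.PagingFilePct)% used, $([int]$Avg.PagesPerSec) pages/sec" }
    if ($Avg.DiskQueue -gt 2) {
        $findings += "Physical disk: average queue length $([math]::Round($Avg.DiskQueue, 2)), $([int]$Avg.DiskPct)% disk time" }
    if ($findings.Count -eq 0) {
        $findings += "No counter exceeded its threshold; record these averages as the baseline" }
    $findings
}

# Hardware facts used to scale the thresholds come from the same remote computer.
$cs      = Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem
$totalMB = [int]($cs.TotalPhysicalMemory / 1MB)
$avg     = Get-PerfBaseline -Computer $ComputerName -Count $Samples -Interval $IntervalSeconds
$avg | Format-List
Test-PerfBaseline -Avg $avg -LogicalCpus $cs.NumberOfLogicalProcessors -TotalMB $totalMB
```

Run it several times across a normal working day and keep the averages; the findings list is only meaningful once the thresholds have been adjusted to what that server normally does.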

Reliability Monitor

Key Points
Reliability Monitor can be accessed through the Reliability and Performance
Monitor.
Reliability Monitor provides a system stability overview and trend analysis with
detailed information about individual events that may affect the overall stability of
the system.
Windows Server 2008 uses the Reliability Analysis Component (RAC) to calculate
a reliability index that provides an indication of your overall system stability over
time. RAC also keeps track of any important changes to the system that are likely
to affect stability, such as Windows updates, application installations, and driver
installations. RAC begins collecting data at the time of system installation.
By using the Reliability Monitor, you can see the trends in your system reliability
index correlated with any potentially destabilizing events so that you can easily
trace a reliability change directly to a particular event.

Third-Party Monitoring Tools

Key Points
Third-party tools can help you monitor your server environment.
Hardware vendor tools are useful in detecting performance issues that occur
because of faulty hardware.
Many third-party tools integrate with Operations Manager to provide a centralized
monitoring console for your organization.
Windows Server 2008 provides a range of monitoring tools to meet the
requirements of your operating system. System administrators often require
additional tools to simplify the process of monitoring many computers and
providing a complete picture of their server health. Some programs also require
specific tools to monitor their performance.

Hardware vendors often provide tools to detect problems within hardware. You
should use these tools in conjunction with performance-monitoring tools to locate
and resolve hardware issues.
Operations Manager can monitor third-party products such as Dell OpenManage
and HP Systems Insight Manager. Operations Manager can also integrate with
other monitoring tools such as HP OpenView, IBM Tivoli, and CA Unicenter.

What Are Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers. Event Viewer provides the ability to collect
copies of events from multiple remote computers, and store them locally. To
specify which events to collect, you create an event subscription. After a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
Using the event-collecting feature requires that you configure both the forwarding
and the collecting computers. The functionality depends on the Windows Remote
Management (WinRM) and the Windows Event Collector services (Wecsvc). Both
of these services must be running on computers participating in the forwarding
and collecting process.
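As an added example that is not part of the course, the following PowerShell script configures the collector-initiated subscription described above: on a forwarding computer it prepares WinRM, and on the collector it starts the Windows Event Collector service and creates a subscription that pulls Critical and Error events from the System and Application logs of the named sources. The computer names, the domain name and the subscription name are placeholders.

```powershell
# Added example, not part of the course: set up the collector-initiated event
# subscription described in the topic. The same script is run on every
# participating computer and does the source-side or collector-side work
# depending on where it runs. Computer and domain names are placeholders.
$Collector = "NYC-MON1"                  # placeholder: the collecting computer
$Domain    = "CORP"                      # placeholder: NetBIOS domain name
$Sources   = @("NYC-SVR1", "NYC-SVR2")   # placeholder: forwarding computers

# Forwarding computer: WinRM must listen, and the collector's computer account
# must be allowed to read the logs the collector will pull.
function Enable-EventForwardingSource {
    param([string]$CollectorAccount)     # e.g. CORP\NYC-MON1$
    winrm quickconfig -q                 # start WinRM, add the listener and firewall rule
    net localgroup "Event Log Readers" $CollectorAccount /add
}

# Collecting computer: start Wecsvc, then create the subscription from an XML file.
function New-EventCollectorSubscription {
    param([string]$Name, [string[]]$SourceComputers, [string]$XmlPath)
    wecutil qc /q                        # configure and start the Windows Event Collector service

    $sourceXml = ($SourceComputers | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"

    # Level 1 = Critical, Level 2 = Error; forwarded copies land in ForwardedEvents.
    $subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Error events from branch servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
    Set-Content -Path $XmlPath -Value $subscription -Encoding UTF8
    wecutil cs $XmlPath                  # create the subscription
    wecutil gr $Name                     # runtime status per source: Active, or the last error
}

if ($env:COMPUTERNAME -eq $Collector) {
    New-EventCollectorSubscription -Name "BranchCriticalErrors" -SourceComputers $Sources `
        -XmlPath "$env:TEMP\BranchCriticalErrors.xml"
} else {
    Enable-EventForwardingSource -CollectorAccount "$Domain\$Collector`$"
}
```

Run the script on each source first and on the collector last; if wecutil gr reports a source as inactive, the usual causes are WinRM not listening on the source or the collector's computer account missing from Event Log Readers there.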

Identifying Business Requirements

Key Points
Performance tuning is an ongoing exercise where you never achieve perfection.
You should ensure that your server operations run effectively and meet all of your
business SLAs.
You should always attempt to find the most cost-effective solution to a
performance bottleneck.
When you discover a performance issue, you can respond to the event in many
ways. Sometimes, you may want to record the data for future analysis or start a
performance-monitoring tool to collect additional data. Alternatively, you may
decide to do nothing.
By taking measured and appropriate actions to an event, you can ensure that you
continue to meet SLAs and provide appropriate service for your users.

When you must increase server performance, you have several options, including:
Offloading some of the processing onto other servers.
Reconfiguring parameters to improve performance.
Adding more hardware or increasing the speed of existing hardware.
Redesigning the architecture to realize performance improvements.
Recoding the software that is experiencing the bottleneck.

Each of these options provides a solution to increase server performance. However,
you should consider the most cost-effective option for your business.
By comparing the cost of performance degradation to the cost to implement the
performance increase, you can provide a rudimentary value to the business of
implementing a solution.

Lesson 4
Planning Software Updates

In this lesson, you will learn about the various options for software updates and
some of the best practices that you need to follow when performing software
updates.
Objectives
After completing this lesson, you will be able to:
Describe Microsoft Update.
Describe Automatic Updates.
Describe Windows Server Update Services (WSUS).
Determine the best way to deploy WSUS in your organization.
Use best practice with WSUS.

What Is Microsoft Update?

Key Points

Definition
Microsoft Update is a Web site that helps keep your systems up to date.
Use Microsoft Update to obtain updates for Windows operating systems and
applications, updated device drivers, and software. New content is added to the
site regularly, so you can always get the most recent updates to help protect your
server and the client computers on your network.

What Are Updates?
Updates can include security fixes, critical updates, and critical drivers.
These updates resolve known security and stability issues in Windows 2000,
Windows XP, and Windows Server 2003 operating systems. The Microsoft Update
site also has updates for applications such as Microsoft Office, Exchange Server,
and SQL Server.

Update Categories
The categories for the Windows operating system updates are:
Critical updates. Security fixes and other important updates to keep computers
current and networks secure.
Recommended downloads. Latest Windows and Microsoft Internet Explorer
service packs and other important updates.
Windows tools. Utilities and other tools that are provided to enhance
performance, facilitate upgrades, and ease the burden on systems
administrators.
Internet and multimedia updates. Latest Internet Explorer releases, upgrades
to Microsoft Windows Media Player, and more.
Additional Windows downloads. Updates for desktop settings and other
Windows features.
Multilanguage features. Menus and dialog boxes, language support, and Input
Method Editors for a variety of languages.
Deployment guides and other software-related documents are also available.

What Is Automatic Updates?

Key Points
Automatic Updates is a configurable option in Windows. It can download and
install operating system updates without any user intervention. The updates can be
downloaded from the Microsoft Update Web site or a WSUS server. Configuration
of Automatic Updates can be controlled centrally by the administrator.

Automatic Update Options
Automatic Updates gives you flexibility to decide how and when updates will be
installed. The options are:
Automatic. Updates are downloaded automatically and installed at a
scheduled time. This option installs updates for all users. If the computer is
turned off at the scheduled update time, Windows will install the updates the
next time you start your computer. This is the recommended option.
Download updates for me, but let me choose when to install them. Updates
are downloaded automatically, but they are not installed until an administrator
chooses to install them.
Notify me but do not automatically download or install them. Updates are
not downloaded or installed automatically. The notifications are only shown to
administrators logged on to the local machine.
Turn off Automatic Updates. There will be no notifications when updates are
available for your computer. This option is not recommended.

Notification of Available Updates
After a download is complete, an icon appears in the notification area with a
message that the updates are ready to be installed. When you click the icon or
message, Automatic Updates guides you through the installation process. If you
choose not to install a specific update that has been downloaded, Windows deletes
its files from your computer. If you later change your mind, you can download it
by opening the System Properties dialog box, clicking the Automatic Updates tab,
and then clicking Offer Updates Again That I Have Previously Hidden.

Note: If required, the version of Automatic Updates is upgraded the first time a WSUS
server is contacted.

Digital Signatures
To ensure that the programs you download from Microsoft Update are from
Microsoft, all files are digitally signed. The purpose of digital signatures is to ensure
the authenticity and integrity of the signed files. Automatic Updates installs a file
only if it contains this digital signature.

What Is WSUS?

Key Points
WSUS is an optional component for Windows 2000 Server or Windows Server
2003 that can be downloaded from the Microsoft Web site. It acts as a central
point on your network for distributing updates to workstations and servers.

Supported Clients
WSUS Service Pack 1 (SP1) supports the following clients:
Windows Vista or later
Windows Server 2008 or later
Windows Server 2003, any edition
Windows XP Professional SP2 or later
Windows 2000 Professional SP4, Windows 2000 Server SP4, or
Windows 2000 Advanced Server with SP4

Supported Software
WSUS 3.0 SP1 will update all of the products listed in the following table.

Applications updated by WSUS
Microsoft Office XP and newer
Microsoft ISA Server 2004 and newer
Windows Small Business Server 2003
Microsoft Data Protection Manager
Microsoft Exchange Server 2000 and newer
Microsoft SQL Server 2000 and newer
Windows Defender
Microsoft Forefront
Windows Live

Server Component
You install the server component of WSUS on a server running Windows Server
2003 or Windows Server 2008 inside your corporate firewall. The firewall must be
configured to allow your internal server to synchronize content with the Microsoft
Update Web site whenever critical updates for Windows are available. The
synchronization can be automatic, or the administrator can perform it manually.
Synchronized updates must be approved before they can be installed by client
computers. This allows testing of updates with corporate applications before
distribution. This is a key benefit of WSUS over Microsoft Update.

Client Component
Automatic Updates is the client software that downloads and installs updates from
a WSUS server. The client must be configured with the location of a WSUS server.
The location can be configured through registry edits or through Group Policy.
Using Group Policy is strongly recommended.
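The registry route mentioned above, written out as an added PowerShell example that is not part of the course: it points the Automatic Updates client at a WSUS server, selects one of the Automatic Update options from the previous topic, and optionally places the computer in a WSUS computer group through client-side targeting. The WSUS URL and group name are placeholders; the values written are the documented WindowsUpdate policy registry values, which are the same ones the Windows Update Group Policy settings write.

```powershell
# Added example, not part of the course: point an Automatic Updates client at a
# WSUS server and select one of the Automatic Update options by writing the
# WindowsUpdate policy registry values (the same values the Windows Update Group
# Policy settings write). The WSUS URL and group name are placeholders; run as an
# administrator on the client being configured.
$WuKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$AuKey = "$WuKey\AU"

# Option names as the course lists them, mapped to the AUOptions registry value.
$AuOptions = @{
    "Notify me but do not automatically download or install them"    = 2
    "Download updates for me, but let me choose when to install them" = 3
    "Automatic"                                                       = 4
}

function Set-RegValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-WsusClient {
    param(
        [string]$WsusUrl,                     # placeholder, e.g. http://wsus01.corp.example:8530
        [string]$Option = "Automatic",
        [string]$TargetGroup = "",            # WSUS computer group for client-side targeting
        [int]$InstallHour = 3                 # 0-23, used only by the Automatic option
    )
    if ($Option -eq "Turn off Automatic Updates") {
        Set-RegValue $AuKey "NoAutoUpdate" 1 DWord      # no notifications, no downloads
        return
    }
    if (-not $AuOptions.ContainsKey($Option)) { throw "Unknown Automatic Updates option: $Option" }

    # Update server and statistics (reporting) server, normally the same WSUS server.
    Set-RegValue $WuKey "WUServer"       $WsusUrl String
    Set-RegValue $WuKey "WUStatusServer" $WsusUrl String
    Set-RegValue $AuKey "UseWUServer"    1 DWord          # 0 would send the client to Microsoft Update
    Set-RegValue $AuKey "NoAutoUpdate"   0 DWord
    Set-RegValue $AuKey "AUOptions"      $AuOptions[$Option] DWord
    if ($Option -eq "Automatic") {
        Set-RegValue $AuKey "ScheduledInstallDay"  0 DWord            # 0 = every day
        Set-RegValue $AuKey "ScheduledInstallTime" $InstallHour DWord
    }
    # Client-side targeting places the computer in a WSUS computer group (for example
    # a test group); the WSUS server itself must also be set to client-side targeting.
    if ($TargetGroup) {
        Set-RegValue $WuKey "TargetGroupEnabled" 1 DWord
        Set-RegValue $WuKey "TargetGroup" $TargetGroup String
    }
    wuauclt /detectnow                    # contact the WSUS server now instead of at the next cycle
}

# Read the settings back so the change can be verified (or audited on other hosts).
function Get-WsusClient {
    if (-not (Test-Path $AuKey)) { return $null }
    $wu = Get-ItemProperty -Path $WuKey
    $au = Get-ItemProperty -Path $AuKey
    New-Object PSObject -Property @{
        WUServer     = $wu.WUServer
        UseWUServer  = $au.UseWUServer
        AUOptions    = $au.AUOptions
        NoAutoUpdate = $au.NoAutoUpdate
        TargetGroup  = $wu.TargetGroup
        InstallHour  = $au.ScheduledInstallTime
    }
}

# A pilot computer in the "Test" group that installs automatically at 03:00.
Set-WsusClient -WsusUrl "http://wsus01.corp.example:8530" -Option "Automatic" -TargetGroup "Test"
Get-WsusClient | Format-List
```

For production clients the same settings belong in Group Policy under Computer Configuration\Administrative Templates\Windows Components\Windows Update, as the text recommends; the script is for test machines outside the scope of that policy.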

Note: WSUS is not intended to serve as a replacement for enterprise software
distribution solutions, such as Microsoft Systems Management Server or Microsoft Group
Policy-based software distribution. Many customers use solutions such as Microsoft
Systems Management Server for complete software management, including responding
to security and virus issues, and these customers should continue using these solutions.
Advanced solutions such as Microsoft Systems Management Server provide the ability to
deploy all software throughout an enterprise, in addition to providing administrative
controls that are critical for medium-size and large organizations.

WSUS Deployment Scenarios

Key Points
To allow for varied situations, you can deploy a WSUS server in several scenarios.
You can choose the deployment scenario that is most appropriate for your
organization. The decision factors may include the number of locations in your
network or the speed of your Internet connection.

Single-Site Network
In a single-site network, a single WSUS server can be sufficient to support as many
as 5,000 clients. This is suitable for most single-site networks.

Independent WSUS Servers
In a multiple-site network, you can configure multiple independent WSUS servers
at each location. This requires that each site use its own Internet connection to
download the updates. Having each site download its own updates reduces the
load on WAN links as compared to using a centralized server to download
updates.

Independent WSUS servers are also managed independently. This scenario is best
suited to organizations with distributed IT support.

Replica WSUS Servers
Another option for multiple-site networks is to use replica WSUS servers. Replica
WSUS servers download their updates and configuration information from a
central WSUS server. This allows the approval of updates to be centralized for
multiple servers.
In this scenario, only one server is exposed to the Internet and it is the only server
that downloads updates from Microsoft Update. This server is set up as the
upstream server, the source from which the replica server synchronizes.

Disconnected WSUS Servers
For organizations that do not allow servers to communicate directly with the
Internet, you can deploy disconnected WSUS servers. In this scenario, you can set
up a server running WSUS that is connected to the Internet but isolated from the
rest of the network. After downloading, testing, and approving the updates on the
isolated server, an administrator would then export the update metadata and
content to external storage, and then, from the external storage, import the update
metadata and content to servers running WSUS within the intranet.

Best Practice for Using WSUS

Key Points
Due to the complex interdependencies between operating system components and
corporate applications, it is strongly recommended that all updates be tested
before deploying them to WSUS clients. This is particularly important for custom
designed or in-house applications that may not be as well written as commercially
available applications.

Guidelines
Use the following guidelines to install updates on the client computers on your
network.
Use computer groups for testing.
Computer groups let you control which computers are approved to install updates.
Using computer groups to install updates on test computers avoids the hassle of
downloading updates for testing through a separate process.
Configure an initial test group.
Create a test group of nonproduction computers for testing updates. These
computers should match your production environment as closely as possible. This
initial testing can be performed by the IT group or designated business users. In
this testing, you can identify obvious problems with installation or functionality. At
this stage, a problem update will have no impact on production.
Configure a business testing group.
Recruit power users from different business groups to act as test groups before
distributing updates to all users. Power users will be able to provide detailed
functional testing of applications. This will catch application-specific errors. At this
stage, a problem update will affect a limited group of users in production.
Deploy updates one department at a time.
Deploying updates to one department at a time will reduce the scope of a problem
if an update causes a problem. Testing can also be done on a per-department basis
because they typically have unique applications.
Remove problem updates.
If an update causes problems, mark it for removal. This will uninstall the update.
Be aware that some updates cannot be uninstalled.

Lab: Planning and Implementing Monitoring and Maintenance

Scenario
Some of the users at A. Datum Corporation are reporting issues with certain
servers in the New York offices that have been identified as running slowly. The IT
manager, Allison Brown, has forwarded to you some performance log files from the
problematic server. You must evaluate data that is collected from performance logs
and identify where potential problems may exist.

Exercise 1: Evaluating Performance Metrics
Scenario
In this exercise, you will review data collector sets to locate problems and provide
troubleshooting advice to technical specialists.

The main tasks for this exercise are as follows:
1. Start the virtual machines, and log on.
2. Identify performance problems with Windows Server 2008 - Part A.
3. Identify performance problems with Windows Server 2008 - Part B.
4. Identify performance problems with Windows Server 2008 - Part C.

Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 - Part A
You know that the server 6430A-NYC-SVR1 experiences low network traffic and
has limited disk activity, but the help desk is receiving many reports that the server
is slow.
Switch to the SEA-SVR1 computer and review the data collector log at
D:\Labfiles\Mod09\Ex1A\EX1A.blg on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?

Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.
Task 3: Identify performance problems with Windows Server 2008 - Part B
You know that the server 6430A-NYC-SVR1 is not running processor-intensive
applications, but the help desk is receiving many reports that the server is slow.
On the SEA-SVR1 computer, review the data collector log
D:\Labfiles\Mod09\Ex1B\EX1B.blg, which was captured on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?

Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.

Task 4: Identify performance problems with Windows Server 2008 - Part C
You know that the server 6430A-NYC-SVR1 experiences low network traffic and is
not running processor-intensive applications, but the help desk is receiving many
reports that the server is slow.
On the SEA-SVR1 computer, review the data collector log
D:\Labfiles\Mod09\Ex1C\EX1C.blg, which was captured on the server 6430A-NYC-SVR1.

Question: What appears to be the problem on this server?

Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.

Results: After this exercise, you should have identified performance issues with servers
and suggested steps to resolve the problems.
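The three parts of this exercise all come down to the same job: reading a binary Performance Monitor log and deciding which counters are out of range. The following PowerShell script is an added example and is not part of the course lab files. It converts one of the lab logs to CSV with relog.exe, summarizes every counter, and flags those outside common warning thresholds. The threshold values are general Performance Monitor guidance assumed for illustration, not answers from the lab; read the flagged counters together before concluding which resource is the bottleneck.

```powershell
# Added example, not part of the course lab: summarize a .blg log and flag counters
# outside assumed warning thresholds. Change $blg for the Ex1B and Ex1C logs.
$blg = 'D:\Labfiles\Mod09\Ex1A\EX1A.blg'
$csv = [System.IO.Path]::ChangeExtension($blg, 'csv')

# relog.exe ships with Windows; -f CSV rewrites the binary log as text, -y answers
# the overwrite prompt without asking.
& relog.exe $blg -f CSV -o $csv -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "relog failed with exit code $LASTEXITCODE" }

# Assumed warning thresholds (general guidance, not lab values): Stat is the
# statistic that is compared, Op the comparison, Limit the boundary.
$thresholds = @{
    '\Processor(_Total)\% Processor Time'             = @{ Stat = 'Average'; Op = 'gt'; Limit = 85 }
    '\System\Processor Queue Length'                  = @{ Stat = 'Average'; Op = 'gt'; Limit = 2 }
    '\Memory\Available MBytes'                        = @{ Stat = 'Average'; Op = 'lt'; Limit = 100 }
    '\Memory\Pages/sec'                               = @{ Stat = 'Average'; Op = 'gt'; Limit = 1000 }
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read'        = @{ Stat = 'Average'; Op = 'gt'; Limit = 0.025 }
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write'       = @{ Stat = 'Average'; Op = 'gt'; Limit = 0.025 }
    '\PhysicalDisk(_Total)\Current Disk Queue Length' = @{ Stat = 'Average'; Op = 'gt'; Limit = 2 }
}

$rows = Import-Csv -Path $csv
# relog names the first column "(PDH-CSV 4.0) (...)"; every other column is a counter
# path prefixed with the machine name, for example "\\NYC-SVR1\Memory\Pages/sec".
$counterColumns = $rows[0].PSObject.Properties |
    Where-Object { $_.Name -notlike '(PDH-CSV*' } |
    ForEach-Object { $_.Name }

$report = foreach ($column in $counterColumns) {
    # Empty cells appear when a counter had no sample in that interval; skip them.
    $values = @($rows | ForEach-Object { $_.$column } |
                Where-Object { $_ -match '^\s*-?[0-9.]+\s*$' } |
                ForEach-Object { [double]$_ })
    if ($values.Count -eq 0) { continue }
    $stats = $values | Measure-Object -Average -Maximum
    $path  = $column -replace '^\\\\[^\\]+', ''   # drop the leading \\MACHINE
    $flag  = ''
    if ($thresholds.ContainsKey($path)) {
        $t        = $thresholds[$path]
        $observed = $stats.$($t.Stat)
        $breached = if ($t.Op -eq 'gt') { $observed -gt $t.Limit } else { $observed -lt $t.Limit }
        if ($breached) { $flag = '{0} {1} {2}' -f $t.Stat, $t.Op, $t.Limit }
    }
    New-Object PSObject -Property @{
        Counter = $path
        Samples = $values.Count
        Average = [math]::Round($stats.Average, 3)
        Maximum = [math]::Round($stats.Maximum, 3)
        Breach  = $flag
    }
}

# Breached counters sort to the top; they are the starting point for the report.
$report | Sort-Object Breach -Descending |
    Format-Table Counter, Samples, Average, Maximum, Breach -AutoSize
```

The thresholds are deliberately kept in one table so that the same script can be rerun against the Part B and Part C logs with different expectations; a counter that is flagged in one log but not another is usually the difference between the three scenarios.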
Exercise 2: Monitoring Performance Metrics
Scenario
In this exercise, you will plan the performance metrics that are required to measure
the scalability of a server.
The main task for this exercise is to create a data collector set to measure server
requirements.

Task 1: Create a data collector set to measure server requirements
On the SEA-SVR1 computer, create a data collector set to measure the
performance requirements of a file server. This forms the base performance
metrics for measuring the capacity of this server.

Question: Which specific counters do you anticipate will require careful analysis?

Results: After this exercise, you should have identified steps to create a data collector
set for measuring file server performance.
Exercise 3: Configuring Data Collector Sets
Scenario
In this exercise, you will configure data collector sets to generate an alert.
The main task for this exercise is to generate an alert by using a data collector set.

Task 1: Generate an alert by using a data collector set
On the SEA-SVR1 computer, create a user-defined data collector set and
configure an alert to trigger when the CPU reaches a critical state.

Results: After this exercise, you should have created a performance alert by using
a user-defined data collector set in Reliability and Performance Monitor.
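Both the baseline collector set from Exercise 2 and the CPU alert from Exercise 3 can be created from the command line with logman.exe, which manages the same data collector sets that Reliability and Performance Monitor shows. The following PowerShell script is an added example, not part of the course lab; the set names, output folder, 15-second interval, counter list and 90 percent threshold are assumptions. Run it in an elevated session on the server being measured.

```powershell
# Added example, not part of the course lab: a file-server baseline collector set
# and a CPU alert created with logman.exe. Names, paths and thresholds are assumed.
$setName   = 'FileServerBaseline'
$alertName = 'CpuCritical'
$logDir    = 'C:\PerfLogs\FileServerBaseline'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

function Invoke-Logman {
    # logman reports failure through its exit code; surface it instead of moving on.
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    & logman.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ('logman {0} failed with exit code {1}' -f ($Arguments -join ' '), $LASTEXITCODE)
    }
}

# Counters that characterize a file server: processor, memory, the disk subsystem,
# network throughput and the SMB server work queues. One path per line for -cf.
$counterFile = Join-Path $logDir 'counters.txt'
@(
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
    '\Memory\Available MBytes'
    '\Memory\Pages/sec'
    '\PhysicalDisk(*)\Avg. Disk sec/Read'
    '\PhysicalDisk(*)\Avg. Disk sec/Write'
    '\PhysicalDisk(*)\Current Disk Queue Length'
    '\Network Interface(*)\Bytes Total/sec'
    '\Server\Work Item Shortages'
    '\Server Work Queues(*)\Queue Length'
) | Set-Content -Path $counterFile -Encoding ASCII

# Exercise 2: counter collector, 15-second samples to a binary log, a new versioned
# file every 24 hours or when the file reaches 500 MB.
Invoke-Logman @('create', 'counter', $setName, '-cf', $counterFile, '-si', '00:00:15',
                '-f', 'bin', '-o', (Join-Path $logDir $setName),
                '-v', 'mmddhhmm', '-cnf', '24:00:00', '-max', '500')

# Exercise 3: alert collector; when total CPU exceeds 90 percent, start the baseline
# set so the detailed counters are captured while the condition is in progress.
Invoke-Logman @('create', 'alert', $alertName, '-th', '\Processor(_Total)\% Processor Time>90',
                '-si', '00:00:15', '-rdcs', $setName)

Invoke-Logman @('start', $alertName)
Invoke-Logman @('query', $setName)
Invoke-Logman @('query', $alertName)
```

Starting the baseline set from the alert (-rdcs) rather than running it permanently keeps the log small on a healthy server while still capturing the disk, memory and work-queue counters at the moment the CPU condition fires.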
Exercise 4: Evaluating Trends
Scenario
In this exercise, you will compare your answers to the previous exercises with the
rest of the class, share your answers with other students, and learn alternative
methods to identify performance issues.
The main task for this exercise is to discuss your solutions with the class.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. What are the benefits of monitoring server performance?

2. What are some of the tasks that you should undertake when you create a
performance baseline for a server?

3. What are the advantages of using a range of monitoring tools?

4. What are the advantages of measuring specific performance counters?

5. What are the advantages of using alerts to identify performance issues?


Module 10
Planning High Availability and Disaster Recovery
Contents:
Lesson 1: Choosing a High-Availability Solution 10-3
Lesson 2: Planning a Backup and Restore Strategy 10-23
Lab: Planning High Availability and Disaster Recovery 10-34
Module Overview

In most organizations these days, there is an increased reliance on the IT
infrastructure. Therefore, it is important that you understand how to plan for the
various high-availability and data recovery solutions provided by Windows Server
2008.
Objectives
After completing this module, you will be able to:
Select a high-availability solution.
Select an appropriate backup and restore strategy.
Lesson 1
Choosing a High-Availability Solution

You can use disk fault-tolerance, Windows Server 2008 Network Load Balancing,
and failover clustering to facilitate greater data availability and workload scalability.
Disk fault-tolerance ensures that your server continues to operate despite the
failure of one, or perhaps more than one, of the attached disks.
Network Load Balancing (NLB) is also used to support scalability and availability,
and is designed to work with applications in which maintaining state between
client requests is not critical.
Failover clustering can support both scalability and availability, and is designed to
work with applications that maintain state between client requests.
Objectives
After completing this lesson, you will be able to:
Identify the types of disasters from which you can recover your IT
infrastructure.
Describe RAID.
Describe Network Load Balancing.
Describe failover clustering.
List the hardware requirements of implementing a failover cluster.
Determine when to use failover clustering.
Select an appropriate high-availability solution.
Discussion: What Potential Disasters Can You Protect
Against?

Key Points
This is an open discussion. Think about the sorts of problems that can occur that
will result in either service interruption or data loss; discuss these with the class.
What Is RAID?

Key Points
Hard disks are among the few components in your server computer that have moving
parts. The constant movement inevitably means that the parts wear out and the hard
disk fails. To ensure that your server keeps operating after a disk failure, you
must implement fault tolerance within your storage subsystem.
Using a Redundant Array of Independent Disks (RAID) provides that disk fault
tolerance.

Choosing the RAID Level


Each RAID level involves a trade-off between the following factors:
Cost
Performance
Availability
Reliability
You can determine the best RAID level for your servers by evaluating the read and
write loads of the various data types and then deciding how much you are willing
to spend to achieve the performance and availability/reliability that your
organization requires. The following table describes common RAID levels and their
relative costs, performance, availability, and reliability.

RAID 0 (striping)
    Performance: Balanced load. Potential for better response times, throughput,
    and concurrency. Difficult stripe unit size choice.
    Reliability: Data loss after one failure. A single loss affects the entire array.
    Availability: A single loss prevents access to the entire array.
    Cost and capacity: Minimal cost. Two-disk minimum.

RAID 1 (mirroring)
    Performance: Two data sources for every read request (up to 100% performance
    boost on reads). However, writes must update all mirrors.
    Reliability: A single loss, and often multiple losses (in large configurations),
    are survivable.
    Availability: A single loss, and often multiple losses (in large configurations),
    do not prevent access.
    Cost and capacity: Twice the cost of RAID 0. Two-disk minimum.

RAID 0+1 (striped mirrors)
    Performance: Two data sources for every read request (up to 100% read
    performance boost). Balanced load. Potential for better response times,
    throughput, and concurrency. However, writes must update all mirrors, and you
    face a difficult stripe unit size choice.
    Reliability: A single loss, and often multiple losses (in large configurations),
    are survivable.
    Availability: A single loss, and often multiple losses (in large configurations),
    do not prevent access.
    Cost and capacity: Twice the cost of RAID 0. Four-disk minimum.

RAID 5 (rotated parity)
    Performance: Balanced load. Potential for better read response times,
    throughput, and concurrency. However, up to a 75% write performance hit, and
    read performance degrades in failure mode.
    Reliability: A single loss is survivable; however, in-progress write requests
    might still corrupt data. Multiple losses affect the entire array. After a
    single loss, the array is vulnerable until it is reconstructed.
    Availability: A single loss does not prevent access. However, multiple losses
    prevent access to the entire array. To speed reconstruction, application access
    might be slowed or stopped.
    Cost and capacity: One additional disk required. Three-disk minimum.

RAID 6 (two separate erasure codes)
    Performance: Balanced load. Potential for better read response times,
    throughput, and concurrency. However, up to an 83% write performance hit, and
    read performance degrades in failure mode. All sectors must be read for
    reconstruction, which is a major slowdown. Danger of data being left in an
    invalid state after power loss and recovery.
    Reliability: A single loss is survivable; however, in-progress write requests
    might still corrupt data. Note that more than two losses affect the entire
    array. After two losses, the array is vulnerable until it is reconstructed.
    Availability: A single loss does not prevent access. More than two losses
    prevent access to the entire array. To speed reconstruction, application access
    might be slowed or stopped.
    Cost and capacity: Two additional disks required. Five-disk minimum.

RAID 1+0 (mirrored sets in a striped set)
    Performance: Mirrored sets in a striped set provide an increase in performance
    with an increase in complexity. Performance after a failure remains good
    because all remaining disks are still used.
    Reliability: RAID 1+0 stripes data across a set of mirrored drives, so each
    mirror protects its own slice of the stripe.
    Availability: The array can survive multiple drive losses as long as no mirror
    loses all of its drives.
    Cost and capacity: Minimum of four disks. Must use an even number of disks.
The following are sample uses for various RAID levels:


RAID 0: Temporary or reconstructible data, workloads that tend to develop
hot spots in the data, and workloads with high degrees of unrelated
concurrency.
RAID 1: Database logs, critical data, and concurrent sequential streams.
RAID 0+1: A general-purpose combination of performance and reliability for
critical data, workloads with hot spots, and high-concurrency workloads.
RAID 5: Web pages, semi-critical data, workloads without small writes,
scenarios where capital and operating costs are an overriding factor, and read-
dominated workloads.
RAID 6: Data mining, critical data (assuming quick replacement or hot spares),
workloads without small writes, scenarios where cost is a major factor, and
read-dominated workloads.
RAID 1+0: The primary use for a stripe of mirrors is high-transaction databases.
Having no parity to calculate gives it a faster write speed. The trade-off is risk:
if one drive in a mirrored pair fails, the surviving drive in that pair is a single
point of failure until it is replaced. To reduce this risk, vendors support a hot
spare drive, which automatically replaces and rebuilds a failed drive in the array.
Additional Considerations
If you use more than two disks, RAID 0+1 is usually a better solution than
RAID 1.
When determining the number of physical disks that you should include in
RAID 0, RAID 5, and RAID 0+1 virtual disks, consider the following:
Bandwidth (and often response time) improves as you add disks.
Reliability, in terms of mean time to failure for the array, decreases as you
add disks.
Usable storage capacity increases as you add disks. For striped arrays, the
trade-off is between data isolation (small arrays) and better load balancing (large
arrays).
For RAID 1 arrays, the trade-off is between better cost/capacity (mirrors, that is,
a depth of two) and the ability to withstand multiple disk failures (shadows, that
is, depths of three or even four). Read and write performance issues can also play
a role in RAID 1 array size.
For RAID 5 arrays, the trade-off is between better data isolation and mean time
between failures (MTBF) for small arrays and better cost/capacity for large
arrays.
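The trade-offs in the table above become concrete once you put numbers on a proposed array. The following PowerShell function is an added example, not from the course or from any vendor tool: for a RAID level, disk count and disk size it returns usable capacity, the failures the array always survives, the failures it survives in the best case, and the write penalty. The penalty follows the usual accounting of disk I/Os per logical write (RAID 5 reads old data and parity and writes both, four I/Os; RAID 6 six I/Os), which is where the table's "up to 75%" and "83%" write performance hits come from. The six 300 GB disks in the comparison at the end are assumed figures.

```powershell
# Added example, not from the course: a RAID planning calculator built on the
# trade-offs in the table above. Disk counts and sizes in the call are assumptions.
function Get-RaidPlan {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('0','1','0+1','1+0','5','6')][string]$Level,
        [Parameter(Mandatory=$true)][int]$Disks,
        [Parameter(Mandatory=$true)][double]$DiskSizeGB
    )
    # Per-level rules: minimum disks, disks holding unique data, failures that are
    # always survivable, failures survivable in the best case, and disk I/Os that
    # one logical write costs.
    switch ($Level) {
        '0'   { $min = 2; $dataDisks = $Disks;     $sure = 0;          $best = 0;          $ios = 1 }
        '1'   { $min = 2; $dataDisks = 1;          $sure = $Disks - 1; $best = $Disks - 1; $ios = $Disks }
        '0+1' { $min = 4; $dataDisks = $Disks / 2; $sure = 1;          $best = $Disks / 2; $ios = 2 }
        '1+0' { $min = 4; $dataDisks = $Disks / 2; $sure = 1;          $best = $Disks / 2; $ios = 2 }
        '5'   { $min = 3; $dataDisks = $Disks - 1; $sure = 1;          $best = 1;          $ios = 4 }
        # Four disks (two data, two parity) is the structural minimum for RAID 6;
        # the table's five is a more conservative planning figure.
        '6'   { $min = 4; $dataDisks = $Disks - 2; $sure = 2;          $best = 2;          $ios = 6 }
    }
    if ($Disks -lt $min) {
        throw "RAID $Level needs at least $min disks; $Disks given."
    }
    if (($Level -eq '0+1' -or $Level -eq '1+0') -and ($Disks % 2 -ne 0)) {
        throw "RAID $Level needs an even number of disks; $Disks given."
    }
    # For RAID 1 with more than two disks every disk is a mirror of the same data
    # (the "shadows" of the Additional Considerations), so only one disk of capacity
    # is usable and every write costs one I/O per mirror.
    New-Object PSObject -Property @{
        Level            = "RAID $Level"
        Disks            = $Disks
        RawGB            = $Disks * $DiskSizeGB
        UsableGB         = $dataDisks * $DiskSizeGB
        EfficiencyPct    = [math]::Round(100 * $dataDisks / $Disks)
        FailuresAlwaysOK = $sure
        FailuresBestCase = $best
        IOsPerWrite      = $ios
        WritePenaltyPct  = [math]::Round(100 * (1 - 1 / $ios))
    }
}

# Compare every level for one proposed shelf of six 300 GB disks (assumed figures).
'0', '1', '0+1', '1+0', '5', '6' |
    ForEach-Object { Get-RaidPlan -Level $_ -Disks 6 -DiskSizeGB 300 } |
    Format-Table Level, Disks, UsableGB, EfficiencyPct, FailuresAlwaysOK,
                 FailuresBestCase, IOsPerWrite, WritePenaltyPct -AutoSize
```

The "always" and "best case" failure columns separate RAID 5 from the mirrored levels: RAID 5 survives exactly one failure, whereas RAID 0+1 and RAID 1+0 are guaranteed one but can survive half the disks if the failures fall in the right places, which is the distinction the availability column of the table is drawing.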
What Is Network Load Balancing?

Key Points
Network Load Balancing (NLB) provides high availability and scalability for
TCP/IP-based services, including Web servers, File Transfer Protocol (FTP) servers,
other mission-critical servers, and COM+ applications. In an NLB configuration,
multiple servers run independently, and do not share any resources. Client
requests are distributed among the servers, and in the event of a server failure, NLB
detects the problem and distributes the load to another server. NLB allows you to
increase network service performance and availability.

Performance
NLB scales server performance by distributing the incoming network traffic that is
addressed to the cluster's virtual IP addresses across the hosts in the NLB cluster.
The hosts concurrently respond to different client requests, even multiple requests
from the same client. For example, a Web browser might obtain each of the multiple
images in a single Web page from different hosts within an NLB cluster. This speeds
up processing and shortens the response time to clients.
High Availability
NLB supports high availability by redirecting incoming network traffic to working
cluster hosts if a host fails or is offline. Existing connections to an offline host are
lost, but the Internet services remain available. In most cases, for example with
Web servers, client software automatically retries the failed connections, and the
clients experience a delay of only a few moments before receiving a response.
Many applications work with NLB. In general, NLB can load balance any
application or service that uses TCP/IP as its network protocol and is associated
with a specific TCP or User Datagram Protocol (UDP) port.
Some examples are listed below, by protocol.

HTTP and HTTPS
    Microsoft Internet Information Services (IIS): port 80 (HTTP) and port 443 (HTTPS)

FTP
    Microsoft IIS: port 20, port 21, and ports 1024-65535

SMTP
    Microsoft Exchange Server: port 25

RDP
    Terminal Services: port 3389

PPTP and IPsec
    Virtual private network (VPN) servers: port 1723 for PPTP

Windows Media (including Windows Media over HTTP)
    Windows Media Server: TCP on ports 80, 554, and 1755; UDP on ports 1755 and 5005

CIFS
    Print Services

HTTP and HTTPS
    Microsoft Internet Security and Acceleration Server (ISA)

Scalability
NLB allows administrators to scale network services to meet client demand. New
servers can be added to a load balancing cluster without rewriting applications or
reconfiguring clients. The Load Balancing cluster does not need to be taken offline
to add new capacity, and members of the Load Balancing cluster do not need to be
based on identical hardware.
What Is Failover Clustering?

Key Points
A failover cluster is a group of independent computers that work together to
increase the availability of applications and services. Physical cables and software
connect the clustered servers, known as nodes. If one of the cluster nodes fails,
another node begins to provide service (a process known as failover). Therefore,
users experience a minimum of service disruptions.
In the Windows Server 2008 Enterprise and Windows Server 2008 Datacenter
operating system editions, the improvements to failover clusters, formerly known
as server clusters, are aimed at simplifying clusters, making them more secure, and
enhancing cluster stability.

Note: The failover cluster feature is not available in the Windows Web Server 2008 or
Windows Server 2008 Standard editions.
New Failover Cluster Functionality
Failover clusters include the following new functionality:
New validation feature. With this feature, you can ensure that your system,
storage, and network configuration is suitable for a cluster. You can use the
new validation wizard in failover clusters to perform tests that include specific
simulations of cluster actions, and fall into the following categories:
System Configuration tests. These tests analyze whether the selected
servers meet specific requirements, such as the requirement that the
servers must run the same operating system version and software updates.
Network tests. These tests analyze whether the planned cluster networks
meet specific requirements, such as requirements for network
redundancy.
Storage tests. These tests analyze whether the storage meets specific
requirements, such as whether the storage correctly supports the
necessary small computer system interface (SCSI) commands and handles
simulated cluster actions correctly.
Support for globally unique identifier (GUID) partition table (GPT) disks in
cluster storage. GPT disks provide increased disk size and robustness.
Specifically, unlike master boot record (MBR) disks, GPT disks can have
partitions larger than two terabytes and have built-in redundancy in the way
partition information is stored. With failover clusters, you can use either type
of disk.
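The System Configuration and Network tests described above can be anticipated before the wizard runs, which saves a round of validation failures when a node turns out to be missing an update. The following PowerShell function is an added example, not part of the course or of the Validate a Configuration Wizard: it compares the operating system version, architecture and installed updates of each prospective node against the first node, and checks that each node has more than one connected physical network adapter so the cluster network has no single point of failure. The node names are assumptions; run it with an account that is an administrator on every node, from a computer that can reach them over WMI.

```powershell
# Added example, not from the course: a pre-check of prospective cluster nodes
# ahead of the Validate a Configuration Wizard. Node names are assumptions.
function Test-ClusterNodePrerequisites {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    $nodes = @(foreach ($name in $ComputerName) {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name
        $qfe = @(Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $name |
                 ForEach-Object { $_.HotFixID } | Sort-Object -Unique)
        # NetConnectionStatus 2 = connected; PhysicalAdapter excludes tunnel and
        # virtual adapters, which do not add a redundant path.
        $nics = @(Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $name `
                    -Filter 'NetConnectionStatus = 2 AND PhysicalAdapter = TRUE')
        New-Object PSObject -Property @{
            Node          = $name
            OSVersion     = $os.Version
            ServicePack   = $os.CSDVersion
            Architecture  = $os.OSArchitecture
            Hotfixes      = $qfe
            ConnectedNics = $nics.Count
        }
    })

    # The first node is the reference; every other node must match it.
    $reference = $nodes[0]
    $findings  = @()
    foreach ($node in $nodes) {
        if ($node.OSVersion -ne $reference.OSVersion -or
            $node.ServicePack -ne $reference.ServicePack -or
            $node.Architecture -ne $reference.Architecture) {
            $findings += '{0}: runs {1} {2} {3}; reference {4} runs {5} {6} {7}' -f $node.Node,
                $node.OSVersion, $node.ServicePack, $node.Architecture,
                $reference.Node, $reference.OSVersion, $reference.ServicePack, $reference.Architecture
        }
        $missing = @($reference.Hotfixes | Where-Object { $node.Hotfixes -notcontains $_ })
        if ($missing.Count -gt 0) {
            $findings += '{0}: missing updates that are installed on {1}: {2}' -f `
                $node.Node, $reference.Node, ($missing -join ', ')
        }
        if ($node.ConnectedNics -lt 2) {
            $findings += '{0}: only {1} connected physical adapter(s); the cluster network would have a single point of failure' -f `
                $node.Node, $node.ConnectedNics
        }
    }

    if ($findings.Count -eq 0) {
        "All nodes match $($reference.Node); proceed to the Validate a Configuration Wizard."
    } else {
        $findings
    }
}

Test-ClusterNodePrerequisites -ComputerName 'NYC-CL1', 'NYC-CL2'
```

This is a pre-check only: the wizard's storage tests (SCSI command support, simulated failover of the disks) have no equivalent here and still have to pass before Microsoft supports the configuration.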

Additional Reading
For additional information about clustering, see Course 6423A: Implementing and
Managing Windows Server 2008 Clustering.
Failover Cluster Requirements

Key Points
Carefully review the hardware on which you plan to deploy a failover cluster
to ensure that it is compatible with Windows Server 2008. This is especially
necessary if you are currently using that hardware for a server cluster running
Windows Server 2003. Hardware that supports a server cluster running Windows
Server 2003 does not necessarily support a failover cluster running Windows
Server 2008.

Note: You cannot perform a rolling upgrade from a server cluster running Windows
Server 2003 to a failover cluster running Windows Server 2008. However, after you create
a failover cluster running Windows Server 2008, you can use a wizard to migrate certain
resource settings to it from a server cluster running Windows Server 2003.
The following hardware is required in a failover cluster:
Servers. Microsoft recommends that you use a set of matching computers that
contain the same or similar components.
Network adapters and cable (for network communication). The network
hardware, like other components in the failover cluster solution, must be
marked as Certified for Windows Server 2008. If you use iSCSI, your
network adapters must be dedicated to either network communication or
iSCSI, but not both.
In the network infrastructure that connects your cluster nodes, avoid having
single points of failure. There are multiple ways to accomplish this. You can
connect your cluster nodes by multiple, distinct networks. Alternatively, you
can connect your cluster nodes with one network that is constructed with
teamed network adapters, redundant switches, redundant routers, or similar
hardware that removes single points of failure.
Device controllers or appropriate adapters for the storage. If you are using Serial
Attached SCSI or Fibre Channel, the mass-storage device controllers that are
dedicated to the cluster storage in all clustered servers should be identical and
should use the same firmware version.
For iSCSI: If you are using iSCSI, each clustered server must have one or
more network adapters or host bus adapters that are dedicated to the
cluster storage. The network you use for iSCSI cannot be used for network
communication. In all clustered servers, the network adapters you use to
connect to the iSCSI storage target should be identical, and we recommend
that you use Gigabit Ethernet or higher. For iSCSI, you cannot use teamed
network adapters, because iSCSI does not support them.
Storage. You must use shared storage that is compatible with Windows Server
2008. In most cases, the storage should contain multiple, separate disks or
logical unit numbers (LUNs) that are configured at the hardware level. For
some clusters, one disk functions as the witness disk, while other disks
contain the files required for the clustered services or applications.
Storage requirements include the following:
To use the native disk support included in failover clustering, use basic
disks, not dynamic disks.
Microsoft recommends that you format the partitions with the NTFS file
system. (For the witness disk, the partition must be NTFS).
For the partition style of the disk, you can use either MBR or GPT.
Note: A witness disk is a disk in the cluster storage that is designated to hold a copy of
the cluster configuration database. A failover cluster has a witness disk only if this is
specified as part of the quorum configuration.

Important: Microsoft supports a failover cluster solution only if all the hardware
components are marked as Certified for Windows Server 2008. Additionally, the
complete configuration (servers, network, and storage) must pass all tests in the Validate
a Configuration Wizard, which is included in the Failover Cluster Management snap-in.

Additional Reading
For more information about iSCSI, see the iSCSI Cluster Support FAQ on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=61375.
For information about hardware compatibility for Windows Server 2008, see the
Windows Server catalog at http://go.microsoft.com/fwlink/?LinkID=59821.
For information about the maximum number of servers that you can have in a
failover cluster, see the Edition Comparison by Technical Specification page of the
Windows Server 2008 Web site at http://go.microsoft.com/fwlink/?LinkId=92091.
Failover Clustering Scenarios

Key Points
There are several scenarios in which failover clustering can be used as a high-
availability solution.

File Server
Failover clustering can be used to provide high availability for shared folders. The
highly available shared folders are stored on a shared storage device such as SAS or
an iSCSI SAN.
The clustered nodes use a heartbeat signal to check whether each node is alive.
In a two-node cluster, if one node fails, the remaining node must pick up all of the
file shares.
To ensure the highest availability, the cluster should host no more shares than a
single node can host on its own. Two-node clusters are focused on high availability,
not scale-out, so you should not expect to hold more shares on a 2-node cluster
than on a single node.
In a 4-node cluster, you have other options that may be more appropriate,
depending on the failure scenarios that you want to protect against. For example, if
you want to survive one node failing at any point in time, you can configure the
shares so that if one node fails, its work is spread across the remaining three nodes.
The load of four nodes must then fit on three, so each node can be loaded to 75
percent of the maximum number of shares and still be within the limit of a single
node in the event of a single failure. In this case, the cluster can host three times
the number of shares that a single server can host. If you want to survive two nodes
failing, then a 4-node cluster can hold twice as many shares as a single server
(because if two nodes fail, the remaining two nodes need to pick up the load from
the two failed servers), and so on: a cluster of N nodes that must survive F
failures can host (N minus F) times the load of a single node.

Application Server
Failover clustering can be used to provide high availability for an application such
as a Web-based application. This scenario may use a combination of failover
clustering and NLB to make an application highly available.
An example of this scenario is a highly available Web application that uses a back-
end failover cluster to make the static Web content and the Microsoft SQL Server
database(s) used by the Web site highly available. Multiple front-end IIS servers
using NLB would be used to provide scalability and availability for the Web
service.
In this scenario, there is redundancy for both front-end and back-end
infrastructure.

Database Server
As in previous scenarios, the highly available resource (in this case one or more
SQL databases) is stored on a shared storage device.
The clustered nodes use a heartbeat signal to check whether each node is alive, at
both the operating system level and the SQL Server level. At the operating system
level, the nodes in the cluster are in constant communication, validating the health
of all the nodes.
During failover of the SQL Server instance, SQL Server resources start up on the
new node. Windows clustering starts the SQL Server service for that instance on
the new node and SQL Server goes through the recovery process to start the
databases. After the service is started and the master database is online, the SQL
Server resource is considered to be up. Now the user databases will go through the
normal recovery process, which means that any completed transactions in the
transaction log are rolled forward (the Redo phase), and any incomplete
transactions are rolled back (the Undo phase).
Hyper-V Server
If you want to consolidate multiple servers (as virtual machines) on one physical
server but want to avoid causing that server to become a single point of failure, you
can create a failover cluster in which all servers (nodes) run Hyper-V and are
configured to run one or more virtual machines as needed.
Choosing Between NLB and Failover Clustering

Key Points
It is important to understand how failover clustering and NLB differ. The following
comparison summarizes the functionality and recommended uses of each.

Failover Clustering
    Used for databases, e-mail services, line of business (LOB) applications, and
    custom applications.
    Provides high availability and scalability for stateful applications, and
    supports server consolidation.
    Can be deployed on a single network or geographically distributed.
    Supports clusters of up to 16 nodes on x64-based editions (8 nodes on x86-based
    editions).
    Requires shared or replicated storage on cluster-compatible hardware.

NLB
    Used for Web servers, firewalls, Web services, or other stateless applications.
    Provides high availability and scalability for stateless applications.
    Generally deployed on a single network, but can span multiple networks if
    properly configured.
    Supports clusters of up to 32 nodes.
    Doesn't require any special hardware or software; works out of the box.
Lesson 2
Planning a Backup and Restore Strategy

Windows Backup has been improved in Windows Server 2008, with new features
such as Complete PC Backup. Backup with Windows Server 2008 uses Volume
Shadow Copy Service (VSS) and block-level backup technology to efficiently back
up and recover the operating system, files and folders. After the first full backup is
created, Backup automatically runs incremental backups by saving only the data
that has changed since the last backup.
Objectives
After completing this lesson, you will be able to:
Describe the fundamental considerations of a backup strategy.
Determine what data must be backed up.
Describe Shadow Copies.
Determine how to implement shadow copies.
Plan a suitable backup strategy.
Basics of Backup

Key Points
There are many ways in which you can unintentionally lose information on a
computer: a power surge, lightning, floods, hardware failures, and malicious
software. One of the most important considerations in an organization is backing
up your important information to prevent this potential information loss.

What to Back Up
Deciding what to back up is one consideration when developing a backup plan.
On a home computer, a user may want to back up bank records and other financial
information, digital photographs, software purchased and downloaded from the
Internet, music purchased and downloaded from the Internet, the e-mail address
book, a Microsoft Office Outlook calendar, and any other personal documents.
This decision is even more critical for businesses. Business information loss may
significantly disrupt business productivity. In most situations, a full data backup is
desirable. The key question for the organization is what data is vital to the
company? This may be things like customer or client database information, payroll
records, product information, and so forth.
What Media to Use
After you decide what data to back up, the next step is to determine where to
store the backup. Options include external or internal hard drives, CDs, DVDs, USB
flash drives, and, in some third-party backup systems, tape devices.

Where to Store the Backups
To protect against site-level disasters, an organization should store copies of
these backups at an off-site location. This would be helpful in a situation such as
a fire, where the on-site data would potentially have been destroyed.

Who Should Perform the Backup/Restore Operations
The final fundamental consideration is who should perform backup, and perhaps
more critically, restore operations. After you have implemented a backup strategy,
you could automate the backup process; indeed, most backup solutions are
automated. However, it might occasionally be necessary to perform ad-hoc backup
operations. You should consider carefully which users can perform this task.
When you need to restore data, it is important that the right data is restored, and to
the correct location. For this reason, restore operations, aside from user-initiated
single file operations, should only be conducted by skilled administrative
personnel.
You can use the Windows Server built-in groups to assign the necessary backup
and restore privileges, or you can create your own groups as needed.

Windows Server Backup


Windows Server Backup provides a snap-in administrative tool and the WBAdmin
command (wbadmin.exe). Both the snap-in and the command line allow you to
perform manual or automated backups to an internal or external disk volume, a
remote share, or optical media, with two restrictions in Windows Server 2008: a
scheduled backup must go to a locally attached disk that is dedicated to backups,
and a remote share or optical media can be used only for one-time backups, where
a share keeps just the most recent backup. Backing up to tape is no longer
supported by Windows Server Backup.

The system state backup concept is still present in Windows Server 2008; however,
a system state backup now contains much more data than in previous versions of
Windows because of the interdependencies between server roles, physical
configuration, and Active Directory.
Note that the legacy backup tool, NTBackup, is no longer supported. Furthermore,
Windows Server Backup is unable to restore backups made by NTBackup. You can
download a version of NTBackup that is compatible with Windows Server 2008
and supported for restoring legacy backup files onto Windows Server 2008 when
you need to recover data. However, NTBackup should not be used to perform any
new backup operations.
Discussion: What Needs to Be Backed Up?

Key Points
This is an open discussion. Consider your own organization, and determine where
critical data exists; discuss what data needs to be backed up.
What Are Shadow Copies?

Key Points
The Previous Versions feature in Windows Server 2008 enables your users to
access previous versions of files and folders on your network. This is useful
because users can:
Recover files that were deleted accidentally. If you delete a file accidentally, you
can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file. If you overwrite a file accidentally,
you can recover a previous version of the file.
Compare versions of a file while working. You can use previous versions when
you want to check what has changed between two versions of a file.

Users can access previous versions using the folder Properties dialog box. Available
versions appear on the Previous Versions tab under Folder Versions.
To enable previous file versions access, you must enable shadow copies of shared
folders on the file server. Shadow copies are copies of files that are located on the
server and appear as previous versions.
Previous versions are read-only. You cannot make changes to a previous version of
the file as it exists on the server. Additionally, previous versions are periodically
deleted and can disappear at any time. If you want to ensure access to a previous
version of a file, you should copy it to a safe place.
A shadow copy volume appears as a complete, read-only copy of a volume at the
point-in-time of creation. Shadow copies are also known as snapshots or restore
points. These snapshots are used by backup and restore applications, including
Windows Server 2008 backup features.
Performing manual backups is a useful tool for data protection; however, Windows
Server 2008 provides another level of defense with built-in file protection. This
feature is what makes shadow copies a great self-service solution for enterprises.
Shadow copies, or snapshots, are taken on a schedule (twice on each working day
by default), and the changes are tracked at the block level and stored in a
storage area that, unless you move it, lives on the same volume (by default up to
10 percent of the volume is set aside). Users then pick a shadow copy from the
Previous Versions tab. The mechanism works as follows:
A shadow copy is represented by blocks of data.
There is a separate storage area (the differences area) for the shadow copy.
When a block on the source volume is about to be changed, VSS first copies the
original block into the storage area.
An administrator can then recover an earlier version of a file from the snapshot,
or revert a data volume to it with vssadmin revert shadow.

The copy-on-write method creates shadow copies that are differential rather than
full copies of the original data. This method makes a copy of the original data
before it is overwritten with new changes. When a change to the original volume
occurs, but before it is written to disk, the block about to be modified is read and
then written to a differences area, which preserves a copy of the data block before
it is overwritten with the change. Using the blocks in the differences area and the
unchanged blocks in the original volume, a view of the volume as it was at the
point in time of the shadow copy can be logically constructed. The cost is one
extra read and one extra write the first time each block is modified after a
snapshot, which is why heavily written volumes benefit from a storage area on
separate disks.
Shadow Copy Considerations

Key Points
When using Shadow Copy, there are some considerations that you should keep in
mind, such as those in the following topics.

Shadow Copy Support in Client Operating Systems


Shadow copies can be accessed by computers running Windows Server 2008,
Windows Server 2003, and by computers running Windows XP Professional on
which you have installed the Previous Versions Client pack (Twcli32.msi). You can
install this file manually on clients or deploy the file by using the software
distribution component of Group Policy.
If you have not yet deployed these operating systems or client packs on your
clients, you can deploy a single computer (or as many as necessary) from which
users can restore previous versions of files. You can also distribute the client pack
on a case-by-case basis to users who request that files be restored.
Shadow Copy Support in Server Operating Systems
Shadow copies are available only on file servers running Windows Server 2008
and Windows Server 2003.

Shadow Copy Support on Server Clusters


If you use Shadow Copies for Shared Folders on mounted volumes in a cluster, do
not place the storage volume on a volume that is mounted to the source volume. In
addition, do not mount the source volume to the storage volume. Otherwise, the
cluster dependency between the Physical Disk resources of the mount point
volume and the volume it is mounted to will interfere with the cluster dependency
that is introduced by VSS between the source and storage volumes.

File System Requirements


Shadow copies are available only on NTFS volumes.

Recommended Scenarios for Using Shadow Copies


Shadow copies work best when the server stores user files such as documents,
spreadsheets, and graphics files. Do not use shadow copies to provide access to
previous versions of application or e-mail databases.

Amount of Volume Space to Allocate to Shadow Copies


When you enable shadow copies on a volume, you can specify the maximum
amount of volume space to be used for the shadow copies. The default limit is 10
percent of the source volume (the volume being copied). Increase the limit for
volumes where users frequently change files. Also, setting the limit too small
causes the oldest shadow copies to be deleted frequently, which defeats the
purpose of shadow copies and which will likely frustrate users. In fact, if the
amount of changes is greater than the amount of space allocated to storing shadow
copies, no shadow copy is created. Therefore, carefully consider the amount of disk
space that you want to set aside for shadow copies, while keeping in mind user
expectations for how many versions they want to be available. Your users might
expect only a single shadow copy to be available, or they might expect three days
or three weeks worth of shadow copies. The more shadow copies the users expect,
the more storage you need to allocate for storing them.

Note: Regardless of the volume space that you allocate for shadow copies, you can have
a maximum of 64 shadow copies for any volume. When the sixty-fifth shadow copy is
taken, the oldest shadow copy is purged.
Frequency at Which Windows Server 2008 Creates Shadow Copies
By default, Windows Server 2008 creates shadow copies at 7:00 A.M. and at 12:00
noon Monday through Friday. However, you can change the schedule to better
accommodate users. Keep in mind that the more shadow copies you create,
the more disk space the shadow copies can consume, especially if files change
frequently. When you determine the schedule, avoid scheduling shadow copies to
occur more than once per hour.

Storing Shadow Copies on Separate Disks


You can dedicate a volume on separate disks for storing the shadow copies of
another volume on the same file server. For example, if user files are stored on
H:\, you might use another volume, such as S:\, to store the shadow copies.
Using a separate volume on separate disks provides better performance, and it is
recommended for heavily used file servers. If you plan to use a separate volume for
the storage area (where the shadow copies are stored), be sure to change the
maximum size to No Limit to reflect the space available on the storage area volume
instead of the source volume (where the user files are stored).

Note: If you plan to store the shadow copies on the same volume as the user files, note
that a burst of disk I/O can cause all shadow copies to be deleted. If you cannot tolerate
the sudden deletion of shadow copies, use a volume that will not be shadow copied,
preferably on separate disks, for storing shadow copies.
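The following script is an added example (not the course's own steps) that applies the recommendations above from the command line: it puts the storage area for the user-data volume on a separate volume with no size cap, adds an extra scheduled run, takes a snapshot, and then parses the vssadmin output to report how many copies exist and how old the newest is. The drive letters H: and S: are the course's own example; the scheduled-task name is an assumption. It also illustrates why shadow copies do not replace backups: they live on the same server, a burst of writes can purge them, and one vssadmin delete shadows command from anyone with administrative rights removes them all.

```powershell
# Added example, not part of the course text: Shadow Copies of Shared Folders for
# a user-data volume, storage area on a separate volume, from the command line.
# Assumes the course's drive letters: user files on H:, storage area on S:.
# Run from an elevated prompt; vssadmin and schtasks ship with Windows Server 2008.

# 1. Storage area on the separate volume with no size cap (the GUI's "No Limit").
#    Use "vssadmin resize shadowstorage" instead if an area for H: already exists.
vssadmin add shadowstorage /for=H: /on=S: /maxsize=UNBOUNDED

# 2. Default schedule is 07:00 and 12:00, Monday to Friday. Shadow copies are taken
#    by a scheduled task, so an extra 17:00 run is just one more task
#    (task name is an assumption; keep runs at least an hour apart).
schtasks /create /tn "ShadowCopy-H-1700" /sc weekly /d MON,TUE,WED,THU,FRI /st 17:00 /ru SYSTEM /tr "vssadmin create shadow /for=H:"

# 3. Take one now so that users see a Previous Versions entry immediately.
vssadmin create shadow /for=H:

function Get-ShadowCopyStatus {
    # Parses "vssadmin list shadows" and reports how many snapshots a volume has
    # and how old the newest one is. A volume that suddenly reports zero is worth
    # investigating: either the storage cap was exhausted by a burst of writes, or
    # someone ran "vssadmin delete shadows /for=H: /all".
    param([string]$Volume = 'H:')
    $times = @(vssadmin list shadows /for=$Volume | ForEach-Object {
        if ($_ -match 'creation time:\s+(.+)$') { [datetime]::Parse($matches[1]) }
    })
    if ($times.Count -eq 0) { return "$Volume has no shadow copies" }
    $newest = ($times | Sort-Object)[-1]
    $age = [int]((Get-Date) - $newest).TotalHours
    "$Volume has $($times.Count) shadow copies (maximum 64); newest is $age hour(s) old"
}

Get-ShadowCopyStatus 'H:'
vssadmin list shadowstorage /for=H:
```

Run Get-ShadowCopyStatus from a monitoring job on each file server: a count that drops to zero outside the normal purge pattern is the signal that the self-service copies are gone and the formal backups are now the only recovery path.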

Additional Reading
For more information on restoring a previous version of a file or folder, see
Windows Server 2008 Help Topic: How do I restore a previous version of a file or
folder?
For more information on best practices for shadow copies of shared folders, see
Best Practices for Shadow Copies of Shared Folders at http://go.microsoft.com
/fwlink/?LinkID=139994.
Discussion: Backup Considerations

Key Points

Question: To whom should you restrict backup operations?

Question: Why is using the Shadow Copies facility not a replacement for formal
backups?

Question: What are the disadvantages of tape media?

Question: How frequently should you back up critical data?


Lab: Planning High Availability and Disaster
Recovery

The sales department at A. Datum Corporation has an application that has a Web-
based front end. The back end is provided by a Microsoft SQL Server database
application. Recently, a failure in the front end caused system unavailability for
several hours. Joe Healy, the Sales manager, has contacted Allison Brown, the IT
manager, and asked her to find a solution to the availability issue.
Exercise 1: Planning for Branch Office High Availability and
Data Recovery

Note: Your instructor may run this exercise as a class discussion.

Scenario
Read any of the supporting documentation, and then propose a high-availability
solution that meets the requirements in the High Availability for Sales Database
document.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Update the High Availability for Sales Database document with your
proposals.
Supporting Documentation
E-mail thread of correspondence with Alan Steiner:

Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 14 February 2010 13:30
To: Gregory@adatum.com
Subject: Re: Sales Database

Greg,
The sales database is currently in the head office only, although that is set to
change; we're creating a distributed version of the database later this year. The
distributed version will work essentially the same way, but there will be localized
versions of the databases replicated among the sales branch offices. It has a SQL
Server back-end, and the front-end is Web-based; IIS provides the front-end access.
The actual database is stored on disks attached to an iSCSI SAN.
The outage was caused when the Web server hosting the front end suffered a
power supply failure; it just started to smoke and then went offline!
In terms of backup, we currently perform a full backup to tape each Friday using a
third-party system; thereafter, we perform incremental backups to tape each work
day evening. Of course, SQL Server is performing replication during the working
day, so multiple instances of the data do exist. It would be nice to be able to
perform the backups more quickly.
Hope all that helps you,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 14 February 2010 12:29
To: Alan@adatum.com
Subject: Sales Database
Alan,
I've got to come up with a solution to that database outage in Sales last month.
What can you tell me about it? Also, while I think about it, how is backup handled?
Thanks,
Greg
High Availability for Sales Database

Document Reference Number: GW1602/1

Document Author Gregory Weber


Date 16th February

Requirement Overview
To provide a high-availability solution that ensures that the failure of any single
component will not cause the Sales database to become unavailable.
To ensure that the database is recoverable in the event of multiple disk failures.

Additional Information
All servers are installed with Windows Server 2008 Enterprise Edition.

Proposals
1. In the current system, what component(s) is a point of failure?

2. For each element, how would you propose to prevent a system failure resulting
from a component failure?

3. What Windows Server 2008 role or feature could help provide for each of these
proposals?

4. After implementing the roles or features proposed, is there any remaining
component that represents a single point of failure?

5. Have you any recommendations regarding this component(s)?



Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the High Availability for Sales Database document with
your proposals
Answer the questions in the High Availability for Sales Database document.

Results: After this exercise, you should have a completed High Availability for Sales
Database proposal document.
Exercise 2: Implementing the High Availability and Disaster
Recovery Plan
Scenario
You will now implement a part of your high-availability and recovery plan.
The main tasks for this exercise are as follows:
1. Start the virtual machines and log on.
2. Install NLB and IIS on both SEA-SVR1 and SEA-SVR2.
3. Create a simple Web site on both servers.
4. Create the NLB cluster.
5. Install Windows Server Backup Features and enable Shadow Copies on
SEA-SVR1.
6. Secure the backup process.
7. Perform a backup.
8. Test the NLB cluster.

Task 1: Start the virtual machines, and then log on

1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-SVR2, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-SVR2 as ADATUM\Administrator with the password
Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install NLB on SEA-SVR1
1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to add the Network Load Balancing feature.

Task 3: Install IIS on SEA-SVR1

1. Use Server Manager to add the Web Server (IIS) server role.
2. Accept defaults during the role installation process.

Task 4: Create a Web site on SEA-SVR1

1. Open a command prompt, and enter the following commands to copy a
simple Web site to the local server:
    cd \inetpub\wwwroot
    xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
2. Close the command prompt.

Task 5: Install NLB on SEA-SVR2

1. Switch to the SEA-SVR2 computer.
2. Use Server Manager to add the Network Load Balancing feature.

Task 6: Install IIS on SEA-SVR2

1. Use Server Manager to add the Web Server (IIS) server role.
2. Accept defaults during the role installation process.

Task 7: Create a Web site on SEA-SVR2
1. Open a command prompt, and enter the following commands to copy a
simple Web site to the local server:
    cd \inetpub\wwwroot
    xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
2. Close the command prompt.

Task 8: Create the NLB cluster

1. Switch to the SEA-DC1 computer and open Server Manager.
2. Add the Network Load Balancing Tools Feature. This is located under Remote
Server Administration Tools | Feature Administration Tools.
3. Open Network Load Balancing Manager and create a new cluster:
In the New Cluster: Connect dialog box, in the Host field, type
SEA-SVR1, click Connect, and then click Next.
On the Cluster IP Addresses page, click Add.
In the Add IP Address dialog box, in the IPv4 address field, type
10.10.10.10, and press TAB. Then in the Subnet mask field, type
255.255.0.0.
Click OK, and then click Next.
On the Cluster Parameters page, in the Full Internet name field, type
webfarm.adatum.com.
Click Multicast, and then click Next.
On the Port Rules page, click Edit.
In the Add/Edit Port Rule dialog box, in the From field, type 80, and in
the To field, type 80.
Under Protocols, click TCP.
For Affinity, click None.
Click OK, and then click Finish.
In the console tree, right-click webfarm.adatum.com, and then click Add
Host to Cluster.
In the Add Host to Cluster: Connect dialog box, in the Host field, type
SEA-SVR2, and then click Connect.
Click Next.
On the Host Parameters page, click Next.
On the Port Rules page, click Finish.

Task 9: Configure DNS records

1. Open DNS Manager.
2. Create a new Host Record with the following properties, and then close DNS
Manager:
Location: Adatum.com zone
Name: webfarm

Note: Only enter the name webfarm; the domain suffix is added automatically.

IP address: 10.10.10.10

Note: You will test the cluster at the end of the exercise.

Task 10: Install the Windows Server Backup features

1. Switch to the SEA-SVR1 computer.
2. Use Server Manager to add the Windows Server Backup Features server
feature.
3. Close Server Manager.

Task 11: Enable shadow copies

1. Click Start, click Computer, right-click Local Disk (C:), and then click
Configure Shadow Copies.
2. Enable shadow copies.
3. Modify the shadow copy schedule to include both Saturdays and Sundays.
4. Create a manual shadow copy.

Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub,
right-click wwwroot, and then click Properties.
2. Verify that there are previous versions listed.

Task 13: Establish groups to secure the backup process

1. Open Server Manager once more.
2. In Server Manager, expand Configuration, expand Local Users and Groups,
and then click Groups.
3. Modify the local Backup Operators group to include the member Joe from the
Adatum.com domain.
4. Log off.

Task 14: Perform a backup of the branch server

1. Log on to 6430B-SEA-SVR1 as ADATUM\Joe with the password Pa$$w0rd.
2. Load Windows Server Backup.
3. Perform a one-off backup with the following properties:
Backup configuration: Custom
Destination: \\sea-dc1\public
Advanced option: Vss copy backup (recommended)
4. After the backup has started, close Windows Server Backup.
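The script below is an added example (not a lab step) that performs Tasks 10, 13 and 14 from the command line with wbadmin, the tool introduced in the Windows Server Backup topic earlier, and adds the permission check the GUI walkthrough does not show. All names (SEA-SVR1, \\sea-dc1\public, ADATUM\Joe, Pa$$w0rd) are the lab's own. Run the first two sections as ADATUM\Administrator and the backup itself as Joe, each from an elevated prompt.

```powershell
# Added example, not a lab step: Tasks 10, 13 and 14 on SEA-SVR1 from the command
# line. Names and the password are the lab's own values.

# Task 10: the feature. ServerManagerCmd is the Windows Server 2008 tool
# (the ServerManager PowerShell module only arrives in R2).
servermanagercmd -install Backup-Features

# Task 13: delegate. This grants Joe the Back up / Restore files and directories
# user rights on this server, i.e. read and write to any file regardless of ACL.
net localgroup "Backup Operators" ADATUM\Joe /add
net localgroup "Backup Operators"

# Task 14, run as Joe: one-time backup of the C: volume to the share.
# -vssCopy       : does not reset other products' incremental history (the weekly tape job).
# -noInheritAcl with -user/-password : the WindowsImageBackup folder gets an ACL for
#                  that account and local administrators only. Without it the folder
#                  inherits the share's ACL, so everyone who can read \\sea-dc1\public
#                  can read a complete image of C:.
# A remote share holds only the most recent backup; each run overwrites the last.
# The password is single-quoted so PowerShell does not expand "$$"; passing it on
# the command line at all is lab-only practice.
wbadmin start backup -backupTarget:\\sea-dc1\public -include:C: -vssCopy -noInheritAcl -user:ADATUM\Joe '-password:Pa$$w0rd' -quiet

# Verify: the catalogue at the target, and who can actually read the image.
wbadmin get versions -backupTarget:\\sea-dc1\public
icacls \\sea-dc1\public\WindowsImageBackup\SEA-SVR1
```

The icacls line is the check to keep: a backup image is the whole server in one folder, so its ACL should be no wider than the ACL on the most sensitive data it contains.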

Task 15: Test the NLB cluster
1. Switch to the SEA-DC1 computer.
2. Open Microsoft Internet Explorer.
3. In the Internet Explorer address bar, type http://webfarm.adatum.com, and
then press ENTER.
The A Datum Intranet appears.
4. Turn off the SEA-SVR1 computer. In the Close box, select Turn off machine
and discard changes. Click OK.
5. On SEA-DC1, type http://webfarm.Adatum.com, and then press ENTER.

Note: Even though an NLB Cluster member is unavailable, the Web site is still available.

Results: After this exercise, you should have successfully implemented your high-
availability and recovery plan.
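As an added example (not a lab step), the following PowerShell function measures the cluster's behaviour in Task 15 instead of loading the page once in a browser. It assumes one extra file per node that the lab does not create: on each of SEA-SVR1 and SEA-SVR2, run cmd /c "echo %COMPUTERNAME% > C:\inetpub\wwwroot\node.txt" first. webfarm.adatum.com is the lab's cluster name; the script needs PowerShell 2.0 for try/catch.

```powershell
# Added example, not a lab step: probe the NLB cluster repeatedly and tally which
# host answered and how many requests failed. Assumes node.txt on each node
# (see the lead-in); webfarm.adatum.com is the lab's cluster name.

function Test-WebFarm {
    param(
        [string]$Url   = 'http://webfarm.adatum.com/node.txt',
        [int]$Count    = 20
    )
    $answered = @{}
    $failed   = 0
    for ($i = 0; $i -lt $Count; $i++) {
        # A fresh WebClient per request means a new TCP connection each time, so
        # NLB sees a new source port to hash. With the lab's affinity setting of
        # None that spreads requests over both hosts even from a single client;
        # with affinity Single every request from this client would hit one host.
        $wc = New-Object System.Net.WebClient
        $wc.Headers.Add('Cache-Control', 'no-cache')
        try {
            $node = $wc.DownloadString($Url).Trim()
            if ($answered.ContainsKey($node)) { $answered[$node]++ } else { $answered[$node] = 1 }
        } catch {
            $failed++
        }
        $wc.Dispose()
        Start-Sleep -Milliseconds 250
    }
    "$Count requests to $Url : $failed failed"
    foreach ($node in $answered.Keys) { "  $node answered $($answered[$node]) request(s)" }
}

# Run once before and once after turning off SEA-SVR1 (Task 15, step 4): the
# second run should still show zero failures, with only SEA-SVR2 answering.
Test-WebFarm
```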

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module Review and Takeaways

Review Questions
1. You plan to deploy a Web farm. You want to provide a fault tolerant front end
for client computers connecting from the Internet. Which would be the most
suitable technology?

2. You want to implement a RAID solution that provides good read performance
and reasonable fault tolerance; however, lower cost is a factor. Which RAID
standard(s) would be suitable?

3. Which editions of Windows Server 2008 support the failover clustering
feature?
4. Where do you store shared folders that are part of a File Server cluster?

5. Shadow copies work on the principle of providing incremental copies of
configured volumes at the block level. True or False?
Module 11
Planning Virtualization
Contents:
Lesson 1: Overview of Server Virtualization 11-4
Lesson 2: Business Scenarios for Server Virtualization 11-13
Lesson 3: Overview of System Center Virtual Machine Manager 11-20
Lesson 4: Planning Host Resources 11-31
Lab: Planning Virtualization 11-42
Module Overview

Virtualization is a commonly used technology for increasing the efficiency and
availability of applications and services. Microsoft has several virtualization
products. Hyper-V is the hypervisor included with Windows Server 2008. For
organizations with multiple virtualization hosts, System Center Virtual Machine
Manager (VMM) can be used to centrally manage all aspects of virtualization.
When you plan the implementation of virtualization, you need to consider how
host resources are allocated to the virtual machines.
Objectives
After completing this module, you will be able to:
Describe virtualization and the technologies that can be used to implement
virtualization.
Describe the business scenarios for virtualization.
Describe how System Center Virtual Machine Manager can be used to manage
a virtual environment.
Plan host resources.
Lesson 1
Overview of Server Virtualization

Server virtualization uses a hypervisor to allow multiple operating systems to run
concurrently on a single computer. Microsoft provides Virtual PC, Virtual Server,
and Hyper-V to implement server virtualization. Each has unique requirements
and benefits and is appropriate in different scenarios.
Objectives
After completing this lesson, you will be able to:
Describe virtualization.
Describe Virtual PC.
Describe Virtual Server.
Describe Hyper-V.
What Is Virtualization?

Key Points

Note: See the animation What Is Virtualization. Open the file
crse10068ae_01_01_01_ani01.swf from the Animations folder.

Virtualization enables multiple operating system instances to run on a single
computer. For example, a single computer could run multiple instances of
Windows Server 2008 at the same time, with each instance dedicated to running a
different application. Each instance is referred to as a virtual machine. Each virtual
machine is independent of the other and can be restarted and managed separately.
Also, the operating system running in each virtual machine can be different.
A hypervisor is used to enable virtualization. The hypervisor controls
communication between the virtual machines and resources such as memory or
hard disks. Depending on the virtualization technology used, a hypervisor may run
on bare metal or within a host operating system. The hypervisor may also present
emulated hardware to the guest operating systems in the virtual machines.
Microsoft has several virtualization products. Microsoft Virtual PC is used on
desktop computers to run virtual machines for testing. Microsoft Virtual Server is
designed to run production servers in a virtual environment, with Windows Server
2003 as a host. Hyper-V is a server role that enables Windows Server 2008 to act as
a host for virtual machines.
What Is Virtual PC?

Key Points
Microsoft Virtual PC is a virtualization technology for running multiple operating
system instances on a desktop computer. The latest version is Virtual PC 2007
Service Pack 1 (SP1) and can be downloaded from the Microsoft Web site.
The supported host operating systems for Virtual PC 2007 are:
Windows XP Professional (x86 and x64)
Windows XP Tablet PC Edition
Windows Server 2003 (x86 and x64)
Windows Vista Business, Enterprise, and Ultimate Editions (x86 and x64)

The primary use for Virtual PC is for testing scenarios where only a few virtual
machines with limited resources are required. Virtual PC uses only a single
processor core, which limits the volume of processing that all virtual machines can
do. Also, Virtual PC supports only 32-bit guest operating systems. This limits the
maximum memory to 4 GB.

A major benefit of using Virtual PC is the ability to move data between the host
and guest. This allows you to easily move files to the guest without creating a
file share and without having to ensure compatibility of network settings
between the host and guest.
Many operating systems will run as a guest in Virtual PC. The supported guest
operating systems for Virtual PC are:
Windows Vista Ultimate
Windows Vista Enterprise
Windows Vista Business
Windows XP Professional
Windows XP Tablet PC Edition
Windows 2000 Professional
Windows 98 Second Edition
IBM OS/2 Warp 4 Fixpack 15, OS/2 Warp Convenience Pack 1, and OS/2
Warp Convenience Pack 2
What Is Virtual Server?

Key Points
Microsoft Virtual Server is designed to run production servers in a virtual
environment. The latest version is Virtual Server 2005 R2 SP1 and can be
downloaded from the Microsoft Web site.
The supported host operating systems for Virtual Server are:
Windows Server 2003 (x86 and x64)
Windows XP (x86 and x64, nonproduction)
Windows Vista (x86 and x64, nonproduction)

Like Virtual PC, Virtual Server can be used to create a test environment for new
applications and operating system changes. Virtual Server supports multiple CPU
cores for each virtual machine and you can control how CPU cores are allocated to
each virtual machine. However, guest operating systems are limited to 32-bit
editions and, consequently, 4 GB of RAM per virtual machine.

Management of Virtual Server is performed through a Web-based application
on the host. This makes it easy to manage virtual machines remotely, which is
required for many data centers. In general, Virtual Server provides features that
make it easier to manage than Virtual PC. This includes centralized management of
multiple Virtual Server hosts by using System Center Virtual Machine Manager.
Virtual Server also supports more operating systems than Virtual PC. The following
guest operating systems are supported in Virtual Server:
Windows Server 2003
Windows 2000 Server
Windows NT 4.0
Windows XP SP2
Red Hat Enterprise Linux versions 2.1, 3.0, and 4.0
Red Hat Linux versions 7.3 and 9.0
SUSE Linux Enterprise Server 9.0
SUSE Linux versions 9.2, 9.3, and 10.0
What Is Hyper-V?

Key Points
Hyper-V is a server role included in 64-bit editions of Windows Server 2008
(Standard, Enterprise, and Datacenter) to host virtual machines. When the Hyper-
V role is installed on a computer, the Windows hypervisor is installed and begins
running after the computer is restarted. The Windows hypervisor is a bare metal
hypervisor that runs before the operating system.

Partitions
The instance of Windows Server 2008 with the Hyper-V role installed is the parent
partition. Child partitions are the virtual machines created to run new operating
system instances. If the parent partition fails, the child partitions will also fail. For
this reason, it is common to use the Server Core installation option of Windows
Server 2008 as the operating system in the parent partition. Using the Server Core
installation option reduces the attack surface of the parent partition and,
consequently, reduces the risk of failure. However, using the Server Core
installation option does not prevent failures of the parent partition due to other
reasons, such as hardware failure or unstable drivers.
Drivers
Hyper-V uses a microkernelized hypervisor rather than a monolithic hypervisor.
This means that device drivers are not part of the hypervisor: a microkernelized
hypervisor stays small and uses the drivers that run in the parent partition.
Keeping third-party driver code out of the hypervisor reduces the amount of code
that every virtual machine has to trust, which improves both reliability and
performance. Child partitions use high-performance synthetic drivers (installed as
part of the integration components, and also referred to as enlightenments)
instead of emulated hardware.

Note: Both Virtual PC and Virtual Server use a monolithic design in which the virtual
machine monitor runs inside the host Windows operating system, so the host's kernel
and all of its drivers are in the trust path for every guest.

Synthetic drivers are implemented on the guest operating system by installing
integration components. The integration components are available for Windows
2000 Server, Windows Server 2003, Windows Server 2008, SUSE Linux Enterprise
Server 10, Windows Vista, and Windows XP.

Hyper-V Hardware Requirements


Hyper-V is not capable of running on all computers. The following hardware
requirements must be met:
64-bit x86 processor
Hardware-assisted virtualization, with AMD-Virtualization (AMD-V) or Intel
Virtualization Technology (Intel VT)
Hardware-enabled Data Execution Prevention (DEP), with AMD No Execute
(AMD NX) or Intel Execute Disable (Intel XD)
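The following PowerShell function is an added example (not part of the course text) that reports the prerequisites above that Windows itself can see on a Windows Server 2008 machine before the role is added. WMI on Server 2008 does not expose whether Intel VT or AMD-V is enabled, so that requirement must be confirmed in the firmware setup or with the CPU vendor's detection utility; the script only checks the parts it can, and, once the role is installed, whether the hypervisor is set to load.

```powershell
# Added example, not part of the course text: check the Hyper-V prerequisites
# that WMI and bcdedit can report on Windows Server 2008. Intel VT / AMD-V
# cannot be read from WMI on this version and must be verified in firmware.

function Test-HyperVPrerequisites {
    $cpu = @(Get-WmiObject Win32_Processor)[0]
    $os  = Get-WmiObject Win32_OperatingSystem
    $checks = @(
        @{ Name = '64-bit processor';              Ok = ($cpu.AddressWidth -eq 64) },
        @{ Name = '64-bit Windows Server 2008';    Ok = ($os.OSArchitecture -eq '64-bit') },
        @{ Name = 'Hardware DEP (NX/XD) available'; Ok = ($os.DataExecutionPrevention_Available -eq $true) },
        # SupportPolicy 0 is AlwaysOff; the hypervisor needs hardware DEP enabled
        @{ Name = 'DEP policy not AlwaysOff';      Ok = ($os.DataExecutionPrevention_SupportPolicy -ne 0) }
    )
    foreach ($c in $checks) {
        '{0,-34} {1}' -f $c.Name, $(if ($c.Ok) { 'OK' } else { 'MISSING' })
    }
    # After the role is installed and the server rebooted, the boot entry shows
    # whether the hypervisor is set to load before Windows.
    $launch = bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype'
    if ($launch) { "$launch".Trim() }
    else { 'hypervisorlaunchtype not set (Hyper-V role not installed or not enabled)' }
}

Test-HyperVPrerequisites
```

A MISSING line for DEP is usually a firmware setting rather than a hardware limitation; check the NX/XD option there together with the virtualization extensions.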
Lesson 2
Business Scenarios for Server Virtualization

Server virtualization provides unique benefits for various scenarios. Server
consolidation increases efficiency and reduces hardware maintenance. Test
environments are less costly and more flexible when virtualized. When
virtualization is implemented for production servers, additional options, such as
Quick Migration, are available to increase server uptime.
Objectives
After completing this lesson, you will be able to:
Describe server consolidation.
Describe virtualization for test environments.
Describe using virtualization for business continuity.
Using Virtualization for Server Consolidation

Key Points
Many organizations prefer to host only a single application on a server. This
simplifies management and maintenance. When multiple applications are on a
server, it is possible that an update to one application may cause problems with
another application. Also, sometimes the best way to fix a nonfunctional
application is to restart the server. When multiple applications are on a single
server, the server reboot affects many users, not just the users of the
nonfunctioning application.
When there are many application servers with a single application, in many cases,
the utilization of system resources is very low. The processor utilization of a server
often averages less than 10 percent.
Maintenance of older application servers is also an issue. As hardware becomes
older, it will start to fail. In some cases, the application server may have poor
documentation and may be difficult to re-create. It may be very expensive or
difficult to rebuild the server on new hardware.

Server consolidation is the process of converting physical servers to virtual
machines and then running many virtual machines on just a few virtualization
hosts. This has the following benefits:
More efficient utilization of hardware. You can place multiple virtual
machines on a single host to more fully use resources. For example, instead of
eight physical servers with 10 percent processor utilization, you can have a
single virtualization host with eight virtual machines and 80 percent processor
utilization. Typically, more efficient utilization of hardware results in reduced
hardware costs.
Reduced hardware maintenance. Fewer physical servers reduce the amount
of hardware maintenance that must be performed. Maintenance includes tasks
such as BIOS updates and firmware updates.
Simplified support of older operating systems. It is difficult to find drivers to
run older operating systems on newer hardware. By moving older operating
systems to a virtual environment, you avoid the need to find drivers for new
hardware.
Reduced power utilization. In most cases, a server virtualization project
retires older, inefficient hardware and uses newer, more efficient hardware.
When this is combined with a reduced number of physical servers, the
reduction in power utilization can be substantial.

Using Virtualization for Test Environments

Key Points
It is a best practice to test all changes to a computing environment in a test lab
before implementing them in your live environment. This helps to ensure that
changes do not have unintended consequences. For example, you should test
software updates and configuration changes.
To make testing as reliable as possible, the test lab should closely resemble your
production environment. However, in some cases, this may require many servers.
The cost of creating a test lab with many physical servers is quite high and many
organizations simply do not have the physical space to host a test lab with many
physical servers. In the past, when an organization could not afford a test lab,
testing was not performed, which created a higher risk of problems when changes
were implemented.

The benefits of virtualization for test environments are:
Reduced hardware cost. Virtualization helps you create a test lab by reducing
the physical hardware requirements. With a single virtualization host, you can
run four or more virtual machines. This allows you to replicate complex
environments with the required servers.
Fast reconfiguration. Virtualization allows you to reconfigure a test lab in
minutes instead of hours. In a traditional test lab using only physical servers,
you need to reimage the operating system to switch between test
environments. When virtualization is used, you shut down one set of virtual
machines and start another.

Some limitations of virtualized test environments are:
Limited performance testing. To do performance testing, such as load testing,
the test environment must exactly match the production environment. So,
testing performance on a virtual machine is not relevant unless the production
server is also virtualized and allocated the same resources.
Unable to test hardware related changes. A virtualized environment is
isolated from the physical hardware that it runs on. So, you cannot use a
virtualized environment to test hardware drivers or firmware updates.

Using Virtualization for Business Continuity

Key Points
Virtualization enables several scenarios that increase server availability and
simplify disaster recovery. Most of the benefit is due to the independence of the
virtual machine from the physical hardware of the virtualization hosts. This
independence makes it easy to move a virtualized server from one virtualization
host to another.
Business continuity scenarios include:
Simplified disaster recovery. It is difficult to restore a backup from one
physical server to another physical server with different hardware. A virtual
machine can simply be moved to a new virtualization host and started there
because there are no hardware incompatibilities. If the virtual machine files
are located on a storage area network (SAN), downtime can be only a minute.

Additional backup options. To perform a backup on a physical server, you
run an agent on that server that communicates with a central backup server.
You can also install a backup agent in virtual machines to perform a backup
the same way. However, you also have the option to only perform a backup of
the virtualization host. The backup of the virtualization host includes the
virtual machines. The backup can be performed while the virtual machines are
running.
When Microsoft Data Protection Manager is used to back up a virtualization
host, you can perform almost continuous backups. In this scenario, snapshots
are taken up to every 30 minutes.

For more information about performing backups of virtual machines, see
Protecting Virtualized Environments with System Center Data Protection
Manager 2007 on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=166444&clcid=0x409.

Quick migration. When the clustering feature of Windows Server 2008 is
combined with Hyper-V, you can perform Quick Migration of a virtual
machine from one virtualization host to another. When a quick migration is
performed, the virtual machine is paused while it is moved to another
virtualization host. The outage is very short because the virtual machine files
are stored on a SAN.

Windows Server 2008 R2 supports Live Migration, which allows a
clustered virtual machine to be moved between virtualization hosts
without any downtime. For more information about Live Migration, see
Hyper-V Live Migration Overview & Architecture on the Microsoft Web
site at http://go.microsoft.com/fwlink/?LinkID=166445&clcid=0x409.

Snapshots. When operating system and application updates are performed,
there is always a risk of a problem occurring after the update is complete.
When virtualization is used, you can take a snapshot of the virtual machine
before the update is performed. Then, if there is a problem after the update,
you can revert to the snapshot.

Lesson 3
Overview of System Center Virtual Machine
Manager

Microsoft provides Virtual PC, Virtual Server, and Hyper-V to implement server
virtualization. Each has unique requirements and benefits and is appropriate in
different scenarios.
Objectives
After completing this lesson, you will be able to:
Describe System Center Virtual Machine Manager.
Describe how VMM can be used for server consolidation.
Describe how VMM can be used for provisioning resources.
Describe how VMM can be used to enhance business continuity.
Describe how VMM can be used to optimize performance.

What Is VMM?

Key Points
System Center Virtual Machine Manager (VMM) is a product for managing
multiple virtualization hosts and their virtual machines through a single console. It
is a solution that solves many of the challenges introduced by virtualized
infrastructure.
Intelligent Placement
Choosing an appropriate Hyper-V host for a virtual machine is important to ensure
the good performance of the machine. When adding a new virtual machine to a
host, you need to ensure that the host has sufficient resources available. For
example, there must be sufficient free memory on the host to run the virtual
machine.
Intelligent Placement analyzes the performance characteristics of a server that is
being virtualized and the hosts available to place a virtual machine on. Based on
the analysis, hosts are ranked for you to choose from.

Reporting
Monitoring of a virtualized environment can be difficult. When combined with
System Center Operations Manager, VMM provides reports to help you to monitor
your virtualized environment and identify virtualization candidates.
Not every server is an ideal candidate for virtualization. The best candidates for
virtualization typically have low resource requirements. Low memory utilization
enables many virtual machines to be run on a single Hyper-V host.
P2V Conversion
Moving an existing server to new hardware is never an easy process because new
drivers need to be installed. The move from physical hardware to a virtual machine
is similar. The operating system needs to have new drivers installed to access the
virtual storage and network adapter.
VMM automates the conversion of physical computers into virtual machines
through a process known as physical-to-virtual (P2V) conversion. P2V conversion
can either be online or offline. When online conversion is performed, downtime is
reduced.
Library
With VMM, you can create a library of templates and resources for virtual
machines. This helps you to quickly create virtual machines with the required
configuration.
Self-Service Provisioning
Self-service provisioning in VMM helps you to delegate the ability to create virtual
machines to Active Directory directory service users. You can restrict these users
to control the virtual machines they can create, the hosts that they can create them
on, and the resources that the virtual machines can use.
Multivendor Virtualization Platform Support
VMM is capable of managing not only Hyper-V hosts but also Virtual Server and
VMware ESX hosts. This helps you to centralize the management of virtual
machines in a heterogeneous environment.

Using VMM for Server Consolidation

Key Points
Server consolidation is the process by which multiple physical servers are
virtualized and run as virtual machines on a smaller number of virtualization
hosts. This reduction in physical servers results in higher resource utilization on
the virtualization hosts. Having a lower number of physical servers reduces
hardware costs, power utilization, and data center cooling requirements. When
virtual machines with similar security requirements are consolidated onto a single
host, security can also be increased. For example, computers that must be isolated
on the same network segment can be placed on the same host.
Identification of Virtualization Candidates
Microsoft System Center Operations Manager 2007 (SCOM) can be used to collect
long-term performance data from virtualization candidates. VMM uses the
performance data from SCOM to generate a report on processor, physical memory,
disk usage, and network throughput.

You can also use the Microsoft Assessment and Planning Toolkit (MAP) to evaluate
virtualization candidates. MAP will gather performance data from the virtualization
candidates and provide reports. However, MAP does not integrate directly with
VMM.
P2V Conversions
P2V conversions need to be simple and avoid downtime. VMM provides a wizard
to complete the P2V conversion while the source server is still running. This
process is scriptable for large-scale conversions. The wizard uses Background
Intelligent Transfer Services (BITS) to copy data from the source to the virtual
machine. Drivers for storage, memory, CPU, and network are replaced as part of
the process while preserving settings. To perform an online conversion, the source
computer must be running Windows Server 2008, Windows Vista, Windows
Server 2003 SP1, Windows Server 2003 R2, or Windows XP SP2.
Identification of Appropriate Hosts
Placing virtual machines on hosts with appropriate free resources is important to
ensure the performance of virtual machines. Intelligent Placement uses
performance data and available resources from hosts and the requirements of the
virtual machine to determine the best hosts for placement. When integrated with
SCOM, the actual performance data from the virtual machine is also used.

Using VMM to Provision Resources

Key Points

Note: See the animation What Is Virtualization. Open the file
crse10068ae_01_02_02_ani01.swf from the Animations folder.

Provisioning a physical server can take days or even weeks if new hardware is
required. The time required to provision a physical server includes the time for
gaining approvals for server purchase, ordering the server, and configuring the
server. When VMM is used to create virtual machines, a new virtual machine can
be provisioned in just minutes. The central component in provisioning is the
library.

The library contains resources for building virtual machines. The resources in a
library include virtual disks, International Organization for Standardization (ISO)
files, and templates. The operating system for new virtual machines is stored in the
library, on a virtual disk that has been Sysprepped. A new virtual machine can be
created by using individual library components or a template. Alternatively, an
existing virtual machine can be copied.
Provisioning can be delegated to other users. A delegated administrator uses the
VMM Administrator Console to perform actions within the scope defined by the
administrator. The scope can be limited to specific libraries or hosts. A self-service
user creates and manages virtual machines through the VMM Self-Service Portal.
You can restrict self-service users to creating virtual machines on specific hosts and
limit the actions they can perform on virtual machines. Quotas can be used to limit
the number of virtual machines created or resources used by self-service users. Self-
service users are often configured for test lab or development environments.

Using VMM to Enhance Business Continuity

Key Points
VMM does not provide any new functionality for virtual machines that enhance
business continuity. However, VMM does effectively manage business continuity
features that are provided by the virtualization host.
Clustering
VMM integrates with Windows Server 2008 failover clustering to provide highly
available virtual machines. After a host cluster has been configured, you use the
VMM Administrator Console to designate virtual machines as highly available.
Highly available virtual machines can fail over from one virtualization host in the
cluster to another.

Quick Migration
When virtual machines are configured as highly available, you can perform a quick
migration between hosts in the failover cluster. Quick Migration pauses the virtual
machine and migrates it to another host in just a few seconds. Quick Migration can
be started from within VMM.
You can use Quick Migration to move virtual machines to an alternate host when
performing host maintenance. Moving virtual machines between hosts without
Quick Migration requires restarting the virtual machines.
Live Migration
Live Migration moves the virtual machine from one host to another, without any
downtime. The VMotion feature of VMware hosts provides live migration of virtual
machines and can be triggered within VMM. Live migration support is not
available for Windows Server 2008 Hyper-V hosts or Virtual Server hosts. Support
for live migration is planned for Hyper-V in Windows Server 2008 R2 as a feature
named Live Migration.

Using VMM for Performance and Resource Optimization

Key Points
Ensuring optimal performance for virtual machines is a time-consuming process.
To ensure optimal performance, you must:
Monitor virtual machines and hosts.
Define events that indicate a problem.
Act on events to resolve a problem.

VMM includes Performance and Resource Optimization (PRO) to simplify and
automate this process. PRO uses performance data and events from SCOM to
identify concerns and perform actions based on these concerns. This can be used
to balance resource utilization between hosts or migrate virtual machines to
another host after a minor hardware failure.

When PRO is enabled for hosts and virtual machines, PRO tips are generated.
These tips describe remedial action to be taken. You can define whether the PRO
tips are to be implemented automatically or manually. The rules for generating
PRO tips are contained in the VMM 2008 Management Pack, which is imported
into SCOM. You can customize these rules and create your own.
VMM also includes a reporting feature that helps you monitor virtualization hosts
and virtual machines. One of the most useful reports shows resource utilization
trends over time. This helps you identify hosts that are short on memory or
processor capacity before it becomes a problem. Reporting requires integration
with SCOM.

Lesson 4
Planning Host Resources

Server virtualization uses a hypervisor to allow multiple operating systems to run
concurrently on a single computer. Microsoft provides Virtual PC, Virtual Server,
and Hyper-V to implement server virtualization. Each has unique requirements and
benefits and is appropriate in different scenarios.
Objectives
After completing this lesson, you will be able to:
Describe considerations for planning disk configuration.
Describe considerations for planning network configuration.
Describe considerations for planning memory utilization.
Describe considerations for planning processor utilization.
Describe considerations for planning host clustering.

Considerations for Planning Disk Configuration

Key Points
Hyper-V hosts provide multiple ways by which disks can be accessed by the host
and virtual machines. This provides the flexibility to meet the needs of your
specific deployment.
Most virtual machines are configured using virtual disks. Virtual disks are files with
the .vhd extension that store all of the content in virtual machine disks. Each .vhd
file corresponds to a disk of a virtual machine. The .vhd file can be located on local
storage or a SAN.

Considerations for planning disk configuration include:
Use fixed virtual disks to increase performance. A fixed-size virtual disk is
created as the maximum size of the virtual disk. This prevents fragmentation,
but increases disk utilization.
Use dynamic virtual disks to decrease disk utilization. The main benefit of
dynamic disks is that they only grow up to the size of the data they contain.
However, because they dynamically expand, they can become fragmented and
reduce performance.
Use passthrough disks for volumes larger than 2 terabytes (TB). A
passthrough disk allows a physical disk to be attached directly to a virtual
machine. This avoids the maximum size limit of 2 TB that applies to virtual
disks and increases disk performance. When passthrough disks are used, you
cannot use snapshots or dynamic expansion. You can configure passthrough
disks for a physical disk on the host or a Logical Unit Number (LUN) on a
SAN.
Use a SAN to enable faster migration of virtual machines between hosts. When
a SAN is used to store a virtual disk, you can migrate a virtual machine to a
new host by moving that SAN storage to the new host. Quick Migration and
highly available virtual machines rely on using a SAN for storage. The SAN can
be iSCSI or Fibre Channel.
Understand the input/output (I/O) of all virtual machines. The I/O capacity of
the disk subsystem in a host must be fast enough to support the total I/O of all
virtual machines. RAID 0 provides high speed, but no redundancy. RAID 10
combines high speed with a high level of redundancy.
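The sizing rule in the last item above can be carried through as a calculation. The following is an added example, not code from the courseware: it totals the read and write I/O demand of a set of virtual machines and compares it against what a disk array can deliver after the RAID write penalty. The RAID write penalties used (RAID 0 writes once, RAID 10 writes each block twice because it is mirrored, RAID 5 costs four operations because parity must be read and rewritten) are the standard values and are not stated on the page; the per-VM IOPS figures, host names and array sizes are all constructed.

```python
"""Disk I/O capacity check for a Hyper-V host.

Added example (not from the courseware). The lesson says the host's disk
subsystem must sustain the total I/O of all running virtual machines and
contrasts RAID 0 (speed, no redundancy) with RAID 10 (speed plus redundancy).
The write penalties below are standard RAID figures, not from the page.
All per-VM numbers are constructed.
"""

# Physical disk operations that one logical write costs at each RAID level.
RAID_WRITE_PENALTY = {"RAID0": 1, "RAID10": 2, "RAID5": 4}


def required_iops(vm_iops):
    """Sum of the per-VM demand, returned as (reads, writes)."""
    reads = sum(r for r, _ in vm_iops.values())
    writes = sum(w for _, w in vm_iops.values())
    return reads, writes


def backend_iops_needed(reads, writes, raid_level):
    """Physical operations per second the array must deliver for this load."""
    return reads + writes * RAID_WRITE_PENALTY[raid_level]


def array_raw_iops(disk_count, iops_per_disk):
    """Raw capacity of the spindles before any RAID penalty is applied."""
    return disk_count * iops_per_disk


def fits(vm_iops, raid_level, disk_count, iops_per_disk, headroom=0.7):
    """True when the VMs fit while the array stays under `headroom` of its
    raw capacity, leaving room for bursts and for a RAID rebuild."""
    reads, writes = required_iops(vm_iops)
    needed = backend_iops_needed(reads, writes, raid_level)
    return needed <= array_raw_iops(disk_count, iops_per_disk) * headroom


# Constructed per-VM demand as (read IOPS, write IOPS).
VM_IOPS = {"FILE01": (200, 100), "SQL01": (400, 300), "WEB01": (100, 20)}

if __name__ == "__main__":
    r, w = required_iops(VM_IOPS)
    print(f"virtual machines demand {r} reads/s and {w} writes/s")
    for level in ("RAID0", "RAID10", "RAID5"):
        need = backend_iops_needed(r, w, level)
        ok = fits(VM_IOPS, level, 16, 150)
        print(f"{level}: {need} backend IOPS needed; 16 x 150 IOPS array fits: {ok}")
```

With the constructed figures the same 16-disk array serves the workload on RAID 0 or RAID 10 but not on RAID 5, which is the kind of result that decides the array layout before virtual machines are placed on the host.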

Considerations for Network Configuration

Key Points
Network configuration is critical for virtualized environments, because multiple
virtual machines share the same connectivity. That increases the need for both
speed and reliability. The capacity of the network connectivity for the virtualization
host must exceed the network requirements of all running virtual machines.
Network configuration options include:
VLANs. VLANs are commonly used by organizations to segment network
traffic traveling through their switches. Traffic is often segmented by IP
address for routing, but can also be segmented by other characteristics such as
MAC address range to isolate Voice over IP (VoIP) traffic. The networking
configuration supports the use of VLANs so that virtual machines can be
placed on specific VLANs.

Multiple network adapter cards. If you want to physically separate network
traffic for virtual machines, you can use multiple network adapter cards. You
create an external network for each network adapter card. Then virtual
machines are placed on external networks. This increases the overall network
capacity of the host when both network adapters are connected to the same
network.
Teaming network adapter cards. Teaming of network adapter cards allows
two network cards to act as a single unit. This increases network performance
and availability. Teaming relies on software provided by the network adapter
card manufacturer. If teaming is part of your Hyper-V hosts plan, ensure that
teaming software for your hardware has been released for Hyper-V.
Private networks. Many test environments need to be isolated from the
production network environment due to naming or IP addressing conflicts.
You can use private networks to isolate virtual machines from the production
network. A private network exists only inside a virtualization host and is not
connected to the external network in any way.

Companion CD Content
Network configuration is critical for virtualized environments, because multiple
virtual machines share the same connectivity. That increases the need for both
speed and reliability. The capacity of the network connectivity for the virtualization
host must exceed the network requirements of all running virtual machines.
Network configuration options include:
VLANs. VLANs are commonly used by organizations to segment network
traffic traveling through their switches. Traffic is often segmented by IP
address for routing, but can also be segmented by other characteristics such as
MAC address range to isolate Voice over IP (VoIP) traffic. The networking
configuration supports the use of VLANs so that virtual machines can be
places on specific VLANs.
Multiple network adapter cards. If you want to physically separate network
traffic for virtual machines, you can use multiple network adapter cards. You
create an external network for each network adapter card. Then virtual
machines are placed on external networks. This increases the overall network
capacity of the host when both network adapters are connected to the same
network.
11-36 Planning for Windows Server 2008 Servers

MCT USE ONLY. STUDENT USE PROHIBITED


Teaming network adapter cards. Teaming of network adapter cards allows
two network cards to act as a single unit. This increases network performance
and availability. Teaming relies on software provided by the network adapter
card manufacturer. If teaming is part of your Hyper-V hosts plan, ensure that
teaming software for your hardware has been released for Hyper-V.
Private networks. Many test environments need to be isolated from the
production network environment due to naming or IP addressing conflicts.
You can use private networks to isolate virtual machines from the production
network. A private network exists only inside a virtualization host and is not
connected to the external network in any way.
Planning Virtualization 11-37

MCT USE ONLY. STUDENT USE PROHIBITED


Considerations for Memory Utilization

Key Points
Hyper-V is included only in 64-bit editions of Windows Server 2008. Using a 64-bit
operating system allows each Hyper-V host to support a large amount of memory.
In theory, 64-bit hardware can address 16 exabytes of memory. However, this is
practically limited by server hardware design and the operating system.
Some considerations for memory utilization are:
Determine the total memory allocated to each virtual machine. The memory
required in a virtualization host is the total of the memory allocated to each
virtual machine and memory required by the host operating system.
Each Hyper-V guest supports up to 64 GB of memory. This makes
virtualization possible for application servers with large memory
requirements such as database servers and Microsoft Exchange Server servers.
Turning off a virtual machine reduces memory requirements. When you turn
off or shut down a virtual machine, it no longer uses memory on the host. In
test environments, it is common to shut down one virtual machine in order to
free memory to run another.

Considerations for Processor Utilization

Key Points
The virtual machines placed on a virtualization host all share the physical
processing power of that server. Hyper-V supports the use of multiple processors
and multiple cores per processor. This allows each host to provide a large volume
of processing capacity to the virtual machines.
Do not overload the host. You need to take care that the demands of the
virtual machines are not in excess of what the physical host can provide. If you
place virtual machines with too much demand for processing power on a host,
then application performance in the virtual machines will be reduced.
Consider utilization patterns. When placing virtual machines on hosts, try to
select virtual machines that do not have peak utilization at the same time. For
example, some virtual machines, such as domain controllers, will have their
highest utilization when users arrive in the morning, while other virtual
machines, such as application servers, will have their highest utilization later in
the day as users begin performing their daily tasks.

Use multiple processors and multicore processors in virtualization hosts. You
should implement servers with multiple processors and multicore processors
to increase the scalability of virtualization hosts.
Allocate virtual machines to specific processor cores. To ensure that specific
virtual machines have enough processing power, you can allocate a processor
core specifically to a virtual machine. This gives the virtual machine exclusive
access to that processing capacity. Providing a virtual machine with exclusive
access to processing power ensures that performance of that virtual machine is
not reduced when other virtual machines on that host consume lots of
processing power.
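The memory and processor considerations above (total the memory allocated to every virtual machine plus the host, and judge processor load by when candidates peak rather than by their averages) can be applied as a small sizing check. The following is an added example, not code from the courseware. It generalizes the consolidation arithmetic earlier in the module (eight servers at 10 percent on one host) to candidates with hourly utilization profiles, so that the naive sum of peaks can be compared with the peak the host actually sees when, for instance, a domain controller is busiest at logon time and application servers later in the day. Server names, memory sizes, the 2 GB host reserve and every profile value are constructed.

```python
"""Host sizing check for a set of virtualization candidates.

Added example (not from the courseware). It applies two rules from this
lesson: host memory must cover every running virtual machine plus the host
operating system, and processor demand should be judged on when the
candidates peak, not only on their averages. All names, memory sizes,
the host reserve and the utilization profiles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    memory_gb: int
    # Processor demand for hours 0..23, in physical cores consumed
    # (0.4 means 40 percent of one core).
    cpu_cores_by_hour: tuple


def memory_required_gb(candidates, host_reserve_gb=2):
    """Total host memory: every VM's allocation plus the host OS reserve."""
    return sum(c.memory_gb for c in candidates) + host_reserve_gb


def combined_cpu_profile(candidates):
    """Hour-by-hour sum of processor demand across all candidates."""
    return [sum(c.cpu_cores_by_hour[h] for c in candidates) for h in range(24)]


def cpu_summary(candidates):
    """Return (sum_of_peaks, peak_of_sum, peak_hour).

    sum_of_peaks is the naive estimate (every VM at its busiest at once);
    peak_of_sum is what the host really sees when peaks are staggered.
    """
    profile = combined_cpu_profile(candidates)
    peak_of_sum = max(profile)
    peak_hour = profile.index(peak_of_sum)
    sum_of_peaks = sum(max(c.cpu_cores_by_hour) for c in candidates)
    return sum_of_peaks, peak_of_sum, peak_hour


def host_fits(candidates, host_cores, host_memory_gb, max_cpu_fraction=0.8):
    """True when memory is sufficient and the real peak stays under the cap."""
    _, peak, _ = cpu_summary(candidates)
    return (memory_required_gb(candidates) <= host_memory_gb
            and peak <= host_cores * max_cpu_fraction)


def _profile(base, peak_hours, peak):
    """Constructed helper: flat base load, higher load during peak_hours."""
    return tuple(peak if h in peak_hours else base for h in range(24))


# Constructed candidates: a domain controller busy at logon time and two
# application servers busy in the afternoon.
CANDIDATES = [
    Candidate("DC01", 2, _profile(0.1, {8, 9}, 1.5)),
    Candidate("APP01", 4, _profile(0.2, {13, 14, 15}, 1.2)),
    Candidate("APP02", 4, _profile(0.2, {14, 15, 16}, 1.0)),
]

if __name__ == "__main__":
    naive, actual, hour = cpu_summary(CANDIDATES)
    print(f"memory needed: {memory_required_gb(CANDIDATES)} GB")
    print(f"sum of peaks: {naive:.1f} cores; real peak: {actual:.1f} cores at {hour:02d}:00")
    print("fits a 4-core, 16 GB host:", host_fits(CANDIDATES, 4, 16))
```

The real peak (2.3 cores at 14:00) is well under the naive 3.7 cores, which is exactly why the lesson advises selecting virtual machines whose peaks do not coincide; the 80 percent cap in `host_fits` leaves the headroom the "Do not overload the host" item calls for.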

Considerations for Host Clustering

Key Points
Host clustering creates highly available virtual machines. The virtualization hosts
are part of a failover cluster and each virtual machine is a clustered application. If a
virtualization host fails, the virtual machines from that host are restarted on a
different host. The failover process takes a few minutes because it takes that long
for the operating system to boot up in the restarted virtual machines.
Considerations for host clustering include:
At least two Hyper-V hosts are required. To create a cluster you need at least
two Hyper-V hosts running Windows Server 2008, Enterprise or Datacenter
editions. The Standard edition is not capable of performing clustering. You can
use more hosts to have additional nodes in the cluster and more flexibility for
failover.

Plan failover carefully. When virtual machines fail over from one host to
another, you need to ensure that you are not overloading the host. If you
overload the processor, network, or disk I/O, then virtual machines will have
reduced performance. If the memory is not allocated appropriately, then some
virtual machines may not be able to run.
Hosts must be connected to the same shared storage. The virtual disks for
each virtual machine must be stored on a SAN. When a virtual machine fails
over to a new host, the new host takes control of the shared disk where the
virtual disks are stored and starts the virtual machine.
Each virtual machine has its own LUN. Each virtual machine must have an
independent LUN on the SAN. This allows each virtual machine to fail over
independently. Failover clustering requires exclusive access to a SAN disk for
each host.

Note: Host clustering in Windows Server 2008 R2 supports sharing of LUNs for highly
available virtual machines.
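The "Plan failover carefully" item above is easiest to verify by simulating the loss of each host before it happens. The following is an added example, not code from the courseware: it takes a constructed two-node cluster, removes one host at a time, and tries to restart that host's virtual machines on the survivors first-fit by memory, reporting which virtual machines would have nowhere to run. The placement policy, the 2 GB host reserve and all host and virtual machine figures are assumptions made for the example.

```python
"""Failover capacity check for a Hyper-V host cluster.

Added example (not from the courseware). The lesson warns that a surviving
host must not be overloaded after failover and that virtual machines may be
unable to run if memory has not been allocated appropriately. This removes
each host in turn and restarts its virtual machines on the remaining hosts,
first-fit by memory in listed order. Hosts, VMs and sizes are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    memory_gb: int
    vms: dict = field(default_factory=dict)  # VM name -> allocated GB

    def used_gb(self):
        return sum(self.vms.values())

    def free_gb(self, reserve_gb=2):
        # The host OS keeps its own reserve before VM memory is counted.
        return self.memory_gb - reserve_gb - self.used_gb()


def place(vm_memory_gb, hosts):
    """First-fit: the first host with enough free memory, or None."""
    for host in hosts:
        if host.free_gb() >= vm_memory_gb:
            return host
    return None


def simulate_host_loss(hosts, failed_name):
    """Restart the failed host's VMs on copies of the survivors.

    Returns {"restarted": {vm: host}, "stranded": [vm, ...]} and leaves the
    input cluster untouched.
    """
    survivors = [Host(h.name, h.memory_gb, dict(h.vms))
                 for h in hosts if h.name != failed_name]
    failed = next(h for h in hosts if h.name == failed_name)
    restarted, stranded = {}, []
    for vm, mem in failed.vms.items():
        target = place(mem, survivors)
        if target is None:
            stranded.append(vm)
        else:
            target.vms[vm] = mem
            restarted[vm] = target.name
    return {"restarted": restarted, "stranded": stranded}


def cluster_tolerates_single_failure(hosts):
    """True only when every VM survives the loss of any one host."""
    return all(not simulate_host_loss(hosts, h.name)["stranded"] for h in hosts)


# Constructed two-node cluster of 32 GB hosts (2 GB reserved for each host OS).
CLUSTER = [
    Host("HV01", 32, {"DC01": 2, "SQL01": 16, "WEB01": 4}),
    Host("HV02", 32, {"APP01": 8, "FILE01": 4}),
]

if __name__ == "__main__":
    for h in CLUSTER:
        print(f"lose {h.name}: {simulate_host_loss(CLUSTER, h.name)}")
    print("survives any single host failure:",
          cluster_tolerates_single_failure(CLUSTER))
```

With the constructed sizes, losing either host leaves one virtual machine stranded (WEB01 or FILE01), so the cluster is not really highly available even though every virtual machine runs happily while both hosts are up; raising host memory to 48 GB makes the same check pass, which is the kind of N-1 sizing the lesson asks for.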

Lab: Planning Virtualization

Note: Your instructor may run this lab as a class discussion.

Exercise 1: Creating a Virtualization Plan


Scenario
A. Datum Corporation has an IT management committee that is responsible for
overall technology direction. The committee recently asked you to provide them
with an overview of server virtualization benefits. Several weeks after that
presentation, you are approached by your manager to create a plan for a pilot
project for implementing Hyper-V as a virtualization host in your data center.
Your manager has sent you an e-mail detailing the overall requirements for the
project and a list of servers. You need to create a plan for the pilot project.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Create a plan for a virtualization pilot project.

Supporting Documentation
E-mail thread of correspondence with Allison Brown:
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:22
To: Gregory@adatum.com
Attachments: Servers.doc
Subject: Security Plan for Finance Application
Greg,
Thanks again for taking the lead on this project. I need my most knowledgeable
server person to take care of this for me. I really don't trust anyone else to come up
with the right answers.
The IT management committee likes the idea of beginning to virtualize our servers.
The cost savings and flexibility were very compelling for them.
I need you to come up with a plan for our pilot project. We have a limited budget,
so the pilot will involve only a single host for now, and try to keep the
requirements somewhat modest.
What I need in the plan is:
Which servers will be virtualized?
How will those servers be virtualized?
Why were those servers selected?
Do we need any additional tools besides Hyper-V?
What are the hardware specifications for the server?
Which operating system should be used on the hosts?

I've attached a list of our servers and their specification to get you started.
Regards
Allison

Servers.doc

Name            Purchase date   Processor utilization   Memory utilization   Disk space
ExchangeNode1   July 2007       50%                     3 GB                 120 GB
ExchangeNode2   July 2007       4%                      500 MB               20 GB
FinanceApp      June 2009       20%                     1.5 GB               30 GB
SQLProd         Sept 2006       70%                     2 GB                 80 GB
PServer         Feb 2002        15%                     500 MB               7 GB
File1           Feb 2002        10%                     500 MB               200 GB
PayrollApp      Oct 2005        5%                      500 MB               20 GB
Terminal        June 2006       70%                     1.5 GB               30 GB
SQLTest         Nov 2004        30%                     1 GB                 80 GB
Billing         Mar 2008        20%                     1 GB                 40 GB

Notes:
ExchangeNode1 and ExchangeNode2 are part of a cluster.
PayrollApp is used only twice a month for submitting payroll information to
the bank.
SQLProd is used by applications in production.
SQLTest is used only by technical support staff when testing updates to
applications.
Billing is used each day to perform time tracking and is considered mission
critical.

Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

Task 2: Create a plan for a virtualization pilot project
Which servers will be virtualized?
Why were those servers selected?
How will those servers be virtualized?
Do we need any additional tools besides Hyper-V?
What are the hardware specifications for the server?
Which operating system should be used on the host?

Results: After this exercise, you should have a completed plan for a virtualization pilot
project.

Exercise 2: Implementing Virtualization (Optional)
Scenario
After completing your plan for a virtualization pilot project, you need to install and
configure a Hyper-V host. Then you need to create a virtual machine to test the
functionality of the host.
The main tasks for this exercise are as follows:
1. Configure the computer BIOS for Hyper-V.
2. Install Windows Server 2008 on the host.
3. Install the Hyper-V role update.
4. Install the Hyper-V role.
5. Create a new virtual machine.
6. Install Windows Server 2008 in the virtual machine.

Note: The BIOS configuration steps in this exercise are correct for a Dell Optiplex 755
with an Intel processor. The steps may vary depending on the model of the computer
you are using, BIOS revision, and the processor type. For example, the name of specific
settings may be different or already enabled. Ask your instructor for help if required.

Task 1: Configure the computer BIOS for Hyper-V
1. Enter the computer BIOS setup.
2. Enable support for Hyper-V in the BIOS settings.
Virtualization: On
VT for Direct I/O: On
Trusted Execution: Off
Execute Disable: On
3. Save the changes to the BIOS settings.

Task 2: Install Windows Server 2008 on the host
1. Start your computer by using the Windows Server 2008 installation DVD.

Note: Your instructor will provide the software required to complete this lab. It may
or may not be on a DVD.

2. Install Windows Server 2008 Enterprise edition (x64).


Language: US English
Do not activate automatically online
Version: Windows Server 2008 (Full Installation) x64
Accept the license agreement
Delete any existing partitions
Select Disk 0 for installation
Enter Pa$$w0rd as the password
3. Configure the host name as SEA-HOSTx, where x is a number assigned by
your instructor.

Task 3: Install the Hyper-V role update
1. Log on as Administrator with the password Pa$$w0rd.
2. Copy the Hyper-V update, Windows6.0-KB950050-x64.msu, to the
computer.
3. Run Windows6.0-KB950050-x64.msu.

Task 4: Install the Hyper-V role
1. Log on as Administrator with the password Pa$$w0rd.
2. Use the Server Manager console to install the Hyper-V role.
Network adapter: Local Area Connection

Task 5: Create a new virtual machine
Use the Hyper-V Manager console to create a new virtual machine.
Name: SEA-VMx, where x is a number assigned by your instructor
Memory: 1024
Network: your network card
Virtual hard disk settings: default

Task 6: Install Windows Server 2008 on the virtual machine
1. Start the virtual machine by using the Windows Server 2008 installation DVD.
2. Install the Windows Server 2008 Enterprise edition (x64).
Language: US English
Do not activate automatically online
Version: Windows Server 2008 (Full Installation) x64
Accept the license agreement
Select Disk 0 for installation
Enter Pa$$w0rd as the password
3. Install Hyper-V Integration Services from the Action menu.

Results: After this exercise, you should have successfully implemented a Hyper-V host
and created a virtual machine.

Module Review and Takeaways

Review Questions
1. What is the difference between a microkernelized hypervisor and a monolithic
hypervisor?

2. What are the benefits of using virtualization for server consolidation?

3. How does VMM simplify the provisioning of new servers?

4. Where are the virtual disks stored when a host cluster is implemented?

Common Issues Related to Virtual Machine Performance
Identify the causes for the following common issues related to virtual machine
performance and fill in the troubleshooting tips. For answers, refer to relevant
lessons in the module.

Issue                                 Troubleshooting tip
Insufficient disk performance
Insufficient processing performance
Insufficient network performance

Real-World Issues and Scenarios


1. You are an IT architect at a large insurance provider with seven physical
locations, 12,000 users, and 220 servers. Your organization wants to use server
virtualization to reduce management and hardware costs by combining
existing servers on new hardware. What criteria will you use when you select
servers for consolidation?

2. You are an IT architect at a large insurance provider. You have migrated many
important applications to VMs and want to increase the availability of those
VMs. How can availability of VMs be increased when you use Hyper-V?

3. You are the manager responsible for controlling the process that is used for
testing new application updates and releases at a large insurance provider. In
the past, you have maintained development, test, and production servers for
all applications. This resulted in hundreds of servers being stored in the data
center. How can you use Hyper-V to reduce hardware costs for development
and testing?

Best Practices Related to Selecting Virtualization Candidates
Supplement or modify the following best practices for your own work situations:
Select candidates with low CPU utilization.
Select candidates with low memory utilization.
For initial conversion, select low-impact servers.
Select candidates with older hardware.
Use VMM reporting to locate virtualization candidates.
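As an added PowerShell example that is not part of the course, the script below scores the Servers.doc inventory from the Exercise 1 lab against these best practices and totals what a single pilot host would have to provide for the guests. The server figures are the lab's; the Cluster, Production and Critical flags are read off the notes under that table; the point values and the pilot threshold are assumptions.

```powershell
# Added example (not from the course): rank the Servers.doc inventory against
# the module's best practices for selecting virtualization candidates.
# Server figures are the lab's; Cluster/Production/Critical come from the notes
# under the table; the point values and the pilot threshold are an assumption.
$asOf = Get-Date '2009-08-04'   # date of the planning e-mail in the lab
$servers = @(
    @{ Name='ExchangeNode1'; Bought='2007-07'; CpuPct=50; MemMB=3072; DiskGB=120; Cluster=$true },
    @{ Name='ExchangeNode2'; Bought='2007-07'; CpuPct=4;  MemMB=500;  DiskGB=20;  Cluster=$true },
    @{ Name='FinanceApp';    Bought='2009-06'; CpuPct=20; MemMB=1536; DiskGB=30 },
    @{ Name='SQLProd';       Bought='2006-09'; CpuPct=70; MemMB=2048; DiskGB=80;  Production=$true },
    @{ Name='PServer';       Bought='2002-02'; CpuPct=15; MemMB=500;  DiskGB=7 },
    @{ Name='File1';         Bought='2002-02'; CpuPct=10; MemMB=500;  DiskGB=200 },
    @{ Name='PayrollApp';    Bought='2005-10'; CpuPct=5;  MemMB=500;  DiskGB=20 },
    @{ Name='Terminal';      Bought='2006-06'; CpuPct=70; MemMB=1536; DiskGB=30 },
    @{ Name='SQLTest';       Bought='2004-11'; CpuPct=30; MemMB=1024; DiskGB=80 },
    @{ Name='Billing';       Bought='2008-03'; CpuPct=20; MemMB=1024; DiskGB=40;  Critical=$true }
)

function Get-VirtualizationCandidates {
    param($Servers, [datetime]$AsOf)
    foreach ($s in $Servers) {
        $score = 0; $reasons = @()
        # Low impact: not a cluster node, not in production, not mission critical
        $lowImpact = -not ($s.Cluster -or $s.Production -or $s.Critical)
        if ($s.CpuPct -le 20)     { $score += 2; $reasons += 'low CPU' }
        elseif ($s.CpuPct -le 40) { $score += 1; $reasons += 'moderate CPU' }
        if ($s.MemMB -le 1024)    { $score += 1; $reasons += 'low memory' }
        $ageYears = ($AsOf - [datetime]"$($s.Bought)-01").TotalDays / 365.25
        if ($ageYears -ge 3)      { $score += 1; $reasons += ('{0:N1}-year-old hardware' -f $ageYears) }
        if ($lowImpact)           { $score += 1; $reasons += 'low impact' }
        New-Object PSObject -Property @{
            Name = $s.Name; Score = $score; LowImpact = $lowImpact
            CpuPct = $s.CpuPct; MemMB = $s.MemMB; DiskGB = $s.DiskGB
            Reasons = ($reasons -join ', ')
        }
    }
}

$ranked = Get-VirtualizationCandidates -Servers $servers -AsOf $asOf | Sort-Object Score -Descending
$ranked | Format-Table Name, Score, LowImpact, CpuPct, MemMB, DiskGB, Reasons -AutoSize

# The pilot is a single host, so keep only low-impact servers with a strong
# score (threshold assumed) and add up what that host must provide for them.
$pilot  = @($ranked | Where-Object { $_.LowImpact -and $_.Score -ge 4 })
$memMB  = ($pilot | Measure-Object MemMB  -Sum).Sum
$diskGB = ($pilot | Measure-Object DiskGB -Sum).Sum
$cpuPct = ($pilot | Measure-Object CpuPct -Sum).Sum
'Pilot guests: {0}' -f (($pilot | ForEach-Object { $_.Name }) -join ', ')
'Guests need {0} MB RAM (plus memory for the parent partition) and {1} GB disk; summed CPU utilization {2}%' -f $memMB, $diskGB, $cpuPct
```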

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.

Module 6: Planning File and Print Services
Lab: Planning File and Print Services
Exercise 1: Planning File and Print Services for a Branch Office
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Sales Branch Offices: File and Print Services document with your proposals
Answer the questions in the Sales Branch Offices: File and Print Services
document.

Sales Branch Offices: File and Print Services

Document Reference Number: GW1510/1
Document Author: Gregory Weber
Date: 15 October

Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined
in the Requirements document.

Additional Information
The requirements are summarized as follows:
Deploy server roles to support file and print services.
Create a single UNC name to allow access to all sales shared resources. This single
UNC name should not be a single point of failure.
Provide for a means of synchronizing data between the branch and head office
sales shared folders.
Impose restrictions to prevent creation of executable files in data areas.
Impose a hard limit on the amount of disk space each user can consume in the data
folder.
Deploy printers to client computers quickly and easily.

Proposals
1. What server roles will you need to deploy to the branch servers to satisfy these
requirements?
Answer: File Services and Print Services
2. Will you need to make any changes to the infrastructure at the head office to
support these requirements?
Answer: Certain File Services service roles will need to be available to support
DFS.
3. What folder and shared folder permissions would you recommend for sales
data areas?
Answer: Data folders should be secured with the Modify permission for the
relevant global group, in this case SalesGG. The shared folder can be
configured as Everyone Full Control, because the effective permission for
SalesGG through the share onto the folder is then the NTFS permission, Modify.
4. How will you address the requirement for a single UNC name for all sales
shared resources and avoid a single point of failure?
Answer: By deploying a DFS domain-based namespace and adding folders to
the namespace. Adding additional namespace servers will provide fault
tolerance of the namespace.
5. How will you synchronize the sales data at each location?
Answer: By using DFS-R. A full mesh topology would be suitable.
6. What role or feature enables you to impose a restriction on the types of files
that users can create in designated folders?
Answer: FSRM file screening.
7. What role or feature enables you to impose a restriction on the disk space
users can consume in designated folders?
Answer: FSRM quotas.

8. Provide additional details about the specifics of the process you will use to
provide for the previous two requirements:
Answer: File screen: the Block Executable Files would be an appropriate
template on which to base the file screen.
Quotas: use of the 200 MB Limit Reports to User template is indicated.
9. How do you intend to deploy printers to client computers?
Answer: Creating, sharing, and then deploying with group policy.

Results: After this exercise, you should have a completed Sales Branch Offices: File and
Print Services document.

Exercise 2: Implementing File and Print Services in a Branch Office
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Deploy the required server roles at the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click Add Roles.
5. In the Add Roles Wizard, on the Before You Begin page, click Next.
6. On the Select Server Roles page, in the Roles list, select both the File Services
and Print Services check boxes, and then click Next.
7. On the Print Services page, click Next.
8. On the Select Role Services page, click Next.
9. On the File Services page, click Next.

10. On the Select Role Services page, select the following check boxes, and then
click Next:
a. File Server
b. Distributed File System
c. File Server Resource Manager
11. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
12. On the Configure Storage Usage Monitoring page, click Next.
13. On the Confirm Installation Selections page, click Install.
14. On the Installation Results page, click Close.
15. Close Server Manager.

Task 3: Add additional role services on the SEA-DC1 computer
1. Switch to the SEA-DC1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, click Roles.
4. In the results pane, under Roles Summary, click File Services.
5. In the results pane, click Add Role Services.
6. On the Select Role Services page, select the Distributed File System check
box, and then click Next.
7. On the Create a DFS Namespace page, click Create a namespace later using
the DFS Management snap-in in Server Manager, and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close Server Manager.

Task 4: Create, secure, and share the Sales-data folders
1. Click Start, click Computer, and then double-click Allfiles (D:).
2. Click Organize, and then click New Folder.
3. Type Sales-data, and then press ENTER.
4. Right-click Sales-data, and then click Properties.
5. In the Sales-data Properties dialog box, on the Security tab, click Advanced.
6. In the Advanced Security Settings for Sales-data dialog box, click Edit, clear
the Include inheritable permissions from this object's parent check box,
and then click Copy.
7. In the Advanced Security Settings for Sales-data dialog box, click OK.
8. Click OK again, and in the Sales-data Properties dialog box, click Edit.
9. In the Permissions for Sales-data dialog box, in the Group or user names
list, click Users (ADATUM\Users), and then click Remove.
10. Click Add, and in the Select Users, Computers, or Groups dialog box, in the
Enter the object names to select (examples): box, type SalesGG, click Check
Names, and then click OK.
11. In the Permissions for Sales-data dialog box, in the Permissions for SalesGG
list, select the Allow/Modify check box, and then click OK.
12. In the Sales-data Properties dialog box, click the Sharing tab.
13. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the
Share this folder check box, and then click Permissions.
14. In the Permissions for Sales-data dialog box, select the Allow/Full Control
check box, and then click OK.
15. In the Advanced Sharing dialog box, click OK.
16. In the Sales-data Properties dialog box, click Close.
17. Close Windows Explorer.
18. Switch to the SEA-SVR1 computer.
19. Click Start, click Computer, and then double-click Local Disk (C:).

20. Click Organize, and then click New Folder.
21. Type Sales-data, and then press ENTER.
22. Right-click Sales-data, and then click Properties.
23. In the Sales-data Properties dialog box, on the Security tab, click Advanced.
24. In the Advanced Security Settings for Sales-data dialog box, click Edit, clear
the Include inheritable permissions from this object's parent check box,
and then click Copy.
25. In the Advanced Security Settings for Sales-data dialog box, click OK.
26. Click OK again, and in the Sales-data Properties dialog box, click Edit.
27. In the Permissions for Sales-data dialog box, in the Group or user names
list, click Users (SEA-SVR1\Users), and then click Remove.
28. Click Add, and in the Select Users, Computers, or Groups dialog box, in the
Enter the object names to select (examples): box, type SalesGG, click Check
Names, and then click OK.
29. In the Permissions for Sales-data dialog box, in the Permissions for SalesGG
list, select the Allow/Modify check box, and then click OK.
30. In the Sales-data Properties dialog box, click the Sharing tab.
31. Click Advanced Sharing, and in the Advanced Sharing dialog box, select the
Share this folder check box, and then click Permissions.
32. In the Permissions for Sales-data dialog box, select the Allow/Full Control
check box, and then click OK.
33. In the Advanced Sharing dialog box, click OK.
34. In the Sales-data Properties dialog box, click Close.
35. Close Windows Explorer.
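The branch-server half of Task 4 (and the permission reasoning in Exercise 1, proposal 3) done from the command line, as an added example that is not part of the course: icacls.exe and net.exe apply the same NTFS and share permissions the dialog boxes do. The path, share name and ADATUM\SalesGG group are the lab's; it assumes an elevated PowerShell prompt on SEA-SVR1.

```powershell
# Added example (not from the course): NTFS and share permissions for the
# branch Sales-data folder with built-in tools. Run elevated on SEA-SVR1.
$folder = 'C:\Sales-data'
$group  = 'ADATUM\SalesGG'

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Step 24: stop inheriting from C:\ but keep a copy of the inherited entries
# (the same thing as clearing the inheritance check box and clicking Copy)
icacls $folder /inheritance:d

# Step 27: remove the local Users group entirely (all of its entries)
icacls $folder /remove:g Users

# Step 29: SalesGG gets Modify (M) on the folder, on subfolders (CI) and on
# files (OI), so new content under the folder inherits the same permission
icacls $folder /grant "${group}:(OI)(CI)M"

# Steps 31-34: share it as Sales-data with Everyone Full Control. A SalesGG
# member's effective permission is the more restrictive of share (Full) and
# NTFS (Modify), so Modify; anyone outside SalesGG has no NTFS entry at all.
net share "Sales-data=$folder" '/grant:Everyone,FULL'

# Verify: SalesGG should appear with (OI)(CI)(M) and no Users entry remains;
# the share listing should show Everyone with FULL
icacls $folder
net share Sales-data
```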

Task 5: Configure a DFS namespace
1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click DFS Management.
3. In DFS Management, in the navigation tree, click Namespaces.

4. In the action pane, click New Namespace.
5. In the New Namespace Wizard, on the Namespace Server page, in the Server
box, type SEA-DC1, and then click Next.
6. On the Namespace Name and Settings page, in the Name box, type Sales,
and then click Next.
7. On the Namespace Type page, click Domain-based namespace, and then
click Next.
8. On the Review Settings and Create Namespace page, click Create.
9. On the Confirmation page, click Close.

Task 6: Add a namespace server
1. In DFS Management, in the navigation tree, click Namespaces, and in the
results pane, right-click \\Adatum.com\Sales, and then click Add Namespace
Server.
2. In the Add Namespace Server dialog box, in the Namespace server box, type
SEA-SVR1, and then click OK.
3. In the Warning dialog box, click Yes.
4. In DFS Management, expand Namespaces, click \\Adatum.com\Sales, and
then in the results pane, click the Namespace Servers tab.

Task 7: Add a DFS folder
1. In DFS Management, in the navigation tree, right-click \\Adatum.com\Sales,
and then click New Folder.
2. In the New Folder dialog box, in the Name box, type Corporate Sales Data.
3. Click Add, and in the Add Folder Target dialog box, in the Path to folder
target box, type \\sea-dc1\sales-data, and then click OK.
4. In the New Folder dialog box, click OK.

Task 8: Add a folder target
1. In DFS Management, expand Namespace, expand \\Adatum.com\Sales,
right-click Corporate Sales Data, and then click Add Folder Target.
2. In the New Folder Target dialog box, in the Path to folder target box, type
\\sea-svr1\Sales-data, and then click OK.
3. In the Replication dialog box, click Yes.

Task 9: Create a Replication group
1. In the Replicate Folder Wizard, click Next.
2. On the Replication Eligibility page, click Next.
3. On the Primary Member page, in the Primary member list, click SEA-DC1,
and then click Next.
4. On the Topology Selection page, click Full Mesh, and then click Next.
5. On the Replication Group Schedule and Bandwidth page, click Next.
6. On the Review Settings and Create Replication Group page, click Create.
7. On the Confirmation page, click Close.
8. In the Replication Delay dialog box, click OK.
9. Close DFS Management.

Task 10: Configure quotas on the branch server
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click File Server
Resource Manager.
3. In File Server Resource Manager (Local), expand Quota Management, and
then click Quotas.
4. Right-click Quotas, and then click Create Quota.
5. In the Create Quota dialog box, in the Quota path box, type C:\Sales-data.
6. Click Auto apply template and create quotas on existing and new
subfolders.

7. In the Quota template list, click 200 MB Limit Reports to User.
8. Click Create.

Task 11: Configure a file screen for the branch server
1. In the navigation tree, expand File Screening Management, and then click
File Screens.
2. Right-click File Screens, and then click Create File Screen.
3. In the Create File Screen dialog box, in the File screen path box, type
C:\Sales-data, and in the list, click Block Executable Files. Then click Create.
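Tasks 10 and 11 done with the FSRM command-line tools, as an added example that is not part of the course: dirquota.exe and filescrn.exe are installed with the File Server Resource Manager role service. The path and template names are the lab's; it assumes an elevated prompt on SEA-SVR1.

```powershell
# Added example (not from the course): the branch quota and file screen set
# with the FSRM command-line tools instead of the console. Run elevated.
$path = 'C:\Sales-data'

# Task 10: an auto-apply quota stamps the template on every existing and
# future subfolder of the path (a hard 200 MB limit that e-mails the user)
dirquota autoquota add "/path:$path" '/sourcetemplate:200 MB Limit Reports to User'

# Task 11: an active file screen from the built-in template blocks the
# Executable Files group (*.exe, *.bat, *.cmd and so on); passive would only
# record the attempt and let the file be written
filescrn screen add "/path:$path" '/sourcetemplate:Block Executable Files' /type:active

# Verify what is now in force on the path
dirquota autoquota list "/path:$path"
filescrn screen list "/path:$path"
```

Because the screen matches on file name, it stops the casual copy tested in Task 13 but not a renamed executable; the audit report from Task 13 is what tells you who tried.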

Task 12: Configure FSRM options
1. In the navigation tree, right-click File Server Resource Manager (Local), and
then click Configure Options.
2. Scroll along the tabs, and then click the File Screen Audit tab.
3. Select the Record file screening activity in auditing database check box, and
then click OK.

Task 13: Test the file screen settings
1. Switch to the SEA-CL1 computer.
2. Click Start, right-click Computer, and then click Map Network Drive.
3. In the Map Network Drive dialog box, in the Folder box, type
\\sea-svr1\sales-data, and then click Finish.
4. Click Start, point to All Programs, click Accessories, and then click
Command Prompt.
5. At the command prompt, type the following commands, pressing ENTER after
each one:
a. Z:
b. Copy c:\windows\*.exe
Question: Were you successful?
Answer: No

6. Switch to the SEA-SVR1 computer.
7. In File Server Resource Manager, click Storage Reports and Management.
8. In the action pane, click Generate Reports Now.
9. In the Storage Report Task Properties dialog box, click Add.
10. In the Browse For Folder dialog box, expand Local Disk (C:), click
Sales-data, and then click OK.
11. In the Select reports to generate list, select the File Screening Audit check
box and then click OK.
12. In the Generate Storage Reports dialog box, click OK.
Question: In Internet Explorer, examine the report. Which user attempted to
create executables in the C:\Sales-data folder?
Answer: ADATUM\Joe.
13. Close all open windows.

Task 14: Deploy a shared printer with group policy
1. On SEA-SVR1, click Start, point to Administrative tools, and then click Print
Management.
2. In Print Management, expand Print Server, expand SEA-SVR1(local), and
then click Printers.
3. Right-click Printers, and then click Add Printer.
4. In the Network Printer Installation Wizard, on the Printer Installation page,
click Add a new printer using an existing port, and in the list, click LPT1:
(Printer Port).
5. Click Next, and on the Printer Driver page, click Next.
6. On the Printer Installation page, in the Manufacturer list, click Canon, in the
Printers list, click Canon Inkjet MP700, and then click Next.
7. On the Printer Name and Sharing Settings page, click Next.
8. On the Printer Found page, click Next, and then click Finish.
9. Right-click Canon Inkjet MP700, and then click Deploy with Group Policy.

10. In the Deploy with Group Policy dialog box, click Browse.
11. In the Browse for a Group Policy Object dialog box, click Default Domain
Policy, and then click OK.
12. In the Deploy with Group Policy dialog box, select the The users that this
GPO applies to (per user) check box, click Add, and then click OK.
13. In the Printer Management dialog box, click OK.
14. Click OK to close the Deploy with Group Policy dialog box.

Task 15: Test the printer deployment
1. Switch to the SEA-CL1 computer.
2. At the command prompt, type gpupdate /force, and press ENTER.
3. Log off.
4. Log on to 6430B-SEA-CL1 as ADATUM\Joe with the password Pa$$w0rd.
5. Click Start, click Control Panel, and then click Printer.
Question: Is the Canon printer listed?
Answer: Yes.
6. Close all open windows.

Results: After this exercise, you should have successfully configured file and print
services for the branch office.

To prepare for the next module
1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.

Module 7: Planning Server and Network Security
Lab: Planning Server and Network Security
Exercise 1: Creating a Plan for Server and Network Security
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Create a security plan for the new finance application
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to the new finance application.

Layer: Data
  Risks:       Application data is accessed by unauthorized users.
               Application data is accessed from unauthorized computers.
  Mitigations: Locate the application database on a secure server with limited permissions.
               Use connection security rules in an inbound rule to restrict access to appropriate computers.

Layer: Application
  Risks:       Application is vulnerable to denial of service.
               Application is vulnerable to buffer overflow attacks.
  Mitigations: Apply application patches as they become available.

Layer: Host
  Risks:       Operating system vulnerability results in denial of service.
               Hardware failure results in loss of service.
               Passwords are guessed for a user account with access to data.
  Mitigations: Ensure that operating system updates are applied.
               Ensure that the hardware in the server is redundant.
               Ensure that complex passwords are required.
               Use the Security Configuration Wizard to reduce the attack surface.
               Use NAP to prevent malware.

Layer: Internal network
  Risks:       Data is viewed while in transit.
  Mitigations: Use SSL to encrypt data and authentication.

Layer: Perimeter
  Risks:       Internet users gain access to the application.
  Mitigations: Use firewalls to prevent access to the application server from the Internet.

Layer: Physical security
  Risks:       Server data is accessed by using a boot CD.
               The server is physically damaged by accident.
  Mitigations: Store the server in a secure location where unauthorized staff do not have access.

Layer: Policies, procedures, and awareness
  Risks:       An administrator makes changes to the server without authorization, resulting in a service outage.
  Mitigations: Document all procedures related to the server, such as maintenance windows and configuration.
               Enforce a change management process.
Lab: Planning Server and Network Security L7-71

MCT USE ONLY. STUDENT USE PROHIBITED


f Task 3: Create a plan for preventing malware on the network
Fill in the following table with potential risks and mitigations for each layer of
the Defense-in-Depth model related to preventing malware on the network.

Layer: Data

Layer: Application
  Risks:       Application installations.
               E-mail attachments.
               Application flaws.
               Web pages.
  Mitigations: Allow only administrators to install new applications.
               Implement malware scanning for all incoming e-mail.
               Ensure that applications are updated when updates are released.
               Use SmartScreen Filter in Microsoft Internet Explorer 8.

Layer: Host
  Risks:       Portable storage.
               Operating system flaws.
               Portable computers.
  Mitigations: Prevent the use of portable storage devices for computers.
               Ensure that Windows updates are being applied.
               Use real-time scanning in Windows Defender.
               Use NAP to prevent unhealthy computers from connecting to the network.
               Run antivirus software that can be centrally monitored, with daily updates.

Layer: Internal network
  Risks:       Portable computers.
  Mitigations: Use intrusion detection to monitor for unusual network traffic.

Layer: Perimeter
  Risks:       Web pages.
  Mitigations: Implement malware scanning on a Web proxy.

Layer: Physical security

Layer: Policies, procedures, and awareness
  Risks:       Staff may try to circumvent security policies with portable storage.
  Mitigations: Create an acceptable use policy and ensure that staff are educated about its contents.

Results: After this exercise, you should have a completed security plan for the new
finance application and a plan for preventing malware on the network.

Exercise 2: Implementing Windows Firewall Rules
Task 1: Start the virtual machines and log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-CL1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Create a group for the finance computers
1. On SEA-DC1, click Start, point to Administrative Tools, and click Active
Directory Users and Computers.
2. In the Active Directory Users and Computers window, if necessary, expand
Adatum.com and then click Computers.
3. Right-click Computers, point to New, and then click Group.
4. In the Group name box, type Finance Computers and then click OK.
5. Right-click SEA-CL1 and click Add to a group.
6. In the Enter the object names to select box, type Finance Computers and
then click OK.
7. Click OK to clear the message about successful completion.
8. Close Active Directory Users and Computers.

Task 3: Create a connection security rule for authentication to the finance server
1. On SEA-DC1, click Start, point to Administrative Tools, and click Group
Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand
Domains, and click Adatum.com.
3. Right-click Adatum.com and click Create a GPO in this domain, and Link it
here.
4. In the New GPO window, in the Name box, type Secure Financial
Application and click OK.
5. Right-click Secure Financial Application, and click Edit.
6. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Windows Settings, expand Security
Settings, expand Windows Firewall with Advanced Security, expand
Windows Firewall with Advanced Security, and click Connection Security
Rules.
7. Right-click Connection Security Rules and click New Rule.
8. In the New Connection Security Rule Wizard window, on the Rule Type page,
click Server-to-server, and then click Next.
9. On the Endpoints page, in the Endpoint 1 area, click These IP addresses, and
then click Add.
10. In the IP Address window, in the This IP address or subnet box, type
10.10.0.10, and then click OK.
11. On the Endpoints page, click Next.
12. On the Requirements page, click Request authentication for inbound and
outbound connections, and then click Next.
13. On the Authentication Method page, click Advanced and then click
Customize.
14. In the Customize Advanced Authentication Methods window, in the First
authentication area, click Add, click Computer (Kerberos V5), and click OK.
15. In the Customize Advanced Authentication Methods window, click OK and
then click Next.
16. On the Profile page, click Next.
17. On the Name page, in the Name box, type Enable Authentication and then
click Finish.
18. Close all open windows.

Task 4: Create a firewall rule to restrict access to the finance application
1. On SEA-DC1, click Start, point to Administrative Tools, and click Windows
Firewall with Advanced Security.
2. In the left pane, click Inbound Rules.
3. Right-click Inbound Rules and then click New Rule.
4. In the New Inbound Rule Wizard window, on the Rule Type page, click Port
and then click Next.
5. On the Protocol and Ports page, click TCP.
6. In the Specific local ports box, type 80,443 and then click Next.
7. On the Action page, click Allow the connection if it is secure, select the
Require the connections to be encrypted check box, and then click Next.
8. On the Users and Computers page, select the Only allow connections from
these computers check box and then click Add.
9. In the Enter the object names to select box, type Finance Computers and
then click OK.
10. Click Next to continue.
11. On the Profile page, click Next.
12. On the Name page, in the Name box, type Restrict Access to Finance
Application and then click Finish.
13. Close all open windows.

Task 5: Force Group Policy updates
1. On SEA-DC1, click Start, click Run, type gpupdate, and press ENTER.
2. On SEA-CL1, click Start, click Run, type gpupdate, and press ENTER.
3. Restart SEA-CL1 and log on as Adatum\Administrator with a password of
Pa$$w0rd. The restart is required so that SEA-CL1 obtains a new Kerberos
ticket that includes its Finance Computers group membership; until it does,
the computer-group restriction in the firewall rule will not match the client.

Task 6: Test the application of rules

1. On SEA-CL1, click Start and click Internet.
2. In Internet Explorer, in the address bar, type http://10.10.0.10 and then
press ENTER.
3. Click Start, type Firewall, and then click Windows Firewall with Advanced
Security.
4. Expand Monitoring, expand Security Associations, and then click Main
Mode. Notice that there is a connection between 10.10.0.50 and 10.10.0.10.
5. Close all open windows.

Note: Negotiation of IPsec policies may be slow in the virtualized environment. A wait of
2 or 3 minutes is possible before the negotiation is complete and you are able to access
the Web site at 10.10.0.10.

Results: After this exercise, you should have successfully implemented firewall rules.
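The configuration built through the GUI in Tasks 2 to 6 can also be created and checked from the command line, which is useful when the same rules have to be reproduced on many servers or audited later. The following script is an added example and is not part of the 6430B lab files; it uses the netsh advfirewall context that Windows Server 2008 ships with (the NetSecurity PowerShell cmdlets did not exist yet). It assumes an elevated Windows PowerShell 1.0 prompt on SEA-DC1, the Adatum.com domain, the Finance Computers group from Task 2, and the finance application listening on TCP 80 and 443 at 10.10.0.10. The SDDL string built below is the form the GUI writes for "Only allow connections from these computers".

```powershell
# Added example (not part of the 6430B lab): command-line equivalent of Tasks 3, 4 and 6,
# run from an elevated PowerShell 1.0 prompt on SEA-DC1.
# Assumed: domain Adatum.com, group "Finance Computers" exists, application on 10.10.0.10.

# netsh needs the group as an SDDL string, so look up its SID first (the GUI hides this step).
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=Adatum,DC=com")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=group)(cn=Finance Computers))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Group 'Finance Computers' not found in Adatum.com" }
$sidBytes = $result.Properties["objectsid"][0]
$sid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
$sddl = "D:(A;;CC;;;$sid)"    # Allow ACE with the CC right: "this computer group may connect"

# Task 3 equivalent: REQUEST (not require) Kerberos computer authentication for traffic
# to or from 10.10.0.10. This is a local rule; the lab uses a domain-linked GPO so that
# SEA-CL1 receives the same rule and can answer the negotiation.
netsh advfirewall consec add rule name="Enable Authentication" `
    endpoint1=10.10.0.10 endpoint2=any `
    action=requestinrequestout auth1=computerkerb

# Task 4 equivalent: allow inbound TCP 80/443 only if the connection is IPsec
# authenticated AND encrypted (security=authenc) AND the peer is in Finance Computers.
# This rule, not the request-only connection security rule, is what enforces the restriction.
netsh advfirewall firewall add rule name="Restrict Access to Finance Application" `
    dir=in action=allow protocol=TCP "localport=80,443" `
    security=authenc rmtcomputergrp="$sddl"

# Task 6 equivalent: after gpupdate and the client restart, a main mode SA between
# 10.10.0.50 and 10.10.0.10 should be listed here.
netsh advfirewall monitor show mmsa
```

Two caveats a reviewer of this configuration would raise. First, because the connection security rule only requests authentication, unauthenticated peers are not blocked by it; the firewall rule's "Allow the connection if it is secure" is what denies them on ports 80 and 443, so both rules must exist for the design to hold. Second, the GPO is linked at the domain level, so every domain member (including SEA-DC1 itself) will attempt IPsec negotiation with 10.10.0.10; scoping the GPO to the finance clients and the server is tighter in production.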
Exercise 3: Implementing a VPN Server
Task 1: Install Active Directory Certificate Services
1. On SEA-DC1, click Start and click Server Manager.
2. In the left pane, click Roles and then click Add Roles.
3. Click Next to begin the Add Roles Wizard.
4. Select the Active Directory Certificate Services check box and click Next.
5. Click Next on the Introduction to Active Directory Certificate Services page.
6. Ensure that the Certification Authority check box is selected.
7. Select the Certification Authority Web Enrollment check box, click Add
Required Role Services, and click Next.
8. Ensure that Enterprise is selected, and click Next.
9. Ensure that Root CA is selected, and click Next.
10. Ensure that Create a new private key is selected, and click Next.
11. Click Next to accept the default cryptography settings.
12. Click Next to accept the default CA name of Adatum-SEA-DC1-CA.
13. Click Next to accept the default validity period of 5 years.
14. Click Next to accept the default database and log locations.
15. Click Next on the Web Server (IIS) page.
16. Click Next on the Select Role Services page.
17. Click Install on the Confirm Installation Selections page.
18. After installation is complete, click Close and close Server Manager.

Task 2: Create an SSL certificate

1. On SEA-DC1, click Start, point to Administrative Tools, and click Internet
Information Services (IIS) Manager.
2. In the left pane, click SEA-DC1 (Adatum\Administrator) and double-click
Server Certificates.
3. In the actions pane, click Create Domain Certificate.
4. Enter the following and then click Next:
a. Common name: SEA-DC1.Adatum.com
b. Organization: A. Datum
c. Organizational unit: IT
d. City/locality: Seattle
e. State/province: Washington
f. Country/region: US
5. In the Specify Online Certification Authority box, type Adatum-SEA-DC1-
CA\SEA-DC1.Adatum.com.
6. In the Friendly name box, type WebSSL and click Finish.
7. Close Internet Information Services (IIS) Manager.

Task 3: Configure RRAS

1. On SEA-DC1, click Start, point to Administrative Tools, and click Routing
and Remote Access.
2. Right-click SEA-DC1 (local) and click Configure and Enable Routing and
Remote Access.
3. Click Next to start the Routing And Remote Access Server Setup Wizard.
4. Click Custom configuration and click Next.

Note: A custom configuration is required because this server has only a single network
card. In most cases, you could use the Remote Access (Dial-Up Or VPN) configuration.

5. Select the VPN access check box and click Next.


6. Click Finish.
7. Click Start Service.

Task 4: Create a network policy to allow VPN access
1. On SEA-DC1, click Start, point to Administrative Tools, and click Network
Policy Server.
2. In the left pane, expand Policies and click Network Policies.
3. Right-click Network Policies and click New.
4. In the Policy name box, type Allow Domain Admins, and then click Next.
5. In the Specify Conditions window, click Add.
6. Click Windows Groups and click Add.
7. Click Add Groups, type Domain Admins, and click OK.
8. Click OK, and then click Next.
9. Click Access granted and then click Next.
10. Click Next to accept the default authentication types.
11. Click Next to accept the default constraints.
12. Click Next to accept the default settings.
13. Click Finish and close Network Policy Server.

Task 5: Configure the client with a trusted root certificate

1. On SEA-CL1, click Start and click Internet.
2. In the address bar, type http://SEA-DC1.Adatum.com/certsrv and press
ENTER.
3. Log on as Adatum\Administrator with a password of Pa$$w0rd.
4. Click Download a CA certificate, certificate chain, or CRL.
5. If necessary, click Close to clear the information about the information bar.
6. Click Download CA certificate and click Open.
7. When the Certificate window opens, click Install Certificate.
8. Click Next to start the Certificate Import Wizard.
9. Select Automatically select the certificate store based on the type of
certificate and click Next.
10. Click Finish.
11. Click OK to close the Certificate Import Wizard dialog box.
12. Click OK to close the Certificate window.
13. Close Internet Explorer.
14. Click Start, and in the Start Search box, type mmc, then press ENTER.
15. Click File and click Add/Remove Snap-in.
16. Double-click Certificates, click My user account and click Finish.
17. Double-click Certificates, click Computer account, and click Next.
18. Click Local computer: (the computer this console is running on) and click
Finish.
19. Click OK.
20. In the left pane, expand Certificates - Current User, expand Intermediate
Certification Authorities, and click Certificates.
21. Right-click Adatum-SEA-DC1-CA and click Copy.
22. In the left pane, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
23. Right-click Certificates and click Paste.
24. Close the MMC window.
25. Click No when prompted to save settings.

Task 6: Configure and test an SSTP VPN connection

1. On SEA-CL1, click Start and click Connect To.
2. Click Set up a connection or network.
3. Click Connect to a workplace and click Next.
4. Click Use my Internet connection (VPN).
5. Click I'll set up an Internet connection later.
6. In the Internet address box, type SEA-DC1.Adatum.com.
7. In the Destination name box, type Adatum VPN and then click Next.
8. Click Create without entering a username and password.
9. Click Close.
10. Click Start and click Connect To.
11. Right-click Adatum VPN and click Properties.
12. Click the Networking tab.
13. In the Type of VPN box, select Secure Socket Tunneling Protocol (SSTP)
and then click OK.
14. Click Connect.
15. Log on as Adatum\Administrator with a password of Pa$$w0rd.
16. Click Close to close the Connect To A Network window.
17. Click Start and click Connect To, and verify that the status of the
Adatum VPN connection is Connected.
18. Click Disconnect.
19. Close all open windows.

Note: If you experience an error during your connection attempt, review the
configuration of your SSTP listener by using the instructions from Setting Up
The SSTP Listener And Verifying It in the Routing and Remote Access Blog at
http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstp-listener-
and-verification.aspx. In particular, you must manually remove and replace the certificate
used by SSTP if you want to change it.
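The certificate distribution in Task 5 and the connection test in Task 6 can be done without the browser and the MMC, and the SSTP listener mentioned in the note can be inspected directly. The following script is an added example, not part of the 6430B lab, written for the tools present on Windows Server 2008 and Windows Vista (certutil, rasdial, netsh). It assumes the CA Adatum-SEA-DC1-CA on SEA-DC1.Adatum.com, the WebSSL certificate from Task 2, and the "Adatum VPN" connection created in Task 6; the path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not part of the 6430B lab): command-line form of Tasks 5 and 6 and of
# the SSTP listener check from the note. Run the first two sections on SEA-CL1 as
# ADATUM\Administrator, the last section on SEA-DC1.
# Assumed: CA Adatum-SEA-DC1-CA on SEA-DC1.Adatum.com; connection entry "Adatum VPN".

# --- Task 5 equivalent (on SEA-CL1) ---
# Fetch the CA certificate straight from the CA (no certsrv page needed) and add it to
# the LOCAL COMPUTER Trusted Root store, which is the store SSTP uses to validate the
# server certificate. -f overwrites an existing copy.
$caCert = "$env:TEMP\adatum-ca.cer"
certutil -config "SEA-DC1.Adatum.com\Adatum-SEA-DC1-CA" -ca.cert $caCert
certutil -addstore -f Root $caCert
certutil -store Root | Select-String "Adatum-SEA-DC1-CA"    # confirm it is present

# --- Task 6 equivalent (on SEA-CL1) ---
# Dial, list active connections, then hang up. The password is single-quoted because
# "$$" would otherwise be expanded by PowerShell.
rasdial "Adatum VPN" ADATUM\Administrator 'Pa$$w0rd'
rasdial                           # no arguments: lists the connections that are up
rasdial "Adatum VPN" /disconnect

# --- Listener check (on SEA-DC1) ---
# RRAS registers the SSTP certificate with HTTP.SYS on port 443. The hash shown here
# must be the WebSSL certificate from Task 2; if it is not, or nothing is bound, the
# client fails during TLS before PPP authentication ever starts.
netsh http show sslcert
certutil -store My | Select-String "Subject:", "Cert Hash"
```

When the SSTP connection fails even though the listener looks right, check revocation reachability: the SSTP client validates the server certificate including its CRL distribution point, so that URL has to be reachable from the client. In the lab it is, because the CA and IIS run on SEA-DC1; on an Internet-facing VPN server the CRL has to be published where external clients can fetch it.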
Exercise 4: Implementing NAP with DHCP Enforcement
Task 1: Install Network Policy Server
1. On SEA-DC1, click Start and click Server Manager.
2. In the left pane, expand Roles and then click Network Policy and Access
Services.
3. If necessary, scroll down, and then click Add Role Services.
4. On the Select Role Services page, select the Network Policy Server check
box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. When installation is complete, click Close.
7. Close Server Manager.

Task 2: Configure NPS

1. On SEA-DC1, click Start, point to Administrative Tools, and then click
Network Policy Server.
2. If necessary, in the left pane, click NPS (Local).
3. In the Standard Configuration area, select Network Access Protection
(NAP) and click Configure NAP.
4. In the drop-down list box, select Dynamic Host Configuration Protocol
(DHCP) as the connection method.
5. Accept NAP DHCP as the policy name, and click Next.
6. Click Next to skip the configuration of RADIUS clients. This is not necessary
because DHCP is running on the NPS server.
7. On the Specify DHCP Scopes page, click Next.
8. On the Configure User Group and Machine Groups page, click Next.
9. On the Specify a NAP Remediation Server Group and URL page, click Next.
10. On the Define NAP Health Policy page, ensure that the following are selected,
and then click Next.
a. Windows Security Health Validator
b. Enable auto-remediation of client computers
c. Deny full network access to NAP-ineligible client computers. Allow access
to a restricted network only.
11. Review the settings and click Finish.
12. Expand Policies and click Connection Request Policies. Notice that a NAP
DHCP policy has been created by the wizard.
13. Click Network Policies. Notice that several policies for NAP have been created
by the wizard.
14. Click Health Policies. Notice that two policies for NAP have been created by
the wizard.
15. Close Network Policy Server.

Task 3: Configure DHCP

1. Click Start, point to Administrative Tools, and then click DHCP.
2. Expand SEA-DC1.adatum.com, expand IPv4, and then click Scope
[10.10.0.0] Adatum.
3. Right-click Scope [10.10.0.0] Adatum, and click Properties.
4. Click the Network Access Protection tab, click Enable for this scope, click
Use default Network Access Protection profile, and then click OK.
5. Expand Scope [10.10.0.0] Adatum Scope, click Scope Options, right-click
Scope Options, and click Configure Options.
6. Click the Advanced tab, and in the User class box, select Default Network
Access Protection Class.
7. Select the 006 DNS Servers check box. In the IP Address box, type
10.10.0.10, and then click Add.
8. Select the 015 DNS Domain Name check box. In the String value box, type
restricted.adatum.com, and click OK.
9. Close DHCP.

Task 4: Configure NAP Client by using Group Policy
1. On SEA-DC1, click Start, point to Administrative Tools, and then click Active
Directory Users and Computers.
2. In the left pane, right-click Adatum.com, point to New, and click
Organizational Unit.
3. In the Name box, type NAP Clients, and then click OK.
4. In the left pane, click Computers.
5. Right-click SEA-CL1 and click Move.
6. Click NAP Clients, and click OK.
7. Close Active Directory Users and Computers.
8. Click Start, point to Administrative Tools, and click Group Policy
Management.
9. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, and
then click NAP Clients.
10. Right-click NAP Clients and click Create a GPO in this domain, and Link it
here.
11. In the Name box, type DHCP NAP Client and click OK.
12. Right-click DHCP NAP Client and click Edit.
13. In the left pane, browse to Computer Configuration\Policies\Administrative
Templates\Windows Components\Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled,
and then click OK.
15. Browse to Computer Configuration\Policies\Windows Settings\Security
Settings\System Services and double-click Network Access Protection
Agent.
16. Select the Define this policy setting check box, click Automatic, and click
OK.
17. In the left pane, in Security Settings, expand Network Access Protection,
expand NAP Client Configuration, and then click Enforcement Clients.
18. Right-click DHCP Quarantine Enforcement Client and click Enable.
19. In the left pane, right-click NAP Client Configuration and click Apply.
20. Close the Group Policy Management Editor.
21. Close Group Policy Management.

Task 5: Configure networking on the client

1. Restart SEA-CL1, and log on as Adatum\Administrator with a password of
Pa$$w0rd.
2. Click Start, in the Start Search box, type cmd, and then press ENTER.
3. Type gpupdate and press ENTER.
If an error occurs, wait a few moments and try again. The error is the
result of the authentication negotiation for the connection security rule in
a previous exercise.
To verify connectivity to SEA-DC1, you can use Internet Explorer to access
the http://10.10.0.10 Web site.
4. Close the command prompt.
5. Click Start, right-click Network, and click Properties.
6. Under Tasks, click Manage network connections.
7. Right-click Local Area Connection and click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4) and click the Properties
button.
9. Click Obtain an IP address automatically, click Obtain DNS server address
automatically, and then click OK.
10. Click Close and close all open windows.
Wait a few moments, and in most cases a warning about limited network
access will appear in the system tray. If this warning does not appear after a
few moments, continue with the next step. You will verify that the client
computer is on the restricted network in step 12.
11. Click Start, in the Start Search box, type cmd, and then press ENTER.
12. At the command prompt, type ipconfig /all and press ENTER. Notice that an
IPv4 address has been configured, but the subnet mask is 255.255.255.255
and the Connection-specific DNS suffix is restricted.adatum.com.
13. Close the command prompt.

Task 6: Configure the SHV
1. On SEA-DC1, click Start, point to Administrative Tools, and then click
Network Policy Server.
2. In the left pane, expand Network Access Protection and click System Health
Validators.
3. Right-click Windows Security Health Validator, and click Properties.
4. Click the Configure button.
5. On the Windows Vista tab, deselect all check boxes except A firewall is
enabled for all network connections, and then click OK.
6. Click OK to close the Windows Security Health Validator Properties window.
7. Close Network Policy Server.

Task 7: Test compliance and auto-remediation on the client

1. On SEA-CL1, click Start, type cmd, and press ENTER.
2. Type ipconfig /renew and press ENTER. Notice that SEA-CL1 now has a
default gateway, a subnet mask of 255.255.0.0, and the Connection-specific
DNS suffix is Adatum.com.
3. Close the command prompt.
4. Click Start, and click Control Panel.
5. Click Security, and click Windows Firewall.
6. Click Change settings.
7. Click Off and click OK. Notice that Windows Firewall status is off only briefly
before being turned back on by the NAP client.
8. Close all open windows.
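Tasks 4, 5 and 7 configure the NAP client through Group Policy and then read the result off ipconfig by eye. The following script is an added example, not part of the 6430B lab, that applies the same two client settings locally and turns the "which network am I on" check into something that can be run repeatedly or from a logon script. It assumes an elevated PowerShell 1.0 prompt on SEA-CL1, a single DHCP-enabled adapter, and the lab's restricted suffix restricted.adatum.com; 79617 is the enforcement client ID of the DHCP Quarantine Enforcement Client.

```powershell
# Added example (not part of the 6430B lab): local equivalent of the two NAP client
# settings from Task 4, then a check of the network state after ipconfig /renew.
# Assumed: elevated PowerShell 1.0 on SEA-CL1, one DHCP adapter, suffix restricted.adatum.com.

# Task 4 steps 15-16 equivalent: NAP agent service set to Automatic and started.
sc.exe config napagent start= auto
sc.exe start napagent

# Task 4 step 18 equivalent: enable the DHCP Quarantine Enforcement Client (ID 79617).
# If the DHCP NAP Client GPO also applies, the GPO value wins over this local setting.
netsh nap client set enforcement ID=79617 ADMIN=ENABLE
netsh nap client show state

# Task 5 step 12 / Task 7 step 2 equivalent: renew and classify the lease.
ipconfig /renew | Out-Null
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
       Where-Object { $_.DHCPEnabled } | Select-Object -First 1

function Get-NapNetworkState($cfg) {
    # DHCP enforcement gives a non-compliant client a host-only lease: /32 mask,
    # no default gateway, and the Default NAP class options (restricted suffix).
    if ($cfg.IPSubnet[0] -eq "255.255.255.255" -and $cfg.DNSDomain -eq "restricted.adatum.com") {
        return "restricted"
    }
    # A compliant client gets the normal scope: real mask, gateway, domain suffix.
    if ($cfg.DefaultIPGateway -ne $null -and $cfg.DNSDomain -eq "Adatum.com") {
        return "full"
    }
    return "unknown"
}

"{0}: {1} mask {2} suffix {3}" -f $nic.Description, $nic.IPAddress[0], $nic.IPSubnet[0], $nic.DNSDomain
"NAP network state: " + (Get-NapNetworkState $nic)
```

Keep in mind what DHCP enforcement does and does not give you: the restriction is a lease with a host route and a different DNS suffix, handed out by the DHCP server. A client that sets a static address, as SEA-CL1 had before Task 5 step 9, never asks for a lease and is never restricted. That is why Task 5 switches the client to DHCP first, and why DHCP enforcement is treated as the weakest NAP enforcement method.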

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module 8: Planning Server Administration
Lab: Planning Server
Administration
Exercise 1: Planning for Branch Office Administration
Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Update the Branch Office Delegation document with your proposals
Answer the questions in the Branch Office Delegation document.

Branch Office Delegation

Document Reference Number: GW0511/1

Document Author Gregory Weber


Date 5th November

Requirement Overview
Determine which tasks can be delegated to Joe Healy in Sales.
Specify how this delegation will be achieved.

Additional Information
None

Proposals
1. Which features will you need to install on a recently deployed departmental
server to support administrative delegation?
Answer: Answers will vary, but in order to support the Windows PowerShell
scripts, the server will require Windows PowerShell. Because client computers
are not allowed to host management and administration tools, the local server
must have the Remote Server Administration Tools feature installed.
2. How will you manage the requirement that Joe needs to be able to manage
which GPOs apply to the Sales OU without giving him the ability to edit the
GPO settings?
Answer: Grant the Manage Group Policy links Active Directory permission on
the Sales OU to a group to which Joe belongs. This permission covers only the
gPLink and gPOptions attributes of the OU, so Joe can link and unlink GPOs
but cannot edit their settings.
3. What delegated permissions will you give to Joe in Active Directory?
Answer: Aside from the Manage Group Policy links permission, these
additional permissions are required on the Sales OU in order to administer
Users, Groups, and Computers:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Create and delete computer objects
4. How will you achieve this?
Answer: The Delegate Control wizard will enable you to establish most of
these permissions as common tasks. However, the computer administration
permissions need to be assigned manually, or as custom tasks.
5. Because you are not permitted to grant Joe any delegated permissions
directly, how will you achieve the required delegation?
Answer: Create a global group and add Joe to the group; grant that group
permissions.

Results: After this exercise, you should have a completed Branch Office Delegation
proposal document.
Exercise 2: Delegating Administration to Branch Office
Personnel
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-CL1, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Minimize the Lab Launcher window.

Task 2: Create the necessary security group

1. Switch to the SEA-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In Active Directory Users and Computers, click the Sales organizational unit.
4. Right-click Sales, click New, and then click Group.
5. In the New Object - Group dialog box, in the Group name box, type
Sales-Admins, and then click OK.
6. In the results pane, double-click Sales-Admins.
7. In the Sales-Admins Properties dialog box, click the Members tab, and then
click Add.
8. In the Select Users, Contacts, Computers, or Groups dialog box, in the Enter
the object names to select (examples) box, type Joe, click Check Names, and
then click OK.
9. In the Sales-Admins Properties dialog box, click OK.

Task 3: Delegate control of the Sales organizational unit
1. In the navigation pane, right-click Sales, and then click Delegate Control.
2. In the Delegation of Control Wizard, click Next.
3. On the Users or Groups page, click Add.
4. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select (examples) box, type Sales-admins, click Check
Names, and then click OK.
5. On the Users or Groups page, click Next.
6. On the Tasks to Delegate page, in the Delegate the following common tasks
list, select the following check boxes, and then click Next:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage Group Policy links
7. On the Completing the Delegation of Control Wizard page, click Finish.
8. In Active Directory Users and Computers, click View, and then click
Advanced Features.
9. Right-click Sales, and then click Properties.
10. In the Sales Properties dialog box, click the Security tab, and then click
Advanced.
11. In the Advanced Security Settings for Sales dialog box, click Add.
12. In the Select User, Computer, or Group dialog box, in the Enter the object
name to select (examples) box, type Sales-admins, click Check Names, and
then click OK.
13. In the Permission Entry for Sales dialog box, in the Permissions list, select
the following check boxes, and then click OK:
Create Computer objects/Allow
Delete Computer objects/Allow
14. In the Advanced Security Settings for Sales dialog box, click Add.
15. In the Select User, Computer, or Group dialog box, in the Enter the object
name to select (examples) box, type Sales-admins, click Check Names, and
then click OK.
16. In the Permission Entry for Sales dialog box, in the Apply to list, click
Descendant Computer objects.
17. In the Permissions list, click Full control/Allow, and then click OK.
18. In the Advanced Security Settings for Sales dialog box, click OK.
19. In the Sales Properties dialog box, click OK.
20. Close Active Directory Users and Computers.
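Everything Task 3 does with the Delegation of Control Wizard and the Security tab is a set of ACEs on the Sales OU, and the same ACEs can be written and, more importantly, audited from the command line. The following script is an added example, not part of the 6430B lab, and uses dsacls, which is present on a Windows Server 2008 domain controller. It assumes an elevated PowerShell 1.0 prompt on SEA-DC1, the group ADATUM\Sales-Admins from Task 2, and the OU=Sales,DC=Adatum,DC=com container; the permission sets are the ones the wizard's common tasks map to, listed so that each can be checked against the lab's answer document.

```powershell
# Added example (not part of the 6430B lab): Task 3 expressed as dsacls grants, then a
# read-back of the ACL. Run elevated on SEA-DC1.
# Assumed: OU=Sales,DC=Adatum,DC=com and the group ADATUM\Sales-Admins already exist.
$ou  = "OU=Sales,DC=Adatum,DC=com"
$grp = "ADATUM\Sales-Admins"

# /I:T applies to the OU and everything below it; /I:S applies to descendant objects only.
# Create, delete, and manage user accounts
dsacls $ou /I:T /G "${grp}:CCDC;user"
dsacls $ou /I:S /G "${grp}:GA;;user"
# Reset user passwords and force password change at next logon
dsacls $ou /I:S /G "${grp}:CA;Reset Password;user"
dsacls $ou /I:S /G "${grp}:RPWP;pwdLastSet;user"
# Read all user information
dsacls $ou /I:S /G "${grp}:GR;;user"
# Create, delete, and manage groups; modify the membership of a group
dsacls $ou /I:T /G "${grp}:CCDC;group"
dsacls $ou /I:S /G "${grp}:GA;;group"
dsacls $ou /I:S /G "${grp}:RPWP;member;group"
# Manage Group Policy links: only the two link attributes, not the GPOs themselves
dsacls $ou /I:T /G "${grp}:RPWP;gPLink" "${grp}:RPWP;gPOptions"

# Steps 11-17 equivalent: computer objects are not a wizard common task, so they are
# granted explicitly (create/delete computer objects, full control of descendant computers).
dsacls $ou /I:T /G "${grp}:CCDC;computer"
dsacls $ou /I:S /G "${grp}:GA;;computer"

# Verify: show only the ACEs that name the delegated group.
dsacls $ou | Select-String "Sales-Admins"
```

The read-back at the end is the part worth keeping in a change record: delegation done through the wizard leaves no trace other than the ACL itself, and the same dsacls listing run later is the only way to confirm that nobody has quietly widened the grant, for example from descendant computer objects to the whole OU.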

Task 4: Configure group membership on the SEA-SVR1 server

1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In Server Manager, in the navigation tree, expand Configuration, expand
Local Users and Groups, and then click Groups.
4. In the Groups list, double-click Administrators.
5. In the Administrators Properties dialog box, click Add, and in the Select
Users, Computers, or Groups dialog box, in the Enter the object names to
select (examples) box, type Sales-admins, click Check Names, and then click
OK.
6. In the Administrators Properties dialog box, click OK.

Task 5: Enable remote desktop on SEA-SVR1

1. Click Start, right-click Computer, and then click Properties.
2. In the Tasks list, click Remote settings.
3. In the System Properties dialog box, click Allow connections only from
computers running Remote Desktop with Network Level Authentication
(more secure).
4. In the Remote Desktop dialog box, click OK.
5. In the System Properties dialog box, click Select Users.
6. In the Remote Desktop Users dialog box, click Add.
7. In the Select Users or Groups dialog box, in the Enter the object name to
select (examples) box, type Sales-admins, click Check Names, and then click
OK.
8. In the Remote Desktop Users dialog box, click OK.
9. In the System Properties dialog box, click OK.
10. Close System.

Task 6: Install Windows PowerShell and RSAT on SEA-SVR1

1. Click Start, and then click Server Manager.
2. In Server Manager, in the navigation tree, click Features.
3. In the results pane, under Features Summary, click Add Features.
4. In the Add Features Wizard, on the Select Features page, expand Remote
Server Administration Tools.
5. Expand Role Administration Tools, and then select the Active Directory
Domain Services Tools check box.
6. Select the Windows PowerShell check box, and then click Next.
7. On the Confirm Installation Selections page, click Install, and then when
prompted, click Close, and in the Add Features Wizard dialog box, click Yes.
8. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
9. In the Resume Configuration Wizard, click Close.
10. Close Server Manager.

Task 7: Perform branch administration

1. Switch to the SEA-CL1 computer.

Note: If you are already logged on as Joe, log off and then proceed with the lab.

2. Log on as ADATUM\Joe with the password Pa$$w0rd.


3. Click Start, and in the Start Search box, type mstsc.exe, and then press
ENTER.
4. In the Remote Desktop Connection dialog box, in the Computer list, type
10.10.0.100, and then click Connect.
5. In the Windows Security dialog box, in the User name box, type
adatum\Joe.
6. In the Password box, type Pa$$w0rd, and then click OK.
7. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
8. In the User Account Control dialog box, click Continue.
9. In Active Directory Users and Computers, expand Adatum.com, and then
click the Sales organizational unit.
10. In the results pane, right-click Tom Higginbotham, and then click Delete.
11. In the Active Directory Domain Services dialog box, click Yes.
12. Right-click Sales, click New, and then click Computer.
13. In the New Object - Computer dialog box, in the Computer name box, type
Sales-1 and then click OK.

Task 8: Create and run a Windows PowerShell script

1. Click Start, point to All Programs, click Windows PowerShell 1.0, right-click
Windows PowerShell, and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. At the Windows PowerShell Command Prompt, type notepad user.ps1 and
then press ENTER.
4. In the Notepad dialog box, click Yes.
5. In Notepad, type the following lines of code:

# Bind to the Sales OU and create a new user object in it
$objOU = [ADSI]"LDAP://OU=sales,DC=Adatum,DC=com"
$objUSR = $objOU.Create("User","cn=Tom Higginbotham")
# sAMAccountName is mandatory; the account is created disabled by default (see step 11)
$objUSR.Put("SAMACCOUNTNAME","Tom")
$objUSR.SetInfo()

6. Click File, click Save, and then close Notepad.


7. At the Windows PowerShell Command Prompt, type set-executionpolicy
remotesigned, and then press ENTER.
8. At the Windows PowerShell Command Prompt, type ./user.ps1 and then
press ENTER.
9. Switch to Active Directory Users and Computers.
10. Refresh the view.
11. Right-click Tom Higginbotham, and then click Enable Account.
12. Close all open windows.
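The user.ps1 script creates the account disabled and without a password, which is why step 11 enables it by hand in Active Directory Users and Computers. The following script is an added example, not part of the 6430B lab, that carries the same ADSI approach through to a usable account and verifies the result, so a branch administrator such as Joe can do the whole task from the delegated server. It assumes it is run on SEA-SVR1 as ADATUM\Joe (holding only the rights delegated on the Sales OU), that the user does not already exist, and that the password meets the domain password policy; the function name New-SalesUser is chosen here and is not a lab name.

```powershell
# Added example (not part of the 6430B lab): user.ps1 taken through to an enabled account.
# Assumed: run on SEA-SVR1 as ADATUM\Joe; OU=Sales,DC=Adatum,DC=com; password meets policy.
$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_PASSWD_NOTREQD = 0x0020
$ADS_UF_NORMAL_ACCOUNT = 0x0200

function New-SalesUser($ouPath, $cn, $sam, $password) {
    $ou   = [ADSI]$ouPath
    $user = $ou.Create("User", "cn=$cn")
    $user.Put("sAMAccountName", $sam)
    $user.Put("userPrincipalName", "$sam@Adatum.com")
    $user.SetInfo()                        # object now exists: disabled, password not required

    # Set a password first; enabling before that fails if the domain policy requires one.
    $user.SetPassword($password)
    # NORMAL_ACCOUNT only: this clears both ACCOUNTDISABLE and PASSWD_NOTREQD, the latter
    # being a flag that should never survive on a real user account.
    $user.Put("userAccountControl", $ADS_UF_NORMAL_ACCOUNT)
    $user.Put("pwdLastSet", 0)             # user must change password at next logon
    $user.SetInfo()

    $user.psbase.RefreshCache()            # re-read from the directory, not the local cache
    return $user
}

$u   = New-SalesUser "LDAP://OU=Sales,DC=Adatum,DC=com" "Tom Higginbotham" "Tom" 'Pa$$w0rd'
$uac = [int]$u.Get("userAccountControl")
if (($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0) { throw "Account is still disabled" }
if (($uac -band $ADS_UF_PASSWD_NOTREQD) -ne 0) { throw "Password-not-required flag is still set" }
"Created {0} (sAMAccountName {1}), userAccountControl = {2}" -f "Tom Higginbotham", "Tom", $uac
```

Running this as Joe rather than as Administrator is the real test of Task 3: every call here (create child, write sAMAccountName and userAccountControl, Reset Password, write pwdLastSet) maps to one of the delegated permissions, and a failure on any line points at the missing ACE. One more point about step 7 of the lab: in Windows PowerShell 1.0, set-executionpolicy has only the machine-wide scope, so a member of Sales-Admins, who is a local administrator on SEA-SVR1, is changing the policy for every user of that server, not just for himself.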

To prepare for the next module

1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module 9: Planning and Implementing
Monitoring and Maintenance
Lab: Planning and Implementing
Monitoring and Maintenance
Exercise 1: Evaluating Performance Metrics
Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
5. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 - Part A
You know that the server 6430A-NYC-SVR1 experiences low network traffic and
has limited disk activity, but the help desk is receiving many reports that the server
is slow.
1. Switch to the SEA-SVR1 computer.
2. Click Start, point to Administrative Tools, and then click Reliability and
Performance Monitor.
3. Expand Monitoring Tools, and then click Performance Monitor.
4. In Performance Monitor, click the View Log Data button (CTRL+L).
5. In the Performance Monitor Properties dialog box, on the Source tab, click
Log Files, and then click Add.
6. In the Select Log File dialog box, in the File name box, type
D:\Labfiles\Mod09\Ex1A\EX1A.blg, and then click Open.
7. In the Performance Monitor Properties dialog box, click OK.
8. In Performance Monitor, click Add (CTRL+I).
9. In the Add Counters dialog box, under Available counters, expand
Processor, and then click % Processor Time.
10. Under Instances of selected object, click 0, and then click Add.
11. In the Add Counters dialog box, under Available counters, expand System,
click Processor Queue Length, click Add, and then click OK.
12. View the graph of the CPU usage on 6430A-NYC-SVR1:
a. The maximum value is 100 percent.
b. The average value is 82.58 percent.
13. In Performance Monitor, click Add (CTRL+I).
14. In the Add Counters dialog box, under Available counters, expand Process,
and then click % Processor Time.
15. Under Instances of selected object, select <All Instances>, click Add, and
then click OK.
16. Review the % Processor Time used by each process. It is useful to use the
Highlight button (CTRL+ H) to view each instance. Identify the process that is
consuming the CPU.
Answer: The cpustres process is consuming most of the CPU time.
17. Close Reliability and Performance Monitor.
f Task 3: Identify performance problems with Windows Server 2008 - Part B
You know that the server 6430A-NYC-SVR1 is not running processor-intensive
applications, but the help desk is receiving many reports that the server is slow.
1. Click Start, point to Administrative Tools, and then click Reliability and
Performance Monitor.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. In Performance Monitor, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, in the File name box, type
D:\Labfiles\Mod09\Ex1B\EX1B.blg, and then click Open.
6. In the Performance Monitor Properties dialog box, click OK.
7. In Performance Monitor, click Add (CTRL+I).
8. In the Add Counters dialog box, under Available counters, expand Physical
Disk, and then click Avg. Disk Queue Length.
9. Under Instances of selected object, click 0 C:, and then click Add.
10. Under Available counters, click Current Disk Queue Length.
11. Under Instances of selected object, click 0 C:, and then click Add.
12. Under Available counters, click Disk Transfers/sec.
13. Under Instances of selected object, click 0 C:, and then click Add.
14. Under Available counters, expand Process, and then click IO Data Bytes/sec.
15. Under Instances of selected object, click <All Instances>, click Add, and then
click OK.
16. Review the IO Data Bytes/sec values for each process. It is useful to use the
Highlight button (Ctrl+H) to view each instance. Identify the process that is
consuming the disk transfer capacity.
Answer: The explorer process is consuming the disk resources.
17. Close the Reliability and Performance Monitor.
f Task 4: Identify performance problems with Windows Server 2008 - Part C
You know that the server 6430A-NYC-SVR1 experiences low network traffic and is
not running processor-intensive applications, but the help desk is receiving many
reports that the server is slow.
1. Click Start, point to Administrative Tools, and then click Reliability and
Performance Monitor.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. In Performance Monitor, click View Log Data (CTRL+L).
4. In the Performance Monitor Properties dialog box, on the Source tab, click
Log files, and then click Add.
5. In the Select Log File dialog box, in the File name box, type
D:\Labfiles\Mod09\Ex1C\EX1C.blg, and then click Open.
6. In the Performance Monitor Properties dialog box, click OK.
7. In Performance Monitor, click Add (CTRL+I).
8. In the Add Counters dialog box, under Available counters, expand Process,
and then click Working Set -Private.
9. Under Instances of selected object, click <All Instances>, and then click Add.
10. Under Available counters, expand Paging File, click % Usage, hold down
CTRL, and then click % Usage Peak.
11. Under Instances of selected object, click \??\C:\pagefile.sys, and then click
Add.
12. Under Available counters, expand Memory, click % Committed Bytes In
Use, hold down CTRL and click Available MBytes, Committed Bytes, Page
Faults/sec, Pages/sec, Pool Nonpaged Bytes, Pool Paged Bytes, click Add,
and then click OK.
13. View the graph of the memory and process usage on 6430A-NYC-SVR1.
Review the minimum and maximum values for each process to locate the
problem. (The value for Available Mbytes drops to 4 MB.). Review the
Working Set - Private value for each process. It is useful to use the highlight
button (CTRL+H) to view each instance. Determine which process is
consuming memory.
Answer: The leakyapp processes are consuming memory.
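The same triage for Parts A, B and C from the command line, as an added PowerShell example that is not part of the 6430B lab or its answer key. It converts a Performance Monitor binary log to CSV with relog.exe (present in System32 on Windows Server 2008) and ranks the instances of one counter by their average value, which is how you would confirm the answers above without the GUI, or triage an unknown process on a host you suspect is compromised. It assumes Windows PowerShell 2.0 or later (Windows Server 2008 ships with 1.0); the .blg paths are the lab's and the counter paths are standard PDH paths.

```powershell
# Added example; not part of the 6430B lab or its answer key.
# Requires Windows PowerShell 2.0 or later and relog.exe (System32 on
# Windows Server 2008). Log paths below are the lab's; counter paths are
# standard PDH paths.
function Get-TopCounterInstance {
    param(
        [Parameter(Mandatory = $true)] [string] $LogPath,      # binary .blg log
        [Parameter(Mandatory = $true)] [string] $CounterPath,  # e.g. '\Process(*)\% Processor Time'
        [int] $Top = 5
    )
    $csv = [System.IO.Path]::ChangeExtension($LogPath, 'csv')
    # relog rewrites the binary log as CSV, keeping only counters that match -c;
    # -y answers the overwrite prompt.
    & "$env:SystemRoot\System32\relog.exe" $LogPath -c $CounterPath -f CSV -o $csv -y | Out-Null
    if (-not (Test-Path $csv)) { throw "relog.exe produced no output for $LogPath" }

    $sum = @{}; $count = @{}
    foreach ($row in (Import-Csv $csv)) {
        foreach ($col in $row.PSObject.Properties) {
            # Column 1 is the PDH timestamp; blank cells are samples with no value.
            if ($col.Name -like '(PDH-CSV*') { continue }
            $v = 0.0
            if (-not [double]::TryParse($col.Value, [ref] $v)) { continue }
            $sum[$col.Name]   += $v
            $count[$col.Name] += 1
        }
    }
    $sum.Keys | ForEach-Object {
        # Column names are full counter paths, e.g.
        # \\NYC-SVR1\Process(cpustres)\% Processor Time  ->  cpustres
        $instance = $_ -replace '^\\\\[^\\]+\\[^(]+\(([^)]*)\).*$', '$1'
        New-Object PSObject -Property @{
            Instance = $instance
            Average  = [math]::Round($sum[$_] / $count[$_], 2)
            Samples  = $count[$_]
        }
    } |
        Where-Object { @('_Total', 'Idle') -notcontains $_.Instance } |
        Sort-Object Average -Descending |
        Select-Object -First $Top Instance, Average, Samples
}

# Part A: which process is burning CPU?
Get-TopCounterInstance 'D:\Labfiles\Mod09\Ex1A\EX1A.blg' '\Process(*)\% Processor Time'
# Part B: which process generates the disk I/O?
Get-TopCounterInstance 'D:\Labfiles\Mod09\Ex1B\EX1B.blg' '\Process(*)\IO Data Bytes/sec'
# Part C: which process holds the most private memory?
Get-TopCounterInstance 'D:\Labfiles\Mod09\Ex1C\EX1C.blg' '\Process(*)\Working Set - Private'
```

The three calls should put cpustres, explorer and the leakyapp instances at the top of their respective lists. The _Total and Idle instances are filtered out because they would otherwise dominate every ranking; for Part C you may also want to compare the first and last samples of each instance, since a leak shows as steady growth rather than a high average.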
Exercise 2: Monitoring Performance Metrics
f Task 1: Create a data collector set to measure server requirements
1. In Reliability and Performance Monitor, expand Data Collector Sets, and then
click User Defined.
2. On the Action menu, point to New, and then click Data Collector Set.
3. In the Create new Data Collector Set dialog box, in the Name box, type File-
Server-Monitoring, and then click Next.
4. On the Which template would you like to use? page, ensure that System
Performance is selected, and then click Next.
5. On the Where would you like the data to be saved? page, accept the default
location, and then click Next.
6. On the Create the data collector set? page, click Finish.
7. In Reliability and Performance Monitor, double-click File-Server-Monitoring,
and then double-click Performance Counter. Review the properties and add
any additional objects and counters that are required. In the Performance
Counter Properties dialog box, click OK.
8. Right-click File-Server-Monitoring, and then click Properties.
9. In the File-Server-Monitoring Properties dialog box, on the Stop Condition
tab, in the Overall duration box, type 2, and then click OK.
10. In Reliability and Performance Monitor, right-click File-Server-Monitoring,
and then click Start.
11. In Reliability and Performance Monitor, on the Action menu, click Latest
Report.
12. Review the collected data. (After approximately two minutes, the report should
show the results of the data collector.)
13. Close the Reliability and Performance Monitor.
Exercise 3: Configuring Data Collector Sets
f Task 1: Generate an alert by using a data collector set
Create a user-defined data collector set and configure an alert to trigger when the
CPU reaches a critical state.
1. Click Start, point to All Programs, point to Administrative Tools, and then
click Reliability and Performance Monitor.
2. Select Data Collector Sets, and then double-click User Defined.
3. On the Action menu, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set dialog box, in the Name box, type High-
CPU-Monitoring
5. Click Create manually (Advanced), and then click Next.
6. On the What type of data do you want to include? page, click Performance
Counter Alert, and then click Next.
7. On the Which performance counters would you like to monitor? page, click
Add.
8. Under Available counters, expand Processor, and then click %Processor
Time.
9. Under Instances of selected object, click 0, click Add, and then click OK.
10. On the Which performance counters would you like to monitor? page, in
the Limit box, type 95 and then click Next.
11. On the Create the data collector set? page, click Finish.
12. In Reliability and Performance Monitor, double-click High-CPU-Monitoring,
and then double-click DataCollector01. (You may need to adjust the sample
interval time to trigger the alert.)
13. In the DataCollector01 Properties dialog box, on the Alert Action tab, select
the Log an entry in the application event log check box, and then click OK.
14. Close Reliability and Performance Monitor.
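The command-line equivalent of Exercises 2 and 3, as an added PowerShell example that is not part of the 6430B lab. It uses logman.exe, which ships with Windows Server 2008, to create the same two data collector sets, and additionally chains them so that the CPU alert starts the counter collector: when CPU 0 crosses the threshold you get per-process data for the spike instead of only an event log entry. It assumes C:\PerfLogs as the output folder and an elevated prompt; the event source name used in the final query is the one Event Viewer shows for PLA alerts and should be confirmed in the Application log if the query returns nothing.

```powershell
# Added example; not part of the 6430B lab. Command-line equivalent of
# Exercises 2 and 3 with logman.exe (ships with Windows Server 2008).
# Assumed: C:\PerfLogs as the output folder; run from an elevated prompt.
$ErrorActionPreference = 'Stop'
$out = 'C:\PerfLogs'
if (-not (Test-Path $out)) { New-Item -ItemType Directory -Path $out | Out-Null }

# Exercise 2: counter collector, 5-second samples, stops after two minutes (-rf).
& logman.exe create counter File-Server-Monitoring `
    -c '\Processor(_Total)\% Processor Time' `
       '\System\Processor Queue Length' `
       '\Memory\Available MBytes' `
       '\PhysicalDisk(_Total)\Avg. Disk Queue Length' `
       '\Process(*)\IO Data Bytes/sec' `
    -si 00:00:05 -rf 00:02:00 -f bin -o "$out\File-Server-Monitoring"

# Exercise 3: alert when CPU 0 exceeds 95%, logged to the Application log (-el).
# -rdcs also starts the collector above when the alert trips, so a CPU spike
# (runaway service or cryptominer alike) automatically captures per-process data.
& logman.exe create alert High-CPU-Monitoring `
    -th '\Processor(0)\% Processor Time>95' -si 00:00:05 -el `
    -rdcs File-Server-Monitoring

& logman.exe start High-CPU-Monitoring
& logman.exe query High-CPU-Monitoring

# After generating load (for example with the lab's cpustres tool), read the
# alert events. Source name assumed to be the PLA source Event Viewer shows;
# confirm it in the Application log if nothing is returned.
Get-EventLog -LogName Application -Newest 20 |
    Where-Object { $_.Source -eq 'Microsoft-Windows-Diagnosis-PLA' } |
    Format-List TimeGenerated, EventID, Message

# Clean-up when finished:
#   logman.exe stop High-CPU-Monitoring
#   logman.exe delete High-CPU-Monitoring
#   logman.exe delete File-Server-Monitoring
```

Both sets appear under User Defined in Reliability and Performance Monitor once created, so you can inspect them there exactly as in the GUI steps. Keep the sample interval short (5 seconds here) when testing; with the default of 15 seconds a brief spike can fall between samples and never trip the alert, which is the point of step 12 above.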
Exercise 4: Evaluating Trends
Scenario
In this exercise, you will compare your answers to the previous exercises with the
rest of the class, share your answers with other students, and learn alternative
methods to identify performance issues.
The main task for this exercise is to discuss your solutions with the class.
You should compare the performance counters that have been used and explain
why you have used specific counters to make your decision. You should also
consider other counters that other students have used.

f To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module 10: Planning High Availability and
Disaster Recovery
Lab: Planning High Availability and
Disaster Recovery
Exercise 1: Planning for Branch Office High Availability and
Data Recovery
f Task 1: Read the supporting documentation
Read the supporting documentation.

f Task 2: Update the High Availability for Sales Database document with
your proposals
Answer the questions in the High Availability for Sales Database document.

High Availability for Sales Database

Document Reference Number: GW1602/1

Document Author Gregory Weber


Date 16th February

Requirement Overview
To provide a high-availability solution that ensures that the failure of any single
component will not cause the Sales database to become unavailable.
To ensure that the database is recoverable in the event of multiple disk failures.

Additional Information
All servers are installed with Windows Server 2008 Enterprise Edition.
(continued)

High Availability for Sales Database

Proposals (continued)
1. In the current system, what component(s) is a point of failure?
Answer: The back-end database; the front-end Web servers; the storage that
hosts the database; the supply of power to all systems.
2. For each element, how would you propose to prevent a system failure
resulting from a component failure?
Answer: The back-end database. Implement Failover Clustering; this is
required because the database is stateful, that is, it contains data that
changes, and each client computer's view of the system is different at a point
in time.
The front-end Web servers. Implement Network Load Balancing; the front end
is stateless, and contains no changing data. Client computers are indifferent as
to which Web server they connect through.
The storage that hosts the database. Consider implementing a RAID solution
for the storage that hosts the database.
The supply of power to all systems. An uninterruptible power supply (UPS)
provides some uptime during a power failure, often enough to shut down the
database cleanly and avoid corruption.
3. What Windows Server 2008 role or feature could help provide for each of
these proposals?
Answer: Windows Server 2008 provides the Network Load Balancing and
Failover Clustering features. Although disk fault tolerance can be provided
through the software, it is usually more appropriate to implement a fault-
tolerant array through hardware.
4. After implementing the roles or features proposed, is there any remaining
component that represents a single point of failure?
Answer: Loss or unavailability of a datacenter.
5. Have you any recommendations regarding this component(s)?
Answer: Alan Steiner mentioned that the database is to be replicated among
the branches. This will provide a contingency in the event of link-failure.

Results: After this exercise, you should have a completed High Availability for Sales
Database proposal document.
Exercise 2: Implementing the High Availability and Disaster
Recovery Plan
f Task 1: Start the virtual machines, and then log on
1. On your host machine, click Start, point to All Programs, point to Microsoft
Learning, and then click 6430B. The Lab Launcher starts.
2. In the Lab Launcher, next to 6430B-SEA-DC1, click Launch.
3. In the Lab Launcher, next to 6430B-SEA-SVR1, click Launch.
4. In the Lab Launcher, next to 6430B-SEA-SVR2, click Launch.
5. Log on to 6430B-SEA-DC1 as ADATUM\Administrator with the password
Pa$$w0rd.
6. Log on to 6430B-SEA-SVR1 as ADATUM\Administrator with the password
Pa$$w0rd.
7. Log on to 6430B-SEA-SVR2 as ADATUM\Administrator with the password
Pa$$w0rd.
8. Minimize the Lab Launcher window.

f Task 2: Install NLB on SEA-SVR1


1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Add Features Wizard, select the Network Load Balancing check box,
and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.
f Task 3: Install IIS on SEA-SVR1
1. In Server Manager, in the navigation tree, click Roles.
2. In the results pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. In the Roles list, select the Web Server (IIS) check box. Then in the Add
Roles Wizard dialog box, click Add Required Features, and click Next.
5. On the Web Server (IIS) page, click Next.
6. On the Select Role Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

f Task 4: Create a Web site on SEA-SVR1


1. Click Start, and then click Command Prompt.
2. Type the following commands at the command prompt, and press ENTER
after each command:
Cd\inetpub\wwwroot
Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
Exit

f Task 5: Install NLB on SEA-SVR2


1. Switch to the SEA-SVR2 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Add Features Wizard, select the Network Load Balancing check box,
and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

f Task 6: Install IIS on SEA-SVR2


1. In Server Manager, in the navigation tree, click Roles.
2. In the results pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. In the Roles list, select the Web Server (IIS) check box. Then in the Add
Roles Wizard dialog box, click Add Required Features, and click Next.
5. On the Web Server (IIS) page, click Next.
6. On the Select Role Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, click Close.
9. Close Server Manager.

f Task 7: Create a Web site on SEA-SVR2


1. Click Start, and then click Command Prompt.
2. Type the following commands at the command prompt, and press ENTER
after each command:
Cd\inetpub\wwwroot
Xcopy \\sea-dc1\c$\inetpub\wwwroot\intranet\*.* /s
Exit
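Tasks 2 to 4 and Tasks 5 to 7 are the same procedure on two nodes. The following is an added PowerShell example, not part of the 6430B lab, that performs it unattended on either node and verifies the result. It uses servermanagercmd.exe, the Windows Server 2008 command-line installer for roles and features; the role and feature IDs are the ones servermanagercmd -query lists on that release and the accepted exit codes are its documented non-failure codes, both of which you should confirm on your build before relying on the script. The content share is the lab's. Note that the copy relies on the logged-on ADATUM\Administrator token reaching the domain controller's C$ administrative share; in production, publish web content from a dedicated read-only share rather than an administrative share.

```powershell
# Added example; not part of the 6430B lab. Unattended version of Tasks 2-4
# (SEA-SVR1) and 5-7 (SEA-SVR2); run on each node as ADATUM\Administrator.
# Assumed: role/feature IDs and exit codes as documented for servermanagercmd
# on Windows Server 2008 (confirm with 'servermanagercmd -query'); the
# lab's content share on SEA-DC1.
$ErrorActionPreference = 'Stop'
$source = '\\sea-dc1\c$\inetpub\wwwroot\intranet'
$dest   = "$env:SystemDrive\inetpub\wwwroot"

function Install-Component([string] $Id) {
    # -resultPath writes an XML record of what was installed; keep it as
    # change evidence. servermanagercmd resolves required features itself.
    & "$env:SystemRoot\System32\servermanagercmd.exe" -install $Id -resultPath "$env:TEMP\$Id-install.xml"
    # 0 = success, 1003 = already installed, 3010 = success but restart needed
    if (@(0, 1003, 3010) -notcontains $LASTEXITCODE) {
        throw "servermanagercmd -install $Id failed with exit code $LASTEXITCODE"
    }
}

Install-Component 'NLB'          # Network Load Balancing feature
Install-Component 'Web-Server'   # Web Server (IIS) role plus required features

# Copy the intranet content from the DC. /E includes empty subdirectories,
# /I treats the destination as a folder, /Y suppresses overwrite prompts.
& xcopy.exe "$source\*" $dest /E /I /Y
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }

# Verify: both components report installed, and the local site answers.
& servermanagercmd.exe -query | Select-String '\[NLB\]|\[Web-Server\]'
$html = (New-Object System.Net.WebClient).DownloadString("http://$env:COMPUTERNAME/")
if ($html.Length -eq 0) { throw 'IIS returned an empty page' }
"Site OK: {0} bytes from http://{1}/" -f $html.Length, $env:COMPUTERNAME
```

Run it once on SEA-SVR1 and once on SEA-SVR2 before creating the cluster in Task 8; the final line confirms that each node serves the intranet on its own name, which is what the NLB port rule for TCP 80 will balance.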

f Task 8: Create the NLB cluster


1. Switch to the SEA-DC1 computer.
2. Click Start, and then click Server Manager.
3. In the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Features list, expand Remote Server Administration Tools, expand
Feature Administration Tools, select the Network Load Balancing Tools
check box, and then click Next.
6. Click Install, and then click Close.
7. Close Server Manager.
8. Click Start, point to Administrative Tools, and then click Network Load
Balancing Manager.
9. When the Network Load Balancing Manager window opens, maximize the
window.
10. In the navigation tree, right-click Network Load Balancing Clusters, and then
click New Cluster.
11. In the New Cluster: Connect dialog box, in the Host field, type SEA-SVR1,
and then click Connect.
12. Click Next.
13. Click Next on the Host Parameters page.
14. On the Cluster IP Addresses page, click Add.
15. In the Add IP Address dialog box, in the IPv4 address field, type 10.10.10.10,
and press TAB. Then in the Subnet mask field, type 255.255.0.0.
16. Click OK, and then click Next.
17. On the Cluster Parameters page, in the Full Internet name field, type
webfarm.adatum.com.
18. Click Multicast, and then click Next.
19. On the Port Rules page, click Edit.
20. In the Add/Edit Port Rule dialog box, in the From field, type 80, and in the
To field, type 80.
21. Under Protocols, click TCP.
22. For Affinity, click None.
23. Click OK, and then click Finish.
24. In the console tree, right-click webfarm.adatum.com, and then click Add Host
to Cluster.
25. In the Add Host to Cluster: Connect dialog box, in the Host field, type
SEA-SVR2, and then click Connect.
26. Click Next.
27. On the Host Parameters page, click Next.
28. On the Port Rules page, click Finish.

f Task 9: Configure DNS records


1. Click Start, point to Administrative Tools, and then click DNS.
2. In DNS Manager, expand SEA-DC1, expand Forward Lookup Zones, and then
right-click adatum.com.
3. Click New Host (A or AAAA).
4. In the New Host dialog box, in the Name box, type webfarm.
5. In the IP address box, type 10.10.10.10, and then click Add Host.
6. In the DNS dialog box, click OK.
7. In the New Host dialog box, click Done.
8. Close DNS Manager.

Note: You will test the cluster at the end of the exercise.

f Task 10: Install the Windows Server Backup features


1. Switch to the SEA-SVR1 computer.
2. Click Start, and then click Server Manager
3. In Server Manager, in the navigation tree, click Features.
4. In the results pane, click Add Features.
5. In the Features list, select the Windows Server Backup Features check box,
and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Result page, click Close, and then close Server Manager.

f Task 11: Enable shadow copies


1. Click Start, click Computer, right-click Local Disk (C:), and then click
Configure Shadow Copies.
2. In the Shadow Copies dialog box, click Enable.
3. In the Enable Shadow Copies dialog box, click Yes.
4. In the Shadow Copies dialog box, click Settings.
5. In the Settings dialog box, click Schedule.
6. In the C:\ dialog box, select both the Sat and Sun check boxes, and then click
OK.
7. In the Settings dialog box, click OK.
8. In the Shadow Copies dialog box, click Create Now, and then click OK.

f Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub,
right-click wwwroot, and then click Properties.
2. In the wwwroot Properties dialog box, click the Previous Versions tab.
3. Verify that there are previous versions listed, and then click OK.

f Task 13: Establish groups to secure the backup process


1. Click Start, and then click Server Manager.
2. In Server Manager, expand Configuration, expand Local Users and Groups,
and then click Groups.
3. In the Groups list, double-click Backup Operators.
4. In the Backup Operators Properties dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select (examples) box, type Joe, click Check Names, and
then click OK.
6. In the Backup Operators Properties dialog box, click OK.

Note: Membership of Backup Operators grants the Back up files and directories
and Restore files and directories user rights, which let Joe read and write any
file on the server regardless of its NTFS permissions. Treat the group as an
administrative group: keep its membership minimal and review it regularly.

7. Log off.

f Task 14: Perform a backup of the branch server


1. Log on to 6430B-SEA-SVR1 as ADATUM\Joe with the password Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Windows Server
Backup.
3. In the User Account Control dialog box, in the Password box, type
Pa$$w0rd, and then click OK.
4. In Windows Server Backup (Local), in the actions pane, click Backup Once.
5. In the Backup Once Wizard, on the Backup options page, click Next.
6. On the Select backup configuration page, click Custom, and then click Next.
7. On the Select backup items page, click Next.
8. On the Specify destination type, click Remote shared folder, and then click
Next.
9. On the Specify remote folder page, in the Type the path to the remote
shared folder box, type \\sea-dc1\public, and then click Next.
10. On the Specify advanced option page, click VSS copy backup
(recommended), and then click Next.
11. On the Confirmation page, click Backup.
12. After the backup has started, click Close.
13. Close Windows Server Backup.
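Tasks 13 and 14 from the command line, with the check a practitioner would run afterwards, as an added PowerShell example that is not part of the 6430B lab. It lists who holds the backup and restore privileges on the server, runs the same one-off VSS copy backup with wbadmin.exe (installed with the Windows Server Backup feature), and then shows what the share holds and which shadow copies exist from Task 11. It assumes the lab's share \\sea-dc1\public and that it is run on SEA-SVR1 by an administrator.

```powershell
# Added example; not part of the 6430B lab. Run on SEA-SVR1 as an
# administrator after Task 14. Assumed: the lab's share \\sea-dc1\public.
$ErrorActionPreference = 'Continue'

# Tasks 13-14 hinge on who holds the backup and restore privileges: a member
# of Administrators or Backup Operators can read and write every file on the
# server regardless of NTFS permissions. (As Joe, 'whoami /priv' lists
# SeBackupPrivilege and SeRestorePrivilege.) List those groups' members.
function Get-LocalGroupMember([string] $GroupName) {
    $group = [ADSI] "WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/name).
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}
foreach ($g in 'Administrators', 'Backup Operators') {
    '{0}:' -f $g
    Get-LocalGroupMember $g | ForEach-Object { "  $_" }
}

# Task 14 without the wizard. Omitting -vssFull makes this a VSS copy backup,
# the '(recommended)' option in the wizard, so other applications' backup
# chains are left untouched. -quiet suppresses the confirmation prompt.
& wbadmin.exe start backup -backupTarget:\\sea-dc1\public -include:C: -quiet

# What the share now holds, and the shadow copies enabled in Task 11.
& wbadmin.exe get versions -backupTarget:\\sea-dc1\public
& vssadmin.exe list shadows /for=C:
```

Two things to take from the output. First, the backup lands under \\sea-dc1\public\WindowsImageBackup\SEA-SVR1 and inherits the share's permissions: on a share named public, anyone who can read the share can mount the VHD and read the server's SAM, registry hives and every file on C:. In production, point -backupTarget at a share restricted to the backup account and the people who restore, and consider wbadmin's -noInheritAcl parameter together with -user so the image folder gets its own ACL. Second, Windows Server Backup keeps only the most recent backup on a remote shared folder, so this destination gives you no version history; the shadow copies from Task 11 are what provide that on the server itself.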

f Task 15: Test the NLB cluster


1. Switch to the SEA-DC1 computer.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Microsoft Internet Explorer address bar, type
http://webfarm.adatum.com, and then press ENTER.
The A Datum Intranet appears.
4. Turn off the SEA-SVR1 computer. In the Close box, select Turn off machine
and discard changes. Click OK.
5. On SEA-DC1, in the Internet Explorer address bar, type
http://webfarm.Adatum.com, and then press ENTER.

Note: Even though an NLB Cluster member is unavailable, the Web site is still available.
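A repeatable version of Task 15, as an added PowerShell example that is not part of the 6430B lab: start it on SEA-DC1, shut down SEA-SVR1 while it runs, and compare the success and failure counts rather than relying on a single browser refresh. It assumes the lab's cluster name webfarm.adatum.com and cluster IP 10.10.10.10, and first checks that the name resolves to the cluster address rather than to one node, which would make the test pass for the wrong reason.

```powershell
# Added example; not part of the 6430B lab. Run on SEA-DC1 alongside Task 15:
# start it, shut down SEA-SVR1 while it runs, and compare the counts.
# Assumed: the lab's cluster name webfarm.adatum.com and cluster IP 10.10.10.10.
function Test-WebFarm {
    param(
        [string] $Url = 'http://webfarm.adatum.com/',
        [int] $Requests = 40,
        [int] $DelayMs = 500
    )
    $ok = 0; $failed = 0
    $wc = New-Object System.Net.WebClient
    for ($i = 1; $i -le $Requests; $i++) {
        try {
            [void] $wc.DownloadString($Url)
            $ok++
        } catch {
            $failed++
            Write-Warning ('Request {0}: {1}' -f $i, $_.Exception.Message)
        }
        Start-Sleep -Milliseconds $DelayMs
    }
    New-Object PSObject -Property @{ Succeeded = $ok; Failed = $failed }
}

# The name must resolve to the cluster IP (Task 9), not to an individual node.
$addr = [System.Net.Dns]::GetHostAddresses('webfarm.adatum.com') |
    ForEach-Object { $_.IPAddressToString }
if ($addr -notcontains '10.10.10.10') {
    throw "webfarm.adatum.com resolves to $addr, expected 10.10.10.10"
}

Test-WebFarm
```

Expect a small number of failures in the seconds after SEA-SVR1 goes down, while the remaining host detects the missed heartbeats and the cluster converges; after that every request should succeed. On a cluster node, nlb.exe query shows the converged host list. Do not enable NLB remote control in order to run that query from elsewhere; it is documented as a security risk and the NLB Manager on SEA-DC1 gives you the same view.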

Results: After this exercise, you should have successfully implemented your high-
availability and recovery plan.

f To prepare for the next module


1. For each running virtual machine, close the Virtual Machine Remote Control
(VMRC) window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
Module 11: Planning Virtualization
Lab: Planning Virtualization
Exercise 1: Creating a Virtualization Plan
f Task 1: Read the supporting documentation
Read the supporting documentation.
Determine if you need any more information and ask your instructor to clarify
if required.

f Task 2: Create a plan for a virtualization pilot project

Note: Your answers may vary from the lab answer key in this plan. There are several
acceptable combinations of servers to virtualize. This is only one example.

Which servers will be virtualized?


Answer: The first servers to be virtualized are SQLTest and PServer.
Why were those servers selected?
Answer: Those servers were selected because they have relatively low memory
utilization, older hardware, and relatively low risk. If they were unavailable
for a few hours it would not greatly impact production.
How will those servers be virtualized?
Answer: A physical-to-virtual conversion will be performed to convert the
servers. This is faster and more reliable than just backing up and restoring the
servers.
Do we need any additional tools besides Hyper-V?
Answer: Yes, System Center Virtual Machine Manager is required to perform
the physical-to-virtual migrations. This tool will also be beneficial for
centralized management as our virtualization environment grows.
What are the hardware specifications for the server?
Answer: The requirements for virtualizing these servers are relatively light, but
we should buy sufficient hardware that we can use for additional virtual
machines down the road. I suggest the following specifications:
Dual processor, quad core
24 GB of RAM
6 hot swap SCSI drives, two disks mirrored for the host operating system,
and 3 disks in a RAID 5 array with a hot spare for the virtual machines
Which operating system should be used on the host?
Answer: To run Hyper-V, we need a 64-bit version of Windows Server 2008.
Standard edition supports up to 32 GB of RAM, which is more than adequate
for our needs. Standard edition also supports up to 4 processors, which also
meets our needs.
We already own licenses for the virtual machines we will be creating, so
licensing is not a concern. However, in the long run we may want to consider
Enterprise or Datacenter editions because they include multiple virtualization
licenses.

Results: After this exercise, you should have a completed plan for a virtualization pilot
project.
Exercise 2: Implementing Virtualization (Optional)
f Task 1: Configure the computer BIOS for Hyper-V

Note: The first set of BIOS configuration steps in this exercise are correct for a Dell
Optiplex 755 with an Intel processor. Also included are steps for a HP DC5850 machine.
The steps will vary depending on the model of the computer you are using, BIOS
revision, and the processor type. For example, the name of specific settings may be
different or already enabled. Ask your instructor for help if required.

1. Start your computer.


2. Press F2 to enter the BIOS setup.
3. Use the down arrow key to select Performance, and then press ENTER to
expand Performance.
4. Use the down arrow key to select Virtualization, and then press ENTER.
5. Select On, and then press ENTER.
6. Use the down arrow key to select VT for Direct I/O, and then press ENTER.
7. Select On, and then press ENTER.
8. Use the down arrow key to select Trusted Execution, and then press ENTER.
9. Select Off, and then press ENTER.
10. Use the down arrow key to select Security, and then press ENTER to expand
Security.
11. Use the down arrow key to select Execute Disable, and then press ENTER.
12. Select On, and then press ENTER.
13. Press ESC.
14. Select Save/Exit, and then and press ENTER.
The following BIOS setting steps are based on an HP DC5850.
Configure the computer BIOS for Hyper-V:
1. Start your computer.
2. Press F10 to enter the BIOS setup.
3. Select English, and then press ENTER.
4. Use the right arrow key to select the Security menu, press the down arrow key
to select System Security, and then press ENTER.
5. Press the down arrow key once, and then press the right arrow key once to
enable the Virtualization Technology. Press ENTER.
6. Press F10 to accept the changes.
7. Press the left arrow key to select the File menu.
8. Use the down arrow key to select Save Changes and Exit, and then press
ENTER.

f Task 2: Install Windows Server 2008 on the host


1. Place the Windows Server 2008 DVD in the DVD drive, and then restart your
computer.

Note: You will be provided with the software required to complete the lab installation
from your Instructor. It may or may not be a DVD.

2. To access the boot menu of a Dell Optiplex 755 computer, press F12. Read the
POST screen of your computer to determine the appropriate key for your
computer.
3. Select the DVD-ROM drive, and then press ENTER.
4. If prompted, press a key to start the computer from DVD.
5. To accept the default language as US English, click Next.
6. Click Install now.
7. Clear the Automatically activate Windows when I'm online check box, and
then click Next.
8. To clear the warning, click No.
9. Click Windows Server 2008 Enterprise (Full Installation) x64, select the
I have selected the version of Windows that I purchased check box, and
then click Next.
10. Select the I accept the license terms check box, and then click Next.
11. Click Custom (advanced).
12. Click Drive options (advanced).
13. To delete all existing partitions, click an existing partition.
14. Click Delete.
15. Click OK to confirm.
16. Repeat steps 13-15 to delete all partitions.
17. Click Disk 0, and then click Next.
18. After the computer restarts, click OK.
19. In the New password and Confirm password boxes, type Pa$$w0rd, and
then press ENTER.
20. To clear the password change confirmation message, click OK.
21. In the Initial Configuration Tasks window, click Provide computer name
and domain.
22. In the System Properties window, on the Computer Name tab, click Change.
23. In the Computer name box, type SEA-HOSTx, where x is the number assigned
by your instructor, and then click OK.
24. To close the message about restarting to apply changes, click OK.
25. In the System Properties window, click Close.
26. Click Restart Now.
f Task 3: Install the Hyper-V role update
1. Log on as Administrator with the password Pa$$w0rd.
2. Obtain the Hyper-V update, Windows6.0-KB950050-x64.msu, by going to
http://go.microsoft.com/fwlink/?LinkId=152668.
3. Place the update on the desktop of SEA-HOSTx.
4. To begin installation, double-click Windows6.0-KB950050-x64.msu, and
then click OK.
5. When installation is complete, click Restart Now.

f Task 4: Install the Hyper-V role


1. Log on as Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Server Manager.
3. In the left pane of Server Manager, click Roles.
4. In the right pane of the console, click Add Roles, and then click Next.
5. Select the Hyper-V check box, and then click Next.
6. Read the Introduction to Hyper-V page, and then click Next.
7. Select the Local Area Connection check box, and then click Next.
8. Click Install.
9. When the role installation is complete, click Close.
10. When prompted to restart, click Yes.
11. Log on as Administrator with the password Pa$$w0rd.
12. Wait for the installation of the Hyper-V role to complete, and then click Close.
13. Close Server Manager.
f Task 5: Create a new virtual machine
1. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the left pane of the Hyper-V Manager console, click SEA-HOSTx.
3. In the actions pane, click New, and then click Virtual Machine.
4. On the Before You Begin page, click Next.
5. In the Name box, type SEA-VMx, where x is a number assigned by your
instructor, and then click Next.
6. In the Memory box, type 1024, and then click Next.
7. In the Network list, select your network adapter, and then click Next.
8. To accept the default virtual hard disk settings, click Next.
9. On the Installation Options page, click Next.
10. Click Finish.

f Task 6: Install Windows Server 2008 on the virtual machine


1. Place the Windows Server 2008 installation DVD in your DVD drive.
2. In the Virtual Machines area of the Hyper-V Manager console, right-click
SEA-VMx, and then click Settings.
3. In the Hardware area, click DVD Drive.
4. In the right pane, click Physical CD/DVD drive, and then click OK.
5. In the Virtual Machines area, right-click SEA-VMx, and then click Start.
6. In the Virtual Machines area, right-click SEA-VMx, and then click Connect.
This opens a new window for viewing the SEA-VMx virtual machine.
7. In the SEA-VMx On Localhost Virtual Machine Connection window, click
Next to install using the default language of US English, and then click Install
Now.
8. Clear the Automatically activate Windows when I'm online check box, and
then click Next.
9. To clear the warning, click No.
10. Click Windows Server 2008 Enterprise (Full Installation) x64, select the
I have selected the version of Windows that I purchased check box, and
then click Next.
11. Select the I accept the license terms check box, and then click Next.
12. Click Custom (advanced).
13. Click Disk 0 Unallocated Space, and then click Next.
14. After the computer restarts, click OK.
15. In the New password and Confirm password boxes, type Pa$$w0rd, and
then press ENTER.
16. To clear the password change confirmation message, click OK.
17. In the SEA-VMx On Localhost Virtual Machine Connection window, click
Action, and then click Insert Integration Services Setup Disk.
18. In the Autoplay window, click Install Hyper-V Integration Services.
19. To upgrade or repair the installation, click OK.
20. To restart, click Yes.

Results: After this exercise, you should have successfully implemented a Hyper-V host
and created a virtual machine.
