6430B
Planning for Windows Server
2008 Servers
Volume 2
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, BitLocker, Excel, Forefront,
Hyper-V, Internet Explorer, MS, MSDN, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight,
SQ Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows Live, Windows Media,
Windows NT, Windows PowerShell, Windows Server and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Released: 11/2009
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
updates,
supplements,
Internet-based services, and
support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using
Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
becomes publicly known through no wrongful act;
you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
Evaluation Software may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use
You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
You will include the Academic Materials original copyright notice, or a copyright notice to
Microsoft's benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else's use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft's prior written approval;
work around any technical limitations in the Licensed Content;
reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
publish the Licensed Content for others to copy;
transfer the Licensed Content, in whole or in part, to a third party;
access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
rent, lease or lend the Licensed Content; or
use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as NFR or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as
Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.
Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French. (The French clauses are rendered here in English.)
DISCLAIMER OF WARRANTY. The Licensed Content is provided "as is". Any use of this Licensed
Content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted
by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You may obtain from Microsoft and its
suppliers compensation for direct damages only, up to US $5.00. You may not claim any compensation
for other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the Licensed Content, services or content (including code) on third-party
Internet sites or in third-party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or other fault,
to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damages.
If your country does not allow the exclusion or limitation of liability for indirect, incidental
or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. This agreement does not change the rights conferred on you by the laws of
your country if those laws do not permit it to do so.
Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners
for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning
experience, whether you're a professional looking to advance your skills or a
student preparing for a career in IT.
We wish you a great learning experience and ongoing success in your career!
Sincerely,
Microsoft Learning
www.microsoft.com/learning
Planning for Windows Server 2008 Servers xiii
Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Contents
Volume 1
Module 1: Planning Windows Server 2008 Deployment
Lesson 1: Overview of Change Management 1-3
Lesson 2: Planning a Single-Server Installation 1-23
Lesson 3: Performing a Single-Server Installation 1-38
Lesson 4: Automating Windows Server Deployment 1-49
Lab: Planning Windows Server 2008 Deployment 1-60
Volume 2
Module 6: Planning File and Print Services
Lesson 1: Planning and Deploying the File Services Role 6-3
Lesson 2: Managing Storage 6-24
Lesson 3: Planning and Implementing the Distributed File System 6-44
Lesson 4: Planning and Implementing Shared Printing 6-56
Lab: Planning File and Print Services 6-66
In the earliest days of networking, server computers were little more than simple
files or printer sharing devices. The term file-server evolved to describe the
departmental computer to which all users connected to access their files. Over the
years, servers have evolved and provide many additional services, such as e-mail
systems, databases, and other collaborative applications; however, the need to
share files and printers is still one of the most common reasons for organizations
to implement server computers.
Objectives
After completing this module, you will be able to:
Plan and deploy the Windows Server 2008 File Services role.
Manage storage effectively.
Implement an appropriate Distributed File System infrastructure.
Implement shared printing.
Planning File and Print Services 6-3
The File Services role provides the basic features that enable you to create shared
folders and make them available in a number of ways throughout your
organization.
Objectives
After completing this lesson, you will be able to:
Describe the function of each of the File Services role services.
Implement shared folders.
Manage access to shared folders.
Describe the considerations for File Services role.
Deploy the File Services role.
Key Points
Windows Server 2008 implements role-based deployments that enable you to
select the specific services that you want to deploy. This targeted deployment
extends to the elements that make up a role. The File Services role is comprised of
a series of separate functionalities, each of which provides a different feature set;
these functionalities are known as Role Services. The following table describes each
of the File Services Role Services.
File Server: Installs the Share and Storage Management snap-in. This tool enables you to more easily manage shared folders and volumes.

Distributed File System: The Distributed File System (DFS) enables you to consolidate a complex and distributed file share structure into a more navigable and manageable entity. There are two separate elements: DFS Namespaces and DFS Replication. You do not need to install them both. DFS Namespaces provides the primary functionality of DFS; that is, it enables the consolidated shared environment that users navigate and access. DFS Replication provides the multimaster replication engine that ensures target folders that are part of a namespace are synchronized.

File Server Resource Manager: The File Server Resource Manager (FSRM) is a suite of tools that enable you to configure and manage storage quotas and file screens, and to generate storage reports.

Services for Network File System: UNIX and compatible operating systems have different folder sharing requirements from Windows-based client computers. Services for Network File System (NFS) provide the necessary services for UNIX client computers to be able to share files stored on a Windows Server 2008 server.

Windows Search Service: Windows Search Service is a new indexing solution that aims to speed up file searches of the more common areas of the Windows Server file system. It replaces the Indexing Service that was provided with earlier versions of Windows Server. Although Windows Server 2008 provides the Windows Server 2003 Indexing Service, you cannot install both this service and the Windows Search Service together on the same server. Use the Indexing Service only when you have a specific legacy application that requires it.
Note: The Select Role Services wizard prevents you from selecting both components.
Windows Server 2003 File Services: Consists of two separate components: the File Replication Service (FRS), and the Indexing Service. The FRS provides for file-level synchronization between file servers that are not implementing DFS. DFS Replication offers many benefits over FRS, so unless you need FRS for a legacy application, or to support integration with earlier versions of Windows Server, consider using DFS instead.
Note: By default, the SYSVOL folder is replicated by using FRS. You can reconfigure your domain controllers to use DFS Replication to replicate SYSVOL provided that your domain is in Windows Server 2008 functional mode.
When you decide to deploy the File Services role, you can select only the specific
role services that you need.
Key Points
Note: Public folder sharing does not provide for granular control over permissions to
shared resources.
Basic Sharing
Basic folder sharing enables you to share a folder quickly and easily by right-
clicking the folder, and clicking Share. Although Windows creates the share name
automatically, you must define the permissions manually. The following table lists
the four simple share permissions that you can assign in this way.
Contributor (Modify, Read and Execute, List Folder Contents, Read, Write): This permission allows a user or group full read and write access, but they may not change permissions or ownership.

Owner (All: Full Control, Modify, Read and Execute, List Folder Contents, Read, Write): The user who creates the share receives this permission. A share has only one owner, and this permission type grants full control of the share and its contents.

Co-owner (All: Full Control, Modify, Read and Execute, List Folder Contents, Read, Write): The share owner can grant additional users Co-owner permission, which entitles them to the same permissions level as the Owner.
To use Advanced Sharing, right-click the folder that you want to share, click
Properties, click the Sharing tab, and then click Advanced Sharing.
There are only four different levels of shared folder permissions: full control,
change, read, and access denied. The following table summarizes the advanced
share permissions available.
Permission Description
Key Points
To ensure the proper protection for your files when you share them, it is important
that you understand file-system security. NTFS file system permissions enable you
to define the access level that users have to files on the network or locally at your
Windows Server 2008 computer. You grant permissions on a file or folder for a
named user or group. An Access Control List (ACL) stores these permissions, and
controls what the user or group can do to the file or folder. The Local Security
Authority (LSA) enforces these permissions each time a user accesses the file or
folder.
Read and Execute: Enables user to read files and start programs.
Full Control: Gives complete control of the folder, its contents, and permissions.
Read and Execute: Enables user to see folder contents and start programs.
List Folder Contents: Provides no permission over files in folder, but enables user to see them.
Permissions Inheritance
You can apply NTFS file system permissions at the file or the folder level. If you
apply permissions at the folder level, files and subfolders within the folder inherit
those permissions. If you set permissions at the file level, they apply only to that
file.
By grouping files together in folders, and assigning permissions to that folder, you
can manage permissions more efficiently. Consider an example. Alice Ciccu is in
charge of administering the Transport department files to which all other transport
users require read and write access. By setting the permissions on the Transport
Data folder so that user Alice Ciccu has Full Control permission and the Transport
group has Modify permission, inheritance will ensure that Alice and the Transport
group will receive the appropriate permissions in all the subfolders and files.
Combined Permissions
When allowing access to network resources on an NTFS volume, you should use
the most restrictive NTFS file system permissions to control access to folders and
files, and use the most restrictive shared folder permissions to control network
access.
When you create a shared folder on a partition that is formatted with the NTFS file
system, both the shared folder permissions and the NTFS file system permissions
combine to secure file resources. NTFS file system permissions apply whether
users access the resource locally or over a network.
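The combination rule above, as an added worked model that is not the course's code or any Windows API: NTFS entries are inherited down a folder tree, any deny overrides an allow, and for network access the share level is intersected with the NTFS result so the more restrictive set wins. The Archive subfolder, its deny entry and the users Bob and Carol are constructed additions to the Transport Data example.

```python
"""Simplified model of how NTFS permissions and share permissions combine.

Constructed example (not from the course). Simplifications: every deny entry
overrides every allow entry, and only folder- and file-level allow/deny
entries are modelled (no explicit-before-inherited ordering)."""
from dataclasses import dataclass, field

# Atomic rights that the basic NTFS permissions bundle together.
READ = frozenset({"read_data", "read_attributes", "read_permissions"})
WRITE = frozenset({"write_data", "append_data", "write_attributes"})
EXECUTE = frozenset({"execute"})
DELETE = frozenset({"delete"})
OWNER = frozenset({"change_permissions", "take_ownership", "delete_subtree"})

NTFS_BASIC = {
    "Read": READ,
    "Write": WRITE,
    "Read and Execute": READ | EXECUTE,
    "List Folder Contents": READ | EXECUTE,  # folder-only variant
    "Modify": READ | WRITE | EXECUTE | DELETE,
    "Full Control": READ | WRITE | EXECUTE | DELETE | OWNER,
}

# The three advanced share levels expressed in the same atomic rights.
SHARE_LEVEL = {
    "Read": NTFS_BASIC["Read and Execute"],
    "Change": NTFS_BASIC["Modify"],
    "Full Control": NTFS_BASIC["Full Control"],
}


@dataclass
class Ace:
    principal: str   # user or group name
    permission: str  # key of NTFS_BASIC
    allow: bool = True


@dataclass
class Node:
    name: str
    acl: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child


def effective_ntfs(root, path, principal, groups):
    """Rights on `path` (names below root) for a user and their groups.

    Entries on every ancestor folder are inherited by the object; entries on
    the object itself are added to them; denied rights are then removed."""
    identities = {principal, *groups}
    nodes = [root]
    for name in path:
        nodes.append(nodes[-1].children[name])
    allowed, denied = set(), set()
    for node in nodes:
        for ace in node.acl:
            if ace.principal in identities:
                target = allowed if ace.allow else denied
                target.update(NTFS_BASIC[ace.permission])
    return frozenset(allowed - denied)


def effective_network(share_level, ntfs_rights):
    """Over the network the more restrictive of share and NTFS applies."""
    return ntfs_rights & SHARE_LEVEL[share_level]


def describe(rights):
    """Name the most generous basic permission fully covered by `rights`."""
    for name in ("Full Control", "Modify", "Read and Execute", "Read", "Write"):
        if NTFS_BASIC[name] <= rights:
            return name
    return "None"


def build_transport_share():
    """The course's Transport Data folder plus a constructed read-only log."""
    root = Node("Transport Data", acl=[
        Ace("Alice Ciccu", "Full Control"),
        Ace("Transport", "Modify"),
    ])
    archive = root.add(Node("Archive"))
    # Constructed: an explicit deny on one file removes the inherited write.
    archive.add(Node("2007-log.txt", acl=[Ace("Transport", "Write", allow=False)]))
    return root
```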
Best Practice
Use the following guidance to help establish and maintain your NTFS file and
folder permissions.
Avoid using the Everyone group. If you enable a guest user account on your
computer, the Everyone group includes anyone. Therefore, you should remove
the Everyone group from any permission lists, and replace it with the
Authenticated Users group.
Group files into a hierarchy. This enables you to more easily rely on folder
inheritance when configuring permissions.
Note: Be aware that if you grant your users Full Control of their home folders, it is
possible that they can remove administrator permissions; you can easily recover your
permissions, should you need to, but some administrators take the view that even on
home folders, users should only ever be assigned Modify permissions.
Key Points
Encrypting File System (EFS) is a system for encrypting data files that is included
as part of Windows 2000, Windows XP, Windows Server 2003, Windows Vista,
and Windows Server 2008. EFS generates a unique symmetrical encryption key to
encrypt each file and folder. The symmetrical key is stored in the file header.
Comparing EFS to NTFS permissions:
NTFS controls access to files and folders but these settings can be modified by
someone who did not create them if they have an appropriate set of
credentials.
EFS controls access to file contents regardless of the permissions that are set
on the file or folder; the contents can be accessed only by the person who
encrypted them (or another allowed user), even if somebody has gained physical
access to the computer. It is only possible to use EFS to encrypt files when
they are stored on an NTFS formatted volume.
Note: EFS files can be shared with individual users, but not groups because there is no
mechanism to assign a certificate to a group.
Note: When the password of a local user is reset by an administrator, Windows is unable
to read the private key stored in the user's profile. The key must be recovered from a
backup or a recovery agent must be used to recover the files.
You should also consider the use of smart cards and storing keys on these cards as
part of your EFS strategy. This will require a user to insert the smart card to access
encrypted files and would add an additional layer of security.
Question: Why would EFS be used to encrypt data in addition to using NTFS
permissions?
Key Points
When encrypting data, you should be aware that, if the EFS keys are lost and there
are no recovery agents or key archival process in place, the EFS keys are not
recoverable, i.e. you also lose access to the data. There is no other solution
available to access data if keys are lost. Therefore a large part of planning for using
the EFS feature is to ensure that you can recover files in the event that keys are lost.
To allow for the recovery of encrypted files if keys are lost, EFS uses Data Recovery
Agents (DRAs). The DRA has the ability to access and open any encrypted file. As
such it is a powerful facility and must be strictly controlled. You can use Group
Policy to specify one or more user accounts as Data Recovery Agents. By default the
Administrator account is designated as the data recovery agent in the Default
Domain group policy object.
Recovery Keys are special purpose certificates that are then used by the Data
Recovery Agents to decrypt the data when keys are lost. When an account is
designated as a recovery agent, a recovery certificate or key is then created for the
specified DRA account. You should back up the recovery keys assigned to a DRA by
exporting them to external storage and keeping them in a safe place.
Note: Users are able to open encrypted files after their certificate expires. This allows the
user to open the files and update the existing keys with new keys. However, new files
cannot be encrypted by using keys from an expired certificate.
Key Points
When planning for File Services, there are several key considerations that you must
keep in mind.
Performance
File-servers are by their nature fairly disk-intensive devices. Consequently, the two
critical performance-related resources in your file server are the physical disk and
the physical memory.
Remember that a Windows-based computer that has insufficient physical memory
uses the paging file to manage applications' memory needs, while a computer with
more physical memory than is currently required is more favorably disposed
toward the Windows cache manager's request for memory resources.
By adding memory to your file-server, you reduce paging and also ensure there is
plenty of memory for file-caching. In addition, use high-performance disk
subsystem components to help to optimize the file retrieval and storage processes.
Key Points
Deploy the File Services role.
Create a folder and share it.
Secure the folder.
Question: What other methods can you use for configuring a shared folder and
securing it?
High-level steps:
1. Deploy the file services role at the SEA-SVR1 server.
2. Create and share the transport-data folder.
3. Secure the permissions on the transport-data folder.
Key Points
Capacity Management
Capacity management is the process of planning, analyzing, sizing, and optimizing
methods that aim to satisfy an organization's increase in data storage demands. As
the data that you need to store and access increases, so does your need for capacity
management.
To enable you to meet the storage capacity requirements of your organization,
consider the following points:
Keep track of how much storage capacity is available.
Determine how much storage space you need for future expansion.
Knowing how the company is currently using storage makes planning for future
storage requirements much more predictable. You can determine who is using data
and what they are storing. Without policies and controls in place, users may often
use storage for noncompliant uses.
After you analyze how storage is being used, resource management policies
become much easier to define. These policies determine the efficient and proper
use of available storage capacity, and having these policies in place allows for more
predictability when planning for future capacity. These policies should reflect the
company's needs, and any external compliance requirements. Policies might also
vary within a company. For example, some departments may require more storage
than others, and some departments may want to store files in specific ways.
Situations may occur in which a newly defined policy does not suit the needs of a
particular group of users. In these situations, it may be necessary to implement
policies that attempt to slow storage growth, and realign the group's operating
procedures with the organization.
The final step after analyzing and defining policies is to implement the policies.
Tools such as FSRM perform the tasks necessary for analyzing storage usage,
planning storage policies, and implementing the policies.
Solution: Data and Media Migration
Explanation: Allows data movement from different media types
Windows-based tool or application: File Server Migration Tool (FSMT)
Key Points
FSRM is a complete set of tools that allows administrators to address the following
key file-server management challenges:
Capacity management. Monitors usage patterns and utilization levels. FSRM
addresses the challenge of analyzing how storage is being used in the
enterprise environment.
Policy management. Restricts which files are stored on the server. This
addresses the challenge of verifying that the stored and managed data is of an
appropriate nature, without requiring manual intervention. It also can prevent
accidental policy breaches if users inadvertently try to store noncompliant
files.
Function Description
Create quotas to limit the space allowed for a volume or folder: Allows you to set the maximum amount of space allotted to a user. It also allows the administrator to be notified if the quota is exceeded.
Create file screens: Enables file filtering based on file extensions. Common file categories can be grouped together to create file groups.
Define quota and file screening templates: Allows you to customize and implement a detailed company storage policy.
Generate scheduled or on-demand storage reports: Allows you to create reports on a regular basis for review, or create reports on demand, which allows you to quickly generate a report for immediate consumption.
Key Points
You use Quota management to create quotas that limit the space allowed for a
volume or folder, and to generate notifications when quota limits are approached
or exceeded. FSRM provides quota templates that you can apply easily to new
volumes or folders and that you can use across an organization. You also can auto-
apply quota templates to all existing folders in a volume or folder, as well as to any
new subfolders created in the future.
In FSRM, you can create quotas that limit the space allowed for a volume or folder,
and then generate notifications when the quota limits are approached or exceeded.
By creating a quota for a volume or folder, you limit the disk space that is allocated
for it. The quota limit applies to the entire folder subtree.
Notification Thresholds
To determine what happens as users approach the quota limit, you can configure
notification thresholds. For each threshold that you define, you can:
Send e-mail notifications.
Log an event.
Run a command or script.
Generate storage reports.
For example, when a folder reaches 85 percent of its quota limit, you might want
to notify the user who saved the file and their administrator, and then send another
notification when the quota limit is reached. In some cases, you might then want to
run a script that raises the quota limit automatically when a threshold is reached.
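The threshold behaviour described above, as an added worked model that is not the course's code or FSRM itself: a hard quota on a folder subtree, an 85 percent threshold that notifies, and a 100 percent threshold that notifies and runs a command raising the limit. The folder path, file sizes and the 20 percent increase in raise_limit are constructed values.

```python
"""Model of an FSRM-style quota with notification thresholds.

Constructed example (not from the course). A quota covers a folder subtree;
each threshold fires once when usage first reaches it and can send mail,
log an event, run a command (a callable here) or request a storage report."""
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class Threshold:
    percent: int
    email: bool = False
    event: bool = False
    command: object = None   # callable(quota) -> str, e.g. a limit-raising script
    report: bool = False
    fired: bool = field(default=False, init=False)


@dataclass
class Quota:
    path: str                 # folder the quota applies to (whole subtree)
    limit: int                # bytes
    hard: bool = True         # hard quota rejects writes that exceed the limit
    thresholds: list = field(default_factory=list)
    files: dict = field(default_factory=dict)  # path -> size, the stored subtree

    def usage(self):
        """Bytes currently stored anywhere below the quota path."""
        prefix = self.path.lower() + "\\"
        return sum(size for p, size in self.files.items() if p.lower().startswith(prefix))

    def save(self, user, path, size):
        """Attempt to store `size` bytes at `path`; return (ok, notifications)."""
        notes = []
        new_usage = self.usage() - self.files.get(path, 0) + size
        if self.hard and new_usage > self.limit:
            notes.append(f"event: {user} denied writing {path}; "
                         f"quota of {self.limit // MB} MB on {self.path} exceeded")
            return False, notes
        self.files[path] = size
        pct = 100 * new_usage // self.limit
        # Lowest threshold first so the 85% actions precede the 100% actions.
        for t in sorted(self.thresholds, key=lambda t: t.percent):
            if t.fired or pct < t.percent:
                continue
            t.fired = True
            if t.email:
                notes.append(f"email: {user}, administrator; {self.path} at {pct}% of quota")
            if t.event:
                notes.append(f"event: {self.path} reached the {t.percent}% threshold")
            if t.report:
                notes.append(f"report: storage report requested for {self.path}")
            if t.command:
                notes.append(t.command(self))
        return True, notes


def raise_limit(quota):
    """Constructed stand-in for a script that raises the quota by 20 percent."""
    quota.limit = quota.limit * 120 // 100
    return f"command: limit on {quota.path} raised to {quota.limit // MB} MB"
```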
The following table outlines the advantages of using the FSRM quota management
tools compared to NTFS disk quotas.
Key Points
Many organizations face issues with network users storing unauthorized or
personal data on corporate file servers. Not only does this misuse valuable storage
space, but it also increases the backup process duration, and might violate privacy
or security compliance issues within the company. You can use file screening to
manage the types of files that users can save on corporate file servers.
A file screen provides a flexible method to control the types of files that are saved
on company servers. For example, you can ensure that music files are not stored in
personal folders on a server, yet still allow storage of specific media file types that
support legal rights management or comply with company policies. In the same
scenario, you might want to assign special privileges to the company's vice
president, allowing storage of any file types in his or her personal folder.
You also can implement a screening process to notify you by e-mail when an
unauthorized file type has been stored on a shared folder. The e-mail message can
include information such as the name of the user who stored the file and its exact
location so that you can take appropriate precautionary steps.
For example, an Audio Files file group might include the following file name
patterns:
Files to include: *.mp*. Includes all audio files created in current and future
MPEG formats (MPG, MP2, MP3, and so on).
Files to exclude: *.mpp. Excludes files created in Microsoft Project (.mpp
files), which would otherwise be included by the *.mp* inclusion rule.
FSRM provides several default file groups. You can define additional file groups, or
change the files to be included and excluded. Any changes that you make to a file
group affect all existing file screens, templates, and reports to which the file group
has been added.
To simplify file screen management, you should base your file screens on file
screen templates. A file screen template defines the following:
File groups to block. You can select what file groups to block in the file screen
template. You also can create or modify new file groups from the File Screen
Template Properties dialog box.
Screening types to perform. You can configure two screening types in a file
screen template: Active screening does not allow users to save any files related
to the selected file groups configured with the template. Passive screening still
allows users to save files but provides notifications for monitoring.
Notifications to be generated. Similar to quota templates, file screen
templates provide the ability to configure notifications by means of e-mail
messages, event logs, and reports. You also can configure specific commands
or scripts to run when a file screening event takes place.
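The file group and file screen template behaviour described above, as an added worked model that is not the course's code or FSRM itself: the Audio Files group from the example (*.mp* included, *.mpp excluded), applied to a folder subtree in active or passive mode with the template's notification kinds, and an exception path for the vice president's folder. The D:\Users paths, user names and file names are constructed.

```python
"""Model of FSRM file groups and file screens (constructed example).

A file group is an include pattern list minus an exclude pattern list. A
file screen applies groups to a folder subtree in active (block) or passive
(allow, but notify) mode and emits the notifications the template asks for."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath


@dataclass
class FileGroup:
    name: str
    include: list
    exclude: list = field(default_factory=list)

    def matches(self, filename):
        # Windows file names are case-insensitive; fnmatchcase is not.
        name = filename.lower()
        if any(fnmatchcase(name, p.lower()) for p in self.exclude):
            return False
        return any(fnmatchcase(name, p.lower()) for p in self.include)


@dataclass
class FileScreen:
    path: str                          # folder the screen is applied to
    groups: list                       # file groups to block
    active: bool = True                # True = block, False = passive
    notify: tuple = ("email", "event")  # notification kinds in the template
    exceptions: tuple = ()             # subfolders exempt from this screen

    def covers(self, full_path):
        """True if `full_path` lies under the screened folder and no exception."""
        p = PureWindowsPath(full_path)
        if not (p == PureWindowsPath(self.path) or PureWindowsPath(self.path) in p.parents):
            return False
        return not any(PureWindowsPath(e) == p or PureWindowsPath(e) in p.parents
                       for e in self.exceptions)


def evaluate_save(screen, user, full_path):
    """Decide whether `user` may save `full_path` and which notifications fire.

    Returns (allowed, matched_group_name_or_None, notifications)."""
    if not screen.covers(full_path):
        return True, None, []
    filename = PureWindowsPath(full_path).name
    for group in screen.groups:
        if group.matches(filename):
            action = "blocked" if screen.active else "allowed (passive screening)"
            notes = [f"{kind}: {user} saved {full_path} ({group.name}, {action})"
                     for kind in screen.notify]
            return not screen.active, group.name, notes
    return True, None, []


# The course's Audio Files example: all MPEG audio, but not Project files.
AUDIO = FileGroup("Audio Files", include=["*.mp*"], exclude=["*.mpp"])
```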
Key Points
To assist in capacity planning, you must be able to configure and generate
extensive reports based on current storage numbers. In this topic, you will learn
how to configure, schedule, and generate storage reports by using FSRM.
Storage reports provide information about file usage on a file server. The FSRM
Storage Reports Management feature allows you to generate storage reports on
demand and schedule periodic storage reports that help identify trends in disk
usage. You also can create reports to monitor attempts to save unauthorized files
by all users or a selected group of users.
You can create report tasks that schedule one or more periodic reports, or you can
generate reports optionally on demand and display the reports immediately. For
on-demand reports, as with scheduled reports, current data is gathered before the
report is generated.
The Scheduled Report Tasks node results pane includes the report task. Tasks are
identified by the reports to be generated, the namespace on which the report will
be created, and the report schedule. You also can view the current report status
(whether the report is running), the last run time and the result of that run, and
the next scheduled run time.
Key Points
Configure FSRM quotas.
Configure FSRM file screens.
Produce an FSRM storage report.
Question: How could you benefit from using quotas in your organization?
Question: How could you benefit from using file screens in your organization?
Key Points
Traditional file-servers have tended to rely on direct-attached storage (DAS). In this
configuration, disks are either attached internally to a file-server, or else attached
locally in a disk array. DAS presents some storage management issues. These
issues include:
Inflexible resource sharing. Despite the fact that specific servers in your
organization might have excess storage, there is no easy way for this excess
storage to be redeployed to other servers that have additional storage
requirements. After a server has no more room for additional storage, the most
common way to add storage resources is to add a new server. The
disadvantages of this approach are increased capital expenditures and greater
management complexity.
Note: If the majority of documents that users must access are file based, NAS solutions
provide the most effective and low-cost networked storage solution. On the other hand,
if the greatest amount of information to be shared is produced by database applications,
SANs have been the most popular solution. For those many organizations that must
share both block-based and file-based data, a joint NAS-SAN solution can effectively
meet both needs.
SANs are designed to enable centralization of storage resources, while at the same
time overcoming the distance and connectivity limitations posed by DAS. Parallel
SCSI interconnections limit DAS devices to a distance of 25 meters and can
connect a maximum of only 16 devices. A typical SAN implementation can extend
the distance limitation to 10 kilometers or more and enable an essentially
unlimited number of devices to attach to the network. These factors allow SANs to
effectively uncouple storage from the server and to pool on a network where
storage can be shared and easily provisioned, without the problems of scaling
associated with DAS.
In the Windows Server 2008 operating system, DFS enables you to create one or
more hierarchies of shared folders from across your network and replicate the
contents of those folders between servers where necessary; these hierarchies are
known as namespaces.
Objectives
After completing this lesson, you will be able to:
Describe DFS.
Plan a DFS namespace.
Plan DFS replication.
Use DFS to provide for data storage scenarios.
Key Points
DFS technologies in Windows Server 2008 provide a simplified way to access files
that are dispersed geographically throughout an organization. DFS also offers wide
area network (WAN)-friendly file replication between servers. DFS technologies
include:
DFS Namespaces
DFS Replication
Remote Differential Compression
DFS Namespaces
DFS Namespaces allows administrators to group shared folders located on
different servers into one or more logically structured namespaces. Each
namespace appears to users as a single shared folder with a series of subfolders.
The subfolders typically point to shared folders that are located on various servers
in multiple geographical sites throughout the organization.
Note: RDC is not used on files smaller than 64 KB. In this case, the file is compressed
before it is replicated.
Additional Reading
Distributed File System Technology Center:
http://go.microsoft.com/fwlink/?LinkId=102236&clcid=0x409
Overview of the Distributed File System Solution in Microsoft Windows Server
2003 R2: http://go.microsoft.com/fwlink/?LinkId=102237&clcid=0x409
About Remote Differential Compression:
http://go.microsoft.com/fwlink/?LinkId=102239&clcid=0x409
Key Points
Domain-Based Namespace
A domain-based namespace is a DFS namespace that you create on a domain
member server, which uses the domain name in the DFS path. You can install
multiple namespace servers to host the same domain-based DFS namespace.
A domain-based namespace can be used when:
Namespace high availability is required.
You need to hide the name of the namespace servers from users. This also
makes it easier to replace a namespace server or migrate the namespace to a
different server. Users will then use the \\domainname\namespace format as
opposed to the \\servername\namespace format.
Note: Access-based directory enumeration allows users to list only the files and folders
to which they have access when browsing content on the file server. This eliminates user
confusion that can be caused when users connect to a file server and encounter a large
number of files and folders that they cannot access.
To use Windows Server 2008 mode, the following requirements must be met:
The domain must be at the Windows Server 2008 domain functional level.
All namespace servers must be Windows Server 2008.
Note: You can migrate a domain-based namespace from Windows 2000 Server mode to
Windows Server 2008 mode by using the DFSutil command-line tool. You also can
enable or disable Access-based Enumeration by using the Share and Storage
Management MMC.
Stand-Alone Namespace
A stand-alone namespace is a DFS namespace that you create on a single server.
The DFS namespace server may be a member of a domain or workgroup. A stand-
alone DFS namespace server only requires the File Server role. Stand-alone DFS
namespaces are not fault-tolerant, but you can install a stand-alone DFS namespace
as a cluster resource on a Windows Server 2008 server cluster.
A stand-alone namespace is used when:
Your organization has not implemented Active Directory directory service.
Your organization does not meet the requirements for a Windows Server 2008
mode, domain-based namespace, and you have requirements for more than
5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders
with targets.
Folders
Folders are the primary namespace elements. They appear after the namespace
root (\\server\rootname or \\domain\rootname) and help build the namespace
hierarchy. You use folders in a namespace to organize file shares and their contents
in the same way you use folders on a hard disk to organize files. When you create a
folder using the DFS Management console, you type a name for the folder and
specify whether to add any folder targets.
Key Points
You can increase data availability in your organization by holding two or more
copies of files on different servers and configuring the shares as folder targets for
the same DFS folder in a namespace. To ensure that the files are the same in the
two different locations, you can configure DFS Replication to synchronize the
content.
DFS-R is a state-based, multimaster replication engine that supports replication
scheduling and bandwidth control. DFS-R uses RDC to synchronize files and their
contents between computers.
RDC is an advanced compression technology that optimizes data transfers over
networks that have limited bandwidth. Instead of transferring similar or redundant
data repeatedly, RDC accurately identifies file deltas and transmits only differences
to achieve bandwidth savings. This effectively reduces the size of the data that is
sent and the overall bandwidth requirements for the transfer.
Note: Each replicated folder has its own staging folder, which by default is located under
the local path of the replicated folder in the DfsrPrivate\Staging folder.
DFS-R uses a version vector exchange protocol to determine which files need
to be synchronized. The protocol sends less than 1 kilobyte (KB) per file
across the network to synchronize the metadata associated with changed files
on the sending and receiving members.
When a file is changed, only the changed blocks are replicated, not the entire
file. The RDC protocol determines the changed file blocks. Using default
settings, RDC works for any type of file larger than 64 KB, transferring only a
fraction of the file over the network.
DFS-R uses a conflict resolution heuristic of last writer wins for files that are
in conflict (that is, a file that is updated at multiple servers simultaneously)
and earliest creator wins for name conflicts.
DFS-R is self-healing and can automatically recover from USN journal wraps,
USN journal loss, or loss of the DFS Replication database.
DFS-R uses a Windows Management Instrumentation (WMI) provider that
provides interfaces to obtain configuration and monitoring information from
the DFS Replication service.
Additional Reading
Distributed File System Replication: Frequently Asked Questions:
http://go.microsoft.com/fwlink/?LinkId=102241&clcid=0x409
Key Points
You can configure DFS Replication groups in two ways:
You can use a multipurpose replication group for replication of data between
two or more servers for the purpose of data availability, publication, or
content-sharing scenarios. This type of replication group uses multimaster
replication.
You can use a data collection replication group for replication of data between
two or more servers in a branch office scenario to enable backup of the branch
office data at the main office (also referred to as a hub site). Data collection
replication groups also use multimaster replication. In this scenario, no users
perform backup tasks at the branch office and administrators at the main
office can back up and restore data by using the replicated folder. In this
scenario, it is recommended that you configure permissions to prevent main
office users from modifying the replicated content.
Note: We recommend this scenario only if users can tolerate some file inconsistencies as
changes are replicated throughout the branch servers. Also note that DFS-R only
replicates a file after it is closed. Therefore, DFS-R is not recommended for replicating
database files or any files that are held open for long periods of time.
Data Collection
DFS technologies can collect files from a branch office and replicate them to a hub
site, thus allowing the files to be used for a number of specific purposes. Critical
data can be replicated to a hub site using DFS-R, and then backed up at the hub
site using standard backup procedures. This increases the branch office data
recoverability if a server fails, because files will be available in two separate
locations and also backed up. Additionally, companies can reduce branch office
costs by eliminating backup hardware and onsite information technology (IT)
personnel expertise. Replicated data also can be used to make branch office file
shares fault-tolerant. If the branch office server fails, clients in the branch office can
access the replicated data at the hub site.
Data Distribution
You can use DFS Namespaces and DFS-R to publish and replicate documents,
software, and other line-of-business data throughout your organization. DFS
Namespaces and folder targets can increase data availability and distribute client
load across various file servers.
You are undoubtedly familiar with the process of administering printers. However,
in Windows Server 2008, the new Print Services role enables you to share your
attached printers on the network and to centralize print server and network printer
management tasks.
Objectives
After completing this lesson, you will be able to:
Describe the shared printing components.
Describe a printer server.
Manage printer drivers.
Manage shared printers with Group Policy.
Key Points
To help you plan more effectively for shared printing, it is important to understand
the components and terminology of the shared printing architecture.
Print queue. A logical representation of a physical printer: the software entity
that links the printer a user connects to with the print device that their
output arrives on. You can configure a print queue to handle print jobs in a
specified manner. The following settings, found on the Advanced tab of the
printer properties, control this behavior:
Always available / Available from. The printer either always prints output or
prints only between the times you designate; jobs submitted outside that window
wait in the queue.
Spool print documents so program finishes printing faster. The print processor
uses a spool folder to hold a print job until the print device is ready to
process it and produce the output. Two sub-options decide when output starts:
Start printing immediately. The print device begins producing output as soon as
the first page has spooled.
Start printing after last page is spooled. The print device produces no output
until the entire job has spooled.
Print directly to the printer. The job bypasses the spool folder. This is useful
only if the printer is connected locally and has enough memory. Selecting it
disables the following four options: Hold mismatched jobs, Print spooled
documents first, Keep printed documents, and Enable advanced printing features.
Hold mismatched jobs. The spooler holds, instead of printing, jobs whose
document settings (for example, the paper type selected in the client
application) do not match the printer configuration.
Keep printed documents. Keeps the spooled copy of each job after it has printed,
so the job can be resubmitted from the queue without the client application.
Enable advanced printing features. Enables Enhanced Metafile (EMF) spooling,
which returns control to the application sooner. However, the print job may
take longer to complete. Clearing this setting results in RAW print processing,
which may be more reliable with some drivers.
New Driver. Use this button to update the printer driver.
Printing Defaults. Configures the default layout and paper-handling options for
print jobs.
Print Processor. Defines the print processor, and therefore the default data
type, used for print jobs.
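The settings in the table are stored as bits in the print queue's attribute mask, which is what the spooler API and WMI expose. The following script is an added example, not part of the course material: it decodes the attribute mask of every shared queue on a print server into the option names above and flags queues where Print directly to the printer is set, because that setting silently makes the other spooling options meaningless. The bit values are the PRINTER_ATTRIBUTE_* constants from the Windows print spooler SDK; the server name is an assumption (use "." for the local host).

```powershell
# Added example: report the spooling configuration of every shared print queue
# on a print server by decoding Win32_Printer.Attributes.
param([string]$PrintServer = ".")   # assumed: name of the print server

# PRINTER_ATTRIBUTE_* bit values from the print spooler SDK (winspool.h)
$PrinterAttribute = @{
    Queued          = 1      # Start printing after last page is spooled
    Direct          = 2      # Print directly to the printer (no spooling)
    Default         = 4
    Shared          = 8
    Network         = 16
    Hidden          = 32
    Local           = 64
    EnableDevQuery  = 128    # Hold mismatched jobs
    KeepPrintedJobs = 256    # Keep printed documents
    DoCompleteFirst = 512    # Print spooled documents first
    WorkOffline     = 1024
    EnableBidi      = 2048
    RawOnly         = 4096   # Enable advanced printing features (EMF) is cleared
    Published       = 8192   # Listed in Active Directory
}

function Test-Attribute {
    param([int]$Attributes, [string]$Flag)
    return (($Attributes -band $PrinterAttribute[$Flag]) -ne 0)
}

function Get-SpoolingMode {
    param([int]$Attributes)
    if (Test-Attribute $Attributes 'Direct') { return 'Print directly to the printer' }
    if (Test-Attribute $Attributes 'Queued') { return 'Start printing after last page is spooled' }
    return 'Start printing immediately'
}

function Get-SharedQueueReport {
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName |
        Where-Object { Test-Attribute $_.Attributes 'Shared' } |
        ForEach-Object {
            $a = $_.Attributes
            $warnings = @()
            if (Test-Attribute $a 'Direct') {
                # Without spooling these three options have nothing to act on
                foreach ($f in 'EnableDevQuery', 'DoCompleteFirst', 'KeepPrintedJobs') {
                    if (Test-Attribute $a $f) { $warnings += "$f has no effect while Direct is set" }
                }
            }
            if (-not (Test-Attribute $a 'Published')) { $warnings += 'Not published in Active Directory' }
            New-Object PSObject -Property @{
                Name             = $_.Name
                ShareName        = $_.ShareName
                Driver           = $_.DriverName
                Port             = $_.PortName
                Location         = $_.Location
                SpoolingMode     = Get-SpoolingMode $a
                HoldMismatched   = Test-Attribute $a 'EnableDevQuery'
                SpooledFirst     = Test-Attribute $a 'DoCompleteFirst'
                KeepPrinted      = Test-Attribute $a 'KeepPrintedJobs'
                AdvancedFeatures = -not (Test-Attribute $a 'RawOnly')
                AvailableFrom    = $_.StartTime     # CIM datetime; empty when always available
                AvailableUntil   = $_.UntilTime
                Warnings         = ($warnings -join '; ')
            }
        }
}

Get-SharedQueueReport -ComputerName $PrintServer |
    Format-Table Name, SpoolingMode, HoldMismatched, KeepPrinted, AdvancedFeatures, Warnings -AutoSize
```

Run it with -PrintServer against each print server; the Warnings column is the part worth reading in a planning review, because a queue that has drifted to Print directly to the printer loses the Keep printed documents audit trail without any visible error.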
Key Points
When planning print services, one of the first choices you must make is whether to
allow users to print directly to printers, or whether to share the printers
through a print server by using the Print Services role in Windows Server 2008.
There are a number of advantages to creating a print server:
Printer Management. The new Print Services role provides a consolidated and
centralized management console that enables you to perform the following
tasks:
Open and manage active print queues.
Pause and restart printer jobs.
Deploy shared printers by using Group Policy.
Manage printer properties.
Add new printer drivers.
The main disadvantage of using a print server is that it imposes a load on the
server computer. Rendering print jobs can be CPU intensive, although Windows
Server 2008 print servers use client-side rendering by default for Windows Vista
and later clients, which moves most rendering work back to the client. In
addition, spooling and de-spooling print jobs imposes a load on the disk
subsystem, so on a busy print server place the spool folder on a volume other
than the system volume.
Key Points
Publishing
When you create and share a printer, you can optionally decide to list the printer
in Active Directory; this is known as publishing. Publishing makes it easier for
users to locate printers by searching for them.
Printer Locations
When you publish a printer, you can associate the printer with a location; this is a
multipart name that defines the physical location of the printer. In order to use
printer location strings, you must also define locations for your site and subnet
objects in Active Directory; this enables a client computer to determine its physical
location based on its IP configuration.
For example, if you have configured a site with the location string Head
Quarters, and it contains a subnet whose location is Head Quarters/Floor6, and
you have a printer in room 3, you would associate the location string Head
Quarters/Floor6/room3 with the printer. Users can now search by location. You
can also enable the Pre-populate printer search location text and Computer
location policy settings (Computer Configuration\Administrative
Templates\Printers) so that the printer search dialog box opens with the
current computer's location already filled in, derived from the Active
Directory subnet that contains the client's IP address.
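The resolution step the text describes, matching the client's IP address to the most specific subnet object and reading that subnet's location attribute, is shown in the following added example. It is not part of the course; the subnet table in the script is constructed sample data that mirrors the course's naming, and the two ADSI helpers read and write the real subnet objects in the Configuration partition of the forest the computer is joined to.

```powershell
# Added example: emulate printer location tracking. Resolve a client IPv4
# address to the location string of the most specific AD subnet that
# contains it, and maintain the location attribute on real subnet objects.

function ConvertTo-IPv4Number {
    param([string]$IPv4)
    # Big-endian bytes to an unsigned integer, without bit-shift operators so
    # the script also runs on Windows PowerShell 2.0
    [uint64]$n = 0
    foreach ($b in ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-IPv4InSubnet {
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $divisor = [math]::Pow(2, 32 - [int]$prefix)     # dividing drops the host bits
    return ([math]::Floor((ConvertTo-IPv4Number $IPv4) / $divisor) -eq
            [math]::Floor((ConvertTo-IPv4Number $network) / $divisor))
}

function Resolve-PrinterLocation {
    # Longest-prefix match, the same rule the client uses to pick its site subnet
    param([string]$ClientIPv4, [hashtable]$SubnetLocations)
    $best = $null; $bestPrefix = -1
    foreach ($cidr in $SubnetLocations.Keys) {
        $prefix = [int](($cidr -split '/')[1])
        if ($prefix -gt $bestPrefix -and (Test-IPv4InSubnet $ClientIPv4 $cidr)) {
            $best = $SubnetLocations[$cidr]; $bestPrefix = $prefix
        }
    }
    return $best   # $null when no subnet object with a location covers the client
}

function Get-AdSubnetsContainer {
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    return [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"
}

function Get-AdSubnetLocations {
    # Each subnet object's cn is its CIDR; location is the attribute used for
    # printer location tracking
    $map = @{}
    foreach ($s in (Get-AdSubnetsContainer).Children) {
        $loc = $s.Properties["location"].Value
        if ($loc) { $map[[string]$s.Properties["cn"].Value] = [string]$loc }
    }
    return $map
}

function Set-AdSubnetLocation {
    param([string]$Cidr, [string]$Location)
    # Bind through the container instead of a DN so the "/" in the cn needs no escaping
    $subnet = (Get-AdSubnetsContainer).Children | Where-Object { $_.Properties["cn"].Value -eq $Cidr }
    if (-not $subnet) { throw "Subnet object $Cidr not found" }
    $subnet.Put("location", $Location)
    $subnet.SetInfo()
}

# Constructed sample data; replace with (Get-AdSubnetLocations) on a domain member
$sample = @{
    "10.0.0.0/16"  = "Head Quarters"
    "10.0.6.0/16"  = "Head Quarters"
    "10.0.6.0/24"  = "Head Quarters/Floor6"
    "10.20.0.0/16" = "Western Region/Seattle"
}
foreach ($client in "10.0.6.42", "10.0.9.7", "10.20.1.15", "192.168.1.1") {
    "{0,-12} -> {1}" -f $client, (Resolve-PrinterLocation $client $sample)
}
```

The 10.0.6.42 client resolves to the /24 rather than the /16 because the longer prefix wins; an address that no subnet object covers returns nothing, which is also what the client sees when its subnet is missing from Active Directory Sites and Services. Set-AdSubnetLocation requires an account that can write to the Configuration partition.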
Deploying Printers
Rather than install and configure the printer on each client computer, you can
use Group Policy to deploy shared printers as printer connections. You can
achieve this either by using the Group Policy Management Console or by using
the Print Management snap-in, which writes the deployed printer connection into
a Group Policy object for you. Deploying printers makes the printer available on
the client computer without any action by the user. Windows Vista and later
clients process deployed printer connections natively; for Windows XP and
Windows Server 2003 clients, you must run PushPrinterConnections.exe from a
startup or logon script.
Adatum has a number of new sales offices in the western region. Allison Brown, the
IT manager, has asked you to look into deploying the necessary server roles to
support users in the region. The sales department users access a number of shared
folders at the head office location, and want access to that content in the regional
branch offices. In addition, you determine that storage management is a concern in
the regions; the branch servers will be deployed with DAS, and ensuring that they
do not run out of disk space is an important factor in your plans.
Task 2: Update the Sales Branch Offices: File and Print Services document with
your proposals
Answer the questions in the Sales Branch Offices: File and Print Services
document.
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 11 October 2009 08:41
To: Gregory@adatum.com
Subject: Re: Sales offices: file and print services
Attachments: Requirements.doc
Greg,
Yes, Joe and I had a meeting and he sent over the attached document. I've added
my comments, so it should have all the information you require.
Regards
Alan.
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 10 October 2009 17:10
To: Alan@adatum.com
Subject: Sales offices: file and print services
Alan,
I'm trying to determine which server roles I need to deploy to the regional sales
offices. I know you've been talking to Joe Healy. Rather than me repeat all the same
questions, what information did he provide about the way the department shares
its data?
Regards,
Greg
Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined in
the Requirements document.
Additional Information
The requirements are summarized as follows:
Deploy server roles to support file and print services.
Create a single UNC name to allow access to all sales shared resources. This single
UNC name should not be a single point of failure.
Provide for a means of synchronizing data between the branch and head office
sales shared folders.
Impose restrictions to prevent creation of executable files in data areas.
Impose a hard limit on the amount of disk space each user can consume in the
data folder.
Deploy printers to client computers quickly and easily.
Proposals
1. What server roles will you need to deploy to the branch servers to satisfy these
requirements?
2. Will you need to make any changes to the infrastructure at the head office to
support these requirements?
3. What folder and shared folder permissions would you recommend for sales data
areas?
Proposals (continued)
4. How will you address the requirement for a single UNC name for all sales shared
resources and avoid a single point of failure?
6. What role or feature enables you to impose a restriction on the types of files that
users can create in designated folders?
7. What role or feature enables you to impose a restriction on the disk space users
can consume in designated folders?
8. Provide additional details about the specifics of the process you will use to
provide for the previous two requirements:
Results: After this exercise, you should have a completed Sales Branch Offices: File and
Print Services document.
Results: After this exercise, you should have successfully configured file and print
services for the branch office.
Review Questions
1. Which File Services role service supports UNIX users?
10. How can fault tolerance of the content in a DFS namespace be provided?
Planning Server and Network Security 7-1
Key Points
Defending your organization in depth means that you apply a combination of
people, processes, and technology to protect against threats at each layer. If one
layer is compromised, the protections for other layers are still in place. Using a
layered approach increases the probability of detecting an attacker and reduces the
probability that an attack will be successful. As a general guideline, design and
build each layer of security under the assumption that every other layer has been
breached.
Key Points
Some of the risks associated with Defense-in-Depth layers are:
Data. Any unauthorized or accidental access to data is a risk. This access can
include modification of data, deletion of data, or just viewing data.
Application. Loss of application functionality through denial of service is one
risk. However, a flawed application can also create risks for other layers, for
example, accidental data corruption.
Host. Operating system flaws are one source of risk. However, default
configuration options and weak passwords are also a risk. Failure of computer
components would also be included here.
Internal network. Risks on the internal network include packet sniffing and
unauthorized use of wireless networks. Visiting consultants who connect to
the network are also a source of risk, as is simple failure of network
components.
Key Points
When you perform risk analysis, you need to consider the value of each asset, the
cost of downtime, and the likelihood of a risk occurring. After you have identified
all of the risks, you can begin to identify methods to mitigate those risks.
Eventually, after the risks and their mitigation methods have been identified, you
can select the mitigation methods that you want to implement.
Note: Elimination of risk is not a realistic goal for computer security. The goal should be
to mitigate risk in a cost-effective way based on your risk analysis.
Key Points
Every organization evaluates security risks and asset values differently. With your
instructor, discuss the measures that your organization has in place to mitigate risk
at each layer of the Defense-in-Depth model.
Windows Firewall with Advanced Security can be used to protect both clients and
servers on your network by implementing a firewall on each host. You must
determine the rules that will be used to protect the computers on your network.
This includes the inbound rules, outbound rules, and connection security rules.
After you have determined the rules to be implemented, you must determine how
the rules will be created and applied to each computer.
Key Points
Windows Firewall with Advanced Security is an updated version of the Windows
Firewall that first appeared in Windows XP. One of the major updates is the
inclusion of outbound rules and connection security rules.
The types of rules are:
Inbound. These rules control the network connections that the local computer
will accept from other computers. By default, all inbound connections are
blocked.
Outbound. These rules control the network connections that the local
computer can make with other computers. By default, all outbound
connections are allowed, so outbound filtering requires explicit block rules.
Connection security. These rules are a replacement for the IPsec rules in
previous versions of Windows. They are used to create and control IPsec
connections between computers.
Key Points
The rules you create in Windows Firewall with Advanced Security have a number
of options that can be configured. Unlike with some firewalls, with Windows
Firewall with Advanced Security the options for configuration are not limited to
just port-based rules. The rules can also be created for specific programs.
Windows Firewall with Advanced Security also recognizes different network
profiles. Windows Vista and Windows Server 2008 recognize each unique
network that you connect to based on the Media Access Control (MAC) address of
the default gateway. Each network can be given a name and is assigned a profile.
On Windows Vista and Windows Server 2008 only one profile is active at a time,
and only the rules enabled for that profile are enforced, so a rule bound to the
wrong profile is silently ignored. The profiles are:
Domain. This profile is selected automatically when the computer is a domain
member and can reach a domain controller on the network it is connected to.
Public. This profile is meant to be used on publicly accessible networks. It is
typically used for laptop users that roam in public locations such as hotels.
Private. This profile is meant to be used on private networks where other
computers are known and secure. It is used for trusted locations such as a
home network or a workgroup office network.
Key Points
Windows Vista and Windows Server 2008 include connection security rules as a
replacement for IPsec rules. When connection security rules are used, the
communication between computers is authenticated.
There are several types of connection security rules:
Isolation rules are used to prevent unauthorized computers from
communicating with each other. Domain isolation can be implemented with
these rules.
Server-to-server rules authenticate, and possibly encrypt, communication
between two hosts. These are typically used to secure communication between
a few hosts because you specify endpoints (IP addresses) that the rules apply
to.
Tunnel rules are used when Windows Server 2008 computers act as routers
and IPsec is used to secure communication between them.
Key Points
Server and domain isolation are systems that use IPsec to segment and isolate parts
of a network. Computers on the isolated network ignore all requests from
computers outside the isolated network. The isolated network is created by using
isolation connection security rules and requiring authentication for inbound
connections.
All computers in the isolated network must be part of a domain if you use the
default authentication method, because Kerberos is used to authenticate the
computer identities. This allows access to computers on the isolated network to
be enforced based on the identity of the computers. Computers that are not
domain members can still participate if the rules also accept computer
certificates from a certification authority that every host trusts. Hosts that
do not support IPsec at all, and infrastructure servers such as domain
controllers and DHCP servers that must be reachable before authentication can
succeed, are excluded by using authentication exemption connection security
rules.
Domain isolation restricts communication to computers that are members of the
domain. This prevents unauthorized access to hosts on your network. For
example, a visiting consultant who connects a laptop to your network would not
be able to communicate with any of the computers in the domain.
Note: It is significantly more complex to implement server isolation when using IPsec
policies rather than connection security rules.
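The rule types described above (isolation, authentication exemption) are what a domain isolation deployment is built from. The following added example, which is not part of the course, creates them with the netsh advfirewall consec context that ships with Windows Server 2008. It deliberately starts in request mode so that traffic to hosts that cannot yet do IPsec keeps flowing while you confirm that security associations form, and only then tightens to require inbound authentication. The exempted addresses (domain controllers and the DHCP server) are assumptions.

```powershell
# Added example: connection security rules for domain isolation, phased in
# from "request" to "require" so that a mistake does not isolate the server
# from its own domain controllers.

$exemptHosts = @('10.0.1.10', '10.0.1.11', '10.0.1.20')   # assumed: DCs and DHCP server

function New-IsolationRule {
    param([string]$Name, [ValidateSet('request', 'require')][string]$Mode)
    # requestinrequestout: authenticate when the peer can, otherwise fall back to clear text
    # requireinrequestout: drop unauthenticated inbound connections, still only request outbound
    $action = if ($Mode -eq 'require') { 'requireinrequestout' } else { 'requestinrequestout' }
    netsh advfirewall consec add rule name="$Name" endpoint1=any endpoint2=any action=$action auth1=computerkerb profile=domain
    if ($LASTEXITCODE -ne 0) { throw "Failed to create rule '$Name'" }
}

function New-AuthenticationExemption {
    param([string]$Name, [string[]]$Hosts)
    # Hosts that cannot do IPsec, or that Kerberos itself depends on, are never challenged
    $list = $Hosts -join ','
    netsh advfirewall consec add rule name="$Name" endpoint1=any endpoint2=$list action=noauthentication profile=domain
    if ($LASTEXITCODE -ne 0) { throw "Failed to create exemption '$Name'" }
}

function Remove-ConsecRule { param([string]$Name) netsh advfirewall consec delete rule name="$Name" }

function Get-MainModeSAs {
    # Lists the IKE main mode security associations; a peer that appears here
    # has authenticated successfully
    netsh advfirewall monitor show mmsa
}

# Phase 1: exemptions first, then request mode for everything else
New-AuthenticationExemption -Name 'Isolation exemption - infrastructure' -Hosts $exemptHosts
New-IsolationRule -Name 'Domain isolation (request)' -Mode request
netsh advfirewall consec show rule name=all

# Phase 2, run only after Get-MainModeSAs shows SAs with the expected peers:
# Remove-ConsecRule -Name 'Domain isolation (request)'
# New-IsolationRule -Name 'Domain isolation (require)' -Mode require
```

Because the exemption rule is matched before the isolation rule for the listed endpoints, the order in which the two are created does not matter, but creating the exemption first means there is no window in which a domain controller is challenged for IPsec it is not configured to answer.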
Key Points
There are multiple ways to deploy new firewall rules to hosts. Consider the
following:
Some applications will automatically create any necessary firewall rules for
their functionality. When you install a new application, you can review the
firewall configuration to see what changes have been made. It is useful to
document the changes made by an application in case you need to recover the
firewall configuration at a later time.
Back up firewall configuration before making changes. You can use the Export
Policy option in Windows Firewall to create a file containing the Windows
Firewall configuration. Later you can use the Import Policy option to restore
the configuration.
The Windows Firewall with Advanced Security console is suitable for
configuring only a small number of computers, because it configures one host
at a time, and a manual process repeated many times is subject to human error.
For more than a handful of computers, define the rules once in a Group Policy
object (Computer Configuration\Windows Settings\Security Settings\Windows
Firewall with Advanced Security) or script them with the netsh advfirewall
command so that every host receives the same configuration.
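The following added example, not taken from the course, scripts the procedure the list describes: back up the current firewall policy, add an inbound port rule scoped to a management subnet and an outbound rule that blocks a specific program, verify that both rules exist, and restore the backup if anything fails. It uses the netsh advfirewall commands included in Windows Server 2008; the backup directory, rule names, port, subnet and program path are assumptions.

```powershell
# Added example: change Windows Firewall with Advanced Security rules from a
# script, with an export taken first so the change can be rolled back.

$backupDir = 'C:\FirewallBackups'   # assumed

function Backup-FirewallPolicy {
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    $file = Join-Path $backupDir ("policy-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
    netsh advfirewall export "$file" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Firewall policy export failed" }
    return $file
}

function Restore-FirewallPolicy { param([string]$File) netsh advfirewall import "$File" }

function Add-InboundPortRule {
    param([string]$Name, [int]$Port, [string]$RemoteIP = 'any', [string]$Profile = 'domain')
    # Inbound is blocked by default, so a listener needs an explicit allow; scoping
    # remoteip keeps the exposure to the subnet that actually needs the service
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port remoteip=$RemoteIP profile=$Profile
}

function Add-OutboundProgramBlock {
    param([string]$Name, [string]$Program)
    # Outbound is allowed by default; a block rule is the only way to stop one binary
    netsh advfirewall firewall add rule name="$Name" dir=out action=block program="$Program" enable=yes
}

function Test-RuleExists {
    param([string]$Name)
    # netsh returns a non-zero exit code when no rule matches the name
    netsh advfirewall firewall show rule name="$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$backup = Backup-FirewallPolicy
try {
    Add-InboundPortRule -Name 'Allow SQL from admin subnet' -Port 1433 -RemoteIP '10.0.6.0/24'   # assumed values
    Add-OutboundProgramBlock -Name 'Block telnet client' -Program "$env:SystemRoot\System32\telnet.exe"
    foreach ($r in 'Allow SQL from admin subnet', 'Block telnet client') {
        if (-not (Test-RuleExists $r)) { throw "Rule '$r' was not created" }
    }
    netsh advfirewall show allprofiles | Select-String 'Profile Settings', 'State', 'Firewall Policy'
}
catch {
    Write-Warning "Rolling back firewall policy: $_"
    Restore-FirewallPolicy $backup
}
```

The exported .wfw file is the same format the console's Export Policy option produces, so a backup taken by the script can be restored through the console and vice versa. Running the same script on many hosts still does not replace Group Policy for ongoing enforcement; it is a way to get consistent rules onto hosts that are not yet under a firewall GPO.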
Key Points
Steps
1. Open Windows Firewall with Advanced Security.
2. Open an inbound rule and review the available settings.
3. Create an isolation connection security rule.
Key Points
Viruses and other malware are software installed on a computer without the
owner's consent. Some of this software is merely a nuisance, but much of it has
serious consequences.
Some consequences of viruses and malware are:
Insertion of additional advertising into Web pages. The malware attempts to
generate revenue by placing additional advertisements on your computer that
you would not normally see. Often these advertisements appear as part of Web
search results or as pop-up windows.
Theft of passwords and personal data. Personal information is valuable to
those interested in identity theft or transferring money out of a bank account.
Malware can monitor the keystrokes on your computer for passwords and
other sensitive information.
To prevent your computers from becoming infected with viruses and malware, it is
important to understand how they enter your network. Some of the ways viruses
and malware enter the network are:
As an e-mail attachment. Sometimes malware is sent as an e-mail attachment.
When users open the attachment, their computer becomes infected. Users
should be trained not to open unexpected e-mail attachments, but because
sender addresses are easily forged, that training should be backed by
attachment scanning and filtering at the mail gateway rather than relied on
alone.
As part of another program the user is installing. Many users are lured into
installing programs that seem helpful, but include malware along with the
installation. File-sharing programs are a common source of malware. Toolbars
for Internet Explorer and utilities to add emoticons to e-mail messages are also
common sources of malware.
From a Web page. Sometimes, due to flaws in Web browser software or add-
ons to Web browser software, a user can infect his or her computer simply by
viewing a Web page. In most cases, this type of vulnerability is corrected
quickly by the Web browser vendor issuing an update for the software.
Portable computers. A portable computer is inherently more vulnerable to
malware than a desktop computer just because it is moved into multiple
environments. If a portable computer becomes infected with malware and then
is reconnected to the network, it may spread the malware to other computers
on the network. Also, external vendors or staff may bring in portable
computers that do not meet organizational standards for malware protection.
Portable storage. Any type of portable storage may have malware on it that is
spread when it is attached to the computers in your network. This includes
portable disk drives, USB drives, music players, and smart phones.
Key Points
Windows Defender helps protect client computers from spyware and malicious
software. However, Windows Defender is not anti-virus software. Windows
Defender is not part of Windows Server 2008 but should be used on client
computers to limit the chance of malware spreading to servers.
Considerations when using Windows Defender are as follows:
Enable real-time protection. Real-time protection actively monitors a
computer for software that is attempting to install itself. This can be software
from portable storage or from a Web page. Real-time protection prevents
malware from being installed.
Ensure that Windows Defender updates are being applied. Windows
Defender uses antispyware definitions to identify malware. The definitions are
provided by Windows Update. You need to ensure that new definitions are
being downloaded and applied, or your computers will not detect recently
released malware.
For more information, see the Join the Spynet community page on the
Windows Help and How-to Web site at http://go.microsoft.com
/fwlink/?LinkID=167159&clcid=0x409.
Key Points
Antivirus software is an essential part of any network security plan. There is a wide
variety of vendors with antivirus products with a wide range of features. All
computers on a network, including servers, should have antivirus software.
Microsoft produces the Forefront line of security products, which includes
antivirus software.
General considerations for antivirus software are as follows:
Select antivirus software that can be centrally managed. Central
management is essential for most organizations. This enables you to easily
review the status of all computers from a central console and respond to them
quickly. This also allows you to deploy the software from a single console and
provide definition updates from a central location. Centralized management is
one of the primary differentiators between consumer and business-level
antivirus software.
Key Points
Internet Explorer 8 is primarily used on client computers. However, it is also
included on Windows Server 2008. On servers, Internet Explorer includes
Enhanced Security Configuration (ESC).
ESC raises the security settings for the security zones to provide additional
protection for your servers. For Internet Web sites, this prevents ActiveX controls
and scripts from running. If you encounter a Web site running scripts or ActiveX
controls, you are prompted to add the site to the Trusted Sites security zone.
Internet Explorer maintains two lists of sites in the Trusted Sites security zone.
One list is used when ESC is enabled; the other is used when ESC is disabled.
You can use Server Manager to enable or disable ESC for users or administrators
independently. On most servers, you should leave ESC enabled. Most Internet
browsing, including searching for troubleshooting documents, should be
performed from a client computer, rather than a server. However, you should
disable ESC for users on a terminal server if the users are expected to do Web
browsing in the terminal services session.
Other Internet Explorer 8 security features relevant to browsing from servers are as
follows:
IT professionals can increase security and trust through improvements in
ActiveX control management that give them control over how and where an
ActiveX control loads and which users can load it.
The XSS Filter in Internet Explorer 8 helps block cross-site scripting (XSS)
attacks, currently one of the most common Web site vulnerabilities.
Data Execution Prevention (DEP) is enabled by default to help prevent system
attacks in which malicious data exploits memory-related vulnerabilities to
execute code.
The SmartScreen Filter helps protect against phishing Web sites and sites
known to distribute malware. With the SmartScreen Filter enabled, Internet
Explorer 8 compares the full URL against a locally cached list of sites known
to be unsafe and then checks the URL with the SmartScreen Web service. If the
Web site is known to be unsafe, it is blocked and the user is shown a
SmartScreen blocking page that explains the risk.
Protected Mode runs the Internet Explorer process at low integrity level, so it
cannot write to most of the file system or the registry; writes outside the
low-integrity locations go through a broker process that prompts the user. The
functionality relies on User Account Control and Windows integrity levels.
Some Web-based applications do not work properly with Protected Mode
enabled. If an application needs to function without Protected Mode, add its
site to the Trusted Sites security zone, where Protected Mode is off by default.
Keep that list short, because every site in it gains the same relaxed
protection.
Key Points
User Account Control (UAC) is typically thought of as a security measure for client
computers, but it is also in place on Windows Server 2008. The purpose of UAC is
to allow most processes to run as a standard user account and be elevated to
administrator only when required. The elevation is performed without requiring
the use of Run As or making the user log off. Overall, UAC increases security
because any malware on the computer running in the context of the user will be
limited to running only processes that require standard user permissions.
For administrators, security is enhanced by Admin Approval Mode, which is
enabled by default. When a computer is configured to use Admin Approval Mode
and a member of the Administrators group logs on, two access tokens are
generated: a filtered token with standard user permissions, which all processes
use by default, and a full administrator token that is used only after the user
consents at an elevation prompt. The built-in Administrator account is exempt
from Admin Approval Mode by default, so logging on with that account bypasses
the prompt entirely; prefer named administrator accounts for day-to-day work.
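Which of the two tokens a process holds is visible from the process itself. The following added example, not part of the course, inspects the current PowerShell session: on the filtered token whoami.exe lists the Administrators group with the attribute "Group used for deny only", and the Mandatory Label SID shows the integrity level (medium for the filtered token, high after elevation). The .NET IsInRole check is included because it reports the effective result, which is what a script should branch on.

```powershell
# Added example: determine whether the current session runs under the filtered
# (standard user) token or the full administrator token of Admin Approval Mode.

function Get-TokenElevationInfo {
    # whoami /groups includes deny-only groups and the integrity label, which the
    # .NET WindowsIdentity.Groups collection omits
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }      # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }         # Mandatory Label\... level

    $denyOnly  = ($admins -ne $null) -and ($admins.Attributes -match 'deny only')
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $effective = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($admins -eq $null) { $state = 'Standard user: not a member of Administrators' }
    elseif ($denyOnly)     { $state = 'Filtered token: member of Administrators, not elevated' }
    else                   { $state = 'Full administrator token: elevated' }

    if ($label) { $level = $label.'Group Name' } else { $level = 'unknown' }

    New-Object PSObject -Property @{
        User               = (whoami)
        IntegrityLevel     = $level
        AdminsDenyOnly     = $denyOnly
        EffectiveAdmin     = $effective
        TokenState         = $state
    }
}

function Assert-Elevated {
    # Use at the top of scripts that must not run on the filtered token
    $info = Get-TokenElevationInfo
    if (-not $info.EffectiveAdmin) { throw "Not elevated: $($info.TokenState)" }
}

Get-TokenElevationInfo | Format-List TokenState, User, IntegrityLevel, AdminsDenyOnly, EffectiveAdmin
```

Run it from a normal PowerShell window and then from one started with Run as administrator to see the same account produce the two different results; the built-in Administrator account, being exempt from Admin Approval Mode by default, shows the full token in both cases.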
Key Points
The Security Configuration Wizard (SCW) is included with Windows Server 2008
to help you reduce the attack surface of your computer by creating and applying a
security policy.
When you run SCW, it analyzes the computer to determine which roles, features,
and applications are installed. You can review this list and make modifications.
SCW then proposes changes: which services to enable or disable, which inbound
ports to allow in Windows Firewall, registry settings that harden SMB and LDAP
signing and the LAN Manager authentication level, and the audit policy to
apply.
After you use SCW to create a security policy, you can apply the policy to the same
computer or save it to a file and then apply it to another computer. After you apply
a security policy, the settings can be rolled back if required.
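The apply, analyze and roll back steps just described are also available from the command line through scwcmd.exe, which is installed with SCW on Windows Server 2008. The following added example, not part of the course, applies one saved policy to a list of member servers, analyzes each one against the policy afterwards, and shows the rollback and the conversion of the policy into a GPO. The policy path, server names, report directory and GPO name are assumptions.

```powershell
# Added example: drive the Security Configuration Wizard from a script with
# scwcmd.exe so one policy is applied consistently to several servers.

$policy      = 'C:\SCW\FileServerBaseline.xml'   # assumed: policy saved by the SCW wizard
$servers     = 'LON-FS1', 'LON-FS2'              # assumed member servers
$reportDir   = 'C:\SCW\Reports'                  # assumed
$analysisXsl = "$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"   # stylesheet shipped with SCW

function Invoke-ScwConfigure {
    param([string]$Server)
    # Applies the policy over RPC. The roles the policy refers to must be installed
    # on the target, otherwise SCW refuses to apply it.
    scwcmd configure /m:$Server /p:"$policy"
    if ($LASTEXITCODE -ne 0) { Write-Warning "configure failed on $Server (exit code $LASTEXITCODE)" }
}

function Invoke-ScwAnalyze {
    param([string]$Server)
    if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }
    # Writes <Server>.xml to $reportDir listing every setting that differs from the policy
    scwcmd analyze /m:$Server /p:"$policy" /o:"$reportDir"
    $result = Join-Path $reportDir "$Server.xml"
    if (Test-Path $result) { scwcmd view /x:"$result" /s:"$analysisXsl" }   # renders the report
}

function Invoke-ScwRollback {
    param([string]$Server)
    # Restores the settings SCW recorded on the target before the last configure
    scwcmd rollback /m:$Server
}

foreach ($s in $servers) {
    Invoke-ScwConfigure -Server $s
    Invoke-ScwAnalyze   -Server $s   # immediately after applying, the report should show no mismatches
}

# To enforce the same settings through Group Policy instead of per-server
# application, convert the policy into a GPO (assumed GPO display name):
# scwcmd transform /p:"$policy" /g:"SCW File Server Baseline"
```

Re-running Invoke-ScwAnalyze on a schedule turns the policy file into a drift check: any setting an administrator changes by hand afterwards shows up in the report. Note that a GPO produced by scwcmd transform carries the service, registry and audit settings but not the firewall rules, which must be deployed separately.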
Note: The Windows Server 2008 Security Guide includes security templates with
recommended settings for Windows Server 2008 environments. Templates are
included for domain controllers and member servers. You can download the guide
from the Microsoft Web site at http://go.microsoft.com
/fwlink/?LinkID=167160&clcid=0x409.
Remote access is used by many organizations to provide users with access to data
from outside the network. The most common type of remote access is virtual
private networks (VPNs). When planning a remote access solution, you must
determine which VPN protocols will be used, as each has a unique set of
characteristics that make it suited to different scenarios. Network policies and
Network Policy Server are used to control the authentication for remote access and
can be used in several configurations to meet the needs of your organization.
Objectives
After completing this lesson, you will be able to:
Describe considerations for VPN protocols.
Describe considerations for network policies.
Describe considerations for Network Policy Server.
Key Points
A VPN uses a tunneling protocol to carry traffic for a remote network across an
intermediate network such as the Internet. Tunneling encapsulates the original
packets inside the packets of the tunneling protocol, so protocols that
firewalls would otherwise block, such as the remote procedure call (RPC)
traffic used by many Windows applications, reach the remote network inside a
single authenticated connection.
A VPN can be used to access data and applications remotely. However, a VPN
requires the client computer to be configured with a VPN connection. This makes a
VPN suitable only for computers that can be configured, such as a home computer
or a company laptop. It is not typically possible to create a VPN connection on a
public access computer at a library or Internet café.
A VPN connection typically has high latency, which makes a VPN unsuitable for
running most applications. Terminal Services is a better solution for running most
applications. A VPN is a reasonable way to transfer data.
Key Points
Network policies are a set of rules used by the Routing and Remote Access
Service (RRAS) to determine which users are able to connect remotely and under
what conditions. The most commonly implemented RRAS functionality is a VPN
server.
Some considerations for network policies are:
By default, each RRAS server has its own set of network policies. If you have
multiple RRAS servers, you must create the same set of policies on each server
for the same behavior to occur on each server.
You can maintain different network policies on different servers to meet the
needs of different user groups. For example, the engineering group may
maintain its own VPN server that only engineering users are able to use, while
another VPN server is used for other users in the organization.
The default network policies prevent access. To allow access, you must create a
new network policy or allow access on the Dial-in tab in the properties of a
user account.
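When you do want identical policies on several RRAS or NPS servers, the alternative to recreating them by hand is to export the configuration from one server and import it on the others. The following added example, not part of the course, does that with the netsh nps export and import commands included in Windows Server 2008. It assumes Windows PowerShell remoting is enabled on the servers and that the account running it is an administrator on each; server names and paths are assumptions. The export file contains RADIUS shared secrets, so it is copied through administrative shares and deleted as soon as it has been imported.

```powershell
# Added example: replicate the NPS configuration (including network policies)
# from a reference server to other servers so they behave identically.

$reference = 'LON-NPS1'                       # assumed: server whose policies are authoritative
$targets   = 'LON-NPS2', 'NYC-NPS1'           # assumed: servers that must match it
$remoteTmp = 'C:\Windows\Temp\nps-config.xml' # scratch path on every server
$localCopy = Join-Path $env:TEMP 'nps-config.xml'

function Get-AdminSharePath {
    # C:\Windows\Temp\x.xml on SERVER -> \\SERVER\C$\Windows\Temp\x.xml
    param([string]$Server, [string]$LocalPath)
    return "\\$Server\" + $LocalPath.Replace(':', '$')
}

function Export-NpsConfig {
    param([string]$Server)
    # exportPSK=YES includes RADIUS client shared secrets; without it the import
    # would leave every RADIUS client unable to authenticate
    Invoke-Command -ComputerName $Server -ArgumentList $remoteTmp -ScriptBlock {
        param($f) netsh nps export filename="$f" exportPSK=YES
    }
    Copy-Item -Path (Get-AdminSharePath $Server $remoteTmp) -Destination $localCopy
    Invoke-Command -ComputerName $Server -ArgumentList $remoteTmp -ScriptBlock { param($f) Remove-Item $f }
}

function Import-NpsConfig {
    param([string]$Server)
    # The file is copied from the admin workstation, not read from a share inside
    # the remote session, which would fail the Kerberos second hop
    Copy-Item -Path $localCopy -Destination (Get-AdminSharePath $Server $remoteTmp)
    Invoke-Command -ComputerName $Server -ArgumentList $remoteTmp -ScriptBlock {
        param($f)
        netsh nps import filename="$f"   # replaces the server's NPS configuration
        Remove-Item $f
    }
}

function Show-NpsConfig {
    param([string]$Server)
    Invoke-Command -ComputerName $Server -ScriptBlock { netsh nps show config }
}

Export-NpsConfig -Server $reference
foreach ($t in $targets) { Import-NpsConfig -Server $t }
Remove-Item $localCopy
Show-NpsConfig -Server $targets[0]   # compare with the reference server's output
```

The import replaces the whole configuration, including RADIUS clients, so run it only on servers that are meant to be clones of the reference. Where only the policies should be shared, the cleaner design is the one the next topic describes: make one NPS server the RADIUS server and have the RRAS servers forward authentication to it, so the policies exist in a single place.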
Key Points
Network Policy Server (NPS) is a role service of the Network Policy and Access
Services role. Some of the functionality in NPS was provided by Internet
Authentication Service (IAS) in Windows Server 2003. It contains three
components:
RADIUS server. A RADIUS server is a central service that provides
authentication, authorization, and accounting for network access servers.
RRAS servers, wireless access points, and 802.1X switches can forward
authentication requests to the RADIUS server instead of using local network
policies.
RADIUS proxy. A RADIUS proxy is a central service that routes RADIUS
authentication requests to the appropriate RADIUS server, for example based on
the realm portion of the user name.
NAP policy server. NAP requires a central location for health policies. A NAP
policy server performs this function.
Key Points
NAP is a system that enforces client health before allowing access to the network.
Client health is defined in policies by an administrator and enforced by a
Network Policy Server (NPS). NAP does not block intruders or malicious users.
Instead, NAP ensures that clients have an appropriate configuration such as
software updates installed and antivirus software that is current.
NAP includes multiple enforcement mechanisms. You can implement one or more
of these mechanisms at the same time, depending on your network scenario.
When a computer is noncompliant with the health policy, you can then allow
limited access to the network. The limited access is, typically, to remediation
servers. Remediation servers provide resources for computers to become
compliant. For example, a remediation server could be a Windows Server Update
Services (WSUS) server that clients can use to download and apply required
updates.
Key Points
NAP uses a System Health Validator (SHV) on the server side and a System Health
Agent (SHA) on the client side to evaluate health status. The SHA and SHV are a
matched set that must be deployed together. NAP includes a Windows SHV, and a
corresponding Windows SHA is included in Windows XP SP3, Windows Vista,
Windows 7, and Windows Server 2008.
The settings monitored by the Windows SHV are based on the settings that are
monitored by Windows Security Center on the client. Software must be compatible
with the Windows Security Center to be monitored.
Note: Security Update Protection should not be enabled unless you have configured
WSUS for your network. If clients are not registered with a WSUS server and Security
Update Protection is enabled, clients are automatically placed on the restricted network
even if they are configured with the necessary updates.
NAP can be extended to monitor additional settings and software. You can do this
by deploying additional SHAs on NAP clients and additional SHVs on NPS servers.
Some products that NAP can integrate with are:
System Center Configuration Manager (SCCM). When SCCM is integrated
with NAP, you can monitor the application of specific updates.
Microsoft Forefront Client Security. When Forefront Client Security is
integrated with NAP, you can perform additional actions. For example, you
can perform an auto-remediation of a stopped service by restarting the stopped
service. You can perform Forefront integration by using the Microsoft
Forefront Integration Kit for Network Access Protection.
Note: To find organizations that are shipping an SHA and SHV for their products, see the
Network Access Protection Communities and Partners page on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkID=167163&clcid=0x409.
Key Points
DHCP enforcement requires the use of a NAP-integrated DHCP server. The DHCP
server included with Windows Server 2008 is NAP-integrated for IPv4 addressing,
but not for IPv6. The health status of the client computer is sent with the DHCP
lease request.
If the client computer is noncompliant, a lease is given with:
A default gateway of 0.0.0.0
A subnet mask of 255.255.255.255
Static routes to remediation servers
Because these restrictions exist only in the lease, a user with local
administrator rights can bypass DHCP enforcement by configuring a static IP
address. DHCP enforcement is therefore the easiest method to deploy but the
weakest; treat it as a compliance aid rather than a security boundary.
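The restricted lease is easy to recognise from the client side, which is useful when troubleshooting why a machine cannot reach the network. The following added example, not part of the course, enables the DHCP enforcement client on a NAP client with netsh nap client and then reads the lease from WMI to report whether it is a restricted one: a /32 subnet mask, no default gateway, and host routes pointing at the remediation servers. The enforcement client ID 79617 is the DHCP Quarantine Enforcement Client; the service name napagent is the Network Access Protection Agent.

```powershell
# Added example: enable NAP DHCP enforcement on a client and detect whether the
# current DHCP lease is the restricted lease handed to noncompliant computers.

function Enable-NapDhcpEnforcement {
    # Enforcement client IDs: 79617 DHCP, 79618 RAS (VPN), 79619 IPsec,
    # 79621 TS Gateway, 79623 EAP (802.1X)
    netsh nap client set enforcement ID=79617 ADMIN="ENABLE"
    # Nothing is evaluated unless the NAP agent service is running
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    netsh nap client show state
}

function Get-NapLeaseState {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE AND DHCPEnabled = TRUE"
    foreach ($nic in $nics) {
        $ip   = @($nic.IPAddress | Where-Object { $_ -notmatch ':' })[0]       # first IPv4 address
        $mask = @($nic.IPSubnet  | Where-Object { $_ -match '^\d+\.' })[0]     # its dotted-decimal mask
        $gw   = @($nic.DefaultIPGateway | Where-Object { $_ })                 # empty when no gateway
        $restricted = ($mask -eq '255.255.255.255') -and ($gw.Count -eq 0 -or $gw[0] -eq '0.0.0.0')

        # Host routes (/32) on this interface, excluding the address itself and the
        # broadcast route Windows always adds; what remains are the remediation servers
        $routes = Get-WmiObject Win32_IP4RouteTable -Filter "InterfaceIndex = $($nic.InterfaceIndex) AND Mask = '255.255.255.255'" |
                  Where-Object { $_.Destination -ne $ip -and $_.Destination -ne '255.255.255.255' } |
                  ForEach-Object { $_.Destination }

        New-Object PSObject -Property @{
            Adapter           = $nic.Description
            IPAddress         = $ip
            SubnetMask        = $mask
            DefaultGateway    = ($gw -join ',')
            DhcpServer        = $nic.DHCPServer
            RestrictedLease   = $restricted
            RemediationRoutes = (@($routes) -join ',')
        }
    }
}

Get-NapLeaseState | Format-List Adapter, IPAddress, SubnetMask, DefaultGateway, DhcpServer, RestrictedLease, RemediationRoutes
```

A compliant client shows its normal mask and gateway and no extra host routes; a restricted client shows RestrictedLease set and the remediation servers listed. The same check, run after the client has been remediated and has renewed its lease with ipconfig /renew, confirms that the DHCP server moved it back to the full lease.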
Key Points
VPN enforcement requires the use of a NAP-integrated VPN server. The RRAS
server included with Windows Server 2008 is NAP integrated. The health status of
the client computer is sent as part of the authentication process.
When a computer is noncompliant, the VPN connection is still authenticated.
However, IP filters are used to restrict access to only remediation servers.
Considerations for VPN enforcement include the following:
VPN enforcement is best suited to situations in which a VPN is already being
used. It is unlikely that you will implement VPN connections on an internal
network to use VPN enforcement.
Key Points
To implement 802.1X enforcement, you must ensure that the network switches or
wireless access points (WAPs) support 802.1X authentication. The switches or
WAPs then act as an enforcement point for NAP clients. The health status of the
client is sent as part of the authentication process.
When a computer is noncompliant, the switch places the computer on a separate
virtual local area network (VLAN) or uses packet filters to restrict access to only
remediation servers.
Key Points
To implement IPsec enforcement, you must put additional software components
on the network. A Health Registration Authority (HRA) is required to act as an
enforcement point, and a Certification Authority (CA) is required to generate
health certificates. However, no specific hardware components are required. So
IPsec enforcement can be implemented in any environment.
The health status of a computer is verified with an HRA. The HRA then issues a
health certificate to the computer. The health certificate is used for IPsec
authentication.
When a computer is noncompliant, the computer is unable to successfully
complete IPsec authentication and is limited to a restricted network. The restricted
network has remediation servers on it.
Gregory Weber
From: Allison Brown [Allison@adatum.com]
Sent: 4 Aug 2009 10:22
To: Gregory@adatum.com
Subject: Security Plan for Finance Application
Greg,
As we discussed in the meeting this morning, I'd like you to take the lead on
planning security for the new Web-based finance application. Here are some of the
requirements that have come up:
All users of the application must be authenticated.
All data transferred over the network to or from the application must be
encrypted.
Access must be limited to only domain-joined computers in the finance
department.
The IT management committee has really bought into the idea of Defense-in-
Depth that you presented at the last committee meeting. I think it would be helpful
if you could present the security plan for this server in that context.
Let me know if you require any clarification.
Regards
Allison
Defense-in-Depth layers (diagram): Policies, procedures, and awareness; Physical
security; Perimeter; Internal network; Host; Application.
Results: After this exercise, you should have a completed security plan for the new
finance application and a plan for preventing malware on the network.
Results: After this exercise, you should have successfully implemented firewall rules.
Note: A custom configuration is used because SEA-DC1 has only a single network
adapter. You must have two network adapters to select the Remote Access (Dial-Up Or
VPN) configuration.
Note: If you experience an error during your connection attempt, review the
configuration of your SSTP listener by using the instructions from Setting Up
The SSTP Listener And Verifying It in the Routing And Remote Access Blog at
http://go.microsoft.com/fwlink/?LinkID=167164&clcid=0x409. In particular, to
replace the certificate used by SSTP, you must manually remove the existing
certificate and then add the new one.
Results: After this exercise, you should have successfully implemented an SSTP VPN.
Results: After this exercise, you should have successfully implemented NAP with DHCP
enforcement.
Review Questions
1. How does Defense-in-Depth help you identify and mitigate risks?
2. You have recently migrated your servers to Windows Server 2008. After the
migration, administrators are being prompted for permission each time they
run an administrative tool on the server. A colleague suggests that this
functionality be disabled because it is annoying. How do you respond?
3. How can you identify when viruses or malware have infected a computer?
4. How does UAC prevent viruses and malware from infecting a computer?
Configuration is time-consuming because network policies must be created on
each VPN server.
When you are faced with multiple administrative tasks during your working day, it
is important that you know which tool to use for a specific task. Windows Server
2008 provides tools with both a graphical interface and a command-line interface.
Windows PowerShell extends the capabilities of the command line, and provides
you with a feature-rich, powerful, programmatic interface for performing your
administrative tasks.
As networks get larger, and servers more distant from the administrators that
manage them, it is important that you understand how to enable and perform
administrative tasks remotely.
Planning Server Administration 8-5
Key Points
There are many different administrative tools that you use in order to manage
Windows Server; many of these tools provide a graphical interface. If you have
administered earlier versions of Windows, you are probably familiar with many of
these tools. Windows Server 2008 provides two new administrative tools with a
graphical interface: the Initial Configuration Tasks (ICT) wizard and Server
Manager.
Server Manager
The new Server Manager console simplifies the task of administering and securing
server roles with Windows Server 2008. Server Manager in Windows Server 2008
provides tools to:
Add, remove, or manage server roles.
Add, remove, or manage server features.
Access diagnostics tools, including Event Viewer, Device Manager, and the
Reliability and Performance console.
Perform configuration of tasks, firewall settings, services, local users and
groups, and WMI settings.
Configure and manage storage.
In short, the Server Manager console provides a single point for managing a server.
The Server Manager console uses integrated wizards to guide you through the
process of adding server roles; these wizards perform all the necessary dependency
checks and perform conflict resolution so that your server is stable, reliable, and
secure.
Note: You can use Server Manager to add several roles at once, even if they are
unrelated. For example, if you plan to provision a server as a branch office, you might
select the DNS Server, DHCP Server, and Print Server roles simultaneously.
Note: The Server Manager console replaces the Computer Management tool in Windows
Server 2003.
Key Points
Although graphical tools are often simpler to use than command-line tools,
command-line tools can often be the quickest way of performing an administrative
task. For example, using Active Directory Users and Computers to change the
telephone number for all users that reside in a particular office building could take
a little while, whereas using a command-line tool enables you to perform the
update in a single, simple line of syntax.
ServerManagerCmd.exe
The ServerManagerCmd.exe tool enables you to perform certain Server Manager
tasks outside of the Windows graphical user interface (GUI), such as installation or
removal of roles, role services and features, command validation, and querying the
current state of the computer.
In addition, ServerManagerCmd.exe allows for installation or removal of multiple
roles, role services, or features in a single command instance by using XML answer
files.
Windows PowerShell
You install Windows PowerShell as a Windows Server 2008 feature. It is included
as a standard part of the Windows Server 2008 operating system. Windows
PowerShell is based on cmdlets that enable you to perform virtually any
management or administrative tasks by using simple, discoverable, verb-noun
syntax. One of the most far-reaching features of Windows PowerShell is the ability
to pipe, or pass, the result of one command to a following command; in this way,
you can create very powerful administrative commands with very little knowledge
of scripting.
Key Points
Use standard command-line tools.
Use Windows PowerShell.
Use the Directory Service (DS) tools.
High-level steps:
1. Use the Netsh command-line tool to configure network settings.
2. Use the Netdom command-line tool to perform Active Directory-related
administrative tasks.
3. Use winrs to execute a command on a remote server.
4. Install the Windows PowerShell feature.
5. Perform some typical Windows PowerShell tasks.
Question: How would you accomplish the task of updating users' office location
by using Active Directory Users and Computers? For example, what if all users with
the office location London were moving to Windsor?
Key Points
In the early days of networking, it was common for administrators to perform
management tasks sitting at the server console. As networks have grown in size
and importance, this practice of interactive administration has diminished.
Consequently, it is important that you understand how to enable and use the
various remote management tools and technologies provided in Windows
Server 2008.
Note: You can download the RSAT tools for Windows Vista from the Microsoft Download
Center at http://go.microsoft.com/fwlink/?LinkID=166022&clcid=0x409.
Remote Desktops
Perhaps one of the easiest ways of performing remote administration is to use
Remote Desktop. You can enable Remote Desktop on your remote server by using
the Remote Settings link from System in Control Panel. You can then use the
Remote Desktop Connection to connect to your remote server from any other
server or client computer. The advantage of using this method is that it requires no
additional features or software to be installed on the client or server computer.
If you want to administer multiple computers simultaneously, you can use the
Remote Desktops snap-in. To do this, run tsmmc.msc on any server computer. You
can then create Remote Desktop connections to multiple remote computers.
Winrm quickconfig
Additional Information
For more information about Windows Remote Management tools, see
http://go.microsoft.com/fwlink/?LinkID=164006&clcid=0x409.
Firewall Issues
It is important to realize that by default, Windows Firewall is enabled on all
network connections. Remote administration tools use a variety of protocols and
ports to connect to remote servers. You must modify the firewall settings to enable
remote administration. The following settings are relevant for enabling remote
administration:
Remote Administration
Remote Desktop
Remote Event Log Management
Remote Scheduled Tasks Management
Remote Service Management
Remote Volume Management
Windows Management Instrumentation (WMI)
Windows Remote Management
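As an added example that is not part of the course text, the following Windows PowerShell script enables the rule groups listed above with netsh advfirewall and, rather than opening them to any address, scopes the inbound rules to one management subnet; a second function parses the firewall's own rule listing so a rule still scoped to "Any" can be spotted. The subnet 10.10.20.0/24 is a placeholder, and the group names are the English display names used by Windows Firewall with Advanced Security on Windows Server 2008.

```powershell
# Added example, not from the course text: enable the remote administration
# rule groups and restrict them to a management subnet. Run from an elevated
# Windows PowerShell prompt on the managed server.

$ManagementSubnet = '10.10.20.0/24'   # placeholder: replace with your management network

# The groups the lesson lists; each is a predefined rule group in the firewall.
$RemoteAdminGroups = @(
    'Remote Administration',
    'Remote Desktop',
    'Remote Event Log Management',
    'Remote Scheduled Tasks Management',
    'Remote Service Management',
    'Remote Volume Management',
    'Windows Management Instrumentation (WMI)',
    'Windows Remote Management'
)

function Enable-RemoteAdminRules {
    # Enables the inbound rules of each group and rewrites their remote address
    # scope to the management subnet in the same netsh call. Returns the groups
    # that netsh could not configure (empty when everything succeeded).
    param(
        [string[]]$Groups   = $RemoteAdminGroups,
        [string]  $RemoteIp = $ManagementSubnet
    )
    $failed = @()
    foreach ($group in $Groups) {
        & netsh advfirewall firewall set rule group="$group" dir=in new enable=yes remoteip=$RemoteIp | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed += $group }
    }
    return $failed
}

function Get-RemoteAdminRuleScope {
    # Parses "netsh advfirewall firewall show rule" output (blocks of
    # "Label: value" lines separated by blank lines) into objects, keeping
    # only rules that belong to the remote administration groups.
    param([string[]]$Groups = $RemoteAdminGroups)
    $block = @{}
    $lines = @(& netsh advfirewall firewall show rule name=all dir=in)
    foreach ($line in ($lines + '')) {     # trailing '' flushes the final block
        if ($line -match '^\s*$') {
            if ($block['Grouping'] -and ($Groups -contains $block['Grouping'])) {
                New-Object PSObject -Property @{
                    RuleName = $block['Rule Name']
                    Group    = $block['Grouping']
                    Enabled  = $block['Enabled']
                    RemoteIP = $block['RemoteIP']
                }
            }
            $block = @{}
        } elseif ($line -match '^([^:]+):\s*(.*)$') {
            $block[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
}

$notConfigured = @(Enable-RemoteAdminRules)
if ($notConfigured.Count -gt 0) {
    Write-Warning "Groups not configured: $($notConfigured -join ', ')"
}

# After the change every listed rule should show RemoteIP = 10.10.20.0/24;
# a rule still showing "Any" accepts management traffic from every address.
Get-RemoteAdminRuleScope | Format-Table RuleName, Group, Enabled, RemoteIP -AutoSize
```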
With the Server Core installation type, Windows Server 2008 can be installed with
core functionality only. By installing only the files and services needed to
support core network infrastructure roles, Server Core provides a more secure and
stable platform.
Objectives
After completing this lesson, you will be able to:
Describe Server Core.
List the server roles and features supported by Server Core.
Determine when to deploy Server Core.
Enable effective administration of Server Core.
Key Points
Windows Server 2008 Server Core provides a minimal operating system
installation, which reduces disk space and memory requirements. The reduced
footprint of Server Core requires less maintenance, reduces the opportunities for
network attacks, and can make Server Core a good candidate for remote branch
office scenarios.
Server Core is a minimal server installation option for Windows Server 2008
without a GUI. Server Core provides an environment for running key network
infrastructure roles only. To accomplish this, the Server Core installation option
installs only a subset of the executable files and supporting dynamic-link libraries
(DLLs).
You can perform an unattended Server Core deployment to install and configure
Server Core simultaneously, rendering post-installation configuration of the new
server unnecessary; this capability can be used to support scenarios like rapid
datacenter capacity scale-out or server deployment for remote branch offices.
Server Core supports network infrastructure roles, including:
DHCP Server
DNS Server
File Server
Domain Controller
Key Points
The Server Core installation of Windows Server 2008 supports the following server
roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services
Print Services
Hyper-V
Web Services (IIS)
Key Points
Scenario 1
Fabrikam wants to deploy new branch servers to its regional development centers.
The managers have asked you to advise them where they could implement Server
Core, and where they must use a full installation of Windows Server 2008.
Scenario 3
Northwind Traders has started to deploy Windows Server 2008 servers around the
organization. The company wants to ensure that its branch offices can support its
users' needs in the event of a network failure between the branch and the head
office. Security is important because the branch offices often have customers
walking in off the street, and there is nowhere at the branches to physically secure
servers.
Key Points
Because no GUI is available, configuring and administering a Server Core
installation requires a different approach when compared to a full Windows Server
2008 installation. The minimal interface in Server Core requires a modified use of
command prompt administrative tools or remote administration over the network.
Initial Configuration
Before you can administer the server, you must complete the post-installation
configuration steps. These are:
Specify the IPv4 address. A DHCP address is configured by default, but you
can specify a static address.
If you need to join the Server Core system to an existing Windows domain,
you will need the user name and password of an account that has permission to
join computers to the domain.
Note: The program to allow is substituted with Remote Administration, Remote Service
Management, and the other remote management options discussed in the last lesson.
Slmgr.vbs -ato
Note: Not all tasks can be performed from the command line or remotely through an
MMC snap-in. To enable you to configure these settings, the scregedit.wsf script is
included with the Server Core installation of Windows Server 2008. Scregedit.wsf can be
used to configure the paging file, enable automatic updates, enable error reporting,
enable Remote Desktop, and enable Terminal Server clients on previous versions of
Windows to connect to the Server Core-based computer. Scregedit.wsf is
located in the \Windows\System32 folder of the server running the Server Core
installation.
The case-sensitive Ocsetup Role Package command enables you to add or remove
server roles.
To add a role.
To remove a role.
Note: You cannot use the Active Directory Domain Controller Installation Wizard
(Dcpromo.exe) on a server running Server Core. You must use an unattended file with
Dcpromo.exe to install or remove the Domain Controller role on a server running a
Server Core installation.
Key Points
In your role as a server administrator, you have many different tasks to perform;
some you perform infrequently, such as deploying additional servers; others, you
perform more frequently, such as resetting user passwords.
In order to enable you to work more efficiently, you can consider delegating some
of these tasks to other users within the organization. This topic describes the
common administrative tasks that you could consider delegating.
Server Administration
To some extent, all of the administrative tasks discussed in this topic can be
considered to be server administration. However, for the purposes of this
discussion, server administration focuses on the tasks you perform solely on the
server computer:
Stop and start computer services.
Perform backup and restore operations.
Add and remove server roles or features.
Manage storage.
Configure local folder security.
Enable and configure sharing.
Configure firewall settings.
Configure specific applications that are installed on the server, for example
Microsoft Exchange Server, Microsoft SQL Server, or others.
Shut down the server.
Note: This is not an exhaustive list of all administrative tasks, but rather should serve as
the basis for discussion about which administrative tasks could be delegated, and to
whom.
Key Points
This is an open discussion. Consider the list of administrative tasks in the
preceding topic, and as a class, discuss which you might consider delegating. In
addition, explain to whom you might delegate the task. For example, you might
decide to delegate the ability to reset user passwords to someone at a branch office
with relevant technical experience at management level. However, you might not
want that same user to be responsible for deploying computer accounts.
Key Points
Delegate common administrative tasks
High-level steps:
1. Delegating administrative tasks to members of a local group.
2. Delegating administrative tasks by using the Delegate Control wizard.
3. Viewing and modifying Active Directory object permissions to enable
delegation.
4. Testing the delegated abilities.
The Sales department branch offices have been operational for some time. Joe
Healy has requested more control over the administration of the Sales
branches.
Requirement Overview
Determine which tasks can be delegated to Joe Healy in Sales.
Specify how this delegation will be achieved.
Additional Information
Proposals
1. Which features will you need to install on a recently deployed departmental server
to support administrative delegation?
2. How will you manage the requirement that Joe needs to be able to manage which
GPOs apply to the Sales OU without giving him the ability to edit the GPO
settings?
5. Because you are not permitted to grant Joe any delegated permissions directly,
how will you achieve the required delegation?
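As an added example that is not part of the course text or of a model answer, the following Windows PowerShell script shows one way to deliver this delegation from the command line with dsmod and dsacls rather than the Delegate Control wizard. The OU (OU=Sales,DC=adatum,DC=com), the group ADATUM\Sales-BranchAdmins and Joe's distinguished name are placeholders; the permissions are granted to the group only, and Joe receives them through membership.

```powershell
# Added example, not from the course text: delegate password resets and GPO
# link management on the Sales OU to a group, then make Joe a member.
# All distinguished names below are placeholders for the adatum.com lab domain.
# Run from an elevated prompt on a domain-joined server with the AD DS tools.

$SalesOu = 'OU=Sales,DC=adatum,DC=com'
$GroupDn = 'CN=Sales-BranchAdmins,OU=Sales,DC=adatum,DC=com'
$Group   = 'ADATUM\Sales-BranchAdmins'
$JoeDn   = 'CN=Joe Healy,OU=Sales,DC=adatum,DC=com'

# 1. Joe is placed in the group; no permission is ever granted to his account.
dsmod group $GroupDn -addmbr $JoeDn

# 2. Password resets on user objects below the OU. /I:S applies the entries to
#    sub-objects only, so the OU object itself is untouched. The control-access
#    right "Reset Password" performs the reset; write access to pwdLastSet lets
#    the delegate force a change at next logon, as the wizard's task does.
dsacls $SalesOu /I:S /G "${Group}:CA;Reset Password;user" "${Group}:RPWP;pwdLastSet;user"

# 3. Choosing which GPOs apply to the OU without the right to edit them: the
#    links live in the OU's gPLink and gPOptions attributes, so write access to
#    those two attributes on the OU is enough. Editing a GPO's settings is
#    governed by the ACL on the GPO itself, which this script does not touch.
dsacls $SalesOu /G "${Group}:WP;gPLink;" "${Group}:WP;gPOptions;"

# 4. Verify: list the access control entries on the OU that name the group.
dsacls $SalesOu | Select-String 'Sales-BranchAdmins'
```

Testing the delegated abilities as Joe (the last high-level step of the lab) is still needed: a reset on a Sales user should succeed, and an attempt to open a linked GPO for editing should be refused.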
Results: After this exercise, you should have a completed Branch Office Delegation
proposal document.
Note: If you are already logged on as Joe, please log off and then proceed with the lab.
Results: After this exercise, you should have successfully delegated administration to
the branch personnel.
Review Questions
1. Which administrative tool(s) could you use to add server roles?
2. Which command-line tool(s) enables you to import objects into the Active
Directory directory service?
5. Automatic updates are enabled on Server Core by using the Netsh Updates
context. True or False?
Planning and Implementing Monitoring and Maintenance 9-1
The Windows Server 2008 operating system can use many monitoring tools.
This lesson discusses the range of monitoring features that are available for
Windows Server 2008 and how you can plan to measure the efficiency of the
operating system and hardware components through monitoring.
Objectives
After completing this lesson, you will be able to:
Explain why it is important to monitor servers.
List various monitoring methods.
Plan for event monitoring.
Key Points
This is an open discussion. Consider why it is necessary to monitor servers, and
suggest these reasons to your instructor.
Key Points
You should select the most appropriate tool to suit the type of monitoring that is
required.
There are several methods that you can use to collect performance data from
servers in your organization. You should use each of these methods to suit your
requirements.
Real-time monitoring of computers is useful when you want to determine the effect
of performing a specific action or troubleshoot specific events. This type of
monitoring can also help you to ensure that you are meeting service-level
agreements (SLAs).
Analyzing historical data can be useful for tracking trends over time, determining
when to relocate resources, and deciding when to invest in new hardware to meet
the changing requirements of your business. You should use historical
performance data to assist you when you plan future server requirements.
Tool Description
Windows Server 2008 Event Viewer: Windows Server 2008 Event Viewer collects
information that relates to server operations. This data can help to identify
performance issues on a server. You should search for specific events in the event
log file to locate and identify problems.
Windows System Resource Manager (WSRM): Using WSRM, you can control how CPU
resources are allocated to applications, services, and processes. Managing these
resources improves system performance and reduces the chance that these
applications, services, or processes will interfere with the rest of the system.
WSRM is a feature of Windows Server 2008.
Key Points
You should consider the cost that monitoring events incurs. The cost that is
incurred to monitor systems is an investment in ensuring that your systems
continue to run effectively and efficiently. You can measure costs by using several
metrics, including:
Time allocated to personnel to perform monitoring tasks.
Money invested in monitoring systems.
Additional Reading
For more information about SCOM 2007, see the Microsoft System Center
Operations Manager Web site at
http://go.microsoft.com/fwlink/?LinkID=166112&clcid=0x409.
For more information about the Dynamic Systems Initiative, see Dynamic Systems
Initiative Overview White Paper on the Microsoft Web site.
http://go.microsoft.com/fwlink/?LinkID=166115&clcid=0x409.
This lesson discusses some of the key server components to measure. You will
learn how to use analysis and planning techniques from collected performance
metrics to improve your server infrastructure.
Objectives
After completing this lesson, you will be able to:
Determine which hardware components you should monitor.
Describe common performance metrics.
Analyze performance trends.
Plan for future capacity requirements.
Key Points
This is an open discussion.
Key Points
You should familiarize yourself with basic performance measurement objects and
counters to monitor the main hardware components.
The following table lists some common performance metrics to measure.
Object Descriptions
Cache: Monitors the file system cache. The cache is an area of physical memory
that is used to store recently used data to permit access to the data without
having to read from the disk.
Key Points
You should give careful consideration to the value of performance data to ensure
that it reflects the real server environment.
You should consider performance analysis alongside business plans.
It may be possible to reduce the number of servers in operation after you have
measured performance.
By analyzing performance trends, you can predict when existing capacity is likely
to be exhausted. You should review historical analysis with consideration to your
business and use this to determine when additional capacity is required. Some
peaks are associated with one-time activities such as very large orders. Other peaks
occur on a regular basis, such as a monthly payroll, and these peaks may require
increased capacity to meet increasing numbers of employees.
Key Points
New server applications and services affect the performance of your IT
infrastructure. These services may receive dedicated hardware although they often
use the same local area network (LAN) and wide area network (WAN) network
infrastructure. Planning for future capacity should include all hardware
components and how new servers, services, and applications affect the existing
infrastructure. Factors such as power, cooling, and rack space are often overlooked
during initial exercises to plan capacity expansion. You should consider how your
servers can scale up and out to support an increased workload.
Tasks such as upgrading to Windows Server 2008 and updating operating systems
may affect your servers and network. It is not unknown for an update to cause a
problem with an application. Careful performance monitoring before and after
updates are applied can identify problems.
Windows Server 2008 provides a range of tools to monitor the operating system
and applications that you can use to tune your system for efficiency. You should
use these tools and complement them where necessary with your own tools.
Objectives
After completing this lesson, you will be able to:
List the Windows Server 2008 monitoring tools.
Describe the function of Performance Monitor.
Describe the function of Reliability Monitor.
Determine when to use third-party monitoring tools.
Use event subscriptions.
Identify business requirements.
Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your
systems.
The following table lists tools that you can use to monitor Windows Server 2008.
Tool Description
Windows Server 2008 Event Viewer: Windows Server 2008 Event Viewer collects
information that relates to server operations. This data can help to identify
performance issues on a server. You should search for specific events in the event
log file to locate and identify problems. Log files are available through the Event
Viewer console; this removes much of the requirement for log file interrogation by
using tools such as Notepad. However, some installation files and third-party
applications continue to require the use of programs such as XML Notepad to
review log file entries.
Key Points
Performance Monitor provides a visual display of Windows performance objects
and counters, either in real time or as a review of historical data. Performance
Monitor features multiple graph views that you can use to review performance log
data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.
New features of the Windows Reliability and Performance Monitor to Windows
Server 2008 include the following:
Data collector sets. Data collector sets group data collectors into reusable
elements for use with different performance monitoring scenarios.
Performance counters are values that are generated by the operating system
or applications to indicate performance measurements. You can use these
measurements for analysis and troubleshooting. You add performance counters to
Performance Monitor by selecting individual counters or by creating custom data
collector sets.
Note: It is best practice to perform the monitoring activity from a remote computer; that
is, use Performance Monitor and related tools, such as data collector sets, to collect
statistics from a remote computer rather than from the local computer. Running the
monitoring tools imposes a load on the monitoring system, and if the monitoring and
monitored systems were one and the same, that load would distort the data collected.
You can collect data for any performance-related object from the remote computer. For
example, if the remote computer is running Microsoft Exchange Server or Microsoft SQL
Server, you can access these objects from the monitoring workstation.
Key Points
Reliability Monitor can be accessed through the Reliability and Performance
Monitor.
Reliability Monitor provides a system stability overview and trend analysis with
detailed information about individual events that may affect the overall stability of
the system.
Windows Server 2008 uses the Reliability Analysis Component (RAC) to calculate
a reliability index that provides an indication of your overall system stability over
time. RAC also keeps track of any important changes to the system that are likely
to affect stability, such as Windows updates, application installations, and driver
installations. RAC begins collecting data at the time of system installation.
By using the Reliability Monitor, you can see the trends in your system reliability
index correlated with any potentially destabilizing events so that you can easily
trace a reliability change directly to a particular event.
Key Points
Third-party tools can help you monitor your server environment.
Hardware vendor tools are useful in detecting performance issues that occur
because of faulty hardware.
Many third-party tools integrate with Operations Manager to provide a centralized
monitoring console for your organization.
Windows Server 2008 provides a range of monitoring tools to meet the
requirements of your operating system. System administrators often require
additional tools to simplify the process of monitoring many computers and
providing a complete picture of their server health. Some programs also require
specific tools to monitor their performance.
Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored in
multiple logs on multiple computers. Event Viewer provides the ability to collect
copies of events from multiple remote computers, and store them locally. To
specify which events to collect, you create an event subscription. After a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
Using the event-collecting feature requires that you configure both the forwarding
and the collecting computers. The functionality depends on the Windows Remote
Management (WinRM) and the Windows Event Collector services (Wecsvc). Both
of these services must be running on computers participating in the forwarding
and collecting process.
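As an added example that is not part of the course text, the following Windows PowerShell script configures both sides of a collector-initiated subscription with the two services named above: WinRM on the forwarding computer and the Windows Event Collector (Wecsvc) on the collecting computer. ADATUM, SEA-SRV1 (source) and SEA-MGMT1 (collector) are placeholder names; the subscription collects failed logon events (Security event ID 4625) into the collector's ForwardedEvents log.

```powershell
# Added example, not from the course text: collector-initiated event forwarding.
# Placeholder names: domain ADATUM, source SEA-SRV1, collector SEA-MGMT1.

# --- On each forwarding (source) computer, from an elevated prompt ----------
# Enable the WinRM listener and its firewall exception, then allow the
# collector's computer account to read the Security log. Collector-initiated
# subscriptions with CredentialsType Default run as that computer account.
#   winrm quickconfig -q
#   net localgroup "Event Log Readers" "ADATUM\SEA-MGMT1$" /add

# --- On the collecting computer, from an elevated prompt --------------------
function New-FailedLogonSubscription {
    param(
        [string]  $Collector = 'SEA-MGMT1',
        [string[]]$Sources   = @('SEA-SRV1.adatum.com'),
        [string]  $Path      = "$env:TEMP\FailedLogons.xml"
    )
    # Start Wecsvc, set it to automatic start and create the ForwardedEvents log.
    & wecutil qc /q | Out-Null

    $sourceXml = ($Sources | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
    }) -join "`n"

    # Subscription description in the schema wecutil expects. The XPath query
    # selects only Security event 4625 so the collector is not flooded.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/subscriptions">
  <SubscriptionId>FailedLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons (Security 4625) forwarded to $Collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
    Set-Content -Path $Path -Value $xml -Encoding UTF8

    & wecutil cs $Path            # create the subscription from the XML file
    & wecutil gr FailedLogons     # runtime status per source: look for errors here
}

New-FailedLogonSubscription

# Forwarded events then appear in the collector's ForwardedEvents log and can be
# handled in Event Viewer like any locally stored event.
```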
Key Points
Performance tuning is an ongoing exercise where you never achieve perfection.
You should ensure that your server operations run effectively and meet all of your
business SLAs.
You should always attempt to find the most cost-effective solution to a
performance bottleneck.
When you discover a performance issue, you can respond to the event in many
ways. Sometimes, you may want to record the data for future analysis or start a
performance-monitoring tool to collect additional data. Alternatively, you may
decide to do nothing.
By taking measured and appropriate actions to an event, you can ensure that you
continue to meet SLAs and provide appropriate service for your users.
In this lesson, you will learn about the various options for software updates and
some of the best practices that you need to follow when performing software
updates.
Objectives
After completing this lesson, you will be able to:
Describe Microsoft Update.
Describe Automatic Updates.
Describe Windows Server Update Services (WSUS).
Determine the best way to deploy WSUS in your organization.
Use best practice with WSUS.
Key Points
Definition
Microsoft Update is a Web site that helps keep your systems up to date.
Use Microsoft Update to obtain updates for Windows operating systems and
applications, updated device drivers, and software. New content is added to the
site regularly, so you can always get the most recent updates to help protect your
server and the client computers on your network.
Key Points
Automatic Updates is a configurable option in Windows. It can download and
install operating system updates without any user intervention. The updates can be
downloaded from the Microsoft Update Web site or a WSUS server. Configuration
of Automatic Updates can be controlled centrally by the administrator.
Note: If required, the version of Automatic Updates is upgraded the first time a WSUS
server is contacted.
Digital Signatures
To ensure that the programs you download from Microsoft Update are from
Microsoft, all files are digitally signed. The purpose of digital signatures is to ensure
the authenticity and integrity of the signed files. Automatic Updates installs a file
only if it contains this digital signature.
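The same authenticity and integrity check can be applied to update packages that an administrator downloads and stages by hand. This added example (not from the course) uses Get-AuthenticodeSignature; the staging folder path is an assumption.

```powershell
# Added example (not course material). Verifies Authenticode signatures on staged update files.
$stagingFolder = 'C:\Updates\Staging'   # assumed location; point it at your own staging share

Get-ChildItem -Path $stagingFolder -Include *.msu, *.exe, *.cab -Recurse |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Status is Valid only when the hash matches AND the certificate chains to a trusted root;
        # HashMismatch means the file was altered after signing, NotSigned means no signature at all.
        # The subject check on its own proves nothing (anyone can put O=Microsoft in a self-signed
        # certificate), so it is only meaningful together with Status -eq 'Valid'.
        New-Object PSObject -Property @{
            File    = $_.Name
            Status  = $sig.Status
            Signer  = $signer
            Trusted = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        }
    } |
    Sort-Object Trusted |
    Format-Table File, Status, Trusted, Signer -AutoSize
```

Files that do not show Trusted = True should not be approved for deployment until the source is re-verified.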
Key Points
WSUS is an optional component for Windows 2000 Server or Windows Server 2003 that
can be downloaded from the Microsoft Web site. It acts as a central point on your
network for distributing updates to workstations and servers.
Supported Clients
WSUS Service Pack 1 (SP1) supports the following clients:
Windows Vista or later
Windows Server 2008 or later
Windows Server 2003, any edition
Windows XP Professional SP2 or later
Windows 2000 Professional SP4, Windows 2000 Server SP4, or
Windows 2000 Advanced Server with SP4
Server Component
You install the server component of WSUS on a server running Windows Server
2003 or Windows Server 2008 inside your corporate firewall. The firewall must be
configured to allow your internal server to synchronize content with the Microsoft
Update Web site whenever critical updates for Windows are available. The
synchronization can be automatic, or the administrator can perform it manually.
Synchronized updates must be approved before they can be installed by client
computers. This allows testing of updates with corporate applications before
distribution. This is a key benefit of WSUS over Microsoft Update.
Client Component
Automatic Updates is the client software that downloads and installs updates from
a WSUS server. The client must be configured with the location of a WSUS server.
The location can be configured through registry edits or through Group Policy.
Using Group Policy is strongly recommended.
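Whether the WSUS location arrives by Group Policy or by a registry edit, it ends up in the same policy keys, so a client can be audited by reading them back. This added example (not from the course) checks those keys for the inconsistencies that most often leave a client silently updating from Microsoft Update instead; the expected server URL is a constructed placeholder.

```powershell
# Added example (not course material). Audits the WSUS client settings on this computer.
$expectedServer = 'http://wsus.adatum.com:8530'   # constructed placeholder; use your WSUS URL

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"
$findings  = @()

if (-not (Test-Path $policyKey)) {
    Write-Warning 'No WindowsUpdate policy key found: this client is not pointed at any WSUS server'
    return
}
$wu = Get-ItemProperty -Path $policyKey
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

# WUServer is honoured only when AU\UseWUServer is 1; otherwise the client uses Microsoft Update.
if (-not $au -or $au.UseWUServer -ne 1) {
    $findings += 'AU\UseWUServer is not 1, so WUServer is ignored and updates come from Microsoft Update'
}
if ($wu.WUServer -ne $expectedServer) {
    $findings += "WUServer is '$($wu.WUServer)' but '$expectedServer' was expected"
}
if ($wu.WUStatusServer -ne $wu.WUServer) {
    $findings += 'WUStatusServer differs from WUServer, so status reports go to a different server'
}
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings += 'AU\NoAutoUpdate is 1: Automatic Updates is turned off on this client'
}

# Client-side targeting places the computer in a WSUS computer group (useful for staged testing).
if ($wu.TargetGroupEnabled -eq 1) {
    "Client-side targeting: computer group '$($wu.TargetGroup)'"
} else {
    'Client-side targeting is off; group membership, if any, is assigned on the WSUS server'
}

# AUOptions decides how much happens without user intervention.
$auOptions = @{ 2 = 'Notify before download'; 3 = 'Download, notify before install';
                4 = 'Download and schedule install'; 5 = 'Local administrator chooses' }
if ($au -and $auOptions.ContainsKey([int]$au.AUOptions)) {
    "AUOptions: $($au.AUOptions) ($($auOptions[[int]$au.AUOptions]))"
}

if ($findings.Count -eq 0) { 'WSUS client configuration looks consistent' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```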
Key Points
To allow for varied situations, you can deploy a WSUS server in several scenarios.
You can choose the deployment scenario that is most appropriate for your
organization. The decision factors may include the number of locations in your
network or the speed of your Internet connection.
Single-Site Network
In a single-site network, a single WSUS server can be sufficient to support as many
as 5,000 clients. This is suitable for most single-site networks.
Key Points
Due to the complex interdependencies between operating system components and
corporate applications, it is strongly recommended that all updates be tested
before deploying them to WSUS clients. This is particularly important for custom
designed or in-house applications that may not be as well written as commercially
available applications.
Guidelines
Use the following guidelines to install updates on the client computers on your
network.
Use computer groups for testing.
Computer groups let you control which computers are approved to install updates.
Using computer groups to install updates on test computers avoids the hassle of
downloading updates for testing through a separate process.
Scenario
Some of the users at A. Datum Corporation are reporting issues with certain
servers in the New York offices that have been identified as running slowly. The IT
manager, Allison Brown, has forwarded to you some performance log files from the
problematic server. You must evaluate data that is collected from performance logs
and identify where potential problems may exist.
Question: Write a brief report that outlines your findings and suggests possible
solutions to the problem.
Results: After this exercise, you should have identified performance issues with servers
and suggested steps to resolve the problems.
Question: Which specific counters do you anticipate will require careful analysis?
Results: After this exercise, you should have identified steps to create a data collector
set for measuring file server performance.
Results: After this exercise, you should have created a performance alert by using
Windows System Resource Manager (WSRM).
Review Questions
1. What are the benefits of monitoring server performance?
2. What are some of the tasks that you should undertake when you create a
performance baseline for a server?
You can use disk fault-tolerance, Windows Server 2008 Network Load Balancing,
and failover clustering to facilitate greater data availability and workload scalability.
Disk fault-tolerance ensures that your server continues to operate despite the
failure of one, or perhaps more than one, of the attached disks.
Network Load Balancing (NLB) is also used to support scalability and availability,
and is designed to work with applications in which maintaining state between
client requests is not critical.
Failover clustering can support both scalability and availability, and is designed to
work with applications that maintain state between client requests.
Key Points
This is an open discussion. Think about the sorts of problems that can occur that
will result in either service interruption or data loss; discuss these with the class.
Key Points
Hard disks are one of the few components with moving parts in your server
computer. The constant movement inevitably means that the parts wear out, and
the hard disk fails. In order to ensure the continued operation of your server
following a disk failure, you must implement fault tolerance within your storage
sub-system.
Using Redundant Array of Independent Drives (RAID) enables you to provide disk
fault tolerance.
Comparison of RAID configurations (columns: Performance, Reliability, Availability, Cost and capacity):

RAID 0 (striping)
Performance: Balanced load. Potential for better response times, throughput, and concurrency. Difficult stripe unit size choice.
Reliability: Data loss after one failure. Single loss affects entire array.
Availability: Single loss prevents access to entire array.
Cost and capacity: Minimal cost. Two-disk minimum.

RAID 1 (mirroring)
Performance: Two data sources for every read request (up to 100% performance boost on reads). However, writes must update all mirrors.
Reliability: Single loss and often multiple losses (in large configurations) are survivable.
Availability: Single loss and often multiple losses (in large configurations) do not prevent access.
Cost and capacity: Twice the cost of RAID 0. Two-disk minimum.

RAID 0+1 (striped mirrors)
Performance: Two data sources for every read request (up to 100% read performance boost). Balanced load. Potential for better response times, throughput, and concurrency. However, writes must update mirrors and you are faced with a difficult stripe unit size choice.
Reliability: Single loss and often multiple losses (in large configurations) are survivable.
Availability: Single loss and often multiple losses (in large configurations) do not prevent access.
Cost and capacity: Twice the cost of RAID 0. Four-disk minimum.

RAID 5 (rotated parity)
Performance: Balanced load. Potential for better read response times, throughput, and concurrency. However, up to 75% write performance hit. Read performance degrades in failure mode.
Reliability: Single loss survivable; however, in-progress write requests might still corrupt. Multiple losses affect entire array. After a single loss, array is vulnerable until reconstructed.
Availability: Single loss does not prevent access. However, multiple losses prevent access to entire array. To speed reconstruction, application access might be slowed or stopped.
Cost and capacity: One additional disk required. Three-disk minimum.

RAID 6 (two separate erasure codes)
Performance: Balanced load. Potential for better read response times, throughput, and concurrency. However, up to 83% write performance hit. Read performance degrades in failure mode. All sectors must be read for reconstruction: major slowdown. Danger of data in invalid state after power loss and recovery.
Reliability: Single loss survivable; however, in-progress write requests might still corrupt. Note that more than two losses affect entire array. After two losses, array is vulnerable until reconstructed.
Availability: Single loss does not prevent access. More than two losses prevent access to entire array. To speed reconstruction, application access might be slowed or stopped.
Cost and capacity: Two additional disks required. Five-disk minimum.
Planning High Availability and Disaster Recovery 10-9
RAID 1+0 (mirrored sets in a striped set)
Performance: Mirrored sets in a striped set provide an increase in performance with an increase in complexity.
Reliability: RAID 1+0 creates a second striped set to mirrored drives. Performance is better because all remaining disks are used.
Availability: The array can have multiple drive losses as long as no mirror loses all of its drives.
Cost and capacity: Minimum of 4 disks. Must use an even number of disks.
Key Points
Network Load Balancing (NLB) provides high availability and scalability for
TCP/IP-based services, including Web servers, File Transfer Protocol (FTP) servers,
other mission-critical servers, and COM+ applications. In an NLB configuration,
multiple servers run independently, and do not share any resources. Client
requests are distributed among the servers, and in the event of a server failure, NLB
detects the problem and distributes the load to another server. NLB allows you to
increase network service performance and availability.
Performance
NLB supports server performance scaling by distributing incoming network traffic
among one or more virtual IP addresses assigned to the NLB cluster. The hosts in
the cluster concurrently respond to different client requests, even multiple requests
from the same client. For example, a Web browser might obtain each of the
multiple images in a single Web page from different hosts within an NLB cluster.
This speeds up processing and shortens the response time to clients.
Protocol: Examples
HTTP and HTTPS: Microsoft Internet Information Services (IIS), port 80
FTP: Microsoft IIS, port 20, port 21, and ports 1024-65535
PPTP & IPSec: Virtual private network (VPN) servers, 1723 for PPTP
Windows Media over HTTP: Windows Media Server, TCP on port 80, 554, and 1755; UDP on port 1755 and 5005
HTTP & HTTPS: Microsoft Internet Security and Acceleration Server (ISA)
Scalability
NLB allows administrators to scale network services to meet client demand. New
servers can be added to a load balancing cluster without rewriting applications or
reconfiguring clients. The Load Balancing cluster does not need to be taken offline
to add new capacity, and members of the Load Balancing cluster do not need to be
based on identical hardware.
Key Points
A failover cluster is a group of independent computers that work together to
increase the availability of applications and services. Physical cables and software
connect the clustered servers, known as nodes. If one of the cluster nodes fails,
another node begins to provide service (a process known as failover). Therefore,
users experience a minimum of service disruptions.
In the Windows Server 2008 Enterprise and Windows Server 2008 Datacenter
operating system editions, the improvements to failover clusters, formerly known
as server clusters, are aimed at simplifying clusters, making them more secure, and
enhancing cluster stability.
Note: The failover cluster feature is not available in the Windows Web Server 2008 or
Windows Server 2008 Standard editions.
Additional Reading
For additional information about clustering, see Course 6423A: Implementing and
Managing Windows Server 2008 Clustering.
Key Points
Carefully review the hardware on which you plan to deploy a failover cluster
to ensure that it is compatible with Windows Server 2008. This is especially
necessary if you are currently using that hardware for a server cluster running
Windows Server 2003. Hardware that supports a server cluster running Windows
Server 2003 does not necessarily support a failover cluster running Windows
Server 2008.
Note: You cannot perform a rolling upgrade from a server cluster running Windows
Server 2003 to a failover cluster running Windows Server 2008. However, after you create
a failover cluster running Windows Server 2008, you can use a wizard to migrate certain
resource settings to it from a server cluster running Windows Server 2003.
Important: Microsoft supports a failover cluster solution only if all the hardware
components are marked as Certified for Windows Server 2008. Additionally, the
complete configuration (servers, network, and storage) must pass all tests in the Validate
a Configuration Wizard, which is included in the Failover Cluster Management snap-in.
Additional Reading
For more information about iSCSI, see the iSCSI Cluster Support FAQ on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=61375.
For information about hardware compatibility for Windows Server 2008, see the
Windows Server catalog at http://go.microsoft.com/fwlink/?LinkID=59821.
For information about the maximum number of servers that you can have in a
failover cluster, see the Edition Comparison by Technical Specification page of the
Windows Server 2008 Web site at http://go.microsoft.com/fwlink/?LinkId=92091.
Key Points
There are several scenarios in which failover clustering can be used as a high-
availability solution.
File Server
Failover clustering can be used to provide high availability for shared folders. The
highly available shared folders are stored on a shared storage device such as SAS or
an iSCSI SAN.
The clustered nodes use a heartbeat signal to check whether each node is alive.
In a two-node cluster, if one node fails, the remaining node must pick up all of the
file shares.
To ensure the highest availability, the cluster should host no more shares than a
single node can host on its own. Two-node server clusters are focused on high
availability, not scale-out; therefore you should not expect to hold more shares on
a two-node cluster than on a single node.
Application Server
Failover clustering can be used to provide high availability for an application such
as a Web-based application. This scenario may use a combination of failover
clustering and NLB to make an application highly available.
An example of this scenario is a highly available Web application that uses a back-
end failover cluster to make the static Web content and the Microsoft SQL Server
database(s) used by the Web site highly available. Multiple front-end IIS servers
using NLB would be used to provide scalability and availability for the Web
service.
In this scenario, there is redundancy for both front-end and back-end
infrastructure.
Database Server
As in previous scenarios, the highly available resource (in this case one or more
SQL databases) is stored on a shared storage device.
The clustered nodes use a heartbeat signal to check whether each node is alive, at
both the operating system level and the SQL Server level. At the operating system
level, the nodes in the cluster are in constant communication, validating the health
of all the nodes.
During failover of the SQL Server instance, SQL Server resources start up on the
new node. Windows clustering starts the SQL Server service for that instance on
the new node and SQL Server goes through the recovery process to start the
databases. After the service is started and the master database is online, the SQL
Server resource is considered to be up. Now the user databases will go through the
normal recovery process, which means that any completed transactions in the
transaction log are rolled forward (the Redo phase), and any incomplete
transactions are rolled back (the Undo phase).
Key Points
It is important to understand how failover clustering and NLB contrast. The
following table compares the functionality and recommended uses for failover
clustering and NLB.
Failover clustering: Provides high availability, scalability for stateful applications and server consolidation. Requires the use of shared or replicated storage on cluster-compatible hardware.
NLB: Provides high availability and scalability for stateless applications. Doesn't require any special hardware or software; works out of the box.
Windows Backup has been improved in Windows Server 2008, with new features
such as Complete PC Backup. Backup with Windows Server 2008 uses Volume
Shadow Copy Service (VSS) and block-level backup technology to efficiently back
up and recover the operating system, files and folders. After the first full backup is
created, Backup automatically runs incremental backups by saving only the data
that has changed since the last backup.
Objectives
After completing this lesson, you will be able to:
Describe the fundamental considerations of a backup strategy.
Determine what data must be backed up.
Describe Shadow Copies.
Determine how to implement shadow copies.
Plan a suitable backup strategy.
Key Points
There are many ways in which you can unintentionally lose information on a
computer: a power surge, lightning, floods, hardware failures, and malicious
software. One of the most important considerations in an organization is backing
up your important information to prevent this potential information loss.
What to Back Up
Deciding what to back up is one consideration when developing a backup plan.
On a home computer, a user may want to back up bank records and other financial
information, digital photographs, software purchased and downloaded from the
Internet, music purchased and downloaded from the Internet, the e-mail address
book, a Microsoft Office Outlook calendar, and any other personal documents.
This decision is even more critical for businesses. Business information loss may
significantly disrupt business productivity. In most situations, a full data backup is
desirable. The key question for the organization is what data is vital to the
company? This may be things like customer or client database information, payroll
records, product information, and so forth.
Key Points
This is an open discussion. Consider your own organization, and determine where
critical data exists; discuss what data needs to be backed up.
Key Points
The Previous Versions feature in Windows Server 2008 enables your users to
access previous versions of files and folders on your network. This is useful
because users can:
Recover files that were deleted accidentally. If you delete a file accidentally, you
can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file. If you overwrite a file accidentally,
you can recover a previous version of the file.
Compare versions of a file while working. You can use previous versions when
you want to check what has changed between two versions of a file.
Users can access previous versions using the folder Properties dialog box. Available
versions appear on the Previous Versions tab under Folder Versions.
To enable previous file versions access, you must enable shadow copies of shared
folders on the file server. Shadow copies are copies of files that are located on the
server and appear as previous versions.
The copy-on-write method creates shadow copies that are differential rather than
full copies of the original data. This method makes a copy of the original data
before it is overwritten with new changes. When a change to the original volume
occurs, but before it is written to disk, the block about to be modified is read and
then written to a differences area, which preserves a copy of the data block before
it is overwritten with the change. Using the blocks in the differences area and
unchanged blocks in the original volume, a shadow copy can be logically
constructed that represents the shadow copy at the point in time in which it was
created.
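A toy model of the copy-on-write method, added here as an illustration and not part of the course: the volume is an array of blocks, each shadow copy owns a differences area, and a block is preserved only the first time it is overwritten after the copy was taken. Block contents and function names are constructed.

```powershell
# Added illustration (not course material): copy-on-write shadow copies in miniature.

# Constructed sample volume: one short string per block. Live data always lives here.
$volume    = @('A0', 'B0', 'C0', 'D0')
$snapshots = New-Object System.Collections.ArrayList   # one differences area per shadow copy

function New-ShadowCopy {
    # Taking a shadow copy is cheap: it starts as an empty differences area.
    $null = $snapshots.Add(@{ Id = $snapshots.Count; Diff = @{} })
}

function Write-Block([int]$index, [string]$data) {
    # Copy-on-write: before the block is overwritten, its current contents are saved
    # into every shadow copy that has not yet preserved this block.
    foreach ($snap in $snapshots) {
        if (-not $snap.Diff.ContainsKey($index)) { $snap.Diff[$index] = $script:volume[$index] }
    }
    $script:volume[$index] = $data
}

function Read-ShadowCopy([int]$id) {
    # Point-in-time view: blocks from the differences area where present, live blocks otherwise.
    $snap = $snapshots[$id]
    foreach ($i in 0..($script:volume.Count - 1)) {
        if ($snap.Diff.ContainsKey($i)) { $snap.Diff[$i] } else { $script:volume[$i] }
    }
}

New-ShadowCopy          # shadow copy 0 taken while B0 and D0 are on the volume
Write-Block 1 'B1'      # B0 is saved into copy 0's differences area, then overwritten
New-ShadowCopy          # shadow copy 1 taken while the volume holds B1
Write-Block 1 'B2'      # B1 saved into copy 1; copy 0 already holds B0, so it is untouched
Write-Block 3 'D1'      # D0 saved into both copies

"Live volume:   $($volume -join ' ')"
"Shadow copy 0: $((Read-ShadowCopy 0) -join ' ')"
"Shadow copy 1: $((Read-ShadowCopy 1) -join ' ')"
'Differences areas: ' + (($snapshots | ForEach-Object { "copy $($_.Id) holds $($_.Diff.Count) block(s)" }) -join ', ')
```

Unchanged blocks are never duplicated, which is why a shadow copy costs far less space than a full copy, and why the differences area (not the live volume) is what a shadow-copy retention policy has to budget for.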
Key Points
When using Shadow Copy, there are some considerations that you should keep in
mind, such as those in the following topics.
Note: Regardless of the volume space that you allocate for shadow copies, you can have
a maximum of 64 shadow copies for any volume. When the sixty-fifth shadow copy is
taken, the oldest shadow copy is purged.
Note: If you plan to store the shadow copies on the same volume as the user files, note
that a burst of disk I/O can cause all shadow copies to be deleted. If you cannot tolerate
the sudden deletion of shadow copies, use a volume that will not be shadow copied,
preferably on separate disks, for storing shadow copies.
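The two notes above translate into a simple inventory check: how many shadow copies each volume already holds, and where its differences area lives. This added example (not from the course) reads the Win32_ShadowCopy, Win32_ShadowStorage, and Win32_Volume WMI classes; the "near the ceiling" threshold is an arbitrary choice.

```powershell
# Added example (not course material). Run with administrative rights on the file server.
$maxCopies = 64                       # per-volume ceiling stated in the course text
$warnAt    = $maxCopies - 4           # arbitrary early-warning threshold

$copies  = @(Get-WmiObject -Class Win32_ShadowCopy)
$storage = @(Get-WmiObject -Class Win32_ShadowStorage)

function Get-VolumeGuid([string]$wmiPath) {
    # Win32_Volume.DeviceID looks like \\?\Volume{GUID}\ while Win32_ShadowStorage references
    # the volume as an escaped WMI object path; comparing the {GUID} alone sidesteps the escaping.
    [regex]::Match($wmiPath, '\{[0-9A-Fa-f-]+\}').Value
}

foreach ($vol in (Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter })) {
    $guid  = Get-VolumeGuid $vol.DeviceID
    $count = @($copies | Where-Object { (Get-VolumeGuid $_.VolumeName) -eq $guid }).Count
    $store = $storage | Where-Object { (Get-VolumeGuid $_.Volume) -eq $guid } | Select-Object -First 1

    $line = '{0} {1,3} shadow copies' -f $vol.DriveLetter, $count
    if ($count -ge $warnAt) {
        $line += " (near the $maxCopies-copy ceiling; the oldest copy is purged when it is reached)"
    }
    if ($store) {
        $usedMB = [math]::Round($store.UsedSpace / 1MB)
        $maxMB  = if ($store.MaxSpace -eq [uint64]::MaxValue) { 'unbounded' }
                  else { [math]::Round($store.MaxSpace / 1MB) }
        $line  += "; differences area $usedMB MB used of $maxMB MB"
        if ((Get-VolumeGuid $store.DiffVolume) -eq $guid) {
            $line += '; differences area is on the SAME volume, so a burst of I/O can purge every copy'
        }
    }
    $line
}
```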
Additional Reading
For more information on restoring a previous version of a file or folder, see
Windows Server 2008 Help Topic: How do I restore a previous version of a file or
folder?
For more information on best practices for shadow copies of shared folders, see
Best Practices for Shadow Copies of Shared Folders at
http://go.microsoft.com/fwlink/?LinkID=139994.
Key Points
Question: Why is using the Shadow Copies facility not a replacement for formal
backups?
The sales department at A. Datum Corporation has an application that has a Web-
based front end. The back end is provided by a Microsoft SQL Server database
application. Recently, a failure in the front end caused system unavailability for
several hours. Joe Healy, the Sales manager, has contacted Allison Brown, the IT
manager, and requested that she find a solution for the availability issue.
Scenario
Read any of the supporting documentation, and then propose a high-availability
solution that meets the requirements in the High Availability for Sales Database
document.
The main tasks for this exercise are as follows:
Read the supporting documentation.
Update the High Availability for Sales Database document with your
proposals.
Gregory Weber
From: Alan Steiner [Alan@adatum.com]
Sent: 14 February 2010 13:30
To: Gregory@adatum.com
Subject: Re: Sales Database
Greg,
The sales database is currently in the head office only, although that is set to
change; we're creating a distributed version of the database later this year. The
distributed version will work essentially the same way, but there will be localized
versions of the databases replicated among the sales branch offices. It has a SQL
Server back-end, and the front-end is Web-based; IIS provides the front-end access.
The actual database is stored on disks attached to an iSCSI SAN.
The outage was caused when the Web server hosting the front end suffered a
power supply failure; it just started to smoke and then went offline!
In terms of backup, we currently perform a full backup to tape each Friday using a
third-party system; thereafter, we perform incremental backups to tape each work
day evening. Of course, SQL Server is performing replication during the working
day, so multiple instances of the data do exist. It would be nice to be able to
perform the backups more quickly.
Hope all that helps you,
Alan
----- Original Message -----
From: Gregory Weber [Gregory@adatum.com]
Sent: 14 February 2010 12:29
To: Alan@adatum.com
Subject: Sales Database
Alan,
I've got to come up with a solution to that database outage in Sales last month.
What can you tell me about it? Also, while I think about it, how is backup handled?
Thanks,
Greg
Requirement Overview
To provide a high-availability solution that ensures that the failure of any single
component will not cause the Sales database to become unavailable.
To ensure that the database is recoverable in the event of multiple disk failures.
Additional Information
All servers are installed with Windows Server 2008 Enterprise Edition.
Proposals
1. In the current system, what component(s) is a point of failure?
2. For each element, how would you propose to prevent a system failure resulting
from a component failure?
3. What Windows Server 2008 role or feature could help provide for each of these
proposals?
Task 2: Update the High Availability for Sales Database document with
your proposals
Answer the questions in the High Availability for Sales Database document.
Results: After this exercise, you should have a completed High Availability for Sales
Database proposal document.
Note: Only enter the name webfarm; the domain suffix is added automatically.
IP address: 10.10.10.10
Note: You will test the cluster at the end of the exercise.
Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub,
right-click wwwroot, and then click Properties.
2. Verify that there are previous versions listed.
Note: Even though an NLB Cluster member is unavailable, the Web site is still available.
Results: After this exercise, you should have successfully implemented your high-
availability and recovery plan.
Review Questions
1. You plan to deploy a Web farm. You want to provide a fault tolerant front end
for client computers connecting from the Internet. Which would be the most
suitable technology?
2. You want to implement a RAID solution that provides good read performance
and reasonable fault tolerance; however, lower cost is a factor. Which RAID
standard(s) would be suitable?
Key Points
Microsoft Virtual PC is a virtualization technology for running multiple operating
system instances on a desktop computer. The latest version is Virtual PC 2007
Service Pack 1 (SP1) and can be downloaded from the Microsoft Web site.
The supported host operating systems for Virtual PC 2007 are:
Windows XP Professional (x86 and x64)
Windows XP Tablet PC Edition
Windows Server 2003 (x86 and x64)
Windows Vista Business, Enterprise, and Ultimate Editions (x86 and x64)
The primary use for Virtual PC is for testing scenarios where only a few virtual
machines with limited resources are required. Virtual PC uses only a single
processor core, which limits the volume of processing that all virtual machines can
do. Also, Virtual PC supports only 32-bit guest operating systems. This limits the
maximum memory to 4 GB.
Key Points
Microsoft Virtual Server is designed to run production servers in a virtual
environment. The latest version is Virtual Server 2005 R2 SP1 and can be
downloaded from the Microsoft Web site.
The supported host operating systems for Virtual Server are:
Windows Server 2003 (x86 and x64)
Windows XP (x86 and x64, nonproduction)
Windows Vista (x86 and x64, nonproduction)
Like Virtual PC, Virtual Server can be used to create a test environment for new
applications and operating system changes. Virtual Server supports multiple CPU
cores for each virtual machine and you can control how CPU cores are allocated to
each virtual machine. However, guest operating systems are limited to 32-bit
editions and, consequently, 4 GB of RAM per virtual machine.
Key Points
Hyper-V is a server role included in 64-bit editions of Windows Server 2008
(Standard, Enterprise, and Datacenter) to host virtual machines. When the Hyper-
V role is installed on a computer, the Windows hypervisor is installed and begins
running after the computer is restarted. The Windows hypervisor is a bare metal
hypervisor that runs before the operating system.
Partitions
The instance of Windows Server 2008 with the Hyper-V role installed is the parent
partition. Child partitions are the virtual machines created to run new operating
system instances. If the parent partition fails, the child partitions will also fail. For
this reason, it is common to use the Server Core installation option of Windows
Server 2008 as the operating system in the parent partition. Using the Server Core
installation option reduces the attack surface of the parent partition and,
consequently, reduces the risk of failure. However, using the Server Core
installation option does not prevent failures of the parent partition due to other
reasons, such as hardware failure or unstable drivers.
Note: Both Virtual PC and Virtual Server use a monolithic hypervisor that runs inside
Windows.
Key Points
Many organizations prefer to host only a single application on a server. This
simplifies management and maintenance. When multiple applications are on a
server, it is possible that an update to one application may cause problems with
another application. Also, sometimes the best way to fix a nonfunctional
application is to restart the server. When multiple applications are on a single
server, the server reboot affects many users, not just the users of the
nonfunctioning application.
When there are many application servers with a single application, in many cases,
the utilization of system resources is very low. The processor utilization of a server
often averages less than 10 percent.
Maintenance of older application servers is also an issue. As hardware becomes
older, it will start to fail. In some cases, the application server may have poor
documentation and may be difficult to re-create. It may be very expensive or
difficult to rebuild the server on new hardware.
Planning Virtualization 11-15
Key Points
It is a best practice to test all changes to a computing environment in a test lab
before implementing them in your live environment. This helps to ensure that
changes do not have unintended consequences. For example, you should test
software updates and configuration changes.
To make testing as reliable as possible, the test lab should closely resemble your
production environment. However, in some cases, this may require many servers.
The cost of creating a test lab with many physical servers is quite high and many
organizations simply do not have the physical space to host a test lab with many
physical servers. In the past, when an organization could not afford a test lab,
testing was not performed, which created a higher risk of problems when changes
were implemented.
Key Points
Virtualization enables several scenarios that increase server availability and
simplify disaster recovery. Most of the benefit is due to the independence of the
virtual machine from the physical hardware of the virtualization hosts. This
independence makes it easy to move a virtualized server from one virtualization
host to another.
Business continuity scenarios include:
Simplified disaster recovery. It is difficult to restore a backup from one
physical server to another physical server with different hardware. A virtual
machine can simply be moved to a new virtualization host and started there
because there are no hardware incompatibilities. If the virtual machine files
are located on a storage area network (SAN), downtime can be only a minute.
Microsoft provides Virtual PC, Virtual Server, and Hyper-V to implement server
virtualization. Each has unique requirements and benefits and is appropriate in
different scenarios.
Objectives
After completing this lesson, you will be able to:
Describe System Center Virtual Machine Manager.
Describe how VMM can be used for server consolidation.
Describe how VMM can be used for provisioning resources.
Describe how VMM can be used to enhance business continuity.
Describe how VMM can be used to optimize performance.
Key Points
System Center Virtual Machine Manager (VMM) is a product for managing
multiple virtualization hosts and their virtual machines through a single console. It
is a solution that solves many of the challenges introduced by virtualized
infrastructure.
Intelligent Placement
Choosing an appropriate Hyper-V host for a virtual machine is important to ensure
the good performance of the machine. When adding a new virtual machine to a
host, you need to ensure that the host has sufficient resources available. For
example, there must be sufficient free memory on the host to run the virtual
machine.
Intelligent Placement analyzes the performance characteristics of a server that is
being virtualized and the hosts available to place a virtual machine on. Based on
the analysis, hosts are ranked for you to choose from.
Key Points
Server consolidation is the process by which multiple physical servers are
virtualized and run as virtual machines on a smaller number of virtualization
hosts. This reduction in physical servers results in higher resource utilization
on the virtualization hosts. Having fewer physical servers reduces hardware
costs, power utilization, and data center cooling requirements. When virtual
machines with similar security requirements are consolidated onto a single host,
security can also be increased. For example, computers that must be isolated on
the same network segment can be placed on the same host.
Identification of Virtualization Candidates
Microsoft System Center Operations Manager (SCOM) 2007 can be used to collect
long-term performance data from virtualization candidates. VMM uses the
performance data from SCOM to generate a report on processor, physical memory,
disk usage, and network throughput.
Key Points
Provisioning a physical server can take days or even weeks if new hardware is
required. The time required to provision a physical server includes the time for
gaining approvals for server purchase, ordering the server, and configuring the
server. When VMM is used to create virtual machines, a new virtual machine can
be provisioned in just minutes. The central component in provisioning is the
library.
The library contains resources for building virtual machines. The resources in a
library include virtual disks, ISO files, and templates. The operating system for new
virtual machines is stored in the library, on a virtual disk that has been Sysprepped.
A new virtual machine can be created by using individual library components or a
template. Alternatively, an existing virtual machine can be copied.
Provisioning can be delegated to other users. A delegated administrator uses the
VMM Administrator Console to perform actions within the scope defined by the
administrator. The scope can be limited to specific libraries or hosts. A self-service
user creates and manages virtual machines through the VMM Self-Service Portal.
You can restrict self-service users to creating virtual machines on specific hosts and
limit the actions they can perform on virtual machines. Quotas can be used to limit
the number of virtual machines created or resources used by self-service users. Self-
service users are often configured for test lab or development environments.
Key Points
VMM does not provide any new functionality for virtual machines that enhance
business continuity. However, VMM does effectively manage business continuity
features that are provided by the virtualization host.
Clustering
VMM integrates with Windows Server 2008 failover clustering to provide highly
available virtual machines. After a host cluster has been configured, you use the
VMM Administrator Console to designate virtual machines as highly available.
Highly available virtual machines can fail over from one virtualization host in the
cluster to another.
Key Points
Ensuring optimal performance for virtual machines is a time-consuming process.
To ensure optimal performance, you must:
Monitor virtual machines and hosts.
Define events that indicate a problem.
Act on events to resolve a problem.
Key Points
Hyper-V hosts provide multiple ways by which disks can be accessed by the host
and virtual machines. This provides the flexibility to meet the needs of your
specific deployment.
Most virtual machines are configured using virtual disks. Virtual disks are files with
the .vhd extension that store all of the content in virtual machine disks. Each .vhd
file corresponds to a disk of a virtual machine. The .vhd file can be located on local
storage or a SAN.
Key Points
Network configuration is critical for virtualized environments, because multiple
virtual machines share the same connectivity. That increases the need for both
speed and reliability. The capacity of the network connectivity for the virtualization
host must exceed the network requirements of all running virtual machines.
Network configuration options include:
VLANs. VLANs are commonly used by organizations to segment network
traffic traveling through their switches. Traffic is often segmented by IP
address for routing, but can also be segmented by other characteristics such as
MAC address range to isolate Voice over IP (VoIP) traffic. The networking
configuration supports the use of VLANs so that virtual machines can be
placed on specific VLANs.
Multiple network adapter cards. If you want to physically separate network
traffic for virtual machines, you can use multiple network adapter cards. You
create an external network for each network adapter card. Then virtual
machines are placed on external networks. This increases the overall network
capacity of the host when both network adapters are connected to the same
network.
Key Points
Hyper-V is included only in 64-bit editions of Windows Server 2008. Using a 64-bit
operating system allows each Hyper-V host to support a large amount of memory.
In theory, 64-bit hardware can address 16 exabytes of memory. However, this is
practically limited by server hardware design and the operating system.
Some considerations for memory utilization are:
Determine the total memory allocated to each virtual machine. The memory
required in a virtualization host is the total of the memory allocated to each
virtual machine and memory required by the host operating system.
Each Hyper-V guest supports up to 64 GB of memory. This makes
virtualization possible for application servers with large memory
requirements, such as database servers and Microsoft Exchange Server.
Turning off a virtual machine reduces memory requirements. When you turn
off or shut down a virtual machine, it no longer uses memory on the host. In
test environments, it is common to shut down one virtual machine in order to
free memory to run another.
Key Points
The virtual machines placed on a virtualization host all share the physical
processing power of that server. Hyper-V supports the use of multiple processors
and multiple cores per processor. This allows each host to provide a large volume
of processing capacity to the virtual machines.
Do not overload the host. You need to take care that the demands of the
virtual machines are not in excess of what the physical host can provide. If you
place virtual machines with too much demand for processing power on a host,
then application performance in the virtual machines will be reduced.
Consider utilization patterns. When placing virtual machines on hosts, try to
select virtual machines that do not have peak utilization at the same time. For
example, some virtual machines, such as domain controllers, will have their
highest utilization when users arrive in the morning, while other virtual
machines, such as application servers, will have their highest utilization later in
the day as users begin performing their daily tasks.
Key Points
Host clustering creates highly available virtual machines. The virtualization hosts
are part of a failover cluster and each virtual machine is a clustered application. If a
virtualization host fails, the virtual machines from that host are restarted on a
different host. The failover process takes a few minutes because it takes that long
for the operating system to boot up in the restarted virtual machines.
Considerations for host clustering include:
At least two Hyper-V hosts are required. To create a cluster you need at least
two Hyper-V hosts running Windows Server 2008, Enterprise or Datacenter
editions. The Standard edition is not capable of performing clustering. You can
use more hosts to have additional nodes in the cluster and more flexibility for
failover.
Note: Host clustering in Windows Server 2008 R2 supports sharing of LUNs for highly
available virtual machines.
I've attached a list of our servers and their specifications to get you started.
Regards
Allison
Name           Purchase date   Processor utilization   Memory utilization   Disk space
ExchangeNode1  July 2007       50%                     3 GB                 120 GB
ExchangeNode2  July 2007       4%                      500 MB               20 GB
FinanceApp     June 2009       20%                     1.5 GB               30 GB
SQLProd        Sept 2006       70%                     2 GB                 80 GB
PServer        Feb 2002        15%                     500 MB               7 GB
File1          Feb 2002        10%                     500 MB               200 GB
PayrollApp     Oct 2005        5%                      500 MB               20 GB
Terminal       June 2006       70%                     1.5 GB               30 GB
SQLTest        Nov 2004        30%                     1 GB                 80 GB
Billing        Mar 2008        20%                     1 GB                 40 GB
Notes:
ExchangeNode1 and ExchangeNode2 are part of a cluster.
PayrollApp is used only twice a month for submitting payroll information to
the bank.
SQLProd is used by applications in production.
SQLTest is used only by technical support staff when testing updates to
applications.
Billing is used each day to perform time tracking and is considered mission
critical.
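The inventory above, worked through as an added example (not part of the course materials): it applies the module's planning criteria, ranking consolidation candidates by utilization and hardware age and first-fit packing the VMs onto hosts sized by summed guest memory plus host memory. The host size, the CPU ceiling, the host memory reserve and the rule that the two Exchange cluster nodes stay on different hosts are assumptions of this example.

```python
"""Virtualization pilot planner.

Added example, not part of the course: it applies the module's planning
criteria (low processor utilization, old hardware, summed guest memory plus
host memory, no host overload) to the server inventory of the lab scenario.
Host size, the CPU ceiling and the host memory reserve are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Server:
    name: str
    purchased: int                 # purchase year from the inventory table
    cpu_pct: int                   # average processor utilization, percent
    mem_gb: float                  # memory utilization, GB
    disk_gb: int                   # disk space, GB
    cluster: Optional[str] = None  # guest cluster membership, from the notes
    mission_critical: bool = False


# Inventory and notes from the lab scenario, values as given on the page.
INVENTORY = [
    Server("ExchangeNode1", 2007, 50, 3.0, 120, cluster="Exchange"),
    Server("ExchangeNode2", 2007, 4, 0.5, 20, cluster="Exchange"),
    Server("FinanceApp", 2009, 20, 1.5, 30),
    Server("SQLProd", 2006, 70, 2.0, 80),
    Server("PServer", 2002, 15, 0.5, 7),
    Server("File1", 2002, 10, 0.5, 200),
    Server("PayrollApp", 2005, 5, 0.5, 20),
    Server("Terminal", 2006, 70, 1.5, 30),
    Server("SQLTest", 2004, 30, 1.0, 80),
    Server("Billing", 2008, 20, 1.0, 40, mission_critical=True),
]

HOST_OS_GB = 2.0   # assumed memory reserved for the host operating system
MAX_CPU_PCT = 80   # assumed ceiling for summed guest CPU; treats all source
                   # servers' processors as equivalent (a simplification)


def candidates(servers: List[Server], cpu_threshold: int = 30) -> List[Server]:
    """Pilot candidates, highest priority first: CPU at or below the
    threshold, not mission critical (kept for a later phase), oldest
    hardware first because it is likeliest to fail and hardest to rebuild."""
    picks = [s for s in servers
             if s.cpu_pct <= cpu_threshold and not s.mission_critical]
    return sorted(picks, key=lambda s: (s.purchased, s.cpu_pct))


def host_memory_required(vms: List[Server]) -> float:
    """Memory a host needs: summed guest memory plus the host operating system."""
    return sum(v.mem_gb for v in vms) + HOST_OS_GB


def place(vms: List[Server], host_mem_gb: float = 16.0) -> List[List[str]]:
    """First-fit placement onto identical hosts.  A VM fits when memory and
    CPU stay within limits and no member of its guest cluster is already on
    the host (assumed rule, so one host failure cannot stop both nodes).
    Peak-time overlap between VMs is not modelled."""
    hosts: List[dict] = []
    for vm in vms:
        for h in hosts:
            fits_mem = h["mem"] + vm.mem_gb <= host_mem_gb - HOST_OS_GB
            fits_cpu = h["cpu"] + vm.cpu_pct <= MAX_CPU_PCT
            apart = vm.cluster is None or vm.cluster not in h["clusters"]
            if fits_mem and fits_cpu and apart:
                break
        else:  # no existing host fits: provision another one
            h = {"vms": [], "mem": 0.0, "cpu": 0, "clusters": set()}
            hosts.append(h)
        h["vms"].append(vm.name)
        h["mem"] += vm.mem_gb
        h["cpu"] += vm.cpu_pct
        if vm.cluster:
            h["clusters"].add(vm.cluster)
    return [h["vms"] for h in hosts]


if __name__ == "__main__":
    print("Pilot candidates:", [s.name for s in candidates(INVENTORY)])
    for i, names in enumerate(place(INVENTORY), 1):
        print(f"Host {i}: {names}")
```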
Results: After this exercise, you should have a completed plan for a virtualization pilot
project.
Note: The BIOS configuration steps in this exercise are correct for a Dell Optiplex 755
with an Intel processor. The steps may vary depending on the model of the computer
you are using, BIOS revision, and the processor type. For example, the name of specific
settings may be different or already enabled. Ask your instructor for help if required.
Note: You will be provided with the software required to complete this lab from your
instructor. It may or may not be a DVD.
Results: After this exercise, you should have successfully implemented a Hyper-V host
and created a virtual machine.
Review Questions
1. What is the difference between a microkernelized hypervisor and a monolithic
hypervisor?
2. You are an IT architect at a large insurance provider. You have migrated many
important applications to VMs and want to increase the availability of those
VMs. How can availability of VMs be increased when you use Hyper-V?
3. You are the manager responsible for controlling the process that is used for
testing new application updates and releases at a large insurance provider. In
the past, you have maintained development, test, and production servers for
all applications. This resulted in hundreds of servers being stored in the data
center. How can you use Hyper-V to reduce hardware costs for development
and testing?
4. Where are the virtual disks stored when a host cluster is implemented?
Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
Lab: Planning File and Print Services L6-57
Task 2: Update the Sales Branch Offices: File and Print Services
document with your proposals
Answer the questions in the Sales Branch Offices: File and Print Services
document.
Requirement Overview
Deploy the required services to the branch sales offices to meet the needs outlined
in the Requirements document.
Additional Information
The requirements are summarized as follows:
Deploy server roles to support file and print services.
Create a single UNC name to allow access to all sales shared resources. This single
UNC name should not be a single point of failure.
Provide for a means of synchronizing data between the branch and head office
sales shared folders.
Impose restrictions to prevent creation of executable files in data areas.
Impose a hard limit on the amount of disk space each user can consume in the
data folder.
Deploy printers to client computers quickly and easily.
Proposals
1. What server roles will you need to deploy to the branch servers to satisfy these
requirements?
Answer: File Services and Print Services
2. Will you need to make any changes to the infrastructure at the head office to
support these requirements?
Answer: Certain File Services service roles will need to be available to support
DFS.
3. What folder and shared folder permissions would you recommend for sales
data areas?
Answer: Data folders should be secured with the Modify permission for the
relevant global group, in this case SalesGG. The shared folder can be
configured as Everyone Full Control because the agreed-upon permissions are
therefore Modify for the SalesGG through the share onto the folder.
4. How will you address the requirement for a single UNC name for all sales
shared resources and avoid a single point of failure?
Answer: By deploying a DFS domain-based name space and adding folders to
the namespace. Adding additional namespace servers will provide fault
tolerance of the namespace.
5. How will you synchronize the sales data at each location?
Answer: By using DFS-R. A full mesh topology would be suitable.
6. What role or feature enables you to impose a restriction on the types of files
that users can create in designated folders?
Answer: FSRM file screening.
7. What role or feature enables you to impose a restriction on the disk space
users can consume in designated folders?
Answer: FSRM quotas.
8. Provide additional details about the specifics of the process you will use to
provide for the previous two requirements:
Answer: File screen: the Block Executable Files would be an appropriate
template on which to base the file screen.
Quotas: use of the 200 MB Limit Reports to User template is indicated.
9. How do you intend to deploy printers to client computers?
Answer: Creating, sharing, and then deploying with group policy.
Results: After this exercise, you should have a completed Sales Branch Offices: File and
Print Services document.
Results: After this exercise, you should have successfully configured file and print
services for the branch office.
Results: After this exercise, you should have a completed security plan for the new
finance application and a plan for preventing malware on the network.
Lab: Planning Server and Network Security L7-73
Note: Negotiation of IPsec policies may be slow in the virtualized environment. A wait of
2 or 3 minutes is possible before the negotiation is complete and you are able to access
the Web site at 10.10.0.10.
Results: After this exercise, you should have successfully implemented firewall rules.
Note: A custom configuration is required because this server has only a single network
card. In most cases, you could use the Remote Access (Dial-Up Or VPN) configuration.
Note: If you experience an error during your connection attempt, review the
configuration of your SSTP listener by using the instructions from Setting Up
The SSTP Listener And Verifying It in the Routing and Remote Access Blog at
http://blogs.technet.com/rrasblog/archive/2007/03/07/configuration-of-sstp-listener-and-verification.aspx.
In particular, you must manually remove and replace the certificate used by
SSTP if you want to change it.
Requirement Overview
Determine which tasks can be delegated to Joe Healy in Sales.
Specify how this delegation will be achieved.
Additional Information
None
Proposals
1. Which features will you need to install on a recently deployed departmental
server to support administrative delegation?
Answer: Answers will vary, but in order to support the Windows PowerShell
scripts, the server will require Windows PowerShell. Because client computers
are not allowed to host management and administration tools, the local server
must have the Remote Server Administration Tools feature installed.
L8-88 Module 8: Planning Server Administration
Proposals (continued)
2. How will you manage the requirement that Joe needs to be able to manage
which GPOs apply to the Sales OU without giving him the ability to edit the
GPO settings?
Answer: Assign the Manage Group Policy links Active Directory permission on
the Sales OU to a group to which Joe belongs.
3. What delegated permissions will you give to Joe in Active Directory?
Answer: Aside from the Manage Group Policy links permission, these
additional permissions are required on the Sales OU in order to administer
Users, Groups, and Computers:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Create and delete computer objects
4. How will you achieve this?
Answer: The Delegate Control wizard will enable you to establish most of
these permissions as common tasks. However, the computer administration
permissions need to be assigned manually, or as custom tasks.
5. Because you are not permitted to grant Joe any delegated permissions
directly, how will you achieve the required delegation?
Answer: Create a global group and add Joe to the group; grant that group
permissions.
Results: After this exercise, you should have a completed Branch Office Delegation
proposal document.
Note: If you are already logged on as Joe, please log off and then proceed with the lab.
# Bind to the Sales OU through the ADSI type accelerator.
$objOU = [ADSI]"LDAP://OU=sales,DC=Adatum,DC=com"
# Create the new user object in the OU; nothing is written to the directory yet.
$objUSR = $objOU.Create("User","cn=Tom Higginbotham")
# Set the mandatory sAMAccountName attribute (the pre-Windows 2000 logon name).
$objUSR.Put("SAMACCOUNTNAME","Tom")
# Commit the new object to Active Directory.
$objUSR.SetInfo()
Task 2: Update the High Availability for Sales Database document with
your proposals
Answer the questions in the High Availability for Sales Database document.
Requirement Overview
To provide a high-availability solution that ensures that the failure of any single
component will not cause the Sales database to become unavailable.
To ensure that the database is recoverable in the event of multiple disk failures.
Additional Information
All servers are installed with Windows Server 2008 Enterprise Edition.
L10-104 Module 10: Planning High Availability and Disaster Recovery
Proposals (continued)
1. In the current system, what component(s) is a point of failure?
Answer: The back-end database; the front-end Web servers; the storage that
hosts the database; the supply of power to all systems.
2. For each element, how would you propose to prevent a system failure
resulting from a component failure?
Answer: The back-end database. Implement Failover Clustering; this is
required because the database is stateful, that is, it contains data that
changes, and each client computer's view of the system is different at a point
in time.
The front-end Web servers. Implement Network Load Balancing; the front end
is stateless, and contains no changing data. Client computers are indifferent as
to which Web server they connect through.
The storage that hosts the database. Consider implementing a RAID solution
for the storage that hosts the database.
The supply of power to all systems. An uninterruptable power supply (UPS)
does provide some uptime during a power failure, and often enough to
properly shut down a database to avoid corruption.
3. What Windows Server 2008 role or feature could help provide for each of
these proposals?
Answer: Windows Server 2008 provides the Network Load Balancing and
Failover Clustering features. Although disk fault tolerance can be provided
through the software, it is usually more appropriate to implement a fault-
tolerant array through hardware.
4. After implementing the roles or features proposed, is there any remaining
component that represents a single point of failure?
Answer: Loss or unavailability of a datacenter.
5. Have you any recommendations regarding this component(s)?
Answer: Alan Steiner mentioned that the database is to be replicated among
the branches. This will provide a contingency in the event of link-failure.
Results: After this exercise, you should have a completed High Availability for Sales
Database proposal document.
Note: You will test the cluster at the end of the exercise.
Task 12: Verify the presence of previous versions of the Web site
1. In Windows Explorer, double-click Local Disk (C:), double-click inetpub,
right-click wwwroot, and then click Properties.
2. In the wwwroot Properties dialog box, click the Previous Versions tab.
3. Verify that there are previous versions listed, and then click OK.
Note: Even though an NLB Cluster member is unavailable, the Web site is still available.
Results: After this exercise, you should have successfully implemented your high-
availability and recovery plan.
Note: Your answers may vary from the lab answer key in this plan. There are several
acceptable combinations of servers to virtualize. This is only one example.
Results: After this exercise, you should have a completed plan for a virtualization pilot
project.
Lab: Planning Virtualization L11-115
Note: The first set of BIOS configuration steps in this exercise is correct for a Dell
Optiplex 755 with an Intel processor. Also included are steps for an HP DC5850 machine.
The steps will vary depending on the model of the computer you are using, BIOS
revision, and the processor type. For example, the name of specific settings may be
different or already enabled. Ask your instructor for help if required.
Note: You will be provided with the software required to complete the lab installation
from your instructor. It may or may not be a DVD.
2. To access the boot menu of a Dell Optiplex 755 computer, press F12. Read the
POST screen of your computer to determine the appropriate key for your
computer.
3. Select the DVD-ROM drive, and then press ENTER.
4. If prompted, press a key to start the computer from DVD.
5. To accept the default language as US English, click Next.
6. Click Install now.
7. Clear the Automatically activate Windows when I'm online check box, and
then click Next.
Results: After this exercise, you should have successfully implemented a Hyper-V host
and created a virtual machine.